THIS PAGE LEFT INTENTIONALLY BLANK

Transcription

1

2 THIS PAGE LEFT INTENTIONALLY BLANK

3 THE DEPARTMENT OF DEFENSE CYBER STRATEGY April 2015

4 THIS PAGE LEFT INTENTIONALLY BLANK

5

6 THIS PAGE LEFT INTENTIONALLY BLANK

7 TABLE OF CONTENTS I. INTRODUCTION...1 II. STRATEGIC CONTEXT...9 III. STRATEGIC GOALS...13 I. Build and maintain ready frces and capabilities t cnduct cyberspace peratins II. Defend the DD infrmatin netwrk, secure DD data, and mitigate risks t DD missins III. IV. Be prepared t defend the U.S. hmeland and U.S. vital interests frm disruptive r destructive cyberattacks f significant cnsequence Build and maintain viable cyber ptins and plan t use thse ptins t cntrl cnflict escalatin and t shape the cnflict envirnment at all stages V. Build and maintain rbust internatinal alliances and partnerships t deter shared threats and increase internatinal security and stability IV. IMPLEMENTATION OBJECTIVES...17 STRATEGIC GOAL I STRATEGIC GOAL II STRATEGIC GOAL III STRATEGIC GOAL IV STRATEGIC GOAL V V. MANAGING THE STRATEGY...29 CONCLUSION...32

8 THIS PAGE LEFT INTENTIONALLY BLANK

9 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y We live in a wired wrld. Cmpanies and cuntries rely n cyberspace fr everything frm financial transactins t the mvement f military frces. Cmputer cde blurs the line between the cyber and physical wrld and cnnects millins f bjects t the Internet r private netwrks. Electric firms rely n industrial cntrl systems t prvide pwer t the grid. Shipping managers use satellites and the Internet t track freighters as they pass thrugh glbal sea lanes, and the U.S. military relies n secure netwrks and data t carry ut its missins. The United States is cmmitted t an pen, secure, interperable, and reliable Internet that enables prsperity, public safety, and the free flw f cmmerce and ideas. These qualities f the Internet reflect cre American values f freedm f expressin and privacy, creativity, pprtunity, and innvatin. And these qualities have allwed the Internet t prvide scial and ecnmic value t billins f peple. Within the U.S. ecnmy alne, anywhere frm three t 13 percent f business sectr value-added is derived frm Internet-related businesses. Over the last ten years Internet access increased by ver tw billin peple acrss the glbe.. Yet these same qualities f penness and dynamism that led t the Internet s rapid expansin nw prvide dangerus state and nn-state actrs with a means t undermine U.S. interests. We are vulnerable in this wired wrld. Tday ur reliance n the cnfidentiality, availability, and integrity f data stands in stark cntrast t the inadequacy f ur cybersecurity. The Internet was nt riginally designed with security in mind, but as an pen system t allw scientists and researchers t send data t ne anther quickly. Withut strng investments in cybersecurity and cyber defenses, data systems remain pen and susceptible t rudimentary and dangerus frms f explitatin and attack. Malicius actrs use cyberspace t steal data and intellectual prperty fr their wn ecnmic r plitical gals. And an actr in ne regin f the glbe can use cyber capabilities t strike directly at a netwrk thusands f miles away, destrying data, disrupting businesses, r shutting ff critical systems. State and nn-state actrs cnduct cyber peratins t achieve a variety f plitical, ecnmic, r military bjectives. In cnducting their peratins, they may strike at a natin s values as well as its interests r purpses. As ne example, in Nvember, 2014, likely in retaliatin fr the 1

10 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y planned release f a satirical film, Nrth Krea cnducted a cyberattack against Sny Pictures Entertainment, rendering thusands f Sny cmputers inperable and breaching Sny s cnfidential business infrmatin. In additin t the destructive nature f the attacks, Nrth Krea stle digital cpies f a number f unreleased mvies, as well as thusands f dcuments cntaining sensitive data regarding celebrities, Sny emplyees, and Sny s business peratins. Nrth Krea accmpanied their cyberattacks with cercin, intimidatin, and the threat f terrrism. The Nrth Krean attack n Sny was ne f the mst destructive cyberattacks n a U.S. entity t date. The attack further spurred an already nging natinal discussin abut the nature f the cyber threat and the need fr imprved cybersecurity. The increased use f cyberattacks as a plitical instrument reflects a dangerus trend in internatinal relatins. Vulnerable data systems present state and nn-state actrs with an enticing pprtunity t strike the United States and its interests. During a cnflict, the Defense Department assumes that a ptential adversary will seek t target U.S. r allied critical infrastructure and military netwrks t gain a strategic advantage. Beynd the attacks described abve, a sphisticated actr culd target an industrial cntrl system (ICS) n a public utility t affect public safety, r enter a netwrk t manipulate health recrds t affect an individual s well-being. A disruptive, manipulative, r destructive cyberattack culd present a significant risk t U.S. ecnmic and natinal security if lives are lst, prperty destryed, plicy bjectives harmed, r ecnmic interests affected. The Red Flag 14-1 Cyber Prtectin Team wrks n cyber defense prcedures inside the Cmbined Air and Space Operatins Center-Nellis, Nellis, NV. The CPT's primary gal is t find and thwart ptential space, cyberspace and missile threats against U.S. and allied frces. (U.S. Air Frce pht by Senir Airman Brett Clashman) Leaders must take steps t mitigate cyber risks. Gvernments, cmpanies, and rganizatins must carefully priritize the systems and data that they need t prtect, assess risks and hazards, and make prudent investments in cybersecurity and cyber defense capabilities t achieve their security gals and bjectives. Behind these defense investments, rganizatins f every kind must build business cntinuity plans and be ready t perate in a degraded cyber envirnment where access t netwrks and data is uncertain. T mitigate risks in cyberspace requires a cmprehensive strategy t cunter and if necessary withstand disruptive and destructive attacks. Defending the United States in Cyberspace In cncert with ther agencies, the United States Department f Defense (DD) is respnsible fr defending the U.S. hmeland and U.S. interests frm attack, including attacks that may ccur in cyberspace. In a manner cnsistent with U.S. and internatinal law, the Department f Defense seeks t deter attacks and defend the United States against any adversary that seeks t harm U.S. natinal interests during times f peace, crisis, r cnflict. T this end the Defense Department has develped capabilities fr cyber peratins and is integrating thse capabilities int the full array f tls that the United States gvernment uses t defend U.S. natinal interests, including diplmatic, infrmatinal, military, ecnmic, financial, and law enfrcement tls. 2

11 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y The May 2011 Department f Defense Strategy fr Operating in Cyberspace guided the Defense Department s cyber activities and peratins in supprt f U.S. natinal interests ver the last fur years. This new strategy sets priritized strategic gals and bjectives fr DD s cyber activities and missins t achieve ver the next five years. It fcuses n building capabilities fr effective cybersecurity and cyber peratins t defend DD netwrks, systems, and infrmatin; defend the natin against cyberattacks f significant cnsequence; and supprt peratinal and cntingency plans. This strategy builds n previus decisins regarding DD s Cyber Missin Frce and cyber wrkfrce develpment and prvides new and specific guidance t mitigate anticipated risks and capture pprtunities t strengthen U.S. natinal security. As a matter f first principle, cybersecurity is a team effrt within the U.S. Federal gvernment. T succeed in its missins the Defense Department must perate in partnership with ther Departments and Agencies, internatinal allies and partners, state and lcal gvernments, and, mst imprtantly, the private sectr. Cybersecurity Activities T supprt its missins in cyberspace, the Defense Department cnducts a range f activities utside f cyberspace t imprve cllective cybersecurity and prtect U.S. interests. Fr example, the Defense Department cperates with agencies f the U.S gvernment, with the private sectr, and with ur internatinal partners t share infrmatin, build alliances and partnerships, and fster nrms f respnsible behavir t imprve glbal strategic stability. Infrmatin sharing and interagency crdinatin. T secure and advance U.S. interests in cyberspace, DD seeks t share infrmatin and crdinate with U.S. gvernment agencies in an integrated fashin n a range f cyber activities. Fr example, if DD learns f malicius cyber activities that will affect imprtant U.S. netwrks and systems that are vital fr U.S. natinal and ecnmic security r public safety, DD supprts agencies like the Department f Hmeland Security (DHS) and the Federal Bureau f Investigatin (FBI) as they reach ut t U.S. entities, and ften ther cuntries, t share threat infrmatin such as technical indicatrs f a ptential attack. Such infrmatin sharing can significantly imprve an rganizatin s ability t defend itself against a brad range f cyberattacks. In additin t sharing infrmatin, DD partners with ther agencies f the U.S. gvernment t synchrnize peratins and t share lessns-learned and cybersecurity bestpractices. This includes incident management and netwrk defense respnse. Build bridges t the private sectr. Frm applicatin develpers t Internet Services Prviders, private cmpanies prvide the gds and services that make up cyberspace. The Defense Department relies n the private sectr t build its netwrks, prvide cybersecurity services, and research and Mr. Je Sciabica and Maj. Gen. J. Kevin McLaughlin sign an Air Frce Civil Engineer Center-Air Frces Cyber cllabratin agreement. The initiative is designed t enhance the security f industrial cntrl systems that supprt critical Air Frce infrastructures arund the wrld. (U.S. Air Frce pht by Shannn Carabajal) 3

12 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y develp advanced capabilities. The Defense Department has benefited frm private sectr innvatin thrughut its histry. Ging frward, DD will wrk clsely with the private sectr t validate and cmmercialize new ideas fr cybersecurity fr the Department. Building alliances, calitins, and partnerships abrad. The Defense Department engages in a brad array f activities t imprve cybersecurity and cyber peratins capacity abrad. DD helps U.S. allies and partners t understand the cyber threats they face and t build the cyber capabilities necessary t defend their netwrks and data. Allies and partners als ften have cmplementary capabilities that can augment thse f the United States, and the United States seeks t build strng alliances and calitins t cunter ptential adversaries cyber activities. Strategically, a unified calitin sends a message that the United States and its allies and partners are aligned in cllective defense. In additin t the Five Eyes treaty partners, DD wrks clsely with key partners in the Middle East, the Asia-Pacific, and Eurpe t understand the cybersecurity envirnment and build cyber defense capacity. Three Primary Missins in Cyberspace The President has established principles and prcesses fr gverning cyber peratins. The purpse f these principles and prcesses is t plan, develp, and use U.S. capabilities effectively, and t ensure that cyber peratins ccur in a manner cnsistent with the values that the United States prmtes dmestically and internatinally. The Defense Department has three primary cyber missins. First, DD must defend its wn netwrks, systems, and infrmatin. The U.S. military s dependence n cyberspace fr its peratins led the Secretary f Defense in 2011 t declare cyberspace as an peratinal dmain fr purpses f rganizing, training, and equipping U.S. military frces. The Defense Department must be able t secure its wn netwrks against attack and recver quickly if security measures fail. T this end, DD cnducts netwrk defense peratins n an nging basis t securely perate the Department f Defense Infrmatin Netwrk (DDIN). If and when DD detects indicatins f hstile activity within its netwrks, DD has quick-respnse capabilities t clse r mitigate vulnerabilities and secure its netwrks and systems. Netwrk defense peratins n DD netwrks cnstitute the vast majrity f DD s peratins in cyberspace. In additin t defense investments, DD must prepare and be ready t perate in an envirnment where access t cyberspace is cntested. During the Cld War, frces prepared t perate in an envirnment where access t cmmunicatins culd be interrupted by the adversary s advanced capabilities, t include the ptential use f an electrmagnetic pulse that culd disrupt satellite and ther glbal cmmunicatins capabilities. Cmmanders cnducted peridic exercises that required their teams t perate withut access t cmmunicatins systems. Thrugh years f practice and exercise, a culture f resilience tk rt in the military and units were ready and prepared t perate in cntested envirnments. Since the end f the Cld War, hwever, a yunger generatin has grwn increasingly mre accustmed t an envirnment f cnnectivity. The generatin f military men and wmen that grew up since the end f the Cld War have had near cnstant access t infrmatin and cmmunicatins, and the infrmatin revlutin has led t a mre agile and glbally adaptive frce. In the face f an escalating cyber threat, the lessns f the previus generatins must nw be passed dwn. The Defense Department must be able t carry ut its missins t defend the 4

13 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y cuntry. Organizatins must exercise and learn t perate withut the tls that have becme such a vital part f their daily lives and peratins. Fr its secnd missin, DD must be prepared t defend the United States and its interests against cyberattacks f significant cnsequence. While cyberattacks are assessed n a case-by-case and factspecific basis by the President and the U.S. natinal security team, significant cnsequences may include lss f life, significant damage t prperty, serius adverse U.S. freign plicy cnsequences, r serius ecnmic impact n the United States. If directed by the President r the Secretary f Defense, the U.S. military may cnduct cyber peratins t cunter an imminent r n-ging attack against the U.S. hmeland r U.S. interests in cyberspace. The purpse f such a defensive measure is t blunt an attack and prevent the destructin f prperty r the lss f life. DD seeks t synchrnize its capabilities with ther gvernment agencies t develp a range f ptins and methds fr disrupting cyberattacks f Navy Petty Officer 1st Class Jel Melendez, Naval Netwrk Warfare Cmmand infrmatin systems analysis, Air Frce Staff Sgt. Rgerick Mntgmery, U.S. Cyber Cmmand netwrk analysis, and Army Staff Sgt. Jacb Harding, 780th Military Intelligence Brigade cyber systems analysis, at an exercise during Cyber Flag 13-1 at Nellis Air Frce Base, NV. (U.S. Air Frce pht by Senir Airman Matthew Lancaster) significant cnsequence befre they can have an impact, t include law enfrcement, intelligence, and diplmatic tls. As a matter f principle, the United States will seek t exhaust all netwrk defense and law enfrcement ptins t mitigate any ptential cyber risk t the U.S. hmeland r U.S. interests befre cnducting a cyberspace peratin. The United States gvernment has a limited and specific rle t play in defending the natin against cyberattacks f significant cnsequence. The private sectr wns and perates ver ninety percent f all f the netwrks and infrastructure f cyberspace and is thus the first line f defense. One f the mst imprtant steps fr imprving the United States verall cybersecurity psture is fr cmpanies t priritize the netwrks and data that they must prtect and t invest in imprving their wn cybersecurity. While the U.S. gvernment must prepare t defend the cuntry against the mst dangerus attacks, the majrity f intrusins can be stpped thrugh relatively basic cybersecurity investments that cmpanies can and must make themselves. Third, if directed by the President r the Secretary f Defense, DD must be able t prvide integrated cyber capabilities t supprt military peratins and cntingency plans. There may be times when the President r the Secretary f Defense may determine that it wuld be apprpriate fr the U.S. military t cnduct cyber peratins t disrupt an adversary s militaryrelated netwrks r infrastructure s that the U.S. military can prtect U.S. interests in an area f peratins. Fr example, the United States military might use cyber peratins t terminate an nging cnflict n U.S. terms, r t disrupt an adversary s military systems t prevent the use f frce against U.S. interests. United States Cyber Cmmand (USCYBERCOM) may als be directed t cnduct cyber peratins, in crdinatin with ther U.S. gvernment agencies as apprpriate, t deter r defeat strategic threats in ther dmains. 5

14 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y T ensure that the Internet remains pen, secure, and prsperus, the United States will always cnduct cyber peratins under a dctrine f restraint, as required t prtect human lives and t prevent the destructin f prperty. As in ther dmains f peratins, in cyberspace the Defense Department will always act in a way that reflects enduring U.S. values, including supprt fr the rule f law, as well as respect and prtectin f the freedm f expressin and privacy, the free flw f infrmatin, cmmerce, and ideas. Any decisin t cnduct cyber peratins utside f DD netwrks is made with the utmst care and deliberatin and under strict plicy and peratinal versight, and in accrdance with the law f armed cnflict. As it makes its investments and builds cyber capabilities t defend U.S. natinal interests, the Defense Department will always be attentive t the ptential impact f defense plicies n state and nn-state actrs behavir. A New Cyber Missin Frce The Defense Department requires the cmmitment and crdinatin f multiple leaders and cmmunities acrss DD and the brader U.S. gvernment t carry ut its missins and execute this strategy. Defense Department law enfrcement, intelligence, cunterintelligence, and plicy rganizatins all have an active rle, as d the men and wmen that build and perate DD s netwrks and infrmatin technlgy systems. Every rganizatin needs t play its part. Fr example, netwrk service prviders acrss DD must be adaptive and active t fllw cybersecurity best-practices and cyber defense rders. U.S. Cyber Cmmand must synchrnize its activities with ther DD rganizatins, particularly cmbatant cmmands, t respnd t emerging challenges and pprtunities. Installatin wners and peratrs must partner with the Military Departments Cmputer Emergency Respnse Teams (CERTs), DHS, and USCYBERCOM t build adaptive defenses and cntinuity plans fr missin-critical systems and the civil systems that supprt them. Success requires creative and strng intra-departmental and interagency partnerships. Amng DD s cyber persnnel and frces, the Cyber Missin Frce (CMF) has a unique rle within the Department. In 2012, DD began t build a CMF t carry ut DD s cyber missins. Once fully peratinal, the CMF will include nearly 6,200 military, civilian, and cntractr supprt persnnel frm acrss the military departments and defense cmpnents. The Cyber Missin Frce represents a majr investment by the Department f Defense and the United States as whle, and a central aim f this strategy is t set specific gals and bjectives t guide the develpment f the Cyber Missin Frce and DD s wider cyber wrkfrce t prtect and defend U.S. natinal interests. The Cyber Missin Frce will be cmprised f cyber peratrs rganized int 133 teams, primarily aligned as fllws: Cyber Prtectin Frces will augment traditinal defensive measures and defend pririty DD netwrks and systems against pririty threats; Natinal Missin Frces and their assciated supprt teams will defend the United States and its interests against cyberattacks f significant cnsequence; and Cmbat Missin Frces and their assciated supprt teams will supprt cmbatant cmmands by generating integrated cyberspace effects in supprt f peratinal plans and cntingency peratins. Cmbatant cmmands integrate Cmbat Missin Frces and Cyber Prtectin Teams int plans and peratins and emply them in cyberspace, while the Natinal Missin Frce perates under the Cmmander f USCYBERCOM. Outside f this cnstruct, teams can als be used t supprt ther missins as required by the Department. 6

15 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y In 2013 the Department began t integrate the CMF int the larger multi-missin U.S. military frce t achieve synergy acrss dmains, assure the CMF s readiness within the frce, and restructure the military and civilian wrkfrce and infrastructure t execute DD s missins. During the curse f implementing this strategy, DD will cntinue t build the CMF, and will cntinue t mature the necessary cmmand, cntrl, and enabling rganizatins required fr effective peratins. DD will fcus n ensuring that its frces are trained and ready t perate using the capabilities and architectures they need t cnduct cyber peratins, cntinue t build plicy and legal framewrks t gvern CMF emplyment, and integrate the CMF int DD s verall planning and frce develpment. This strategy recgnizes that effective cybersecurity will require clse cllabratin within DD and acrss the federal gvernment, with industry, with internatinal allies and partners, and with state and lcal gvernments. The pursuit f security in cyberspace requires a whle-f-gvernment and internatinal apprach due t the number and variety f stakehlders in the dmain, the flw f infrmatin acrss internatinal brders, and the distributin f respnsibilities, authrities, and capabilities acrss gvernments and the private sectr. Fr each f DD s missins, DD must cntinue t develp rutine relatinships and prcesses fr crdinating its cyber peratins. Specific risks and pprtunities infrm this new strategy. Fr example, DD s wn netwrk is a patchwrk f thusands f netwrks acrss the glbe, and DD lacks the visibility and rganizatinal structure required t defend its diffuse netwrks effectively. The Defense Department must further develp adequate warning intelligence f adversary intentins and capabilities fr cnducting destructive and disruptive cyberattacks against DD and the United States. Beynd its wn netwrks, DD relies n civil critical infrastructure acrss the United States and verseas fr its peratins, yet the cybersecurity f such critical infrastructure is uncertain. T mitigate these and ther risks and imprve U.S. natinal security, this strategy sets strategic gals fr the Department t achieve, and prescribes bjectives and metrics fr meeting each gal. All f the gals and bjectives within this strategy reflect the gals f the 2015 United States Natinal Security Strategy and the 2014 Quadrennial Defense Review. DD sets five strategic gals fr its cyberspace missins: U.S. Strategic Cmmand serves as the Defense Department s glbal synchrnizer fr capabilities that affect every cmbatant cmmand. Here the sun sets ver sme f the assets that prvide capabilities at Frward Operating Base Sharana in Afghanistan s Paktika prvince. (U.S. Army pht by Spc. Raymnd Schaeffer) 1. Build and maintain ready frces and capabilities t cnduct cyberspace peratins; 2. Defend the DD infrmatin netwrk, secure DD data, and mitigate risks t DD missins; 7

16 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y 3. Be prepared t defend the U.S. hmeland and U.S. vital interests frm disruptive r destructive cyberattacks f significant cnsequence; 4. Build and maintain viable cyber ptins and plan t use thse ptins t cntrl cnflict escalatin and t shape the cnflict envirnment at all stages; 5. Build and maintain rbust internatinal alliances and partnerships t deter shared threats and increase internatinal security and stability. 8

17 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y Key Cyber Threats Frm , the Directr f Natinal Intelligence named the cyber threat as the number ne strategic threat t the United States, placing it ahead f terrrism fr the first time since the attacks f September 11, Ptential state and nn-state adversaries cnduct malicius cyber activities against U.S. interests glbally and in a manner intended t test the limits f what the United States and the internatinal cmmunity will tlerate. Actrs may penetrate U.S. netwrks and systems fr a variety f reasns, such as t steal intellectual prperty, disrupt an rganizatin s peratins fr activist purpses, r t cnduct disruptive and destructive attacks t achieve military bjectives. Ptential adversaries have invested significantly in cyber as it prvides them with a viable, plausibly deniable capability t target the U.S. hmeland and damage U.S. interests. Russia and China have develped advanced cyber capabilities and strategies. Russian actrs are stealthy in their cyber tradecraft and their intentins are smetimes difficult t discern. China steals intellectual prperty (IP) frm glbal businesses t benefit Chinese cmpanies and undercut U.S. cmpetitiveness. While Iran and Nrth Krea have less develped cyber capabilities, they have displayed an vert level f hstile intent twards the United States and U.S. interests in cyberspace. In additin t state-based threats, nn-state actrs like the Islamic State in Iraq and the Levant (ISIL) use cyberspace t recruit fighters and disseminate prpaganda and have declared their intent t acquire disruptive and destructive cyber capabilities. Criminal actrs pse a cnsiderable threat in cyberspace, particularly t financial institutins, and idelgical grups ften use hackers t further their plitical bjectives. State and nn-state threats ften als blend tgether; patritic entities ften act as cyber surrgates fr states, and nn-state entities can prvide cver fr state-based peratrs. This behavir can make attributin mre difficult and increases the chance f miscalculatin. Malware Prliferatin The glbal prliferatin f malicius cde r sftware ( malware ) increases the risk t U.S. netwrks and data. T cnduct a disruptive r destructive cyber peratin against a military system r industrial cntrl system requires expertise, but a ptential adversary need nt spend 9

18 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y billins f dllars t develp an ffensive capability. A natin-state, nn-state grup, r individual actr can purchase destructive malware and ther capabilities n the black market. State and nn-state actrs als pay experts t search fr vulnerabilities and develp explits. This practice has created a dangerus and uncntrlled market that serves multiple actrs within the internatinal system, ften fr cmpeting purpses. As cyber capabilities becme mre readily available ver time, the Department f Defense assesses that state and nn-state actrs will cntinue t seek and develp cyber capabilities t use against U.S. interests. Risk t DD Netwrks and Infrastructure The Defense Department s wn netwrks and systems are vulnerable t intrusins and attacks. In additin t DD s wn netwrks, a cyberattack n the critical infrastructure and key resurces n which DD relies fr its peratins culd impact the U.S. military s ability t perate in a cntingency. DD has made gains in identifying cyber vulnerabilities f its wn critical assets thrugh its Missin Assurance Prgram fr many key assets, DD has identified its physical netwrk infrastructure n which key physical assets depend but mre must be dne t secure DD s cyber infrastructure. In additin t destructive and disruptive attacks, cyber actrs steal peratinal infrmatin and intellectual prperty frm a range f U.S. gvernment and cmmercial entities that impact the Defense Department. Victims include weapns develpers as well as cmmercial firms that supprt frce mvements thrugh U.S. Transprtatin Cmmand (USTRANSCOM). State actrs have stlen DD s intellectual prperty t undercut the United States strategic and technlgical advantage and t benefit their wn military and ecnmic develpment. Finally, the Defense Department faces a risk frm the U.S. gvernment s cntinued budgetary uncertainty. Althugh DD has priritized the allcatin f resurces in its budget t develp cyber capabilities, cntinued fiscal uncertainty requires that DD plan t build its cyber capabilities under a declining verall defense budget. DD must cntinue t priritize its cyber investments and develp the capabilities required t defend U.S. interests at hme and verseas. Deterrence in the Future Security Envirnment In the face f an escalating threat, the Department f Defense must cntribute t the develpment and implementatin f a cmprehensive cyber deterrence strategy t deter key state and nn-state actrs frm cnducting cyberattacks against U.S. interests. Because f the variety and number f state and nn-state cyber actrs in cyberspace and the relative availability f destructive cyber tls, an effective deterrence strategy requires a range f plicies and capabilities t affect a state r nn-state actrs behavir. As DD builds its Cyber Missin Frce and verall capabilities, DD assumes that the deterrence f cyberattacks n U.S. interests will nt be achieved thrugh the articulatin f cyber plicies alne, but thrugh the ttality f U.S. actins, including declaratry plicy, substantial indicatins and warning capabilities, defensive psture, effective respnse prcedures, and the verall resiliency f U.S. netwrks and systems. The deterrence f state and nn-state grups in cyberspace will thus require the fcused attentin f multiple U.S. gvernment departments and agencies. The Department f Defense has a number f specific rles t play in this equatin. 10

19 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y Deterrence is partially a functin f perceptin. It wrks by cnvincing a ptential adversary that it will suffer unacceptable csts if it cnducts an attack n the United States, and by decreasing the likelihd that a ptential adversary s attack will succeed. The United States must be able t declare r display effective respnse capabilities t deter an adversary frm initiating an attack; develp effective defensive capabilities t deny a ptential attack frm succeeding; and strengthen the verall resilience f U.S. systems t withstand a ptential attack if it penetrates the United States defenses. In additin, the United States requires strng intelligence, frensics, and indicatins and warning capabilities t reduce annymity in cyberspace and increase cnfidence in attributin. Respnse: The United States has been clear that it will respnd t a cyberattack n U.S. interests thrugh its defense capabilities. The United States has articulated this declaratry plicy in the 2011 United States Internatinal Strategy fr Cyberspace, in the Department f Defense Cyberspace Plicy Reprt t Cngress f 2011, and thrugh public statements by the President and the Secretary f Defense. The United States will cntinue t respnd t cyberattacks against U.S. interests at a time, in a manner, and in a place f ur chsing, using apprpriate instruments f U.S. pwer and in accrdance with applicable law. Denial: While DD has made prgress in building the Cyber Missin Frce, DD must increase its defensive capabilities t defend DD netwrks and defend the natin frm sphisticated cyberattacks, and must wrk with ther departments, agencies, internatinal allies and partners, and the private sectr t strengthen deterrence by denial thrugh imprved cybersecurity. Resilience: Because the Defense Department s capabilities cannt necessarily guarantee that every cyberattack will be denied successfully, the Defense Department must invest in resilient and redundant systems s that it may cntinue its peratins in the face f Airman 1st Class Nate Hammnd adjusts the frequency f a Rll-On Beynd Line f Sight Enhancement, r ROBE, data link system at the Transit Center at Manas, Kyrgyzstan. A ROBE cnnects manpwer assets n the grund t ther grund r airbrne units. (U.S. Air Frce pht/senir Airman Brett Clashman) disruptive r destructive cyberattacks n DD netwrks. The Defense Department cannt, hwever, fster resilience in rganizatins that fall utside f its authrity. In rder fr resilience t succeed as a factr in effective deterrence, ther agencies f the gvernment must wrk with critical infrastructure wners and peratrs and the private sectr mre bradly t develp resilient and redundant systems that can withstand a ptential attack. Effective resilience measures can help cnvince ptential adversaries f the futility f cmmencing cyberattacks n U.S. netwrks and systems. Attributin is a fundamental part f an effective cyber deterrence strategy as annymity enables malicius cyber activity by state and nn-state grups. On matters f intelligence, attributin, and warning, DD and the intelligence cmmunity have invested significantly in all surce 11

20 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y cllectin, analysis, and disseminatin capabilities, all f which reduce the annymity f state and nn-state actr activity in cyberspace. Intelligence and attributin capabilities help t unmask an actr s cyber persna, identify the attack s pint f rigin, and determine tactics, techniques, and prcedures. Attributin enables the Defense Department r ther agencies t cnduct respnse and denial peratins against an incming cyberattack. Public and private attributin can play a significant rle in dissuading cyber actrs frm cnducting attacks in the first place. The Defense Department will cntinue t cllabrate clsely with the private sectr and ther agencies f the U.S. gvernment t strengthen attributin. This wrk will be especially imprtant fr deterrence as activist grups, criminal rganizatins, and ther actrs acquire advanced cyber capabilities ver time. Finally, cyber capabilities present state and nn-state actrs with the ability t strike at U.S. interests in a manner that may r may nt necessarily warrant a purely military respnse by the United States, but which may nnetheless present a significant threat t U.S. natinal security and may warrant a nn-military respnse f sme kind. In respnse t certain attacks and intrusins, the United States may undertake diplmatic actins, take law enfrcement actins, and cnsider ecnmic sanctins. Fr example, the United States used verifiable and attributable data t engage China abut the risks psed by its ecnmic espinage. The attributin f this data allwed the United States t express cncerns regarding the impact f Chinese intellectual prperty theft n U.S. ecnmic cmpetitiveness, and the ptential risks psed t strategic stability by Chinese activity. Because they brke the law and t deter China frm cnducting future cyber espinage, the Justice Department indicted five members f the Peple s Liberatin Army fr stealing U.S. intellectual prperty t directly benefit Chinese cmpanies. The Defense Department will supprt the Justice Department and ther agencies in explring new tls and capabilities t help deter such activity in cyberspace. 12

21 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y III. STRATEGIC GOALS T mitigate risks and defend U.S. interests in the current and future security envirnment, the Defense Department utlines five strategic gals and specific bjectives fr its activities and missins. STRATEGIC GOAL I: BUILD AND MAINTAIN READY FORCES AND CAPABILITIES TO CONDUCT CYBERSPACE OPERATIONS. T perate effectively in cyberspace, DD requires frces and persnnel that are trained t the highest standard, ready, and equipped with best-in-class technical capabilities. In 2013 DD initiated a majr investment in its cyber persnnel and technlgies by initiating the CMF; nw DD must make gd n that investment by training its peple, building effective rganizatins and cmmand and cntrl systems, and fully develping the capabilities that DD requires t perate in cyberspace. This strategy sets specific bjectives fr DD t meet as it mans, trains, and equips its frces and persnnel ver the next five years and beynd. STRATEGIC GOAL II: DEFEND THE DOD INFORMATION NETWORK, SECURE DOD DATA, AND MITIGATE RISKS TO DOD MISSIONS. While DD cannt defend every netwrk and system against every kind f intrusin DD s ttal netwrk attack surface is t large t defend against all threats and t vast t clse all vulnerabilities DD must take steps t identify, priritize, and defend its mst imprtant netwrks and data s that it can carry ut its missins effectively. DD must als plan and exercise t perate within a degraded and disrupted cyber envirnment in the event that an attack n DD s netwrks and data succeeds, r if aspects f the critical infrastructure n which DD relies fr its peratinal and cntingency plans are disrupted. Finally, DD must raise the bar n technlgy and innvatin t stay ahead f the threat by enhancing its cyber defense capabilities, including by building and emplying a mre defendable netwrk architecture in the Jint Infrmatin Envirnment (JIE). Outside f DD netwrks, DD must wrk with the private sectr t help secure defense industrial base trade 13

22 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y data, and be prepared t assist ther agencies in hardening U.S. netwrks and data against cyberattacks and cyber espinage. STRATEGIC GOAL III: BE PREPARED TO DEFEND THE U.S. HOMELAND AND U.S. VITAL INTERESTS FROM DISRUPTIVE OR DESTRUCTIVE CYBERATTACKS OF SIGNIFICANT CONSEQUENCE. Cyber Flag 14-1 participants analyze an exercise scenari in the Red Flag building at Nellis Air Frce Base, NV. Cyber Flag fcuses n exercising USCYBERCOM s missin f perating and defending DD netwrks acrss the full spectrum f peratins against a realistic adversary in a virtual envirnment. (U.S. Air Frce pht by Airman 1st Class Christpher Tam) The Department f Defense must wrk with its interagency partners, the private sectr, and allied and partner natins t deter and if necessary defeat a cyberattack f significant cnsequence n the U.S. hmeland and U.S. interests. The Defense Department must develp its intelligence, warning, and peratinal capabilities t mitigate sphisticated, malicius cyberattacks befre they can impact U.S. interests. Cnsistent with all applicable laws and plicies, DD requires granular, detailed, predictive, and actinable intelligence abut glbal netwrks and systems, adversary capabilities, and malware brkers and markets. T defend the natin, DD must build partnerships with ther agencies f the gvernment t prepare t cnduct cmbined cyber peratins t deter and if necessary defeat aggressin in cyberspace. The Defense Department is fcused n building the capabilities, prcesses, and plans necessary t succeed in this missin. STRATEGIC GOAL IV: BUILD AND MAINTAIN VIABLE CYBER OPTIONS AND PLAN TO USE THOSE OPTIONS TO CONTROL CONFLICT ESCALATION AND TO SHAPE THE CONFLICT ENVIRONMENT AT ALL STAGES. During heightened tensins r utright hstilities, DD must be able t prvide the President with a wide range f ptins fr managing cnflict escalatin. If directed, DD shuld be able t use cyber peratins t disrupt an adversary s cmmand and cntrl netwrks, military-related critical infrastructure, and weapns capabilities. As a part f the full range f tls available t the United States, DD must develp viable cyber ptins and integrate thse ptins int Departmental plans. DD will develp cyber capabilities t achieve key security bjectives with precisin, and t minimize lss f life and destructin f prperty. T ensure unity f effrt, DD will enable cmbatant cmmands t plan and synchrnize cyber peratins with kinetic peratins acrss all dmains f military peratins. 14

23 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y STRATEGIC GOAL V: BUILD AND MAINTAIN ROBUST INTERNATIONAL ALLIANCES AND PARTNERSHIPS TO DETER SHARED THREATS AND INCREASE INTERNATIONAL SECURITY AND STABILITY. All three f DD s cyber missins require clse cllabratin with freign allies and partners. In its internatinal cyber engagement DD seeks t build partnership capacity in cybersecurity and cyber defense, and t deepen peratinal partnerships where apprpriate. Given the high demand and relative scarcity f cyber resurces, the Department f Defense must make hard chices and fcus its partnership capacity initiatives n areas where vital U.S. natinal interests are stake. Over the next five years, in additin t nging partner capacity building effrts in ther regins, DD will fcus its internatinal engagement n: the Middle East, the Asia-Pacific, and key NATO allies. Thrugh the curse f this strategy DD will cnstantly assess the internatinal envirnment and develp innvative partnerships t respnd t emerging challenges and pprtunities. 15

24 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y THIS PAGE LEFT INTENTIONALLY BLANK 16

25 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y IV. IMPLEMENTATION OBJECTIVES Each f DD s strategic gals requires specific, measurable bjectives fr the Department t achieve. The Office f the Principal Cyber Advisr t the Secretary f Defense, the Office f the Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics, and the Jint Staff will wrk with DD cmpnents t priritize and versee the implementatin f this strategy and its bjectives and t assign ffices f primary and supprt respnsibility fr managing each bjective. The ffice f primary respnsibility will develp a prject plan fr each bjective; the Principal Cyber Advisr will track prgress in achieving each bjective and ultimately the success f each strategic gal. STRATEGIC GOAL I: BUILD AND MAINTAIN READY FORCES AND CAPABILITIES TO CONDUCT CYBERSPACE OPERATIONS. Build the cyber wrkfrce. T make gd n DD s significant investment in cyber persnnel, and t help achieve many f the bjectives in this strategy, DD s first pririty is t develp a ready Cyber Missin Frce and assciated cyber wrkfrce. This wrkfrce will be built n three fundatinal pillars: enhanced training; imprved military and civilian recruitment and retentin; and strnger private sectr supprt. Maintain a persistent training envirnment. DD requires an individual and cllective training capability t achieve the gals utlined in this strategy and t meet future peratinal requirements. U.S. Cyber Cmmand will wrk with ther cmpnents, agencies, and military departments t define the requirements fr and create a training envirnment that will enable the ttal cyber frce t cnduct jint training (including exercises and missin rehearsals), experimentatin, certificatin, as well as the assessment and develpment f cyber capabilities and tactics, techniques, and prcedures fr missins that crss bundaries and netwrks. 17

26 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y Build viable career paths. Thrughut the curse f this strategy, and fllwing the CMF decisins f 2013, DD will cntinue t fster viable career paths fr all military persnnel perfrming and supprting cyber peratins. Draw n the Natinal Guard and Reserve. Thrughut the curse f this strategy, DD will draw n the Natinal Guard and Reserve Cmpnents as a resurce fr expertise and t fster creative slutins t cybersecurity prblems. The Reserve Cmpnent ffers a unique capability fr supprting each f DD s missins, including fr engaging the defense industrial base and the cmmercial sectr. It represents DD s critical surge capacity fr cyber respnders. Imprve civilian recruitment and retentin. In additin t develping highly-skilled military persnnel, DD must recruit and retain highly-skilled civilian persnnel, including technical persnnel fr its ttal cyber wrkfrce. Civilians must fllw a welldevelped career develpment and advancement track and be prvided with best-inclass pprtunities t develp and succeed within the wrkfrce. Develp and implement exchange prgrams with the private sectr. T supplement DD s civilian cyber wrkfrce, DD must be able t emply technical subject matter experts frm the best cybersecurity and infrmatin technlgy cmpanies in the cuntry t perfrm unique engineering and analytic rles within DD. The Defense Department will implement successful private sectr exchange prgrams t bring measurable benefits t the Department f Defense thrugh the design and develpment f new peratinal cncepts fr DD s cyberspace missins. Supprt the Natinal Initiative fr Cyberspace Educatin. DD will develp plicies t supprt the Natinal Initiative fr Cybersecurity Educatin. Wrking with interagency partners, ne r mre educatinal institutins, as well as state and private sectr partners, DD will cntinue t supprt innvative wrkfrce develpment partnerships fcused n bth the technical and plicy dimensins f cybersecurity and cyber defense. Build technical capabilities fr cyber peratins. In 2013, DD develped a mdel fr achieving CMF readiness and fr develping viable cyber military ptins t present t the President and Secretary f Defense. DD must have the technical tls available t cnduct peratins in supprt f cmbatant cmmand missins. Key initiatives include the fllwing: Develp the Unified Platfrm. On the basis f planning requirements, DD will develp the detailed requirements fr integrating disparate cyber platfrms and building an interperable and extendable netwrk f cyber capabilities. This Unified Platfrm will enable the CMF t cnduct full-spectrum cyberspace peratins in supprt f natinal requirements. Accelerate research and develpment. The Defense Department will cntinue t accelerate innvative cyber research and develpment t build cyber capabilities. The 18

27 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y DD research and develpment cmmunity as well as established and emerging private sectr partners can prvide DD and the natin with a significant advantage in develping leap-ahead technlgies t defend U.S. interests in cyberspace. In additin t supprting current and planned investments, DD will fcus its basic and applied research agenda n develping cyber capabilities t expand the capacity f the CMF and the brader DD cyber wrkfrce. Validate and cntinually refine an adaptive cmmand and cntrl mechanism fr cyber peratins. DD has made significant prgress in recent years in develping cmmand and cntrl fr all three f its missins, but its cmmand and cntrl mdel must be finalized, resurced, and tested t ensure effectiveness. The cmmand and cntrl mdel must supprt USCYBERCOM and the cmbatant cmmands. It must be efficient and practical, and must prmte unity f effrt f effrt acrss all three cyber missins. Establish an enterprise-wide cyber mdeling and simulatin capability. DD will wrk in cllabratin with the intelligence cmmunity t develp the data schema, databases, algrithms, and mdeling and simulatin (M&S) capabilities necessary t assess the effectiveness f cyber peratins. Assess Cyber Missin Frce capacity. Assess the capacity f the prjected Cyber Missin Frce t achieve its missin bjectives when cnfrnted with multiple cntingencies. The Jint Staff, with supprt frm USCYBERCOM and ther DD cmpnents, will prpse, cllect, analyze, and reprt a set f apprpriate metrics t the Principal Cyber Advisr t measure the peratinal capacity f the CMF. These metrics will include updates n the status f USCYBERCOM cntingency capabilities, t include Air Frce Tech Sgt. Kevin Garner and Air Frce Senir Airman David Slnk, cyber transprt technicians assigned t the 354 th Cmmunicatins Squadrn, hk cables in t the new Air Frce Netwrk ruter system at Eielsn Air Frce Base, AK. (U.S. Air Frce pht by Staff Sgt. Christpher Bitz) capability develpment and prficiency as well as accesses and tls that may be required in a cntingency. In respnse t this analysis, DD will develp a plan fr ensuring that the CMF has the apprpriate capacity and flexibility available t respnd t changes in the strategic envirnment. STRATEGIC GOAL II: DEFEND THE DOD INFORMATION NETWORK, SECURE DOD DATA, AND MITIGATE RISKS TO DOD MISSIONS. Build the Jint Infrmatin Envirnment (JIE) single security architecture. The Defense Department will build DD infrmatin netwrks t meet the JIE s single security 19

28 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y architecture. The single security architecture will adapt and evlve t mitigate cyber threats; it will help DD t develp and fllw best-in-class cybersecurity practices, and its small netwrk ftprint will allw USCYBERCOM, cmbatant cmmands, and DD cmpnents t maintain cmprehensive situatinal awareness f netwrk threats and mitigatins. The JIE s single security architecture will enable a rbust netwrk defense and shift the fcus frm prtecting service-specific netwrks and systems t securing the DD enterprise in a unified manner. The JIE s single security architecture must be develped with enhanced cyber situatinal awareness, deplyed in respnse t validated requirements, and able t accmmdate future defensive measures. As a part f JIE planning DD will develp a framewrk fr develping and integrating new defensive techniques int DD s cybersecurity architecture, t include anmalybased detectin capabilities, data analytics t identify vulnerabilities and threats, and advanced encryptin methds. Assess and ensure the effectiveness f the Jint Frce Headquarters fr DD infrmatin netwrk (DDIN) peratins. Operating under USCYBERCOM, the Jint Frce Headquarters-DDIN will crdinate netwrk defense and mitigate cyber risks t DD peratins and missins acrss the defense enterprise. DD will assess, validate, and fully implement the Jint Frce Headquarters-DDIN cncept t perate DD netwrks securely, defend DD netwrks, and mitigate cyber risks t DD missins. Mitigate knwn vulnerabilities. The Defense Department will implement a capability t mitigate all knwn vulnerabilities that present a high risk t DD netwrks and data. In additin t zer-day vulnerabilities, ne f the greatest threats t DD netwrks and systems lies in knwn, high-risk vulnerabilities that ptential adversaries can explit. DD ften finds itself rushing t clse vulnerabilities nce an adversary has penetrated a system. The DD Chief Infrmatin Officer (CIO) will lead an effrt t implement an autmated patch management capability t distribute sftware and cnfiguratin patches, updates, and fixes t mitigate knwn, majr vulnerabilities n DD netwrks and systems against threats. Assess DD s cyber defense frces. The Defense Department will assess its cyber defense frces ability t cnduct integrated, adaptive, and dynamic defensive peratins. Enterprise-level and Cyber Prtectin Team (CPT) netwrk defenders must be able t discver, detect, analyze, and mitigate threats and vulnerabilities t defend the DD infrmatin netwrk. Imprve the effectiveness f the current DD Cmputer Netwrk Defense Service Prvider (CNDSP) cnstruct in defending and prtecting DD netwrks. Cmputer netwrk defense service prviders deliver cybersecurity slutins fr DD netwrks, t include mnitring, detectin, and prtectin capabilities. The Defense Department will determine whether current CNDSP prcesses are sufficient t defend netwrks against knwn and prjected threats in cyberspace and whether current CNDSP frces are adequately trained and equipped t defend against advanced threats. Finally, DD will 20

29 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y determine whether its CNDSP frces can integrate int the brader cyberspace cmmand and cntrl cnstruct and hw that integrated cnstruct will perfrm in the face f cyber threats that span CNDSP and CPT prtected netwrks and data. Plan fr netwrk defense and resilience. The Defense Department must identify and plan t defend the netwrks that supprt key DD missins. The Department must make a careful assessment f the pririty assets that it must defend in cyberspace t assure DD missins and exercise t defend thse assets effectively. Integrate cyber int missin assurance assessments. The Defense Department will integrate cybersecurity requirements and assessments int the DD Missin Assurance prgram and update DD plicy apprpriately. Currently DD cmpnents take varying appraches t measuring and assessing cyber risks fr missin assurance. DD will develp a Jint Missin Assurance Assessment Prgram that includes the integratin f cybersecurity assessments, cybersecurity requirements, and cyber peratins requirements. Assess Cyber Prtectin Team (CPT) capabilities. DD will cmplete an assessment f CPT capacity, capability, and emplyment mdel in regard t missin assurance pririties as set by cmbatant cmmand requirements. Sldiers mnitr netwrks in the Cyber Missin Unit Operatins Center at the Army's Cyber Center f Excellence, Frt Grdn, GA. (Pht by Michael L. Lewis) Imprve weapns systems cybersecurity. DD will assess and initiate imprvements t the cybersecurity f current and future weapns systems, ding s n the basis f peratinal requirements. Fr all future weapns systems that DD will acquire r prcure, DD will mandate specific cybersecurity standards fr weapns systems t meet. Acquisitin and prcurement plicy and practice will be updated t prmte effective cybersecurity thrughut a system s life cycle. Build and exercise cntinuity plans. All DD cmpnents will identify and build resiliency plans t maintain cntinuity f their mst critical peratins in the event f netwrk disruptin and degradatin. Military campaign plans must fully incrprate the ability t perate in a degraded cyber envirnment; military frces must exercise and be able t cnduct military campaigns in a degraded cyber envirnment where access t netwrks and data is uncertain. Cmpnents must balance cyber risks effectively t ensure that they can cntinue t carry ut their missins in the physical wrld. Red team DD s netwrk defenses. The Defense Department has develped mature red team capabilities t test vital netwrks and missin systems fr vulnerabilities and t better 21

30 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y prepare its cyber defense frces. Ging frward, DD must fcus its red team capabilities n pririty netwrks and missin systems t assure DD s ability t carry ut its mst critical missins. As a part f this wrk, every majr DD exercise shuld include a cyber red team t test DD's cyber defenses in a realistic scenari where the Department culd have its peratins disrupted by an adversary. Cmpnents will be audited regularly t ensure prgress in incrprating red team findings and imprving their cybersecurity psture. Mitigate the risk f insider threats. The natin's defense depends upn the fidelity f thse entrusted with the natin's secrets. The Defense Department has invested in the technlgical and persnnel slutins necessary t identify threats befre they can impact U.S. natinal security. The Defense Department cntinues t deply and implement these slutins thrugh cntinuus netwrk mnitring, imprved cybersecurity training fr the wrkfrce, and imprved methds fr identifying, reprting, and tracking suspicius behavir. This wrk extends beynd infrmatin technlgy and includes matters f persnnel and reliability. Mitigating the insider threat requires gd leadership and accuntability thrughut the wrkfrce. Beynd implementing plicies and prtcls, leaders will strive t create a culture f awareness t anticipate, detect, and respnd t insider threats befre they have an impact. Exercise t prvide Defense Supprt f Civil Authrities. Under its existing and planned frce structure, DD will develp a framewrk and exercise its Defense Supprt f Civil Authrities (DSCA) capabilities in supprt f DHS and ther agencies and with state and lcal authrities t help defend the federal gvernment and the private sectr in an emergency if directed. DD s annual exercise prgram, t include Cyber Guard, will include exercising with DHS and the FBI fr cntingencies that may require emergency allcatin f frces t help prtect critical infrastructure, under partner agencies lead. This framewrk will describe hw cmbatant cmmands and cmbat supprt agencies can partner with DHS and FBI and ther agencies t imprve integratin, training and supprt. Members f the Ohi Natinal Guard Cmputer Netwrk Defense Team cnduct cyber defense peratins during exercise Cyber Shield 2015 at Camp Atterbury, IN. (Ohi Natinal Guard pht by Staff Sgt. Gerge Davis) Define and refine the Natinal Guard s rle in supprting law enfrcement, Hmeland Defense, and Defense Supprt f Civil Authrities missins. DD will wrk with the Natinal Guard t define the crdinate, train, advise, and assist (C/TAA) rles f the Natinal Guard frce and refine implementatin thrugh Cyber Guard Under its existing and planned frce structure, 22

31 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y Natinal Guard frces will exercise t crdinate, train, advise, and assist state and lcal agencies and dmestic critical infrastructure and t prvide supprt t law enfrcement, Hmeland Defense, and Defense Supprt f Civil Authrities activities in supprt f natinal bjectives. Imprve accuntability and respnsibility fr the prtectin f data acrss DD and the DIB. The Defense Department will ensure that plicies and any assciated federal rules r cntract language requirements have been implemented t require DIB cmpanies t reprt data theft and lss t the Defense Cyber Crime Center. DD will cntinue t assess Defense Federal Acquisitin Regulatin Supplement (DFARS) rules and assciated guidance t ensure they mature ver time in a manner cnsistent with knwn standards fr prtecting data frm cyber adversaries, t include standards prmulgated by the Natinal Institute f Standards and Technlgy (NIST). DD will cntinue t expand cmpanies' participatin in threat infrmatin sharing prgrams, such as the Cyber Security/Infrmatin Assurance prgram. As the certificatin authrity fr DIB cleared defense cntractr sites, the Defense Security Service will expand educatin and training prgrams t include material fr DD persnnel and DIB cntractrs t enhance their cyber threat awareness. In additin, the Office f the Under Secretary f Defense fr Intelligence will review the sufficiency f current classificatin guidance fr critical acquisitin and technlgy prgrams t prtect infrmatin n cntractr netwrks. Strengthen DD s prcurement and acquisitin cybersecurity standards. T defend DD netwrks, DD must strengthen the cybersecurity requirements f DD s netwrk acquisitin and prcurement items by integrating cybersecurity standards int cntract vehicles fr research, develpment, and prcurement. DD will specify additinal cybersecurity standards fr industry t meet fr cmpnents f any DD prcurement item. Build cllabratin between the acquisitin, intelligence, cunterintelligence, law enfrcement, and peratins cmmunities t prevent, mitigate, and respnd t data lss. DD will establish a Jint Acquisitin Prtectin and Explitatin Cell (JAPEC) t link intelligence, cunterintelligence, and law enfrcement agents with acquisitin prgram managers t prevent and mitigate data lss and theft. DD will cnduct cmprehensive risk and damage assessments f cyber espinage and theft t infrm requirements, acquisitin, prgrammatic, and cunterintelligence curses f actin. The DD CIO, in cllabratin with the Office f the Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics, will assess and update specific infrmatin system security cntrls that underpin the DFARs fr defense cntractrs within the NIST and DFARS standards. 23

32 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y T safeguard critical prgrams and technlgies DD will wrk with cmpanies t develp alert capabilities and build layered cyber defenses. Finally, the Defense Cyber Crime Center, the Principal Cyber Advisr t the Secretary f Defense, and the Office f the Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics will cllabrate with the Services' Damage Assessment Management Offices t streamline risk and damage assessment prcesses t better infrm decisins t maintain, mdify, r cancel penetrated prgrams. Use DD cunterintelligence capabilities t defend against intrusins. The Military Departments and the Under Secretary f Defense fr Intelligence, in cnsultatin with the Principal Cyber Advisr, will develp a strategy fr the Secretary f Defense s apprval that maximizes the capabilities and authrities f the military departments cunterintelligence agencies t identify, attribute, and defend against cyber intruders. Cunterintelligence authrities are uniquely psitined t imprve ur insight int and frustrate and defeat cyber espinage. The strategy will specify hw DD s cunterintelligence agencies will cllabrate mre effectively with the brader U.S. intelligence and law enfrcement cmmunities n investigatins and human and technical peratins t thwart cyber-enabled intellectual prperty theft against the United States and its allies and partners. Supprt whle-f-gvernment plicies and capabilities t cunter intellectual prperty theft. The Defense Department will cntinue t wrk with ther agencies f the U.S. gvernment t cunter the threat psed by intellectual prperty theft thrugh cyberspace. STRATEGIC GOAL III: BE PREPARED TO DEFEND THE U.S. HOMELAND AND U.S. VITAL INTERESTS FROM DISRUPTIVE OR DESTRUCTIVE CYBERATTACKS OF SIGNIFICANT CONSEQUENCE. Cntinue t develp intelligence and warning capabilities t anticipate threats. T defend the natin against cyberattacks f significant cnsequence, DD will wrk with the brader intelligence cmmunity t develp intelligence capabilities abut adversary activities and prepare t disrupt cyberattacks befre they can impact the U.S. hmeland and U.S. interests. T meet cmbatant cmmand cntingency requirements, DD will expand its intelligence f key adversary human and technical netwrks. T perate effectively in cyberspace DD requires cyber intelligence and warning and shared situatinal awareness thrugh all phases f a ptential peratin. All intelligence cllectin will fllw the law and guidance utlined in executive rders. Develp and exercise capabilities t defend the natin. The Natinal Missin Frce and ther relevant DD cmpnents will train and partner with key interagency rganizatins 24

33 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y t prepare t cnduct cyber peratins t defend the natin frm cyberattacks f significant cnsequence. In additin, DD will practice emergency prcedures thrugh regular exercises at all levels f the Department and supprt interagency exercises t practice emergency and deliberate cyber actin prcedures. Build partnerships t defend the natin. DD will have a framewrk in place t cperate with ther gvernment agencies t cnduct defend the natin peratins. DD will wrk with FBI, CIA, DHS and ther agencies t build relatinships and integrate capabilities t prvide the President with the widest range f ptins available t respnd t a cyberattack f significant cnsequence t the United States. Cnduct an annual cmprehensive review f DD s defend the natin capabilities. The Defense Department s requirements and capabilities fr its missin t defend the natin against cyberattacks f significant cnsequence The Defense Advanced Research Prjects Agency (DARPA) Plan X prgram is a fundatinal cyber warfare prgram that is develping platfrms fr the Defense Department. DARPA uses advanced tuch-table displays t use finger gestures and mtins t advance the state f the art in cyber peratins. (Pht curtesy f DARPA) will evlve ver time. On an annual basis, DD will cnduct an in-depth review f the capabilities available and required fr the missin. As a part f this review, DD will validate new requirements and identify gaps and initiatives t pursue. Develp innvative appraches t defending U.S. critical infrastructure. DD will wrk with DHS t imprve the Enhanced Cybersecurity Services prgram and encurage additinal critical infrastructure entities t participate, with a particular emphasis n increasing the number f defense critical infrastructure participants. Develp autmated infrmatin sharing tls. T imprve shared situatinal awareness DD will partner with DHS and ther agencies t develp cntinuus, autmated, standardized mechanisms fr sharing infrmatin with each f its critical partners in the U.S. gvernment, key allied and partner militaries, state and lcal gvernments, and the private sectr. In additin, DD will wrk with ther U.S. gvernment agencies and Cngress t supprt legislatin that enables infrmatin sharing between the U.S. gvernment and the private sectr. Assess DD s cyber deterrence psture and strategy. Building ff f the Defense Science Bard s Task Frce n Cyber Deterrence, U.S. Strategic Cmmand (USSTRATCOM), in crdinatin with the Jint Staff and the Office f the Secretary f Defense, will assess the Department f Defense s ability t deter specific state and nn-state actrs frm cnducting cyberattacks f significant cnsequence n the U.S. hmeland and against U.S. interests, t 25

34 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y include lss f life, significant destructin f prperty, r significant impact n U.S. freign and ecnmic plicy interests. In cnducting its analysis, USSTRATCOM must determine whether DD is building the capabilities required fr attributing and deterring key threats frm cnducting such attacks and recmmend specific actins that DD can take t imprve its cyber deterrence psture. Careful attentin shuld be devted als t deterring nn-state actrs that may fall utside f traditinal deterrence framewrks but which culd pse a cnsiderable threat t U.S. interests. STRATEGIC GOAL IV: BUILD AND MAINTAIN VIABLE CYBER OPTIONS AND PLAN TO USE THOSE OPTIONS TO CONTROL CONFLICT ESCALATION AND TO SHAPE THE CONFLICT ENVIRONMENT AT ALL STAGES. Integrate cyber ptins int plans. T meet strategic end-states as defined by the Guidance fr the Emplyment f the Frce, cmbatant cmmand plans, and ther strategic guidance dcuments, DD will wrk with agencies f the U.S. gvernment as well as U.S. allies and partners t integrate cyber ptins int cmbatant cmmand planning. Accelerate the integratin f cyber requirements int plans. The Defense Department will accelerate the integratin f cyber requirements int cmbatant cmmand plans. Plans must utline and define specific cyberspace effects against targets. T facilitate this wrk, the Jint Staff will wrk with USSTRATCOM t synchrnize and integrate requirements int planning and prvide recmmendatins t the Chairman f the Jint Chiefs f Staff n the alignment, allcatin, assignment, and apprtinment f Cyber Missin Frces. STRATEGIC GOAL V: BUILD AND MAINTAIN ROBUST INTERNATIONAL ALLIANCES AND PARTNERSHIPS TO DETER SHARED THREATS AND INCREASE INTERNATIONAL SECURITY AND STABILITY. Build partner capacity in key regins. Under its existing and planned frce structure, DD will wrk with key allies and partners t build partner capacity and help secure the critical infrastructure and key resurces n which DD missins and U.S. interests depend. The Defense Department will wrk regularly with ther agencies f the U.S. gvernment, t include the Department f State, in building partner capacity. Pririty regins include the Middle East, Asia-Pacific, and Eurpe. Supprt the hardening and resiliency f Middle Eastern allies and partners netwrks and systems. As a part f its cyber dialgue and partnerships, DD will wrk with key Middle Eastern allies and partners t imprve their ability t secure their military netwrks as well as the critical infrastructure and key resurces upn which U.S. interests depend. Key initiatives include imprved infrmatin sharing t establish a 26

35 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y unified understanding f the cyber threat, an assessment f ur mutual cyber defense psture, and cllabrative appraches t building cyber expertise. Supprt the hardening and resiliency f Nrtheast Asian allies netwrks and systems. As a part f its brader cyber dialgue with Asian allies, DD will wrk with key allies and partners t imprve their ability t secure their military netwrks and critical infrastructure and key resurces upn which U.S. and allied interests depend. Build new strategic partnerships in the Asia-Pacific regin. The Defense Department will wrk with key states acrss the Asia-Pacific t build cyber capacity and minimize risk t U.S. and allied interests, in a manner cnsistent with DD s Internatinal Cyberspace Security Cperatin Guidance. U.S. Navy Seaman Katelynn L. Ehrs discusses netwrk and cmmunicatin training with Ryal Thai Navy sailrs during a Cperatin Aflat Readiness and Training military peratins sympsium in Sattahip, Thailand, in (Pht by Petty Officer 2nd Class David A. Brandenburg, U.S. Navy.) Wrk with key NATO allies t mitigate cyber risks t DD and U.S. natinal interests. The Defense Department will develp these partnerships thrugh the defense cnsultatins that DD hlds with its key NATO allies. DD will remain flexible and agile as it builds alliances and partnerships t best respnd t shifts in the strategic envirnment. Develp slutins t cunter the prliferatin f destructive malware. State and nn-state actrs seek t acquire destructive malware. The uncntrlled spread f destructive malware t hstile actrs presents a significant risk t the internatinal system. Wrking with the Department f State and ther agencies f the U.S. gvernment as well as U.S. allies and partners, the Defense Department will draw n best-practices t cunter the prliferatin f destructive malware within the internatinal system. In additin t internatinal regimes and best-practices, the U.S. gvernment has a range f dmestic exprt cntrl regimes fr gverning dual-use technlgies that can be used t prevent prliferatin. Wrk with capable internatinal partners t plan and train fr cyber peratins. Thrughut the curse f this strategy, DD will strengthen its internatinal alliances and partnerships t develp cmbined capabilities t achieve cyber effects in supprt f cmbatant cmmand plans. 27

36 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y Strengthen the United States cyber dialgue with China t enhance strategic stability. Thrugh the curse f this strategy, as part f the U.S.-China Defense Cnsultative Talks and related dialgues, such as the Cyber Wrking Grup, DD will cntinue t hld discussins with China t bring greater understanding and transparency f each natin s military dctrine, plicy, rles and missins in cyberspace. The gal f this wrk is t reduce the risks f misperceptin and miscalculatin that culd cntribute t escalatin and instability. DD will supprt U.S. gvernment effrts t strengthen cnfidence-building measures t bring a greater level f trust t the U.S.-China relatinship. In additin, DD will cntinue t raise cncerns abut China s cyber enabled theft f U.S. intellectual prperty, trade secrets, and cnfidential business infrmatin. 1 1 If and when U.S.-Russia military relatins resume, as a part f brader interagency effrts DD will seek t develp a military-t-military cyber dialgue with Russia t fster strategic stability in cyberspace. 28

37 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y V. MANAGING THE STRATEGY T achieve the gals and bjectives utlined in this strategy will require hard chices regarding cyber frces and persnnel, rganizatins, and capabilities. The financial chices that DD makes in the curse f implementing this strategy will have natinal and glbal implicatins fr years t cme, and DD must perate in an effective and cst-efficient manner t guarantee the best return n its investments. T that end, DD will pursue the fllwing management bjectives t gvern its cyber activities and missins. Establish the Office f the Principal Cyber Advisr t the Secretary f Defense. In the Natinal Defense Authrizatin Act (NDAA) f 2014, Cngress required the Defense Department t designate a Principal Cyber Advisr t the Secretary f Defense t review military cyberspace activities, cyber missin frces, and ffensive and defensive cyber peratins and missins. In additin, the Principal Cyber Advisr will gvern the develpment f DD cyberspace plicy and strategy fr the DD enterprise. The 2014 NDAA als stipulated that this Principal Cyber Advisr integrate the cyber expertise and perspectives f key rganizatins t build an intradepartmental team f key players t ensure effective gvernance f cyber issues within DD. The Principal Cyber Advisr respnsibilities assigned by the FY14 NDAA shall nt be interpreted t affect the existing respnsibilities and authrities f the Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics; the Under Secretary f Defense fr Plicy; the Under Secretary f Defense fr Intelligence; the Under Secretary f Defense fr Persnnel and Readiness; r any ther Principal Staff Assistant (PSA) in the ffice f the Secretary f Defense in cyber-related respnsibilities and authrities. An intradepartmental team. The Principal Cyber Advisr will wrk with DD cmpnents thrugh the Cyber Investment and Management Bard (CIMB) t review DD s cyber management. The CIMB will be a frum fr synchrnizatin, crdinatin, and prject management. It will nt replicate existing prgrammatic and budgetary mechanisms r interfere with previusly defined Principal Staff Assistant rles and authrities, nr will it interfere in any way with the military chain f cmmand; rather, it will prvide a single frum t integrate cyber initiatives, it will manage prjects thrugh 29

38 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y cmpletin, and streamline DD s cyber gvernance structures. The PCA will wrk with the Office f the Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics and the Jint Staff t build an intradepartmental team f DD representatives t supprt the CIMB in this wrk. A senir executive frum. Subrdinate and reprting t the CIMB, a senir executive frum will prvide initial senir-level crdinatin n key cyber issues. The senir executive frum will recmmend curses f actin t the CIMB and will crdinate with ther OSD and Jint Staff gvernance bdies t facilitate unity f effrt and reslve management issues at apprpriate levels. If and when a budgetary r financial matter cmes int play during the Prgram and Budget Review prcess, the Principal Cyber Advisr will use the senir executive frum and the CIMB t crdinate recmmendatins fr the Deputy s Management Actin Grup r ther financial and budgetary rganizatins, vetting ptins and alternatives thrugh the issue teams as apprpriate. Imprve cyber budgetary management. DD will develp an agreed-upn methd t mre transparently and effectively manage the DD cyber peratins budget. Tday cyber funding is spread acrss the DD budget, t include the Military Intelligence Prgram (MIP), in multiple apprpriatins, budget lines, prgram elements, and prjects. In additin, the Under Secretary f Defense fr Intelligence, n behalf f DD, ensures that all Natinal Intelligence Prgram (NIP) investments are aligned t supprt DD missins. The diffuse nature f the DD cyber budget presents DD with a challenge fr effective budgetary management; DD must develp a new methd fr managing crss-prgram funding t imprve missin effectiveness and achieve management efficiencies. Sailrs cnduct an exercise at Fleet Cyber Cmmand's headquarters in the Frank B. Rwlett Building, Frt Gerge G. Meade, MD. This exercise features members f Fleet Cyber Cmmand's Jint Frce Headquarters-Cyber (JFHQ-C). Develp DD s cyber peratins and cybersecurity plicy framewrk. Cnsistent with Presidential guidance, DD will align and simplify its cyber peratins and cybersecurity plicy management and identified gaps, verlaps, seams, cnflicts, and areas in need f revisin in current dcumentatin. This effrt will help translate natinal and departmental guidance and plicy int tactical peratins. It is essential t clarifying cnflicts in existing dcumentatin that currently cmplicate cyber peratins and cybersecurity gvernance. Cnduct an end-t-end assessment f DD s cyber capabilities. U.S. Cyber Cmmand will lead a cmprehensive peratinal assessment f its psture. In crdinatin with the Principal Cyber Advisr t the Secretary f Defense, the Office f the Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics, and the Office f the Directr f Cast Assessment and Prgram Evaluatin, USCYBERCOM will prvide shrt- and lng-term recmmendatins thrugh the CIMB t prvide t the Secretary f 30

39 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y Defense regarding rganizatinal structure, cmmand and cntrl mechanism, rules f engagement, persnnel, capabilities, tls, and ptential peratinal gaps. The gal f this psture assessment will be t prvide a clear understanding f the future peratinal envirnment; key stakehlder views; as well as strategic pririties, chices, and resurces fr planning and peratins. 31

40 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y THIS PAGE LEFT INTENTIONALLY BLANK 32

41 T h e D e p a r t m e n t f D e f e n s e C y b e r S t r a t e g y CONCLUSION We live in a time f grwing cyber threats t U.S. interests. State and nn-state actrs threaten disruptive and destructive attacks against the United States and cnduct cyber-enabled theft f intellectual prperty t undercut the United States technlgical and military advantage. We are vulnerable in cyberspace, and the scale f the cyber threat requires urgent actin by leaders and rganizatins acrss the gvernment and the private sectr. Since develping its first cyber strategy in 2011, the Defense Department has made significant prgress in building its cyber capabilities, develping its rganizatins and plans, and fstering the partnerships necessary t defend the cuntry and its interests. Mre must be dne. Stemming frm the gals and bjectives utlined in this strategy, apprpriate resurces must be aligned and managed t ensure prgress. This strategy presents an aggressive, specific plan fr achieving change. Fr DD t succeed in its missin f defending the United States and its interests in cyberspace, leaders frm acrss the Department must take actin t achieve the bjectives utlined in this dcument. They must als hld their rganizatins accuntable. Because f the nature f netwrks and cmputer cde, n single rganizatin can be relied upn t d this wrk. Success requires clse cllabratin acrss DD, between agencies f the U.S. gvernment, with the private sectr, and with U.S. allies and partners. The strategic envirnment can change quickly. That is especially true in cyberspace. We must be dynamic, flexible, and agile in this wrk. We must anticipate emerging threats, identify new capabilities t build, and determine hw t enhance ur partnerships and planning. As always, ur wmen and men bth unifrmed and civilian persnnel will be ur greatest and mst enduring strength and a cnstant surce f inspiratin. By wrking tgether we will help prtect and defend the United States and its interests in the digital age. 33