Cybersecurity

 

Registration is required. Tickets to this event can be obtained here.

 

***Please note that this event is closed to the press***

President Obama signaled the national import of cybersecurity with a White House Summit on Cybersecurity and Consumer Protection in February 2015. We watched as U.S. allegations of North Korea’s hacking into Sony Corporation unfolded on the world stage. China's PLA Unit 61398 grabbed headlines with its cyber espionage into U.S. interests. The threat of cyber espionage proves ubiquitous. This panel will focus on the most critical bilateral relationship in the world of cybersecurity today: between the U.S. and China. Since the Mandiant report and the Snowden leaks, hostility between the two governments around cybersecurity has reached an all-time high. This program brings together leading experts from the government, private sector and academia to critically examine cyber espionage waged by both countries; the threats implied; and preventive measures envisioned by the best minds in the industry.

This is the second in a two-part ASNC program series titled Digital Dilemma on cybersecurity and U.S.-Asia relations.

Speakers:

Jing De Jong-Chen, Senior Director of Microsoft, Inc., and Vice President of Trusted Computing Group

Jesse Goldhammer (moderator), Associate Dean of Business Development and Strategy, UC Berkeley School of Information 

James Andrew Lewis, Director and Senior Fellow at Center for Strategic and International Studies

Herbert Lin, Senior Research Scholar for Cyber Policy and Security, Center for International Security and Cooperation, Freeman Spogli Institute for International Studies, Stanford University

Michael Nacht, Schneider Professor of Public Policy at the University of California, Berkeley, and former Assistant Secretary of Defense for Global Strategic Affairs


 

Program Agenda:

5:30 - 6:00 pm: Registration
6:00 - 7:30 pm: Panel Discussion and Q&A
7:30 - 8:00 pm: Reception and Networking 

Promotional Co-Sponsors: Cal-Asia Business Council; Center for International Security and Cooperation, Stanford; Center for Long-Term Cybersecurity, UC Berkeley; Institute for East Asian Studies, UC Berkeley; School of Information, UC Berkeley

K&L Gates LLP

4 Embarcadero Center, Suite 1200

San Francisco, CA 94111

Panel Discussions

Secretary of Defense Ashton B. Carter unveiled the Pentagon’s new cybersecurity strategy before a Stanford audience Thursday, saying the United States would defend the nation using cyber warfare and calling for a renewed partnership with Silicon Valley.

Carter, the first sitting secretary of defense to speak on the Stanford campus in two decades, warned cyber criminals that Washington considers a cyber attack against the homeland or American businesses and citizens like any other threat to national security.

“Adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary,” he told the audience at CEMEX Auditorium. “And when we do take action – defensive or otherwise, conventionally or in cyberspace – we operate under rules of engagement that comply with domestic and international law.”

Carter, who has a doctorate in theoretical physics, has strong ties to technology. He knows that as he takes the helm at the Pentagon, digital innovators and cyber criminals are trying to outpace one another at breakneck speeds. A strong partnership between military strategists and technologists would establish an unbeatable pact, he said.

The secretary was a senior partner at Global Technology Partners, where he advised major investment firms on technology and defense. He acknowledges the boundless transformation of technology and the opportunities and prosperity that it has brought to all sectors of American society.

But, he added: “The same Internet that enables Wikipedia also allows terrorists to learn how to build a bomb. And the same technologies we use to target cruise missiles and jam enemy air defenses can be used against our own forces – and they’re now available to the highest bidder.”

This is why, he said, the Pentagon must rebuild the bridge between Washington and Silicon Valley. “Renewing our partnership is the only way we can do this right.” Carter was building on President Barack Obama’s cybersecurity policies outlined by the president at the White House Summit on Cybersecurity and Consumer Protection at Stanford earlier this year. 

Carter was the Payne distinguished visitor at the Freeman Spogli Institute for International Studies and a distinguished visiting fellow at the Hoover Institution until he was sworn in as the 25th secretary of defense in February.

Carter’s speech was delivered as the annual Drell Lecture for Stanford’s Center for International Security and Cooperation (CISAC).

The lecture is named for theoretical physicist and arms control expert Sidney Drell, the center’s co-founder, a senior fellow at Hoover and former director of the SLAC National Accelerator Laboratory. Drell and former Secretary of Defense William J. Perry – an FSI senior fellow and consulting professor at CISAC – were both mentors to Carter, and he thanked them at length before his formal policy speech.

"Secretary Carter is the first sitting secretary of defense to speak in Silicon Valley in 20 years," said CISAC Co-Director and Hoover senior fellow Amy Zegart, who led a Q&A session with Carter at the end of his talk. "This was an historic day, with the unveiling of DoD's new cyber strategy, and we are honored that Stanford could play a part. Cybersecurity is one of the toughest international security challenges of our time, and we are dedicated to playing a leading role in bringing together policymakers, scholars, and industry leaders to develop the new technologies, talent, and ideas that our nation requires."


 

As Carter was speaking, the Department of Defense released online its new cyber strategy based on three primary missions: To defend the Pentagon’s networks; to defend the United States and its interests against cyber attacks of “significant consequences”; and to provide integrated cyber capabilities to support military operations and contingency plans.

“The cyber threat against U.S. interests is increasing in severity and sophistication,” Carter said. “While the North Korean cyber attack on Sony was the most destructive on a U.S. entity so far, this threat affects us all. Just as Russia and China have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber operations. Low-cost and global proliferation of malware have lowered barriers to entry and made it easier for smaller malicious actors to strike in cyberspace.”

The cyber strategy calls for a 6,200-strong Cyber Mission Force of military, civilian and defense contractors, with 133 cyber protection and combat teams in action by 2018.

“These are the talented individuals who hunt down intruders, red-team our networks and perform the forensics that help keep our systems secure,” Carter said.

And the Pentagon is creating a new “point of partnership” in the Silicon Valley called the Defense Innovation Unit X.

“The first-of-its-kind unit will be staffed by an elite team of active-duty and civilian personnel, plus key people from the Reserves, where some of our best technical talent resides,” he said, adding the unit would scout for breakthrough and emerging technologies and potentially help startups find new ways to work with the military.

The Pentagon will establish a branch of the U.S. Digital Service, the outgrowth of the technical team that helped rescue the beleaguered healthcare.gov site, which collapsed when the Affordable Care Act was implemented.

Herb Lin, a senior research scholar for cyber policy and security at CISAC and a research fellow at Hoover, said the concept was particularly noteworthy. “He’s asking technologists to take a tour of duty helping the DoD by working on some important technical problems. I heartily endorse this vision.”

Lin said the new DoD cyber strategy that was released online is also notable for its openness about the role of the Pentagon’s offensive cyber capabilities.

“It’s been an open secret for a long time that DoD has these capabilities, but by discussing them more forthrightly than any defense secretary has done before, Dr. Carter has done a real public service,” Lin said. “And the announcement of the new strategy will spark much needed conversations among policymakers and researchers about what should be done with these capabilities.”

Lin – chief scientist for the Computer Science and Telecommunications Board, National Research Council of the National Academies before coming to Stanford earlier this year – was also impressed by how open Carter was about wanting to repair relations with Silicon Valley. Those have been frosty at best since the Edward Snowden revelations.

“That will be a hard task, but you have to start somewhere, and Carter is quite tech-savvy, so if anyone can make headway, he can,” Lin said.

The secretary was slated to visit Facebook after his speech and meet with tech leaders on Friday. He hopes not only to make amends, but also to enlist their support in countering the threat of cyber attacks and ensuring the military has the technology it needs.

Carter revealed that earlier this year, sensors that guard the Pentagon’s unclassified networks detected what they believed were Russian hackers. After investigating, they discovered an old vulnerability in one of the DoD’s legacy networks that hadn’t been patched. But they caught it and kicked off the hackers within 24 hours.

He said the incident had not been made public until now.

“Shining a bright light on such intrusions can eventually benefit us all, government and business alike,” he said. “As secretary of defense, I believe that we at the Pentagon must be open, and think, as I like to say, outside our five-sided box.”

After his speech, the secretary took questions from the Stanford and Twitter audiences in a session moderated by Zegart.

One of those questions from Twitter asked why young Stanford computer scientists or technologists from the valley would want to join the cyber teams at the Pentagon.

“Because we have the most exciting problems you can have in technology,” he said. “And they’re consequential – they matter.”

 


 

All Photos by Rod Searcey.


The Freeman Spogli Institute for International Studies, the Center for International Security & Cooperation, and the Hoover Institution are honored to co-sponsor the 2015 Drell Lecture with The Honorable Ashton B. Carter, 25th U.S. Secretary of Defense, who will speak on "Rewiring the Pentagon: Charting a New Path on Innovation and Cybersecurity." The event will include welcoming remarks by Stanford University President John Hennessy. The talk will be followed by a Q&A session with Carter moderated by Amy Zegart, co-director of the CISAC and senior fellow at Hoover. Questions will be collected from the audience as well as from Twitter, using the hashtag #SecDefAtStanford. 

 

Drell Lecture Recording: NA

 

Drell Lecture Transcript: NA

 

Speaker's Biography: Secretary Carter was the 2014-2015 Payne Distinguished Visitor at the Freeman-Spogli Institute for International Studies until he left upon his nomination by the White House. Ash Carter served in numerous jobs in the Department of Defense, and as the twenty-fifth Secretary of Defense under President Obama. 

 

 

Cemex Auditorium

655 Knight Way

Stanford University

Speaker: Ashton Carter, 25th United States Secretary of Defense, United States Department of Defense
Lectures

 

U.S. Navy Adm. Cecil D. Haney, the U.S. Strategic Command commander, hosted CISAC Co-Directors David Relman and Amy Zegart as well as CISAC faculty and fellows at Offutt Air Force Base in Nebraska on March 30-31, 2015, to promote military-to-university cooperation and innovation, and provide a better understanding of USSTRATCOM’s global missions.

The visit follows Haney’s trip to Stanford last year, during which he held seminars and private meetings with faculty, scholars and students to discuss strategic deterrence in the 21st century. Those discussions focused on reducing the U.S. nuclear weapons stockpile while maintaining an effective deterrent, the integration of space and cyberspace in nuclear platforms and the congested, contested and competitive operating environment in space.

“Developing and maintaining partnerships with security experts from the private sector and academic institutions like CISAC enables USSTRATCOM to view the strategic environment from a different perspective and adjust our decision calculus accordingly,” Haney said. “We are excited about this unique opportunity to exchange ideas and share information with this prestigious organization.”

Haney opened the discussions by presenting a command mission brief, in which he described USSTRATCOM’s nine Unified Command Plan-assigned missions, his priorities as commander and his ongoing effort to build enduring relationships with partner organizations to exchange ideas and confront the broad range of global strategic challenges.

Zegart, who is also a senior fellow at Stanford’s Hoover Institution, said getting to see and experience how USSTRATCOM operates first-hand was “an eye opener.”

“It’s one thing to think about deterrence, it’s another to live it,” she said. “When you go to each other’s neighborhoods, you gain a better understanding of where each side is coming from … and that’s enormously important to us in how we think about deterrence and what we can do to help USSTRATCOM and its mission.”

“These kinds of exchanges have cascade effects on young people; how they think about civil-military relations [and] how they understand what our military is doing,” she added.


The delegation also received a tour of USSTRATCOM’s global operations center and held discussions with subject matter experts on strategic deterrence, cyber responsibility and nuclear modernization.

“As a cybersecurity fellow, it was fascinating to visit the global operations center and the battle deck to see the role that cybersecurity and information technology plays in the strategic deterrence mission,” said Andreas Kuehn, a CISAC pre-doctoral cybersecurity fellow from Switzerland. “At CISAC, we often discuss deterrence from a theoretical perspective, so it was very insightful to hear from people who work in [this field] and see how they deal with deterrence in an operational manner.”

The two-day visit concluded with an open discussion, during which CISAC and USSTRATCOM members discussed the most effective means to share information, plan future engagements and continue working to build on the mutually beneficial relationship between the two organizations.

“Sometimes people talk [about strategic issues] in the abstract and it becomes difficult to understand what is happening on the ground and in the real world,” Kuehn said. “I think [USSTRATCOM] took extra steps to keep the conversations open and concrete.”

USSTRATCOM is one of nine Department of Defense unified combatant commands charged with strategic deterrence, space operations, cyberspace operations, joint electronic warfare, global strike, missile defense, intelligence, surveillance and reconnaissance, combating weapons of mass destruction, and analysis and targeting.

 

U.S. Navy Adm. Cecil D. Haney (center), U.S. Strategic Command commander, presents a USSTRATCOM mission briefing to the leadership, faculty members and fellows from Stanford University’s Center for International Security and Cooperation, during their visit to Offutt Air Force Base, Neb., March 30, 2015.
USSTRATCOM Photo by U.S. Air Force Staff Sgt. Jonathan Lovelady
 

Former U.S. Sen. Mark Udall gained notoriety for his vocal opposition to National Security Agency surveillance programs in the wake of the Edward Snowden disclosures of June 2013.

Before losing his seat in the mid-term elections last year, the senior senator from Colorado had become one of the staunchest critics of the U.S. spy agency for conducting massive, warrantless data grabs on millions of Americans without their knowledge.

Even before the Snowden leaks, Udall had warned on the Senate floor in 2011 that the Patriot Act was being interpreted in a way to allow domestic surveillance activities that many members of Congress and the American public do not understand.

"Americans would be alarmed if they knew how this law is being carried out," he told fellow senators before he introduced amendments to the Patriot Act that would have secured tougher privacy mechanisms. The act was renewed without the amendments.

Udall – who served on the Senate's Intelligence and Armed Services committees – will be in conversation with Center for International Security and Cooperation Co-Director Amy Zegart Thursday, April 2, at 7:30 p.m. in CEMEX Auditorium as part of Stanford's Security Conundrum lecture series. The event is open to the public but an RSVP is required by 5 p.m. April 1.

The special series has brought together nationally prominent experts this academic year to explore the critical issues raised by the NSA's activities, including their impact on security, privacy and civil liberties. The series ends April 10 with a public conversation with Judge Reggie Barnett Walton, former presiding judge of the Foreign Intelligence Surveillance Court, known as the FISA court.

The Foreign Intelligence Surveillance Act of 1978 empowered the FISA court to oversee government requests for surveillance of foreign intelligence agencies. During its existence, the court has granted more than 30,000 warrants; it has denied only 11.

Walton, in conversation with Stanford Law School Professor Jenny Martinez, will explain the role that the secretive institution attempts to play in maintaining the balance between civil liberties and national security.

"We're delighted to end the Security Conundrum series with a view from Congress and the courts," said Zegart, who is also a senior fellow at the Hoover Institution. "Holding serious campus-wide conversations about issues of national importance is an essential part of the Stanford experience."

Zegart said CISAC and Hoover would conduct a similar series on international cybersecurity challenges in the coming academic year.

Udall, the third speaker in the series, also advocated for the declassification of the Senate Intelligence Committee's study on the CIA's enhanced interrogation program. The post-9/11 program allowed the government to ship suspected terrorists to secret overseas prisons and subject them to waterboarding and other torture techniques.

Gen. Michael Hayden, the former director of the NSA and CIA who has defended the government surveillance programs, kicked off the Security Conundrum series in October. In that talk, he said the metadata collection "is something we would never have done on Sept. 9 or Sept. 10. But it seemed reasonable after Sept. 11. No one is doing this out of prurient interests. No – it was a logical response to the needs of the moment."

The second speaker in the series, journalist Barton Gellman, gave a detailed account of his relationship with former NSA contractor Snowden and how he worked with him to reveal the details of the NSA's global and domestic surveillance programs.

One of the first Snowden revelations, Gellman said, was the top-secret PRISM surveillance program, in which the NSA tapped into the servers of nine large U.S. Internet companies, including Google, Microsoft, Yahoo and Facebook. Snowden said he believed the extent of mass data collection on American citizens was far greater than what the public knew.

The PRISM program allows the U.S. intelligence community to gain access from the tech companies to a wide range of digital information, including audio, video chats, photographs, emails and stored data, that enables analysts to track foreign targets. The program does not require individual warrants, but instead operates under the broad authorization of the FISA court.

"I asked him very bluntly, 'Why are you doing this?'" Gellman said of Snowden.

"He gave me very persuasive and consistent answers about his motives. Whatever you think of what he did or whether or not I should have published these stories, I would claim to you that all the evidence supports his claim that he had come across a dangerous accumulation of state power that the people needed to know about."

 

Abstract: Any given computer or network runs code from an enormous number of sources, including the producer of the operating system, the hardware, built-in and user-installed applications, websites, and the user herself.  Computers may also run code injected by remote attackers of various sorts including autonomous viruses, individual hackers and state-backed organizations.  What happens when the authors of these various software components have different objectives for the behavior of that single computer or network?

This talk will propose a simple theory that predicts which of these contestants will tend to win in different kinds of computer security contests, including the robustness of encrypted communications; the control of cloud-based and distributed computing systems; and some hypothetical future applications to the security of AI systems.

About the Speaker: Peter Eckersley is Technology Projects Director at the Electronic Frontier Foundation. He leads a team of technologists who do both coding and policy work to strengthen Internet security, privacy, and innovation.

His work at EFF has included several projects to improve the strength and deployment of cryptography on the Internet, including HTTPS Everywhere, the SSL Observatory, and Sovereign Keys; efforts to educate Internet users about privacy and security threats such as Surveillance Self-Defense International and Panopticlick; rallying computer scientists in opposition to Internet blacklist legislation; and efforts to make networks more neutral, open, and transparent, including the first controlled tests of packet forgery by Comcast and promoting secure forms of open wireless networks.

Peter holds a PhD in computer science and law from the University of Melbourne. His doctoral research was on digital copyright and the alternatives, including the computer security dimensions of copyright policy.

Encina Hall (2nd floor)

Speaker: Peter Eckersley, Technology Projects Director, Electronic Frontier Foundation
Seminars
-
Abstract: In many real-world settings, the need for security is often at odds with the desire to protect user privacy. In this talk we will describe some recent cryptographic mechanisms that can be used to resolve this tension. In doing so we will present developments in cryptography of the past few years as well as areas for future work. The talk will be self-contained and intended for a broad audience.
 
About the Speaker: Dr. Boneh is a Professor of Computer Science at Stanford University where he heads the applied cryptography group. Dr. Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, security for mobile devices, web security, and cryptanalysis.  He is the author of over a hundred publications in the field and is a recipient of the Godel prize, the Packard Award, the Alfred P. Sloan Award, the RSA award in mathematics and five best paper awards.  In 2011 Dr. Boneh received the Ishii award for industry education innovation.

Encina Hall (2nd floor)

Rajeev Motwani Professor in the School of Engineering and Professor of Electrical Engineering
Co-director of the Stanford Computer Security Lab
Co-director of the Stanford Cyber Initiative
Affiliate Faculty at CISAC
MA, PhD

Professor Boneh heads the applied cryptography group and co-directs the computer security lab. Professor Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, web security, security for mobile devices, and cryptanalysis. He is the author of over a hundred publications in the field and is a Packard and Alfred P. Sloan fellow. He is a recipient of the 2014 ACM prize and the 2013 Godel prize. In 2011 Dr. Boneh received the Ishii award for industry education innovation. Professor Boneh received his Ph.D. from Princeton University and joined Stanford in 1997.

Speaker: Dan Boneh, Professor of Computer Science and Electrical Engineering; Co-director of the Stanford Computer Security Lab, Stanford University
Seminars

Abstract: When President Obama approved the "Olympic Games'' cyber attacks on Iran, he told aides that he was worried about what would happen when nations around the world began to use destructive cyber attacks as a new weapon of disruption and coercion. Now, we've begun to find out. David Sanger, the national security correspondent of The New York Times and author of Confront and Conceal, the book that revealed the cyber program against Iran, will explore how offensive cyber operations have developed in the Obama administration -- and why they have been so little debated.

About the Speaker: David E. Sanger is National Security Correspondent and senior writer for The New York Times. He is the author of two bestsellers on foreign affairs: The Inheritance: The World Obama Confronts and the Challenges to American Power (2009) and Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (2012). He served as the Times’ Tokyo Bureau Chief, Washington Economic Correspondent, White House correspondent during the Clinton and Bush Administrations and Chief Washington Correspondent.

Mr. Sanger has twice been a member of New York Times teams that won the Pulitzer Prize, first for the investigation into the causes of the Challenger disaster in 1986, and later for investigations into the struggles within the Clinton administration over technology exports to China. He teaches national security policy at Harvard's Kennedy School of Government.

This event is offered as a joint sponsorship with the Hoover Institution.

 

Encina Hall (2nd floor)

Speaker: David Sanger, National Security Correspondent and senior writer for The New York Times
Seminars

On Tuesday March 3, 2015, the Subcommittee on Oversight and Investigations held a hearing entitled, “Understanding the Cyber Threat and Implications for the 21st Century Economy.” This was the first in a series of hearings focused on cyberspace, the Internet, and the challenges and opportunities that they present. Cyberspace has become the backbone and engine of the 21st century economy, and recent high-profile information security breaches have raised awareness of the vulnerabilities and risks facing cyberspace. With this hearing series, the subcommittee seeks to expand the discussion surrounding these issues to examine the broader implications for businesses and consumers in today’s 21st century economy. This initial hearing will provide an overview of the issue, focusing on the history, evolution, and future of cybersecurity.

The witnesses included Herbert Lin, Senior Research Scholar at the Center for International Security and Cooperation and Senior Fellow at the Hoover Institution, Stanford University; Richard Bejtlich, Chief Security Strategist, FireEye, Incorporated; and Gregory Shannon, Chief Scientist, CERT Program, the Software Engineering Institute, Carnegie Mellon University.

Lin's testimony begins at 21:00.

Publication Type: Testimonies
Authors: Herbert Lin

Abstract: The first Snowden disclosure was that Verizon was providing daily updates of telephony metadata to the NSA. This caused great consternation, and resulted in two government studies, one by the President's NSA Review Committee and one by the Privacy and Civil Liberties Oversight Board. Both concluded the collection should be ended. The President asked the Office of the Director of National Intelligence to produce a report "assessing the feasibility of creating software that would allow the intelligence community more easily to conduct targeted information acquisition rather than bulk collection." This talk reports on that work, which considered the issue from the angle of technical alternatives, and concluded that there is no technical replacement for bulk data collection, but that software can enhance targeted collection and automate control of data usage. This talk will discuss that report, conducted by the National Research Council, explaining what the report says — and what it doesn't say.

About the Speaker: Susan Landau is Professor of Cybersecurity Policy in the Department of Social Science and Policy Studies at Worcester Polytechnic Institute. Landau has been a senior staff Privacy Analyst at Google, a Distinguished Engineer at Sun Microsystems, and a faculty member at the University of Massachusetts at Amherst and at Wesleyan University. She has held visiting positions at Harvard, Cornell, and Yale, and the Mathematical Sciences Research Institute. Landau is the author of Surveillance or Security? The Risks Posed by New Wiretapping Technologies (MIT Press, 2011), and co-author, with Whitfield Diffie, of Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press, 1998, rev. ed. 2007). She has written numerous scientific and policy research papers, and has also published in other venues, including Science, Scientific American, and the Washington Post. Landau has testified in Congress on cybersecurity and on electronic surveillance. Landau currently serves on the Computer Science and Telecommunications Board of the National Research Council. A 2012 Guggenheim fellow, Landau was a 2010-2011 fellow at the Radcliffe Institute for Advanced Study, the recipient of the 2008 Women of Vision Social Impact Award, and also a fellow of the American Association for the Advancement of Science and the Association for Computing Machinery. She received her BA from Princeton, her MS from Cornell, and her PhD from MIT.

Encina Hall (2nd floor)

Speaker: Susan Landau, Professor of Cybersecurity Policy in the Department of Social Science and Policy Studies, Worcester Polytechnic Institute
Seminars