DOD recruits Silicon Valley for cyber, innovation efforts

Carter unveiled his cyber strategy but displayed his doctoral thesis during his speech at Stanford.

In formally unveiling the Defense Department’s new cyber strategy during a visit to the Silicon Valley Thursday, Defense Secretary Ash Carter underscored the changes in the technology and cybersecurity landscapes in recent years and said the United States’ response to those changes has to be a cooperative, integrated effort.

In a speech at Stanford University, Carter promoted a closer working relationship between DOD and the nation’s high-tech companies in developing new, innovative technologies, and outlined the cyber strategy, which, among other things, emphasizes the need to work together with industry, foreign allies and civilian security agencies.

Citing attacks such as North Korea’s large-scale hack of Sony, Carter said those kinds of threats, whether from state or non-state actors, are a constant threat to both public and private organizations. “While we in DOD are an attractive target, the cyber threat is one we all face,” he said.

While acknowledging that DOD needs “to be open and adjust the way we do things” to win back the public’s trust in the wake of the Edward Snowden leaks, Carter touted several new Silicon Valley initiatives to spur innovation that could, he said, benefit both DOD and private industry.

Perhaps chief among them is the creation the Pentagon's first permanent outreach office in the area, to be called the Defense Innovation Unit X (X for Experimental), which will be staffed by technically skilled active-duty and Reserve troops, and civilian personnel who will engage industry people on tech matters.

DOD also is planning a pilot to work with startup companies that aren’t usually involved in military programs; have In-Q-Tel, the Intelligence Community’s investment capital arm, invest in emerging technologies with national security potential; and expand the Secretary of Defense Corporate Fellows Program, a kind of employee-exchange program that allows U.S. military officers to work at leading commercial companies for a year before returning to DOD.

Carter also plans to set up a DOD branch of the U.S. Digital Service, the agency-based tech teams that, among other things, were credited with cleaning up healthcare.gov. Job one for the new branch: improving the interoperability of electronic health records between DOD and the Veteran Affairs Department.

Carter said two-way collaboration with industry is important to the United States retaining its technological edge, something several defense leaders (including former Defense Secretary Chuck Hagel) have said it’s in danger of losing. He cited past collaborations, such as the Manhattan Project during World War II, and current ones, such as a number of forward-looking projects involving the Defense Advanced Research Projects Agency, as examples of what industry and the military can do together.

Another key to improving innovation is improving DOD’s slow acquisition process. "I don't want us to lose out on an innovative idea or capability we need because the Pentagon bureaucracy was too slow to fund something, or we weren't amenable to working with as many startups as we could be," he said.

As with innovation, cybersecurity also needs to be collaborative, Carter said in giving a rundown of the new strategy. The combined threat to military and other government systems, commercial intellectual property and allies’ systems means that cyber defense has to involve all parties working together. With the growing number of state and non-state actors capable of carrying out sophisticated attacks, the cyber threat “is bigger than who we are as individuals, bigger than who we are as companies,” he said.

The strategy, an update of DOD’s 2011 document, sets broad guidelines for the department but also includes specific goals for the next few years. It covers five principle areas:

1. Building up the size of the Cyber Command’s Cyber Mission workforce, currently about half of the planned 6,200, and ensuring they are properly trained.

2. Defend DOD systems and the DOD Information Network from attack, which involves building a single security architecture (work is underway on the Joint Regional Security Stacks).

3. Readiness to help DHS and the FBI in defending domestic systems from attack. Although it’s likely that fewer than 2 percent of such attacks would involve DOD, the department needs to improve its working relationship with civilian agencies. Carter also emphasized the private sector’s role in defending its own networks.

4. Develop precise plans for responding to a significant cyberattack, to limit any damage or fatalities, ensure the U.S. does not fall behind technologically, and to give the White House options for managing the escalation of a conflict. In response to a question, Carter said that the kind of attacks that could draw retaliation would be anything that threatens loss of life, property damage or other significant losses. “It won’t be any different in cyber that it would be in any other domain, and the response might not be in cyber,” he said, noting that the U.S. responded to the Sony hack with sanctions against North Korea.

5. Working with foreign allies and partners to build up their cyber capabilities.

A crucial factor in building up DOD’s cyber capabilities is in getting the right personnel. Carter said DOD can’t compete with the private sector in pay and some other opportunities, but it does offer a challenging and rewarding environment that, he hopes, will convince people to spend at least part of their careers protecting the nation.