New U.S. Cyber-Defense Strategy a Two-Edged Sword

NEWS ANALYSIS: The Pentagon says it's going to protect companies, not just government agencies, from cyber-attack, but what does this really mean?


The U.S. military says it's using a nuclear doctrine from the Cold War to prevent the next Sony Pictures Entertainment-style hack.

U.S. Defense Secretary Ash Carter trotted out the Pentagon's new Cyber Strategy in Silicon Valley last month. It replaces the previous strategy rolled out four years ago. The new strategy contains three very new and very surprising components, which will directly affect every company in the U.S.—doubly so for technology-oriented companies.

Here's what you need to know.

1. The U.S. military says it will protect your company.

In the past, the Pentagon's cyber strategy was all about protecting the U.S. military from attack, as well as government agencies. Now Carter has explicitly said that the department will also protect American "interests," which include U.S.-based corporations.

The November attack on Sony Pictures Entertainment, which the government blames on the North Korean government, appears to have greatly influenced this policy shift to protect U.S. businesses.

2. The new policy is deterrence through hack-attack retaliation.

Instead of playing defense, which was the old strategy, the Pentagon says it intends to develop tools that enable it to "disrupt" the attackers' networks, among other things. The paper singles out Russia, China, Iran and North Korea as major state-sponsored cyber-threats.

Specifically, the military sees Russian government hackers as very good at covering their tracks, but it isn't really sure what they're after. Both Iran and North Korea are less skillful at hacking, but are super hostile toward U.S. interests. And, of course, China is great at hacking and it uses its skills mainly to steal everything and anything it can.

The idea is that if foreign national governments know they'll be attacked if caught, they'll be less likely to engage in the espionage—corporate, industrial and military—that's now becoming somewhat routine.

This mirrors America's strategy during the Cold War. In fact, the era was called "the Cold War" because it was considered an ongoing war in which active hostilities were avoided because they could lead to nuclear annihilation. In effect, the "war" was conducted through proxies, economic isolation, sanctions and other means that avoided direct military engagement between the United States and the Soviet Union.

The new cyber-strategy essentially escalates U.S. tensions with Russia, China, Iran and North Korea from non-war to Cold War, where U.S. policy is to engage the enemy with hostility, hopefully without triggering a real war.

It's also similar organizationally to the War on Terror, where non-military organizations within the government are granted permission to conduct ongoing offensive operations against America's perceived enemies. For example, the Central Intelligence Agency has since 9/11 been conducting drone strikes, assassinations and other wartime operations not only without war but without the Pentagon.

In this case, the Cyber Mission Force is actually part of the Pentagon. But instead of simply supporting military operations, the group can now conduct operations on its own, including offensive operations, similar to what the CIA now does, but over the Internet.