Cybersecurity Seen as DoD Priority Under Carter
Defense Secretary Nominee Has Cybersecurity Track Record
Ashton Carter is a Ph.D. physicist and an expert in nuclear weaponry and procurement, but the defense secretary nominee understands that cyberdefense must be a priority in running the Pentagon.
"Cybersecurity won't get lost," says Jane Holl Lute, who as deputy secretary of the Department of Homeland Security worked closely with Carter when he was Defense Department deputy secretary. "He understands the importance of the issues, the need for collaborative action. He understands the role defense has, and homeland security, that lies at the heart of effective cybersecurity."
Carter served as deputy defense secretary from October 2011 to December 2013. Before becoming deputy secretary, Carter served as DoD undersecretary for acquisition, technology and logistics from April 2009 to October 2011.
Those who have worked with and know Carter say he will utilize his vast knowledge of the workings of the Pentagon if he's confirmed as defense secretary, succeeding Chuck Hagel, who is stepping down. President Obama nominated Carter to be defense secretary on Dec. 5.
Depth of Understanding
"Ash will bring the in-depth understanding of weapons systems and the acquisition process and the knowledge of how critical cybersecurity is to the mission success," says former DoD Principal Deputy CIO Robert Carey, vice president and general manager for public sector cybersecurity at CSC, an IT services company.
Though Carter is not schooled in IT and IT security, cyber is an area of interest in which he has been involved for many years. "He knows enough about [cyber] that he likely knows when he should call on domain experts for more information, something not all of our national leaders have done," says Gene Spafford, founder and executive director of the Center for Education and Research in Information Assurance and Security at Purdue University.
President Obama on cyberdefense as a Defense Department priority with Ashton Carter at the helm.
Carey says Carter, as the DoD's former chief operating officer, knows what the new job entails and has developed the trust of key cyberleaders at the Pentagon, including acting CIO Terry Halvorsen and Eric Rosenbach, assistant secretary for homeland defense and global security.
"Cybersecurity needs to be one of his burning issues, one that he pays attention to, if not daily, then several times a week," Carey says. "As he takes on the new role, it is not clear what his priorities will be, although I am confident [cybersecurity] will be one. The question will be, compared to ISIL (Islamic State), JSF (Joint Strike Force fighter jet system), etc., where will [cybersecurity] fall?"
If Carter's deeds and words during his deputy secretary tenure are an indication, cybersecurity will be one of his priorities. As deputy secretary, according to his LinkedIn profile, Carter led two major reviews of defense strategies, including one strengthening America's approach to cyberwarfare. He also says he formulated the current DoD investment strategies in a number of key areas, including cyber and enterprise IT. During his tenure as deputy secretary, Carter championed cybersecurity innovation as a DoD priority, so the military could "continue to be the first-est with the most-est in this field technologically," he said in a February 2012 RSA conference keynote address. "And that means to continue to support innovation in this field, in cryptography, in other techniques."
Expanding Cyber Skills
Carter was involved in growing the military Cyber Command during his tenure as deputy secretary. At the Aspen Security Forum in July 2013, Carter explained how he and other DoD leaders began to expand the technical staff at Cyber Command.
"This is not a money problem for me," Carter said. "This is a management problem. It doesn't cost a lot. And fundamentally, we're spending everything we can think about spending intelligently for, notwithstanding our budget hassles, because this is an area (cyberdefense) that we are protecting even as other military capabilities will be cut."
In the RSA keynote address, Carter expressed his commitment, and that of the Obama administration, to cybersecurity as a top Defense Department priority.
"At no time in the deliberations with the president, or the secretary of defense, or the joint chiefs, or our combatant commanders or any of us in the department - no time, no moment in all those deliberations was it even considered to make cuts in our cyber expenditures - not even considered," Ashton said.
"The investments are now at the level of several billion, a lot of money, but ... we would make room for more if we could find worthy investments to make," he said.
Former colleagues say Carter would take a collaborative approach with others in government and business to safeguard military, government and private sector IT.
Based on her dealings with Carter, Lute says she believes he'll support the military playing a role in helping defend the privately operated critical IT infrastructure. "We all agree that DoD has a role to defend the country," says Lute, who now serves as president and CEO of the Council on Cybersecurity. "That doesn't mean we have the military on every street corner. Those same principles apply in cyberspace.
"In the private sector, every enterprise has a set of responsibilities to defend themselves, in sharing information, and improving defense. We're all on the same network, large and small, and what we know is that we have to get all houses in order, protect our own systems, and share information appropriately, not elbow people out of the way. Enterprises must all play an appropriate role."
Speaking at last year's Aspen conference, Carter presented what could be a preview of some of the challenges he'll face as defense secretary, including cyberwar.
"Obviously, we want to do things, as we try always to do, in a way that is lawful and in a way that ... our population can support and that is consistent with our values," Carter said. "And the tricky things that come into cyber are privacy, obviously, although that's not so much of an issue on the offensive side. It's things like, are you sure that a particular action you take with an enemy's information system will only have the consequence of disrupting, let us say, an air defense system and not wider consequences? So you have to understand what the consequences are of your actions."