A top Defense Department official described the private sector as “absolutely essential” in implementing the agency’s new cyber strategy.
A top Defense Department official said Wednesday that expanding information sharing relationships with industry and international partners will be crucial for implementing the department's 2023 cyber strategy.
An unclassified version of the strategy released this week described capacity-building and cooperation with allies and partners as a top priority for the department in cyberspace, in addition to enhanced bilateral technical collaboration with key stakeholders.
The fourth iteration of the cyber strategy builds on lessons learned from previous large-scale cybersecurity operations and observations of how Russia has leveraged cyber throughout its invasion of Ukraine, according to Assistant Secretary of Defense for Space Policy John Plumb.
"The private sector is absolutely essential in our collective efforts to become more cyber resilient, from adopting cyber best practices to mitigating threats in a crisis," Plumb said at an event on the 2023 DOD cyber strategy hosted by the Center for a New American Security. "Our success as a nation is not just up to the U.S. military — it can't be."
The guidance outlines four complimentary lines of effort that DOD will prioritize to ensure cyber resilience, including working with partners to enable the defense of U.S. critical infrastructure and conducting defensive cyberspace operations to help win the nation's wars.
The strategy also says that U.S. Cyber Command will support DOD campaigns seeking to limit, frustrate and disrupt adversarial activities, with additional help from interagency partners and the private sector.
DOD's latest cyber strategy is distinct from previous iterations because it "commits to increasing our collective cyber resilience by building the cyber capability of allies and partners," Deputy Assistant Secretary for Cyber Policy Mieke Eoyang said in a statement announcing the new guidance.
"It also reflects the department’s approach to defending the homeland through the cyber domain as well as prioritizing the integration of cyber capabilities into our traditional warfighting capabilities," he added.
The strategy specifically highlights the persistent threats that the People's Republic of China, Russia, North Korea, Iran and violent extremist organizations pose to the U.S. in cyberspace, in addition to transnational criminal groups and other cybercriminals. DOD will identify malicious cyber groups and track their organization and capabilities to bolster national security, in addition to coordinating with partners "to publicize this information as circumstances permit," under the strategy.
As the sector risk management agency for the defense industrial base, DOD also said it will "continue to convene government and industry officials and leverage public-private partnerships" to ensure its overall security. In that vein, the strategy also affirms the role of the Cybersecurity Maturity Model Certification program. The CMMC framework is designed to protect sensitive unclassified information in the custody of defense contractors by requiring compliance with baseline cybersecurity standards in order to compete for certain defense contracts.
The report states that DOD "will complement this program with other efforts to increase active defense measures and improve data protection across the DIB, such as provision of no-cost cybersecurity services to qualifying companies."