Eric Rosenbach: Agreement on Definitions Slowing Pentagon Cyber Offense Policy


The Defense Department is determining how the Law of Armed Conflict can be applied in the cyber domain, the American Forces Press Service reports.

Eric Rosenbach, deputy assistant secretary for cyber policy, said the Pentagon is considering cyber operations policy that would give the president and the defense secretary more options for cyber defense.

Rosenbach said the Pentagon only wants to mount cyberspace operations when it is appropriate and in a way that allows them to avoid using kinetic tools.

The Pentagon’s effort to define rules of cyber engagement has been slowed by the fact that officials cannot agree on basic Internet-related language, Rosenbach said.

There is also not a clear agreement on what cyber means, he noted.

Rosenbach said the Pentagon tends to consider anything that involves a network, not necessarily connected to the Internet, to be cyber.

Defense officials did not begin to publicly discuss offensive cyber efforts until last November, Rosenbach explains.

He said there is still difficulty choosing words to describe offensive and defensive cyber operations.

Rosenbach said the Pentagon answered 13 Senate Armed Services Committee questions about its cyber policy as part of the National Defense Authorization Act.

The law gives light to the fact that the Pentagon can engage in offensive cyber operatives if ordered to do so.

The cyber language hurdles not only impede the Pentagon drawing out rules of engagement, but also its ability to develop international cyber agreements with nations such as the U.K., Australia, New Zealand and Canada.

Rosenbach said he has had productive talks with France and Germany, and has attempted to engage in with China to avoid any accidental escalations.

You may also be interested in...

Brian Conrad

Brian Conrad: FedRAMP to Implement Threat-Based Scoring in Security Control Assessments

Brian Conrad, acting director of the Federal Risk Authorization Management Program, said FedRAMP wants to apply a threat-scoring methodology to evaluate security controls. Conrad said FedRAMP is working to implement the fifth control catalog revision of the National Institute of Standards and Technology's Special Publication 800-53.

Leave a Reply

Your email address will not be published. Required fields are marked *