Last week, the Pentagon announced a plan for "operating in cyberspace," clearly marking out a new terrain in the world of national defense. John Joyner breaks down the document and what it means for future cybersecurity measures.
In a frank and timely confirmation of the gravity of some recent successful cyber-attacks with strategic consequences to the United States, the Pentagon released on July 14, 2011 an 11-page report on Cybersecurity. A readable and relevant wake-up call to the nation from its military, the report communicates an urgency that has implications to every Internet user. While disturbing news, it is refreshing to see the U.S. government share information with the American people in this transparent way. The findings and recommendations of the document are logical and smack of common sense.
Cyber threats listed in the context section of the document establish the urgency by referring to recent revelations such as the electronic theft in March 2011 of thousands of classified documents from a U.S. defense contractor by a foreign power, and the report this month of malicious components discovered embedded in foreign-manufactured electronics. The document is the first of its kind by the Pentagon, and there was speculation that a new offensive-oriented policy might state that cyber-damage inflicted by hostile agent-states could be answered by physical force.
As released, the document makes no provocative policy statement linking possible physical retaliation to cyber-attacks. The document more basically sounds a clear alarm about significant hostile activities discovered recently, and lets people know what the nation's military planners are doing about it in the short term. The Pentagon organizes the document in five strategic initiatives; I've simplified and paraphrased them below.
#1 The military will give the effort sufficient resources
An interesting concept the military uses is calling cyberspace a ‘domain', defined by quoting the 2010 Quadrennial Defense Review: "Although it is a man-made domain, cyberspace is now as relevant a domain for Department of Defense (DoD) activities as the naturally occurring domains of land, sea, air, and space."
Here are some examples the document provides of the level of attention the cyberspace domain is to receive in the military:
- Resources are provided on a scale as if cyberspace were another terrestrial continent; for example, the U.S. Navy's "10th Fleet" was reactivated in 2010, charged now with looking after cyberspace (rather than anti-submarine operations in the Atlantic, as was its mission from 1943-1945). Of note is that a numbered U.S. fleet historically represents a vast geographic region. Establishing a numbered fleet command automatically carries the weight of a three-star admiral and quite a large staff.
- Cyber red teams will be included in all war games and exercises, anticipating degraded cyberspace operations and disruption in the midst of a mission. Disrupting war games is expensive and even risky; but this seems like a great way to improve our troop readiness across the board.
#2 The military will try and manage IT security better
This initiative includes sub-categories of (1) following cyber hygiene best practices, (2) focusing on insider threat mitigation, (3) deploying a better Intrusion Prevention System (IPS), and (4) a promise to constantly develop new defense operating concepts. These are modern security housekeeping concepts for any large IT organization; including them in the document shows the military has not forgotten about the basics.
#3 The military will partner with other government agencies and the private sector
The military wants to enable a "whole of government" approach to increase national cybersecurity, and the DoD has partnered with the Department of Homeland Security (DHS) to lead the inter-agency efforts. Realistically, the military admits that it depends on the entire private sector IT hardware and software industry, and the same telecommunications carriers and Internet Service Providers (ISPs) that everyone else uses.
The document mentions that incentives to promote private sector participation in national cybersecurity are possible. To date, there has been very little federal government financial support for public-private sector cybersecurity partnerships. An example is the Federal Bureau of Investigation (FBI) InfraGard program; while enjoying broad industry support, the program runs on a shoestring. It would be great news if this DoD document paved the way for the Pentagon to somehow compensate the FBI (which reports to the Department of Justice) for increased resources to support InfraGard.
#4 The military will leverage U.S. allies and international partners to act globally against the bad guys
This is a cyber-defense option that makes great sense. It is right for government to fill the role of leading a collective self-defense effort, and this strategy is a logical underpinning for all kinds of possible new strategic alliances. I hope our government will exploit this opportunity, which might include such physical world concepts as international blockades and embargoes applied against strategic cyber offenders.
#5 The military will recruit patriot geeks to replicate the dynamism of the private sector
This is the most exciting part of the document, where the Pentagon describes how American ingenuity is a cyber-strength we can draw on. For example, I am glad to know there is a National Cyber Range where large scale experiments and network simulations are conducted, and knowing that we have such a facility to attract and retain cyber talent is good news.
Reaching out to academic and business resources with an entrepreneurial approach, and developing Reserve and National Guard cyber capabilities are new missions the military will consider -- these sound like great ideas. So does the promise to achieve a cybersecurity technology development lifecycle of 12 to 36 months, compared to seven or eight years as is typical for Pentagon computer projects.Who's in charge?
Responsibility for coordinating cyber-readiness in the military is given to the Director of the National Security Agency (NSA), General Keith B. Alexander, who is "dual-hatted" as commander of USCYBERCOM. In fact a "key organizational concept is [USCYBERCOM's] co-location with the National Security Agency."
We know the NSA is good at cryptography, exploiting the electromagnetic spectrum, and maintaining secrecy. The ability of NSA to respond in a nimble fashion to changing conditions in "Internet time" is unknown, and the NSA is probably not the best agency when it comes to a track record of public relations. Let's hope the Pentagon does as good a job keeping us informed of their progress in the fight as they have done in announcing the battle in this document.