Filed in: CyberWarfare
A couple of weeks ago, I talked about the DOD's new cyber warfare policy. Deputy Secretary of Defense, William Lynn, rolled out his justification and strategy in an essay published in Foreign Affairs magazine. I gave an evaluation on how far along the DoD is in implementing that policy and gave Secretary Lynn a thumbs up for crafting a cogent plan.
In the Strategy section of the essay, Lynn mentions a concept called active defense. This is a government euphemism for Offensive Cyber Operations. He basically says that you cannot be effective in cyber space if you are only playing defense. Lynn said,
"In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun."
This is a basic tenant of regular warfare (Look up quotes from any famous general or military expert like Napoleon, Clausewitz, McArthur, Patton, etc). To win, you have to take the fight to the enemy. This is not different just because we operate in cyberspace. The basics tenants of warfare do not change simply because you are in a new medium. They are the same on land, in the air and on the sea. If we fight in cyberspace, we have to go on the offense.
This is consistent with what General Alexander, the Army General in charge of the new Cyber Command, said in August when he spoke at the Armed Forces Communications and Electronics Association's LandWarNet conference:
"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."
But developing and deploying a framework for these kinds of operations is hard and must be done in advance. You don't want to be making this stuff up on the fly during a crisis. Working out the legal and civil liberties issues is tough. Lynn agrees,
"The speed at which active defense systems must act means that the rules of engagement governing network defense must be set largely in advance. Devising these protocols is not easy."
Also, just saying the Army will conduct offensive operations sounds so clean and precise. It is not. It will be messy. Unforeseen consequences will happen. The enemy will react. As civilians, we like to think that just because the Army will hit back, the enemy will wither and run away. That will absolutely not happen. It has not happened in Iraq and in Afghanistan, and it will not happen in cyberspace. I had an old commander of mine who always use to say, "The Enemy gets a vote." Most likely he will not vote to quit.
General Alexander and Deputy Secretary of Defense Lynn know this. They have been around the block a few times. They know what is in store when we start down this path. That is why it is imperative that the framework is in place before the crisis occurs. We must have a general game plan in place that is transparent and generally agreed upon before the first cyber digit is fired in anger; transparent to the good guys and yes to the enemy. The enemy must know what we are likely to do before they cast their vote. This will all influence the shape of the battle space.
I believe that all of this is years away, but we have started down the path. The DOD must still negotiate many obstacles; but Secretary Lynn has outlined a strategy and General Alexander has committed to it. It is just a matter of time now.
(No Comments)
Filed in: DoD Policy Lynn Intelligence Policy Trends
William Lynn, the US Deputy Defense Secretary, published an essay in Foreign Affairs magazine last week describing recent US Department of Defense (DoD) policy changes concerning cyber warfare. Although the essay does not present much new information, it is the most cogent description of the issues, challenges and potential solutions on the table that I have read in one easy-to-read article. Here is a summary of Lynn's Justification and Strategy:
Justification
In 2008, hackers - most likely from a foreign government - successfully penetrated DoD networks (both the CLASSIFIED SIPIRNET and UNCLASSIFIED NIPRNET) and exfiltrated large volumes of official documents. This situation instigated the formalization of a US strategy (See below).
Cyberspace is asymmetric and the offense will always have the upper hand.
Cold War deterrence models of assured retaliation do not work because the attribution problem is hard.
Cyber warfare forces will not attack just military targets. They will go after the nation's critical infrastructure and industrial secrets.
Cyber Warfare forces will not always come from the network. They will infiltrate the supply chain, both hardware and software, and attack from within.
Strategy
(My assessment of each plank's completeness in parentheses)
Formally recognize cyberspace as a new domain of warfare (Done)
Put one command in charge of the strategy: Cyber Command (Done)
1). Lead daily defense operations (On-going)
2). Provide an accountable way to marshal cyber warfare resources across the military (On-going)
3). Coordinate with other government bodies and commercial entities (Just Beginning)
Dynamic reaction to Attacks (On-going)
1). Maintain computer hygiene (On-going)
2). Deploy advanced sensors (On-going)
3). Develop an "Active Defense" but protect US civil liberties (Just Beginning)
Define rules of engagement (Just Beginning)
Support broader efforts to protect critical infrastructure (Just Beginning)
Coordinate Signals Intelligence (SIGINT) with allies (On-going)
Bring the commercial sector into the discussion (Just Beginning)
Fund research and development (R&D); focus on superior technology (On-going)
Train and equip the military cyber warrior (Just Beginning)
Streamline the government's procurement process (Just Beginning)
My Observations
Like I said, there is not much new here. Many of the concepts expressed in the justification and in the strategy have been on the table for the last 10 years. That's the bad news. The good news is that they are starting to congeal into something more than just a set of slides in PowerPoint deck.
Regarding the actual 2008 data breach, it is not clear who the actual perpetrators were. The code, agent.btz, had been around for at least 3 years when discovered by the US military skipping through both the classified (SIPRNET) and unclassified (NIPRNET) networks. As reported by our Russian analyst, Kimberly Zenz, in December 2008, a Russian hacker most likely crafted the code, but the attack vector was so lame that it seems unlikely that any nation's cyber espionage program would launch it. Wired Magazine's Noah Shachtman echoed this observation when he interviewed Lynn last week.
Still, Lynn's essay is a signpost in the continuing discussion and developing plans of the US government. It definitely shows the direction the US government is heading. It also supports the notion that iDefense put forward in last year's 2010 Cyber Threats and Trends paper: We are witnessing the incipient stages of a significant shift in the center of gravity away from the commercial enterprise and toward the government in terms of new policy, the amount of money that will be spent on cyber security and what the cyber security professional will look like in terms of skill set.
Whether or not the US government will be successful in executing the above strategy remains to be seen. Lynn has cogently laid out the plan. It is clear what he wants to do. Like we said in last year's trends paper though, the space is likely to be muddled for the next couple of years while government leaders work through the issues.
(No Comments)
