The US DOD Proposes their Cyber Security Plan posted by Rick Howard

William Lynn, the US Deputy Defense Secretary, published an essay in Foreign Affairs magazine last week describing recent US Department of Defense (DoD) policy changes concerning cyber warfare. Although the essay does not present much new information, it is the most cogent description of the issues, challenges and potential solutions on the table that I have read in one easy-to-read article. Here is a summary of Lynn's Justification and Strategy:

Justification

In 2008, hackers - most likely from a foreign government - successfully penetrated DoD networks (both the CLASSIFIED SIPRNET and UNCLASSIFIED NIPRNET) and exfiltrated large volumes of official documents. This situation instigated the formalization of a US strategy (see below).

Cyberspace is asymmetric and the offense will always have the upper hand.

Cold War deterrence models of assured retaliation do not work because the attribution problem is hard.

Cyber warfare forces will not attack just military targets. They will go after the nation's critical infrastructure and industrial secrets.

Cyber warfare forces will not always come from the network. They will infiltrate the supply chain, both hardware and software, and attack from within.

Strategy

(My assessment of each plank's completeness in parentheses)

Formally recognize cyberspace as a new domain of warfare (Done)

Put one command in charge of the strategy: Cyber Command (Done)

1). Lead daily defense operations (On-going)

2). Provide an accountable way to marshal cyber warfare resources across the military (On-going)

3). Coordinate with other government bodies and commercial entities (Just Beginning)

Dynamic reaction to Attacks (On-going)

1). Maintain computer hygiene (On-going)

2). Deploy advanced sensors (On-going)

3). Develop an "Active Defense" but protect US civil liberties (Just Beginning)

Define rules of engagement (Just Beginning)

Support broader efforts to protect critical infrastructure (Just Beginning)

Coordinate Signals Intelligence (SIGINT) with allies (On-going)

Bring the commercial sector into the discussion (Just Beginning)

Fund research and development (R&D); focus on superior technology (On-going)

Train and equip the military cyber warrior (Just Beginning)

Streamline the government's procurement process (Just Beginning)

My Observations

Like I said, there is not much new here. Many of the concepts expressed in the justification and in the strategy have been on the table for the last 10 years. That's the bad news. The good news is that they are starting to congeal into something more than just a set of slides in a PowerPoint deck.

Regarding the actual 2008 data breach, it is not clear who the actual perpetrators were. The code, agent.btz, had been around for at least 3 years when discovered by the US military skipping through both the classified (SIPRNET) and unclassified (NIPRNET) networks. As reported by our Russian analyst, Kimberly Zenz, in December 2008, a Russian hacker most likely crafted the code, but the attack vector was so lame that it seems unlikely that any nation's cyber espionage program would launch it. Wired Magazine's Noah Shachtman echoed this observation when he interviewed Lynn last week.

Still, Lynn's essay is a signpost in the continuing discussion and developing plans of the US government. It definitely shows the direction the US government is heading. It also supports the notion that iDefense put forward in last year's 2010 Cyber Threats and Trends paper: We are witnessing the incipient stages of a significant shift in the center of gravity away from the commercial enterprise and toward the government in terms of new policy, the amount of money that will be spent on cyber security and what the cyber security professional will look like in terms of skill set.

Whether or not the US government will be successful in executing the above strategy remains to be seen. Lynn has cogently laid out the plan. It is clear what he wants to do. Like we said in last year's trends paper though, the space is likely to be muddled for the next couple of years while government leaders work through the issues.