DoD's new cyberstrategy includes academia partnering
The U.S. Department of Defense (DoD) operates the world's largest network - a diffuse patchwork of thousands of networks - and, as you can imagine, it's a giant target for state-sponsored and other malicious cyberattackers. One of the biggest factors enabling cyberspace attacks is the fact that security simply wasn't factored in when the Internet was designed. It was intended to serve as an open system to allow scientists and researchers around the world to connect and share data quickly and easily, which it does, but at the same time it creates an Internet-security "Achilles' heel" that allows attackers to do the same.
As U.S. Secretary of Defense Ash Carter spelled out during an April speech at Stanford University, the extent of our reliance upon technology without adequate security equates to real vulnerabilities that “adversaries are eagerly exploiting.”
In a move to tackle the overall lack of visibility that comes with operating an enormous patchwork of networks, as well as to improve its defense against the relentless onslaught of attacks, DoD has come up with a new multifaceted strategy that includes working with academia and industry. The DoD’s new cyberstrategy centers on “deterrence by denial” by building a single security architecture for its widely dispersed networks, while also putting what it calls “offensive” options on the table.
Of the three key goals of this strategy, as outlined by Carter, the first is “defending our own networks and weapons because they’re critical in what we do every day … and they’re no good if they’ve been hacked.” The second goal is to “help defend the nation against cyberattacks from abroad – especially if it would cause loss of life, property destruction, or significant foreign policy and economic consequences,” he added. The third goal is to “provide offensive cyberoptions that, if directed by the president, can augment our other military systems.”
During future conflicts, DoD presumes that adversaries will target U.S. or allied critical infrastructure to gain strategic advantages. DoD’s 2015 cyberstrategy calls these types of disruptive, manipulative, or destructive cyberattacks “a significant risk to U.S. economic and national security.” Beyond its own networks, DoD relies on civil critical infrastructure across the U.S. and overseas for its operations, “yet the cybersecurity of such critical infrastructure is uncertain.”
With disruptive and destructive attacks viewed as a real threat on the horizon, DoD’s new strategy encourages U.S. government agencies, companies, and organizations to “carefully prioritize the systems and data they need to protect, assess risks and hazards, and make prudent investments in cybersecurity and cyberdefense capabilities to achieve their security goals and objectives.” Beyond these defense investments, DoD recommends that all organizations build business continuity plans and be prepared to operate within a degraded cyberenvironment.
Another crucial aspect of DoD’s strategy is to re-establish close ties with academia and the tech industry. “We want to partner with businesses on everything from autonomy to robotics to biomedical engineering; from power, energy, and propulsion to distributed systems, data science, and the Internet of Things,” explained Carter in his speech, “because if we’re going to leverage these technologies to defend our country and help make a better world, DoD cannot do everything in all these areas alone. And the same is true with cybersecurity – we have to work together on this one.”
Cyberthreats against U.S. interests are increasing in severity and sophistication, Carter noted, and it’s a problem the entire country faces, not just DoD. “Networks nationwide are scanned millions of times a day,” he said.
Nation-states – most notably Russia, China, and Iran – have “advanced cybercapabilities and strategies ranging from stealthy network penetration to intellectual property theft,” Carter pointed out, but criminal and terrorist networks are also ramping up their cyberoperations. “Low-cost and global proliferation of malware has lowered barriers to entry and made it easier for smaller malicious actors to strike in cyberspace. We’re also seeing blended state and nonstate threats in cyber … which complicates potential responses for us and for others.”
To better defend DoD information networks, the goal is to adopt deterrence by denial by building a single security architecture that’s more easily defendable, while remaining flexible enough to adapt and evolve to mitigate any threats. This single point will replace the myriad of networks currently operated by DoD.
DoD needs to “strengthen our network defense command and control to synchronize across thousands of these disparate networks and conduct exercises in resiliency … so that if a cyberattack degrades our usual capabilities, we can still mobilize, deploy, and operate our forces in other domains – air, land, and sea – despite the attack,” Carter said.