The United States must quickly adopt a segmented approach to its military forces to ensure that key elements can survive a comprehensive cyber attack, according to a recently released report from the Defense Science Board (DSB) Task Force on Resilient Military Systems. This approach entails a risk reduction strategy that combines deterrence, refocused intelligence capabilities and improved cyber defense. The effort must constitute “a broad systems approach … grounded in its technical and economic feasibility” to face a cyber threat that has “potential consequences similar in some ways to the nuclear threat of the Cold War,” the DSB report says.
The report declares that the United States cannot be confident that its critical information technology systems will work under attack from sophisticated adversaries combining cyber capabilities with conventional military and intelligence assets. In particular, the Defense Department’s dependence on vulnerable information technology “is a magnet” to U.S. opponents. U.S. networks are built on “inherently insecure architectures with increasing use of foreign-built components.” The report states that the department and its contractor base already have sustained “staggering losses” of system design information representing decades of combat knowledge and experience.
No silver bullet exists to eliminate cyber threats, the report allows. Instead, it recommends an approach analogous to that employed against U-boats in World War II. Risks are not reduced to zero, but the challenge can be contained and managed through broad systems engineering of a spectrum of techniques.
Protecting all military systems from advanced cyber attacks is neither feasible nor affordable, the report states. Accordingly, having a critical set of segmented conventional systems will allow the United States to continue to deliver vital mission capabilities even under a catastrophic attack. Also, the president would have multiple response options in the event of a cyber attack, which would enhance deterrence.
The task force broke down its solution into seven recommendations. Foremost among these—and identified as the most expensive recommendation by far—is protecting the nuclear strike as a deterrent “for existing nuclear armed states and existential cyber attack.” This would ensure that nuclear forces and their command, control and communications remain capable in the face of a multispectrum attack that includes onslaughts through supply chains, insiders and communications. That effort would be combined with determining the proper mix of cyber, protected conventional and nuclear capabilities necessary for assured operation in the face of a full-spectrum adversary. This would give the president a “ladder of capabilities” for responding without having to resort to an all-or-nothing threat of nuclear weapons.
Another recommendation calls for refocusing intelligence collection and analysis on adversarial cyber activities, plans and intentions. This knowledge would be used to enable counterstrategies, the report notes.
High-end cyber activities are not the only challenge. Low- and mid-tier threats also must be addressed, with the Defense Department chief information officer designated as the lead for establishing an enterprise security architecture in collaboration with military departments and agencies. This architecture would include appropriate standards that ensure the availability of enabling enterprise missions.
And, the Defense Department culture for cyber and security must change. The report recommends the establishment of a departmentwide policy, communication, education and enforcement program to change that culture. Comparing it to the need to keep members of the armed forces physically fit, the DSB task force calls for communicating about, and applying discipline to, “cyber hygiene and security.”
The United States also must build and maintain “world-class cyber offensive capabilities,” the report recommends. The U.S. Cyber Command should develop the capability to model, game and train for full-scale cyber warfare. And, the Defense Department should establish a formal career path for military and civilian personnel in offensive cyber operations.
Above all, the department must build a cyber-resilient force with actions applied throughout the Defense Department force structure. These actions would include standards and requirements that incorporate cyber resiliency into cyber critical survivable missions. A resiliency standard would serve as the metric by which systems would be designed, built and measured. This standard would be applied to all the elements that would compose the segmented survivable force outlined by the task force.
“It will take years” for the department to build an effective response that includes deterrence, mission assurance and offensive cyber capabilities, the DSB report declares. So, it concludes, “We must start now!”
The unclassified version of the report, which was released March 1, can be viewed at www.acq.osd.mil/dsb/reports2010s.htm.