Last month I expressed concern that the growing gap between online functionality and security demanded a rethinking of several key aspects of security—more focus on tagging and tracking data, rethinking resilience and robustness, clearer security policies, and a need to change people’s behavior to reflect more security awareness.
Deputy Secretary of Defense Bill Lynn has written an important article, “Defending a New Domain,” published in the September/October 2010 issue of Foreign Affairs. The article begins with a description of a 2008 intrusion into U.S. Defense Department networks that “marked a turning point in U.S. cyberdefense strategy,” and outlines steps that the “U.S. government has begun putting in place … to defend the United States in the digital age.”
Lynn says that the strategy has five main elements: “Develop an organizational construct for training, equipping and commanding cyberdefense forces; employ layered protections with a strong core of active defenses; use military capabilities to support other departments’ efforts to secure the networks that run the United States’ critical infrastructures; build collective defenses with U.S. allies; and invest in the rapid development of additional cyberdefense capabilities.”
Collectively, these elements point beyond a focus on information assurance, or even cybersecurity, to a broader goal of mission assurance—the ability to complete a wide range of missions across a wide range of degradations. This is consistent with the strategy’s charge that “all operational forces are able to function in a degraded information environment.” The trick is how to do this.
Consider a naval analogy. A warship is not designed with the expectation that it never will be damaged. Instead, the ship has watertight compartments, fire mains and pumps, as well as both defensive and offensive weapon systems and intelligence support. And the crew trains and trains and trains—the ship must be regarded as an integrated weapon system.
This integrated approach applies in cyberspace as well, but the cyberstrategy must address some important differences from the naval analogy. Attacks will occur not just in the cyber domain, and nonmilitary activities—such as the protection of critical infrastructures—can have a profound effect on the outcome of an engagement.
Clearly, many other public and private components will have to be engaged to provide a full national capability. But the strategy articulates a role for the Defense Department while the rest of the national—and international—discussion is underway. It also helps to frame the discourse in terms that are consistent with other military usage. The organization of U.S. Cyber Command with military service components—the Army Forces Cyber Command, 10th Fleet, 24th Air Force, Marine Corps Forces Cyberspace Command—is one example. The use of terms such as “part sensor, part sentry, part sharpshooter” to describe active defense systems is another. Some people doubtless will see this as a militarization of cyberspace. But it will be important to differentiate roles as the broader debate plays out, and the article clearly describes its focus as “the Pentagon’s cyberstrategy.”
However well formed the strategy, how it is implemented will be crucial. Several approaches exist. Since 2003, DOD Instruction 8500.2 has defined a set of mission assurance criteria, ranging from “Vital” to “Needed.” The MITRE Corporation, Booz Allen Hamilton Incorporated and others have outlined ways to operationalize mission assurance that align well with the new strategy. More work remains to be done, but because this cyberstrategy probably will be subject to extended debate, there will be chances to refine the processes.
At this stage, I see three concerns.
The first is that the paper seems to assume
A second is that the paper’s proper emphasis on developing an effective cyber corps needs to be paralleled by senior leader education. The former is essential, but decision makers and senior policy makers also must be taught. The U.S. Justice Department has a very interesting program called Advanced S&T Adjudication Resource, or ASTAR, that develops and maintains a cadre of judges who are qualified to hear technical cases from the bench. A similar project is being investigated at the
The third concern focuses on the need for sustained and effective private-sector engagement. Since Presidential Decision Directive 63 (Critical Infrastructure Protection) in 1998, public-private collaboration in cyber-related areas consistently has fallen short of both needs and expectations. As noted in last month’s column, commercial factors continue to undercut security in favor of functionality. The new cyberstrategy reiterates the need to do better, and these are areas to which AFCEA members can contribute directly.
Linton Wells II is the director of the Center for Technology and National Security Policy (CTNSP) in the Institute for National Security Studies and a distinguished research professor at the