U.S. Defense Science Board Calls for Segmented Force Cyber Defense
The United States quickly must adopt a segmented approach to its military forces to ensure that key elements can survive a comprehensive cyber attack, according to a recently released Defense Science Board (DSB) Task Force on Resilient Military Systems. This approach entails a risk reduction strategy that combines deterrence, refocused intelligence capabilities and improved cyber defense. The effort must constitute “a broad systems approach … grounded in its technical and economic feasibility” to face a cyber threat that has “potential consequences similar in some ways to the nuclear threat of the Cold War,” the DSB report says.
The report declares that the United States cannot be confident that its critical information technology systems will work under attack from sophisticated adversaries combining cyber capabilities with conventional military and intelligence assets. In particular, the Defense Department’s dependence on vulnerable information technology “is a magnet” to U.S. opponents. U.S. networks are built on “inherently insecure architectures with increasing use of foreign-built components.” The report states that the department and its contractor base already have sustained “staggering losses” of system design information representing decades of combat knowledge and experience.
No silver bullet exists to eliminate cyberthreats, the report allows. Instead, it recommends an approach analogous to that employed against U-boats in World War II. Risks are not reduced to zero, but the challenge can be contained and managed through broad systems engineering of a spectrum of techniques.
Protecting all military systems from advanced cyber attacks is neither feasible nor affordable, the report states. Accordingly, having a critical set of segmented conventional systems will allow the United States to continue to deliver vital mission capabilities even under a catastrophic attack. Also, the president would have multiple response options in the event of a cyber attack, which would enhance deterrence.
The task force broke down its solution into seven recommendations. Foremost among these—and identified as the most expensive recommendation by far—is protecting the nuclear strike as a deterrent “for existing nuclear armed states and existential cyber attack.” This would ensure that nuclear forces and their command, control and communications remain capable in the face of a multispectrum attack that includes onslaughts through supply chains, insiders and communications. That effort would be combined with determining the proper mix of cyber, protected conventional and nuclear capabilities necessary for assured operation in the face of a full-spectrum adversary. This would give the president a “ladder of capabilities” for responding without having to resort to an all-or-nothing threat of nuclear weapons.
Another recommendation calls for refocusing intelligence collection and analysis on adversarial cyber activities, plans and intentions. This knowledge would be used to enable counterstrategies, the report notes.
High-end cyber activities are not the only challenge. Low- and mid-tier threats also must be addressed, with the Defense Department chief information officer designated as the lead for establishing an enterprise security architecture in collaboration with military departments and agencies. This architecture would include appropriate standards that ensure the availability of enabling enterprise missions.
And, the Defense Department culture for cyber and security must change. The report recommends the establishment of a departmentwide policy, communication, education and enforcement program to change that culture. Comparing it to the need to keep members of the armed forces physically fit, the DSB task force calls for communicating about, and applying discipline to, “cyber hygiene and security.”
The United States also must build and maintain “world-class cyber offensive capabilities,” the report recommends. The U.S. Cyber Command should develop the capability to model, game and train for full-scale cyber warfare. And, the Defense Department should establish a formal career path for military and civilian personnel in offensive cyber operations.
Above all, the department must build a cyber-resilient force with actions applied throughout the Defense Department force structure. These actions would include standards and requirements that incorporate cyber resiliency into cyber critical survivable missions. A resiliency standard would serve as the metric by which systems would be designed, built and measured. This standard would be applied to all the elements that would compose the segmented survivable force outlined by the task force.
“It will take years” for the department to build an effective response that includes deterrence, mission assurance and offensive cyber capabilities, the DSB report declares. So, it concludes, “We must start now!”
The unclassified version of the report, which was released March 1, can be viewed at www.acq.osd.mil/dsb/reports2010s.htm.
Comment
U.S. Defense Science Board Cyber Defense Plan
In response to this article’s premises,
1. U.S. networks are built on “inherently insecure architectures with increasing use of foreign-built components.”
2. “Protecting all military systems from advanced cyber attacks is neither feasible nor affordable, the report states. Accordingly, having a critical set of segmented conventional systems will allow the United States to continue to deliver vital mission capabilities even under a catastrophic attack.”
The commercial transport network today is almost entirely designed, built and operated by foreign nationals. This situation was driven by large commercial corporations zeal to make money at any cost, while lobbying their government to eliminate the security requirements for government networks and computers. As a result of this fact, fewer US citizen technical workers are today capable of designing systems that can be made secure, and the government steadfastly refused to fund any efforts to create networks and computers that can be made secure. The holy grail answer (this year’s hype or fad) is build it in the cloud, get everybody dependent on a network service provider set that is sure to be owned by the oligopoly of the tech giants and outsourced overseas (say to Russia and China?).
I assume these “conventional systems” are tube based HF radio nets with modern radio and crypto technology and morse code key capabilities to survive and operate after the EMP pulse delivered on the next war zero day?
If you think you are going to use COTS based Microsoft, Cisco, Oracle, Google and Open Source Linux systems software, don’t bother. All of the proprietary products have been reengineered by now, and the open source products are available to plan and execute application attacks. The discovered but secret zero day vulnerabilities are sold to the top bidder (i.e. China via a dark net) and transported over Chinese monitored COTS networks, don’t spend any more money on COTS solutions that don’t work.
Congress and the NSA have announced several programs to shutdown “stove pipe encryption development” so as to save money, exactly when it is needed to provide a secure distributed architecture with a US citizen workforce based non-COTS supply chain. That security has to include the entire supply chain or you are just wasting time. The government needs to look at the potential loss versus the cost of doing the same thing (COTS uber alles) and expecting different results. The emperor has no clothes.
Amen.
Amen. It's almost as if too many of them want the system to fail on purpose. I'd hate to think there were *that* many nepotistic-ally hired idiots running the show..but maybe?
Comments