President's Commentary: Information Is the New Gold in Cyberspace
The challenges of cyberspace permeate just about everything we do—whether in defense, critical infrastructure such as banking systems or utilities and any other major commercial enterprise or individual pursuit. The ability to shape, change and manipulate data in an unauthorized and undetected manner can severely undermine confidence in the systems that depend on that information. Consequently, the ability to secure cyberspace is critical.
Our potential adversaries in cyberspace are practicing a digital form of maneuver warfare. Their work is nonstop: Think, collaborate, deceive, expand, contract, move, elude. Repeat. They know the value of information—real or fake—and focus their efforts on exploiting it. Defeating them will take a coordinated effort in which all participants recognize the value of that information.
Training is key, and not just in terms of operating in cyberspace. Traditional military disciplines such as electronic warfare, radio frequency spectrum deception, misinformation, disinformation, psychological operations and others are coming together with cyber under the rubric of information warfare. This evolution, along with the skills to operate in the cyber domain, must become a larger part of military education and training. Students and cyber operators must understand the full range of capabilities as well as the liabilities facing the force.
Matching adversaries step for step in cyberspace requires reliable intelligence. We are not yet where we need to be in this area. Intelligence must forewarn of attacks and enable attribution when attackers are detected so that retribution can be focused on the proper target.
The force must develop tools that will allow proper responses. This includes ways of correctly attributing cyber attacks and a method of rapidly disseminating that information. The cyber force also needs tools that enable a wide range of effects for offensive actions and deterrence. Flexible response—or the threat of an effective pre-emptive attack—is important in cyber operations.
Cyber operators must be able to tailor their activities. Small, targeted actions should not produce undesirable effects. And any strong cyber force must have an effective command and control structure that extends down to the level of execution and beyond. This structure establishes proper boundaries to help avoid unintended effects. Unfortunately, the nation’s leaders have not yet decided how far down that execution level rests.
Clearly, cyber operations must include offensive measures against adversaries. This involves taking actions to deny the threat at its source, wherever it is. Absent those actions, the United States and its allies are likely to continually be attacked. A better course would be to force any potential attacker to weigh the price of an attack versus the value of a target.
Deterrence is no simple matter. Using cyber offense requires focused high-skills training to develop talents in the people who employ those capabilities. These operators must understand the precision with which they must strike. They must understand the cyberscape thoroughly to avoid disruptions that cause adverse second- or third-order effects. And national leadership must have confidence that these skills have been imbued in cyber operators according to established parameters.
Defending against cyberthreats can differ for military and civilian vulnerabilities, but when combined, both present a broad national security challenge that must be addressed. With the critical infrastructure identified, the United States must find a way to motivate the private sector to ameliorate its security problems. This solution likely includes costly design and technical changes to the infrastructure to isolate attacks and mitigate damage—problems that cannot be ignored.
Risk mitigation strategies are needed to soften the blow of an attack. When a known critical threat is detected, perhaps software containing a shutdown mode could kick in. And government must establish a methodology for practicing its response to any attack.
Unlike other government or industry issues, the cyberthreat is not compartmentalized between the two sectors. It is a national issue that will require stronger partnerships among industry, government and academia, with oversight that will be more than just sticking a toe in the water. This country needs a national strategy with the proper incentives for the commercial sector to commit to protecting the national infrastructure. Information is the new gold, and national bankruptcy looms if the country fails to secure it.