Locked and Loaded With Cyber
Officials discuss cyber as a weapon.
While serving as the first luncheon keynote speaker at AFCEA’s Defensive Cyber Operations Symposium, Lt. Gen. Ronnie D. Hawkins Jr., USAF, outgoing director of the Defense Information Systems Agency (DISA), compared cyber and traditional weapons. “We have really, really been modernizing our weapon systems. When you juxtapose that, however, with what we’ve been doing in cyber, we are just now catching on to recognizing that cyber truly is a weapon system,” he said at the June 16-18 event held in Baltimore. “Truly, we are modernizing our weapon system when it comes to cyber right now.”
He compared the cyber domain to the air domain, pointing out that both include commercial and military resources and operations. “We have to coexist in that airspace, that domain called air. I would argue with you at a professional level that we need to do the same thing when it comes to coexisting within cyber.”
Gen. Hawkins also released an updated DISA strategic plan for 2015-2020. The plan lays out an objective state for assured, scalable and managed access to services and data in all environments at the point of need. It also calls for a cost-effective infrastructure and computing.
Terry Halvorsen, the Defense Department’s chief information officer, picked up on the cyber as weapon theme when talking about the need for accountability. Halvorsen indicated that a soldier who inadvertently fires a weapon faces dire consequences. “The weapon represented by the network is far more dangerous, far more powerful and can cause far more damage than the single stray shot from an M-16 or .45 [caliber]. We have to get accountability up,” he said.
When it comes to cyber, Halvorsen indicated he prefers an automated weapon. “There ought to be some things we can almost completely automate. That’s the only way we’ll stay up to date,” he said, citing analysis as one area ripe for automation. “You can’t keep putting this back on people to do the analysis in real time. It’s not going to work.”
He observed that automation cuts costs. “The other problem that solves is that we don’t have the money to have all the people we want. You automate, save some money, so we can put it into having a much more structured, higher-level cybersecurity force,” he said.
Halvorsen also hinted at a Cold War-like strategy by suggesting the United States should increase the cost of waging cyberwarfare. “Adversaries are resource-driven, too,” he stated. “That automation also, by going faster, makes it harder for the threat [actors] to play.”
He recommended a variety of options, including two-factor authentication, biometrics and tokens to finally kill passwords and increase costs for adversaries.
Halvorsen also noted, however, the department simply does not have the money to treat the entire cyber domain as a weapon system comparable to other weapon platforms. Even a logistics system could, under some circumstances, be considered a weapon system, he added.
Lt. Gen. James “Kevin” McLaughlin, USAF, deputy commander, U.S. Cyber Command, led the second day of the symposium by stressing the importance of command and control. Over the decades, the Defense Department has gone from a “highly decentralized everything” to “a more unified command and control,” he said, explaining the Cyber Command commander “needs to have visibility and access and the ability to direct across the DOD information network.”
Richard Hale, Defense Department deputy chief information officer for cybersecurity, noted the complexity of defending the network when it includes weapon systems. “We have airplanes filled with computers. A small diameter bomb has a computer in it. Anything with a computer or software in it is cyber attackable,” Hale said.
The final day featured an all-DISA panel discussion, during which officials emphasized the agency prefers to partner, rather than compete, with industry to better equip warfighters. “The old days of us against you are over. We can’t do it anymore,” said Tony Montemarano, the agency’s executive deputy director.