Cyber Defense Strategy, From Paper to Practice
This month, Linton Wells II drew his inspiration for Mission Assurance Moves to the Fore in Cyberspace from Deputy Secretary of Defense William J. Lynn III's recently published article, Defending a New Domain: The Pentagon's Cyberstrategy. Wells summarizes Lynn's strategy points, noting that taken as a whole, they have a broader implication than just cyberdefense. It has more to do with mission assurance, he says:
Attacks will occur not just in the cyber domain, and nonmilitary activities, such as the protection of critical infrastructures, can have a profound effect on the outcome of an engagement. Lynn's article recognizes this and provides a framework not only for implementing mission assurance but also for defining the military's role within the broad national framework.
Clearly, many other public and private components will have to be engaged to provide a full national capability. But the strategy articulates a role for the Defense Department while the rest of the national (and international) discussion is underway. It also helps to frame the discourse in terms that are consistent with other military usage. The organization of U.S. Cyber Command with military service components (the Army Forces Cyber Command, 10th Fleet, 24th Air Force, Marine Corps Forces Cyberspace Command) is one example. The use of terms such as "part sensor, part sentry, part sharpshooter" to describe active defense systems is another. Some people doubtless will see this as a militarization of cyberspace. But it will be important to differentiate roles as the broader debate plays out, and the article clearly describes its focus as "the Pentagon's cyberstrategy."
However well formed the strategy, how it is implemented will be crucial. Several approaches exist. Since 2003, DOD Instruction 8500.2 has defined a set of mission assurance criteria, ranging from "Vital" to "Needed." The MITRE Corporation, Booz Allen Hamilton Incorporated and others have outlined ways to operationalize mission assurance that align well with the new strategy. More work remains to be done, but because this cyberstrategy probably will be subject to extended debate, there will be chances to refine the processes.
How can the private sector do a better job of meeting the requirements of the new cyberstrategy?