Incoming: Cyber Threats Need Less Hand-to-Hand Combat, More Collective Defense
Part one of a two-part series.
Nothing keeps Defense Department leaders up at night more than today’s cyber threat. This heightened concern was clearly reflected in the September 2018 DoD Cyber Strategy, which noted that “competitors deterred from engaging the United States and our allies in an armed conflict are using cyberspace operations to steal our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure.”
Moreover, the threat continues to grow rapidly. As Undersecretary of Defense for Acquisition and Sustainment Ellen Lord told an audience in March, “The item that has changed the most since I have been at DoD for the last 18 months or so [has] been the cybersecurity imperative. We have threats every day. We are being attacked and the attack surface is huge… We have had many leaks, many attacks over the last five years or so, and they are accelerating.”
The Defense Department has responded with many tactics. Among them, it is locking down cyber vulnerabilities within its networks and systems with its shift to the Risk Management Framework, and it is conducting command cyber operational readiness inspections (CCORIs) to provide combatant commands and federal agencies a fuller understanding of the operational risks they face as they relate to their cybersecurity postures. It also is updating and automating its Defense Department-wide cybersecurity scorecard to provide leaders an up-to-date status on how well the department is ensuring strong authentication, hardening devices, reducing its attack surface and detecting and responding to potential intrusions. And it is developing a new ISO-like cybersecurity standard that suppliers must meet.
These and other actions are all necessary steps. But even department leaders acknowledge plenty more must be done to create a secure and resilient ecosystem for the Defense Department and its many stakeholders to operate effectively.
I am especially happy to see a few department leaders acknowledge a challenge I think is particularly important. Some Defense Department-connected organizations lack the financial and talent resources to build and maintain robust cybersecurity defenses. My colleague Gus Hunt, the former chief technology officer at the CIA, refers to this as the “cyber poverty line.”
Because we are all so interconnected, and growing moreso every day, we must all be concerned with the vulnerabilities of the cyber “have-nots.” The Defense Department, after all, is only as secure as its weakest link. Our adversaries have proved themselves smart and inventive: When they approach a secure front gate, they find another gate further down the road that allows them entry into the broader ecosystem of organizations from where they can move sideways to their target. This is how cyber attacks work today.
Many defense organizations may well be cyber hardened. But what about the department’s innumerable partners and stakeholders? That might be federal, state and local government agencies, National Guard and Reserve organizations, small businesses, hospitals or others.
Undersecretary Lord articulated this concern well when she recently said, “What I am concerned about especially is the small companies where our innovation comes from, where—when we sit down with them and talk to them about cybersecurity—we sometimes hear, no kidding, ‘My nephew does my cybersecurity.’ That gets us a little bit worried. And we know that we will either put these small companies out of business, or we will drive them away from the Department of Defense if we give them very, very onerous regulations to meet.”
Today, we still see a heavy reliance on hand-to-hand combat in the cyber realm when we really need greater focus on building better collective defenses. The “every man for himself” approach clearly does not—and cannot—work.
Instead, we need strategies and mesh solutions, such as managed security services, that are designed at the enterprise level and include all Defense Department stakeholders, regardless of how small or niche they are, to ensure that all are adequately protected. This would elevate everyone’s cyber posture for our collective defense. Until that happens, the Defense Department will continue to be vulnerable at every level.
Next month, I will explore how the Defense Department might better address this challenge.
Lt. Gen. Susan Lawrence, USA (Ret.), is managing director for the Armed Forces Sector, Accenture Federal Services. She previously served as the CIO/G-6 for the U.S. Army as well as the commanding general for the Army’s Network Enterprise Technology Command (NETCOM).