The Department of Defense’s long awaited (DOD) new cyber strategy – its second – which was just announced is intended “to guide the development of DoD’s cyber forces and strengthen its cyber defense and cyber deterrence posture,” the Pentagon said.
So far, though, it’s been met with a rather tepid response from industry cybersecurity authorities and officials.
The 40-plus document detailing the DOD’s cyber strategy “focuses on building cyber capabilities and organizations for DoD’s three cyber missions,” which are defending DoD networks, systems and information; defending the United States and its interests against cyber attacks of significant consequence; and providing integrated cyber capabilities to support military operations and contingency plans.”
DOD said, “The strategy sets five strategic goals and establishes specific objectives for DoD to achieve over the next five years and beyond.”
The Pentagon said there are 3 “major drivers” requiring DoD’s development of a new and comprehensive cyber strategy.
“First is the increasing severity and sophistication of the cyber threat to US interests, to include DoD networks, information and systems. The Department of Defense has the largest network in the world and DoD must take aggressive steps to defend its networks, secure its data and mitigate risks to DoD missions. Second, in 2012 President Obama directed DoD to organize and plan to defend the nation against cyberattacks of significant consequence, in concert with other US government agencies.”
Finally, because the new mission required new strategic thinking, and “in response to the threat, in 2012 DoD began to build a Cyber Mission Force (CMF) to carry out DoD’s cyber missions. The CMF will include nearly 6,200 military, civilian and contractor support personnel from across the military departments and defense components. The strategy provides clear guidance for the CMF’s development.”
The Pentagon said, this new “strategy describes the Department of Defense contributions to a broader national set of capabilities to deter adversaries from conducting cyberattacks,” and that DOD “assumes that the deterrence of cyber attacks on US interests will be achieved through the totality of US actions, including declaratory policy, substantial indications and warning capabilities, defensive posture, effective response procedures and the overall resiliency of US networks and systems.”
DoD said it “has a number of specific roles to play in this equation; this strategy describes how DoD will fulfill its deterrence responsibilities effectively.”
“The Pentagon cybersecurity strategy document just states clearly what was already an open secret – cyber weapons exist, and have a significant role in modern warfare, and that we are likely to use them when challenged,” responded Dr. Mike Lloyd, CTO of RedSeal, asecurity analytics company.
“Every weapon humans have made has been used sooner or later, and there is no reason to believe the online world is an exception. There may be no clear ‘Cyber Pearl Harbor’ event to mark the outbreak of cyber war,” Lloyd said. “Today’s reality has a closer analogy to naval piracy than to World War II – rather than a great conflict of warring nations, piracy was a scourge based in lawless areas, but that represented a steady back-pressure on prosperity, security and trade.”
“Eventually,” Lloyd continued, “military means had to be used – cracking down with force on piracy. (Pirates themselves were often state-sanctioned ‘terrorists,’ in modern terms – we have close analogs of this in today’s cyber environment.) We face and will face online adversaries ranging from individuals to state-supported pirates, and possibly eventually full-on wars between countries. In that environment, the use of cyber offensive capabilities is inevitable.”
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, the research arm of the anti-malware company, said, “The most surprising aspect of this strategy is that the government, having listened to the concerns from all levels of government and society, will be transparent in discussion of their cyber offensive measures.”
“The one thing that needs to be considered, however, is that while there may be a lot of information, from a high level, about operations, we will most likely not be privy to actual tools / exploits / malware / infection means that the government will utilize against its adversaries,” Kujawa said, adding that, “At the end of the day, our involvement online goes beyond just the causal entertainment or work needs — we live our lives online, more than ever before.”
Kujawa said, “Because of this, the cyber world should be considereda theatre where operations can take place. St the same time, we might know that operations are being done in a specific country but the exact operations, on a deep and secure level, will remain secret until time has passed that the information can be discussed without potentially endangering operations or operators.”
Malwarebytes Labs malware intelligence analyst Josh Cannell added, “The new DoD cyber strategy seems to be a step in the right direction to protecting America and its assets. Since the last cyber strategy implementation by the DoD in 2011, the latest strategy is much lengthier (33 pages vs only 13 in 2011), likely because it is intended to be more transparent as stated by Defense Secretary Ash Carter.”
But, “While Carter states the DoD hopes to use transparency in an effort to deter enemies of the United States, it’s likely the goal of transparency also exists to help rebuild trust in United States intelligence agencies following NSA document leaks that raised a lot of eyebrows,” Cannell said.
“Additionally,” Cannell said, “it’s also true that malware has advanced since 2011, as the DoD has also noted. Threats like Cryptolocker, malware that could bring an entire network to its knees, didn’t exist at the time, and organizations like the DoD need to revise their strategy to make sure they’re prepared for whatever happens over the next five years.”
“The Pentagon’s cybersecurity strategy makes explicit a long-known truth: there are substantial investments in cyber attack technology being made by governments and criminal organizations with deep pockets,” said Steve Hultquist, chief evangelist at RedSeal. “Organizations with a wide range of target objectives focus their efforts across the spectrum of connected infrastructures, using a wide range of automation and social engineering to attack. The only defense for this reality is to recognize the threat, use automation to overcome the inherent complexity of the enterprise infrastructure, and get ahead of potential attacks by being aware of all potential attack paths before they are ever used.”
“Cyberattacks are on the rise and the stakes are high. With the rapidly changing landscape, it is great to see the Pentagon release a new cyber security strategy, especially with our nation and economy at risk,” commented Eric Chiu, president & founder of HyTrust, a cloud control company. “We are fighting an invisible enemy that is usually already on the inside and is highly motivated to steal our secrets, intellectual property and private data or cause destruction. Looking at the major breaches over the last 18 months including Anthem, Target, Home Depot, Sony and Snowden, every company and government agency should take notice.”
DOD created a new website about its new cyber strategy. It can be viewed here:
