ALGORITHMIC WARFARE CYBER
Analysts Laud New Federal Cyber Strategies
With high-tech adversaries increasingly targeting U.S. government networks, two recently released cybersecurity strategies are a step in the right direction, experts have said.
The National Cyber Strategy and a summary of the Defense Department’s Cyber Strategy were both released in September. The documents provided high-level objectives for the Pentagon and other federal agencies to better wrap their arms around cybersecurity issues.
In the National Cyber Strategy — the first of its kind in 15 years — President Donald Trump said the document explains how his administration plans to defend the homeland; protect American prosperity; deter and punish malicious actors; and expand American influence abroad to push for an “open, interoperable, reliable and secure internet.”
Protecting space assets is also a focus of the document.
The Pentagon’s strategy clearly laid out that its main focus is on cyber threats from peer adversaries, though North Korea and Iran also pose risks.
“We are engaged in a long-term strategic competition with China and Russia,” the document said. “These states have expanded that competition to include persistent campaigns in and through cyberspace that pose long-term strategic risk to the nation as well as to our allies and partners.”
China, for example, is “eroding U.S. military overmatch and is persistently exfiltrating sensitive information from the U.S. public and private sector.”
Russia, on the other hand, is using cyber-enabled information operations to influence the U.S. population and challenge its democratic processes, the strategy said.
“Globally, the scope and pace of malicious cyber activity continue to rise,” the document said. “The United States’ growing dependence on the cyberspace domain for nearly every essential civilian and military function makes this an urgent and unacceptable risk to the nation.”
The main objectives of the Pentagon’s strategy are to ensure the joint force can achieve its mission in a contested cyberspace environment, strengthen the joint force by conducting cyberspace operations that enhance U.S. military advantages, defend U.S. critical infrastructure from malicious cyber activity, secure Pentagon information systems, and expand the Defense Department’s cyber cooperation with interagency, industry and international partners.
The strategy came out just a few weeks before the Government Accountability Office released a new report, “Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities,” that said the Defense Department still faced issues tackling these problems.
“Although GAO and others have warned of cyber risks for decades, until recently, DoD did not prioritize weapon systems cybersecurity,” the report said.
Experts said both new government strategies are a positive step toward addressing these challenges.
Gary Shiffman, CEO of Giant Oak, an Arlington, Virginia-based software company and a professor at Georgetown University, said the release of this guidance is overdue.
“If anything, we’re late in getting there in the sense that technology always moves faster than policy,” he said. “Technology evolves at a very quick pace, and policy … never anticipates [it] and is always trying to catch up.”
In order to make real change, however, programmatic activities and budget adjustments need to follow, he noted.
“At the national level, these kinds of high-level documents provide the top cover for the rest of government to follow in terms of … their future year planning and budgeting,” he said.
Daniel Charles, CEO and co-founder of Charles Bernard Ventures and a cybersecurity fellow at New America, a Washington, D.C.-based think tank, said the strategies laid out key initiatives.
“In both the National Cyber Strategy [and] in the DoD Cyber Strategy, they’re taking important steps,” he said. “They’re introducing some new things.”
The Pentagon is prioritizing international collaboration which will be critical to tackling future issues, he noted. That “is something new that has been talked about quietly but hasn’t really ever come out in the light,” he added.
In the strategy, the Defense Department said many of the United States’ allies and partners already have advanced cyber capabilities that complement its own. The Pentagon plans “to strengthen the capacity of these allies and partners and increase DoD’s ability to leverage its partners’ unique skills, resources, capabilities and perspectives,” the document said.
It also plans to reinforce norms of responsible state behavior in cyberspace during peace time, the strategy said. The United States has already endorsed the work done by the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, or UNGGE, to develop a framework of responsible behavior.
Another important area of emphasis is increased accountability among contractors, Charles said. The Pentagon noted that it will hold both Defense Department personnel and private sector partners accountable for their cybersecurity practices and choices.
“That’s clearly a response to things like [the Office of Personnel Management breach] … and a number of the other vulnerabilities that have been introduced, because contractors have not had their systems maintained in a way that is best for the protection of federal networks,” Charles added.
Calvin Nobles, a cybersecurity fellow at New America, said the government will need to be mindful about making iterative changes to the strategies as time goes on.
“The cyberspace domain is changing as we talk right now,” he said during an interview. It is “hard to capture everything because we’re shooting at a moving target.”