The Department of Defense’s release last week of its upgraded cyber strategy understandably drew attention for its focus on the threats from China and Russia in a re-emerging, artificial intelligence-fueled great power competition reminiscent of the Cold War.
The Cyber Strategy 2018 promotes a “defend forward” approach to protecting U.S. networks, economic interests, and infrastructure against an onslaught of cyberattacks from foreign entities, “particularly China and Russia,” while continuing to integrate cyber operations into the Joint Forces’ fifth operational domain of warfare. “We must assertively defend our interests in cyberspace below the level of armed conflict and ensure the readiness of our cyberspace operators to support the Joint Force in crisis and conflict,” Deputy Secretary Patrick Shanahan said in unveiling the strategy.
The strategy’s five key objectives address the need to engage in a contested cyberspace, protect DoD networks and U.S. critical infrastructure, enhance the cyber capabilities of the Joint Forces, and work with allies and other partners on cyber cooperation. But in addition to the bigger picture of potential cyber conflicts, some of the most essential elements of DoD security show up further down in the report, under the comparatively mundane heading of Reform the Department.
First on that list is incorporating cyber awareness into DoD institutional culture. The Pentagon wants cyber fluent people at every level, educated about the cyberspace domain, and able to “incorporate that knowledge into their day-to-day activities.” The strategy also says that the department will hold DoD personnel and contractors accountable for their cyber activities as a way to reduce DoD’s attack surface.
This can be a difficult step for any organization. Despite awareness training and a workforce that, like the public at large, is increasingly aware of online capabilities and cyber threats, users still remain the weak link in the security chain. By falling for phishing or other tactics, users can inadvertently open a network up to malware and hacking attempts. The Pentagon has addressed this with programs involving both leadership and the rank and file.
The Defense Information Systems Agency (DISA) late last year added the Cyber Awareness Challenge 2018 to its catalog of online training for DoD and Intelligence Community employees. The challenge, mandatory for members of the military services, is the most recent addition to DISA’s Information Assurance Support Environment, joining other courses such as Phishing Awareness and Social Networking. It gives users first-person simulations and mini-game challenges that emulate decisions DoD employees must make every day, including encounters with spyware, malicious code, phishing, identity theft, insider threats, and what to do when they come across classified or sensitive documents on the internet.
Aside from the potential threat from unwitting or malicious users, a new take on cyber weaknesses is that it really starts at the top. Users’ practices are only as secure as their environment, which depends on leadership and the usability of their systems (and executives are spear-phished, too). DoD, like the rest of the Federal government, has made cyber awareness a condition for the brass as well. The strategy points out that leaders need to be fully versed in the implications of cyber activity and how it can be used to gain a strategic or tactical advantage.
Chief information security officers also are becoming a bigger cog in Federal operations. The Federal CISO Council, which includes DoD, was formed two years ago and recently issued a CISO Handbook to guide efforts at improving security throughout an organization. Federal CISO Grant Schneider also serves as senior director for cybersecurity for the National Security Council.
DoD’s refreshed cyber strategy is an attempt to bring its approach to cyber operations up to date. The great power competition with China and Russia may be the biggest part of that, but protecting the full range of operations and educating personnel at every level also is essential.