Why DoD's Current Approach to Cyber Won't Work

By Tom Muehleisen, CISSP and LTC (R) (11A/30A/53A)
tomm@mill-iron-security.com

Because we don't build forts to protect soldiers... we don't build planes to leave them on the tarmac... we don't build ships that stay in port. But, in cyber? Guess what? Yup, we are primarily concerned with preserving our ability to achieve effects in the "real" domains: land, sea and air. Very 20th Century (and not in a good way).

Back in 2010, when DoD was really trying hard to wrap its brain around this "cyber" thing, I was a very junior member of a discussion in the other Washington. Dr. Paul Stockton was onstage discussing what the Office of the Secretary of Defense thought about the topic and what initiatives they had in place to begin defining this emerging domain of war. Questions were solicited. Softballs were tossed up. And, because I had to... I approached the microphone and asked a question, with this lead-in, "Sir, our constitution tells us to 'Provide for the COMMON Defense', each of our domains provides for the COMMON defense by achieving effects within that domain, and others, that are of benefit to our interests and detrimental to our adversary's interests. Our internal maintenance, security and administrative aspects are assumed as implied tasks, supporting our main task of going places and breaking things in support of our country's interests. So, WHY, as we begin our discussion are we focused on 'Protect the GIG!'?" (Global Information Grid - precursor to the DoDIN)

He threw out a pound of sand and tap-danced for a bit and I was not satisfied with his answer. And, frankly, my leadership was not satisfied with my question. One person said, "Dang, Tom! Why don't you say what you REALLY think?" Yeah, well, to quote Ron White, "I have the RIGHT to remain silent... but lack the ability." (Note: Do not take this as a slam on Dr. Stockton, he's brilliant. I just didn't like his answer.)

But, echoes of that interchange continued over the next 5 years, culminating in the DoD's cyber strategy document (April 2015). Here's a fact sheet: https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Department_of_Defense_Cyber_Strategy_Fact_Sheet.pdf

Go ahead and take a read. I'll wait... (no, really scan the doc, if you have not already read it)

Okay, you're back and still reading, so let me share my thoughts on the 3 priorities. Good start, wrong order.

Here's another quick read (you may have seen this before): “We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”

So, "provide for the common defence." Right there in the Preamble. Like someone thought it was important or something. Maybe a priority?

Now, look back at the DoD Cyber Strategy:
1. BUILD AND MAINTAIN READY FORCES AND CAPABILITIES TO CONDUCT CYBERSPACE OPERATIONS
2. DEFEND THE DOD INFORMATION NETWORK, SECURE DOD DATA, AND MITIGATE RISKS TO DOD MISSIONS
3. BE PREPARED TO DEFEND THE U.S. HOMELAND AND U.S. VITAL INTERESTS FROM DISRUPTIVE OR DESTRUCTIVE CYBERATTACKS OF SIGNIFICANT CONSEQUENCE

Which priority is "common defence?" Yup... third.

It wasn't even in the earlier versions I saw.

Maybe it should be #1? Maybe #2 could go away? Yes, protecting your ability to do a thing is important, but I would say it was more of a job requirement (i.e. "maintain your capability, General/Admiral, or I will replace you with someone who can" kind of thing). But, even if we keep it, it must go last.

But, Tom, you are just arguing order.

No, I'm not. I'm making a point about priorities and decision-making. I'm saying that words mean things. If we start with the problem statement and work backward to solutions and/or strategies, I would argue that the current primary and secondary strategies are merely enabling operations in support of what should be the rally cry of, "be prepared to defend the US Homeland and/or US vital interests..."

Yes, we should protect our networks. Yes, we should have forces that cover the entire range of missions: attack, defend, exploit.

But, the reason we do ANY of this is for COMMON defense. Stop navel-gazing. Be expeditionary. Think inside a larger box.

Like the one you live in, here in the "Homeland."