Is It Time to Overhaul Your Enterprise Security Strategy?
Dan Lohrmann
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
Around the world, cyberdefense policies and strategies are rapidly evolving. Is now the time for the public and private sectors to adapt and change as well? Here are some options.
The U.S. Navy released a new 5-year strategy in July that plans to use the service’s networks as a warfighting platform.
The new strategic plan is available online here, and it includes many new changes in direction. In the foreword to the document, T.J. White, Vice Admiral, United States Navy Commander, U.S. Fleet Cyber Command / U.S. TENTH Fleet, wrote these words:
“In this ever-changing technology ecosystem, we struggle to protect information, knowledge, intellectual property, national security and sovereignty. Across the Navy, many now grasp the severity of the situation. We need an ‘all hands’ response to make changes necessary to prevail in great power competition. GPC is too dynamic for any strategic plan to remain static. Future commanders must adapt or revise as necessary to meet the challenges that will emerge on their watch. We are a maritime nation whose vital interests are firmly tied to the sea. With our colleagues in the Marine Corps and Coast Guard we must safeguard those interests against the challenges of our strategic competitors.
The fundamental purpose of Strategic Plan 2020-2025 is to show ‘We Get It,’ we have a plan to deal with it, and one that can foster unity across the Command to achieve its strategic goals and vision.”
As highlighted by C4ISRNET.com, the plan tweaks the five goals outlined in the previous strategic plan 2015-2020. They include:
- Operating the network as a warfighting platform: Following several high profile network breaches, the Navy must tighten the screws on its IT. Fleet Cyber is responsible for operating, maintaining and defending the network and as part of that, service leaders recognize they must “fight hurt” when networks are strained. They are also working to establish greater cyber situational awareness across the service and reduce the intrusion attack surface.
- Conducting fleet cryptologic warfare: Fleet Cyber published its cryptologic cyber warfare vision in 2019. As part of the new strategy, command officials said they will seek to expand and enhance capabilities in distributed signals intelligence as part of its contribution to Distributed Maritime Operations.
- Delivering warfighting capabilities and effects: Fleet Cyber wants to expand how it delivers effects on the battlefield to include accelerating and synchronizing information warfare capabilities across Maritime Operations Centers, advancing integration of cyber effects into Navy and Marine Corps concepts and creating tactical cyber teams along with a maritime fires cell to provide expertise across the fleet for delivering cyber effects.
- Accelerate Navy’s cyber forces: Fleet Cyber needs to develop a plan to meet increased demand, both for its joint force requirements through U.S. Cyber Command and Navy specific requirements. Leaders are also looking to mature organizational structures and command and control relationships between various cyber entities that control forces across the globe such as Joint Forces Headquarters–DoDIN, Joint Force Headquarters–Cyber and Cyber Operations–Integrated Planning Elements. Moreover, with the additional importance of the space domain, Fleet Cyber will look to exploit the increasing convergence between space, cyberspace and electromagnetic spectrum.
- Establish and Mature Navy Space Command: The document states that Fleet Cyber’s goal is to “maintain maritime superiority from the sea floor to space with a core emphasis on lethality, readiness and capacity,” and so officials must re-focus to provide the best space integration possible as the service component to Space Command.
And the U.S. Navy is only one military service that is adapting to the new normal regarding cybersecurity in the 21st century. Last year, the U.S. Air Force released plans for cyber warfare over the next ten years. However, unlike this Navy plan, that plan was not released to the public, with a few overview exceptions.
Federal News Radio reported that the Air Force plan addresses human capital, just as the navy plan does. Advanced training is one top theme.
“The plan starts with human capital,” said Brig. Gen. Bradley Pyburn, Air Force director of cyberspace operations and warfighter communications. “We have to be able to recruit, retain and develop talent in this battle space.”
Other areas of importance include accelerating emerging technologies, coming up with low cost options for defensive cyber operations, expanding offensive cyber capabilities and providing resilient communications. The other lines of effort focus on emerging technologies and readiness.
If you are looking for a primer on these topics, this Air Force University paper, written in 2017, does a very good job laying out definitions and basic legal concepts regarding cyber deterrence and cyber war strategies.
Meanwhile, the army is also focusing on the cyber workforce and developing new cyber capabilities. One recent article on the army workforce said it this way:
“Over the next several years, the Army plans to recode thousands of positions and reskill and upskill the people who currently hold them via a new project called Quantum Leap. Although the Army’s broader people strategy is meant to address the entire talent management lifecycle, including acquiring new talent, Quantum Leap is specifically focused on the 15,000 people who are already part of the cyber and IT management workforce. …
The Army is deliberately using the word “reskill,” rather than “recertify.” Officials said formal IT certification programs will still play a role in the future IT and cyber workforce, but the Army is more interested in real-world skills. So one of Quantum Leap’s first steps will be to try to get a better handle on what skills its employees already have that might be unknown to the Army, or are underutilized.”
The U.S. Department of Defense (DoD) has also made other changes to cyber operations and cyber policy over the past few years, as articulated here.
Hack-and-Leak Operations and U.S. Cyber Policy
Meanwhile, WarontheRocks.com reports examples of growing “hack-and-leak operations where malicious actors use cyber tools to gain access to sensitive or secret material and then release it in the public domain. Hack-and-leak operations pose difficult questions for scholars and policymakers on how best to conceptualize and respond to this new frontier in digital foreign interference. Scholars need to take hack-and-leak operations seriously as a challenge to theoretical understandings of the boundary between legitimate and impermissible political practice. But hack-and-leak operations are also an urgent policy challenge for both offensive and defensive cyber security policies as U.S. government agencies receive greater latitude to conduct such operations around the world. …”
Of course, civilian agencies and private companies are not legally permitted to conduct offensive operations, even as the U.S. military has ramped up offensive capabilities.
This blog has covered the U.S. national strategy of cyber strength through offensive operations, as well as the question of whether companies should be able to “hack back” or use “active defense” against cyber attackers. As I wrote in 2017:
“I expect to see additional steps taken to legalize hacking back in the coming years, with certain constraints and regulations applied. We may even see the development of formal licenses and/or certifications guiding who can hack back and when — just as marijuana use was initially authorized only for medical uses, when prescribed by a physician. Whether "hack back practices" expand beyond this (as marijuana use has done in some states) will depend upon a wide variety of factors — including initial results.
In this regard, I expect to see (by 2020) more public-private partnerships to ensure that any “authorized” or “legalized” hacking back is done in “safe” ways. We will probably see law enforcement organizations, who often lack the needed technical expertise to fight hackers, decide to “deputize” certain private-sector experts to help fight cybercrime under supervision."
State and Local Governments Need Cyber Strategies
So with the military redeveloping and/or refining their cyber policy and strategies, should state and local governments and private sector companies be doing the same?
My answer is yes, and as a top priority NOW - as we head into 2021 and life after the pandemic.
As I have shared in earlier blogs, developing flexible cyber strategies should be a central part of every state and local government technology and security team's culture. Building this into the way you do business is similar to how emergency management groups plan for dealing with a tornado, flood or other natural disaster. Also, teams need to practice and constantly improve incident response - which must be included in the plan.
In Michigan, we developed at least six unique cybersecurity strategies between 2002 and 2015, and several of those plans and best practices are outlined here by FEMA. The Michigan Cyber Initiative of 2011 and 2015 became national models, and major sub-projects such as the Michigan Cyber Range, Michigan Cyber Civilian Corps, Michigan Cyber Disruption Response Plan, Michigan Cyber Summit Series (which later became the North America International Cyber Summit), the Michigan approach to statewide tabletop exercises and several other cybersecurity projects are still being studied and emulated all over the world.
Many of these cyber efforts had multiple versions in Michigan and were redone every 3-4 years. Nevertheless, none of this would have happened without leadership, planning and execution against the plan. Other technology and cybersecurity plans go back a decade earlier to the 2002 timeframe. My point is that this needs to be a part of your culture – in the same way that the military always plans to plan and refreshes their strategies to maintain their role as global leaders. This planning also enables continual budget line items and needed growth as cyberthreats change.
Not only do these cyber topics impact groups like our National Guard and state military reserve units, many of the same tactics and cyberattacks seen by the military defending our country are faced by businesses and local governments every day. The distinction between military and civilian cyberattacks is becoming more blurry every day.
The hack-and-leak examples listed above impacted domestic politics in the United Kingdom, and similar issues are faced in the U.S. now. The National Conference of State Legislatures (NCSL) issued this brief report on federal and state cybersecurity enhancement efforts last year.
A few more recent examples of states that have released new cybersecurity plans include this Virginia cybersecurity plan, Georgia’s unique efforts in developing a Cyber Center for cybersecurity and the cybersecurity strategy developed by Illinois.
Final Thoughts - Getting Closer to Home
These disinformation campaigns and new cyberattack vectors online impact every one of us. When I posted some of the referenced military cyber plan articles online over the past week, here were a few of the responses:
“Thanks Dan Lohrmann for posting. My what a ‘web’ we have woven in the cyber world. The criminal element has jumped into the places where many aren’t looking and seems bent on monetizing many areas where the average person/government/country is not watching. I pray that we can keep up with dispelling the misinformation and disinformation that they produce.” Bonnie Sult, Manager Legal Shield ID Theft Protection
“Thanks for posting Dan Lohrmann. Cyber-espionage is the practice of misinforming, dis-informing, and misdirecting attention for the purpose of causing confusion and poor decision making on the part of an adversary. The practice was actually derived from studies of the methods of magicians which were/are formulated as well-planned operations hundreds/thousands of years ago, and according to the Director of the FBI represent the "greatest transfer of wealth in human history." The problem is not just "hacking and theft;" it is a much larger concern, imo. One observation might well be that while these operations were traditionally the domain of national governments, and they still are, they are also becoming part of the trade-craft of criminal elements of society targeted at governments, industries, and individuals. I think it is time to pay attention and better understand; I think for everyone, but even more-so for cyber security experts. See: https://securitytrails.com/blog/cyber-espionage” Joseph Costantini – Cyber Subject Matter Expert (SME) HTA Technology Security Consulting
I agree with both of them, and the many other comments that suggest we all need to be formally planning for the future of Internet security – just as the military is doing now.
See the original blog at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/as-military-cyber-policies-change-should-others-do-the-same.html
Comment (4 years ago): The answer is "yes" for most of the organizations I've spoken with recently.