SlideShare a Scribd company logo
1 of 8
Download to read offline
AY 2014-2015
US Cyber Strategy for 2030: A Direction
LT COL SCOTT A. DICKSON
USAF
SEMINAR 19
The Dwight D. Eisenhower School
for National Security and Resource Strategy
National Defense University
Fort McNair, Washington, D.C. 20319-5062
The views expressed in this paper are those of the author and do not reflect
the official policy or position of the National Defense University,
the Department of Defense or the U.S. Government.
Lt Col Dickson/ES/DSR/856-220-3899/6 Oct 14
BULLET BACKGROUND PAPER
ON
US CYBERSECURITY STRATEGY FOR CY2030
PURPOSE
Explain DoD’s comprehensive 2030 US Cybersecurity Strategy to US strategic leaders
CONCERNS
- Pres Obama’s EO 13636: “one of the most serious national security challenges”
- Gen Dempsey’s 2014 QDR: “we will not innovate quickly enough or deeply enough to be prepared for
the future for the world we will face two decades from now”
- Hard to define; Cyber is “of, relating to, or involving computers or computer networks (as the Internet)”
- Unique properties: both a domain and a means, both tangible and non-tangible aspects, & no substitute
- As a Domain
-- Man-made; “Man can actually change this geography, and anything that happens there actually creates
a change in someone’s physical space” (Gen (ret) Michael Hayden, USAF)
-- Strengths are also its weaknesses, hence exploitable
--- Highly Connected: Interconnected nodes spanning across the entire world
--- Easily Accessible: Reachable from any computer or mobile device
--- Few Boundaries: Built with minimal restrictions to expedite information flow
--- Predictable: Possible pathways configured by humans, real-time selected by computers
--- Layered: Complex computer applications executing on operating systems and firmware
--- Digitized: All information stored in a common format, easily manipulated and transmitted
-- As a Means
--- Anonymously conducted via protection software like TOR, a US Navy-developed program
--- Five categories of Attack1
---- Consumption of computer resources: bandwidth, memory, disk space, processor time
3
---- Disruption of configuration information, such as routing information
---- Disruption of state information, such as unsolicited resetting of TCP sessions
---- Disruption of physical network components
---- Obstructing communication media between intended users and victim
--- Focused on disrupting, denying, or destroying capability or communications
---- Trojan malware: static programs hidden on computers and activated to disrupt
---- Botnets: automated programs hidden on computers facilitating other actions
---- Distributed Denial of Service (DDoS): consuming bandwidth to preclude other’s use
---- Permanent Denial of Service (PDoS): overwriting firmware to render hardware useless
--- Cyber-espionage considered a non-DoD attack category
ACTORS
- “The number of mobile-connected devices will exceed the world’s population by 2014.”2
- US Domestic Actors: include US Government agencies, NGOs, industry, and citizens
-- Primary Govt Agencies include:
--- DoD: responsible for coordinating cyber attack capabilities
--- DHS: mandated by EO 13636 to lead US cyber threat identification efforts
--- US Attorney General: mandated by EO 13636 to support cyber threat identification efforts
--- DNI: mandated by EO 13636 to support cyber threat identification efforts
--- Commerce: mandated by EO 13636 to reduce cyber risk to critical infrastructure
--- NSA: responsible for increasing US cyber situational awareness
--- FBI: Domestic prosecution of cyber crime
--- DoJ: Prosecution of cyber crime and offenses
- External Actors:
-- Cyber Anonymity allows an actor to act like any other actor
-- Three main types:
4
--- Organized crime groups: primarily threatening financial services sector, expanding scope
--- State sponsors: Interested in pilfering data, intellectual property, research and development data
from manufacturers, government agencies, and defense contractors
--- Terrorist groups: Use network to disrupt or harm nation’s critical infrastructure
CURRENT ENVIRONMENT
- Congress
--- Introduced S.733, Cybersecurity Act of 2009, 24 Mar 2010, Not Enacted
--- Introduced S.2105, Cybersecurity Act of 2012, 15 Feb 2012, Not Enacted
--- Introduced S.1353, Cybersecurity Act of 2013, 24 Jul 2013, Not Enacted
--- Introduced H.R.624, Cyber Intelligence Sharing and Protection Act
Passed House on 18 Apr 2013, Refered in Senate to Select Committee on Intelligence
--- Introduced S.2588, Cybersecurity Information Sharing Act (CISA) on 10 Jul 20143
---- Develop process for classified and declassified cyber threat indicators, to share in real time
with private entities; non-federal govt agencies; or state, tribal, or local govts
---- Permits private entities to monitor and operate countermeasures to prevent or mitigate
cybersecurity threats or security vulnerabilities on own information systems (IS) and, with
written consent, the IS of other entities and federal entities
---- Authorizes entities to monitor information stored on, processed by, or transiting such
monitored systems
---- Current Status: Senate has not considered or voted on CISA
- President
-- Signed Executive Order 13636 on 12 Feb 2013, established US cyber interests
-- “To enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber
environment that encourages: efficiency, innovation, and economic prosperity while promoting
safety, security, business confidentiality, privacy, and civil liberties”
5
INTERESTS
- Due to the overlap between external actors in the interest analysis table below, a strategy which
addresses Terrorist Groups’ interests should address all external actors
United States Organized Crime State Sponsors Terrorist Groups
Verifiable Access to
Information
Unimpeded Access
to Information
Verifiable Access to
Information
Unimpeded Access to
Information
Intellectual Property
Rights
Intellectual Property
Exploitation
Depends on State
Intellectual Property
Exploitation
Data Protection Data Exploitation Data Protection Data Exploitation
Non-repudiation Anonymity Non-repudiation Anonymity
Efficient
Infrastructure
Efficient
Infrastructure
Efficient
Infrastructure
Inefficient/
Ineffective infrastructure
Economic Growth Economic Growth Economic Growth Economic Regression
Note: Dark/Red shading denotes external interests counter to US interests
CY2030 SCENARIO DRIVERS
- Active Anti-US Terrorist Groups & Global Polarity selected as primary drivers affecting cyber scenarios
- Relevant drivers listed in below table, secondary drivers set as scenario building assumptions
Note: Non-selected drivers are scenario assumptions; colored text = assumed values for scenarios
Drivers Outcome #1 Outcome #2 Uncertainty
Active Anti-US Terrorist Groups Eradicated Exist High
Global Polarity Dominant US Multi-Polar Med
Persistant Cybermonitoring Technology Developed Non-Developed Med
US Economic Type Manufacturing Knowledge Low
Privacy/Civil Liberties Concerns None Preventative Low
Cyber Sovereignty None Server-based Low
SCENARIOS
- Based on Active Anti-US Terrorist Groups & Global Polarity drivers, four potential 2030 scenarios exist
- A DoD 2030 cyberstrategy should also hedge against an
-- DHS Sec, 24 Jan 2013, "We shouldn't wait until there is a 9/11 in the cyber world. There are things we
can and should be doing right now that, if not prevent, would mitigate the extent of damage“
-- Similar to Jul 2014 cyber attacks on Israel where Hamas hacked or targeted:
--- Half a million smartphones, sending texts of false chemical attacks
--- Systems controlling vital Israeli infrastructure, including Israel Electric Co power
desalination plants, traffic lights, and railroads and other transportation systems
--- Israel's banking system, including Bank of Israel, one of the country’s largest banks
--- Thousands of largely unprotected civilian websi
--- Israel's Foreign Affairs and Defense Ministries, Air Force, the office of the president, the Knesset,
the Israel Police, and the government's official jobs portal
US Terrorist Groups & Global Polarity drivers, four potential 2030 scenarios exist
A DoD 2030 cyberstrategy should also hedge against an exogenous Cyber 9/11 scenario
"We shouldn't wait until there is a 9/11 in the cyber world. There are things we
can and should be doing right now that, if not prevent, would mitigate the extent of damage“
Similar to Jul 2014 cyber attacks on Israel where Hamas hacked or targeted:
Half a million smartphones, sending texts of false chemical attacks
Systems controlling vital Israeli infrastructure, including Israel Electric Co power
desalination plants, traffic lights, and railroads and other transportation systems
Israel's banking system, including Bank of Israel, one of the country’s largest banks
Thousands of largely unprotected civilian websites via DDoS attacks
Israel's Foreign Affairs and Defense Ministries, Air Force, the office of the president, the Knesset,
the Israel Police, and the government's official jobs portal
6
US Terrorist Groups & Global Polarity drivers, four potential 2030 scenarios exist
exogenous Cyber 9/11 scenario
"We shouldn't wait until there is a 9/11 in the cyber world. There are things we
can and should be doing right now that, if not prevent, would mitigate the extent of damage“
Systems controlling vital Israeli infrastructure, including Israel Electric Co power stations, water
Israel's banking system, including Bank of Israel, one of the country’s largest banks
Israel's Foreign Affairs and Defense Ministries, Air Force, the office of the president, the Knesset,
7
ACTIONS
- Based on CY2030 & exogenous scenarios, below table lists recommended DoD shaping/hedging actions
Type Priority Action
Shaping High Establish a Cybersecurity Enforcement Coalition
Shaping High Partner w/DoS to develop a Cybersecurity Code of Conduct (or Treaty) to
Define Acceptable Cyber Behavior and Enforcement Responsibilities
Shaping High Continue to Minimize Anti-US Terrorist Groups (in progress)
Shaping High Invest and Implement Persistent Cyber Situational Awareness/Monitoring
Technology
Shaping Med Develop a Layered Cyber Defense Strategy to Defend National Security
Data (in progress)
Shaping Med Implement Public Policy Restricting Use of Anonymity Software within
United States
Shaping Low Implement Public Policy Requiring Minimum Cyber Protection
Mechanisms for US Businesses (in progress)
Shaping Low Continue Cyber Protection Education Efforts with the Public, National
Security Professionals and US Companies (in progress)
Hedging High Maintain Resilient and Redundant Storage of Critical National Security
Data
Hedging High Develop Robust Cyber Attack Capabilities
Hedging High Develop and Maintain Capability to Operate in a Degraded Cyber
Environment
Hedging Med Implement Public Policy requiring Manual or Isolated Networked
Capability of Critical National Energy Capabilities
Hedging Med Create Emergency Isolation Plan and Develop Necessary Capabilities to
Implement
Hedging Med Partner with DoS and DHS to Build Positive US Public Opinion Behind
Required US Privacy and Monitoring Policies
RECOMMENDATIONS
- Implement shaping and hedging actions to protect DoD’s cyber capabilities as a force multiplier
- Support CISA passage within Congress
- Continue DoD’s compliance actions as dictated by President’s EO 13636
8
END NOTES
1
“Denial of Service Attacks”. Accessed on 6 Oct 2014. http://en.wikipedia.org/wiki/Denial-of-service_attack.
2
Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018. Accessed on 23 Sep
2014. http://www.cisco.com/c/en//solutions/collateral/service-provider/visual-networking-index-
vni/white_paper_c11-520862.html
3
Feinstein. S.2588. Accessed on 29 Sep 2014, https://www.congress.gov/bill/113th-congress/senate-bill/2588

More Related Content

What's hot

Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )Sameer Paradia
 
Cyberdefense strategy - Boston Global Forum - 2017
Cyberdefense strategy - Boston Global Forum - 2017Cyberdefense strategy - Boston Global Forum - 2017
Cyberdefense strategy - Boston Global Forum - 2017NgocHaBui1
 
2015 Cyber Security Strategy
2015 Cyber Security Strategy 2015 Cyber Security Strategy
2015 Cyber Security Strategy Mohit Kumar
 
The Role Of Technology In Modern Terrorism
The Role Of Technology In Modern TerrorismThe Role Of Technology In Modern Terrorism
The Role Of Technology In Modern TerrorismPierluigi Paganini
 
Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Chuck Brooks
 
Clt3328fisk
Clt3328fiskClt3328fisk
Clt3328fiskJulesroa
 
Self defence & Cyber Terrorism
Self defence & Cyber Terrorism Self defence & Cyber Terrorism
Self defence & Cyber Terrorism Pranav Gupta
 
Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015
Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015
Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015Mark Raduenzel
 
CWFI Presentation Version 1
CWFI   Presentation Version 1CWFI   Presentation Version 1
CWFI Presentation Version 1Brett L. Scott
 
Computers as weapons of war
Computers as weapons of warComputers as weapons of war
Computers as weapons of warMark Johnson
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationMark Johnson
 
Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)
Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)
Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)Esam Abulkhirat
 
Bashar H. Malkawi, The Forum on National Security Law
Bashar H. Malkawi, The Forum on National Security LawBashar H. Malkawi, The Forum on National Security Law
Bashar H. Malkawi, The Forum on National Security LawBashar H. Malkawi
 
Privacy in the Information Age
Privacy in the Information AgePrivacy in the Information Age
Privacy in the Information AgeJordan Peacock
 
Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]Jordan Peacock
 
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
Hacking Municipal Government  Best Practices for Protection of  Sensitive Loc...Hacking Municipal Government  Best Practices for Protection of  Sensitive Loc...
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...Ben Griffith
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonEljay Robertson
 
Cyberwar and Geopolitics
Cyberwar and GeopoliticsCyberwar and Geopolitics
Cyberwar and Geopoliticstnwac
 
The Security Implications of Foreign Hardware & Software February 2019
The Security Implications of Foreign Hardware & Software  February 2019The Security Implications of Foreign Hardware & Software  February 2019
The Security Implications of Foreign Hardware & Software February 2019ChadCogan
 

What's hot (20)

Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )
 
Cyberdefense strategy - Boston Global Forum - 2017
Cyberdefense strategy - Boston Global Forum - 2017Cyberdefense strategy - Boston Global Forum - 2017
Cyberdefense strategy - Boston Global Forum - 2017
 
2015 Cyber Security Strategy
2015 Cyber Security Strategy 2015 Cyber Security Strategy
2015 Cyber Security Strategy
 
The Role Of Technology In Modern Terrorism
The Role Of Technology In Modern TerrorismThe Role Of Technology In Modern Terrorism
The Role Of Technology In Modern Terrorism
 
Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...
 
Clt3328fisk
Clt3328fiskClt3328fisk
Clt3328fisk
 
Self defence & Cyber Terrorism
Self defence & Cyber Terrorism Self defence & Cyber Terrorism
Self defence & Cyber Terrorism
 
Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015
Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015
Raduenzel_Mark_FinalAssignment_NSEC506_Fall2015
 
CWFI Presentation Version 1
CWFI   Presentation Version 1CWFI   Presentation Version 1
CWFI Presentation Version 1
 
Computers as weapons of war
Computers as weapons of warComputers as weapons of war
Computers as weapons of war
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through Cooperation
 
Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)
Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)
Cybersecurity Awareness- Libya' 1st Cybersecurity Days Conference (CDC)
 
Bashar H. Malkawi, The Forum on National Security Law
Bashar H. Malkawi, The Forum on National Security LawBashar H. Malkawi, The Forum on National Security Law
Bashar H. Malkawi, The Forum on National Security Law
 
Privacy in the Information Age
Privacy in the Information AgePrivacy in the Information Age
Privacy in the Information Age
 
Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]Privacy in the Information Age [Q3 2015 version]
Privacy in the Information Age [Q3 2015 version]
 
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
Hacking Municipal Government  Best Practices for Protection of  Sensitive Loc...Hacking Municipal Government  Best Practices for Protection of  Sensitive Loc...
Hacking Municipal Government Best Practices for Protection of Sensitive Loc...
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay Robertson
 
Cyberwar and Geopolitics
Cyberwar and GeopoliticsCyberwar and Geopolitics
Cyberwar and Geopolitics
 
The Security Implications of Foreign Hardware & Software February 2019
The Security Implications of Foreign Hardware & Software  February 2019The Security Implications of Foreign Hardware & Software  February 2019
The Security Implications of Foreign Hardware & Software February 2019
 
RESEARCH PAPER
RESEARCH PAPERRESEARCH PAPER
RESEARCH PAPER
 

Viewers also liked

Resourcing the US 2030 Cyber Strategy
Resourcing the US 2030 Cyber StrategyResourcing the US 2030 Cyber Strategy
Resourcing the US 2030 Cyber StrategyScott Dickson
 
Presentación socialización...
Presentación socialización...Presentación socialización...
Presentación socialización...GabrielaAssefC
 
Prezentatsia patriotichne vikhovannya
Prezentatsia patriotichne vikhovannyaPrezentatsia patriotichne vikhovannya
Prezentatsia patriotichne vikhovannyanvk-zosh7
 
A08 12116 Downey 02-10-08 A
A08 12116 Downey 02-10-08 AA08 12116 Downey 02-10-08 A
A08 12116 Downey 02-10-08 ADonnie Estrada
 
Lactancia materna en el prematuro
Lactancia materna en el prematuro Lactancia materna en el prematuro
Lactancia materna en el prematuro jessnavaipn
 
Introducción a la computación
Introducción a la computación Introducción a la computación
Introducción a la computación Adriana Vargas
 
Kelly Resume - April 2016
Kelly Resume - April 2016Kelly Resume - April 2016
Kelly Resume - April 2016Kelly Reynolds
 
TRABAJO PRACTICO: APRENDIZAJE UBICUO
TRABAJO PRACTICO: APRENDIZAJE UBICUOTRABAJO PRACTICO: APRENDIZAJE UBICUO
TRABAJO PRACTICO: APRENDIZAJE UBICUOIrma Robledo
 
Curso de competencias t.i.c.s.
Curso de competencias                     t.i.c.s.Curso de competencias                     t.i.c.s.
Curso de competencias t.i.c.s.sharon verderber
 
Osos de peluches (1)
Osos de peluches (1)Osos de peluches (1)
Osos de peluches (1)gabriela_04
 
قانون البناء الموحد
قانون البناء الموحدقانون البناء الموحد
قانون البناء الموحدahmed elsaid
 
Prezentatsia1 2
Prezentatsia1 2Prezentatsia1 2
Prezentatsia1 2nvk-zosh7
 
Prezentatsia1
Prezentatsia1Prezentatsia1
Prezentatsia1nvk-zosh7
 
Proyecto emisora escolar
Proyecto emisora escolarProyecto emisora escolar
Proyecto emisora escolardayanaguti11
 
أعمال التاكسيات
أعمال التاكسياتأعمال التاكسيات
أعمال التاكسياتahmed elsaid
 
Everyone Active Profile
Everyone Active ProfileEveryone Active Profile
Everyone Active Profileleroy phillips
 

Viewers also liked (20)

Resourcing the US 2030 Cyber Strategy
Resourcing the US 2030 Cyber StrategyResourcing the US 2030 Cyber Strategy
Resourcing the US 2030 Cyber Strategy
 
Presentación socialización...
Presentación socialización...Presentación socialización...
Presentación socialización...
 
Prezentatsia patriotichne vikhovannya
Prezentatsia patriotichne vikhovannyaPrezentatsia patriotichne vikhovannya
Prezentatsia patriotichne vikhovannya
 
Introducción a la informática
Introducción a la informáticaIntroducción a la informática
Introducción a la informática
 
A08 12116 Downey 02-10-08 A
A08 12116 Downey 02-10-08 AA08 12116 Downey 02-10-08 A
A08 12116 Downey 02-10-08 A
 
Lactancia materna en el prematuro
Lactancia materna en el prematuro Lactancia materna en el prematuro
Lactancia materna en el prematuro
 
Introducción a la computación
Introducción a la computación Introducción a la computación
Introducción a la computación
 
Kelly Resume - April 2016
Kelly Resume - April 2016Kelly Resume - April 2016
Kelly Resume - April 2016
 
Nvk seminar
Nvk seminarNvk seminar
Nvk seminar
 
TRABAJO PRACTICO: APRENDIZAJE UBICUO
TRABAJO PRACTICO: APRENDIZAJE UBICUOTRABAJO PRACTICO: APRENDIZAJE UBICUO
TRABAJO PRACTICO: APRENDIZAJE UBICUO
 
Análise guernica 001
Análise guernica 001Análise guernica 001
Análise guernica 001
 
Curso de competencias t.i.c.s.
Curso de competencias                     t.i.c.s.Curso de competencias                     t.i.c.s.
Curso de competencias t.i.c.s.
 
Osos de peluches (1)
Osos de peluches (1)Osos de peluches (1)
Osos de peluches (1)
 
SU2C Project
SU2C Project SU2C Project
SU2C Project
 
قانون البناء الموحد
قانون البناء الموحدقانون البناء الموحد
قانون البناء الموحد
 
Prezentatsia1 2
Prezentatsia1 2Prezentatsia1 2
Prezentatsia1 2
 
Prezentatsia1
Prezentatsia1Prezentatsia1
Prezentatsia1
 
Proyecto emisora escolar
Proyecto emisora escolarProyecto emisora escolar
Proyecto emisora escolar
 
أعمال التاكسيات
أعمال التاكسياتأعمال التاكسيات
أعمال التاكسيات
 
Everyone Active Profile
Everyone Active ProfileEveryone Active Profile
Everyone Active Profile
 

Similar to A US Cybersecurity Strategy for 2030

Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ssMaira Asif
 
Cyber(in)security: systemic risks and responses
Cyber(in)security: systemic risks and responsesCyber(in)security: systemic risks and responses
Cyber(in)security: systemic risks and responsesblogzilla
 
Systemic cybersecurity risk
Systemic cybersecurity riskSystemic cybersecurity risk
Systemic cybersecurity riskblogzilla
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...David Sweigert
 
Cyber security-in-india-present-status
Cyber security-in-india-present-statusCyber security-in-india-present-status
Cyber security-in-india-present-statusRama Reddy
 
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docxReview DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docxronak56
 
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3Asad Zaman
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...Cybersecurity Education and Research Centre
 
Cybersecurity and its impact on your commercial real estate portfolio
Cybersecurity and its impact on your commercial real estate portfolioCybersecurity and its impact on your commercial real estate portfolio
Cybersecurity and its impact on your commercial real estate portfolioJLL
 
Vision By 2023, the Departme.docx
Vision  By 2023, the Departme.docxVision  By 2023, the Departme.docx
Vision By 2023, the Departme.docxjessiehampson
 
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...Fas (Feisal) Mosleh
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYTalwant Singh
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidPhil Agcaoili
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposedNumaan Huq
 
Francesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityFrancesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityAndrea Rossetti
 
Cyber Security Conference - Rethinking cyber-threat
Cyber Security Conference - Rethinking cyber-threatCyber Security Conference - Rethinking cyber-threat
Cyber Security Conference - Rethinking cyber-threatMicrosoft
 

Similar to A US Cybersecurity Strategy for 2030 (20)

28658043 cyber-terrorism
28658043 cyber-terrorism28658043 cyber-terrorism
28658043 cyber-terrorism
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ss
 
Cyber(in)security: systemic risks and responses
Cyber(in)security: systemic risks and responsesCyber(in)security: systemic risks and responses
Cyber(in)security: systemic risks and responses
 
Systemic cybersecurity risk
Systemic cybersecurity riskSystemic cybersecurity risk
Systemic cybersecurity risk
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
 
Cyber security-in-india-present-status
Cyber security-in-india-present-statusCyber security-in-india-present-status
Cyber security-in-india-present-status
 
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docxReview DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
Review DNI WTAs for 2015 and 2016 (see attached). Compare and con.docx
 
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
 
Cybersecurity and its impact on your commercial real estate portfolio
Cybersecurity and its impact on your commercial real estate portfolioCybersecurity and its impact on your commercial real estate portfolio
Cybersecurity and its impact on your commercial real estate portfolio
 
Vision By 2023, the Departme.docx
Vision  By 2023, the Departme.docxVision  By 2023, the Departme.docx
Vision By 2023, the Departme.docx
 
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
 
Cyber-what?
Cyber-what?Cyber-what?
Cyber-what?
 
ISIS Cyber Terrorism Analysis
ISIS Cyber Terrorism AnalysisISIS Cyber Terrorism Analysis
ISIS Cyber Terrorism Analysis
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposed
 
Francesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber securityFrancesca Bosco, Le nuove sfide della cyber security
Francesca Bosco, Le nuove sfide della cyber security
 
Terrorist Cyber Attacks
Terrorist Cyber AttacksTerrorist Cyber Attacks
Terrorist Cyber Attacks
 
Cyber Security Conference - Rethinking cyber-threat
Cyber Security Conference - Rethinking cyber-threatCyber Security Conference - Rethinking cyber-threat
Cyber Security Conference - Rethinking cyber-threat
 

A US Cybersecurity Strategy for 2030

  • 1. AY 2014-2015 US Cyber Strategy for 2030: A Direction LT COL SCOTT A. DICKSON USAF SEMINAR 19 The Dwight D. Eisenhower School for National Security and Resource Strategy National Defense University Fort McNair, Washington, D.C. 20319-5062 The views expressed in this paper are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense or the U.S. Government.
  • 2. Lt Col Dickson/ES/DSR/856-220-3899/6 Oct 14 BULLET BACKGROUND PAPER ON US CYBERSECURITY STRATEGY FOR CY2030 PURPOSE Explain DoD’s comprehensive 2030 US Cybersecurity Strategy to US strategic leaders CONCERNS - Pres Obama’s EO 13636: “one of the most serious national security challenges” - Gen Dempsey’s 2014 QDR: “we will not innovate quickly enough or deeply enough to be prepared for the future for the world we will face two decades from now” - Hard to define; Cyber is “of, relating to, or involving computers or computer networks (as the Internet)” - Unique properties: both a domain and a means, both tangible and non-tangible aspects, & no substitute - As a Domain -- Man-made; “Man can actually change this geography, and anything that happens there actually creates a change in someone’s physical space” (Gen (ret) Michael Hayden, USAF) -- Strengths are also its weaknesses, hence exploitable --- Highly Connected: Interconnected nodes spanning across the entire world --- Easily Accessible: Reachable from any computer or mobile device --- Few Boundaries: Built with minimal restrictions to expedite information flow --- Predictable: Possible pathways configured by humans, real-time selected by computers --- Layered: Complex computer applications executing on operating systems and firmware --- Digitized: All information stored in a common format, easily manipulated and transmitted -- As a Means --- Anonymously conducted via protection software like TOR, a US Navy-developed program --- Five categories of Attack1 ---- Consumption of computer resources: bandwidth, memory, disk space, processor time
  • 3. 3 ---- Disruption of configuration information, such as routing information ---- Disruption of state information, such as unsolicited resetting of TCP sessions ---- Disruption of physical network components ---- Obstructing communication media between intended users and victim --- Focused on disrupting, denying, or destroying capability or communications ---- Trojan malware: static programs hidden on computers and activated to disrupt ---- Botnets: automated programs hidden on computers facilitating other actions ---- Distributed Denial of Service (DDoS): consuming bandwidth to preclude other’s use ---- Permanent Denial of Service (PDoS): overwriting firmware to render hardware useless --- Cyber-espionage considered a non-DoD attack category ACTORS - “The number of mobile-connected devices will exceed the world’s population by 2014.”2 - US Domestic Actors: include US Government agencies, NGOs, industry, and citizens -- Primary Govt Agencies include: --- DoD: responsible for coordinating cyber attack capabilities --- DHS: mandated by EO 13636 to lead US cyber threat identification efforts --- US Attorney General: mandated by EO 13636 to support cyber threat identification efforts --- DNI: mandated by EO 13636 to support cyber threat identification efforts --- Commerce: mandated by EO 13636 to reduce cyber risk to critical infrastructure --- NSA: responsible for increasing US cyber situational awareness --- FBI: Domestic prosecution of cyber crime --- DoJ: Prosecution of cyber crime and offenses - External Actors: -- Cyber Anonymity allows an actor to act like any other actor -- Three main types:
  • 4. 4 --- Organized crime groups: primarily threatening financial services sector, expanding scope --- State sponsors: Interested in pilfering data, intellectual property, research and development data from manufacturers, government agencies, and defense contractors --- Terrorist groups: Use network to disrupt or harm nation’s critical infrastructure CURRENT ENVIRONMENT - Congress --- Introduced S.733, Cybersecurity Act of 2009, 24 Mar 2010, Not Enacted --- Introduced S.2105, Cybersecurity Act of 2012, 15 Feb 2012, Not Enacted --- Introduced S.1353, Cybersecurity Act of 2013, 24 Jul 2013, Not Enacted --- Introduced H.R.624, Cyber Intelligence Sharing and Protection Act Passed House on 18 Apr 2013, Refered in Senate to Select Committee on Intelligence --- Introduced S.2588, Cybersecurity Information Sharing Act (CISA) on 10 Jul 20143 ---- Develop process for classified and declassified cyber threat indicators, to share in real time with private entities; non-federal govt agencies; or state, tribal, or local govts ---- Permits private entities to monitor and operate countermeasures to prevent or mitigate cybersecurity threats or security vulnerabilities on own information systems (IS) and, with written consent, the IS of other entities and federal entities ---- Authorizes entities to monitor information stored on, processed by, or transiting such monitored systems ---- Current Status: Senate has not considered or voted on CISA - President -- Signed Executive Order 13636 on 12 Feb 2013, established US cyber interests -- “To enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages: efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
  • 5. 5 INTERESTS - Due to the overlap between external actors in the interest analysis table below, a strategy which addresses Terrorist Groups’ interests should address all external actors United States Organized Crime State Sponsors Terrorist Groups Verifiable Access to Information Unimpeded Access to Information Verifiable Access to Information Unimpeded Access to Information Intellectual Property Rights Intellectual Property Exploitation Depends on State Intellectual Property Exploitation Data Protection Data Exploitation Data Protection Data Exploitation Non-repudiation Anonymity Non-repudiation Anonymity Efficient Infrastructure Efficient Infrastructure Efficient Infrastructure Inefficient/ Ineffective infrastructure Economic Growth Economic Growth Economic Growth Economic Regression Note: Dark/Red shading denotes external interests counter to US interests CY2030 SCENARIO DRIVERS - Active Anti-US Terrorist Groups & Global Polarity selected as primary drivers affecting cyber scenarios - Relevant drivers listed in below table, secondary drivers set as scenario building assumptions Note: Non-selected drivers are scenario assumptions; colored text = assumed values for scenarios Drivers Outcome #1 Outcome #2 Uncertainty Active Anti-US Terrorist Groups Eradicated Exist High Global Polarity Dominant US Multi-Polar Med Persistant Cybermonitoring Technology Developed Non-Developed Med US Economic Type Manufacturing Knowledge Low Privacy/Civil Liberties Concerns None Preventative Low Cyber Sovereignty None Server-based Low
  • 6. SCENARIOS - Based on Active Anti-US Terrorist Groups & Global Polarity drivers, four potential 2030 scenarios exist - A DoD 2030 cyberstrategy should also hedge against an -- DHS Sec, 24 Jan 2013, "We shouldn't wait until there is a 9/11 in the cyber world. There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage“ -- Similar to Jul 2014 cyber attacks on Israel where Hamas hacked or targeted: --- Half a million smartphones, sending texts of false chemical attacks --- Systems controlling vital Israeli infrastructure, including Israel Electric Co power desalination plants, traffic lights, and railroads and other transportation systems --- Israel's banking system, including Bank of Israel, one of the country’s largest banks --- Thousands of largely unprotected civilian websi --- Israel's Foreign Affairs and Defense Ministries, Air Force, the office of the president, the Knesset, the Israel Police, and the government's official jobs portal US Terrorist Groups & Global Polarity drivers, four potential 2030 scenarios exist A DoD 2030 cyberstrategy should also hedge against an exogenous Cyber 9/11 scenario "We shouldn't wait until there is a 9/11 in the cyber world. There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage“ Similar to Jul 2014 cyber attacks on Israel where Hamas hacked or targeted: Half a million smartphones, sending texts of false chemical attacks Systems controlling vital Israeli infrastructure, including Israel Electric Co power desalination plants, traffic lights, and railroads and other transportation systems Israel's banking system, including Bank of Israel, one of the country’s largest banks Thousands of largely unprotected civilian websites via DDoS attacks Israel's Foreign Affairs and Defense Ministries, Air Force, the office of the president, the Knesset, the Israel Police, and the government's official jobs portal 6 US Terrorist Groups & Global Polarity drivers, four potential 2030 scenarios exist exogenous Cyber 9/11 scenario "We shouldn't wait until there is a 9/11 in the cyber world. There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage“ Systems controlling vital Israeli infrastructure, including Israel Electric Co power stations, water Israel's banking system, including Bank of Israel, one of the country’s largest banks Israel's Foreign Affairs and Defense Ministries, Air Force, the office of the president, the Knesset,
  • 7. 7 ACTIONS - Based on CY2030 & exogenous scenarios, below table lists recommended DoD shaping/hedging actions Type Priority Action Shaping High Establish a Cybersecurity Enforcement Coalition Shaping High Partner w/DoS to develop a Cybersecurity Code of Conduct (or Treaty) to Define Acceptable Cyber Behavior and Enforcement Responsibilities Shaping High Continue to Minimize Anti-US Terrorist Groups (in progress) Shaping High Invest and Implement Persistent Cyber Situational Awareness/Monitoring Technology Shaping Med Develop a Layered Cyber Defense Strategy to Defend National Security Data (in progress) Shaping Med Implement Public Policy Restricting Use of Anonymity Software within United States Shaping Low Implement Public Policy Requiring Minimum Cyber Protection Mechanisms for US Businesses (in progress) Shaping Low Continue Cyber Protection Education Efforts with the Public, National Security Professionals and US Companies (in progress) Hedging High Maintain Resilient and Redundant Storage of Critical National Security Data Hedging High Develop Robust Cyber Attack Capabilities Hedging High Develop and Maintain Capability to Operate in a Degraded Cyber Environment Hedging Med Implement Public Policy requiring Manual or Isolated Networked Capability of Critical National Energy Capabilities Hedging Med Create Emergency Isolation Plan and Develop Necessary Capabilities to Implement Hedging Med Partner with DoS and DHS to Build Positive US Public Opinion Behind Required US Privacy and Monitoring Policies RECOMMENDATIONS - Implement shaping and hedging actions to protect DoD’s cyber capabilities as a force multiplier - Support CISA passage within Congress - Continue DoD’s compliance actions as dictated by President’s EO 13636
  • 8. 8 END NOTES 1 “Denial of Service Attacks”. Accessed on 6 Oct 2014. http://en.wikipedia.org/wiki/Denial-of-service_attack. 2 Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018. Accessed on 23 Sep 2014. http://www.cisco.com/c/en//solutions/collateral/service-provider/visual-networking-index- vni/white_paper_c11-520862.html 3 Feinstein. S.2588. Accessed on 29 Sep 2014, https://www.congress.gov/bill/113th-congress/senate-bill/2588