SlideShare a Scribd company logo
1 of 12
Download to read offline
AY 2014-2015
Resourcing the US 2030 Cyber Strategy
LT COL SCOTT A. DICKSON
USAF
SEMINAR 19
The Dwight D. Eisenhower School
for National Security and Resource Strategy
National Defense University
Fort McNair, Washington, D.C. 20319-5062
The views expressed in this paper are those of the author and do not reflect
the official policy or position of the National Defense University,
the Department of Defense or the U.S. Government.
“The end cannot justify the means, for the simple and obvious reason that the means employed
determine the nature of the ends produced.” - Aldous Huxley
Strategists must caution themselves against using any and all means necessary to accomplish an
end simply due to the importance of the goal. Pursuers should consider the context of the chase, less
more damage and cost result than saved from capturing the conquest. President Obama’s Executive
Order 13636 left no doubt on the Executive Branch’s commitment to a US cyber strategy. However,
Congress’s four failed attempts to pass a Cybersecurity Act indicate unclear direction on the context: how
and whether to fund a strategy. With America’s national security dependence on cyber and contracting
defense budgets, a positive review of the cyber strategy’s means, i.e “what will likely happen”, will
highlight potential resourcing challenges and risks in the strategy and help justify the expense of the
means against the pursuit of the ends.
Strategy Summarized
Cyber threats vary; from state actors using cyber as an asymmetric attack, organized networks
conducting cyber crime, or non-state actors threatening cyber Armageddon, all exploit the highly
connected, easily accessible, predictable, layered, and digitized nature of the internet. For the first time,
the Chinese People’s Liberation Army (PLA) published a document in the summer of 2014 detailing their
cyber and network warfare forces and their division of labor across formal operational attack and defense
units, PLA authorized forces, and external non-governmental forces.1
While not revealing a cyber
strategy, this document highlighted China’s dedicated cyber manpower resources and their intent to
develop a cyber capability to achieve their strategy. In May 2014, the US publicly indicted five People’s
Liberation Army officers serving in a cyber unit responsible for stealing trade secrets in the shipping,
aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors over
the past seven years. Despite denying the claim, the incident cements China’s credibility in using cyber
as a means to pursue its desired ends while also publicly signaling the US’s inability to deter its use.
The proposed US cyber strategy represents a multi-layered strategy to build defensive cyber
infrastructure capabilities and deterrence-producing offensive capabilities to promote a future globally-
collaborative cyber environment within the FY2030 timeframe (see Table 1). Effective deterrence
depends on credible capability, reliable signaling, and perception of intent. In this strategy, credible
capability is displayed through adequate monitoring technology and development of robust cyber attack
capabilities. Reliable signaling is available through the creation of a cyber coalition, enforcement options
detailed within the cyber standards agreement, and step-wise implementation of an emergency isolation
plan. Perception of intent rests on shaping enemies opinions in regards to leaderships’ future actions in
actual cyber incidents. Enemies must believe their interests are equally at risk if they implement a cyber
attack on the US or its allies. All cyber attacks should be dealt with proportionally and not in an escalated
manner. Like current US missile defense and nuclear response exercises, visible exercises, such as Cyber
Flag 15-1, will demonstrate US resolve. Also, demonstrating future capability to manually isolate
networks involving critical national assets demonstrates our ability to operate in a degraded cyber
environment and will weaken a state actor’s perception of a cyber attack’s influence.
Primarily, the proposed actions leverage the possibility of non-state actors and cyber criminals to
disrupt the cyber domain as a crystallizing agent to solidify a multi-polar coalition of state actors to
enforce appropriate cyber behavior. Mutual economic dependence on cyber acts as an incentive for
coalition members to not attack each other. The incentive’s effectiveness will depend on how competitive
or collaborative the future is and the depth of economic interdependence, i.e. sanctions against one may
cause harm to others. The coalition will focus these deterrence actions on all actors outside the coalition.
To achieve the strategy, the US must resource the ways and means in Table 1; the list is not
exhaustive, representing only the primary means. While industry has begun initial cyber protection
efforts and should be leveraged, funding will be challenging, particularly considering the specified
impacts to the military-industrial complex (MIC). These simplified impacts, either additive, neutral, or
substractive, indicate the likely MIC assessment to their economic bottom line of instituting each mean.
Despite the scope of this paper preventing a full analysis explanation, some broad generalities do apply.
The extent of the subtractive means will depend on the US government’s willingness to subsidize the
effort. While the neutral means are not intended to overly constrain industries’ freedom of action, actual
implementation may drive a more subtractive assessment. From a priority perspective, the coalition,
Ways Means
Budget
Category
MIC
Impact
Establish a Cybersecurity
Enforcement Coalition focused on
securing Cyber for global prosperity
- Create “Cyber Partners for Prosperity” (CPfP)
like NATO’s Partnership for Peace prgm
- Encourage NATO/ITU mbrs to join CPfP
Force
Structure
Additive
Partner w/DoS to develop a
Strategic Partnership Agreement to
Define Acceptable Cyber Behavior
and Enforcement Responsibilities
- Use NATO allies and ITU mbrs who signed
agreement to enforce acceptable cyber behavior Force
Structure
Neutral
Continue to Minimize Anti-US
Terrorist Groups
- Continued Funding for War on Terror
- Congressional Approval of AUMF
Readiness Additive
Implement Persistent Cyber
Situational Awareness/Monitoring
Technology to support Attribution
- Funding for Cyber Monitoring program
- Funding for Cyber Awareness program Modernize Additive
Leverage w/ Industry to Develop
Layered Cyber Defense Strategy to
Defend Critical US Data and Assets
- Data Security Standards
- Certified Data Protection Algorithms
- ID of Critical Nat’l Security Data/Assets
Modernize Subtractive
Implement Public Policy
Restricting Use of Anonymity
Software within United States
- Create OSD Cybersecurity Division to
coordinate all policy and strategy efforts
Force
Structure
Additive
Implement Public Policy Requiring
Minimum Cyber Protection
Mechanisms for US Businesses
- Create OSD Cybersecurity Division to
coordinate all policy and strategy efforts
Force
Structure
Subtractive
Continue Cyber Protection
Education Efforts with the Public,
National Security Professionals and
US Companies
- Create OSD Cybersecurity Division to
coordinate all policy and strategy efforts
- Cyberprotection Curriculum
Force
Structure,
Readiness
Neutral
Maintain Resilient and Redundant
Storage of Critical National
Security Data
- Data Security Standards
- Certified Data Protection Algorithms Modernize Subtractive
Develop Robust Cyber Attack
Capabilities
- Funding for Cyber Attack development &
education to DoD (national) & DoJ (domestic)
Modernize Additive
Develop and Maintain Capability to
Operate in a Degraded Cyber
Environment
- Update to cyber acquisition standards
- Funding to modernize req’d & unprotected
assets
Modernize Additive
Implement Public Policy requiring
Manual or Isolated Networked
Capability of Critical National
Assets
- Funding/strategy to modify critical energy
assets (energy, financial, space, water, etc.)
- Map of critical assets and their network
Modernize Subtractive
Create Emergency Isolation Plan
and Develop Necessary Capabilities
- Map energy assets to req’d nat’l security assets
- Funding of pgrm to modify req’d assets
Modernize Neutral
Partner w/ DoS, DoJ, & DHS to
Build Positive US Public Opinion
Behind Required US Privacy and
Monitoring Policies
- US Privacy Policies
- US Monitoring Policies
N/A Neutral
Table 1: US 2030 Cyber Strategy: Ways, Means, Categories and Military-Industrial Complex (MIC) Impact
monitoring and encryption technology, monitoring and data security policies, and identification of critical
national assets represent the strategy’s lifeblood.
Resourcing of each mean draws from an associated major budget category (Modernize, Force
Structure, and Readiness) as listed in Table 1 and should be accurately reflected in any Programming,
Planning, Budget, and Execution activities. As a new and emerging national security concern, the
strategy relies heavily on Modernization efforts, i.e. acquisition dollars, rather than Force Structure, i.e.
personnel, or Readiness, i.e. operations and maintenance dollars. More importantly, each mean requires a
certain level of acquiring products and services, coordinating support from the military-industrial
complex, and/or partnering with national and global allies. A survey of each resourcing method to fulfill
these means and their impact on the associated budget category will highlight inherent challenges facing
the implementation of the strategy.
Acquiring and Sustaining
For fifty percent of the strategy’s ways, the US must modernize by acquiring new cyber products
or services, running the gamut from developing DoD cyber attack capabilities to providing relevant
government agencies with cyber awareness and cyber monitoring tools to improving cyber robustness in
existing government infrastructure technology. To ensure expeditious resourcing of the strategy’s means,
the DoD needs to carefully consider whether to source a product or service, lead-turn needed cyber
documentation in the JCIDS process, and/or enlist combatant commander assistance to shorten the long
lead times of the Defense Acquisition System. Predicting each choice’s likely outcome will allow US
policy makers to use a positive approach to mitigate strategy obstacles and reduce enactment delay.
Initially, policy makers need to determine whether a product or service best fulfills the purpose,
responsiveness, and persistence of each mean. Product solutions deliver permanent government-owned
capabilities to the warfighter’s specification, yet require longer requirement definition and development
timelines and an associated long-term sustainment costs. For service solutions, the government relies on
industry to develop, own, and manage the capability and sustainment while preserving the ability to
terminate the capability rapidly. With the US’ national dependence on cyber, an investment in permanent
product solutions for cyber attack, cyber awareness, cyber monitoring, and critical infrastructure
protection seems appropriate. On the other hand, for standards’ creation, enforcement, and cyber
protection certification, a service solution allows the government to rapidly generate initial capability and
quickly disband the capability as needed.
Procuring product solutions will require strategic navigation of the JCIDS process and the Joint
Requirements Oversight Council, since CJCSI 5123F charges the JROC, among other duties, with
reviewing “the estimated level of resources required in the fulfillment of each joint military requirement
and ensuring the total cost of such resources is consistent with the level of priority”2
Unfortunately,
except for Information Assurance considerations and requirements established by the Clinger-Cohen
Compliance Act, the JCIDS process does not yet include cyber requirements to provide the JROC
sufficient information to weigh the benefit of the product against its total costs. The lack of this relevant
information will ultimately slow down the approval of cyber products. To weigh the current cyber
strategy products and any future products against priorities, the JCIDS process will need to eventually
consider cyber requirements similar to those listed in Table 2. For example, the creation of cyber metrics
JCIDS Improvement
Implement a “Cyber” KPP, raising the importance of Cyber to the appropriate level
Require a Cyber Defense Strategy as a 5000.2 requirement to be submitted at the MS A decision and
updated at each recurring MS decision
Require a program’s System Engineering Plan explain how the design process verifies Cyber Defense
Require each program’s Life Cycle Sustainment Plan to explain how Cyber Defense will be
maintained and certified through the program’s sustainment phase
Institute a IOT&E requirement, similar to Live Fire Testing, which requires Cyber Penetration Red-
Teaming on all software and hardware programs.
Define the extent of a program’s planned Cyber Penetration Red-Teaming approved in the TEMP
Institute a set of cyber metrics which will be defined as part of each Cyber program’s Cyber Defense
Strategy and updated annually in DAMIR
Table 2: JCIDS Process Improvements for Cyber
as part of each product’s Cyber Defense Strategy will allow policy makers to assess the DoD’s overall
cyber readiness. Possible metrics include: Cyber Resiliency (the probability of continued mission
operation after a cyber attack), Cyber Sustainability (the number of identified cyber vulnerabilities in the
Software Supply Chain), Cyber Vulnerability (the number of “questionable” suppliers in the hardware
supply chain), and Cyber Detection (the probability of detecting a cyber attack against a system).
Consideration will need to be given to metrics duplicated in the Clinger-Cohen Compliance Act. By
choosing to address these requirements upfront in initial cyber product documentation, the JROC and its
associated staffs should expedite approval of cyber product acquisition and challenge DoD acquisition
professionals to add these requirements to future versions of DODI 5000.2 to ensure all future cyber
products conform to the DoD’s cyber strategy.
Additionally, the Defense Acquisition System (DAS) has historically delivered products late,
over-cost, and at decreased performance. In 2008, the Government Accountability Office reviewed 96
DoD programs against original estimates and concluded 42 percent cost growth in research and
development, 25% growth in Total Acquisition Cost, and a 22-month average schedule delay.3
The
milestone-driven schedule of the DAS conflicts with the calendar-driven schedule of the Programming,
Planning, Budgeting, and Execution (PPB&E) process yielding some of these delays. Other delays result
from a focus on “procedures dominating production, equity ruling over efficiency, and top executives as
short timers”4
With a pressing national need for a cyber strategy, cyber strategists will enlist combatant
commanders to designate cyber products as Urgent Operational Needs (UON), routing these products’
approval through the Warfighter Senior Integration Group (SIG) for eventual fielding within a 2-year
timeline.5
Since UONs are intended only for products requiring minimal development to meet the short
2-yr timeline, some products will need to utilize the more robust JCIDS process. Further, with the US’
enduring dependence on cyber in the digital age, the DoD should consider the historical sustainability of
products developed via the UON process vice the JCIDS, i.e. the abandonment of Mine-Resistant
Ambush Vehicles due to a lack of sustainment capabilities. By strategically considering the best path
through the DAS, adequate cyber documentation for the JCIDS process, and the right balance of products
and services, DoD policy makers will adopt a more positive approach to acquiring cyber means.
Coordinating
To resource the cyber strategy, DoD policy makers will need to coordinate through all elements
of the iron triangle: the interagency executive bureaucracy, industry and its associated interest groups, and
the legislative Congress. Efforts for coordinating acquisition products and services will differ from other
policy measures, such as developing cyber standards of behavior with the DoS, building public opinion
on privacy and monitoring, or establishing minimum protection mechanisms with industry. However,
each coordination effort shares similar challenges in solidifying the iron triangle support around the cyber
strategy. Specifically, DoD policymakers must overcome rent seeking industrialists, “bootlegger and
baptist” congressional members, and the principal-agent problem inherent in the Executive branch to
realize the cyber strategy.
In the zero-sum nature of the interagency environment, a new strategy must contend with impacts
from the fundamental principal-agent problem where the agent, due to competing internal interests, may
not accurately represent the principal’s interests. Initially, even if no conflicts exist, the perception from
the principal-agent problem casts doubt on the true motivation of the strategy, potentially hindering
coordination. Eventually, once the strategy gains leadership acceptance and process momentum, ulterior
interests may develop, perpetuating the principal-agent problem anew. While the President’s EO 13636
solidified importance and ownership of different cyber aspects across the interagency, each agency will
interpret the President’s interests differently for its own benefit, potentially creating conflicting interests
and priorities. For example, DoJ and DHS may seek tighter cyber standards and enforcement authority
for their mission accomplishment while the DoS may desire lighter standards and enforcement to ease
diplomacy. Across the Executive branch, DoD strategic leaders will need to combat these principal-
agent dynamics, leveraging each internal agency’s self interests, as appropriate, to enact the strategy.
To tighten the triangle with the Legislative branch, DoD strategic leaders will need to identify
supporting “bootleggers and baptists” within Congress, primarily to secure funding from congressional
appropriators and enact policy support from authorizers. Failed attempts at a Cybersecurity Act
demonstrate a lack of congressional majority on cyber issues, which heightens the importance of this
coordination on successful implementation of the strategy. Despite the intent of the selfish bootleggers
or the righteous baptists, the national importance of cyber defense may form common ground between
camps and draw others to the bandwagon. With cyber attacks on Sony Pictures Entertainment over the
film “The Interview” and multiple versions of ransomware rampant over the past six months6
, US public
awareness of cyber attacks has never been higher. Voter awareness and concern should resonate
positively with congressional members.
Energizing industry to support the cyber strategy could prove to be the most challenging of iron
triangle hurdles as most of the means require industry investment. The development of cyber products or
services will appeal to the rent seeking nature of industry, providing another revenue stream to the MIC.
At the same time, with the perception of cyber governance as a public good, industry may resist providing
internal investment to meet nationally-mandated cyber protection standards or upgrade critical
infrastructure. Hopefully, “whereas genuine free riding temptations pose only modest risks to cyber
security governance, weak cyber defences create significant externalities and can therefore be understood
as a global public bad. What may be required to improve this state of affairs is a future regime that
combines ‘sticks’ and ‘carrots’ and, thus, changes state incentives.”7
Cyber policies requiring companies
to conform to the new standards to maintain eligibility for government contracts may incentivize
industries which rely on large government market revenues. Ultimately, with a strategy cornerstone of
monitoring and cyber accountability, DoD leaders should expect privacy interest groups to strongly
counter any attempts to strengthen the iron triangle around the strategy. DoD policy makers will need to
ensure proper messaging and maintain constant coordination with this corner of the triangle for success.
Partnering
With the global connectedness of cyber, DoD strategic leaders must develop partners…nationally
and internationally, institutionally and individually…to succeed. To create the proposed Cyber
Enforcement Coalition, the DoD, with the DoS, must enlist help from NATO, anti-terrorism allies, and
like-minded friends within the International Telecommunication Union (ITU). Ideally, a strong coalition
contains both industrial and international partners, providing economic and geopolitical benefits through
dialogue to its members. For nations without obvious reasons for partnership, the US could provide
access to cyber security assistance programs, offering cyber protection capability in exchange for support.
If implemented, US policy makers must set proper export control boundaries to incentivize international
and industrial support while protecting the technological advantages on which the strategy rests.
Besides traditional institutions like the ITU, DoD strategic leaders need to partner with cyber
institutions with national and international presence, such as Twitter and Facebook, whose transactions
benefit from a stable and secure cyber domain. DoD leaders must emphasize accountability over
attribution less the institutions steer clear from assisting. Facebook’s recent policy regarding community
standards and terrorism demonstrates the partnerships’ possibilities. “The community standards now state
that any ‘expressions of support’ for groups involved in ‘terrorist activity’ — or even for those groups’
leaders — are prohibited. Facebook does not name the groups, though it and Twitter have been under
pressure from EU leaders and others to censor the propaganda and recruiting tools of the Islamic State in
Iraq and the Levant (ISIL).”8
Like the terrorism campaign, an aggressive and comprehensive cyber
campaign will build global unity of effort and ultimately empower institutions to directly and indirectly
influence the global cyber culture in ways the DoD could not accomplish alone.
To further resource the means, DoD strategic leaders must develop partners at the individual
level, countering micro-politics by continuing cyber protection education efforts with the public. For
example, the Air Force Association and Northrop Grumman sponsored this year’s CyberPatriot
competition, for the seventh season, where more than 2,100 student teams from across the United States,
Canada, and Defense Department dependent schools in Europe and the Pacific compete in finding and
defending cyber vulnerabilities for scholarships.9
Besides raising cyber awareness within the students,
parents, and their communities, this activity inspires youth into pursuing cyber and STEM-related degrees
and professions, improving the US cyber industry’s future innovative capability.
Conclusion
Throughout the resourcing process, active awareness of the iron triangle by DoD strategic leaders
on managing strategy coherence within the executive bureaucracy, micro-politics across US public and
interest groups, and competing interests within the Congress will eventually instill a cyber national
culture and ease resourcing of the strategy. Leading globally requires partnering widely and the
connectedness of cyber demands the US foster a global awareness. This awareness will justify the
means to the ends and ensure the means don’t change the ends in the process. While experts argue
whether the digital age began in the 1950s with transistors or the Internet in the 1990s, the inclusion of a
realistic and effective cyber strategy into the national security portfolio is years late. With sufficient
resourcing, a generation of US DoD strategic leaders, born at the digital dawn and raised by the Google
network, will innovatively and rapidly develop, acquire, and produce the means to close the gap.
1
Marc V. Schanz. “PLA Strategy Now Openly Touts Cyber Forces.” Air Force Magazine Daily Report, March 13,
2015.
2
Mary Redshaw. “Choosing Strategic Capabilities.” National Defense University, Course DSR 2-5. Slide 9.
3
GAO. “Charting a Course for Lasting Reform.” 2008. Accessed on March 18, 2015. Available at
http:www.gao.govnew.itemsd09663t.pdf.
4
Mary Redshaw. “Defense Acquisition System.” National Defense University, Course 2-10. Slide 21.
5
DoD. “Rapid Fulfillment of Combatant Commander Urgent Operational Needs.” DoD Directive 5000.71. August
24, 2012. Accessed on March 18, 2015. Available at http:www.dtic.milwhsdirectivescorrespdf500071p.pdf
6
Lucian Constantin. “Ransomware authors streamline attacks, infections rise”. February 10, 2015. Accessed on
March 19, 2015. Available at http://www.pcworld.com/article/2882532/ransomware-authors-streamline-attacks-
infections-rise.html.
7
Mischa Hansel. “Cyber Security Governance and the Theory of Public Goods”. June 27, 2013. Accessed on March
21, 2015. Available at http://www.e-ir.info/2013/06/27/cyber-security-governance-and-the-theory-of-public-
goods/.
8
Michael Pizzi. “Facebook clarifies, confuses with new content rules”. March 16, 2015. Accessed on March 19,
2015. Available at http://america.aljazeera.com/articles/2015/3/16/facebook-clarifies-confuses-with-new-content-
rules.html
9
Air Force Magazine Daily Report. “CyberPatriot VII Winners Announced.” March 17, 2015.

More Related Content

What's hot

Finland s cyber security strategy background dossier
Finland s cyber security strategy   background dossierFinland s cyber security strategy   background dossier
Finland s cyber security strategy background dossierYury Chemerkin
 
Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...
Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...
Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...Δρ. Γιώργος K. Κασάπης
 
Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?David Sweigert
 
National Incident Management System (NIM) Command and Management System
National Incident Management System (NIM) Command and Management SystemNational Incident Management System (NIM) Command and Management System
National Incident Management System (NIM) Command and Management SystemTerry Dorn, PhD candidate
 
The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...
The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...
The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...Cyber Watching
 
IE Magazine Article
IE Magazine ArticleIE Magazine Article
IE Magazine ArticleLaura Devine
 
Mass transit security awareness white paper
Mass transit security awareness white paperMass transit security awareness white paper
Mass transit security awareness white paperzcelik
 
Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)MarioEliseo3
 
CST 20363 Session 6 Cybersecurity Policy
CST 20363 Session 6 Cybersecurity PolicyCST 20363 Session 6 Cybersecurity Policy
CST 20363 Session 6 Cybersecurity Policyoudesign
 
2015 Cyber Security Strategy
2015 Cyber Security Strategy 2015 Cyber Security Strategy
2015 Cyber Security Strategy Mohit Kumar
 
Active Shooter - The New Cyber
Active Shooter - The New CyberActive Shooter - The New Cyber
Active Shooter - The New CyberCBIZ, Inc.
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence  - a path to taming digital threatsSatori Whitepaper: Threat Intelligence  - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsDean Evans
 
Useof thir aforpreparednessgrants
Useof thir aforpreparednessgrantsUseof thir aforpreparednessgrants
Useof thir aforpreparednessgrantssiupals
 
Beasley.turesday
Beasley.turesdayBeasley.turesday
Beasley.turesdaynado-web
 
Evolution terriskmod woo_journalre
Evolution terriskmod woo_journalreEvolution terriskmod woo_journalre
Evolution terriskmod woo_journalredacooil
 

What's hot (16)

Finland s cyber security strategy background dossier
Finland s cyber security strategy   background dossierFinland s cyber security strategy   background dossier
Finland s cyber security strategy background dossier
 
Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...
Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...
Supporting an Effective Cyber Insurance Market (OECD Report for the G7 Presid...
 
Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?Is 2014 the year for Cyber Militias ?
Is 2014 the year for Cyber Militias ?
 
National Incident Management System (NIM) Command and Management System
National Incident Management System (NIM) Command and Management SystemNational Incident Management System (NIM) Command and Management System
National Incident Management System (NIM) Command and Management System
 
Order 325914012
Order 325914012Order 325914012
Order 325914012
 
The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...
The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...
The impacts of cyberattacks on intangibles of firms and critical sectors, ahm...
 
IE Magazine Article
IE Magazine ArticleIE Magazine Article
IE Magazine Article
 
Mass transit security awareness white paper
Mass transit security awareness white paperMass transit security awareness white paper
Mass transit security awareness white paper
 
Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)
 
CST 20363 Session 6 Cybersecurity Policy
CST 20363 Session 6 Cybersecurity PolicyCST 20363 Session 6 Cybersecurity Policy
CST 20363 Session 6 Cybersecurity Policy
 
2015 Cyber Security Strategy
2015 Cyber Security Strategy 2015 Cyber Security Strategy
2015 Cyber Security Strategy
 
Active Shooter - The New Cyber
Active Shooter - The New CyberActive Shooter - The New Cyber
Active Shooter - The New Cyber
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence  - a path to taming digital threatsSatori Whitepaper: Threat Intelligence  - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
 
Useof thir aforpreparednessgrants
Useof thir aforpreparednessgrantsUseof thir aforpreparednessgrants
Useof thir aforpreparednessgrants
 
Beasley.turesday
Beasley.turesdayBeasley.turesday
Beasley.turesday
 
Evolution terriskmod woo_journalre
Evolution terriskmod woo_journalreEvolution terriskmod woo_journalre
Evolution terriskmod woo_journalre
 

Viewers also liked

A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030Scott Dickson
 
LABARDO Profile (V3.4-2016)
LABARDO Profile (V3.4-2016)LABARDO Profile (V3.4-2016)
LABARDO Profile (V3.4-2016)Theo Hudayanto
 
Lactancia materna en el prematuro
Lactancia materna en el prematuro Lactancia materna en el prematuro
Lactancia materna en el prematuro jessnavaipn
 
Políticas educativas internacionales
Políticas educativas internacionalesPolíticas educativas internacionales
Políticas educativas internacionaleserihk
 
Analisis propuesta Robótica I y II Ciclos
Analisis propuesta Robótica I y II CiclosAnalisis propuesta Robótica I y II Ciclos
Analisis propuesta Robótica I y II CiclosLuis Pérez
 
CSU Newsletter
CSU NewsletterCSU Newsletter
CSU NewsletterJ Ruiz
 
Acquisition of the KC-46 Pegasus
Acquisition of the KC-46 PegasusAcquisition of the KC-46 Pegasus
Acquisition of the KC-46 PegasusScott Dickson
 
Presentación curso computacion
Presentación curso computacionPresentación curso computacion
Presentación curso computacionVeronica Ratti
 
Enseñar y-aprender-con-tic.
Enseñar y-aprender-con-tic.Enseñar y-aprender-con-tic.
Enseñar y-aprender-con-tic.Lucas Silva
 
Fenómeno del niño y de la niña
Fenómeno del niño y de la niñaFenómeno del niño y de la niña
Fenómeno del niño y de la niñazilerys valderrama
 
El corazon humano
El corazon humanoEl corazon humano
El corazon humanoGabo Reigns
 
Políticas educativas internacionales
Políticas educativas internacionalesPolíticas educativas internacionales
Políticas educativas internacionaleserihk
 
Everyone Active Profile
Everyone Active ProfileEveryone Active Profile
Everyone Active Profileleroy phillips
 

Viewers also liked (20)

A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030
 
La valla
La valla La valla
La valla
 
LABARDO Profile (V3.4-2016)
LABARDO Profile (V3.4-2016)LABARDO Profile (V3.4-2016)
LABARDO Profile (V3.4-2016)
 
Lactancia materna en el prematuro
Lactancia materna en el prematuro Lactancia materna en el prematuro
Lactancia materna en el prematuro
 
1. introduccion
1. introduccion1. introduccion
1. introduccion
 
Políticas educativas internacionales
Políticas educativas internacionalesPolíticas educativas internacionales
Políticas educativas internacionales
 
Slideshare
SlideshareSlideshare
Slideshare
 
Analisis propuesta Robótica I y II Ciclos
Analisis propuesta Robótica I y II CiclosAnalisis propuesta Robótica I y II Ciclos
Analisis propuesta Robótica I y II Ciclos
 
CSU Newsletter
CSU NewsletterCSU Newsletter
CSU Newsletter
 
Acquisition of the KC-46 Pegasus
Acquisition of the KC-46 PegasusAcquisition of the KC-46 Pegasus
Acquisition of the KC-46 Pegasus
 
Presentación curso computacion
Presentación curso computacionPresentación curso computacion
Presentación curso computacion
 
Enseñar y-aprender-con-tic.
Enseñar y-aprender-con-tic.Enseñar y-aprender-con-tic.
Enseñar y-aprender-con-tic.
 
Fenómeno del niño y de la niña
Fenómeno del niño y de la niñaFenómeno del niño y de la niña
Fenómeno del niño y de la niña
 
Tpack
TpackTpack
Tpack
 
Juventude e Movimentos Sociais
Juventude e Movimentos SociaisJuventude e Movimentos Sociais
Juventude e Movimentos Sociais
 
El corazon humano
El corazon humanoEl corazon humano
El corazon humano
 
Vaccine
VaccineVaccine
Vaccine
 
Análise guernica 001
Análise guernica 001Análise guernica 001
Análise guernica 001
 
Políticas educativas internacionales
Políticas educativas internacionalesPolíticas educativas internacionales
Políticas educativas internacionales
 
Everyone Active Profile
Everyone Active ProfileEveryone Active Profile
Everyone Active Profile
 

Similar to Resourcing the US 2030 Cyber Strategy

HM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailed
HM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailedHM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailed
HM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailedSusanaFurman449
 
Cyber security-in-india-present-status
Cyber security-in-india-present-statusCyber security-in-india-present-status
Cyber security-in-india-present-statusRama Reddy
 
Global Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityGlobal Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityDominic Karunesudas
 
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Mark Raduenzel
 
INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION 2 .docx
INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION  2 .docxINITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION  2 .docx
INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION 2 .docxmaoanderton
 
D20110714cyber
D20110714cyberD20110714cyber
D20110714cybernitay123
 
Department of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in CyberspaceDepartment of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in CyberspaceDepartment of Defense
 
Guideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomyGuideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomySettapong_CyberSecurity
 
Project 4 Threat Analysis and ExploitationTranscript (backgroun.docx
Project 4 Threat Analysis and ExploitationTranscript (backgroun.docxProject 4 Threat Analysis and ExploitationTranscript (backgroun.docx
Project 4 Threat Analysis and ExploitationTranscript (backgroun.docxstilliegeorgiana
 
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docx
F e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docxF e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docx
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docxssuser454af01
 
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docx
F e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docxF e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docx
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docxmecklenburgstrelitzh
 
Improved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperationImproved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperationrrepko
 
CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document LeAnn Rhodes
 
2015_ICMSS_Institutional_Cybersecurity_s02
2015_ICMSS_Institutional_Cybersecurity_s022015_ICMSS_Institutional_Cybersecurity_s02
2015_ICMSS_Institutional_Cybersecurity_s02Government
 
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...Snarky Security
 
Case studies in cybersecurity strategies
Case studies in cybersecurity strategiesCase studies in cybersecurity strategies
Case studies in cybersecurity strategiesEyesOpen Association
 
Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...David Sweigert
 
20130917-CyberInitiativeJointLetter
20130917-CyberInitiativeJointLetter20130917-CyberInitiativeJointLetter
20130917-CyberInitiativeJointLetterDoug DePeppe, Esq.
 

Similar to Resourcing the US 2030 Cyber Strategy (20)

HM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailed
HM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailedHM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailed
HM502Unit 5 DQTopic 1 Infrastructure ProtectionA detailed
 
Cyber security-in-india-present-status
Cyber security-in-india-present-statusCyber security-in-india-present-status
Cyber security-in-india-present-status
 
Prof E Hewitt
Prof  E HewittProf  E Hewitt
Prof E Hewitt
 
Global Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityGlobal Partnership Key to Cyber Security
Global Partnership Key to Cyber Security
 
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
 
INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION 2 .docx
INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION  2 .docxINITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION  2 .docx
INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION 2 .docx
 
DoD Cyber Strategy
DoD Cyber StrategyDoD Cyber Strategy
DoD Cyber Strategy
 
D20110714cyber
D20110714cyberD20110714cyber
D20110714cyber
 
Department of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in CyberspaceDepartment of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in Cyberspace
 
Guideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomyGuideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital Economy
 
Project 4 Threat Analysis and ExploitationTranscript (backgroun.docx
Project 4 Threat Analysis and ExploitationTranscript (backgroun.docxProject 4 Threat Analysis and ExploitationTranscript (backgroun.docx
Project 4 Threat Analysis and ExploitationTranscript (backgroun.docx
 
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docx
F e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docxF e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docx
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docx
 
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docx
F e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docxF e B r U A r y  2 0 1 0      v O l .  5 3      n O .  2   .docx
F e B r U A r y 2 0 1 0 v O l . 5 3 n O . 2 .docx
 
Improved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperationImproved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperation
 
CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document
 
2015_ICMSS_Institutional_Cybersecurity_s02
2015_ICMSS_Institutional_Cybersecurity_s022015_ICMSS_Institutional_Cybersecurity_s02
2015_ICMSS_Institutional_Cybersecurity_s02
 
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...
 
Case studies in cybersecurity strategies
Case studies in cybersecurity strategiesCase studies in cybersecurity strategies
Case studies in cybersecurity strategies
 
Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...
 
20130917-CyberInitiativeJointLetter
20130917-CyberInitiativeJointLetter20130917-CyberInitiativeJointLetter
20130917-CyberInitiativeJointLetter
 

Resourcing the US 2030 Cyber Strategy

  • 1. AY 2014-2015 Resourcing the US 2030 Cyber Strategy LT COL SCOTT A. DICKSON USAF SEMINAR 19 The Dwight D. Eisenhower School for National Security and Resource Strategy National Defense University Fort McNair, Washington, D.C. 20319-5062 The views expressed in this paper are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense or the U.S. Government.
  • 2. “The end cannot justify the means, for the simple and obvious reason that the means employed determine the nature of the ends produced.” - Aldous Huxley Strategists must caution themselves against using any and all means necessary to accomplish an end simply due to the importance of the goal. Pursuers should consider the context of the chase, less more damage and cost result than saved from capturing the conquest. President Obama’s Executive Order 13636 left no doubt on the Executive Branch’s commitment to a US cyber strategy. However, Congress’s four failed attempts to pass a Cybersecurity Act indicate unclear direction on the context: how and whether to fund a strategy. With America’s national security dependence on cyber and contracting defense budgets, a positive review of the cyber strategy’s means, i.e “what will likely happen”, will highlight potential resourcing challenges and risks in the strategy and help justify the expense of the means against the pursuit of the ends. Strategy Summarized Cyber threats vary; from state actors using cyber as an asymmetric attack, organized networks conducting cyber crime, or non-state actors threatening cyber Armageddon, all exploit the highly connected, easily accessible, predictable, layered, and digitized nature of the internet. For the first time, the Chinese People’s Liberation Army (PLA) published a document in the summer of 2014 detailing their cyber and network warfare forces and their division of labor across formal operational attack and defense units, PLA authorized forces, and external non-governmental forces.1 While not revealing a cyber strategy, this document highlighted China’s dedicated cyber manpower resources and their intent to develop a cyber capability to achieve their strategy. In May 2014, the US publicly indicted five People’s Liberation Army officers serving in a cyber unit responsible for stealing trade secrets in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors over the past seven years. Despite denying the claim, the incident cements China’s credibility in using cyber as a means to pursue its desired ends while also publicly signaling the US’s inability to deter its use.
  • 3. The proposed US cyber strategy represents a multi-layered strategy to build defensive cyber infrastructure capabilities and deterrence-producing offensive capabilities to promote a future globally- collaborative cyber environment within the FY2030 timeframe (see Table 1). Effective deterrence depends on credible capability, reliable signaling, and perception of intent. In this strategy, credible capability is displayed through adequate monitoring technology and development of robust cyber attack capabilities. Reliable signaling is available through the creation of a cyber coalition, enforcement options detailed within the cyber standards agreement, and step-wise implementation of an emergency isolation plan. Perception of intent rests on shaping enemies opinions in regards to leaderships’ future actions in actual cyber incidents. Enemies must believe their interests are equally at risk if they implement a cyber attack on the US or its allies. All cyber attacks should be dealt with proportionally and not in an escalated manner. Like current US missile defense and nuclear response exercises, visible exercises, such as Cyber Flag 15-1, will demonstrate US resolve. Also, demonstrating future capability to manually isolate networks involving critical national assets demonstrates our ability to operate in a degraded cyber environment and will weaken a state actor’s perception of a cyber attack’s influence. Primarily, the proposed actions leverage the possibility of non-state actors and cyber criminals to disrupt the cyber domain as a crystallizing agent to solidify a multi-polar coalition of state actors to enforce appropriate cyber behavior. Mutual economic dependence on cyber acts as an incentive for coalition members to not attack each other. The incentive’s effectiveness will depend on how competitive or collaborative the future is and the depth of economic interdependence, i.e. sanctions against one may cause harm to others. The coalition will focus these deterrence actions on all actors outside the coalition. To achieve the strategy, the US must resource the ways and means in Table 1; the list is not exhaustive, representing only the primary means. While industry has begun initial cyber protection efforts and should be leveraged, funding will be challenging, particularly considering the specified impacts to the military-industrial complex (MIC). These simplified impacts, either additive, neutral, or substractive, indicate the likely MIC assessment to their economic bottom line of instituting each mean. Despite the scope of this paper preventing a full analysis explanation, some broad generalities do apply.
  • 4. The extent of the subtractive means will depend on the US government’s willingness to subsidize the effort. While the neutral means are not intended to overly constrain industries’ freedom of action, actual implementation may drive a more subtractive assessment. From a priority perspective, the coalition, Ways Means Budget Category MIC Impact Establish a Cybersecurity Enforcement Coalition focused on securing Cyber for global prosperity - Create “Cyber Partners for Prosperity” (CPfP) like NATO’s Partnership for Peace prgm - Encourage NATO/ITU mbrs to join CPfP Force Structure Additive Partner w/DoS to develop a Strategic Partnership Agreement to Define Acceptable Cyber Behavior and Enforcement Responsibilities - Use NATO allies and ITU mbrs who signed agreement to enforce acceptable cyber behavior Force Structure Neutral Continue to Minimize Anti-US Terrorist Groups - Continued Funding for War on Terror - Congressional Approval of AUMF Readiness Additive Implement Persistent Cyber Situational Awareness/Monitoring Technology to support Attribution - Funding for Cyber Monitoring program - Funding for Cyber Awareness program Modernize Additive Leverage w/ Industry to Develop Layered Cyber Defense Strategy to Defend Critical US Data and Assets - Data Security Standards - Certified Data Protection Algorithms - ID of Critical Nat’l Security Data/Assets Modernize Subtractive Implement Public Policy Restricting Use of Anonymity Software within United States - Create OSD Cybersecurity Division to coordinate all policy and strategy efforts Force Structure Additive Implement Public Policy Requiring Minimum Cyber Protection Mechanisms for US Businesses - Create OSD Cybersecurity Division to coordinate all policy and strategy efforts Force Structure Subtractive Continue Cyber Protection Education Efforts with the Public, National Security Professionals and US Companies - Create OSD Cybersecurity Division to coordinate all policy and strategy efforts - Cyberprotection Curriculum Force Structure, Readiness Neutral Maintain Resilient and Redundant Storage of Critical National Security Data - Data Security Standards - Certified Data Protection Algorithms Modernize Subtractive Develop Robust Cyber Attack Capabilities - Funding for Cyber Attack development & education to DoD (national) & DoJ (domestic) Modernize Additive Develop and Maintain Capability to Operate in a Degraded Cyber Environment - Update to cyber acquisition standards - Funding to modernize req’d & unprotected assets Modernize Additive Implement Public Policy requiring Manual or Isolated Networked Capability of Critical National Assets - Funding/strategy to modify critical energy assets (energy, financial, space, water, etc.) - Map of critical assets and their network Modernize Subtractive Create Emergency Isolation Plan and Develop Necessary Capabilities - Map energy assets to req’d nat’l security assets - Funding of pgrm to modify req’d assets Modernize Neutral Partner w/ DoS, DoJ, & DHS to Build Positive US Public Opinion Behind Required US Privacy and Monitoring Policies - US Privacy Policies - US Monitoring Policies N/A Neutral Table 1: US 2030 Cyber Strategy: Ways, Means, Categories and Military-Industrial Complex (MIC) Impact
  • 5. monitoring and encryption technology, monitoring and data security policies, and identification of critical national assets represent the strategy’s lifeblood. Resourcing of each mean draws from an associated major budget category (Modernize, Force Structure, and Readiness) as listed in Table 1 and should be accurately reflected in any Programming, Planning, Budget, and Execution activities. As a new and emerging national security concern, the strategy relies heavily on Modernization efforts, i.e. acquisition dollars, rather than Force Structure, i.e. personnel, or Readiness, i.e. operations and maintenance dollars. More importantly, each mean requires a certain level of acquiring products and services, coordinating support from the military-industrial complex, and/or partnering with national and global allies. A survey of each resourcing method to fulfill these means and their impact on the associated budget category will highlight inherent challenges facing the implementation of the strategy. Acquiring and Sustaining For fifty percent of the strategy’s ways, the US must modernize by acquiring new cyber products or services, running the gamut from developing DoD cyber attack capabilities to providing relevant government agencies with cyber awareness and cyber monitoring tools to improving cyber robustness in existing government infrastructure technology. To ensure expeditious resourcing of the strategy’s means, the DoD needs to carefully consider whether to source a product or service, lead-turn needed cyber documentation in the JCIDS process, and/or enlist combatant commander assistance to shorten the long lead times of the Defense Acquisition System. Predicting each choice’s likely outcome will allow US policy makers to use a positive approach to mitigate strategy obstacles and reduce enactment delay. Initially, policy makers need to determine whether a product or service best fulfills the purpose, responsiveness, and persistence of each mean. Product solutions deliver permanent government-owned capabilities to the warfighter’s specification, yet require longer requirement definition and development timelines and an associated long-term sustainment costs. For service solutions, the government relies on industry to develop, own, and manage the capability and sustainment while preserving the ability to
  • 6. terminate the capability rapidly. With the US’ national dependence on cyber, an investment in permanent product solutions for cyber attack, cyber awareness, cyber monitoring, and critical infrastructure protection seems appropriate. On the other hand, for standards’ creation, enforcement, and cyber protection certification, a service solution allows the government to rapidly generate initial capability and quickly disband the capability as needed. Procuring product solutions will require strategic navigation of the JCIDS process and the Joint Requirements Oversight Council, since CJCSI 5123F charges the JROC, among other duties, with reviewing “the estimated level of resources required in the fulfillment of each joint military requirement and ensuring the total cost of such resources is consistent with the level of priority”2 Unfortunately, except for Information Assurance considerations and requirements established by the Clinger-Cohen Compliance Act, the JCIDS process does not yet include cyber requirements to provide the JROC sufficient information to weigh the benefit of the product against its total costs. The lack of this relevant information will ultimately slow down the approval of cyber products. To weigh the current cyber strategy products and any future products against priorities, the JCIDS process will need to eventually consider cyber requirements similar to those listed in Table 2. For example, the creation of cyber metrics JCIDS Improvement Implement a “Cyber” KPP, raising the importance of Cyber to the appropriate level Require a Cyber Defense Strategy as a 5000.2 requirement to be submitted at the MS A decision and updated at each recurring MS decision Require a program’s System Engineering Plan explain how the design process verifies Cyber Defense Require each program’s Life Cycle Sustainment Plan to explain how Cyber Defense will be maintained and certified through the program’s sustainment phase Institute a IOT&E requirement, similar to Live Fire Testing, which requires Cyber Penetration Red- Teaming on all software and hardware programs. Define the extent of a program’s planned Cyber Penetration Red-Teaming approved in the TEMP Institute a set of cyber metrics which will be defined as part of each Cyber program’s Cyber Defense Strategy and updated annually in DAMIR Table 2: JCIDS Process Improvements for Cyber
  • 7. as part of each product’s Cyber Defense Strategy will allow policy makers to assess the DoD’s overall cyber readiness. Possible metrics include: Cyber Resiliency (the probability of continued mission operation after a cyber attack), Cyber Sustainability (the number of identified cyber vulnerabilities in the Software Supply Chain), Cyber Vulnerability (the number of “questionable” suppliers in the hardware supply chain), and Cyber Detection (the probability of detecting a cyber attack against a system). Consideration will need to be given to metrics duplicated in the Clinger-Cohen Compliance Act. By choosing to address these requirements upfront in initial cyber product documentation, the JROC and its associated staffs should expedite approval of cyber product acquisition and challenge DoD acquisition professionals to add these requirements to future versions of DODI 5000.2 to ensure all future cyber products conform to the DoD’s cyber strategy. Additionally, the Defense Acquisition System (DAS) has historically delivered products late, over-cost, and at decreased performance. In 2008, the Government Accountability Office reviewed 96 DoD programs against original estimates and concluded 42 percent cost growth in research and development, 25% growth in Total Acquisition Cost, and a 22-month average schedule delay.3 The milestone-driven schedule of the DAS conflicts with the calendar-driven schedule of the Programming, Planning, Budgeting, and Execution (PPB&E) process yielding some of these delays. Other delays result from a focus on “procedures dominating production, equity ruling over efficiency, and top executives as short timers”4 With a pressing national need for a cyber strategy, cyber strategists will enlist combatant commanders to designate cyber products as Urgent Operational Needs (UON), routing these products’ approval through the Warfighter Senior Integration Group (SIG) for eventual fielding within a 2-year timeline.5 Since UONs are intended only for products requiring minimal development to meet the short 2-yr timeline, some products will need to utilize the more robust JCIDS process. Further, with the US’ enduring dependence on cyber in the digital age, the DoD should consider the historical sustainability of products developed via the UON process vice the JCIDS, i.e. the abandonment of Mine-Resistant Ambush Vehicles due to a lack of sustainment capabilities. By strategically considering the best path
  • 8. through the DAS, adequate cyber documentation for the JCIDS process, and the right balance of products and services, DoD policy makers will adopt a more positive approach to acquiring cyber means. Coordinating To resource the cyber strategy, DoD policy makers will need to coordinate through all elements of the iron triangle: the interagency executive bureaucracy, industry and its associated interest groups, and the legislative Congress. Efforts for coordinating acquisition products and services will differ from other policy measures, such as developing cyber standards of behavior with the DoS, building public opinion on privacy and monitoring, or establishing minimum protection mechanisms with industry. However, each coordination effort shares similar challenges in solidifying the iron triangle support around the cyber strategy. Specifically, DoD policymakers must overcome rent seeking industrialists, “bootlegger and baptist” congressional members, and the principal-agent problem inherent in the Executive branch to realize the cyber strategy. In the zero-sum nature of the interagency environment, a new strategy must contend with impacts from the fundamental principal-agent problem where the agent, due to competing internal interests, may not accurately represent the principal’s interests. Initially, even if no conflicts exist, the perception from the principal-agent problem casts doubt on the true motivation of the strategy, potentially hindering coordination. Eventually, once the strategy gains leadership acceptance and process momentum, ulterior interests may develop, perpetuating the principal-agent problem anew. While the President’s EO 13636 solidified importance and ownership of different cyber aspects across the interagency, each agency will interpret the President’s interests differently for its own benefit, potentially creating conflicting interests and priorities. For example, DoJ and DHS may seek tighter cyber standards and enforcement authority for their mission accomplishment while the DoS may desire lighter standards and enforcement to ease diplomacy. Across the Executive branch, DoD strategic leaders will need to combat these principal- agent dynamics, leveraging each internal agency’s self interests, as appropriate, to enact the strategy.
  • 9. To tighten the triangle with the Legislative branch, DoD strategic leaders will need to identify supporting “bootleggers and baptists” within Congress, primarily to secure funding from congressional appropriators and enact policy support from authorizers. Failed attempts at a Cybersecurity Act demonstrate a lack of congressional majority on cyber issues, which heightens the importance of this coordination on successful implementation of the strategy. Despite the intent of the selfish bootleggers or the righteous baptists, the national importance of cyber defense may form common ground between camps and draw others to the bandwagon. With cyber attacks on Sony Pictures Entertainment over the film “The Interview” and multiple versions of ransomware rampant over the past six months6 , US public awareness of cyber attacks has never been higher. Voter awareness and concern should resonate positively with congressional members. Energizing industry to support the cyber strategy could prove to be the most challenging of iron triangle hurdles as most of the means require industry investment. The development of cyber products or services will appeal to the rent seeking nature of industry, providing another revenue stream to the MIC. At the same time, with the perception of cyber governance as a public good, industry may resist providing internal investment to meet nationally-mandated cyber protection standards or upgrade critical infrastructure. Hopefully, “whereas genuine free riding temptations pose only modest risks to cyber security governance, weak cyber defences create significant externalities and can therefore be understood as a global public bad. What may be required to improve this state of affairs is a future regime that combines ‘sticks’ and ‘carrots’ and, thus, changes state incentives.”7 Cyber policies requiring companies to conform to the new standards to maintain eligibility for government contracts may incentivize industries which rely on large government market revenues. Ultimately, with a strategy cornerstone of monitoring and cyber accountability, DoD leaders should expect privacy interest groups to strongly counter any attempts to strengthen the iron triangle around the strategy. DoD policy makers will need to ensure proper messaging and maintain constant coordination with this corner of the triangle for success.
  • 10. Partnering With the global connectedness of cyber, DoD strategic leaders must develop partners…nationally and internationally, institutionally and individually…to succeed. To create the proposed Cyber Enforcement Coalition, the DoD, with the DoS, must enlist help from NATO, anti-terrorism allies, and like-minded friends within the International Telecommunication Union (ITU). Ideally, a strong coalition contains both industrial and international partners, providing economic and geopolitical benefits through dialogue to its members. For nations without obvious reasons for partnership, the US could provide access to cyber security assistance programs, offering cyber protection capability in exchange for support. If implemented, US policy makers must set proper export control boundaries to incentivize international and industrial support while protecting the technological advantages on which the strategy rests. Besides traditional institutions like the ITU, DoD strategic leaders need to partner with cyber institutions with national and international presence, such as Twitter and Facebook, whose transactions benefit from a stable and secure cyber domain. DoD leaders must emphasize accountability over attribution less the institutions steer clear from assisting. Facebook’s recent policy regarding community standards and terrorism demonstrates the partnerships’ possibilities. “The community standards now state that any ‘expressions of support’ for groups involved in ‘terrorist activity’ — or even for those groups’ leaders — are prohibited. Facebook does not name the groups, though it and Twitter have been under pressure from EU leaders and others to censor the propaganda and recruiting tools of the Islamic State in Iraq and the Levant (ISIL).”8 Like the terrorism campaign, an aggressive and comprehensive cyber campaign will build global unity of effort and ultimately empower institutions to directly and indirectly influence the global cyber culture in ways the DoD could not accomplish alone. To further resource the means, DoD strategic leaders must develop partners at the individual level, countering micro-politics by continuing cyber protection education efforts with the public. For example, the Air Force Association and Northrop Grumman sponsored this year’s CyberPatriot competition, for the seventh season, where more than 2,100 student teams from across the United States, Canada, and Defense Department dependent schools in Europe and the Pacific compete in finding and
  • 11. defending cyber vulnerabilities for scholarships.9 Besides raising cyber awareness within the students, parents, and their communities, this activity inspires youth into pursuing cyber and STEM-related degrees and professions, improving the US cyber industry’s future innovative capability. Conclusion Throughout the resourcing process, active awareness of the iron triangle by DoD strategic leaders on managing strategy coherence within the executive bureaucracy, micro-politics across US public and interest groups, and competing interests within the Congress will eventually instill a cyber national culture and ease resourcing of the strategy. Leading globally requires partnering widely and the connectedness of cyber demands the US foster a global awareness. This awareness will justify the means to the ends and ensure the means don’t change the ends in the process. While experts argue whether the digital age began in the 1950s with transistors or the Internet in the 1990s, the inclusion of a realistic and effective cyber strategy into the national security portfolio is years late. With sufficient resourcing, a generation of US DoD strategic leaders, born at the digital dawn and raised by the Google network, will innovatively and rapidly develop, acquire, and produce the means to close the gap. 1 Marc V. Schanz. “PLA Strategy Now Openly Touts Cyber Forces.” Air Force Magazine Daily Report, March 13, 2015. 2 Mary Redshaw. “Choosing Strategic Capabilities.” National Defense University, Course DSR 2-5. Slide 9. 3 GAO. “Charting a Course for Lasting Reform.” 2008. Accessed on March 18, 2015. Available at http:www.gao.govnew.itemsd09663t.pdf. 4 Mary Redshaw. “Defense Acquisition System.” National Defense University, Course 2-10. Slide 21. 5 DoD. “Rapid Fulfillment of Combatant Commander Urgent Operational Needs.” DoD Directive 5000.71. August 24, 2012. Accessed on March 18, 2015. Available at http:www.dtic.milwhsdirectivescorrespdf500071p.pdf 6 Lucian Constantin. “Ransomware authors streamline attacks, infections rise”. February 10, 2015. Accessed on March 19, 2015. Available at http://www.pcworld.com/article/2882532/ransomware-authors-streamline-attacks- infections-rise.html. 7 Mischa Hansel. “Cyber Security Governance and the Theory of Public Goods”. June 27, 2013. Accessed on March 21, 2015. Available at http://www.e-ir.info/2013/06/27/cyber-security-governance-and-the-theory-of-public- goods/. 8 Michael Pizzi. “Facebook clarifies, confuses with new content rules”. March 16, 2015. Accessed on March 19, 2015. Available at http://america.aljazeera.com/articles/2015/3/16/facebook-clarifies-confuses-with-new-content- rules.html
  • 12. 9 Air Force Magazine Daily Report. “CyberPatriot VII Winners Announced.” March 17, 2015.