Formalized Offensive Cyber Strategies
While the new strategy contains many different statements with varying degrees of importance to the general public, the most important elements are the commitment to talent development, offensive actions and strengthened infrastructure.
On talent development, the DoD is indirectly acknowledging the difficulty of finding and retaining infosec talent, which we have previously reported on. To combat the issue, it commits to creating compelling career paths and developing internal talent. These strategies are on par with what most companies and other organizations in the private sector are doing. When staff are in short supply, creating a compelling work environment and upskilling are the most common and most effective tools to bridge the skills gap.
The commitment to offensive actions includes countering incoming attacks and preventing attacks from making it to US infrastructure. This approach is commonly referred to as “countering” in the media. Practicing offensive security to deter and stall incoming attacks is somewhat controversial as it carries the risk of attacking the wrong targets. Since the internet is an anonymous space and cyber attackers are very good at covering their tracks, a falsely identified attacker and a rash response may in turn trigger a counter-response from the party that was hit. Even when attackers are correctly identified, it will be almost impossible to establish reliable proof of the identification.
Strengthening infrastructure has been a core priority for many countries trying to cope with the emerging cyber landscape. Computer systems controlling power or industry installations are often decades old. Scenarios where cyber attackers or even invading armies cripple the power or phone grid to prevent a coordinated response are common. However, as with all infrastructure, the required changes will take significant time to implement.
While the strategy in general and the three points mentioned above are likely to gather repeated attention on both media and political stages, we expect little tangible impact in the foreseeable future. In a way, the new strategy merely codifies what the US - and for that matter most countries - are already doing.
The strengthening of infrastructure and development of talent are ongoing projects that have been in motion for almost a decade and are likely to continue. The commitment to offensive security is equally common. As various leaks have shown and continue to show, virtually all countries are engaging in offensive cyber actions to establish footholds and gain experience for potential future engagements.
Thus, we look at the strategy as mostly a political statement for the time being.
The same actions of continuously developing talent and infrastructure while codifying an ordered response plan are also valid strategies for any organization looking to improve its cybersecurity standing.