Formalised Offensive Cyber Strategies

The US Department of Defense Cyber Strategy serves as DoD's next step toward re-engineering cyber operations to protect and defend its networks and systems. This is the first time the DoD has had a clear direction on how it will address its cyber needs. So tell me, where's your plan?

First Published 21st September 2018


Generals gathered in their masses.

Reflare Research Team

While the new strategy contains many different statements with varying degrees of importance to the general public, the most important elements are the commitment to talent development, offensive actions and strengthened infrastructure.

On talent development, the DoD is indirectly acknowledging the difficulty of finding and retaining infosec talent which we have previously reported on. To combat the issue, it commits to creating compelling career paths and developing internal talent. These strategies are on par with what most companies and other organizations in the private sector are doing. Faced with a lack of available staff, creating a compelling work environment and upskilling are the most common and most effective tools to bridge the skill gap.

The commitment to offensive actions includes countering incoming attacks and preventing attacks from making it to US infrastructure. This approach is commonly referred to as “countering” in the media. Practising offensive security to deter and stall incoming attacks is somewhat controversial as it carries the risk of attacking the wrong targets. Since the internet is an anonymous space and cyber attackers are very good at covering their tracks, misidentifying an attacker and responding rashly may in turn trigger a counter-response from the party that was hit. Even when attackers are correctly identified, it will be almost impossible to establish reliable proof of the identification.

Strengthening infrastructure has been a core priority for many countries trying to cope with the emerging cyber landscape. Computer systems controlling power or industrial installations are often decades old. Scenarios where cyber attackers or even invading armies cripple the power or phone grid to prevent a coordinated response are common. However, as with all infrastructure, the required changes will take significant time to implement.


While the strategy in general and the three points mentioned above are likely to gather repeated attention on both media and political stages, we expect little tangible impact in the foreseeable future. In a way, the new strategy merely codifies what the US - and for that matter, most countries - is already doing.

The strengthening of infrastructure and the development of talent are ongoing projects that have been in motion for almost a decade and are likely to continue. The commitment to offensive security is equally common. As various leaks have shown and continue to show, virtually all countries are engaging in offensive cyber actions to establish footholds and gain experience for potential future engagements.

Thus, we look at the strategy as mostly a political statement for the time being. The same actions of continuously developing talent and infrastructure while codifying an ordered response plan are also valid strategies for any organization looking to improve its cybersecurity standing.
