The Defense Science Board’s latest study on the state of cyber defense in the U.S. reaches some worrying conclusions, both for civil infrastructure and for military capability. The panel assesses that even after foreign intrusions into election systems, financial institutions and Defense contractors, the U.S. has only seen the “virtual tip of the cyber attack iceberg.”
On the civilian side, the new report warns that for at least the next five-to-10 years, other nations will have offensive cyber capabilities that “far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.”
To make matters worse, the traditional weapons systems the military relies on to deter countries from actually launching those attacks are themselves vulnerable to cyber attack, undermining a deterrence policy one Defense official articulated six years ago: “If you shut down our power grid, maybe we’ll put a missile down one of your smokestacks.”
Consequently, the advisory panel says the Pentagon needs to devote “urgent and sustained attention” to making its strike systems immune from cyber attack and make it clear to adversaries that it’s done that. Otherwise, its threats vis-a-vis missiles and smokestacks will rightly be seen as —well, blowing smoke.
Insight by the Anomali: Justice Department, DODIN, DHS and IT-ISAC explore cyber threat intelligence in this free webinar.
“To be able to credibly impose unacceptable costs in response to cyber attack by major powers, Russia and China, the U.S. needs its key strike systems — cyber, nuclear and nonnuclear strike — to be able to function even after the most advanced cyber attack,” James Miller, a former undersecretary of Defense for policy and a co-chair of the task force that authored the report, told the Senate Armed Services Committee. “And this is not a simple task.”
The board gave several examples of complex systems that need urgent attention in order to harden them against cyber attack. Strike platforms like guided missile submarines and heavy weapons bombers are on the list, and the authors advise that that new nuclear weapons systems not be “networked by default.”
But so is IT infrastructure for command and control and logistics, because a cyber attack on military systems “might result in U.S. guns, missiles, and bombs failing to fire or detonate or being directed against our own troops; or food, water, ammo, and fuel not arriving when or where needed; or the loss of position/navigation ability or other critical warfighter enablers.”
That’s just part two of the report.
Part one strongly hints that the federal government doesn’t have a unified national policy on how to deter cyber attacks and says it must develop one, and then implement ongoing, tailored campaigns to deal with the most potentially troublesome attackers, including not just China and Russia, but also countries with mid-level capabilities, like North Korea and Iran.
The panel said the U.S needs a pre-exercised, tailored playbook of options that, above all, makes clear that the government will respond to any and all cyber attacks, rather than a piecemeal approach which inevitably lets at least some of them slide.
“The question should be not whether we respond, the question should be how,” Miller said. “You have to look at what [another nation’s] leadership values across a range of potential targets that we could hold at risk. The value of campaign planning is you have a sense of what level of response and what specific types of targets might be most appropriate for a given scenario.”
The DSB report was, in many ways, concordant with the views of Sen. John. McCain (R-Ariz.), the chairman of the Armed Services Committee, who frequently criticized the Obama administration for failing to come up with a coherent cyber policy that, in his view, would help deter future attacks. But McCain also acknowledged that Congress contributed to the problem by dividing its cyber oversight responsibilities among numerous committees.
Keith Alexander, who served as the commander of U.S. Cyber Command from its inception in 2010 until his retirement in 2014, agreed that both the executive and legislative branches had a hand in creating dysfunction. Alexander, who frequently championed a “team sport” and “whole of government” approach to cyber while he headed CYBERCOM, said last week that the government’s current approach to cyber suffers from fundamental structural problems.
“It’s not working. There are four stovepipes,” he said, referring to the Defense Department, the FBI, the Department of Homeland Security and the intelligence community. “If we were running this like a business, we’d put them together. You also have all these committees in Congress looking at all this, and it’s messed up.”
Alexander said he and former Defense Secretary Robert Gates had, at one time, discussed a proposal to rearrange the government’s cyber defense responsibilities so as to bring a more unified approach to tasks that are now performed by federal law enforcement agencies and DHS; they believed that DoD and the intelligence community were already fairly well-integrated.
“I think that’s where we ultimately need to go, but before we do that, I would highly recommend that we get those four groups together and practice: do a couple of exercises with Congress and with the government and potentially with industry and show how this should work. What you have now is agencies acting independently, and with those seams, we will never defend this country. When industry looks at our government, they are quite frankly dismayed. We’re all over the map, and no one can answer who’s responsible.”
But if the current state of cyber defense is partly a matter of deterrence and retaliation, it’s important to keep other domestic agencies in mind. The Treasury and Justice departments, for example, have played key roles in prior responses to cyber attacks, including through crippling financial sanctions targeting key leaders of state-sponsored hacks and criminal prosecutions of those officials.
“I don’t see duplication of effort, I see gaps in effort. We don’t have an orchestra conductor to ensure that we don’t have those gaps,” said Dr. Craig Fields, the chairman of the Defense Science Board. “On the board, we’ve talked about the National Security Council playing that role, but we’re not completely comfortable with that. It’s an unsolved problem, because we do need a campaign strategy to make this a continuous process, including exercises. … We have a long list of execution issues like whether we have the right number of offensive cyber folks or whether the intelligence community is collecting the right stuff at the right time, but unless we have policy and the orchestra conductor and the strategy, we’ll never go where we need to go.”