As the Defense Department continues to build cyber into its thinking about what it means to conduct modern warfare, it’s using old-fashioned mechanisms to ensure the transition is successful: it’s now incorporating cybersecurity into the notion of military readiness, and going forward, commanders will be held accountable when their networks or weapons systems fail cyber inspections.
U.S. Cyber Command and the military service components, which report to it, have been conducting spot cybersecurity inspections of military units for several years, but until recently, those findings have functioned essentially as advisory opinions to commanders on how they might improve their own defensive posture. From now on, CYBERCOM will play more of an independent enforcement role in ensuring the network defense directives it’s been empowered to issue are actually followed, said Lt. Gen. Kevin McLaughlin, the deputy commander of Cyber Command.
“We’re going to trust, but verify,” he said. “We’re building a pretty robust cyber compliance and readiness inspection program; we’re going to show up at an installation and inspect everything. We’ve done this in the past, but we always gave the report card to the installation commander, and we never figured out why we kept seeing the same problems over and over again. Now, in every one of those compliance inspections, Adm. Michael Rogers (the commander of U.S. Cyber Command) is the first person who’s told if there’s a problem. His first question is going to be whether we’ve called the local commander, whether that commander is remediating his problems and whether or not we need to disconnect that installation from the network. That visibility and oversight is driving a huge culture change.”
McLaughlin spoke Thursday at the annual Billington Cybersecurity summit in Washington. Separately, he told the Reuters news agency that Cyber Command is building a sophisticated, automated system that will generate “scorecards” rating the cyber readiness of installations, weapons systems and IT networks throughout the department, and that Defense officials hope to reach agreement on how the system will operate within the next several weeks.
The initiatives, he said, are part of a broader effort to make all military commanders more conscious of the importance of cybersecurity in everything they do.
“In previous lives, I was not a cyber unit commander and I didn’t understand the importance of this. I had a communications staff, and I just told them to make sure my network was always working. Even if there were issues with cybersecurity standards or if we needed to get a waiver, my answer was, ‘Yes, just get it in place, just make it work.’ I thought it was a bureaucratic burden to have to do that, but I think we’re all realizing that’s not true,” he said. “I should have been held just as accountable for that as I was the other things I knew very well. The fact that there’s now some independent oversight and some transparency about whether you’re ready to get your job done is a real stimulating factor to make change.”
Defense officials have said that part of commanders’ reticence to add cybersecurity to the list of things they concern themselves with each day may have something to do with the fact that the major battlefields of the last decade – the low-tech counterinsurgency campaigns in Iraq and Afghanistan – involved almost no interference with the U.S. military’s ability to operate in cyberspace, giving it free access to whatever satellite or terrestrial communications it wanted and with no adversary able to mount a credible attack on any unit’s IT systems.
Experts generally expect that any future conflict will include at least some cyberspace component, so DoD now is insisting that its regular training exercises incorporate realistic simulations of what would happen if an enemy were attacking U.S. military networks while that opposing force or its proxies were simultaneously firing rocket-propelled grenades, deploying squadrons of jet fighters or engaging in whatever other more-traditional form of warfare a commander might be most attuned to.
“That’s so that the commander knows that he was or wasn’t able to get his job done based on a realistic encounter in cyberspace,” McLaughlin said. “What gets a commander’s attention is if he failed at the mission. If that’s because of cyber, it’s a whole new way of getting non-cyber people like me to jump up and down and insist on more capabilities and more priority on the cyber part of the mission.”
Richard Hale, DoD’s deputy chief information officer for cybersecurity, said the Pentagon also intends to impose accountability by adding cyber to the list of measurements it traditionally has used to determine whether a unit is ready to deploy.
“If some unit isn’t patching their systems right away, okay, that’s bad, but maybe it isn’t the fault of the guy at the bottom of some big pile, maybe it’s some three-star admiral who’s said we’re not going to do that,” he said. “So we’re going to ask for reporting, which is quite different from just measuring compliance. We’re changing the DoD readiness system around so that cyber gets reported in the same way a company commander would tell us the percentage of your trucks that are working and all the other things that tell us whether you’re ready to go do your mission right now. We’re going to report those things and hold people accountable for them all the way to the tippy-top of the chain of command.”
The same principles will extend beyond readiness for current military operations. The Pentagon is applying leadership accountability for cyber to its acquisition program offices. A scathing report by DoD’s director of operational test and evaluation found cyber vulnerabilities in most of the weapons systems the military hopes to use on future battlefields.
“The small diameter bomb, for example, has some computers in it. Everything with a computer in it is cyber-attackable,” Hale said. “These are cases where I don’t want to just contain cyber attacks, I need them to not happen at all. So I want that acquisition program office to have certain characteristics. And we’re going to report their performance all the way up the acquisition chain of command to the top levels of the department.”
Hale, who briefs Defense Secretary Ashton Carter once per month on how the department is handling basic tasks such as hardening its endpoints and complying with two-factor authentication, said the department’s new cybersecurity sanctions are not intended strictly as punitive measures.
Besides raising the defensive posture of military units and weapons systems, the hope is that more deckplate-level reporting will inform the level of financial resources DoD needs to dedicate to cyber defenses and enable it to argue for more spending — where it is justified — against a vast set of competing programs in the defense budget.
“We have all of this accountability stuff going on, but it’s unreasonable to hold people accountable if they don’t have the means to be accountable,” he said. “So what reporting these things up to the secretary of Defense has done for us is to cause these conversations to happen about what resources we actually need to do some of these things. That’s very hard to pull off in a very big complicated organization, but now we’ve forced a whole hell of a lot of conversations about budget and people and training, and those conversations have to happen.”