The Department of Defense Strategy for Operating in Cyberspace has attracted its share of attention and criticism since it was released last month.
For instance, critics from outside the Department believe the document is written at such a high level, it offers little of new value in the debate about how to address cyber threats.
Even those within the Department, including the former Vice Chairman of the Joint Chiefs, General James Cartwright, suggest that the DoD strategy should move from being overly focused on protecting DoD networks to placing more emphasis on deterring attacks.
Nevertheless, the DoD’s strategy document represents an important milestone in dealing with global cyber threats.
One of the primary takeaways of this new document is the degree to which cyber has now matured and is being publicly recognized as a top DOD priority. The strategy shows the evolution and pronouncements related to that process.
The DoD’s emphasis (in this document) on improving the capabilities of the cyber workforce and enhancing its capabilities …mean that resources will be dedicated to this emerging mission area.
Within the DoD, cyberspace has now been officially designated as an operational domain, comparable to land, sea, air and space. This allows the Department of Defense to organize their thoughts and actions into training and equipping the cyber workforce within the Department – an important evolutionary step.
It also reflects on the DoD’s emphasis on improving the capabilities of the cyber workforce and enhancing its capabilities. These important elements mean that resources will be dedicated to this emerging mission area.
Another distinguishing aspect of this document is the stated need for increased DoD cooperation with the private sector and our allied countries. This recognizes that the DoD desires to work with others who have similar objectives in capitalizing on the unlimited opportunities offered by cyberspace.
However, there still appear to be questions in many people’s minds regarding how the DoD might work to deter cyber attacks.
The strategy report delves deeply into how the Defense Department would operate and defend itself in cyberspace. But questions about how the DOD might shift to a proactive posture and use cyber attack capabilities remain unanswered.
For 13 years now, DoD has been moving to consolidate computer network defense, computer network exploitation and computer network attack. These capabilities were finally brought together into the U.S. Cyber Command which was stood up in 2010. But today, projections or thoughts on how cyber attack might be employed are absent from the DoD strategy even when insights into using that capability might be helpful in deterring at least some who might consider attacking us.
What we also are going to see now is the combined use of DoD and Intelligence Community capabilities lending their assistance to Department of Homeland Security to help defend critical infrastructures that are important to America.
The critical infrastructures spelled out in the “Commission on Cybersecurity for the 44th Presidency” report, sponsored by the Center for Strategic and International Studies (CSIS), were well received by the administration and will likely be the areas of focus. These include: financial services, energy, essential government services, and telecommunications. There is already some agreement between the secretaries of Defense and Homeland Security on moving ahead to explore best ways to use DoD and Intelligence Community capabilities in that regard.
Finally, I believe that with this strategy, the DoD now has made an attempt to be even more transparent in what they are trying to do. This is reflected in the new website DoD launched in connection with this report. It is well organized around the initiatives that are spelled out in the DoD strategy.
The strategy will also allow others to have more insight into what the Department is doing. It’s going to inspire a lot of questions, especially of public officials like General Alexander at U.S. Cyber Command, even though military details in areas such as specific operational tactics, techniques and procedures would not be divulged.
All of this, however, cannot be divorced from the new realities of federal budgets. The numbers we are hearing really are staggering. When we hear about major thrusts to cut $400 billion in spending or even higher figures of $800 billion or more, certainly that is going to have a major impact on the Department of Defense. But it appears that cyber is going to remain a top priority, even more so now with the DoD’s overall operational strategy that will help explain, justify and align cyber-related resources in the future.
This will take on more importance as DoD officials appear before the Congress. As the various military Service chiefs and secretaries testify, they can point to this new DoD strategy as the underlying document that connects the dots throughout the DoD and the reasons why they are asking for funding to organize, train and equip the cyber workforce.
The DoD has many important priorities, but cyber – any electronic connectivity among bits, bytes and packets for sharing information within the Defense Department — is an inevitable part of every modern DoD capability today and into the future.
The DoD has recognized that to achieve a smaller, more modernized and effective force, great strength can be realized through a credible cyber capability. It’s certainly going to be interesting to see how successful the DoD is in requesting allocations for their needs and how Congress responds in appropriating the funds for cyber-related capabilities.
Lt. General Harry Raduege, USAF (Ret.) is chairman, Deloitte Center for Cyber Innovation and a former director of the Defense Information Systems Agency.