The new DoD Cyber Policy, “DoD Strategy for Operating in Cyberspace,” released on July 14, turned out to be quite a good document in my opinion. It is not without fault, but in Washington, D.C., what is?
The policy paper correctly articulated the problem facing us in cybersecurity as tough, dangerous, ubiquitous and continuous. OK, it may overstate it a little for my taste. I am not a “today is the cyber apocalypse” guy. Our way of life is not going to end tomorrow. I am worried that if we don’t get off our duffs soon, we will be facing a problem that can grow to existential proportions sooner than we think. All that said, their opening section on the Strategic Context is worth reading – just don’t accept it all without a little critical analysis of your own.
The document then outlines five Strategic Initiatives, taking a couple of pages to elaborate on each. These all touch on where the Defense Cyber folks want to go in the future. The direction is correct and speaks well of the practicality of the Department on an issue that is fraught with way to little of anything grounded in reality. Let’s look at the five.
The first Strategic Initiative is a rehash of the Department’s position that Cyber is and should be one of the operational domains, which it must control to properly defend the Nation. There is nothing new here. Not that it is wrong; in fact I agree with them on this. Many experts do not, but basically, this is how DoD looks at the world and how they determine responsibilities in the Department. If that does not sit well with other Departments or academics, they need to understand that DoD is not telling them how to view the issue set, but this is their view.
Initiative Two speaks of utilizing new defensive concepts. This is, to me, the highlight of the document. Rather than going high tech and expensive, DoD has chosen to call for fixing all the low hanging fruit. They address “people” through training, education and cyber hygiene. Bravo! They also focus on leadership to close the gap that WiKi Leaks exposed. All the defensive concepts they talked about can be implemented today, for very low relative costs, and have a very beneficial effect on our security posture.
The next Initiative (Three) addresses partnering with other parts of the U.S. Government, particularly in the implementation of active defenses. The only criticism here is that I think they slightly blow their own horn a little too much. DoD has the right goals, but in my interaction, they are not there yet and in some of the services, they are a long way off from effectively securing their networks. As a set of goals, they are again right on target and need to make it all real.
The Fourth Initiative is working effectively with our allies abroad. I agree 100 percent with this, but as I have pointed out before, we still do not have a U.S. position on many of these crucial issues, so how can we negotiate with our allies?!? The need for multinational solutions is clear, but first we should decide what it is we want to do, what we will not do, and how we decide which is which. Once we do that, we should reach out to others. NATO right now is really pushing cyber, and we should use the opportunity to motivate and speed up our internal efforts.
The Fifth Initiative is a “Mom and Apple Pie” one. Leverage our ingenuity, innovation and workforce. This is all true, and must be done, but it is getting to be the necessary platitude on everyone’s cyber action list. DoD, get away for the bumper stickers on Number 5 and really do it!
All said, I was very pleased. The policy honestly addresses pretty much all the key issues facing us in cyber. They have gone for the easiest (and in my opinion most potentially effective) ways to make progress. They are being straightforward and realistic. Again, I say “Bravo!”
Now guys, let’s do it. We have waited too long.
