Pages

8 December 2018

An Assessment of the 2018 U.S. Department of Defense Cyber Strategy Summary

By Doctor No

Doctor No has worked in the Cybersecurity field for more than 15 years. He has also served in the military. He has a keen interest in following the latest developments in foreign policy, information security, intelligence, military, space and technology-related issues. You can follow him on Twitter @DoctorNoFI. The author wishes to remain anonymous due to the work he is doing. The author also wishes to thank @LadyRed_6 for help in editing. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group. 

Summary: On September 18, 2018, the U.S. Department of Defense (DoD) released a summary of its new Cyber Strategy. While the summary indicates that the new document is more aggressive than the 2015 strategy, that is not surprising as President Donald Trump differs significantly from President Barack Obama. Additionally, many areas of adversary vulnerabilities will likely be taken advantage of based upon this new strategy.


Text:The U.S. DoD released a summary of its new Cyber Strategy on September 18, 2018[1]. This 2018 strategy supersedes the 2015 version. Before looking at what has changed between the 2015 strategy and the new one, it is important to recap what has happened during the 2015-2018 timeframe. In 2015, President Obama met with China’s Premier Xi Jinping, and one of the issues discussed was China’s aggressive cyber attacks and intelligence gathering targeting the U.S. Government, and similar activities targeting the intellectual property of U.S. companies. The meeting and the sanctions before that did bear some fruit, as information security company FireEye reported cyber attacks from China against the U.S. decreased after that meeting[2].

Russia on the other hand, has increased cyber operations against the U.S. and other nations. During 2014 in Ukraine, Russia seized Crimea, participated in military operations in Eastern Ukraine, and also demonstrated its might in cyber capabilities during these conflicts. Perhaps the most significant cyber capability demonstrated by Russia was the hacking and immobilizing of Ukrainian power grid in December 2015[3]. This event was significant in that it attacked a critical part of another country’s essential infrastructure.

The cyber attack that had the most media coverage likely happened in 2016. The media was shocked when Russians hacked the U.S. Democratic National Committee[4] and used that data against Presidential candidate and former Secretary of State Hillary Clinton, specifically in social media during the U.S. Presidential election[5].

The U.S. had its own internal cyber-related problems as well. “Whistleblower” Reality Winner[6] and the criminal negligence of Nghia Hoang Pho[7] have somewhat damaged the National Security Agency’s (NSA) capabilities to conduct cyber operations. The Nghia Hoang Pho case was probably the most damaging, as it leaked NSA’s Tailored Access Operations attacking tools to adversaries. During this timeframe the U.S. Government also prohibited the use of Kaspersky Lab’s security products[8] in its computers due to security concerns.

Also worthy of note is that the U.S. administration has changed how it conducts diplomacy and handles military operations. Some have said during President Obama’s tenure his administration micromanaged military operations[9]. This changed when President Trump came to the White House as he gave the U.S. military more freedom to conduct military operations and intelligence activities.

Taking these events into account, it is not surprising that the new DoD Cyber Strategy is more aggressive in its tone than the previous one. Its statement to “defend forward to disrupt or halt malicious cyber activity at its source,” is perhaps the most interesting. Monitoring adversaries is not new in U.S. actions, as the Edward Snowden leaks have demonstrated. The strategy also names DoD’s main adversaries, mainly China and Russia, which in some fields can be viewed as near-peer adversaries. The world witnessed a small example of what to expect as part of this new strategy when U.S. Cyber Command warned suspected Russian operatives of upcoming election meddling[10].

Much has been discussed about U.S. reliance on the Internet, but many forget that near-peer adversaries like China and Russia face similar issues. What China and Russia perhaps fear the most, is the so-called Orange Revolution[11], or Arab Spring-style[12] events that can be inspired by Internet content. Fear of revolution leads China and Russia to control and monitor much of their population’s access to Internet resources via the Great Firewall of China[13], and Russia’s SORM[14]. Financial and market data, also residing on the Internet, presents a vulnerability to Russia and China. Much of the energy sector in these countries also operates and monitors their equipment thru Internet-connected resources. All of these areas provide the U.S. and its allies a perfect place to conduct Computer Network Attack (CNA) and Computer Network Exploitation (CNE) operations, against both state and non-state actors in pursuit of U.S. foreign policy goals. It is worth noting that Britain, arguably the closest ally to the U.S., is also investing in Computer Network Operations, with emphasis on CNA and CNE capabilities against Russia’s energy sector for example. How much the U.S. is actually willing to reveal of its cyber capabilities, is in the future to be seen.

Beyond these changes to the new DoD Cyber Strategy, the rest of the document follows the same paths as the previous one. The new strategy continues the previous themes of increasing information sharing with allies, improving cybersecurity in critical parts of the homeland, increasing DoD resources, and increasing DoD cooperation with private industry that works with critical U.S. resources.

The new DoD Cyber Strategy is good, provides more maneuver room for the military, and its content will likely be of value to private companies as they think about what cyber security measures they should implement on their own systems.

No comments:

Post a Comment