Foreign Policy Blogs

GailForce: Latest Information from the Military on Its Cyberspace Operations Part Two

Photo Credit: Torkild Retvedt

Around this time every year the intelligence community gives a worldwide threat overview to Congress.  As part of this process, they publish an unclassified Worldwide Threat Assessment that is available to the public.  For the second year in a row, they identified cyber as the number one national security threat.

“Several critical governmental, commercial, and societal changes are converging that will threaten a safe and secure online environment. In the past several years, many aspects of life have migrated to the Internet and digital networks. These include essential government functions, industry and commerce, health care, social communication, and personal information. The foreign threats…below pose growing risks to these functions as the public continues to increase its use of and trust in digital infrastructures and technologies…

“We assess that computer network exploitation and disruption activities such as denial-of-service attacks will continue.  Further, we assess that the likelihood of a destructive attack that deletes information or renders systems inoperable will increase as malware and attack tradecraft proliferate.  Many instances of major cyber attacks manifested themselves at home and abroad in 2013…”

This public discussion of cyber by the head of the intelligence community is huge on a variety of levels, but suffice it to say a new form of warfare (think air warfare, submarine warfare, etc.) has finally gotten military and intelligence leaders’ attention at the highest levels.  This is not to say they have been unaware of the growing cyber problem — not at all. Elements of the military have been fighting the good cyber fight for some time, but they now recognize cyber threat planning as something that must be integrated into every level of military and intelligence planning. By the way, for those who’d like to know more about the history of military involvement in cyber, I highly recommend Jason Healey’s book, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012.

Some might say, “Hey Gail, don’t you live in Colorado?  Have you been partaking of what is now a legal substance in Colorado?”  No, not at all.  Back in the year 2000 or so, as I mentioned in my last blog, I was leading the cyber charge for the intelligence community.  One of the key leaders in this process was meeting with massive resistance from his chain of command.  He worked for one of the “3 letter” D.C. organizations.  His bosses weren’t being total jerks — they simply felt cyber was an issue for military communications people to work on, not the intelligence community.  My friend was of the school of thought that believed just as the intelligence community tracked what potential adversaries could, might, and were doing with more conventional weapons (missiles, ships, submarines, etc.), we now had to track what they were and/or might do with cyber.

One day he found himself in the elevator with the head of the organization.  He seized the moment and gave one of the most important “elevator” speeches I’ve ever heard.  He explained why the involvement of the intelligence community was critical to solving the problem of cyber.  End of problem, at least from that particular agency.

Now, I’d like to share more of what jumped out at me from the Cyberspace 2014 Symposium I attended a couple of weeks ago.  Eric Hutchins, from Lockheed Martin, spoke about the “Cyber Kill Chain” and “Intelligence-Driven Defense.”  He said intelligence-driven defense defeats persistent threats.  The focus needs to be on what happened yesterday, today, and tomorrow.  If you respond to an intrusion at the point of boom, you’re responding too late.  In a white paper he states:

“Conventional incident response methods fail to mitigate the risk posed by APTs (Advanced Persistent Threats) because they make two flawed assumptions: response should happen after the point of compromise, and the compromise was the result of a fixable flaw…

“Responses to APT intrusions require an evolution in analysis, process, and technology; it is possible to anticipate and mitigate future intrusions based on knowledge of the threat… Each discrete phase of the intrusion is mapped to courses of action for detection, mitigation and response. The phrase ‘kill chain’ describes the structure of the intrusion, and the corresponding model guides analysis to inform actionable security intelligence. …Through intelligence-driven response, the defender can achieve an advantage over the aggressor for APT caliber adversaries.”

During his talk, he said it takes tradecraft to defeat threats. He does not believe aggressors always have an advantage. He thinks defenders can have one. If we built a network, we can defend it. There are too many OODA loops over too many different organizations. You are not only defending your environment, but your data that can come from a variety of sources. He finished by saying cyber is a team activity and that we’re all in it together.

General William Shelton, the head of Air Force Space Command, gave further insights into the military mindset on cyber.  Here are some of the key points:

  • Cyber capabilities are absolutely essential for today’s military.
  • Intelligence, logistics and operational plans all come from remote locations to the military commanders.
  • Cyber issues continue to accelerate. How do we stay on top of the problems while dealing with the breakneck speed of change?
  • The price of admission to be a cyber actor is cheap.
  • What are alternatives to building the best defenses we know how to build?
  • Cyber weapons are cheap to build.
  • Adversaries we face in cyber include insiders.
  • Attribution in this domain can be difficult if not impossible.
  • The military approach now is defining what information really needs to be protected. What information is mission critical? This will help in determining priorities.
  • The Air Force has worked hard to consolidate all networks into a single one.
  • They don’t yet have rules of engagement in cyber.  There are no treaties. It’s the Wild West.  It might take a cataclysmic event for us to get there.

As I listened to various cyber presentations in Colorado Springs and interacted with practitioners attending the event, I saw plenty of evidence these critical issues were finally starting to be worked at the intensity needed at the highest levels of the military and civilian government communities.  This does not mean they have solved the many problems in the cyberspace domain.  Now we need a major push to get industry and the public on board.  I’ve blogged in the past about Department of Defense initiatives in this area, but much more needs to be done.  This will require even more transparency by the government in declassifying some information to give the public and industry a better understanding of the threat. I understand the need for secrecy, but I also suspect there is plenty of historical information that can be declassified. The intelligence community is already heading in that direction by declassifying a lot more information. I’m often amazed by the amount of data that is available but also disappointed that the mainstream media fails to report on a lot of it.

As I drove home to Durango from Colorado Springs, a quote by Winston Churchill came to mind and summarized my views on where the military and intelligence community stands on defeating the cyber threat these days.  At the start of World War II, Britain had suffered a string of defeats from Dunkirk to Singapore.  Finally, in November 1942, British Forces turned back Rommel’s forces at El Alamein, in what Churchill called “The Battle of Egypt.” Speaking before Parliament he said: “Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”

 

Author

Gail Harris

Gail Harris’ 28 year career in intelligence included hands-on leadership during every major conflict from the Cold War to El Salvador to Desert Storm to Kosovo and at the forefront of one of the Department of Defense’s newest challenges, Cyber Warfare. A Senior Fellow for The Truman National Security Project, her memoir, A Woman’s War, published by Scarecrow Press is available on Amazon.com.