How military strategy can improve cyber response
Cyberattacks will occur. Preparation is the key -- and civilian agencies could take a cue from the military’s sustained readiness model.
There is no doubt that the importance of being prepared for, and recovering from, cyberattacks has dramatically increased in recent years. We've seen that momentum continue in the most recent budget request from the White House, in which President Barack Obama asked for $19 billion for cybersecurity -- a 35 percent increase from last year. That request provides an aggressive backdrop for government agencies to rethink their approach to cybersecurity.
The budget increase aims to further combat the constantly evolving internal and external adversarial threats that in many instances are outpacing even the most well-defined and executed cybersecurity strategy.
As malicious technology advances, the military and federal civilian agencies alike need to be prepared for a cyberattack when it comes. Civilian agencies should look to military readiness planning to structure their responses to cyber incidents so they can mitigate risks and protect mission-critical assets.
An agency's ability to effectively recover from an attack takes preparation and practice. A key challenge is sustaining cyber resilience in the face of constant change. Many agencies face change on a daily basis -- new users, devices, applications and processes. If security controls are not adjusted to keep pace, agencies face vulnerabilities that could leave them exposed for days, months or even years.
Consider how the Navy responds to change. When a ship is getting ready to deploy overseas, it first goes through a maintenance overhaul. During that time, the crew and leaders often rotate, combat systems are replaced or upgraded, and tactics are adjusted to meet evolving threats and missions.
The military readiness approach assumes that change occurs across all those areas and adjusts resourcing and training plans to account for that change. It is a sustained readiness model.
Cybersecurity is now vital to accomplish mission objectives, which means agencies should consider instituting a culture of cybersecurity rather than rely on technology to support control or compliance issues. Until that culture shift happens, cybersecurity might be a challenge from a budget perspective.
In an effort to address the budget challenges and enhance their cybersecurity posture, some agencies have realigned their technology and cybersecurity objectives to match the agencies' mission directives.
Once the cybersecurity culture takes hold, however, a cybersecurity flaw in a mission-critical application will prompt leaders to request additional protection. More important, improving security is not merely about spending more money or buying the latest security tools. Many agencies can improve security by instilling better discipline in basic areas, such as ensuring employees have access only to the areas they need or through data classification/segmentation. Security can be bolstered by various simple actions, such as knowing where sensitive data resides inside and outside the agency and streamlining controls around access to the data.
By relying on the military readiness model, agencies could build resilience from the ground up and then sustain those target resilience levels in the face of perpetual change. As in the military, an effective, sustained resilience plan allows an agency to put a wedge in the budget that acknowledges that constant change upfront. Furthermore, having the proper resources in place in advance could give an agency the ability to be proactive versus reactive in the face of a cyber adversary.
In 2013, in response to a cyber breach, the Navy executed Operation Rolling Tide, a plan to remove an adversary from the Navy's unclassified network and then secure the network from further penetration. Officials applied the same operational planning principles used to defend ships at sea. Key elements included establishing clear command and control, defining roles and responsibilities, synchronizing network operator and defender activities, and developing an effective strategic communications plan, both internally and externally.
Simple, flexible and distributed plans were critical to providing guidance to responsible parties throughout the organization. Those tenets are useful not only in the military but at any agency.
Wargaming is another way to build that resilience. Cyber wargaming exercises immerse participants in a simulated cyberattack scenario and give agencies the chance to test their response plans, identify capability gaps and develop advanced preparedness techniques. Cyber incident response might be unfamiliar terrain, and it often requires orchestration among departments that normally have little direct interaction. Wargaming establishes a response foundation by promoting familiarity with the people and tasks that arise during a crisis.
One of the more comprehensive cybersecurity simulations ever conducted, named Quantum Dawn 2, tested the crisis readiness of multiple financial institutions, the Treasury Department, the Securities and Exchange Commission and the industry as a whole. The test involved a series of simulated systemic attacks that attempted to disrupt trading in the U.S. equities markets. The goal was to develop an understanding of the operational readiness of the industry to function after an attack.
Participants observing the simulation in New York, Chicago and Washington, D.C., pinpointed several areas for improvement, including the industry's crisis management playbook and coordination among market participants, industry groups and government agencies. At the same time, the exercise enhanced the financial services industry's readiness to respond to an incident and its crisis management capabilities.
To be resilient after a cyber incident, agencies need a big-picture view that typically includes a crisis management plan involving IT leaders and decision-makers from the legal, risk management, human resources, finance, communications and marketing functions. It usually necessitates a playbook across those functions that is designed to consider how threat scenarios might affect critical assets and processes.
By incorporating military readiness planning, agencies can effectively create a winning playbook and be ready to respond to any and all incoming cyberattacks.