DOD's 2023 cyber strategy — what we know and what we need
COMMENTARY | Russia's invasion of Ukraine has provided us a blueprint for what modern warfare will look like for the foreseeable future — and the role cybersecurity plays on offense and on defense.
The Defense Department's classified cybersecurity strategy was released to Congress this May. An unclassified summary is still in the works, but an unclassified fact sheet notes that the unfolding events in Ukraine are a key component of the Pentagon's plans for proactively disrupting malicious cyber activity before it hits U.S.-based networks – the "defend forward" strategy in place since 2018.
A key component of the strategy is an approach called "Defend the Nation," which states that the Department will campaign in and through cyberspace to generate insights about malicious cyber actors, as well as aggressively counterattack in the cyber realm to disrupt and degrade these actors' capabilities and supporting ecosystems. Additionally, DOD will work with its interagency partners to improve the cyber resilience of U.S. critical infrastructure and to counter threats to military readiness. This part of the strategy is foundational and it will take public and private sector leaders working together to fight off the day-to-day probing and assault on our networks.
U.S. Cyber Command is getting more authority over its own budget to execute on these strategies — beginning in fiscal year 2024 the command's spending authority jumps from $75 million to $3.2 billion, allowing for the creation of internal acquisition programs aligned to the department's cyber strategy.
In March, U.S. Cybercom commander Gen. Paul Nakasone told Congress that enhanced budgetary control "gives USCYBERCOM the ability to directly allocate resources for greater efficiencies during the department's programming phase, and make sure they remain aligned with priorities through execution."
One element that's not explicitly spelled out is that our government will also need to ensure the best technologies are integrated in a vendor-in-depth approach — the idea being that if one technology vendor misses a cyberattack or instance of malware, another will catch it. While putting all your eggs in one basket is simpler to manage, having multiple solutions integrated with one another significantly strengthens our defense. As stated in the 2023 National Cybersecurity Strategy, "the American people must have confidence in the availability and resilience of this infrastructure and the essential services it provides."
Effects on industry
Cyber Command's enhanced budget authority will not immediately change how money is spent in the near term. According to Michael Clark, previous director for cyber acquisition and technology at Cyber Command, the department doesn't want to "break good." However, the cybersecurity industry should be cognizant that offices will report up to Cyber Command as opposed to their service-specific program executive offices or chains of command moving forward. With the purse-holder now changing, that will require new relationships and office engagements.
Cyber Command also continues an active industry engagement effort through programs like Under Advisement, where it establishes intel exchange relationships with cybersecurity-focused industry partners. Additionally, a highly successful activity with U.S. allies and partners continues in the form of hunt-forward operations, which involve physically sending defensively oriented cyber protection teams from U.S. Cyber Command's Cyber National Mission Force to foreign nations, at their invitation, to look for malicious activity on their networks. These activities build foreign nation-state relationships, identify malicious cyber actor tactics, techniques, and procedures, and ultimately improve our national cyber defense posture.
Securing networks and infrastructure
There are two main growth areas that will be paramount for robust security for our networks and infrastructure.
First, we need more talent. This has been an ongoing issue that our industry has tried to solve but has struggled to get ahead of as attacks increase in sophistication and frequency. Even before the establishment of U.S. Cyber Command, our nation recognized the need for highly skilled, motivated, and patriotic cyber forces.
Secondly, to secure infrastructure, we need to maintain basic cyber hygiene on our networks. Cyber Command and the Department of Homeland Security continue to build relationships across critical sectors needed to secure our networks and infrastructure. Efforts include DHS' Joint Cyber Defense Collaboration and NSA's Cybersecurity Collaboration Center. While these collaborative efforts are essential, the fundamental means of exploitation still resides in the failure to meet cyber hygiene minimums. For example, we must know every endpoint/device on the network, fully patch systems immediately, require/manage multi-factor authentication and complex passwords, continually review users/groups, and be prepared to immediately respond to any unique indicator of compromise. Anything short of that opens the door for potential attacks.
Even though the 2023 DOD Cyber Strategy is classified, it's clear which elements will be most important and the areas they need to get right. Russia's invasion of Ukraine has provided us a blueprint for what modern warfare will look like for the foreseeable future, and as such, we need to continue improving our national cyber defense posture to ensure we remain protected.
An influx of funding granted to U.S. Cyber Command this year will reinforce existing capabilities in the short term and open the door to Cyber Command having more control of acquisitions moving forward. That, paired with greater public and private sector collaboration and the necessary fail-safes, is a great step in the right direction. However, we need to continue developing our cyber talent and maintain basic cyber hygiene. If we fail to properly address these two foundational issues, nothing else will matter.