AY 2014-2015

Resourcing the US 2030 Cyber Strategy

LT COL SCOTT A. DICKSON USAF

SEMINAR 19

The Dwight D. Eisenhower School for National Security and Resource Strategy
National Defense University
Fort McNair, Washington, D.C. 20319-5062

The views expressed in this paper are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense or the U.S. Government.


“The end cannot justify the means, for the simple and obvious reason that the means employed determine the nature of the ends produced.” - Aldous Huxley

Strategists must caution themselves against using any and all means necessary to accomplish an end simply due to the importance of the goal. Pursuers should consider the context of the chase, lest more damage and cost result than is saved by capturing the conquest. President Obama’s Executive Order 13636 left no doubt about the Executive Branch’s commitment to a US cyber strategy. However, Congress’s four failed attempts to pass a Cybersecurity Act indicate unclear direction on the context: how and whether to fund a strategy. With America’s national security dependence on cyber and contracting defense budgets, a positive review of the cyber strategy’s means, i.e., “what will likely happen”, will highlight potential resourcing challenges and risks in the strategy and help justify the expense of the means against the pursuit of the ends.

Strategy Summarized

Cyber threats vary: whether state actors using cyber as an asymmetric attack, organized networks conducting cyber crime, or non-state actors threatening cyber Armageddon, all exploit the highly connected, easily accessible, predictable, layered, and digitized nature of the internet. For the first time, the Chinese People’s Liberation Army (PLA) published a document in the summer of 2014 detailing their cyber and network warfare forces and their division of labor across formal operational attack and defense units, PLA authorized forces, and external non-governmental forces.[1] While not revealing a cyber strategy, this document highlighted China’s dedicated cyber manpower resources and their intent to develop a cyber capability to achieve their strategy. In May 2014, the US publicly indicted five People’s Liberation Army officers serving in a cyber unit responsible for stealing trade secrets in the shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and software sectors over the past seven years. Despite China’s denial of the claim, the incident cements China’s credibility in using cyber as a means to pursue its desired ends while also publicly signaling the US’s inability to deter its use.


The proposed US cyber strategy represents a multi-layered strategy to build defensive cyber infrastructure capabilities and deterrence-producing offensive capabilities to promote a future globally-collaborative cyber environment within the FY2030 timeframe (see Table 1). Effective deterrence depends on credible capability, reliable signaling, and perception of intent. In this strategy, credible capability is displayed through adequate monitoring technology and development of robust cyber attack capabilities. Reliable signaling is available through the creation of a cyber coalition, enforcement options detailed within the cyber standards agreement, and step-wise implementation of an emergency isolation plan. Perception of intent rests on shaping enemies’ opinions regarding leadership’s future actions in actual cyber incidents. Enemies must believe their interests are equally at risk if they implement a cyber attack on the US or its allies. All cyber attacks should be dealt with proportionally and not in an escalated manner. Like current US missile defense and nuclear response exercises, visible exercises, such as Cyber Flag 15-1, will demonstrate US resolve. Also, demonstrating future capability to manually isolate networks involving critical national assets demonstrates our ability to operate in a degraded cyber environment and will weaken a state actor’s perception of a cyber attack’s influence.

Primarily, the proposed actions leverage the possibility of non-state actors and cyber criminals to disrupt the cyber domain as a crystallizing agent to solidify a multi-polar coalition of state actors to enforce appropriate cyber behavior. Mutual economic dependence on cyber acts as an incentive for coalition members to not attack each other. The incentive’s effectiveness will depend on how competitive or collaborative the future is and the depth of economic interdependence, i.e. sanctions against one may cause harm to others. The coalition will focus these deterrence actions on all actors outside the coalition.

To achieve the strategy, the US must resource the ways and means in Table 1; the list is not exhaustive, representing only the primary means. While industry has begun initial cyber protection efforts and should be leveraged, funding will be challenging, particularly considering the specified impacts to the military-industrial complex (MIC). These simplified impacts, either additive, neutral, or subtractive, indicate the MIC’s likely assessment of how instituting each means affects its economic bottom line. Although the scope of this paper prevents a full explanation of the analysis, some broad generalities do apply.

The extent of the subtractive means will depend on the US government’s willingness to subsidize the effort. While the neutral means are not intended to overly constrain industries’ freedom of action, actual implementation may drive a more subtractive assessment. From a priority perspective, the coalition, monitoring and encryption technology, monitoring and data security policies, and identification of critical national assets represent the strategy’s lifeblood.

| Ways | Means | Budget Category | MIC Impact |
|---|---|---|---|
| Establish a Cybersecurity Enforcement Coalition focused on securing Cyber for global prosperity | Create “Cyber Partners for Prosperity” (CPfP) like NATO’s Partnership for Peace prgm; Encourage NATO/ITU mbrs to join CPfP | Force Structure | Additive |
| Partner w/DoS to develop a Strategic Partnership Agreement to Define Acceptable Cyber Behavior and Enforcement Responsibilities | Use NATO allies and ITU mbrs who signed agreement to enforce acceptable cyber behavior | Force Structure | Neutral |
| Continue to Minimize Anti-US Terrorist Groups | Continued Funding for War on Terror; Congressional Approval of AUMF | Readiness | Additive |
| Implement Persistent Cyber Situational Awareness/Monitoring Technology to support Attribution | Funding for Cyber Monitoring program; Funding for Cyber Awareness program | Modernize | Additive |
| Leverage w/ Industry to Develop Layered Cyber Defense Strategy to Defend Critical US Data and Assets | Data Security Standards; Certified Data Protection Algorithms; ID of Critical Nat’l Security Data/Assets | Modernize | Subtractive |
| Implement Public Policy Restricting Use of Anonymity Software within United States | Create OSD Cybersecurity Division to coordinate all policy and strategy efforts | Force Structure | Additive |
| Implement Public Policy Requiring Minimum Cyber Protection Mechanisms for US Businesses | Create OSD Cybersecurity Division to coordinate all policy and strategy efforts | Force Structure | Subtractive |
| Continue Cyber Protection Education Efforts with the Public, National Security Professionals and US Companies | Create OSD Cybersecurity Division to coordinate all policy and strategy efforts; Cyberprotection Curriculum | Force Structure, Readiness | Neutral |
| Maintain Resilient and Redundant Storage of Critical National Security Data | Data Security Standards; Certified Data Protection Algorithms | Modernize | Subtractive |
| Develop Robust Cyber Attack Capabilities | Funding for Cyber Attack development & education to DoD (national) & DoJ (domestic) | Modernize | Additive |
| Develop and Maintain Capability to Operate in a Degraded Cyber Environment | Update to cyber acquisition standards; Funding to modernize req’d & unprotected assets | Modernize | Additive |
| Implement Public Policy requiring Manual or Isolated Networked Capability of Critical National Assets | Funding/strategy to modify critical energy assets (energy, financial, space, water, etc.); Map of critical assets and their network | Modernize | Subtractive |
| Create Emergency Isolation Plan and Develop Necessary Capabilities | Map energy assets to req’d nat’l security assets; Funding of pgrm to modify req’d assets | Modernize | Neutral |
| Partner w/ DoS, DoJ, & DHS to Build Positive US Public Opinion Behind Required US Privacy and Monitoring Policies | US Privacy Policies; US Monitoring Policies | N/A | Neutral |

Table 1: US 2030 Cyber Strategy: Ways, Means, Categories and Military-Industrial Complex (MIC) Impact

Resourcing of each means draws from an associated major budget category (Modernize, Force Structure, and Readiness) as listed in Table 1 and should be accurately reflected in any Programming, Planning, Budget, and Execution activities. As a new and emerging national security concern, the strategy relies heavily on Modernization efforts, i.e. acquisition dollars, rather than Force Structure, i.e. personnel, or Readiness, i.e. operations and maintenance dollars. More importantly, each means requires a certain level of acquiring products and services, coordinating support from the military-industrial complex, and/or partnering with national and global allies. A survey of each resourcing method to fulfill these means and their impact on the associated budget category will highlight inherent challenges facing the implementation of the strategy.

Acquiring and Sustaining

For fifty percent of the strategy’s ways, the US must modernize by acquiring new cyber products or services, running the gamut from developing DoD cyber attack capabilities to providing relevant government agencies with cyber awareness and cyber monitoring tools to improving cyber robustness in existing government infrastructure technology. To ensure expeditious resourcing of the strategy’s means, the DoD needs to carefully consider whether to source a product or service, lead-turn needed cyber documentation in the JCIDS process, and/or enlist combatant commander assistance to shorten the long lead times of the Defense Acquisition System. Predicting each choice’s likely outcome will allow US policy makers to use a positive approach to mitigate strategy obstacles and reduce enactment delay.

Initially, policy makers need to determine whether a product or service best fulfills the purpose, responsiveness, and persistence of each means. Product solutions deliver permanent government-owned capabilities to the warfighter’s specification, yet require longer requirement definition and development timelines and associated long-term sustainment costs. For service solutions, the government relies on industry to develop, own, and manage the capability and sustainment while preserving the ability to terminate the capability rapidly. With the US’ national dependence on cyber, an investment in permanent product solutions for cyber attack, cyber awareness, cyber monitoring, and critical infrastructure protection seems appropriate. On the other hand, for standards’ creation, enforcement, and cyber protection certification, a service solution allows the government to rapidly generate initial capability and quickly disband the capability as needed.

Procuring product solutions will require strategic navigation of the JCIDS process and the Joint Requirements Oversight Council, since CJCSI 5123F charges the JROC, among other duties, with reviewing “the estimated level of resources required in the fulfillment of each joint military requirement and ensuring the total cost of such resources is consistent with the level of priority.”[2] Unfortunately, except for Information Assurance considerations and requirements established by the Clinger-Cohen Compliance Act, the JCIDS process does not yet include cyber requirements to provide the JROC sufficient information to weigh the benefit of the product against its total costs. The lack of this relevant information will ultimately slow down the approval of cyber products. To weigh the current cyber strategy products and any future products against priorities, the JCIDS process will need to eventually consider cyber requirements similar to those listed in Table 2. For example, the creation of cyber metrics as part of each product’s Cyber Defense Strategy will allow policy makers to assess the DoD’s overall cyber readiness. Possible metrics include: Cyber Resiliency (the probability of continued mission operation after a cyber attack), Cyber Sustainability (the number of identified cyber vulnerabilities in the Software Supply Chain), Cyber Vulnerability (the number of “questionable” suppliers in the hardware supply chain), and Cyber Detection (the probability of detecting a cyber attack against a system). Consideration will need to be given to metrics duplicated in the Clinger-Cohen Compliance Act. By choosing to address these requirements upfront in initial cyber product documentation, the JROC and its associated staffs should expedite approval of cyber product acquisition and challenge DoD acquisition professionals to add these requirements to future versions of DODI 5000.2 to ensure all future cyber products conform to the DoD’s cyber strategy.

JCIDS Improvement

- Implement a “Cyber” KPP, raising the importance of Cyber to the appropriate level
- Require a Cyber Defense Strategy as a 5000.2 requirement to be submitted at the MS A decision and updated at each recurring MS decision
- Require a program’s System Engineering Plan to explain how the design process verifies Cyber Defense
- Require each program’s Life Cycle Sustainment Plan to explain how Cyber Defense will be maintained and certified through the program’s sustainment phase
- Institute an IOT&E requirement, similar to Live Fire Testing, which requires Cyber Penetration Red-Teaming on all software and hardware programs. Define the extent of a program’s planned Cyber Penetration Red-Teaming approved in the TEMP
- Institute a set of cyber metrics which will be defined as part of each Cyber program’s Cyber Defense Strategy and updated annually in DAMIR

Table 2: JCIDS Process Improvements for Cyber

Additionally, the Defense Acquisition System (DAS) has historically delivered products late, over-cost, and at decreased performance. In 2008, the Government Accountability Office reviewed 96 DoD programs against original estimates and concluded 42 percent cost growth in research and development, 25 percent growth in Total Acquisition Cost, and a 22-month average schedule delay.[3] The milestone-driven schedule of the DAS conflicts with the calendar-driven schedule of the Programming, Planning, Budgeting, and Execution (PPB&E) process, yielding some of these delays. Other delays result from a focus on “procedures dominating production, equity ruling over efficiency, and top executives as short timers.”[4] With a pressing national need for a cyber strategy, cyber strategists will enlist combatant commanders to designate cyber products as Urgent Operational Needs (UON), routing these products’ approval through the Warfighter Senior Integration Group (SIG) for eventual fielding within a 2-year timeline.[5] Since UONs are intended only for products requiring minimal development to meet the short 2-year timeline, some products will need to utilize the more robust JCIDS process. Further, with the US’ enduring dependence on cyber in the digital age, the DoD should consider the historical sustainability of products developed via the UON process vice the JCIDS, i.e. the abandonment of Mine-Resistant Ambush Vehicles due to a lack of sustainment capabilities. By strategically considering the best path through the DAS, adequate cyber documentation for the JCIDS process, and the right balance of products and services, DoD policy makers will adopt a more positive approach to acquiring cyber means.

Coordinating

To resource the cyber strategy, DoD policy makers will need to coordinate through all elements of the iron triangle: the interagency executive bureaucracy, industry and its associated interest groups, and the legislative Congress. Efforts for coordinating acquisition products and services will differ from other policy measures, such as developing cyber standards of behavior with the DoS, building public opinion on privacy and monitoring, or establishing minimum protection mechanisms with industry. However, each coordination effort shares similar challenges in solidifying the iron triangle support around the cyber strategy. Specifically, DoD policymakers must overcome rent-seeking industrialists, “bootlegger and baptist” congressional members, and the principal-agent problem inherent in the Executive branch to realize the cyber strategy.

In the zero-sum nature of the interagency environment, a new strategy must contend with impacts from the fundamental principal-agent problem where the agent, due to competing internal interests, may not accurately represent the principal’s interests. Initially, even if no conflicts exist, the perception from the principal-agent problem casts doubt on the true motivation of the strategy, potentially hindering coordination. Eventually, once the strategy gains leadership acceptance and process momentum, ulterior interests may develop, perpetuating the principal-agent problem anew. While the President’s EO 13636 solidified importance and ownership of different cyber aspects across the interagency, each agency will interpret the President’s interests differently for its own benefit, potentially creating conflicting interests and priorities. For example, DoJ and DHS may seek tighter cyber standards and enforcement authority for their mission accomplishment while the DoS may desire lighter standards and enforcement to ease diplomacy. Across the Executive branch, DoD strategic leaders will need to combat these principal-agent dynamics, leveraging each internal agency’s self-interests, as appropriate, to enact the strategy.


To tighten the triangle with the Legislative branch, DoD strategic leaders will need to identify supporting “bootleggers and baptists” within Congress, primarily to secure funding from congressional appropriators and enact policy support from authorizers. Failed attempts at a Cybersecurity Act demonstrate a lack of congressional majority on cyber issues, which heightens the importance of this coordination on successful implementation of the strategy. Despite the intent of the selfish bootleggers or the righteous baptists, the national importance of cyber defense may form common ground between camps and draw others to the bandwagon. With cyber attacks on Sony Pictures Entertainment over the film “The Interview” and multiple versions of ransomware rampant over the past six months,[6] US public awareness of cyber attacks has never been higher. Voter awareness and concern should resonate positively with congressional members.

Energizing industry to support the cyber strategy could prove to be the most challenging of iron triangle hurdles as most of the means require industry investment. The development of cyber products or services will appeal to the rent-seeking nature of industry, providing another revenue stream to the MIC. At the same time, with the perception of cyber governance as a public good, industry may resist providing internal investment to meet nationally-mandated cyber protection standards or upgrade critical infrastructure. Hopefully, “whereas genuine free riding temptations pose only modest risks to cyber security governance, weak cyber defences create significant externalities and can therefore be understood as a global public bad. What may be required to improve this state of affairs is a future regime that combines ‘sticks’ and ‘carrots’ and, thus, changes state incentives.”[7] Cyber policies requiring companies to conform to the new standards to maintain eligibility for government contracts may incentivize industries which rely on large government market revenues. Ultimately, with a strategy cornerstone of monitoring and cyber accountability, DoD leaders should expect privacy interest groups to strongly counter any attempts to strengthen the iron triangle around the strategy. DoD policy makers will need to ensure proper messaging and maintain constant coordination with this corner of the triangle for success.


Partnering

With the global connectedness of cyber, DoD strategic leaders must develop partners…nationally and internationally, institutionally and individually…to succeed. To create the proposed Cyber Enforcement Coalition, the DoD, with the DoS, must enlist help from NATO, anti-terrorism allies, and like-minded friends within the International Telecommunication Union (ITU). Ideally, a strong coalition contains both industrial and international partners, providing economic and geopolitical benefits through dialogue to its members. For nations without obvious reasons for partnership, the US could provide access to cyber security assistance programs, offering cyber protection capability in exchange for support. If implemented, US policy makers must set proper export control boundaries to incentivize international and industrial support while protecting the technological advantages on which the strategy rests.

Besides traditional institutions like the ITU, DoD strategic leaders need to partner with cyber institutions with national and international presence, such as Twitter and Facebook, whose transactions benefit from a stable and secure cyber domain. DoD leaders must emphasize accountability over attribution lest the institutions steer clear of assisting. Facebook’s recent policy regarding community standards and terrorism demonstrates the partnerships’ possibilities. “The community standards now state that any ‘expressions of support’ for groups involved in ‘terrorist activity’ — or even for those groups’ leaders — are prohibited. Facebook does not name the groups, though it and Twitter have been under pressure from EU leaders and others to censor the propaganda and recruiting tools of the Islamic State in Iraq and the Levant (ISIL).”[8] Like the terrorism campaign, an aggressive and comprehensive cyber campaign will build global unity of effort and ultimately empower institutions to directly and indirectly influence the global cyber culture in ways the DoD could not accomplish alone.

To further resource the means, DoD strategic leaders must develop partners at the individual level, countering micro-politics by continuing cyber protection education efforts with the public. For example, the Air Force Association and Northrop Grumman sponsored this year’s CyberPatriot competition, for the seventh season, where more than 2,100 student teams from across the United States, Canada, and Defense Department dependent schools in Europe and the Pacific compete in finding and defending cyber vulnerabilities for scholarships.[9] Besides raising cyber awareness within the students, parents, and their communities, this activity inspires youth into pursuing cyber and STEM-related degrees and professions, improving the US cyber industry’s future innovative capability.

Conclusion

Throughout the resourcing process, active awareness of the iron triangle by DoD strategic leaders on managing strategy coherence within the executive bureaucracy, micro-politics across US public and interest groups, and competing interests within the Congress will eventually instill a cyber national culture and ease resourcing of the strategy. Leading globally requires partnering widely and the connectedness of cyber demands the US foster a global awareness. This awareness will justify the means to the ends and ensure the means don’t change the ends in the process. While experts argue whether the digital age began in the 1950s with transistors or the Internet in the 1990s, the inclusion of a realistic and effective cyber strategy into the national security portfolio is years late. With sufficient resourcing, a generation of US DoD strategic leaders, born at the digital dawn and raised by the Google network, will innovatively and rapidly develop, acquire, and produce the means to close the gap.

[1] Marc V. Schanz. “PLA Strategy Now Openly Touts Cyber Forces.” Air Force Magazine Daily Report, March 13, 2015.
[2] Mary Redshaw. “Choosing Strategic Capabilities.” National Defense University, Course DSR 2-5. Slide 9.
[3] GAO. “Charting a Course for Lasting Reform.” 2008. Accessed on March 18, 2015. Available at http://www.gao.gov/new.items/d09663t.pdf.
[4] Mary Redshaw. “Defense Acquisition System.” National Defense University, Course 2-10. Slide 21.
[5] DoD. “Rapid Fulfillment of Combatant Commander Urgent Operational Needs.” DoD Directive 5000.71. August 24, 2012. Accessed on March 18, 2015. Available at http://www.dtic.mil/whs/directives/corres/pdf/500071p.pdf
[6] Lucian Constantin. “Ransomware authors streamline attacks, infections rise”. February 10, 2015. Accessed on March 19, 2015. Available at http://www.pcworld.com/article/2882532/ransomware-authors-streamline-attacks-infections-rise.html.
[7] Mischa Hansel. “Cyber Security Governance and the Theory of Public Goods”. June 27, 2013. Accessed on March 21, 2015. Available at http://www.e-ir.info/2013/06/27/cyber-security-governance-and-the-theory-of-public-goods/.
[8] Michael Pizzi. “Facebook clarifies, confuses with new content rules”. March 16, 2015. Accessed on March 19, 2015. Available at http://america.aljazeera.com/articles/2015/3/16/facebook-clarifies-confuses-with-new-content-rules.html
[9] Air Force Magazine Daily Report. “CyberPatriot VII Winners Announced.” March 17, 2015.