war on the rocks

Getting ‘Cyber’ Right for the Department of Defense

“Cyber” is getting a lot of press these days. The problems seem endless, from nuisances, to hacks involving major corporations, to interference in democratic elections, to existential threats to the United States. The Department of Defense is clearly responsible for protecting against some of these threats, but where should the line be drawn? The answer, unfortunately, is unclear.

A good example of differing views on this question is the recent exchange between Sen. John McCain and Kenneth Rapuano, the assistant secretary of defense for homeland defense and global security. McCain believes the Department of Defense should have relatively broad cybersecurity responsibilities while Rapuano thinks its responsibilities should be defined more narrowly. Both gentlemen have valid bases for starkly different perspectives.

For example, Rapuano’s view is statutorily supported by the Posse Comitatus Act that limits the military’s role in domestic security matters. This act originated in 1878 when an overbearing militia could be easily imagined but cyber activities could not. And much more recently, the White House Executive Order on Cybersecurity delineated cybersecurity expectations for the Departments of Homeland Security, Commerce, Treasury, Justice, State, and others beyond the Department of Defense — cybersecurity is not just the Pentagon’s problem.

Yet McCain observes that a primary Defense Department cyber mission is to “defend the nation against cyberattacks of significant consequence” and reasonable people could surely interpret that as protecting critical infrastructure, including political election processes. Why should the Defense Department shun responsibility for this?

We observe that even though the Pentagon has a long way to go to successfully confront its acknowledged cyber challenges, it — with significant help from the intelligence community — has the most capabilities within the executive branch for responding to cyber intrusions or attacks. Thus we propose that the Department of Defense should show the way toward a satisfactory approach that could then be adopted by other government departments and agencies.

Potential Scope of the Problems

Despite Pentagon definitions for cyberspace, cybersecurity, cyberspace operations, cyberspace workforce, and other related terms, its cyber responsibilities appear to be interpreted narrowly sometimes (even within Title 10 of U.S. Code). Narrow definitions naturally lead to narrow scopes of responsibility, reinforcing Rapuano’s perspective.

But even within the Department of Defense, a recent Defense Science Board Task Force offered a broader interpretation of “cyber”, emphasizing that even within the department’s scope, cyber elements include more than just the computer networks but also software and hardware embedded in weapons systems, logistics and human resource systems, and infrastructure systems. A few hypothetical scenarios illustrate the board’s point.

Suppose that one of the Navy’s new Zumwalt-class destroyers, operating with an integrated control system for its engineering plant supporting its navigation and combat systems, became dead-in-the-water and had to be towed to a local port for repair. If, during those months-long repairs, it became evident that the ship was the victim of a sophisticated cyber attack to its engineering plant, what response would be appropriate?

What if during the Army’s attempt to launch a missile during a training event, the missile self-destructed shortly after launch, and a second launch attempt produced the same outcome? Suppose that subsequent investigation could not rule out the possibility that the software that altered the timing of sequential launch events had been infected. What should come next?

What if the military’s logistics system abruptly canceled orders for some critical supplies and rerouted others in the midst of an overseas crisis? What should happen if an investigation discovered that relatively-unsophisticated malware had been introduced into related software used by several key vendors?

These troubling scenarios are compounded because even though they would demand a purposeful response involving the Department of Defense, it isn’t obvious which Pentagon official(s) should lead the response, or more importantly, take the steps to ensure that the attacks are not carried out in the first place. Where should the buck stop?

In the Zumwalt scenario for example, was the problem caused by an operator who failed to follow doctrine or training? Or was there a hardware or software deficiency behind the problem, perhaps a vulnerability that was exploited by an adversary? If so, were maintenance procedures at fault, such as a failure to install the latest software patch? Or was it a systemic vulnerability that testing and evaluation failed to identify? Perhaps the vulnerability wasn’t even tested because the system’s requirements did not stipulate the ability to withstand the problem. If that was the case, why should the program manager, or contractor, have allocated the resources necessary to develop the system for performance above and beyond its stipulated requirements? Could it be that poorly conceived requirements were validated by the Joint Requirements Oversight Council? Given the many years between the establishment of requirements and operational capabilities, the requirements may have been set a decade ago, before cyber vulnerabilities were as well understood as they are today.

But even though those scenarios involve attacks beyond traditional computer networks, they still conform to the Science Board’s relatively broad view of cyber activities. We can offer additional scenarios that transcend that broad view and which would nonetheless affect the Department of Defense to some degree.

For example, what if several deep oil wells operating under U.S. leases in the Gulf of Mexico began to malfunction, causing limited spillage and otherwise becoming inoperable? Suppose that subsequent investigation in the operating software of nearby oil platforms revealed malware designed to cause similar effects? A temporary halt might be placed on all deep-well energy production as the problems are sorted out. Although nominally not a primary concern for the Department of Defense, it still represents an attack on the United States. And as the price for fuel begins to rise, the military must curtail some readiness training and exercises, thus the impact would be felt, perhaps severely.

Or what if a foreign entity were to create several fake (but credible) Facebook profiles for senior national security leaders, enabling it to gain background information on many other defense personnel that “friend” the leaders before the bogus sites are disabled? This would affect the Defense Department, even though it might be a problem that should be solved by law enforcement or perhaps by the private sector.

Or what if a foreign entity posted a damaging “news item” concerning the Pentagon, maybe holding a grain of truth but is otherwise false, and employed auto-generating retransmissions of the news in an attempt to embarrass and distract Pentagon officials?

There are endless scenarios, and the correct answer to the question of where the Department of Defense’s duties lie is probably to demarcate what’s “in” and what’s “out” of its set of responsibilities. The first three scenarios are clearly “in” under existing statutes, while the latter three may represent nuisances or problems for which the department has varying degrees of interest but no overall responsibility to develop or maintain capabilities.

Regardless of the Defense Department’s demarcation, the U.S. government has vested interests in all of these scenarios and therefore the government needs a skilled workforce to address the broad array of concerns. The boundary between the Defense Department’s cyber responsibilities and non-responsibilities might not be as significant if there was an adequate supply of skilled workers for the overall (government and private) cyber workforce, but there will be a shortage of cyber-skilled workers for the foreseeable future. This implies that workers who are engaged outside the Pentagon’s core interests will not generally be available to support those interests.

Implications and Recommendations

We appreciate that the cyber landscape, or perhaps more accurately our understanding of the cyber landscape, has evolved, so we should expect continued evolution of that understanding. But we have identified three fundamental problems here: unclear demarcation of Department of Defense cyber responsibilities, identification of the responsible (Pentagon) cyber officials, and a shortage of skilled cyber workforce competing with non-defense demands. To avoid playing a never-ending game of “catch-up,” there are three steps the secretary of defense can take.

1.     Work to establish the department’s set of cyber responsibilities smartly.

Any potential future cyber event with significant implications for the department should fall within its set of responsibilities. The Pentagon’s current definition of cyberspace appears too narrow, or at least appears to be interpreted too narrowly in practice, to accommodate all potential events, which may be why the Defense Science Board offered its expanded definition of cyber.

We recognize the difficulties in taking responsibility for “everything,” but counter with the argument that everything of concern to the department needs to be unambiguously addressed somewhere. A risk assessment should address which portion of the demand for the cyber workforce can be sacrificed in the short term (while still acknowledging responsibility for it), and alternative technologies, strategies, and policies to mitigate the risk of these shortfalls can be devised. Without a comprehensive examination of the alternatives and exploration of mitigation approaches, the choices will be made implicitly if not deliberately. Explicitly focusing on these choices, with a concomitant risk assessment, should be a high priority for the secretary of defense.

2.     Empower a senior department leader for cyber matters, and hold that person accountable.

If a problem arises such as one of the hypothetical scenarios above for which the Department of Defense bears responsibility, who is the responsible official? Recall the post-mortem discussion for the Zumwalt destroyer vignette. Because finger-pointing could continue for some time, the situation points to the need for a senior official responsible for the entire chain of events, and that responsibility demands significant empowerment.

We think that senior official should be an Under Secretary, recognizing that creating such a position requires congressional approval. Assuming that such an under secretary position was created, this official could also naturally become the principal cyber advisor established by Section 932 of the 2014 National Defense Authorization Act.

3.     Reduce the department’s insatiable demand for cyber workforce talent.

It is almost universally agreed that the cyber workforce demand exceeds the supply of skilled workers. For example, Gen. John Hyten, commander of U.S. Strategic Command, recently opined that “[t]he [cyber workforce] demand signal is going to go nowhere but up and the capacity is not sufficient to meet all of the demand.” Although this assessment acknowledges that the supply of skilled workers is currently insufficient, it does not explicitly recognize that capacity may never catch up.

This presents difficult choices for the Department of Defense because options for reducing the demand are elusive. Automation can (and surely must) help, and there are other risk-shifting approaches, such as requiring vendors to share some of the risk through product warranties, but these options cannot solve the full range of challenges. These and other alternatives for workforce demand reduction should be incorporated in concert with the risk assessment conducted as the department’s set of cyber responsibilities is established.

While it may be tempting to draw the set of responsibilities narrowly, any solution that limits the department’s responsibilities but fails to align them with its broad interests is short-sighted and ultimately self-defeating.

 

Gregory V. Cox joined the Institute for Defense Analyses (IDA) in 2010, following 21 years of service with the Center for Naval Analyses (CNA) where he was a Deputy Division Director. He has directed multiple research projects and has twice received Superior Service awards from the Navy. He is also a recipient of CNA’s annual Phil E. DePoy award for analytic excellence. Priscilla E. Guthrie began her career at TRW where she rose to become a Vice President. Since then she has served as a Deputy Assistant Secretary of Defense (Office of Chief Information Officer), Division Director at IDA (Information Technology and Systems), Intelligence Community Chief Information Officer (Office of Director of National Intelligence), Technical Lead for Cyber Study (U.S. House of Representatives), and Special Command Advisor, (U.S. Cyber Command).

Image: U.S. Air Force/Brett Clashman