Cyber Defense Review

Personal Lessons about Effective Cyber Policies and Strategies

By MG (Ret) John Davis | October 30, 2015

I recently retired from active duty after a 35-year career in the U.S. military, the past decade of which has been devoted to the sometimes mysterious cyber world. I would like to offer some insight into the personal lessons that I’ve learned during my experience helping stand up U.S. Cyber Command and while working cyber policies and strategies at the Pentagon. Although I’ve learned many lessons, the three that I’ve chosen to share in this article are, in my view, especially important for leaders in both the public and private sectors … because we are all becoming increasingly connected through modern information technology. This means we all share in the exploding opportunities as well as the escalating risks. Below are my top three lessons; in the paragraphs that follow I will add more context to help both government and industry leaders understand why all sectors of society should care about these key points:

  1. Strong teamwork and effective partnerships are essential to cybersecurity success.
  2. The world is changing dramatically and so too must the balance between opportunity and risk in the information technology decision-making environment.
  3. As more nation-state militaries become involved in cyber operations, we must shine further light on what they are doing and why, in order to set accurate expectations and prevent mistakes.

Lesson number one is about a real need for teamwork and effective partnerships. If I had to come up with a motto for this lesson it would be, “Make friends … lots of friends … you’re going to need them!” If you think you can go it alone in the cybersecurity business, think again. Many different organizations, both public and private, have critical roles and responsibilities in the cybersecurity environment, but no single organization has all the skills, talent, resources, capabilities, capacity or authority to act effectively in isolation. It truly does take a team approach and strong partnerships to operate effectively. However, creating trusted, credible partnerships requires a significant dedication of time and energy from the leadership of an organization. It doesn’t happen overnight and must be continuously cultivated. I spent the biggest portion of my personal time as a cyber leader building teams and strengthening professional relationships with leaders of other organizations who played an important role in our shared objectives. I also invested a considerable amount of time trying to reduce the inevitable bureaucratic friction that periodically pops up in the form of “turf battles,” drawing on the trust that comes from strong personal leadership bonds developed carefully over time. These turf battles usually arose because the relatively new term “cyber” crosses so many legacy boundaries. In fact, it’s hard to find an organization these days that doesn’t think it has a key role to play when it comes to cyber. Sometimes this causes a clash of roles, responsibilities, and equities. Good leaders figure out ways to navigate these rough waters.

So how does a leader develop and cultivate credibility and trusted relationships? In my experience there is no single answer, but one of the most important aspects of building trust and credibility involves the development of shared goals and objectives and making progress toward them. Every leader of every organization involved has to see not only what’s in it for themselves and their own organizational interests (often a competitive, win/lose view) but how the achievement of the larger outcome will contribute to what’s best for the collective effort while not significantly eroding internal interests (often a cooperative, win/win view). This is not easy to achieve, it takes long-term commitment, and the development of personal leader-to-leader bonds based on honesty and compassion can help significantly. I use the term compassion very deliberately. In my experience, an effective leader in a partnership must be able to see and feel things from the other leaders’ views and interests. However, that doesn’t mean you always have to agree. This is where honesty plays an important role, and as long as it is accompanied by genuine respect, I have found that respectful disagreements can sometimes even strengthen the partnership.

During my time in the Department of Defense (DoD), we strove to build partnerships using four categories, which I sometimes referred to as the four “I’s”:

The first category was “internal” to the Department. If you want to be an effective member of any team and not sit out the game on the bench, you have to first build credible capabilities internal to your own organization. In an organization as large and diverse as DoD, that meant creating a joint culture that provided the Army, Navy, Air Force, Marine Corps and dozens of other DoD agencies and unified commands with enough flexibility to address their individual, unique operational requirements while at the same time recognizing a climate of shared operational opportunities and risks. Establishing common joint operational objectives was essential to keeping teamwork strong across traditionally competitive barriers. In an environment of diminishing resources it also just plain made sense to reduce redundancy, eliminate waste, and allow everyone to share in a best-of-breed dynamic. The considerable effort required to build our internal team was best memorialized in DoD’s initial 2011 strategy for operating in cyberspace. This original strategy was recently updated in a new DoD Cyber Strategy, which was unveiled publicly by Secretary of Defense Ash Carter at Stanford University in April 2015. Beyond these strategies, an implementation process was put in place to routinely bring the broader team together, review progress, and identify issues to be resolved. This process produced recommendations for senior DoD leaders to make decisions and move forward in tangible ways to achieve strategic goals and objectives.

The second category was the cross-governmental partnership known as the “interagency.” U.S. cyber policy and approach require a whole-of-government effort to be effective. That policy operates under several different types of oversight: policy, operational, legal, and in most cases even congressional oversight. This oversight shapes the way we organize, train and equip forces to perform DoD’s cyber role, but within the context of a much broader team approach. It also shapes the way we impose policy limitations on our military cyber forces and capabilities. However, while it restricts the military role, this kind of approach actually provides a much broader range of options across all elements of national power for national leadership decision making. Military options are simply one part of a much larger and more comprehensive cyber approach.

The third category deals with “international” partnerships. Cybersecurity requires effective international partnerships focused on working together toward common goals and objectives. It also requires a great deal of respect for cultural differences, and finding credible ways of accommodating them in the development of common goals and objectives. DoD leadership has made a concerted effort to build partnerships with a growing array of nations outside of our traditional allies in NATO, Australia, and New Zealand … particularly with Middle East and Asia-Pacific countries. In order to fulfill our international defense obligations, we must rely on critical information technology infrastructure that we do not directly control. In order to understand what is happening in the cyber environment and support DoD’s joint mission, we have to establish close international relationships. It is also worth noting that when DoD brings these international partnership forums together, we encourage not only our counterpart Ministry of Defense players to participate, but also recommend a whole-of-government approach from our partner nations. We do so in order to share our lessons in dealing with challenges not only within DoD, but also across our own various U.S. government and industry partners.

The fourth and last category has to do with “industry” teamwork and partnerships. In my view, this is the most important of all partnerships because industry owns and operates the vast majority of the world-wide information technology environment. This partnership is sometimes the most complex. In the DoD, as in just about every other U.S. government agency, we rely on numerous critical nodes of the information technology environment that we do not directly control in order to perform our vital national security mission. This requires effective partnerships with industry involving critical infrastructure cybersecurity standards for protection and defense, and information sharing about threat indications, warning, events, and incidents, as well as our own vulnerabilities and effective response actions. We have taken a voluntary approach to these various aspects of our industry partnership. Further collaboration and development are necessary to accomplish fully effective and comprehensive information sharing and adherence to a higher security posture. We have not yet solved that problem in the U.S., but we are making progress in developing information sharing mechanisms and cybersecurity standards, and promoting them through strong, expanding voluntary partnerships as well as the sharing of best practices.

As one can see, we have been casting an ever-widening net to build and strengthen partnerships, not only across the various organizations within DoD, but also by reaching out to key members of the interagency, international, and industry teams. This has been a very deliberate part of DoD’s policy and strategy because without effective teamwork and trusted partnerships, we know it is impossible to achieve success. You simply cannot go it alone in the cybersecurity business unless you want to lose spectacularly.

Lesson number two focuses on the changing balance between opportunity and risk. If I had to come up with a motto for this lesson it would be, “It’s not if, but when!” Cybersecurity challenges will intensify, and our decision making process must adapt. Our exploding reliance on information technology for all that we do in today’s environment stands in stark contrast to the inadequacy of the security of that environment. Traditionally, technology has been driven by opportunity, while security and risk management have always chased from behind, trying to catch up. Some have said that for the longest time opportunity has been “baked into” our information technology environment, while security is “bolted on” afterwards. In my experience, I believe this large imbalance between opportunity and risk is changing. It is changing slowly and unevenly, but I believe it is changing … in no small measure due to the alarm bell that the national security community has been ringing about the growing cyber threat for the past several years. Getting a better balance, so that security is woven into the fabric at the core of every IT project, is important because of what’s at stake.

On one end of the spectrum is the need for an open, secure, and reliable internet. This end of the spectrum also includes the need for establishing responsible norms of internet behavior. It includes the need to protect freedom of expression, personal privacy and civil liberties as well. Finally, one of the most important factors underpinning the opportunity end of the balance is the need to drive economic innovation. These have been and always will be fundamental to our values and way of life as Americans, and it is very much the same with many of our international partners.

On the other end of the spectrum is a threat that is growing in scope and sophistication, and it is not just hacktivism, criminal activity, and espionage. This growing threat has now moved into the realm of disruptive activities, sabotage, intimidation, threat of violence, and even destruction of both information and the associated systems and networks that can support critical infrastructure. This end of the spectrum needs everyone’s attention, because in my view lives are at stake, and our national and economic security posture is at risk if we don’t achieve a better balance than the one we choose to live with today.

Let’s face it, we make it too easy for a wide range of threats in the cyber landscape to compromise our computing environment. We inadequately protect and defend our intellectual property and much of our critical national infrastructure. We do even less to protect our personal information as individuals. We are simply not as careful about scrutinizing who’s knocking on our electronic front door as we are about who’s knocking on the actual front door to our house or business. I remember a time as a kid when we left our front door unlocked at night and left the keys in the car. Time and culture have changed all that, and perhaps we should consider a similar change to the way we implement some basic standards and discipline for our online behavior based on today’s changing cyber threat landscape.

This points to what I consider a very important aspect of the shifting balance between opportunity and risk, and that’s the human dynamic. While there’s no doubt that cybersecurity, and cyber operations in general, are technically oriented activities, we should never forget the human dimension to the cyber environment. There’s a human brain behind the development of every piece of malicious software or delivery technique, just as there is a human hand on every keyboard executing decisions. In my personal experience, the bulk of our cybersecurity challenges are not on the technical side, though there is a very important place for technical solutions that I will address in a moment. The bulk of our cyber problems can be traced to human issues: basic standards of conduct, discipline, and accountability. As an organizational issue, this is also a leadership challenge (or as we like to say in the military, this is Commanders’ business). As a result of recent cyberattacks in the private sector directed at Target, Neiman Marcus, Anthem, Home Depot, etc., this is becoming a Boardroom issue rather than something left to the sole purview of the IT staff or the Information Security Officer.

In fact, I cannot think of a single cyber incident or event in which I have personally been involved over the past decade with DoD which was not primarily the result of a human deficiency in standards, discipline and accountability. Several key examples come to mind. First there was the 2008 malicious software infection of DoD’s classified networks, caused by the insertion of infected thumb drives by elements of our own forces because of the need to move information quickly against the terrorist and insurgent threats in Iraq and Afghanistan. Then a little over three years ago there was a damaging penetration of the unclassified Navy Marine Corps Intranet (NMCI) by a cyber threat because a simple patch had not been applied, allowing a relatively unsophisticated Structured Query Language (SQL) injection technique to successfully penetrate a “hole” and spread, putting the entire system at risk. Finally, we had the Joint Chiefs unclassified email system breach over this past summer, caused by a clever spear phishing technique and one of our own “users” not carefully checking to see who was at the electronic front door. These examples don’t even include the most serious incidents of all … the WikiLeaks breach and the Snowden disclosures, which we classify as “insider” threats … another human dimension problem.

As I mentioned earlier, there is definitely a place for technology on the risk side of the spectrum just as it certainly drives the opportunity end. Technology must be part of a comprehensive approach that includes indications and warning for threats, cyber threat prevention-minded and layered defenses, resilience (and you MUST plan for breach – it is inevitable, but can be acceptably mitigated with solid planning and routine rehearsals), and response options (but most responses must come from government because of laws and authorities). However, technology is just one component, as are policies, people and processes. In my view, the most important part of the comprehensive approach is getting the human dimension right with better standards of conduct, discipline and accountability. This is the leader’s task.

How does a leader get people in the organization to care about this? In my experience, there are no magic solutions. It takes a combination of education, making cyber issues more personal and closer to home, and training people in the organization to detect and assess the risks against other competing interests. It also takes a willingness to establish and enforce real consequences for unacceptable behavior. This takes creativity and ingenuity, instead of an unrealistic, extremist regime that can undermine morale, affect productivity and result in a counterproductive environment.

Once a leader gets the human dimension right, and creates an organizational culture of strong standards and discipline, enforced accountability will follow. In my experience, the result is that any organization can use improved standards and discipline to wipe 80% of the “noise from the radar screen” and focus the rest of the comprehensive approach on the 20% of the challenge that counts. This includes prioritizing application of the most sophisticated technology solutions for threat indications and warning, prevention and protection, and resilience and recovery to support what is most important to the organization’s success (in military terminology that means the mission). A prioritized approach is much more effective than trying to protect and defend everything against all threats (which means that you’re strong nowhere). This kind of comprehensive approach should speak to business leaders just as much as it does to those in government. It allows leaders to balance opportunity and risks using all the tools available to make wise decisions about the allocation of resources and assets while managing risk in ways that protect what’s most important without breaking the bank.

What’s at stake in getting the opportunity/risk balance right? From my perspective U.S. and global infrastructure and key resources are at stake. National security, international stability, and economic viability are also at stake. Public health and welfare interests are also at stake. Public and private sector leaders have to think hard about the balance and make it a priority to get it right and keep it right as things change in a very dynamic information driven world.

Lesson number three is about the need for greater clarity and transparency. If I had to come up with a motto for this lesson it would be, “Don’t expect the cavalry for every problem, so be ready to do your own part!” I believe we need to shine more light on what the world’s militaries are doing in cyber so that we set accurate expectations and avoid a range of dangerous miscalculations. Cyber can be an intimidating term, evoking a mysterious virtual world that has its own terminology, culture, values and norms. I agree with what the former Chairman of the Joint Chiefs, General Dempsey, once said about the need to demystify cyber and speak with much more clarity and transparency as a military and as a nation. There are both principled as well as practical reasons for doing this, so let me explain my personal perspective on why this is so important.

Historically, many of the world’s most sophisticated organizations and capabilities in the cyber arena grew up in the underground. They matured in darkness and anonymity. Political activism, crime and espionage are activities which seek the darkness so they can flourish in the face of governmental efforts (both legitimate and corrupt) to counter them. However, in recent years we’ve witnessed a growing number of nation state militaries, including our own, that are building military cyber forces and capabilities. When you consider the use of uniformed military forces and capabilities in the cyber world, in my view we should shine a bit more light on what they are doing and why they are doing it … including our own U.S. military cyber forces.

Why is that important? It is absolutely critical to reduce uncertainty and mistakes. It is also important to increase stability and control escalation. In the past several years those of us working cyber in national security have witnessed an alarming growth of activities within our nation’s systems and networks, including some of our most sensitive critical infrastructure such as transportation, electricity and power, oil and natural gas, telecommunications, and even our most sensitive military networks. When we see activity that is attributed to sophisticated capabilities, with no explanation of intentions … well, that’s something that keeps national security professionals up at night. This is especially true when the observed activity and capability appear to have nothing at all to do with criminal or espionage intentions, and may be viewed as preparation for something much more serious. Uncertainty is extremely destabilizing, and the chances of misperception and a resulting mistake are unacceptably high.

Clarity and transparency from the U.S. military is also important to interagency, international, and industry partners alike, for practical reasons. We need to be clear about creating accurate expectations for what U.S. military cyber missions are, and just as importantly, are not. As a result of U.S. cyber policy deliberations over the past several years (keeping in mind the notion of teamwork, partnerships and a whole of government approach, which the U.S. cyber policy embodies) the cyber mission has been clarified in the recently published DoD Cyber Strategy. While two of the three DoD cyber missions have always existed and remain constant (defending DoD’s own information networks and combat systems, and providing cyber operational capabilities alongside traditional land, maritime, air and space capabilities to support the contingency plans and operations of our Combatant Commanders), a new military mission has emerged within the context of the broader U.S. government approach. DoD is now responsible for being prepared to defend the nation and its vital interests in all domains, including cyberspace.

What should be clear to our various partners? This new role is not about DoD riding to the rescue of any private sector entity that has a routine, criminal cyber incident, or even one that does not involve serious national security interests. Just as important, this new role is about DoD gaining an exquisite understanding of significant foreign cyber threats: their intentions, operational posture, research and development activities, cyber capabilities, supporting infrastructure, operational activities and potential impact. It is also about being in a position to take action – when authorized by the highest level of national authorities – to counter that cyber threat if it is assessed as going to cause, or already causing, significant consequence. The term “significant consequence” has specific meaning in the form of loss of life, significant disruption or destruction of critical infrastructure, or other significant national or economic security consequences such as adversely impacting a military response or risking economic collapse. It is extremely important for our industry and international partners to understand DoD’s roles and responsibilities, as well as those of other U.S. government agencies, so they can plan their own roles and responsibilities more effectively as part of a collective effort.

During my time working cyber at the Pentagon we made a deliberate decision to clearly explain what we are doing as a U.S. military, why we are doing it, and how we are exercising careful control over what we are doing as a responsible nation. In fact, it may surprise some to know that we included China and Russia in cyber discussions, and I had the opportunity to participate directly with my military counterparts. While more clarity and transparency are needed, especially from the growing array of nations building cyber forces, there is also a need for some balance in the decision about how much transparency is required. After all, when you are in the military you do not want to give away an operational advantage. However, I believe that we do need to talk more openly about what we do, and you are seeing a more open and transparent posture from DoD continuing today. We are setting an example of how a responsible nation’s military acts, and we expect others to follow this example. Another practical benefit of being more clear and transparent is that you can use military cyber capabilities more effectively in a deterrent role by doing so, and I think we are just beginning to tackle that issue within DoD and the U.S. government.

As I mentioned at the start of this article, there are many more lessons that I’ve learned over my tenure in DoD. The three lessons that I share in this article are intended to help leaders in both the public and private sectors focus their attention on those things that I’ve seen make the biggest difference in effective cyber policies and strategies:

  1. Build trust and respect across your organization and with critical external partnerships, and constantly cultivate them with great care and attention.
  2. Prioritize efforts based upon an accurate assessment of today’s risk, but don’t ignore the opportunities that you may encounter. Apply a comprehensive approach (people, processes and technology) with the human dimension as your top priority, and prioritize technology and surgically apply it toward the organization’s most vital functions.
  3. Understand the limited (but vital) role the U.S. military and other government agencies have as part of a collective cybersecurity effort, and the resulting impact on your organizational responsibilities as an effective member of the broader public / private partnership required for us to successfully navigate the cyber environment together.

[1] I acknowledge the assistance of Clif Triplett, Managing Partner at SteelPointe Partners, in the development of this article. Clif is a dear old friend, a 1980 West Point classmate, and a highly successful and well respected leader in the information technology field within industry. I asked Clif to help me articulate my personal lessons in ways that would be most meaningful to leaders in the private sector, and I’m ever grateful for his insight and edits.