October 30, 2015 — I recently retired from active duty after a 35 year career in the U.S. military, the past decade of which has been devoted to the sometimes mysterious cyber world. I would like to offer some insight into the personal lessons that I’ve learned during my experience helping stand up U.S. Cyber Command and while working cyber policies and strategies at the Pentagon. Although I’ve learned many lessons, the three that I’ve chosen to share in this article are, in my view, especially important for leaders in both the public and private sectors … because we are all becoming increasingly connected through modern information technology. This means we all share in the exploding opportunities as well as the escalating risks. Below are my top three lessons and I will attempt to add more context in subsequent paragraphs to help both government and industry leaders understand why all sectors of society should care about these key points:
MORE
|
October 30, 2015 — “Teenage kid hacks into the CIA directors email.” It sounds like a faux headline from a 1980s Matthew Broderick film. In the age of sophisticated Intrusion Detection Systems, and a billion-dollar cybersecurity industrial complex that is present to prevent such absurdities, one would hope that such taglines are only something that a Hollywood writer could drum up. MORE
|
October 28, 2015 — Our data is not secure. That is the attitude you should take when interacting with providers online or when providing data at a point of sale. We must take the position that important personal data will be compromised at some point and we should therefore be prepared to enact a plan to reduce our vulnerabilities from its loss. According to the 2015 Verizon data breach report, there were over 2100 confirmed data breaches (pg5). These malicious attacks are conducted against the full range of providers that we all interact with, to include health insurers, financial institutions, educational institutions, and specialty services. MORE
|
October 23, 2015 — Many major corporations have standing “bug bounty” programs that monetarily reward participants for identifying vulnerabilities in their products and responsibly disclosing the findings to the company. These programs help ensure vulnerabilities end up in the correct hands and lead to products that are more secure. In contrast, the Army does not have a central location for responsibly disclosing vulnerabilities found through daily use, much less a program that can permit active security assessments of networks or software solutions. Without a legal means to disclose vulnerabilities in Army software or networks, vulnerabilities are going unreported and unresolved. The critical necessity of an Army vulnerability response program will be highlighted throughout this paper as well as a proposed implementation to better defend our networks and sensitive information. MORE
|
October 23, 2015 — Singer, P. W., and Cole, August. Ghost Fleet: A Novel of the Next World War. New York: Houghton Mifflin Harcourt Publishing Company, 2015, 416pp.
When it comes to cyber Pearl Harbor metaphors, this book takes the cake. Providing a disturbingly realistic take on a connected future warfare scenario Singer and Cole immerse the reader into a world that lies just beyond the horizon. Their tale of interwoven fact and fiction is a quick and entertaining must read for all who would belittle the potential disruptive attributes of cyberspace and a networked way of war that has become increasingly pervasive from modern strategy and tactics down to acquisitions and manpower assessments.
MORE
|
September 15, 2015 — Cyberspace and cybersecurity contain numerous problems in search of novel approaches able to facilitate dynamic, results driven solution sets. Big Data if examined from a complex, multi-disciplinary perspective offers a range of potential advantages to cyber offense and defense for public and private sector entities ranging from small businesses to the national security community. This post, in brief, highlights the foundations of a research push in its infancy to assess the application of big data for national cybersecurity. While the focus is national cybersecurity writ-large, the lessons to be learned are likely to be impactful to organizations and individuals as the economics and applications of big data for cybersecurity become increasingly affordable. MORE
|
August 27, 2015 — It is this paper’s contention that as terrorist organizations have grown in geographical reach and influence, so too have they grown in the sophistication of their operations, especially in terms of technology. The exploitation of cyberspace has arguably become the latest force multiplier utilized by terrorist groups in pursuit of various objectives, including (i) carrying out elaborate ideological propaganda campaigns; (ii) radicalization and recruitment of new followers; and (iii) educating recruits on topics ranging from data mining to the use of explosives. Perhaps most significantly, terrorist organizations have increasingly made use of cyberspace in launching attacks on their enemies. Many analysts are quick to point out that to date, such cyberattacks have been unsophisticated and relatively ineffective. While they have been useful in disrupting online domains, they have done little in terms of inflicting actual casualties. A counter argument can be made, however, that focusing primarily on the casualties directly inflicted by cyberattacks conducted by foreign terrorist organizations greatly oversimplifies the issue. Specifically, it ignores the effects wrought by the individuals recruited and trained via cyberspace. The technical knowledge passed on to them with respect to planning and executing attacks has undoubtedly allowed terrorist groups to conduct far more wide-ranging, elaborate and brutally efficient strikes. Cyberspace is therefore not simply a medium through which to communicate and express ideas, but a tool whose effectiveness is limited only by the breadth of creativity of its users, particularly in military applications. MORE
|
August 27, 2015 — As our present theory is to destroy ‘personnel,’ so should our new theory be to destroy ‘command,’ not after the enemy’s personnel has been disorganised, but before it has been attacked, so that it may be found in a state of complete disorganisation when attacked.
-JFC Fuller, “Plan 1919” [1]
Doctrine ranks among those words that may be more used than understood. In essence, doctrine constitutes the customary way of applying established rules in varying cases. “Custom” might imply a certain lack of flexibility in dealing with the uncommon or the unforeseen, of course, but it also carries positive aspects. It prepares one with a set of basic analytical tools, and leaves room for improvisation when necessary. Improvisation is the watchword; it is what a military establishment does when confronted with a new rival or technology that disrupts not only settled doctrine but the very assumptions underlying concepts of force and power.
MORE
|
August 14, 2015 — Many, many people are writing great things about using U.S. Special Operations Command (SOCOM) as a model for the development of U.S. Cyber Command (CYBERCOM), and many, many people are writing great things about the potential of raising CYBERCOM to a full unified command. However, cyberspace has yet to be recognized as a functional domain deserving of its own dedicated unified command. The comments made by GEN Joseph Votel, commander of SOCOM, at the West Point Senior Conference this past April illustrate the military’s increased emphasis on understanding the vulnerabilities and advantages that cyberspace brings to conflict. The Department of Defense should heed GEN Votel’s words and elevate CYBERCOM to unified command status, and, moreover, use SOCOM as model in developing CYBERCOM. Thanks to our friends at the Combating Terrorism Center at West Point, below is an excerpt from GEN Votel’s speech* dedicated to describing the implications of terrorism in the future operating environment:
* I have bolded cyberspace-related nouns to emphasize the targets and attack/influence vectors future terrorist may affect and use to achieve their ends.
MORE
|
August 11, 2015 — The theories proposed by Carl Von Clausewitz almost 185 years ago maintain relevance based on their applicability relating to the rise of non-state actors and the increasing relevance of cyber operations in the context of modern warfare. Clausewitzian theory is useful in the Computer Age and continues to offer insights to some of the most consistently experienced issues in modern warfare. The recent release of the Department of Defense (DOD) Cyber Strategy is predicated upon the tenacious adherence to a comprehensive strategy, a topic to which Clausewitz devotes a significant amount of attention. Another area of interest for success in cyber warfare is defining the proper mix of joint Cyber Mission Forces (CMF) to fight and win the nation’s future wars (DOD Cyber Strategy). Clausewitz again provides valuable insights by analyzing the relationship between the branches of service in the context of battlefield efficacy. Some may contend that with the exponential proliferation of technology and non-state actors that Clauswitz and his theories lose relevance, and this may apply in the context of legacy, kinetic-based warfare. However, Clausewitz will continue to influence future generations of American military practitioners simply from the standpoint that his theories remain rooted in the very nature of warfare. Additionally, nation-states and non-state actors will continue to operate across the cyber domain, where the changing definitions of terms such as “lethality” and “magnitude” are factors in a new form of warfare. MORE
|