As a former Air Force information warfare officer, and a member of the military’s red and blue teams for many years, I believe the Department of Defense’s new “Strategy for Operating in Cyber-Space” is a small step towards developing a security plan for protecting our nation from cyber attacks. What leaves me a little perplexed, however, are the realities the DoD is up against in achieving the five strategic initiatives that have been outlined in the document.
As I was going through the plan, what struck me first was the fact that the U.S. has publicly called out to the world that cyberspace will be added as one of the operational domains, retaliating against any attacks on it in the same way it would to attacks by land, sea, air and space. Saying that it plans to aggressively train, organize, collaborate, and strengthen relationships with global partners sends a strong message to the international community about its intentions to take full advantage of cyberspace’s potential, as well as how the government plans to deal with and respond to threats against this domain. While the plan still leaves many questions around attribution and countermeasures against any such attack, I think the clear and unambiguous addition of the domain is an important step to deter cyber attacks targeting the U.S. government and our nation’s critical assets and infrastructure.
Unfortunately, a significant portion of the document is simply reiterating the government’s “business as usual” tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, “no one ever got fired for buying from” large companies and contractors. DoD and other agencies turn to these organizations to build offensive and defensive technologies without paying much attention to smaller, more innovative companies that, in my opinion, develop far better, more effective technology. From my experience, this has historically been the case with the military (just ask the innovative arms manufacturers that couldn’t get the military to adopt new weapons in the Civil War).
I did, however, find a glimmer of hope in the plan’s Strategic Initiative No. 5: “DoD will leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.” While I’m pleased to hear the government would like to work with small, nimble companies that I believe provide the rapid technological innovation that the document calls for, the reality is what I just outlined: the DoD tradition and evaluation/purchasing structures favor large companies and contractors.
The problem with the claim is the government sets an extremely high bar that almost guarantees they can’t do business with smaller companies. Take, for example, the cost of trying to meet Common Criteria and update certifications. The average vendor does not have the resources to put their products through all of the regulatory requirements needed for most defense-related implementations. Small businesses generally cannot afford the quarter-of-a-million-dollar certification programs that large companies can. As a result, historical precedent has shown that the DoD primarily goes with incumbents.
I commend the government for recognizing the need to innovate technology very rapidly to keep up with evolving cyber threats. Smaller, innovative companies can play a critical role in defending our nation’s networks and systems from more sophisticated attacks. However, I cannot fully believe the DoD is serious about this claim until there is action behind it. It’s a great vision, but there still exist structural impediments that don’t allow smaller companies under normal operating procedures to fulfill that promise.
As a smaller company that provides highly innovative and effective application whitelisting-based endpoint protection solutions, CoreTrace stands ready to help the DoD and other agencies deliver on the cybersecurity vision. My challenge to the DoD is this: If you say working with innovative companies is part of the national cyberwarfare strategy, prove it by bringing companies like CoreTrace in and streamlining the evaluation/procurement bureaucracy. Let us all help make your strategy a reality.
by Toney Jennings