On the offense: How federal cybersecurity is changing
- By Kevin Freiburger
- Aug 27, 2019
From ransomware attacks on local government to election interference by foreign nations, cyberattacks are serious threats to governments, businesses and citizens alike. While the federal government already addresses cybersecurity, responsibility is fragmented and siloed across departments.
The Department of Defense is responsible for various geographical and functional areas; its Cyber Command was established in 2009 partly in response to Russia hacking the Pentagon's network. Outside of DOD, the National Security Agency has its own cybersecurity resources and practices, as does the FBI and the Department of Homeland Security. At the state level, CIOs in individual agencies and those in statewide positions work closely with their federal counterparts. This disconnect and fragmentation is still causing problems today, 18 years after it played a part in the 9/11 terrorist attacks.
Cybersecurity change is coming, however, and the John S. McCain 2019 National Defense Authorization Act (H.R.5515) is paving the way. This law outlines DOD's budget, expenditures and policies and puts cyber activities front and center. In fact, the act mentions “cyber” 349 times.
The NDAA normalizes certain military cyber activities so these actions don’t require presidential briefing or approval, only authorization by the defense secretary. This change accomplishes two objectives: It drives government focus more deliberately on cybersecurity, and it formalizes cybersecurity processes and tools -- both of which will help solve fragmentation issues.
Switching cybersecurity strategy from defensive to offensive
The way the federal government approaches cybersecurity strategy is also changing. Originally, cybersecurity was commissioned as a defensive command focused on defending the U.S. digital infrastructure from attack. Increasingly, however, cybersecurity strategy is shifting to the offensive. Legal authority from the 2019 NDAA has led to more offensive cybersecurity tactics being green lit as standard elements of modern warfare. In fact, the chief of the U.S. Cyber Command describes increased offensive tactics as support for the DOD’s need to “defend forward.”
Offensive cybersecurity means planting cyber “weapons” deep within adversaries’ networks. The U.S. doesn’t need to actually use cyber weapons for the strategy to work. Instead, the mere presence of a cyber weapon shows adversaries that the U.S. has the capability to inflict damage. Offensive cybersecurity tactics act as deterrents, reminiscent of gunboat diplomacy or the mutually assured destruction scenarios contemplated in conventional nuclear weapons war games.
The U.S. currently deploys offensive cybersecurity strategies with Russia. In what is a more aggressive strategy for the U.S., officials confirmed that they have placed the equivalent of digital land mines into Russia’s electric power grid to serve as a warning to President Vladimir Putin and as a demonstration of Cyber Command’s power. This particular effort adds to a previous cyber strategy already in place meant to overwhelm the computer systems at Russia’s Internet Research Agency -- the entity responsible for the 2016 election meddling.
Offensive cyberattacks are conducted remotely, shortening the time for deployment and costing less than conventional weaponry and military infrastructure. And in some ways, offensive cyber strategy has the potential to save lives. In June of this year, the U.S. called off a conventional weapons counterattack on Iran due to the high potential of human casualties. The DOD chose to instead move forward with an unnamed cyberattack.
The future of government cybersecurity
Another way the nation can steel itself against cyberattack is by leveraging partnerships with private-sector companies offering top talent and global innovation. The Pentagon’s $10 billion Joint Enterprise Defense Infrastructure cloud procurement – down to its finalists Amazon Web Services and Microsoft – will help DOD modernize its infrastructure so warfighters at the network edge can quickly and securely access the information they need. According to Lt. Gen. Bradford Shwedo, the CIO for the Joint Chiefs of Staff, "JEDI Cloud is critical to safeguarding our technological advantage against those that seek to harm our nation."
Ideally, these policy, strategic and technology changes will create a more unified system. Rather than fragmentation exacerbating major threats, departments will have tactics and strategies already in place so they can quickly respond to any incident.
As we enter an increasingly digital world, the safety of the country depends on the government’s ability to defend in both the physical and the digital space. A safer, more expansive cybersecurity infrastructure accomplishes this, keeping the U.S. on the offense through a defend-forward strategy and mediating threats from across the globe before they even begin to take shape.
Kevin Freiburger is director of identity programs with Valid.