Tuesday, July 19, 2011

Cyberspace Is The Next Battlefield

The U.S. Department of Defense just released an unclassified version of the document Department of Defense Strategy for Operating in Cyberspace. Yes, this is what I read for fun. It's only thirteen pages long. It's worth a look.

Department of Defense Strategy for Operating in Cyberspace

This very readable document outlines five strategic initiatives in how the DoD is going to deal with threats on the battlefield of cyberspace. But it's not really the initiatives I'm so concerned with. I like getting some insight into what this over half a trillion dollar agency is actually worried about and where they are likely to be spending their money. When it comes to technology, I feel about the DoD the way I do about high performance computing and the big cloud providers: whither they go, soon I shall be.

Here are some snippets from the document that caught my eye. Emphasis is mine.

Low barriers to entry for malicious cyber activity, including the widespread availability of hacking tools, mean that an individual or small group of determined cyber actors can potentially cause significant damage ... Small-scale technologies have an impact disproportionate to their size ... (p. 3)
The potential for small groups to have an asymmetric impact in cyberspace creates very real incentives for malicious activity. ... Whether the goal is monetary, access to intellectual property, or the disruption of critical DoD systems, the rapidly evolving threat landscape presents a complex and vital challenge for national and economic security. ... (p. 3)
... DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service ...; and destructive action including corruption, manipulation, or direct activity ... (p. 3)
... computer-induced failure of power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption. (p. 4)

When I've seen the term asymmetric warfare in the past, it has usually been used in the context of a high-technology opponent versus a low-technology opponent, or adversaries using traditional versus guerrilla strategies. But it applies here in an economic sense: it doesn't take a weapons program the scope of the Manhattan Project to bring economic ruin in the realm of cyberspace.

The Stuxnet worm completely changed the way I think about threats. Although it was surely an expensive program, requiring huge amounts of technical talent, the impact it had on Iran's nuclear program was surely disproportionately large compared to its cost. It is not hard to imagine either state or non-state actors bringing similar talent to bear on other critical technical infrastructure in the U.S. or elsewhere.

At a recent conference, I got chills thinking what malware inspired by Stuxnet could do if it infiltrated the firmware of tape drives used in a mass storage system. Don't laugh: most of the data in the world is still stored on tape. Son of Stuxnet could modify or remove data as it is being written to tape or as it is read back. This could render ground installations invisible in satellite photographs or accounts untraceable in financial records. A colleague of mine quipped that this kind of thing already happens by accident due to firmware bugs. The idea of it happening deliberately with specific intent is alarming.

... Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies. ... military strength ultimately depends on economic vitality ... (p. 4)
... Many U.S. technology firms outsource software and hardware factors of production, and in some cases their knowledge base, to firms overseas. Additionally, increases in the number of counterfeit products and components demand procedures to both reduce risk and increase quality. ... (p. 9)

Globalization is here to stay. That means it's now more important than ever to manage your supply chain and understand where your parts, both software and hardware, are really coming from.

... DoD's acquisition processes and regulations must match the technology development life cycle. With information technology, this means cycles of 12 to 36 months, not seven to eight years. ... DoD will be willing to sacrifice or defer some customization to achieve speedy internal improvements. ... (p. 11)

In Product Development as War Fighting I applied the principles espoused by the late John Boyd, the U.S. Air Force officer who revolutionized both air and ground combat, to software development. The kind of rapid iteration that this document discusses is just the kind of thing Boyd was talking about when he referred to fast transients and his Observe, Orient, Decide, Act (OODA) cycle in combat. Victory goes to the opponent who can make the correct decision and act upon it the most quickly. This applies to the choice of technology and its deployment as well.

If your organization is developing its own strategy to deal with information security, it is worth your time to read this document and see if they thought of something that you missed. For sure, they have a lot more eyes on the problem.
