AY 2014-2015
US Cyber Strategy for 2030: A Direction
LT COL SCOTT A. DICKSON
USAF
SEMINAR 19
The Dwight D. Eisenhower School
for National Security and Resource Strategy
National Defense University
Fort McNair, Washington, D.C. 20319-5062
The views expressed in this paper are those of the author and do not reflect
the official policy or position of the National Defense University,
the Department of Defense or the U.S. Government.
Lt Col Dickson/ES/DSR/856-220-3899/6 Oct 14
BULLET BACKGROUND PAPER
ON
US CYBERSECURITY STRATEGY FOR CY2030
PURPOSE
Explain DoD’s comprehensive 2030 US Cybersecurity Strategy to US strategic leaders
CONCERNS
- Pres Obama’s EO 13636: “one of the most serious national security challenges”
- Gen Dempsey’s 2014 QDR: “we will not innovate quickly enough or deeply enough to be prepared for
the future for the world we will face two decades from now”
- Hard to define; Cyber is “of, relating to, or involving computers or computer networks (as the Internet)”
- Unique properties: both a domain and a means, both tangible and non-tangible aspects, & no substitute
- As a Domain
-- Man-made; “Man can actually change this geography, and anything that happens there actually creates
a change in someone’s physical space” (Gen (ret) Michael Hayden, USAF)
-- Strengths are also its weaknesses, hence exploitable
--- Highly Connected: Interconnected nodes spanning across the entire world
--- Easily Accessible: Reachable from any computer or mobile device
--- Few Boundaries: Built with minimal restrictions to expedite information flow
--- Predictable: Possible pathways are configured by humans and selected by computers in real time
--- Layered: Complex computer applications executing on operating systems and firmware
--- Digitized: All information stored in a common format, easily manipulated and transmitted
- As a Means
-- Anonymously conducted via anonymity software like Tor, originally developed at the US Naval Research Laboratory
-- Five categories of attack [1]
--- Consumption of computer resources: bandwidth, memory, disk space, processor time
--- Disruption of configuration information, such as routing information
--- Disruption of state information, such as unsolicited resetting of TCP sessions
--- Disruption of physical network components
--- Obstructing communication media between intended users and victim
-- Focused on disrupting, denying, or destroying capability or communications
--- Trojan malware: programs disguised as legitimate software, hidden on computers and activated to disrupt
--- Botnets: networks of compromised computers under remote control, used to carry out other actions
--- Distributed Denial of Service (DDoS): consuming bandwidth to preclude others' use
--- Permanent Denial of Service (PDoS): overwriting firmware to render hardware useless
-- Cyber-espionage considered a non-DoD attack category
ACTORS
- “The number of mobile-connected devices will exceed the world’s population by 2014.” [2]
- US Domestic Actors: include US Government agencies, NGOs, industry, and citizens
-- Primary Govt Agencies include:
--- DoD: responsible for coordinating cyber attack capabilities
--- DHS: mandated by EO 13636 to lead US cyber threat identification efforts
--- US Attorney General: mandated by EO 13636 to support cyber threat identification efforts
--- DNI: mandated by EO 13636 to support cyber threat identification efforts
--- Commerce: mandated by EO 13636 to reduce cyber risk to critical infrastructure
--- NSA: responsible for increasing US cyber situational awareness
--- FBI: Domestic investigation of cyber crime
--- DoJ: Prosecution of cyber crime and offenses
- External Actors:
-- Cyber anonymity allows one actor to masquerade as any other actor
-- Three main types:
--- Organized crime groups: primarily threatening financial services sector, expanding scope
--- State sponsors: Interested in pilfering data, intellectual property, research and development data
from manufacturers, government agencies, and defense contractors
--- Terrorist groups: Use network to disrupt or harm nation’s critical infrastructure
CURRENT ENVIRONMENT
- Congress
-- Introduced S.733, Cybersecurity Act of 2009, 24 Mar 2010, Not Enacted
-- Introduced S.2105, Cybersecurity Act of 2012, 15 Feb 2012, Not Enacted
-- Introduced S.1353, Cybersecurity Act of 2013, 24 Jul 2013, Not Enacted
-- Introduced H.R.624, Cyber Intelligence Sharing and Protection Act
   Passed House on 18 Apr 2013, Referred in Senate to Select Committee on Intelligence
-- Introduced S.2588, Cybersecurity Information Sharing Act (CISA) on 10 Jul 2014 [3]
--- Develop process for classified and declassified cyber threat indicators, to share in real time
    with private entities; non-federal govt agencies; or state, tribal, or local govts
--- Permits private entities to monitor and operate countermeasures to prevent or mitigate
    cybersecurity threats or security vulnerabilities on own information systems (IS) and, with
    written consent, the IS of other entities and federal entities
--- Authorizes entities to monitor information stored on, processed by, or transiting such
    monitored systems
--- Current Status: Senate has not considered or voted on CISA
- President
-- Signed Executive Order 13636 on 12 Feb 2013, established US cyber interests
-- “To enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber
environment that encourages: efficiency, innovation, and economic prosperity while promoting
safety, security, business confidentiality, privacy, and civil liberties”
INTERESTS
- Due to the overlap between external actors in the interest analysis table below, a strategy which
addresses Terrorist Groups’ interests should address all external actors
  United States                    | Organized Crime                    | State Sponsors                   | Terrorist Groups
  ---------------------------------|------------------------------------|----------------------------------|---------------------------------------
  Verifiable Access to Information | Unimpeded Access to Information    | Verifiable Access to Information | Unimpeded Access to Information
  Intellectual Property Rights     | Intellectual Property Exploitation | Depends on State                 | Intellectual Property Exploitation
  Data Protection                  | Data Exploitation                  | Data Protection                  | Data Exploitation
  Non-repudiation                  | Anonymity                          | Non-repudiation                  | Anonymity
  Efficient Infrastructure         | Efficient Infrastructure           | Efficient Infrastructure         | Inefficient/Ineffective Infrastructure
  Economic Growth                  | Economic Growth                    | Economic Growth                  | Economic Regression
  Note: Dark/Red shading in the original denotes external interests counter to US interests (shading not reproduced in this text version)
CY2030 SCENARIO DRIVERS
- Active Anti-US Terrorist Groups & Global Polarity selected as primary drivers affecting cyber scenarios
- Relevant drivers listed in the table below; secondary drivers set as scenario-building assumptions
  Note: Non-selected drivers are scenario assumptions; colored text in the original marked the values assumed for the scenarios (color not reproduced here)

  Driver                                | Outcome #1    | Outcome #2    | Uncertainty
  --------------------------------------|---------------|---------------|------------
  Active Anti-US Terrorist Groups       | Eradicated    | Exist         | High
  Global Polarity                       | Dominant US   | Multi-Polar   | Med
  Persistent Cybermonitoring Technology | Developed     | Non-Developed | Med
  US Economic Type                      | Manufacturing | Knowledge     | Low
  Privacy/Civil Liberties Concerns      | None          | Preventative  | Low
  Cyber Sovereignty                     | None          | Server-based  | Low
SCENARIOS
- Based on Active Anti-US Terrorist Groups & Global Polarity drivers, four potential 2030 scenarios exist
- A DoD 2030 cyberstrategy should also hedge against an exogenous Cyber 9/11 scenario
-- DHS Sec, 24 Jan 2013: "We shouldn't wait until there is a 9/11 in the cyber world. There are things we
   can and should be doing right now that, if not prevent, would mitigate the extent of damage"
-- Similar to Jul 2014 cyber attacks on Israel where Hamas hacked or targeted:
--- Half a million smartphones, sending texts of false chemical attacks
--- Systems controlling vital Israeli infrastructure, including Israel Electric Co power stations, water
    desalination plants, traffic lights, and railroads and other transportation systems
--- Israel's banking system, including the Bank of Israel (the central bank)
--- Thousands of largely unprotected civilian websites via DDoS attacks
--- Israel's Foreign Affairs and Defense Ministries, Air Force, the office of the president, the Knesset,
    the Israel Police, and the government's official jobs portal
ACTIONS
- Based on CY2030 & exogenous scenarios, the table below lists recommended DoD shaping/hedging actions

  Type    | Priority | Action
  --------|----------|--------------------------------------------------------------------------------
  Shaping | High     | Establish a Cybersecurity Enforcement Coalition
  Shaping | High     | Partner w/DoS to develop a Cybersecurity Code of Conduct (or Treaty) to
          |          | Define Acceptable Cyber Behavior and Enforcement Responsibilities
  Shaping | High     | Continue to Minimize Anti-US Terrorist Groups (in progress)
  Shaping | High     | Invest and Implement Persistent Cyber Situational Awareness/Monitoring Technology
  Shaping | Med      | Develop a Layered Cyber Defense Strategy to Defend National Security Data (in progress)
  Shaping | Med      | Implement Public Policy Restricting Use of Anonymity Software within United States
  Shaping | Low      | Implement Public Policy Requiring Minimum Cyber Protection Mechanisms for
          |          | US Businesses (in progress)
  Shaping | Low      | Continue Cyber Protection Education Efforts with the Public, National Security
          |          | Professionals and US Companies (in progress)
  Hedging | High     | Maintain Resilient and Redundant Storage of Critical National Security Data
  Hedging | High     | Develop Robust Cyber Attack Capabilities
  Hedging | High     | Develop and Maintain Capability to Operate in a Degraded Cyber Environment
  Hedging | Med      | Implement Public Policy Requiring Manual or Isolated Networked Capability of
          |          | Critical National Energy Capabilities
  Hedging | Med      | Create Emergency Isolation Plan and Develop Necessary Capabilities to Implement
  Hedging | Med      | Partner with DoS and DHS to Build Positive US Public Opinion Behind Required
          |          | US Privacy and Monitoring Policies
RECOMMENDATIONS
- Implement shaping and hedging actions to protect DoD’s cyber capabilities as a force multiplier
- Support CISA passage within Congress
- Continue DoD’s compliance actions as dictated by President’s EO 13636
END NOTES
[1] "Denial of Service Attacks." Wikipedia. Accessed 6 Oct 2014. http://en.wikipedia.org/wiki/Denial-of-service_attack
[2] Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018. Accessed 23 Sep 2014. http://www.cisco.com/c/en//solutions/collateral/service-provider/visual-networking-index-vni/white_paper_c11-520862.html
[3] Feinstein, S.2588. Accessed 29 Sep 2014. https://www.congress.gov/bill/113th-congress/senate-bill/2588