Dr. Kamal Jabbour and Dr. Erich Devendorf have characterized the cyber threat the DoD faces. They describe threats as having these ten characteristics:
- Highly educated on the science of information assurance
- Doctrinally trained on the art of cyber warfare
- Adequately resourced in talent, time, and treasure
- Thoroughly briefed on target missions and systems
- Mathematically specialized in architectural properties
- Superiorly skilled in byzantine failure analysis
- Intricately involved in protocol specification and analysis
- Critically embedded in the supply chain
- Strategically postured in command and control
- Conveniently situated for access and persistence
The paper uses these points to demonstrate how an adversary thinks about attacking our systems. However, I see a lot of ways in which these should coerce the DoD to make serious changes in how we build and maintain our cyber professional workforce.
Highly educated on the science of information assurance
The DoD focuses on training cyber professionals. One strength in the DoD, in other domains, is the ability to train an individual from no ability to effective ability (effective during warfare). This works for things like driving a tank, tactical-warfare thinking, and flying an aircraft. The status-quo is thinking that this will suffice in cyberspace.
The problem is that our adversaries are highly-educated, instead of highly-trained. Our adversaries have achieved at higher levels on Bloom’s taxonomy than many of our cyber professionals. Further, the DoD doesn’t properly value education in the cyber domain, as evidenced by hiring and pay practices.
The DoD cannot rely on training to match our adversaries. The DoD cannot feasibly take new accessions and begin to educate them… The US Government must focus on building its next generation of cyber professionals starting at an early age. This does not need to look like a Big Brother program, and can be solved with good leadership of our nation’s education programs.
Doctrinally trained on the art of cyber warfare
The DoD builds doctrine in its military services… Each service has a different set of doctrine. Doctrine does not prescribe the actions of a service’s members, but it does try to form the basis of our collective planning/thinking/decision making. Doctrine provides a set of good behaviors, examples, and broad techniques upon which we can base other actions. It can act as a cognitive shortcut for service members.
There is no cyber service. The doctrine we use in cyberspace is largely derived from or glommed-on to service doctrine. This truly colors the decisions we make and the ways we justify them, because our cognitive shortcuts are based in the air, land, or sea (soon to include space) domains. Ideally decisions would be made without shortcuts, but in practice that’s impractical.
Adequately resourced in talent, time, and treasure
We will always battle over resources. In the DoD resources are allocated by Congress to specific programs, via the services. This allows Congress to require services to spend money on specific things. In general though, services choose how and what they will fight for. There is no cyber service, so there’s no group that’s truly got their dog in this fight. Services are still fighting admirably (if sometimes looking half-heartedly) for resources in cyberspace.
Thoroughly briefed on target missions and systems
The DoD has an outstanding professional intelligence arm - and I speak specifically of the members who prepare us for cyber conflict against other nations. They are some of the strongest cyberspace professionals in my opinion.
Mathematically specialized in architectural properties
Superiorly skilled in byzantine failure analysis
Intricately involved in protocol specification and analysis
Each of these three describes areas in which US education should refocus its information assurance education. These are not issues I have seen get significant focus. They’re tough - I’d consider them PhD work, the analysis piece of the third is possibly masters-degree work. In the same way we must drive education of programming, information assurance, and everything cyber to lower grades, the we must drive understanding of these issues lower too. That may not be the direct job of the US government, but entities like the DoD can influence education and we must have a stronger hand in that.
I really have little opinion about these final three, but will describe how they fit into the paper and provide some context.
Critically embedded in the supply chain
Our adversaries manufacture many of our goods, especially computer hardware. The US government does regularly consider strategically changing requirements for some supply chains - forcing them to operate more in the US. I’ve seen some of this happen firsthand, and know that we have a greater control over this than I generally see acknowledged by engineers, newspapers, and even academic writers. I do not have enough domain knowledge or experience to say whether we’re acting correctly in this area though.
Strategically postured in command and control
The paper explains this command and control issue as a sort of supply chain for information - the adversary has control, or can seize control, of some of the physical and virtual assets we use to move information around for the purposes of our military’s command and control. The DoD has multiple redundant command and control paths setup. Are they tested and sufficient? I would not speculate here.
Conveniently situated for access and persistence
This point refers to adversaries being physically located convenient to where we choose to do battle. That’s so because we choose to do battle in places other than the US.