BreachExchange mailing list archives

New U.S. Cyber-Defense Strategy a Two-Edged Sword


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 May 2015 18:17:04 -0600

http://www.eweek.com/security/new-u.s.-cyber-defense-strategy-a-two-edge-sword.html

The U.S. military says it's using a nuclear doctrine from the Cold War to
prevent the next Sony Pictures Entertainment-style hack.

U.S. Defense Secretary Ash Carter trotted out the Pentagon's new Cyber
Strategy in Silicon Valley last month. It replaces the previous strategy
rolled out four years ago. The new strategy contains three very new and
very surprising components, which will directly affect every company in the
U.S.—doubly so for technology-oriented companies.

Here's what you need to know.

1. The U.S. military says it will protect your company.

In the past, the Pentagon's cyber strategy was all about protecting the
U.S. military from attack, as well as government agencies. Now Carter
explicitly said that the department will also protect American "interests,"
which includes U.S.-based corporations.

The November attack on Sony Pictures Entertainment, which the government
blames on the North Korean government, appears to have greatly influenced
this policy shift to protect U.S. businesses.

2. The new policy is deterrence through hack-attack retaliation.

Instead of playing defense, which was the old strategy, the Pentagon says
it intends to develop tools that enable it to "disrupt" the attackers'
networks, among other things. The paper singles out Russia, China, Iran and
North Korea as major state-sponsored cyber-threats.

Specifically, the military sees Russian government hackers as very good at
covering their tracks, but they aren't really sure what they're after. Both
Iran and North Korea are less skillful at hacking, but are super hostile
toward U.S. interests. And, of course, China is great at hacking and it
uses its skills mainly to steal everything and anything it can.

The idea is that if foreign national governments know they'll be attacked
if caught, they'll be less likely to engage in the espionage—corporate,
industrial and military—that's now becoming somewhat routine.

This mirrors America's strategy during the Cold War. In fact, the era was
called "the Cold War" because it was considered an ongoing war in which
active hostilities were avoided because they could lead to nuclear
annihilation. In effect, the "war" was conducted through proxies, economic
isolation, sanctions and other means that avoided direct military
engagement between the United States and the Soviet Union.

The new cyber-strategy essentially escalates U.S. tensions with Russia,
China, Iran and North Korea from non-war to Cold War, where U.S. policy is
to engage the enemy with hostility hopefully without triggering a real war.

It's also similar organizationally to the War on Terror, where non-military
organizations within the government are granted permission to conduct
ongoing offensive operations against America's perceived enemies. For
example, the Central Intelligence Agency has since 9/11 been conducting
drone strikes, assassinations and other wartime operations not only without
a declared war but without the Pentagon.

In this case, the Cyber Mission Force is actually part of the Pentagon. But
instead of simply supporting military operations, the group can now conduct
operations on its own, including offensive operations, similar to what the
CIA now does, but over the Internet.

3. The Pentagon wants to enlist private companies into the cause.

Interestingly, though not surprisingly, a big part of the new strategy is
to help the "private sector" do a better job securing its own company
networks.

Carter also proposed "private-sector exchange programs" to attract security
talent into the military and to increase security research. The Pentagon
plans to open a new office at Silicon Valley's Moffett Field (managed by
Google as part of a 60-year lease deal with NASA), which will not only
enable the military to be closer to commercial technology, but also
function as a venture arm to direct money to startups creating technology
of use to the cyber-security effort.

The military will use a venture capital firm called In-Q-Tel, which was set
up by U.S. intelligence agencies 16 years ago to support new
cyber-technology development.

It's clear that this new office will serve as a headquarters where the
Pentagon will try to build bridges to the major Silicon Valley companies.

In the wake of the Edward Snowden revelations, mistrust is at an all-time
high between the government and the nation's high-tech community. The
government in general and the Pentagon in particular see this mistrust as
part of the threat to national security. Part of the new mission seems to
be to rebuild trust and foster cooperation.

The most interesting goal of the new office, however, is that the military
hopes Silicon Valley's culture of turning failure into an advantage will
rub off on Pentagon technologists. While government projects in general are
focused on avoiding failure, Silicon Valley succeeds by accepting failure
as part of the learning process. The goal is to fail as fast as you can so
you can learn and move forward.

There's good news and bad news for IT professionals and anyone who works in
the private-sector technology community.

The good news is that the Pentagon plans to do something about the ongoing
state-sponsored hack attacks that just keep getting worse. Moreover, the
government's deep pockets will step up investment in security-related
technology that will probably benefit companies and enterprises.

The bad news is that state-sponsored cyber-war is here to stay. The nature
of hacking-related hostilities is such that government hackers can usually
cover their tracks and will never run out of targets.

If they can't hit the military, they hit the government. If they can't hit
the government, they go after the economy by attacking and making demands
of private companies by spreading malware, stealing trade secrets and
forcing them to spend huge amounts of money in a mostly futile effort to
block the attacks.

There's simply no alternative but to invest in strong security and button
up your company's policies.

Welcome to the new Cold War. Let's just hope it stays cold.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss