DOD's "First" Cyber Strategy is Neither First, Nor a Strategy

[InfoSec News <alerts () infosecnews org>]

http://blogs.forbes.com/seanlawson/2011/08/01/dods-first-cyber-strategy-is-neither-first-nor-a-strategy/

By Sean Lawson
Net Assessment
Forbes.com
August 1, 2011

The Department of Defense has released its long-awaited "Department of 
Defense Strategy for Operating in Cyberspace" [PDF], as well as a 
website devoted to selling that strategy. The strategy has faced no 
shortage of criticism over the last couple weeks, from VCJS Gen. James 
Cartwright's criticism that it is too defensive and too predictable to 
Richard Clarke’s criticism that the strategy is not a strategy at all. I 
agree with the basic arguments of both of these critiques. This piece is 
the first in a series that I will be posting over the course of the 
coming week, in which I will provide my own take on the DOD cyberspace 
strategy.

In this series of posts, I will argue that the core problem plaguing the 
strategy is that the focus on defense is a reflection of more 
problematic underlying assumptions about the nature of both cyberspace 
and information. The strategy takes a too narrow, technocratic view of 
both. It assumes that cyberspace as a "domain" is primarily physical and 
technological and that information is primarily a commodity that flows 
through and is stored by the physical infrastructure of cyberspace. 
Thus, the primary focus of the strategy is the defense or protection of 
the physical information infrastructure and the commodity that it stores 
and transmits. Little attention is given to the social or cognitive 
aspects of cyberspace and information, nor to the opportunities that 
they provide for contributing to achieving military objectives in other 
domains and promoting the national interest more generally.

I will expand on each of these points in future posts. But in this post 
I want to begin by calling into question the "firstness" of what Deputy 
Secretary of Defense William J. Lynn, III called "the Department's first 
ever Strategy for Operating in Cyberspace" when he introduced it at the 
National Defense University on 14 July 2011. But in December 2006, the 
Joint Chiefs of Staff released the National Military Strategy for 
Cyberspace Operations [PDF] and it is not clear how the new "first" 
strategy relates to the previous "first" strategy. This confusion is an 
example of a more general confusion that the GAO has identified in DOD 
cyberspace policy as a whole.

One might be tempted to think that the 2011 strategy is more broadly 
applicable to DOD than the 2006 strategy. But the 2006 strategy was also 
meant to be applicable to all DOD components:

[...]

___________________________________________________________
Attend Black Hat USA 2011, hosted at Caesars Palace in
Las Vegas, Nevada July 30-Aug 4, offering over 60 training
sessions and 9 tracks of Briefings from security industry elite.
To sign up visit: http://www.blackhat.com