I often talk to governments about their Cybersecurity strategy and agenda. Sometimes I think it is extremely hard for a government official or high-ranking military person to really understand what is going on in the cyber space and what this means. It is not too easy for people like us but for somebody who’s job is to protect a country’s border, it is much, much harder.

Now, I read an article called Defending a New Domain - The Pentagon's Cyberstrategy by William J. Lynn III who is the U.S. Deputy Secretary of Defense. This article to me shows the challenges and organization like the Pentagon faces when they have to deal with challenges in the cyber space.

You might have read about a success attack on US classified systems, which was launched in 2008 by the use of a USB-stick.

That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.

It is one of the scenarios, which keep me up at night – and you too I guess: Code coming into the network by social engineering and spreading silently. Almost impossible to detect as the code is custom built and is targeting “just your” organization.

The impact was different a few years ago, but today:

In less than a generation, information technology in the military has evolved from an administrative tool for enhancing office productivity into a national strategic asset in its own right.

I am not sure whether everybody in the government bodies really gets this: It is not about productivity anymore. It needs a sound and proper design and response – without organizational boundaries.

And there are more bad news. When war was “just” on the battle field, you needed weapons and the US had a huge advantage because of sheer size and power. This changed:

A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’ global logistics network, steal its operational plans, blind its intelligence capabilities, or hinder its ability to deliver weapons on target. Knowing this, many militaries are developing offensive capabilities in cyberspace, and more than 100 foreign intelligence organizations are trying to break into U.S. networks. Some governments already have the capacity to disrupt elements of the U.S. information infrastructure.

The challenge we face a security people is, that one vulnerability (or one careless user) might be enough to come in. Therefore:

In cyberspace, the offense has the upper hand. […] In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun. Cyberwarfare is like maneuver warfare, in that speed and agility matter most. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

It needs new approaches to defend “your” Cyberspace compare to defending your country. It might even be hard to figure out who is attacking you.

Whereas a missile comes with a return address, a computer virus generally does not. The forensic work necessary to identify an attacker may take months, if identification is possible at all.

And as everything is connected and based upon each other, the protection of your critical infrastructure is absolutely key. This needs a sound partnership between the government and the private sector.

Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks that control critical civilian infrastructure.

And finally, I – obviously – liked this paragraph Smile

Microsoft and other computer technology companies have developed sophisticated risk-mitigation strategies to detect malicious code and deter its insertion into their global supply chains; the U.S. government needs to undertake a similar effort for critical civilian and military applications.

If you are a security professional you might wonder, where the news are. To me it is all about where this analysis comes from, i.e. who wrote it, and about the openness of the statements made.

I would wish more governments realized this on the level the US seems to. It will be interesting to see what the outcome really is. There is a whole chapter on strategies in there, which is worth reading.

At the end of the day in a lot of governments it is unfortunately often not about technology but about organizations competing for the lead in the Cyberspace and withholding information for the sake of power – I am not talking about the US here as I am definitely not qualified to make a statement.

The only people who win in this game are the criminals and the terrorists…

Roger