In a recent interview with Breaking Defense, the U.S. Department of Defense’s Deputy Chief Information Officer for Cybersecurity, Richard Hale, emphasized the central role that cybersecurity is playing in the DoD’s acquisition process: “Every acquisition that DoD does needs to worry about cybersecurity. We’ve got to design and manage each of these computers… whether it’s in airplane or on my desk.”
“Whether the computer is on a desk or in a medical device or in the engine of a jet airplane, that computer has to be designed to be as resistant to attack as possible, it has to be configured securely every second, [and] it’s got to be able to be updated as quickly as possible,” Hale continues in the interview.
He further elaborates that, “The Joint Staff has recently put out a formal requirement document that includes cybersecurity as a key part of the survivability key performance parameter [KPP],” for every new acquisition. He also noted that his staff and that of the DoD’s chief procurement officer, Frank Kendall, “have jointly written a guidebook for acquisition programs on how to better secure things with embedded computing systems.” Examples of embedded computing systems are routers and modems, but can also be digital watches and MP3 players.
In terms of cyber defenses, Hale notes the utility of Joint Regional Security Stacks in putting up a layered defense: “We also want an infrastructure that’s designed to contain an attack (…) Some of the technologies we are deploying right this moment, help give us some of these zoning and maneuver options in much richer ways than we had 10 years ago.”
At the end Hale repeats the often heard mantra about the pervasive nature of cybersecurity in modern warfare: “We have to stay cognizant of the deep connection between the cyber domain and all the other warfighting domains. [Cybersecurity is] about defending our ability to execute the mission in every domain.” In other words, information dominance is part of the Pentagon’s cyberwar doctrine.
While this makes sense from a pure military point of view, the repeated reiteration of this concept can cause trouble when it comes to international cooperation on cybersecurity. For example, both U.S. and Chinese military doctrine (from scanning the thoughts of Chinese military theorists) call for information dominance during times of conflict, which necessitates active “network probes” during peacetime.
However, in order to avoid an escalation of tensions, I believe that both sides should agree to abandon their quest for information dominance. This is obviously easier said than done, but perhaps as an initial first step, an agreement could be produced to curtail active cyber defense in times of peace between both countries and call certain critical information infrastructures off limits.
Both countries must also actively promote cyber resiliency and adequate backup systems, as Richard Hale points out above. The reason behind this is that both China and the United States must create conditions in which neither side is vulnerable to a surprise knockout blow by incorporating adequate backup systems in both the private and public sectors. The end goal should be some form of strategic stability in cyberspace.