Quick Take: The Pentagon’s Cybersecurity Plan

BY Larisa Epatko  July 14, 2011 at 1:00 PM EST

Flickr
Photo of Pentagon by Flickr user Minfrieze

The Defense Department unveiled its long-awaited strategy for cybersecurity Thursday. The plan is aimed at defending its own computer networks and those of its partners, and developing “robust cyberspace capabilities.”

The department had held off releasing the non-classified portion of its plan until after the White House’s global strategy for cyberspace.

Rather than equating cyber attacks to acts of war, as some had expected, the Pentagon’s policy statement describes cybersecurity in the context of protecting military networks, and outlines five strategic initiatives to undertake toward that aim.

View the Pentagon’s full strategy:


We’ve asked several cybersecurity specialists for their take:

James Andrew Lewis

Director and senior fellow, Technology and Public Policy Program, at the Center for Strategic and International Studies:

“The interesting thing is that the classified version isn’t very different from what was made public. No other country has been as transparent about their defense planning.

“The strategy lays the groundwork for a coherent defense, but DOD knows they have a lot of work to do in implementing it. They’ve identified the right problems and the right approaches to addressing them. The big issues that will need work are defining cooperation with the Department of Homeland Security, developing ways to work with our allies, and getting an international dialogue going on cybersecurity norms. The best sign is they are already thinking about what the next strategy should look like.

“DOD wants strong public private partnerships and to get this they will have to build out some of the work being done in DIB (defense industrial base) and ESF (emergency support function) initiatives — that means finding better ways to work with Silicon Valley. Many companies are still a little shy about working with the government.

“One issue that comes up repeatedly and which the strategy didn’t address is making acquisitions work better for cybersecurity. Right now, the refresh cycle at DOD is measured in years. That’s not the same for our opponents.”

Alan Paller

Director of research at the SANS Institute, which provides information security training:

“The high point of the strategy, in terms of impact on the nation’s ability to protect its networks and systems, is Initiative 5. Part of the impact of this Initiative comes from the promise of innovative recruiting and training activities. But the larger part comes from the promise of deployment of the federal procurement infrastructure (sometimes they use the term “supply chain”) to provide incentives to vendors to build safer and more defensible systems and software. Procurement is the only major leverage the nation has — its $75 billion IT expenditure. Leveraging that to “persuade” companies to deliver safer systems is THE big step forward. However, the procurement Initiative works only for future systems that are touched by the procurement process.

“A second, and nearly equally valuable element is in Initiative 2. Specifically this is the first time the nation has fully and publicly committed to continuous monitoring and active defense that will allow the federal government to raise the bar in securing existing systems.

“In sum — very well done.”

Added July 15:

Mischel Kwon

Former director for the U.S. Computer Emergency Readiness Team, now runs a consulting firm:

“The strategy has no suprises. The DOD has been moving at a rapid pace to address this problem head on for some time, good to see it in writing and moving forward.

“Very happy to see this isn’t just about security tools and monitoring — but hygiene of their networks makes it into the plan, we have to get to the core hygiene problem that allows the known attacks to take place — this is not the sexy work — but it is critical.

“I agree there is a need for a whole-government cybersecurity strategy, but this cannot be DOD-dominated, and each agency needs the ability and funding to create a mission specific cybersecurity strategy. The civil government has unique missions, issues, and requirements that must be addressed as well.

“In moving to the new defense operating concept, I hope this also includes partnerships with private sector software/hardware vendors to use existing and develop new innovative tools — we need to take advantage of the high tech industries talents and innovations.”

On Thursday’s NewsHour, we’ll hear more about the cyber strategy from William Lynn, deputy secretary of defense. Follow us on Twitter.