Defense Media Network

Defense Cybersecurity

CYBERCOM was tasked to bring together all existing DoD cyberspace resources and synchronize the nation’s ability to defend information in a secure environment. That included providing a centralized command for cyberspace operations, strengthening DoD’s cyber capabilities, and integrating and enhancing military cyber expertise. Prior to the current combination of downsizing the uniformed services, budget cuts, sequestration, and the October government “shutdown,” CYBERCOM comprised some 11,000 military and civilian personnel across its four components. It has liaison officers within each combatant command and has expeditionary support units it can deploy worldwide, as needed.

In testimony before the Senate Armed Services Committee, Gen. Keith B. Alexander, CYBERCOM’s first commander as well as director of the NSA and chief of the Central Security Service, explained both the scope and difficulties facing the nation and DoD in an environment he described as “both orderly and chaotic, beneficial and perilous.”

“U.S. Cyber Command operates in a dynamic and contested environment that literally changes its characteristics each time someone powers on a networked device. Geographic boundaries are perhaps less evident in cyberspace, but every server, fiber-optic line, cell tower, thumb drive, router, and laptop is owned by someone and resides in some physical locale,” he said. “Cyberspace as an operating environment also has aspects unique to it. Events in cyberspace can seem to happen instantaneously. Data can appear to reside in multiple locations. There is a great deal of anonymity and strongly encrypted data are virtually unreadable.

“In cyberspace, moreover, sweeping effects can be precipitated by states, enterprises, and individuals, with the added nuance that such cyber actors can be very difficult to identify. The cyber landscape also changes rapidly with the connection of new devices and bandwidth and with the spread of strong encryption and mobile devices. … Convergence is our watchword; our communications, computers, and networks are merging into one digital environment as our political, economic, and social realms are being re-shaped by the rush of innovation.”

Col. Todd Wood, commander of the 1st Stryker Brigade Combat Team, 25th Infantry Division, gives Gen. Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency, and chief of the Central Security Service, a tour of the Tactical Operations Center at Forward Operating Base Masum Ghar, Afghanistan, on March 10, 2012. U.S. Army photo by Sgt. Michael Blalack

It also is a world in which the number of those with the capability, nature, and intent to harm U.S. and allied interests and operations in cyberspace is growing rapidly, with other nation-states topping the list of concerns. Alexander indicated the ability to track an attack back to its source has created a 21st century form of cyber MAD (mutually assured destruction), as any major cyber attack on the United States would “elicit a prompt and proportionate response.” But that may not matter to rogue states and criminal or terrorist organizations, which have been “behaving recklessly and aggressively in the cyber environment,” launching attacks that have been destructive to both data and property.

“We have also seen repressive regimes, desperate to hold on to power in the face of popular resistance, resort to all manner of cyber harassment on both their opponents and their own citizens caught in the crossfire. Offensive cyber programs and capabilities are growing, evolving, and spreading before our eyes; we believe it is only a matter of time before the sort of sophisticated tools developed by well-funded state actors find their way to non-state groups or even individuals,” he warned.

“The United States has already become a target. Networks and websites owned by Americans and located here have endured intentional, state-sponsored attacks, and some have incurred damage and disruption because they happened to be along the route to another state’s overseas targets.”

For example, during the Russian invasion of its former satellite, Georgia (now a U.S. ally), a cyber attack intended to disrupt Georgia’s internal networks wound up striking computers in America’s state of Georgia, where some of the East European nation’s cyber support structure is located.

“In keeping with DoD’s ‘Strategy for Operating in Cyberspace,’ CYBERCOM and NSA are together assisting the department in building: (1) a defensible architecture, (2) global situational awareness and a common operating picture, (3) a concept for operating in cyberspace, (4) trained and ready cyber forces, and (5) capacity to take action when authorized,” Alexander said. “Indeed, we are finding that our progress in each of these five areas benefits our efforts in the rest. We are also finding the converse – that inertia in one area can result in slower progress in others.

“Every world event, crisis, and trend now has a cyber aspect to it. And decisions we make in cyberspace will routinely affect our physical or conventional activities and capabilities, as well. USCYBERCOM is building cyber capabilities into our planning, doctrine, and thinking now – while we as a nation have time to do so in a deliberate manner. We do not want to wait for a crisis and then have to respond with hasty and ad hoc solutions that could do more harm than good.”

At an International Institute for Strategic Studies conference in Singapore on June 1, 2013, Secretary of Defense Chuck Hagel emphasized the importance not only of DoD-specific cybersecurity, but also the need to work with allies in the Pacific and worldwide.

“The U.S. and all nations in the region have many areas of common interest and concern in cyberspace, where the threats to our economic security, businesses, and industrial base are increasing. In response, the United States is increasing investment in cybersecurity and we are deepening cyber cooperation with allies in the region and across the globe,” he said. “We are also clear-eyed about the challenges in cyber.

“The United States has expressed our concerns about the growing threat of cyber intrusions, some of which appear to be tied to the Chinese government and military. As the world’s two largest economies, the U.S. and China have many areas of common interest and concern, and the establishment of a cyber working group is a positive step in fostering U.S.-China dialogue on cyber. We are determined to work more vigorously with China and other partners to establish international norms of responsible behavior in cyberspace.”

At a meeting of NATO ministers in June for their first in-depth review of cyber defense, NATO Secretary General Anders Fogh Rasmussen said the alliance experienced more than 2,500 “significant” cyber attacks in 2012. The greatest concern centers on attacks against systems that coordinate military actions among NATO’s 28 member nations.

“We are all closely connected, so an attack on one ally, if it is not dealt with quickly and effectively, can affect us all. Cyber defense is only as effective as the weakest link in the chain. By working together, we strengthen the chain,” he said during a news conference.

A similar approach is being pursued by the Center for Internet Security (CIS), a New York-based nonprofit organization focused on enhancing public- and private-sector cybersecurity readiness and response.

“My goal is to see how we can get information to the right people as soon as possible. I keep saying the bad guys already have it, so all we’re doing to ourselves, if we’re not sharing, is keeping it out of the hands of the good guys,” Will Pelgrin, the center’s president and CEO, said. “There are people out there who think information is power. I think sharing is power.

Chairman of the Joint Chiefs of Staff U.S. Army Gen. Martin E. Dempsey holds up a smartphone while discussing the importance of cybersecurity June 27, 2013, at the Brookings Institution in Washington, D.C. U.S. Department of Defense photo by D. Myles Cullen

“I look at how secure I was yesterday and how secure I am today and, if I’m more secure, I keep moving forward. You do have a plan; it’s just that plan has to be flexible enough to understand that this environment changes that quickly.”

Although not focused on military cybersecurity, CIS and others are pursuing similar goals and developing solutions that may be useful to everyone operating in cyberspace.

Another example is the “2013 Data Breach Investigations Report” (DBIR), headed by Verizon’s RISK (Research, Investigations, Solutions, Knowledge) team and including cybersecurity experts from 19 other organizations around the world. The DBIR emphasized the complexity and variety of cybersecurity, both offensive and defensive.

“Any attempt to enforce a one-size-fits-all approach to securing our assets may result in leaving some organizations under-protected from targeted attacks while others potentially over-spend on defending against simpler opportunistic attacks,” the report warned. “All in all, 2012 reminded us that breaches are a multi-faceted problem and any one-dimensional attempt to describe them fails to adequately capture their complexity.”

While the DBIR focuses on the civilian and commercial world, the four key elements in its “A-Threat Model” that must be identified in any threat assessment and security implementation scenario apply equally well to both defense and homeland security:

  • Actors: Whose actions affected the asset?
  • Actions: What actions affected the asset?
  • Assets: Which assets were affected?
  • Attributes: How was the asset affected?

Actors can be external entities (identified with 92 percent of reported breaches) with no implied trust or privilege; internal individuals who are trusted and privileged; or partners, including any third party sharing a business relationship with the victim organization, with some level of trust and privilege implied.

“[External] motive correlates very highly with country of origin. The majority of financially motivated incidents involved actors in either the U.S. or Eastern European countries (e.g., Romania, Bulgaria, and the Russian Federation), while 96 percent of espionage cases were attributed to threat actors in China; the remaining 4 percent were unknown. This may mean that other threat groups perform their activities with greater stealth and subterfuge. But it could also mean that China is, in fact, the most active source of national and industrial espionage in the world today,” according to the DBIR.

“Most insider breaches [14 percent of reported incursions] were deliberate and malicious in nature and the majority arose from financial motives. Of course, not all insiders are about malice and money. Inappropriate behaviors such as ‘bringing work home’ via personal e-mail accounts or sneakernetting data out on a USB drive against policy also expose sensitive data to a loss of organizational control. While not common in our main dataset, unintentional actions can have the same effect.”

While partner breaches are the smallest component in the report, it was emphasized these refer only to incidents in which a partner was the direct and deliberate source of a breach and not to breaches resulting from partner security lapses or other indirect causes.

“Some interpret attack difficulty as synonymous with the skill of the attacker. And while there’s some truth to that, it almost certainly reveals much more about the skill and readiness of the defender,” the DBIR concluded, adding that a key to that is “Initial Compromise-to-Discovery” – the time from when a breach occurs to when the victim first learns of the incident.

“If not the most, this must be one of the most important challenges to the security industry. Prevention is crucial and we can’t lose sight of that goal. But we must accept the fact that no barrier is impenetrable and detection/response represents an extremely critical line of defense. Let’s stop treating it like a backup plan if things go wrong and start making it a core part of the plan.”

Alexander agrees, as he told the Senate: “The novelist and visionary William Gibson once noted ‘the future is already here, it’s just not evenly distributed.’ We are seeing that future at U.S. Cyber Command. Cyber capabilities are already enhancing operations in all domains.

“We are working to contain the vulnerabilities inherent in any networked environment or activity while ensuring that the benefits that we gain and the effects we can create are significant, predictable, and decisive. We have no choice but to normalize cyberspace operations within the U.S. military and make them part of the capability set of our senior policymakers and commanders.”

This article first appeared in the Defense Fall/Winter 2013-2014 Edition.

By

J.R. Wilson has been a full-time freelance writer, focusing primarily on aerospace, defense and high...