The DoD Cybersecurity Strategy https://www.fifthdomain.com/dod/2018/09/19/department-of-defense-unveils-new-cyber-strategy/ stresses nine key points. Are you aligning your spending with these objectives?
1. Using cyberspace to amplify military lethality and effectiveness
Cyberspace is a battle domain; are you equipped to fight the enemy there? Do you have the tools you need to defend your systems, and support the warfighter?
2. Defending forward, confronting threats before they reach U.S. networks
This is a tough target, but it’s necessary to hit it before the enemy hits us. New threats require new technology, new expertise. Have you planned for AI and ML deployments? Do you know which systems are most vulnerable to the “forward, confronting threats” facing the nation? Does your spending reflect that knowledge?
3. Proactively engaging in the day-to-day great power competition in cyberspace
The adversary moves fast, and uses the latest technology, attacking us every day, all day. Do your cybersecurity systems let you respond in kind? Can you respond as fast as they attack? If not, what do you need to procure to keep pace with the enemy?
4. Protecting military advantage and national prosperity
In the “Art of War”, Sun-Tzu famously said “All warfare is based on deception”. To keep the advantage, then, you must fool the enemy. Have you considered deception technology – “honeypots”, to use the outdated term – to maintain the advantage in cyberspace?
5. Recognizing partnerships are key to shared success in protecting cyberspace
When you buy a product, you don’t just buy bits and bytes; you buy the company behind the software: a de facto partnership. Consider the support model behind the software, not just its capabilities, it’s “speeds and feeds”.
6. Actively contesting the exfiltration of sensitive DoD information
When someone steals something in the physical world, you know it’s gone: they have it, and you don’t. When the enemy steals data, you still have it, so how do you know they do, too? Do you have systems in place to detect data exfiltration? Can you stop the bleeding immediately? Can you quickly determine the extent of the breach, and can you provide evidence of attribution to identify the perpetrators? All of these require new, sophisticated technology, technology that you’ll want to consider in your spending decisions.
7. Embracing technology, automation, and innovation to act at scale and speed
If you don’t use innovative and cutting-edge technology, the enemy most certainly will; in fact, they already are. Yes, there’s a risk to using new software and hardware, but the risk of falling behind the adversary is much higher. Look at small, innovative companies, think outside the box. Use OTAs if necessary; they’re tailor-made for this type of procurement.
8. Supporting the defense of critical infrastructure
“Critical infrastructure” often translates to IOT: everything from heart monitors and other medical equipment, to HVAC systems to embedded systems on weapons and satellites. Have you considered IOT security requirements in your spending calculations?
9. Recruiting, developing, and managing critical cyber talent
Talent is great; well-trained and up-to-date talent is better. Training options abound, and they’re a key part of keeping cybersecurity staff fully engaged and working effectively.