Tiffany Jones, director, Public Sector Programs and Strategy
As one might expect, details are scarce in the declassified version of the DoD’s first-ever cyberspace guidelines (released last Thursday). But from a 30,000-foot perspective, the policy looks sound.
Consider the five key tenets (or “strategic initiatives”) contained in the directive:
1: Treat cyberspace as a domain for training and equipping defense forces
2: Employ new defense operating concepts
3: Create strong partnerships between agencies and with the private sector
4: Build relationships with foreign allies
5: Leverage U.S. innovation
These are worthy goals, to be sure (in particular, the overarching themes of operational preparedness and information sharing). Even without the details, it’s heartening to see fundamentally sound priorities for a DoD infrastructure that houses—quite possibly—more sensitive information than any entity on the planet.
And yet simply protecting that infrastructure isn’t enough. Security in the cyber domain demands protection of the information itself, not just the network or individual access points. After all, with private-sector contractors inextricably rooted to the DoD chain of operations, and with a figurative explosion of federal workers on new mobile devices, it’s unrealistic to think that even the most advanced, Pentagon-level security channels will do anything other than postpone the inevitable risk.
Hopefully, the details of the DoD’s cyber operations strategy will address these very issues (for instance: the employment of new operating concepts, including active defenses using sensors, software and signatures).
Surely, there’s a long and difficult road ahead for the Federal Government in cyberspace in continuing to execute on these tenets and other existing cyber policies/directives. But the DoD’s new policy seems a good, sound framework to continue to forge ahead.