ANALYSIS The US National Institute of Standards and Technology (NIST) is planning significant changes to its Cybersecurity Framework (CSF) – the first in five years, and the biggest reform yet.
First published in 2014 and updated to version 1.1 in 2018, the CSF provides a set of guidelines and best practices for managing cybersecurity risks. The framework is designed to be flexible and adaptable rather than prescriptive, and is widely used by organizations and government agencies, both within and outside the US, to create cybersecurity programs and measure their maturity.
Following a long consultation, NIST has published a concept paper (pdf) for CSF 2.0 and opened it up to further review. The resulting feedback will be used to develop a final draft of the revised framework, due out sometime this summer.
“We think that there’s been enough changes in the cybersecurity landscape to warrant a significant update this time around,” says Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program lead.
“There have been changes in cybersecurity standards, including those published by NIST but also elsewhere; there’s been significant changes in the risk landscape and in technologies. And so even though the vast majority of our respondents said they still like the framework, there were a number of changes that folks are looking for, and so we thought it was time for us to do a refresh.”
Cherilyn Pascoe, senior technology policy advisor at NIST and Cybersecurity Framework Program lead
Expanded audience
One notable change is who the framework is aimed towards. Since the publication of CSF 1.1, the US Congress has explicitly directed NIST to consider the needs of small businesses and higher education institutions, beyond its original target demographic of critical national infrastructure organizations (in utilities, telecoms, transport, banking etc).
“The scope was originally for critical infrastructure, as defined under [a US President] Executive Order, but over time lots of organizations have started to use it,” says Pascoe.
“We don’t want organizations to have to make that determination about whether or not they’re critical infrastructure, which is sometimes a legal issue that comes with additional burdens, and so were proposing to broaden it to all organizations.”
There are also plans to increase international collaboration, and encourage more countries to adopt the framework, either in full or in part.
Meanwhile, a new ‘Govern’ function will join the existing five precepts – Identify, Protect, Detect, Respond, and Recover – with the aim of positioning cybersecurity risk alongside other enterprise risks such as threats to financial stability.
The new function would include determination of the priorities and risk tolerances of the organization, its customers, and larger society; assessment of cybersecurity risks and impacts; the establishment of cybersecurity policies and procedures; and an evaluation of cybersecurity roles and responsibilities.
“There has been a lot of work to better understand how cybersecurity risk can be incorporated as part of other enterprise risks, so alongside financial risk; the importance of senior leadership being aware of cybersecurity risks and the policies and procedures that would need to be in place to address cybersecurity,” says Pascoe.
“I think there’s become much more awareness that cybersecurity is not just a technical issue and that it’s something that needs to be addressed by the upper levels of the organization,” she added.
This addition is largely a response to the growing use of the framework to structure discussions about cybersecurity risk between technologists and senior managers.
Joined-up thinking
One issue highlighted during the request for information was the need to improve the alignment of the framework with other NIST and non-NIST security programmes, such as the Risk Management Framework and Workforce Framework for Cybersecurity.
Respondents also called for more practical guidance on applying the framework, leading to a new section focused on implementation examples. While the framework remains focused on high level outcomes rather than specific processes, according to Pascoe, “these examples will help give a starting point for organizations to think about different ways that they can implement the higher level subcategory outcomes”.
Risk management
For the first time, the new framework will have a significant focus on supply chain risk management, helping and encouraging organizations to address third-party risks of all kinds, from cloud computing to computers, software and networking equipment, along with the non-technology supply chain.
However, says Pascoe, there are mixed opinions about how to do this: in particular, whether cybersecurity supply chain management should be integrated into the framework’s existing structures or split off as a separate function.
“Everyone thinks yes, this is a really important issue, but feedback was mixed, so we’ve said let’s think some more about this and how to address it,” she says.
“It sometimes goes by sector, and is sometimes based off their existing regulatory requirements; so, for example, the financial sector is very regulated for cybersecurity and they have existing third party requirements that they’re hoping to see within the framework, so they’re probably the most vocal about wanting a significant expansion for third party [responsibilities].”
Measure for measure
CSF 2.0 is also set to include more guidance on measurement and assessment, with a common taxonomy and lexicon to communicate the outcome of an organization’s measurement and assessment efforts, regardless of the underlying risk management process.
“NIST is a measurement science agency and so we’re always striving to develop tools to measure things – but cybersecurity measurement is probably one of the hardest things that we’ve ever tackled,” says Pascoe.
“Organizations are asking the question: ‘Now that I’ve used the framework for a decade, how do I know that my cybersecurity posture is improving and the actions that I’m taking are beneficial to reduce the risk?””
The plan is to provide additional guidance about how to do access levels of security maturity – some in CSF 2.0 itself, and some in separate guidance.
Privacy, zero trust conundrums
NIST decided not to merge its privacy framework with the CSF after consulting stakeholders, although Pascoe says that could be a move for a future CSF 3.0 given increasing “overlap between the two”.
Pascoe foresees disagreement, or at least significant further discussion, on topics such as the applicability within the framework of zero trust – a network security concept that urges organizations not to trust any device by default, regardless of whether it sits outside or inside an organization’s perimeter.
NIST’s view is that zero trust need not be incorporated into the framework, even though applying the architecture is a priority for the Biden administration.
Vendor neutral?
Another area still very much up for discussion is NIST’s proposal to keep the framework technology- and vendor-neutral, with some calling for it to address specific topics, technologies, and applications.
“The framework has always been tech-neutral, but organizations are looking for more guidance when they are, say, leveraging cloud or leveraging the internet of things or operational technologies,” says Pascoe.
“And so that one’s going to be a really particular struggle to make sure that we are remaining tech-neutral, while also not excluding any particular systems – but I think there are a number of organizations that were looking for us to go further than that, and have specific guidance for each of these technologies.”
Comments on the proposals can be submitted to NIST at cyberframework@nist.gov until March 3, with a draft planned for summer, followed by a public review.
“So we’re going to try and find consensus where we can, but some of these changes on governance and supply chain are really large. Hopefully we’ll be able to find a solution,” Pascoe concluded.
Many government CIOs over- or underestimate the potential of robotic process automation (RPA). These strategies improve the chances of success.
In short:
The hype around robotic process automation (RPA) can result in government CIOs understating its potential or overpromising its benefits.
Common pitfalls include underestimating the total cost of ownership of RPA-based solutions and neglecting alternative and effective automation tools.
To realize the true promise of RPA, adopt a structured approach to automation, establish a shared center of excellence to manage automation as a whole (not just as RPA) and pilot simple use cases with a clear return on investment to demonstrate value.
The popularity and use of robotic process automation (RPA) is expanding across governments around the world. Used more and more to perform mundane manual tasks, remove keying errors and reduce processing times, RPA ultimately frees up staff to focus on activities of higher value.
Gartner expects that by 2024, 75% of governments will have at least three hyperautomation initiatives launched or underway, and RPA is a critical part of the modernization journey. You can help smooth the way by preemptively addressing potential blind spots in strategy.
“Government business leaders tend to overhype or misunderstand the role of robotic process automation and end up underestimating the total cost of ownership (TCO) of RPA-based solutions,” says Dean Lacheca,Senior Director Analyst at Gartner. “There’s also a tendency to focus too narrowly on RPA rather than the wider topic of hyperautomation, which results in government communities of practice (COPs) and centers of excellence (COEs) not fully examining the automation tools and approaches needed for an effective hyperautomation strategy.”
Learn more: Gartner BuySmart™ helps you make smarter tech purchasing decisions.
Deploying RPA in digital government
Robotic process automation offers government organizations from all tiers and segments opportunities to streamline administration and optimize government processes. The ROI ranges from improved citizen experience to improved data quality — and the freeing up of the workforce to focus on more value-added activities.
Three ways to realize the true potential of RPA in government:
In the 2021 Gartner Digital Transformation Divergence Across Government Sectors Survey, 19% of government respondents said are already using RPA, with a further 33% indicating they intend to deploy RPA in the next two years. RPA’s popularity stems mostly from the operational efficiencies delivered, its ability to deliver benefits quickly and its use in automating legacy system processes.
To balance and quantify the “speed to value” benefits against total cost of ownership, improve your chances of success with the following three strategies.
1. Adopt a structured approach to automation that reviews processes and identifies a roadmap
The low cost of entry makes a business case for implementing RPA relatively obvious, but the total cost of ownership often becomes a challenge, especially for CIOs using RPA as a means to extend the life of legacy applications.
While RPA may look at first like a quick fix for an underlying problem, core legacy risks and technical debt remain. To better address this issue, take a structured approach, treating RPA as part of a larger suite of tools that augment or automate processes. Make clear whether RPA is being used as a productivity tool or an interim step on a longer modernization initiative — which also helps to manage stakeholders’ expectations.
2. Establish a shared automation COE that includes RPA
Government agencies increasingly use COPs and COEs to ensure the full realization of the benefits of automation tools such as RPA. As supported processes become increasingly complex, COEs and COPs help establish new controls that ensure the appropriate security, management and orchestration for automation solutions.
Automation solutions are not one-size-fits-all, and while there is always pressure to deliver better ROI, it’s never a good idea to simply scale the volume of scripts or bots as each one has its own maintenance and utilization costs. Even where an infrastructure is in place under an existing license, there may be limited skilled resources available to maximize ROI.
3. Pilot RPA on straightforward tasks with a clear ROI
Hype around RPA creates the false perception — especially among non-IT people — that it’s a simple way to deliver process efficiency targets. This distracts from the reality of how RPA is best used and what its benefits really are.
The proven benefits of government process automation and augmentation include increased efficiency, which helps to free the workforce to take on more productive work, fewer errors (and, as a result, increased data quality), and an improved citizen experience through faster processing time and reduced double handling.
A big part of your role in RPA is to demystify and position it correctly with government decision makers. Aim to identify specific RPA use cases that are not overly complex, possess structured data and have simple processing paths.
Such use cases help you engender a better understanding of RPA tools and demonstrate some early benefits to the business. Also, these use cases will be an important part of a realistic change management process, and they can be an effective tool to gain support and manage expectations.
Take inspiration from RPA in action
With the growing popularity of RPA, examples abound of its tangible benefits to government organizations. A U.S. State of Federal RPA Report from November 2020 noted that preliminary results from the 23 programs assessed showed “the annualized hours saved by automations deployed increased from 285,651 to 848,336, a 195% increase.” The December 2021 report said the “federal RPA community has reduced over 1.4 million hours (and counting) of low-value work across the [U.S.] government to date.”
Regardless of mission or purpose, internal functions like finance,procurement, payroll and HR can all benefit from RPA’s ability to optimize tasks and processes. Scale will be the factor that influences the value of the benefits, but larger departments or organizations with significant procurement will reap most value.
Save the Date: Feb 16, 2023 – Cloud Applications and Development #CBNE with Steve Karam. Beginning at 3pm followed by a networking happy hour at Coffee Bar 1010 at 4pm.
This CBNE we will be discussing the latest advancements in cloud applications and development technology. Join industry, academia, and government leaders to discuss topics such as developing cloud-based applications, deploying and scaling cloud applications, and other related topics. You will also have the opportunity to network with peers and get valuable insight into the current state of cloud computing.
♦️Amanda S. | Jonathan Payton | Joel Scharlat | Matthew Weaver | Kaleb Hunter | Katharine Reinboldt | Jeff Rose | Michael Schwartz and CHEVERLY | Donovan Applewhite | Luke Wright | Sam Hanson | Steve Karam | Dr. Paul de Souza |
Yet despite all of the money and attention that has been thrown at the “cyber problem” and for all of the increased authorities and appropriations from Congress, the nation’s offensive and defensive cyber capabilities suffer from inefficiency and a lack of a unified approach, slow to non-existent progress in even the most basic of cybersecurity efforts, and a short leash that is inconsistent with the agility of actors and adversaries in cyberspace. Our adversaries continue to attack our diplomatic, information, military, economic, and political systems at speeds never before seen.
The discourse surrounding the formation of a dedicated service for space defense has captured the American imagination, and for good reason. Since World War II, America has shown her ingenuity and innovation, and the success of the U.S. Air Force provides a historical model for how a combat-ready, specialized fighting force can be built around a new warfighting domain. However, a force structure has already taken shape within the U.S. military that would logically translate to its own service, and the operational culture it would both allow and cultivate would greatly enhance the effectiveness of national security.
It is past time to form the U.S. Cyber Force (USCF) as a separate branch of the United States Armed Forces.
America’s Position in Cyberspace is Challenged Daily — but it can be Strengthened
It’s no surprise that a wider breadth of adversaries can do more harm to American interests through cyberspace than through space, and for far less cost. In the aftermath of the 2008 Russo-Georgian War — the cyber “ghosts” of which are still alive and well in 2018 — Bill Woodcock, the research director of the Packet Clearing House observed, “You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to.”
Deterring and responding to Russian hybrid warfare in cyberspace, countering Chinese cyber theft of U.S. intellectual property, shutting down state and non-state actor attacks, defending American critical infrastructure — including the very machinations of our democracy, such as voting and political discourse and even cyber defense of U.S. space assets are just some of the heavy-lift missions that would occupy a U.S. Cyber Force.
Admiral (retired) Jim Stavridis recently described four ways for the U.S. and allied nations to counter challenges like the weaponization of social media and multifaceted information warfare campaigns on Western democracy: public-private cooperation, better technical defenses, publicly revealing the nature of the attacks (attribution), and debunking information attacks as they happen. A dedicated U.S. Cyber Force, with the proper ways and means to do so, could accomplish all of these things, and be a major stakeholder from day one.
Admiral (ret.) Mike Rogers, former Director, National Security Agency (NSA)/Chief, Central Security Service (CSS) and Commander, USCYBERCOM, in his 2017 testimony before the Senate Armed Services Committee, cautioned against prematurely severing the coupling of cyber operations and intelligence that has been the hallmark of any success the U.S. has thus far enjoyed in cyberspace. General Paul Nakasone, the current DIRNSA/CHCSS and Commander, USCYBERCOM, made the same recommendation in August 2018. Despite increased resourcing of USCYBERCOM by both Congress and the Executive Branch, operational authorities in cyberspace are hamstrung by concerns about blending Title 10 military operations with Title 50 intelligence activities, along with negative public perception of the NSA. The relationship between USCYBERCOM and NSA requires a complicated (and classified) explanation, but blending cyber operations with rapid, fused intelligence is vital, and go hand-in-hand — to separate them completely would be to take the leash that already exists around USCYBERCOM’s neck and tie their hands with it as well. Offensive and defensive operations in cyberspace are two sides of the same coin — and intelligence is the alloy between them. Standing up a U.S. Cyber Force would also enable a deliberate re-imagining of this unique symbiosis, and a chance to — very carefully — lay out lines of authority, accountability, and oversight, to both prevent overreach and justifiably earn public trust.
The above challenges could be addressed in part by refining the existing structures and processes, but the real sticking point in USCYBERCOM’s sustainment of fully operational cyber forces lies in how we build forces ready to be employed. Force generation of the CMF through the various armed services’ manning, training, and equipping (MT&E) their own cyber warriors is an inefficient and weak model to sustain a combat ready force in this highly-specialized and fast-moving mission area.
Cyber resources play second-fiddle to service-specific domain resourcing; for example, the Department of the Navy has an existential imperative to resource the maritime domain such as shipbuilding and warplanes, especially during a time of great power competition. The cyber mission is secondary at best, and that’s not the Navy’s fault. It just simply isn’t what the Navy is built or tasked to do. This same reality exists for our other military services. Cyber will always be synergistic and a force multiplier within and across all domains, necessitating the need for the services to retain their existing internal cyber operations efforts, but feeding the joint CMF is ultimately unsustainable: the CMF must sustain itself.
The Cyber Force is Already Taking Shape
USCYBERCOM, NSA, the 133 teams comprising Cyber Mission Force — are approaching full operational capability in 2019 — and the operational and strategic doctrine they have collectively developed can now more easily transition to a separate service construct that more fully realizes their potential within the joint force. There is a strong correlation here with how the U.S. Army Air Force became the U.S. Air Force, with strong support in Congress and the approval of President Truman. The DoD has begun revising civilian leadership and building upon cyber subject matter expertise, as well, with the creation of the Principal Cyber Advisor (PCA) to the Secretary of Defense — a position that Congress not only agreed with but strengthened in the Fiscal Year 2017 National Defense Authorization Act. Such a position, and his or her staff, could transition to a Secretary of the Cyber Force.
The footprint would be small, and room in Washington would need to be carved out for it, but the beginnings are already there. Cyber “culture” — recruiting, retention, and operations — as well as service authorities (blending Title 10 and Title 50 smartly, not the blurry “Title 60” joked about in Beltway intelligence circles) would all benefit from the Cyber Force becoming its own service branch.
Perhaps one of the greatest benefits of a separate cyber branch of the armed forces is the disruptive innovation that would be allowed to flourish beyond the DoD’s traditional model of incremental improvement and glacial acquisition. The cyber domain, in particular, requires constant reinvention of techniques, tools, and skillsets to stay at the cutting edge. In the early 2000s, operating in a cyber-secure environment was thought to mean a restrictive firewall policy coupled with client-based anti-virus software. In 2018, we are developing human-machine teaming techniques that blend automation and smart notifications to fight and learn at machine speed. Likewise, the traditional acquisition cycle of military equipment, often taking 4-6 years before prototyping, just doesn’t fit in the cyber domain.
In short, the “cyber culture” is an incubator for innovation and disruptive thinking, and there are professionals chomping at the bit for the chance to be a part of a team that comes up with new ideas to break norms. A dedicated acquisition agency for cyber would be an incubator for baked-in cybersecurity controls and techniques across the entire DoD acquisition community. The Defense Innovation Unit (DIU) — recently shedding its Experimental “x” — is proving that something as simple as colocation with innovation hubs like California’s Silicon Valley and Austin, Texas, and a willingness to openly engage these partners, can deliver innovative outcomes on cyber acquisition and much more. Similarly, the Cyber Force must be free to exist where cyber innovation lives and thrives.
Creating the USCF has other benefits that would be felt throughout the military. The Army, Navy, Marines, and Air Force, relieved of the burden of feeding the offensive and national CMF and paying their share of the joint-force cyber bill, can better focus on their core warfighting domains. This doesn’t absolve them of the need for cybersecurity at all levels of acquisition, but a USCF can be an even greater advocate and force-multiplier for DoD cybersecurity efforts. Services can and should retain their service-specific Cyber Protection Teams (CPTs), which could be manned, trained, equipped, and tactically assigned to their service but also maintain ties into the USCF for operations, intelligence, and reachback. Smart policies and a unity of effort can pay big dividends here, as the services would naturally look to such an organization as the resident experts.
The service cyber and personnel chiefs have made a clear case before the Armed Services Committees of both houses of Congress for the urgent need for flexibility on issues such as rank and career path for cyber experts specifically. Cyber needs were repeatedly cited as the rationale for the need for changes to restrictive military personnel laws. Many of these items were indeed addressed in the Fiscal Year 2019 (FY19) National Defense Authorization Act (NDAA), with provisions which may now be implemented by each service in what is hailed as the biggest overhaul to the military personnel system in decades:
Allow O-2 to O-6 to serve up to 40 years without promotions, or continue service members in these grades if not selected for promotion at a statutory board
Ability for service members to not be considered at promotion boards “with service secretary approval” — for instance, to stay in “hands on keyboard” roles
No need to meet 20 years creditable service by age 62 for new accessions (no need for age limit or age waiver above 42 years old for direct commissions)
Direct commissions or temporary promotion up to O-6 for critical cyber skills
But even these provisions do not go far enough, and the services are not obligated to implement them. When the challenges of pay, accessions at higher rank, physical fitness, or military standards in other areas come up, invariably some common questions are raised.
A common question is why don’t we focus on using civilians or contractors? In the case of naval officers, why don’t we make them Staff Corps (instead of Restricted Line), like doctors and lawyers who perform specialized functions but need “rank for pay” and/or “rank for status?” What about enlisted specialists versus commissioned officers?
The answer to the first question is easy in that we do use civilians and contractors across the military, extensively. The reason this is a problem is that we also need the expertise in uniform, for the same legal and authorities reasons we don’t use civilians or contractors to drive ships, lead troops, launch missiles, fly planes, and conduct raids.
As for making them Staff Corps officers or equivalent in the other services, the Navy, for instance, has been talking about going the other direction: making officers in the Navy Information Warfare community designators (18XX) unrestricted line, instead of restricted line, like their warfare counterparts, or doing away with the unrestricted line vs. restricted line distinction altogether. This is a matter of protracted debate, but the reality is that some activities, like offensive cyberspace operations (OCO) and electronic attack (EA), are already considered forms of fires under Title 10 right now — thus requiring the requisite presence of commissioned officers responsible and accountable for the employment of these capabilities. The employment of OCO creates military effects for the commander, and may someday be not just a supporting effort, or even a main effort, but the only effort, in a military operation.
Under the Navy’s Information Warfare Commander Afloat Concept, for the first time the Information Warfare Commander of a Carrier Strike Group, the Navy’s chief mechanism for projecting power, can be a 18XX Officer instead of a URL Officer. If anything, we’re shifting more toward URL, or “URL-like”, and the reality of the information realm as a warfighting domain is only becoming more true as time goes on, if not already true as it stands today.
So what about our enlisted members? They’re doing the work. Right now. And the brightest among them are often leaving for greener pastures. But still for reasons of authorities, we still need commissioned officers who are themselves cyber leaders, subject matter experts, and practitioners.
None of this is to say that direct commissioning of individuals with no prior service as officers up to O-6 is the only solution, or that it would not create new problems as it solves others. But these problems and all of the concerns about culture shock and discord in the ranks can also be solved with a distinct U.S. Cyber Force which accesses, promotes, and creates career paths for its officers as needed to carry out its missions, using the full scope of flexibility and personnel authority now granted in the FY19 NDAA.
Another major challenge is the lack of utilization of our reserve components. Many members of our reserve force have multiple graduate degrees and 10-15 years or more of experience, usually in management and leadership roles, in information technology and cybersecurity. We have individuals in GS/GG-14/15 or equivalent contractor and other positions, who are doing this work, every day, across the Department of Defense (DOD), the Intelligence Community (IC), academia, and industry.
Yet reservists are currently accessed at O-1 (O-2 under a new ARCYBER program), need to spend 3-5 years in training before they are even qualified to mobilize, or for the active components to use in virtually any operational or active duty capacity. And that’s after doing usually a year or more of non-mobilization active duty, for which nearly all employers don’t give differential pay because of existing employment policies, including in federal GS/GG positions.
We have very limited mechanisms and funding sources to even put reservists on active duty at NSA or USCYBERCOM, where our service cyber leadership repeatedly stateswe need people the most. And in the rare instances we manage to put people on some type of active duty in a cyber role in their area of expertise, it often is not a “mobilization” under the law — which means a person is now an O-2 or O-3, and with that “level” of perceived authority and experience to those around them. And they often just left their civilian job where they are recognized as a leader and expert — and easily make $200k a year.
National Security Operations Center (NSOC) c. 1985 — National Cryptologic Museum
Most people appreciate that you can’t just magically appear as an O-6, and have the same depth, breadth, and subtlety of experience and knowledge as a O-6 with 25 years in uniform. Yet these O-6s, as well as general and flag officers, routinely retire and assume senior leadership positions in all manner of public and private civilian organizations where “they don’t know the culture” — because they’re leaders.
So while a person off the street doesn’t have the same level of understanding of the military culture, it’s incorrect to say they can’t innovate and lead on cyber matters — to include in uniform as a commissioned officer. We’re not so special to imply that you can’t lead people and do the critical work of our nation, in uniform, unless you’ve “put in your time” in a rigid career path. It’s time to change our thinking, and to establish a military service to support the realities of that shift.
Recommendations
The call for a dedicated cyber branch of the U.S. Armed Forces is not new. Admiral (ret.) Jim Stavridis and Mr. David Weinstein argued for it quite passionately in 2014, calling on national leaders to embrace cyber innovation and imploring us to “not wait 20 years to realize it.” Great strides have been made in the four years since that argument was made, and we are closer than ever to realizing this vision. It will take a focused effort by Congress and the president to make this happen, as it did with the U.S. Army Air Forces becoming the U.S. Air Force in 1947. A tall order, perhaps, in today’s political environment, but not impossible, especially given the desire to compromise on issues of national defense and when both Republicans and Democrats alike are seeking wins in this column.
To summarize: the threat is eating our lunch, USCYBERCOM and the CMF are nearly ready to transition to their own service branch, and the benefits of doing so are numerous:
Sensible use of resources spent on cyberspace operations
An incubator of disruptive and rapid innovation in the cyber domain
Improved oversight and accountability by policy and under U.S. Code
More efficient and sustainable force generation and talent retention
Better alignment of service-specific core competencies across all warfighting domains
Synergy with a unified space commander (such as cyber protection of satellite constellations)
The United States House of Representatives recently ordered the Government Accountability Office (GAO) to begin an assessment on DoD cyberspace operations as part of the FY19 NDAA. This study, due to Congress in 2019, should prove enlightening and may become a foundational effort that could be built upon to explore the feasibility of establishing the U.S. Cyber Force as a new branch of the Armed Forces. Congress could order this as soon as FY21, with the Cyber Force fully established by the mid-2020s (blazingly fast by federal government standards, but no faster than the proposed Space Force).
Conclusion
The President has also now relaxed rules around offensive cyberspace operations, perceiving the urgent need to respond more quickly to cyber threats and cyber warfare directed at the United States. We have a great stepping stone in USCYBERCOM, but with no plans to take it to the next step, even a dedicated combatant commander for the cyber domain will face challenges with the above issues for the duration of its lifespan. Similar to how we are just becoming aware of space as a distinct warfighting domain, cyber has alreadybeen a warfighting domain since the beginning of the 21st century. The time for a U.S. Cyber Force is now. The threat in cyberspace, and our underwhelming response to it thus far, cannot wait.
Travis Howard is an active duty Navy Information Professional Officer. He holds advanced degrees and certifications in cybersecurity policy and business administration, and has over 18 years of enlisted and commissioned experience in surface and information warfare, information systems, and cybersecurity. Connect with him on LinkedIn.
The views expressed here are solely those of the author and do not necessarily reflect those of the Department of the Navy, Department of Defense, the United States Government, or the University of Wisconsin–Madison.
Featured Image: National Security Operations Center floor at the National Security Agency in 2012 (Wikimedia Commons)
As quantum computers continue to advance and become more powerful, they present a significant threat to the Department of Defense’s cybersecurity assurance.
When former Pentagon’s Chief Data Officer, David Spirk, left his post in March 2022, he did so with a warning: “I don’t think that there are enough senior leaders getting their heads around the [cybersecurity] implications of quantum… I think that’s a new wave of computers that, when it arrives, is going to be a pretty shocking moment to industry and government alike.”
Quantum computers have the ability to process information much faster than classical computers, making them capable of cracking the secure encryption algorithms relied on to protect information today. This could allow adversaries to access sensitive military intelligence, disrupt communication networks, and even disable military systems.
In late 2021, the head of the NSA’s Cybersecurity Directorate signaledthat developing next-generation cryptologic systems to secure weapon systems from foreign adversaries was a top priority. In a fact sheet published that year, the NSA stated that “the impact of adversarial use of a quantum computer could be devastating to National Security Systems.”
The battle for quantum supremacy is already under way, and is set to fundamentally change the defense sector as the technology edges towards maturation.
The quantum threat is closer than you think
Many experts, including Spirk, believe that military applications for quantum computing could be less than 10 years away.
Case in point: according to the Pentagon’s annual report on Chinese military power, China recently designed and fabricated a quantum computer capable of outperforming a classical high-performance computer for a specific problem.
This is also why DARPA announced the ‘Underexplored Systems for Utility-Scale Quantum Computing’ (US2QC) program to explore potentially overlooked methods by which quantum computers could achieve practical levels of utilization much faster than current predictions suggest.
The White House recently signed the Quantum Computing Cybersecurity Preparedness Act into law, signaling that it regards quantum as a serious issue. The act addresses the migration of executive agencies’ IT systems to post-quantum cryptography (PQC) – encryption which is secure from attacks by quantum computers because of the advanced mathematics underpinning it.
As major powers like China, under its Digital Silk Road initiative, continue to accelerate investment into advanced technologies like AI and quantum computing, the US risks being left behind if it does not pay equal attention to the quantum opportunity – and to the quantum threat.
The need for action is all the more urgent because of the looming threat of ‘harvest now, decrypt later’ attacks, by which adversaries can gather sensitive data today to decrypt as soon as they have their hands on a sufficiently powerful quantum computer.
Time is running out for the DoD
The defense sector needs to take the threat of quantum computers seriously because they have the potential to greatly impact national security.
Encryption is a crucial tool for protecting sensitive military information, and if quantum computers are able to break current encryption algorithms, this could compromise the security of classified documents, strategic plans, and even communication networks. This could potentially give adversaries an advantage in military conflicts and put US military personnel at risk.
In addition to the potential impact on national security, the defense sector also has a responsibility to protect the personal information of military personnel and civilians. Quantum computers could potentially be used to steal sensitive personal information, such as social security numbers, as well as medical and financial information.
As DoD moves from network-centric operations to data-centric operations, PQC implementation becomes even more relevant, regardless of whether the data comes from the cloud or any other source. DoD’s Joint All Domain Command and Control (JADC2) and Joint Cloud Computing concepts, network modernization etc. will all require post-quantum cryptography for cybersecurity assurance.
Quantum computers also have the ability to perform complex calculations at a much faster rate than classical computers, which could allow them to disable or manipulate military systems. This could potentially disrupt communication networks, navigation systems, and even weapons systems, leading to potential loss of lives and damage to military assets.
First-mover advantage
In July last year, the National Institute of Standards and Technology announced a major milestone in its efforts to standardize post-quantum cryptography algorithms.
New draft standards are a welcome arrival and will hopefully dispel any hesitation about putting concrete transition roadmaps in place. But the bigger picture is that encryption standards are going through their biggest change in decades, and post-quantum cryptography will soon be essential for all businesses hoping to work with the US government. Up to $3 billion of federal quantum projects are now either in operation or planned, including a $1.2 billion National Quantum Initiative.
The advent of quantum technology converges with the race for global tech supremacy as well as a period of turbulent geopolitics. The longer the government and businesses wait to act, the greater the potential harm.
Freddie Hudson is director for the Federal and Defense Sectors at PQShield, a cybersecurity company specializing in post-quantum cryptography. He is a retired Army Lieutenant Colonel and experienced defense contractor specializing in cyber/IT and Integrated Air and Missile Defense.
Artem Vlasov, IAEA Office of Public Information and Communication
Matteo Barbarino, IAEA Department of Nuclear Sciences and Applications
Seven Ways AI Will Change Nuclear Science and Technology
22 Sep 2022
Artem Vlasov, IAEA Office of Public Information and Communication
Matteo Barbarino, IAEA Department of Nuclear Sciences and Applications
AI has the potential to advance the development of nuclear applications, science and technology. (Image: A. Vargas/IAEA)
Over the past decade, artificial intelligence (AI) has evolved rapidly, becoming increasingly sophisticated and capable of solving ever more complex problems. AI is deployed in sectors as diverse as manufacturing, transportation, finance, education and healthcare. In a similar vein, it has the potential to advance the development of nuclear applications, science and technology. Harnessing its capabilities in the nuclear field can positively contribute to addressing some of today’s most pressing challenges, from food security to climate change.
AI can contribute to combating diseases. It is already applied to support the diagnosis and treatment of cancer through improved image interpretation and precise tumour contouring, enabling more accurate treatment plans and adaptive radiotherapy — a process tailored to the anatomical characteristics of the individual patient. The IAEA has recently launched a coordinated research project in this area.
AI will also play an important role in the IAEA’s Zoonotic Disease Integrated Action (ZODIAC) initiative to help experts better understand the impact of zoonotic diseases on human health and predict, assess and contain future outbreaks of such diseases.
2. Food and agriculture
AI tools combined with nuclear technologies can help make food systems more sustainable and climate change resilient, while also addressing food and nutrition insecurity.
Experts deploy AI to process and analyse data to increase crop yields, estimate soil moisture, remediate radioactively contaminated land, detect and predict food fraud events and improve irrigation.
3. Water and the environment
Isotopic methods allow experts to study and track how water moves through different stages of the hydrological cycle and what transformations occur in this cycle due to climate change. Experts already apply AI-based approaches to quickly analyse huge amounts of water-related isotopic data stored in global repositories, such as the Global Network of Isotopes in Precipitation maintained by the IAEA and the World Meteorological Organization.
Effective and efficient analysis of data facilitated with AI helps scientists understand climate change and its impact on water availability worldwide.
4. Nuclear science and fusion research
Artificial intelligence plays an increasingly important role in nuclear science. AI are used in data analysis, theoretical modelling and experiment design, helping to accelerate fundamental research, for example in the realm of nuclear and atomic data evaluation and compilation, and advancing technological innovation.
A particular area that benefits from the application of AI is fusion research. With its ability to solve large and complex problems, AI can aid experiments and scientific discovery through modelling and simulations. These applications of AI are included in a new five-year IAEA coordinated research projectaimed at accelerating fusion research and development.
5. Nuclear power
Nuclear power is a reliable, low carbon source of energy, and it can benefit significantly from the inclusion of AI. By combining digital simulations of real nuclear facilities with AI systems, the industry can optimize complex procedures and improve reactor design, performance and safety. Such optimization can increase the efficiency of operations and reduce maintenance costs.
Machine learning — a process whereby AI learns by analysing large amounts of data — helps to automate tasks and thereby increase reliability and avoid errors. Furthermore, AI has considerable analytical and predictive potential to help monitor power plant processes and detect anomalies.
6. Nuclear security and radiation protection
As more and more countries choose to use nuclear technology for peaceful purposes and adopt nuclear power programmes, the IAEA works continuously to ensure the protection of people and the environment from the potential harmful effects of ionizing radiation.
AI can contribute to nuclear security and safety in several ways. It can be used in the processing of data from radiation detection systems to enhance the detection and identification of nuclear and other radioactive material. It can be applied to analyse data from physical protection systems to improve the detection of intruders. It can also help spot anomalies that could indicate a cyber-attack on a nuclear facility. Furthermore, in the realm of radiation protection, the integration of AI in safety standards-related software can reinforce the protection of the millions of workers with occupational exposure in medicine, construction, mining, shipping, agriculture and nuclear power.
7. Safeguards
Safeguards are technical verification measures through which the IAEA provides credible assurances that countries are honouring their legal obligations to use nuclear material for peaceful purposes only. The IAEA assesses states’ declared nuclear material and nuclear-related activities and seeks to verify the absence of undeclared ones through measures, such as inspections at nuclear facilities and sites.
Safeguards rely on large amounts of data obtained by various means, such as satellite imagery, environmental sampling, gamma ray spectroscopy and video surveillance. AI can help nuclear inspectors and safeguard analysts with the analysis of these data. Machine learning methods have already been used to detect outliers in large datasets and assist in verifying spent fuel and analysing surveillance recordings. AI is expected to further improve the efficiency of safeguards implementation by reducing the number of repetitive tasks performed by inspectors.
The way forward
The IAEA provides interdisciplinary fora for professionals to discuss and foster collaboration on the use of AI in nuclear applications, science and technology and is committed to sharing knowledge and forging partnerships through its AI for Atoms platform. As part of this initiative, the IAEA cooperates with the International Telecommunication Union, the UN Interagency Working Group on AIand almost 40 other UN organizations to provide a solid foundation for accelerated sustainable development with AI.
The AI for Good is a year-round digital platform of the United Nations system, where AI innovators and problem owners learn, discuss and connect to identify practical AI solutions to advance the United Nations Sustainable Development Goals.
A new watchdog review found that federal agencies overseeing critical infrastructure have only implemented 43% of recommendations made since 2010.
More than half of the Government Accountability Office’s recommendations for protecting critical infrastructure services from cyber threats have not been implemented since 2010, potentially jeopardizing the security of the nation’s power grid and other vital services, according to a report issued by the watchdog Tuesday.
The report found that of the 106 public recommendations for bolstering cyber critical infrastructure that have been issued by the agency since 2010, only 46 have been implemented as of December 2022.
“Until these are fully implemented, key critical infrastructures will continue to have increased cybersecurity risks to their systems and data,” GAO warned.
The report said that agencies need to focus on “strengthening the federal role in cybersecurity for critical infrastructure,” including placing a greater emphasis on enhancing their cybersecurity practices to account for shifting cyber threats.
GAO cited a March 2021 report, which found that the Energy Department had “developed plans to help combat these threats and implement the national cybersecurity strategy for the grid,” but did not “address distribution systems’ vulnerabilities related to supply chains.”
“As a result, these plans will likely be of limited use in prioritizing federal support to states in addressing grid distribution systems’ cybersecurity,” the report said.
Although GAO recommended that Energy “coordinate with the Department of Homeland Security, states and industry to more fully address risks to the grid’s distribution systems from cyberattacks” in its plans to implement the national cybersecurity strategy, the watchdog said that the agency has still not done so as of December 2022.
“The U.S. grid’s distribution systems—which carry electricity from transmission systems to consumers and are regulated primarily by states—are increasingly at risk from cyberattacks,” the report noted. “Distribution systems are growing more vulnerable, in part because of industrial control systems’ increasing connectivity. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.”
GAO also said that the Cybersecurity and Infrastructure Security Agency “needs to assess the effectiveness of its programs and services to support the communications sector,” which faces a range of human-related, physical and cyber threats.
GAO previously released a November 2021 report which warned that CISA “had not assessed the effectiveness of its programs and services supporting the security and resilience of the communications sector,” and “had not updated its 2015 communications sector-specific plan.” Although the watchdog recommended that CISA “assess the effectiveness of its programs and services to support the communications sector” and produce a revised plan, the agency had not implemented either recommendation by the end of 2022.
Story Continues Below Sponsor Message
null
Additionally, GAO said that the increase in ransomware attacks—particularly those directed at critical infrastructure services—necessitates enhanced interagency coordination between the Department of Homeland Security and the Department of Justice.
A September 2022 GAO report outlined how CISA, the FBI and Secret Service were working together to “provide assistance in preventing and responding to ransomware attacks on tribal, state, local and territorial government organizations,” but identified gaps in “aspects of six of seven key practices for interagency collaboration,” as well as concerns from respondents about “challenges related to awareness, outreach and communication.”
While the report recommended that DHS and DOJ “address identified challenges and incorporate key collaboration practices in delivering services to tribal, state, local and territorial governments,” the watchdog’s recommendations remained unaddressed as of December 2022.
Tuesday’s review is GAO’s third report in a four-part series on high-risk cybersecurity concerns that the federal government should immediately address. The previous two reports issued by GAO in its series similarly found that federal agencies were not doing enough to respond to identified vulnerabilities and operational deficiencies.
The first review, released on Jan. 19, found that federal agencies had failed to implement almost 60% of the cybersecurity recommendations issued by the watchdog since 2010. The subsequent high-risk report, issued on Jan. 31, found that agencies had not fully implemented almost 21% of GAO’s recommendations for safeguarding federal systems and information since 2010.
By Dr. Darío Gil, Senior Vice President and Director of IBM Research
KEY POINTS
Quantum computing technologies are rapidly progressing toward demonstrating application advantages for business and science.
And while this progress creates risk to today’s encryption schemes, quantum-safe cryptography solutions that exist today will protect our most-critical data.
The time is now for entire industries to understand how they can benefit from quantum computing, for organizations to educate their workforce — and for everyone to have a quantum-safe cryptography migration plan.
It’s been called the next big wave in computing. And it has the potential to revolutionize our approach to solving big problems, from how we discover new materials for a sustainable future to life-saving drugs to how we manage financial risk. I expect this to be the decade quantum computing arrives, but what exactly is it — and how does it impact the business world?
In short, it’s a way of computing that uses quantum physics to process information in a completely different way. Quantum computers approach complex problems differently by creating entangled multidimensional spaces where the patterns linking data can become clearer. Basically, they can find patterns that classical computers can’t. That means we have a completely new and different way to explore complicated problems that today’s computers can’t solve efficiently.
For the first time in the history of modern information technology, we will witness a fundamental new branch of computing emerge. As a scientist, I am thrilled about the possibilities of computing in the quantum realm, and as a business leader, I find these advances striking, particularly when I think about the potential applications. Carmakers, airlines, energy companies, healthcare providers, financial services firms and research organizations are already looking into quantum computing as a way to discover new products and services they could hardly have imagined a few years ago.As quantum computing becomes a reality, here’s what business leaders need to know.
Where quantum computers can help
Businesses are already looking at how they can use quantum computers to improve logistics, predict the price of financial options and research new materials for batteries. Daimler AG, for example, has been investigating how quantum computing could help develop next-generation lithium-sulfur batteries that could be more powerful and last longer than what’s available today. Bosch has begun exploring use cases in the field of materials science for fuel cells, electric engines and advanced sensors. And banks like HSBC are exploring the potential of quantum computing to develop new approaches to derivatives pricing, sustainability, risk and fraud.
Of course, it’s not always easy to know which problems a quantum computer can help with. That’s why businesses interested in how they could benefit from quantum also need to be thinking about the skillsets necessary to make the most of the new technology.
“As a scientist, I am thrilledabout the possibilities ofcomputing in the quantumrealm, and as a business leader,I find these advances striking,particularly when I think aboutthe potential applications.”
How to build a quantum workforce
Right now, 29 universities worldwide have master’s degree programs in quantum technologies. I see an opportunity for businesses to step in and help higher education train tomorrow’s workers, including undergrads, with the skills they’ll need to help industry apply quantum computing. IBM is already working with almost 100 academic institutions around the world, including two dozen historically black colleges and universities (HBCUs), to help educate traditionally underrepresented students in quantum information science.
Another source of talent will come from upskilling the existing workforce by teaching them how to program today’s quantum computers. Tools exist today that can translate common programming languages into a language the quantum computer understands — making it easier for quantum computers to tackle a unique industry problem.
Although businesses will need highly skilled personnel to help put quantum computing to work, some areas of the technology will be familiar and integrate seamlessly with existing operations. Because quantum computing is delivered over the cloud, for example, most companies will not need to maintain the computers themselves. That means businesses can incorporate quantum computing into their existing hybrid cloud architectures.
I often get asked, how many employees should I dedicate to exploring quantum computing? The answer is never zero.
Act now to keep your business secure
Amid the buzz about quantum computing are concerns that these machines will be able to break modern encryption — and business leaders are right to be concerned. While there’s been recent speculation that an algorithm, designed for classical computers, might be able to harness existing quantum computers to crack today’s most widely used protection schemes, let me be clear: this research has not been verified, and we have a long way to go before any quantum computer has the capability to decrypt RSA-protected data.
However, bad actors are already using an approach best described as “harvest now, decrypt later,” which means data can be stolen now and stored in the hopes of using a future quantum system for decryption. Thankfully, new quantum-safe approaches to encryption exist, have been verified by peer review-published research, are under consideration for government standards and can already be put in place to protect data and systems now for when that day comes.
Plan for the future of computing
Government funding and attention has raised quantum computing’s profile higher than ever, in part thanks to the National Quantum Initiative and the CHIPS and Science Act. These laws help fuel the future of quantum by accelerating research, expanding the quantum supply chain and providing more opportunities for researchers to explore business and science applications of quantum systems.
The bottom line for businesses is that now is the time to figure out how you’re going to take advantage of quantum computing. A true quantum industry is emerging with a growing ecosystem of startups, academia, national labs and industry partners using quantum computing devices every day — and this is just the beginning.
Save the Date: Feb 16, 2023 – Cloud Applications and Development #CBNE
Beginning at 3pm followed by a networking happy hour at Coffee Bar 1010 at 4pm.
This CBNE we will be discussing the latest advancements in cloud applications and development technology. Join industry, academia, and government leaders to discuss topics such as developing cloud-based applications, deploying and scaling cloud applications, and other related topics. You will also have the opportunity to network with peers and get valuable insight into the current state of cloud computing.
♦️Amanda S. | Jonathan Payton | Joel Scharlat | Matthew Weaver | Kaleb Hunter | Katharine Reinboldt | Jeff Rose | Michael Schwartz and CHEVERLY | Donovan Applewhite | Luke Wright | Sam Hanson | Steve Karam | Dr. Paul de Souza |
healthcarereimagined 