Global threats to computer networks require friendly nations to pool resources and share information
BRIG. GEN. JETH REY, DIRECTOR OF COMMAND, CONTROL, COMMUNICATIONS AND COMPUTER SYSTEMS, U.S. CENTRAL COMMAND
Eighteen months after my attendance at the 2019 Central Region Cyber Conference (CRCC), the image that stands out in my mind is one of side-by-side collaboration. During a table-top exercise, cyber professionals from across the central region worked together to reveal gaps in our mutual defenses. The level of cooperation was remarkable. Since I became U.S. Central Command’s director of Command, Control, Communications and Computers Systems (J6), I continue to be encouraged by the willingness of our partners to share information and contribute to the overall understanding of shared threats.
Cyber professionals understand the importance of working together. The cyber battlespace is shared, vulnerable and under persistent attack. Our enemies are becoming emboldened in the cyber domain, and attacks are increasing in frequency and severity. Persistent cyberspace campaigns, calibrated below the level of armed conflict, pose a long-term risk to the prosperity, security and innovation of the United States and its allies and partners. I am encouraged to see positive movement on the cooperation front; however, attacks from adversaries require a more assertive, proactive posture in cyberspace to deter targeted activities designed to erode our military advantage.
To emphasize the criticality of defensive cyber operations, it helps to look at attacks in the commercial sector in terms of the imposed financial costs. According to recent reports, the average cost to corporations of a data breach is $4 million globally, while cyber attacks cost, in aggregate, more than $3 trillion annually. Further, these costs are estimated to increase 11% each year! Despite the increase in malicious activity — certainly in the commercial sector, but also in government and the military sphere — I am encouraged by improvements cyber professional are making across the theater.
The importance of cooperation
The most significant advancement in cyber security within the Central Region is an increased willingness to share information and learn from other nations. Over the past decade, the theater has experienced a major cultural shift because partners are increasingly open about cyber crimes, intrusions, attacks on critical infrastructure and data exfiltration. Though the desire to keep such attacks private is a natural tendency, we as a community and a coalition can only get stronger by improving mutual defense tools. Not a single country or organization is immune to the effects of malicious cyber actors. The more open and transparent we are among partners and allies, the more likely we will be able to defeat common adversaries.
I am encouraged by examples of cyber partners working together. CRCC events have become more interactive with rich dialogue shared across the full cyber spectrum. Major investments in bilateral and multilateral exercises have resulted in demonstrated improvements of partner capabilities. During Eager
Lion 19, cyber-savvy troops from Jordan defended the exercise network from attack, while Saudi Arabia, Iraq and Kuwait sent observers. Eagle Resolve, planned for 2022, will also feature cyber events, a first for that particular exercise. Further, Army Central Command hosted its fifth Cyber Warrior Competition at Camp Arifjan, Kuwait, in May 2019. The event advanced cyber defense and hunt capabilities while providing a forum for cyber warriors to learn from each other and demonstrate U.S. and Kuwaiti cooperation. The Kuwaiti Cyber Defenders won the 2019 competition.
Collaborative cyber exercises allow our most skilled technicians to learn from each other and determine how best to defend their own networks and infrastructure. Following the advice of their cyber professionals, many partner nations are beginning to request Foreign Military Sales cases from the United States to improve cyber capability and provide for increased interoperability and collective defense of their nations. These forward-thinking militaries will ensure their nations are better positioned to operate within a coalition.
As exciting and promising as these accomplishments might be, consideration of our adversaries’ capabilities can be sobering. Some of our adversaries have cyber forces over 100,000 strong, and they are becoming increasingly more sophisticated. They view cyberspace as an arena where the United States’ overwhelming military, economic and political power is vulnerable and can be neutralized. Iranian attacks, for example, have advanced from simple website defacements to destructive attacks designed to destroy data and systems, including critical infrastructure. As our governments and industries become more reliant on technology, these efforts also provide more opportunities for malicious actors to exploit. Our enemies’ cyber forces are well funded, skilled and continuously probing for weaknesses.
In light of these challenges, it is in the U.S. Department of Defense’s mandate to work with allies and partners to strengthen cyber capacity, expand combined cyberspace operations, and increase bi-directional information sharing to advance mutual interests. If we are not investing in machine learning, artificial intelligence and shared networks and marching toward combined planning, operations and web tool development, we may cede our competitive advantage, especially as we expand our networks and information system requirements.
To combat the health risks associated with the COVID-19 pandemic, many industries rushed to provide telework capabilities for their employees. Essye Miller, then principal deputy to the U.S. Defense Department’s chief information officer, said: “With the increased telework capability comes an increased attack surface for our adversary.”
Gen. David Goldfein, then chief of staff of the U.S. Air Force, reported that enemies are already working to exploit vulnerabilities associated with telework. The present realties of remote working emphasize that we must strike a balance between operational necessity and trained cyber security personnel to protect our systems.
Another challenge to cyber security professionals is the outsourcing of domain management to “trusted” third parties. Many governments and industries are looking to outside entities to secure their information systems, believing that outsourcing will save time and money. Based on my own experiences with leading transformative efforts in information technology (IT), I believe purchasing IT services provides tremendous value. However, defense leaders must carefully consider external service providers before granting them access to networks and data. Chief information officers (CIOs) must protect data as if it were the most sacred resource within their area of responsibility. We must assume cyberspace is a contested and compromised environment, and our focus should be “transport agnostic.” Data is our primary concern.
As the CENTCOM J6, my concern is the protection and availability of data within any application or storage facility. Many organizations and governments are considering cloud computing as a way to save money within their IT departments. U.S. Department of Defense CIO Dana Deasy testified that any cloud solution would undergo friendly penetration testing to ensure data is safe from adversaries.
The advent of 5G technology will offer opportunities and challenges to Central Region nations. Middle Eastern and North African nations are expected to be the first in the world to launch commercial 5G networks. Because these networks transfer massive amounts of sensitive personal, corporate and government information, they are particularly attractive targets for adversaries. With persistent access to a partner’s 5G network, an adversary could engage in widespread espionage, threaten the privacy/human rights of citizens globally, conduct information operations, engage in economic coercion or disrupt critical infrastructure in a crisis.
Further, many nations are rightly concerned with the security risks associated with Chinese infrastructure and hardware, especially because existing statutes require Chinese companies to cooperate with the Chinese intelligence community. In fact, evidence of backdoors or security vulnerabilities have been found in a variety of Chinese devices across the world. This is a major concern for the public and private sectors because low-cost installations and services (at least initially) are enticing to countries eager to adopt the technology.
Another major problem facing our militaries is related to supply chain management. Numerous risks are associated with the supply chain including:
- Security vulnerabilities within the supplier systems
- Third party data storage
- Compromised software or hardware
- Physical security of suppliers
The important thing to remember about supply chain risks: It is a problem not just for IT or cyber security providers but for logisticians and resource managers. The latter should be just as invested in mitigating the supply chain risks as the former. Supply chain management is a collective problem that requires collective responsibility to resolve. We must address these challenges across functional lines of responsibility and share strategies for improvement. Given the global nature of the telecommunications supply chain, the Defense Department must operate effectively around the world, even if networks have been compromised.
Our cyber adversaries are well funded, skilled and largely nameless, and it is critical that Central Region partners continue to build on our collective strength. Our power lies in the relationships and trust that we have worked decades to build. We all recognize that we are engaged in a continuous competition against strategic adversaries, rogue states, and terrorist and criminal networks.
Russia, China, Iran and North Korea all use cyberspace as a means to challenge the United States and its allies and partners with a recklessness they would rarely attempt in other domains. With that perspective, I remain optimistic and inspired to further build toward a future of seamless, combined cyberspace operations planning and execution with our Central Region partners.
Although it was unfortunate that we had to postpone the 2020 CRCC, we will take advantage of this operational pause to reimagine the next CRCC. My team will be bringing in speakers who will stretch our thinking because as cyber professionals we must challenge norms and demand innovations to increase security. Together we will secure the critical information and infrastructure required to enable mission assurance.