Cyber operations are playing an increasingly greater role in modern warfare. To U.S. military officials, the battlefield is no longer limited to the land, sea and air. In this new defense paradigm, protecting and attacking computer networks are just as important to national security.
The Pentagon admitted as much in April when it acknowledged launching cyber attacks against the Islamic State. "We are dropping cyber bombs. We have never done that before," Deputy Secretary of Defense Robert Work said at the time. "Just like we have an air campaign, I want to have a cyber campaign. I want to use all the space capabilities I have."
More recently, the National Security Agency said it’s first cyber troops will be ready for deployment this fall, perhaps as soon as September. These troops are part of the military’s Cyber Mission Force, which will eventually include 6,200 people divided into 133 teams. This unit is the largest in the military dedicated to defending and attacking computer networks.
Half of the Cyber Mission Force teams will handle guarding military networks from attacks while 20 percent will be assigned to combat operations. Around 10 percent will work to protect the nation’s infrastructure and five percent will be dedicated to what the Department of Defense called “support teams.”
Dedicating a team to defend infrastructure is a very smart decision. While attackers will always go after the armed forces, the targets that are typically the weakest in a country, as well as the ones that can cause great harm and massive public panic if they’re crippled, are those related to infrastructure. Chaos would ensue if attackers took down the industrial control systems at an oil refinery or tampered with the pumps that move water from a reservoir. Your local power company's defenses are no match for the hacking tools a nation-state has at its disposal.
Truthfully, I’m surprised only 10 percent of the teams are handling infrastructure given all there is to protect. In addition to the usual utility providers that handle gas, water and electricity, I’d add ISPs and banks to the list of critical service providers. The Internet is part of our daily lives. We use it to communicate, conduct business and store information. Without Web access, many of us can’t function. As for banks, the major financial institutions have hardened their networks and have detailed incident response plans in place for when they’re attacked. My concern lies with the smaller, regional banks that lack the technology and security staff to detect and stop attacks.
I’d also extend infrastructure to include food and beverage manufacturers, particularly around securing their industrial control systems. While these companies may know what’s happening on their endpoints and have traditional security tools in place like firewalls or antivirus programs, often times the systems controlling the machines in a factory are overlooked. Food poisoning is easy to carry out if an attacker can program a machine to add more or less of a certain ingredient, for example.
Understandably, some organizations may have privacy concerns over working with the U.S. government and granting the NSA access to sensitive operational information. Keep in mind that a majority of the Cyber Mission force appear to be analysts. They’re going to look at network data and figure out if the organization is under attack. Given the lack of security talent, many companies struggle to fill these roles. The government, on the other hand, is providing these employees and this service. And don’t forget, the U.S. government may have already amassed information on companies and citizens using clandestine means.
Then there’s the valid argument that the private sector is better equipped than the government to defend computer systems from attacks. While this is probably true for major, multinational organizations with deep pockets, there are tons of smaller companies that could probably use some help with security. Every company, regardless of revenue, industry or employee headcount, is a target for hackers.
There are many questions about exactly how the Cyber Mission Force will function, including how it will interact with other government agencies that handle cyber operations, and just how hands-on the NSA’s force will be when working with infrastructure providers. Will these troops be delving into network architecture and hardening it? Those answers are still unknown.
But the NSA has at least one thing right: every attack is a series of decisions made by a person, a point that’s sometimes forgotten by the people who handle defense.
"I always tell [our workers], 'Don't ever forget that at the end, we're dealing with a choice that some human made on a keyboard somewhere else in the world,' " said Michael Rogers, the director of the NSA and the person who will oversee its Cyber Mission Force. "There was a man or woman on the other end of this."
Israel Barak is Cybereason’s CISO.