Over the past year I've been fortunate enough to give my talk "The Interim Years of Cyberspace: Security in a Domain of Warfare" at a few different conferences. I had also been working on a publication and going through the security/editorial process for the Air Force's Air and Space Power Journal. The piece was published a few days ago in their quarterly journal at:
I wanted to take a moment to reach out to the InfoSec Island community on this topic.
I know many of you are busy and may not read the piece, so I'll quickly summarize some of the key points and apply them more directly to the civilian community (my article was specifically for a military audience but many of the lessons are applicable):
There are a number of lessons useful to the cyberspace domain to be learned from airpower's "interim years" period between WWI and WWII where airpower was properly vectored.
A unified military approach is more beneficial to securing a domain of warfare. The point of my discussion here is that we do not need a "cyber force" but instead need everyone working together more effectively. The Navy and Army fighting over the role of airpower forced Congress to create the Air Force (given that I'm an AF Officer I'll note that it was a good move). That was needed for airpower but it's not needed for cyber power. However, currently everyone seems to be fighting over who gets to put "cyber" into their job titles and mission duties to get the money that follows. This is entirely the wrong approach as we should all be working together. That's a very easy thing to say and a hard thing to accomplish but I would reach out to all of you to try to avoid FUD as best you can. I know members in this community largely do the right thing but improperly claiming everything you do is "cyber" related is only hurting the domain as a whole.
Airpower had the ability to make influential political statements that transcended its own destructive capability. Strategic bombing, as an example, made many more statements to Russia and China during Vietnam than it did to the Vietnamese. I'd like to point out to the civilian community that we all, as educated members in this domain, need to realize that sometimes the capabilities we develop and advocate for have enormous consequences. As you all are leaders and experts in your own right, I would ask that, in pushing the cyber domain, you think about those more strategic actions. For example, the hacker that thinks he is helping the community out but is acting independently and actually takes down foreign targets could cause significant backlash.
Like airpower, cyber power's technologically advanced nature allows it to blur the lines of war; thus we must wield it responsibly. This point spoke mostly to the security of our own domain and citizens following the use of cyber power. For example, if you put some very powerful 0-days into a weaponized capability it is likely going to be used against you in the future. I think nations and governments around the world are still trying to figure out that one and in what regards (Stuxnet served as a case study but it was one of the first true case studies for this; the domain in that regard is very new). This could be a whole debate topic on responsible disclosure but I know that topic gets messy fast. Instead I would just say please be aware of the fact and help educate those around you.
The nature of war is not limited by technological advancements. This one largely speaks more to the military but I would ask the civilians who are still in disbelief that cyber can cause devastating, life-changing, or life-threatening actions to reconsider your position. Again, I think the members of this community largely get that but I have met plenty who do not. Advocating cyber power must be done responsibly and ethically. That is to say we must understand the capability without taking it to the extreme of FUD or to the other extreme of shrugging it off. Cyber power capabilities can absolutely lead to human loss of life, but not as easily as some want to claim.
Airpower used a varied approach to secure the domain and so must cyber power. This point really tries to advocate to the military to think outside the box and develop assets and capabilities that go beyond simply being bound to the "attack" or "defense" scenarios. Largely we will need the employment of threat intelligence and other developed capabilities to counter threats. In addition, to each of those people that say "defense isn't doable" and "it's only a matter of time before you get hacked" I would ask you to rethink your position and break out of that thought process. Defense is doable.
Those are the five lessons that I have in the paper. The rest of the paper speaks largely to my thesis of empowering commanders with actionable intelligence, having the government work better with the civilian community to protect the homeland (especially critical infrastructure), and the massive need for education in the cyberspace domain. I have a lot of respect for the InfoSec Island community and the many members here that I've been able to meet and interact with over the past few years. Your inputs and ideas have always been valued by me.
My biggest push to you all, and reason for posting here, is to continue (or honestly in some cases start) acting as true leaders by educating others. You all are experts and leaders in a variety of ways and that expertise is needed. It is easy to sit back and say "well they just don't get it" or to talk about Company X or Nation Y's leadership in a bad light. Instead I would challenge you to go inform those individuals.
When I present on this topic I speak largely about each individual's "sphere of influence" and what you alone can do. At times it may seem like people are ignoring you or you aren't accomplishing much but I would say that each of your spheres of influence has large and beneficial impacts. Use that influence to educate so that leaders at all levels can make better informed decisions. Many leaders honestly do not "get it" but it's not because they do not want to; many just need the community's help.
As always thank you all for your time and for your own leadership. I have gained much from being a part of the InfoSec Island community.
***Robert M. Lee is a US Air Force Cyberspace Operations Officer but this piece and his views do not constitute an opinion or endorsement by the US government, Department of Defense, or Air Force. His views are his own***