Drivers and Strategies for DIB Cyber Readiness

Apr 20, 2022 | DTJ Online

Takeaways

  1. A resilient Defense Industrial Base (DIB) requires cybersecurity readiness and public-private partnerships for cyber upskilling…but to date, no unified approach has been defined.
  2. NDTA’s Cybersecurity Best Practices Committee prioritized strategies to prepare for a unified approach by bringing together representatives from small and large DIB members, Department of Defense (DOD) leadership, and Applied Learning & Teaching leaders from the education community.
  3. This NDTA working group aligned on five cybersecurity strategies related to both the US DIB and international defense.

Across the 50 US states and five territories, Americans witness the country’s burning platform of cybersecurity challenges from daily breaches in the news and their own experiences. In response, the White House has issued Executive Orders to urgently strengthen the nation’s cybersecurity1  and critical infrastructure systems2  underlying everyday life. The DIB and the Transportation Systems sector form a major intersection of these alarms. Attention on the DIB and Transportation Systems in this context is part of the series of presidential policy directives that define the country’s 16 Critical Infrastructures3,4 going back to 19985  and 20036.  

Fast-forwarding to 2021, US Critical Infrastructure protection across all 16 sectors still depends on public-private collaboration because the private sector, rather than the government, controls the majority of the assets. Public-private collaborations, especially in the Financial Service and Communications sectors, have effectively aligned big businesses and the government on the US National Infrastructure Protection Plan.7 However, no public-private collaborations to date have succeeded in mobilizing everyday behavior change on cyber-readiness among small businesses across the DIB, the transportation sector, or the other 14 critical infrastructures. The US Cybersecurity and Infrastructure Security Agency (CISA) does offer a reporting capability8 in addition to its National Initiative for Cybersecurity Education (NICE) training and exercises.9 The fact that virtually all Americans know they can call 911 to report a physical emergency, but few Americans realize they can access CISA’s incident reporting system to report a cyber emergency underscores that the US mobilization of cyber-readiness is still getting started.

For small business cybersecurity within the 16 Critical Infrastructures, a set of shared national strategies needs to evolve that address the cyber threat from two directions: 

  1. Cyberattacks that cause so much damage small businesses cannot afford to recover.
  2. Cyber protocol compliance requirements that outstrip the system capabilities or budgets of smaller businesses.

In short, leaving small businesses behind as the DOD increases its dependence on larger defense contractors shrinks both DIB capabilities for innovation and the opportunities for approximately 60 million people10 who make up nearly half of the nation’s private workforce. 

“The number of Defense Industrial Base small businesses has shrunk by more than 40% over the last decade. After the pandemic, 1 in 7 small businesses within the Defense Industry say they are unlikely to return to pre-pandemic profitability,” according to Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar in his May 2021 testimony to the US Senate.

Since the first Internet cyberattacks in the late 1980s, no administration has mobilized a united strategy to meet this challenge. Reversing that course requires a consensus on a disciplined innovation process to address the burning platform. 

Informing the National Agenda
As a potential first step, the US Senate gave an undisputed voice vote of approval in June 202111 for the nomination of Chris Inglis as the first National Cyber Director reporting to the President. With a portfolio to coordinate across the whole of government, his role offers an opportunity to develop a whole of nation mobilization of cyber-readiness to meet America’s cyber challenge. 

To inform the national agenda, the National Defense Transportation Association’s President, VADM (Ret.) Andy Brown and the Cybersecurity Best Practices Committee brought together a working group of industry, academic, and government leaders across all modes (air, land, sea, and space). The goal was to prepare an effective shared understanding of: 

  • The external forces or Drivers of that challenge; and
  • The Strategies required to address those external forces.

Those Drivers and Strategies reached a draft consensus on DIB cybersecurity as follows: 

DRIVERS (External Forces) FOR PUBLIC-PRIVATE MOBILIZATION OF CYBER-READINESS ACROSS THE DEFENSE INDUSTRIAL BASE

  • Increasing Cyber Threats. Cyber attack tools are innovating and proliferating at a faster rate than the adoption of effective prevention and response.
  • Disruption by the 4th Industrial Revolution. The transition to Networked Artificial Intelligence & Big Data creates skill and employment gaps for the current workforce.
  • Great Powers Flux. New dynamics of cyber, air, land, sea, space, economics, and the environment continue to re-align military power. 
  • Complex Interdependence. US and China maintain a unique adversarial relationship while also being each other’s largest offshore trading partners.
  • Industry Ecosystems with Shared Objectives. Nations, enterprises, and individuals increasingly operate as members of industry ecosystems with shared objectives by geography, market category, etc. Effective Ecosystem Leads (e.g., US Transportation Command, Defense Logistics Agency, and market leaders by category) engage the creativity of each ecosystem member in accordance with their shared objectives.
  • Challenges of Sustainable & Inclusive Growth. Demand for Sustainable & Inclusive Growth is expanding alongside increasing global uncertainties (e.g., climate change, cyber threats, political unrest, limited resources, and pandemics).
  • Digitally Organized Piracy. Illicit activities are being facilitated by new forms of less traceable cryptocurrencies.
  • Lack of strong and trusted global institutions and standards. Tensions are increasingly related to the issues of joint physical & digital defense domestically and internationally.
  • Questions on information integrity. Data availability is increasing exponentially while data reliability is decreasing.
  • The unknown. We don’t know what we don’t know.

STRATEGIES THAT RESPOND TO THE DRIVERS FOR PUBLIC-PRIVATE MOBILIZATION OF CYBER-READINESS ACROSS THE DEFENSE INDUSTRIAL BASE – through Ecosystem-wide Prevention, Preparedness, Response, & Recovery

Domestic DIB-related strategies

  • Nationwide upskilling across the private and public sector through a disciplined innovation process…with an identified leader for the process the way MIT’s Vannevar Bush was chosen to lead the science community mobilization during World War II.
  • Measuring Results in a more systemic way with anonymized vulnerabilities analysis after each attack that models the analytic discipline of the Centers for Disease Control’s weekly MMWR (Morbidity and Mortality Weekly Report). 

International defense related strategies12

  • Creating a CYBER equivalent to the Fourth Geneva Convention for shared agreements on the limits of cyberwarfare where possible (e.g., avoid targeting of hospitals).
  • Creating a CYBER equivalent to the International Committee of Red Cross and the Congressionally-chartered American Red Cross to provide immediate systemic support to those harmed by cyber incidents. This parallels for cyber the mass care provided by the International Red Cross during natural disasters or other conflicts. 
  • Creation of a CYBER equivalent of the International Atomic Energy Agency (IAEA) to serve as an internationally recognized and governed body that can systemically investigate and begin to enforce agreed upon global standards. The way the IAEA used its United Nations-chartered mandate to investigate the Chernobyl and Fukushima nuclear incidents parallels the Cyber Safety Review Board (CSRB) which has been newly created by the recent Presidential Executive Order to investigate cyber incidents. The CSRB’s role aligns with the National Transportation Safety Board’s role for investigating transportation incidents.

All these strategies directly benefit small business DIB members who otherwise will be left without the necessary resources to fend for themselves in the 30+ years of cyberattacks.

1 https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

2 https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

3 https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

4 https://www.cisa.gov/sites/default/files/publications/ISC-PPD-21-Implementation-White-Paper-2015-508.pdf

5 https://fas.org/irp/offdocs/pdd/pdd-63.htm 

6 https://georgewbush-whitehouse.archives.gov/news/releases/2003/12/20031217-5.html

7 https://www.cisa.gov/national-infrastructure-protection-plan

8 https://us-cert.cisa.gov/forms/report

9 https://www.cisa.gov/cybersecurity-training-exercises

10 https://cdn.advocacy.sba.gov/wp-content/uploads/2019/04/23142719/2019-Small-Business-Profiles-US.pdf

11 https://www.politico.com/news/2021/06/17/senate-confirms-chris-inglis-cyber-495075

12 Proposed by Microsoft President Brad Smith

 

By Ted Rybeck Chair, Benchmarking Partners, & Chair, NDTA Cybersecurity Best Practices Committee

Share This