Chapter 10: Preserve and Employ the Military Instrument of Power
This pillar comprises implementing defend forward in day-to-day competition to counter adversary cyber campaigns and impose costs, as well as being prepared to prevail in crisis and conflict. It is important to note that the military instrument of power is intended to complement, rather than supplant, other instruments.
This pillar focuses on two key aspects: implementing the military component of defend forward and securing the resilience of key weapon systems and functions.
The recommendations here focus on ensuring that the US protects its ability to employ the military instrument of power.
STRATEGIC OBJECTIVE #1: GROW THE CAPACITY OF THE CYBER MISSION FORCE (CMF) TO MEET THE SCOPE OF THE THREAT AND GROWING MISSION REQUIREMENTS
Key Recommendation: Congress should direct the Department of Defense to conduct a force structure assessment of the Cyber Mission Force (CMF).
Direct the Department of Defense to Create a Major Force Program (MFP) Funding Category for US Cyber Command
- A new MFP funding category for the US Cyber Command would provide it with acquisition authorities over goods and services unique to the command’s needs; it should also provide a process to expeditiously resolve Combatant Command/Service funding disputes.
Expand Current Malware Inoculation Initiatives
Review the Delegation of Authorities for Cyber Operations
Reassess and Amend Standing Rules of Engagement (SROE) and Standing Rules for Use of Force (SRUF) for US Forces
Cooperate with Allies and Partners to Defend Forward
Require the Department of Defense to Define Reporting Metrics
Assess the Establishment of a Military Cyber Reserve
Establish Title 10 Professors in Cyber Security and Information Operations
STRATEGIC OBJECTIVE #2: ENSURE THE SECURITY AND RESILIENCE OF CRITICAL CONVENTIONAL AND NUCLEAR WEAPONS SYSTEMS AND FUNCTIONS
As adversary threats become more sophisticated, the US should be able to address the challenges in protecting its essential military systems and functions.
Key Recommendation: Congress should direct the Department of Defense to conduct a cybersecurity vulnerability assessment of all segments of the NC3 and NLCC systems and continually assess weapon systems cyber vulnerabilities.
While Congress & DoD have already taken critical steps to improve weapons systems cybersecurity, barriers to effective cybersecurity still remain, such as the lack of a permanent process to periodically assess the cybersecurity of fielded systems. It is crucial to also evaluate how a cyber intrusion or attack on one system could affect the entire mission.
With DoD systems more connected than ever, cybersecurity measures must take a more integrated approach and take into account the impacts of cyber vulnerabilities across systems. Routine testing should be conducted to stress-test mission critical systems and processes in light of an evolving threat environment, and the results should be communicated to Congress.
Additionally, DoD must enforce cybersecurity requirements for systems that are in development early in the acquisition lifecycle, ensuring that they remain baked into the front end of the process, rather than “bolted on” later.
Require Defense Industrial Base Participation in a Threat Intelligence Sharing Program —
- Currently, intelligence sharing programs exist, but they are insufficient. The companies most capable of participating are large prime contractors, however, DoD also relies on small to medium sized companies/subcontractors, which leads to two issues: 1. DoD lacks a complete view of supply chain, and, 2.Smaller entities with fewer resources to devote to cybersecurity may provide an opening for adversaries to access information paramount to national security.
- Therefore, Congress should legislatively require companies that make up the Defense Industrial Base to participate in a threat intelligence sharing program that would be housed at the DoD component level; should contain key elements such as: Incentives for certain types of specifically delineated information sharing, such as incident reporting, further empowerment of and resources to the NSA’s Cybersecurity Directorate, and a shared and real time picture of the threat environment.
Require Threat Hunting on Defense Industrial Base Networks
Designate Threat Hunting Capability Across the Department Of Defense Information Network
Assess and Address the Risk to National Security Systems Posed by Quantum Computing
- To fully understand and prepare to counter the risks of quantum computing to national security systems, Congress should include language in the FY2021 NDAA that requires DoD (NSA) to comprehensively assess the threats and risks posed by quantum technologies to national security systems and develop a plan to secure those systems.
This assessment should include:
- Specific recommendations for addressing identified risks and anticipated resource requirements
- A proposed framework for how to prioritize the defense of different national security systems and a timeline for implementation
- An assessment of ongoing effort to develop quantum-resistant cryptographic standards, including expected timelines for that development, budget shortfalls in public/private efforts to reach such a standard, and the feasibility of alternate quantum resistant models, such as quantum cryptography