Unlike four of the five domains of warfare — air, land, sea, space and cyber — cyber is manmade. This affords unique latitude to shape the future of this still emerging domain.
"If you think about it, cyberspace is really the one environment that we're fighting in that we can actually change. We created it in the first place — by 'we' I mean [the Defense Advanced Research Projects Agency]," Kerry Long, program manager at Intelligence Advanced Research Projects Activity, said at the CyberCon conference hosted by Federal Times in Washington on Nov. 16. Long was referencing how DARPA invented what is now commonly known across the world as the internet.
"You can't change the air for the Air Force, you can't change the water for the Navy … but we can change cyberspace," he said. Long noted that in the next 10 years, cyberspace will continue to become more hazy. He anticipates that everyone across the world will use computing assets in large, commercial clouds.
"We're going to be operating workloads with the Chinese and the Russians on the same infrastructure — or certainly there's going to be that push," he said, noting that the intelligence community tried to resist but eventually caved, paying Amazon to build it a cloud. "We basically went to the commercial world and said: 'We're not going to build our own infrastructure this time, you build it for us.' And it looks a lot like what's already out there."
"In the next 10 years, how are we going to defend this space, and since we're building it, knowing what we know now, what changes? At DARPA, we didn't know what was coming — it wasn't DARPA's fault the internet became so hard to defend," Long said. "But it will be DARPA's and IARPA's fault if the next internet — which is going to be a massive cloud — isn't more defendable. This is what we're trying to invest our money in."
According to Long, with advancements in software and virtualization technology, cyberspace can look however anyone wants it to. Thus, the question becomes: What should this space look like? Developers should be able to solve problems related to how to perform big data analytics on a million workstations that weren't ever designed to be a good sensor, he said.
Director of National Intelligence James Clapper hit on a similar theme in testimony in front of the House Permanent Select Committee on Intelligence on Thursday. The challenge, he said, is the fundamental fact that the internet is unsecure. "Anytime you have a dependency on the internet, we're going to be playing catch up and reaction to defending our networks," he said.
Clapper has harped on this tone previously. In September, he said threats and actors in cyberspace such as hacktivist collectives, terrorists and nation states — all with different objectives — "operate on the very same internet."
"Sometimes all this makes me long for the … Cold War when the world essentially had two large, mutually exclusive telecommunications networks; one essentially dominated by the United States, and the other … dominated by the Soviet Union and Europe allies," he added.
Deputy Defense Secretary Bob Work also told the committee that the Department of Defense is taking a concerted effort at securing the "internet of DoD things."
"All of our weapons systems that we generally operate today were designed in an era where cybersecurity threats were not all that stressing," he said. "So going through all of the different systems we have, identifying all the cyber vulnerabilities and prioritizing those has been a big focus of the department."
DoD recently undertook an effort to reallocatefunds to purge all of its weapon systems to discover and mitigate these vulnerabilities.
Aside from the technical components and the infrastructure, there are legal, policy and doctrinal issues still to be hashed out. "The other issue I would mention is the creation of the substance and psychology of deterrence in the cyber realm," Clapper told the House committee. "That’s been a challenge. The issue there is whether you react on a binary basis or symmetrical basis, if you have a cyber assault and you respond in a cyber context, or do you retaliate some other way. I think that is going to be a challenge for the country."
Cyber deterrence has been a much-discussed and belabored policy in a domain where anonymity is the norm. "It took hundreds of years to develop law of the sea, which is maybe a rough analog to where we are with cyber. We haven’t had enough time yet to develop that body of law," Clapper said. "Until there are some norms developed and we have a firm definition of what deterrence means and this is recognized by both state and non-state actors, we’re going to have a problem with cyber defense."
Clapper also starkly outlined the difficulties of deterring non-state actors in cyberspace vis-à-vis nation states. Conveying deterrence to nation states is easier because everyone recognizes that there are mutual vulnerabilities. The greater challenge, he said, is on non-state actors, "which over time are going to develop more capabilities in the cyber realm to commit to render attacks. I think the notion of building a sense of deterrence, the psychology of deterrence in non-nation state entities is going to be difficult."
Clapper noted progress with the Chinese stemming from the agreement minted between Washington and Beijing in September 2015 not to conduct cyber espionage on intellectual property to benefit private companies.
With everyone sharing the same cloud infrastructure in the future, actions in cyberspace will have to be examined much more carefully.
"We would be arguing that if we take this down, we’re taking down Wall Street as well as the Chinese defense ministry," Long said.
From an intelligence perspective, all of the intelligence community’s information will be in this cloud, he said, and if the intelligence community messes with the cloud, which it will, given its information is hosted there, it will have to think about how that is going to happen. When breaking into another country’s assets, the intelligence community isn't too concerned how it will affect the adversary’s stock exchange or industries, but in the future, nations will have a reason for concern with everyone being more connected.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.