Five Questions With: Francesca Spidalieri

Francesca Spidalieri is a Pell Center Fellow for Cyber Leadership at Salve Regina University who has published extensively on the topic of cyber security. As experts from across the country, including U.S. Defense Secretary Chuck Hagel, descend upon Newport to take part in Defense Innovation Days, she talks about the evolution of cyber threats to the United States.

PBN: You’ve famously said that there are only two kinds of businesses, those who know they’ve been hacked and those that don’t yet know they have been hacked. While it’s more likely that everyone in the defense department is vigilant about hacks, is the nature of cyber attacks on national defense different from that on private industry?

SPIDALIERI: Cyber attacks are pervasive and diverse. Unfortunately, they spare no target — regardless of whether private or public. Government agencies, military sites, government contractors and private companies alike have all suffered cyber attacks in recent years. The bottom line is that the main difference between the defense department and private industry is in the role that these two entities play within our society and in the resources they have at their disposal, rather than the nature of the cyber attacks themselves.

While cybersecurity should not be viewed as a military problem alone, the U.S. military relies extensively on cyberspace and its information and networks for its missions, and military networks are increasingly the target of cyber attacks, exfiltration and espionage. Moreover, the military would be called upon to respond, probably kinetically, in the case of a major cyber attack that produces death, damage, destruction or high-level disruption similar to the results that a traditional military attack would cause.

The growing scope and sophistication of cyber threats and the development of cyber tools as technical weapons have been accompanied by another realization: that there are far too few people — whether civilian or military — equipped with knowledge sufficient to protect the information infrastructure, improve resiliency and leverage information technology for strategic advantage. Government agencies and departments suffer from a particularly dire need of cybersecurity experts, as they often lose their best personnel to the private sector, who can attract top-level talent with lucrative salaries and plentiful career opportunities.

The U.S. Navy, for example, relies heavily on computer networks and satellites for its weapons systems and command and control, yet it desperately needs cybersecurity experts for a panoply of activities. They must not only protect computer systems ashore, each warship’s self-contained network, and the intranet shared with the Marine Corps, but they must also coordinate ships, planes and personnel. Similarly, security of satellites is paramount as they underpin nearly all U.S. military functions with communications, target and weather data, along with warning of missile launches.

Cyber espionage and cyber sabotage can not only speed up an enemy’s development of their own defense technologies, but it can also impose severe consequences for U.S. forces engaged in combat, as enemies can knock out communications, corrupt data and cause computer-based weapons to malfunction. A well-executed cyber attack could shut down or disrupt military command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) systems, and jeopardize the execution of entire military missions. The consequences for the U.S. military, and national security, could be devastating.

PBN: Given that national defense has to take cybersecurity as a major point of attack, how much of the defense department is deployed in cybersecurity? And how much of the defense budget is dedicated to cyber operations and cyber defense? Is it enough?

SPIDALIERI: Investment in cybersecurity has been on a steady increase in the past few years, even as the defense department budget slashed numerous other programs and activities as part of ongoing efficiency measures and funding cuts.

The proposed 2015 Defense budget — the first request in 13 years not based on U.S. forces being involved in a foreign war — painted a picture of the military moving toward fewer soldiers, reduced spending, and a greater reliance on technology and defense innovation. The $495.6 billion budget request included more than $5 billion in spending related to cyber, an amount that had already more than doubled in 2014 from 2013. The money will be spread across the various defense components and activities as part of comprehensive DoD plans to ramp up cyber operations. With the cyber funding distributed across the military — almost certainly including classified budgets — exact figures and programs are less than clear.

The Pentagon’s cybersecurity budget outline calls for spending almost $23 billion through fiscal 2018 to expand efforts on initiatives from protecting computer networks to developing offensive capabilities and information-assurance systems to increasing cyber operations.

In addition, while the Pentagon is bringing troop levels to their lowest level since the beginning of World War II, the size of cyber forces is on the rise. The U.S. Cyber Command, which manages military cyberspace operations and ensures the security of DoD information networks, is in the process of increasing its personnel from 900 at the beginning of 2013 to 4,900 by 2016. At the service’s component cyber commands, the Army will add 660, the Navy 1,000, the Air Force 2,000 and the Marines about 700 over the same time frame.

Whether these numbers are sufficient will depend on how the money and additional personnel will be used. The most important investments are supposed to be made in protecting critical infrastructures, developing cyber-attack capabilities for use against adversaries, and enhancing overall security of DoD networks and systems. Attention to risk-mitigation strategies and increased transparency will also be needed, especially in the post-Snowden era.

PBN: Is there greater vulnerability in the major defense weapons systems to hacks, or might enemies of the United States look to the more modest defense systems, say the Coast Guard, to find weaknesses to exploit? Why?

SPIDALIERI: A successful cyber attack to major defense weapons systems could cause damages of unimaginable proportions, but this type of attack would also be the hardest to plan and carry out, since those systems are highly protected and hardened. Hackers and cyber criminals are more and more looking for the weakest link within an organization, be it a disgruntled employee with trusted access to sensitive systems and information — think of Edward Snowden — or somebody who has not received the proper training, or does not take security seriously, or prizes convenience over security by sidestepping basic security practices. Thus, targeting a less valuable but more accessible target, such as a more modest defense system or lower-ranking official, is increasingly the strategy that hackers will employ.

Modern militaries rely almost exclusively on cyberspace to move information to decision makers — commanders and troops — provide targeting information for their weapons systems, and assure their situational awareness. This increasing dependence on cyberspace, alongside the growing array of tools used for cyber attacks, adds new elements of risk to the nation’s security and new vulnerabilities for the U.S. military. Indeed, strong cybersecurity skills, the ability to obtain, process, analyze, manipulate and correlate data, while impeding the ability of the adversary to do the same, will be the deciding factor for military success and resiliency.

PBN: Is the military focusing on the right tools and strategies? What other areas (e.g. training, cyber operations, cyber defense, etc.) should they focus on? Why?

SPIDALIERI: I believe a lot more needs to be done to educate a new cadre of cyber-strategic military leaders and personnel. Cyberspace education should be central for all military personnel, because future conflicts will inevitably feature a cyber component, and we must be prepared to address this reality or risk grave harm to national security. Yet, as one of my studies found (“Joint Professional Military Education Institutions in an Age of Cyber Threats”) the training of America’s next generation of military leaders and officers has often remained locked in time, focused on traditional military paradigms and unable to convey an understanding of the underpinnings of the new digital battlefield.

Advanced militaries around the world are embedding cyber capabilities in their existing force structures, and military planners are incorporating cyber attack into their doctrines and plans. Cyber-based technologies are vital to U.S. military operations — everything from transmitting secure information via encryption to a drone strike thousands of miles away relies on it — and our adversaries know this. As soldiers, sailors, airmen and Marines turn their attention from incoming missiles to cyber weapons, their training also has to evolve.

No captain of a ship would say: “I don’t know anything about the ocean, but I hired somebody to drive the ship.” Similarly, future generations of military leaders and government officials who have to navigate a digitized world need to have a deep understanding of the cyber context in which they operate. We don’t need to transform all our military leaders into computer scientists or engineers, but they must hone strong knowledge of cyberspace, the ability to make military and policy decisions based on knowledge of cybersecurity risks and potential impacts, and the knowledge necessary to leverage cyberspace advantages to create effective strategies.

PBN: Do you think that the cybersecurity landscape for national defense will look different in a decade? Why and how so? Will innovation play a major role in whatever changes take place and where will it take place?

SPIDALIERI: There can be no question that the cybersecurity landscape will continue to evolve dramatically in the next decade. Although we have already seen incredible advances in technology and innovation in the past two decades, we are only at the beginning stages of this new era, and more change is inevitable. Innovation will certainly play a huge role both in the military and commercial realms. The military is already planning to increase its use of robotics and smart, networked unmanned systems on land, air, and sea — including airborne drones, robotic trucks, unmanned underwater minehunters — for its missions, particularly as troop levels decline.

Cyber threats will also continue to grow in scope and sophistication as more people and institutions become reliant on these technologies. Cyber threats, in fact, will only intensify and multiply as state and non-state adversaries continue to embrace its attractive ratio of low entry costs and high reward potential. We cannot eliminate all the vulnerabilities inherent to cyberspace — if anything, because cyberspace is so vast and growing every day — but we can make it more difficult for hackers and cyber criminals to penetrate our networks and steal or disrupt our information.

New technologies, firewalls, encryption techniques, and other defense systems will continue to be constantly developed in labs around the world, but we cannot expect these new technologies alone to protect our information, critical infrastructure and national security. No matter how good a particular technology is, if it is not effectively adopted and implemented within an organization, and correctly used by skilled personnel, outsider and insider cyber threats are bound to continue to take us by surprise and challenge the U.S. ability to establish both a competitive and security advantage in cyberspace.

The key question is not whether the United States can develop the most powerful cyber capabilities in the world — we can. The question is whether our leaders — be they military or civilian — are equipped with the knowledge necessary to protect the things that matter in the information age and to leverage those things to our strategic advantage.