Purpose: The Air Force Cyber College is organizing a cyber strategy conference utilizing strategic design methodologies to answer the question of: What is the cybersecurity story of the third offset?
Overview: The problems facing the United States military and government in cyberspace are threat and vulnerability proliferation in our critical infrastructure and national security systems. Strategic thinking about cyberspace needs to move left of threat. Instead of having a reactive strategy, strategic guidance needs to be proactive.
It is conventional wisdom that typical defense-in-depth measures for cybersecurity are breached on a daily basis. From its inception, security has been an afterthought in the design of software and hardware. America is vulnerable because of our dependence on insecure technology infrastructure dependencies.
According to a 2013 Defense Science Board report, hackers have breached the designs of more than two dozen weapons systems. The report’s authors state that “[t]he widespread theft of intellectual property from the DOD and US industrial base, could position prospective adversaries with the knowledge needed to employ countermeasures to advanced US military systems, and also shorten a given adversary’s research and development timelines for such countermeasures.” Until our nation becomes more resilient and defended on the cyber front, a lot of the technologies and organizational changes to allow for the emergence of a third offset may not be attractive.
In 2017 the DSB recommended the creation of a “Cyber-Resilient “ ‘Thin Line’ of Key U.S. Strike Systems: The DoD must devote urgent and sustained attention to boosting the cyber resilience of select U.S. strike systems (cyber, nuclear, non-nuclear) and supporting critical infrastructure in order to ensure that the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attacks.”
In the early years of airpower, the US Air Force shaped an aerospace industry. The rapid pace of technological change involving partnerships between the military and industry influenced the development of airframe designs and engines. In cyberspace today, similar partnerships can be forged between the military and industry to enhance the design and development of secure software and hardware. Moreover, security should be designed in from the start. We still may be able to create a small piece of cyber in which we can operate with impunity – but this will not scale to the whole net. If we do create it, we won’t want it to scale, as the objective will be to keep others out.
Even if technology exists, the United States needs a flexible and adaptive strategy to defend against the full range of cyber threats based on the complexity of how those threats operate. The current national cybersecurity strategy has moved significantly forward, but is not sufficient to disrupt advanced threats in cyberspace. Since at least 2003, national strategy has focused on creating a secure cyberspace. The foundations of the current cybersecurity strategy are sound as a necessary baseline, but cybersecurity will always be imperfect, and capabilities are needed that can compensate for flaws in the system. Civilian organizations must become more than mere victims to protect their own systems and become partners in in information sharing. They must be incorporated into strategy development.
The conference will focus on all aspects of cyberpower. Topics of interests include, but are not limited to:
Cyber resilience, cyber assurance.
Developing cyber policy and strategy based on levels of resilience. If we have a “thin line” what cyber options should be on the table?
Assuring critical missions in a contested cyber environment by identifying and mitigating vulnerabilities, and understanding threat actors
Strategies of threat management using diplomatic, informational, military and economic levers of national power
Norms for targeting, signaling, escalation, and de-escalation in the conduct of cyber conflicts
Whole-of-Society cooperation strategies for sustaining efforts over decades with top-notch leaders and technologically diverse staff
Mapping societal cyber dependencies
Explorations of technologically possible near-to-long-term threats
Hypotheses about adversary approaches to using the third offset against us
Strategic Design Sessions: Strategic design sessions will convene in specific tracks over the course of two days. Participation will be by invitation only from the organizer to ensure that the right level of expertise is present in the discussions who have both the academic and military experience to ground actionable results. Working groups will be facilitated, moderated, and recorded to capture research findings, and aid in the production of proceedings.
Conference Outcomes: Produce actionable recommendations to the Air Force and DOD in the short term, and contribute to the academic body of literature in the medium term. Establishing the Air Force Cyber Strategy Conference as an annual event where experts across the government, private sector, academia and civil society come together to craft experientially informed policy recommendations is a long term goal.