US military learning cybersecurity lessons from businesses

In its new cyberdefense strategy, the Pentagon is drawing on lessons about agility, lifecycle management and supply-chain protection that have already been learned by private corporations.

The "Defense Strategy for Operating in Cyberspace" calls for industry best practices such as promoting secure computing by users, sound network design and secure network management.

BACKGROUND: U.S. international cyberspace policy sounds good; will be hard to implement

It calls for mimicking private-sector businesses practices for securing networks. "DoD will integrate the private sector's continuous renewal method to harden its own computing devices and sustain its cyber hygiene best practices," the strategy says.

"Cyber hygiene must be practiced by everyone at all times; it is just as important for individuals to be focused on protecting themselves as it is to keep security software and operating systems up to date."

The initiative relies on the private sector to carry out some of its goals. For example, it calls on ISPs to work with the government to mitigate risks that affect military networks.

The strategy calls for cooperation with private industry to shore up supply chains and minimize risks posed by products and services that come from firms in other countries. Counterfeit products also pose a risk that needs to be mitigated, the DoD says.

The military will shorten its lifecycle for network infrastructure to fall in line with common private industry practices -- 12 to 36 months versus the current seven or eight years.

"To replicate the dynamism of the private sector and harness the power of emerging computing concepts, the DoD's acquisition processes for information technology will adopt five principles," the document says. These principles are:

* Match the acquisition process with technology development lifecycles.

* Employ incremental testing and development rather than deploying monolithic systems.

* Sacrifice some customization for speed of deployment.

* Impose different levels of oversight-based department prioritization of critical systems.

* Improved security evaluation of all new systems. "No backdoor can be left open to infiltration; no test module can be left active."

In addition to drawing on corporate practices, the Pentagon policy statement offers up some initiatives that businesses might learn from, but often are too vague to offer clear steps that might be taken.

* Build a culture of information assurance through training and imposition of higher penalties for malicious activity.

* Employ secure cloud computing. (The document doesn't offer details on how it will secure its cloud resources, which is an ongoing challenge of corporate IT security professionals.)

* Develop more secure architectures and operating concepts. (The document doesn't detail what they are.)

The Pentagon says it will rely on Silicon Valley to rapidly produce new technologies that could bolster defenses and change the way the Internet works. "DoD will explore game changing approaches, including new architectures, to strengthen DoD's defense capabilities and make DoD systems more resistant to malicious activity. DoD will pursue revolutionary technologies that rethink the technological foundations of cyberspace," the cyberspace strategy says. "To do so, DoD will partner with leading scientific institutions to develop new, safe, and secure cyberspace capabilities that are significantly more resistant to malicious activity."

That could be a boon for high-tech businesses, particularly those businesses that can act quickly to develop new technologies. "DoD will also promote opportunities for small and medium-sized businesses, and the Department will work with entrepreneurs in Silicon Valley and other U.S. technology innovation hubs to move concepts rapidly from innovative idea, to pilot program, to scaled adoption across the DoD enterprise," the strategy says.

This work will include collaboration with academia and other elements of the government as well.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityindustry verticalsgovernment

More about LAN

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts