Strategic Context:

• The Speed of Trust by Stephen M.R. Covey
• Learning to Think Strategically by Julia Sloan
• The Watchman’s Rattle: Thinking Our Way Out of Extinction by Rebecca Costa
• Linked: How Everything is Connected to Everything Else and What It Means for Business, Science, and Everyday Life by Albert-Laslo Barabasi
• Start With Why: How Great Leaders Inspire Everyone to Take Action by Simon Sinek
• Good to Great: Why Some Companies Make the Leap…and Others Don’t by Jim Collins
• Complexity: The Emerging Science at the Edge of Chaos by Michael Waldrop

Leadership:

• Team of Rivals: The Political Genius of Abraham Lincoln by Doris Kearns Goodwin
• Execution: The Discipline of Getting Things Done by Larry Bossidy and Ram Charan

Military Science:

• The Sling and the Stone: On War in the 21st Century by Colonel Thomas X. Hammes

Intel and Security Affairs:

• Insurgency, Terrorism, and Crime: Shadows from the Past and Portents for the Future by Max G. Manwaring and Edwin G. Corr

Related posts:

1. 2012 CSAF Reading List – Every Airman an Innovator
2. 2010 CSAF Reading List Announced

The 2012 Chief of Staff of the Air Force Reading List.

Many of these titles, including e-book versions, are available at base libraries…

1. A Country of Vast Designs: James K. Polk, the Mexican War and the Conquest of the American Continent by Robert W. Merry
2. Airpower for Strategic Effect by Colin Gray
3. Catch-22 by Joseph Heller
4. Freedom Flyers: The Tuskegee Airmen of WWII by J. Todd Moye
5. Paradise Beneath Her Feet: How Women are Transforming the Middle East by Isobel Coleman
6. Physics of the Future: How Science Will Shape Human Destiny and Our Daily Lives by the Year 2100 by Michio Kaku
7. Start with Why by Simon Sinek
8. The Forever War by Dexter Filkins
9. The Hunters: A Novel by James Salter
10. The Party: The Secret World of China’s Communist Leaders by Richard McGregor
11. The Words We Live By: Your Annotated Guide to the Constitution by Linda R. Monk
12. Unbroken: A World War II Story of Survival, Resilience, and Redemption by Laura Hillenbrand
13. Adapt: Why Success Always Starts with Failure by Tim Harford

Related posts:

1. 2010 CSAF Reading List Announced
2. 2011 CSAF Professional Reading Program

As anticipated, this week the DoD released the unclassified report of the DoD Strategy for Operating in Cyberspace (DSOC) (pdf download).

DoD Press Release (14 July 2011):

 The Department of Defense released today the DoD Strategy for Operating in Cyberspace (DSOC).  It is the first DoD unified strategy for cyberspace and officially encapsulates a new way forward for DoD’s military, intelligence and business operations.

“It is critical to strengthen our cyber capabilities to address the cyber threats we’re facing,” said Secretary of Defense Leon E. Panetta.  “I view this as an area in which we’re going to confront increasing threats in the future and think we have to be better prepared to deal with the growing cyber challenges that will face the nation.”

Reliable access to cyberspace is critical to U.S. national security, public safety and economic well-being.  Cyber threats continue to grow in scope and severity on a daily basis.  More than 60,000 new malicious software programs or variations are identified every day threatening our security, our economy and our citizens.

“The cyber threats we face are urgent, sometimes uncertain and potentially devastating as adversaries constantly search for vulnerabilities,” said Deputy Secretary of Defense William J. Lynn III.  “Our infrastructure, logistics network and business systems are heavily computerized.  With 15,000 networks and more than seven million computing devices, DoD continues to be a target in cyberspace for malicious activity.”

The DoD and other governmental agencies have taken steps to anticipate, mitigate and deter these threats.  Last year, DoD established U.S. Cyber Command to direct the day-to-day activities that operate and defend DoD information networks.  DoD also deepened and strengthened coordination with the Department of Homeland Security to secure critical networks as evidenced by the recent DoD-DHS Memorandum of Agreement.

“Strong partnerships with other U.S. government departments and agencies, the private sector and foreign nations are crucial,” said Lynn.  “Our success in cyberspace depends on a robust public/private partnership.  The defense of the military will matter little unless our civilian critical infrastructure is also able to withstand attacks.”

On 14 July 2011, Deputy Secretary of Defense William J. Lynn III also provided remarks on the cyber plan at the National Defense University, Washington, D.C. Click through to read the speech.

Thank you Hans. Returning to NDU is especially meaningful for me.  I was a fellow here at an evocative time.  Reagan was President.  Nuclear conflict with the Soviet Union dominated defense scenarios.  And the Berlin Wall appeared to forever separate two mutually-antagonistic world-systems. Yet even at the height of the Cold War, epoch-making forces were at work.  We did not know it at the time, but the fall of communism was less than a decade away.  Nor did we foresee the explosion and global spread of information technologies.  The networks that became the internet were up and running the year I was here.  We had no idea they would change history. For all the capability information technology enables in our military and beyond, it also introduces new vulnerabilities.  In 2008, a foreign intelligence agency penetrated our classified computer systems.  Today, the cyber threat poses dangers to our security that far exceed what happened three years ago. My purpose today is to outline a strategy for confronting these threats – the Department’s first ever Strategy for Operating in Cyberspace. The cyber environment we face is dynamic.  As such, our strategy must be dynamic as well.  So while today is an important milestone, it is only one part of the Department’s efforts to learn and adjust through time. Addressing hostile cyber activities against our nation will necessarily involve many parts of our government.  White House Cyber Security Coordinator Howard Schmidt is here today, as are friends and colleagues at other departments and agencies.  From DoD, I want to particularly thank Principal Deputy Undersecretary for Policy Jim Miller, cyber policy lead Bob Butler, DoD CIO Teri Takai, Cybercom Commander General Keith Alexander, and General James Cartwright, Vice Chairman of the Joint Chiefs of Staff.  Keeping cyberspace secure will also require the perspectives and capabilities of those with whom we share this space—especially private and commercial users. Many of these users have already been affected by criminal activity.  And while identifying criminal activity in cyberspace is of concern, this is not the Defense Department’s primary concern.  Rather, our concern is specific to activities that threaten our mission to protect the security of the Nation.  We do not know the exact way in which cyber will figure in the execution of this mission, or the precise scenarios that will arise.  But the centrality of information technology to our military operations and our society virtually guarantees that future adversaries will target our dependence on it.  Our assessment is that cyber attacks will be a significant component of any future conflict, whether it involves major nations, rogue states, or terrorist groups. Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems, exist today.  The advent of these tools mark a strategic shift in the cyber threat—a threat that continues to evolve.  As a result of this threat, keystrokes originating in one country can impact the other side of the globe in the blink of an eye.  In the 21st Century, bits and bytes can be as threatening as bullets and bombs. But disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud.  Although in the future we are likely to see destructive or disruptive cyber attacks that could have an impact analogous to physical hostilities, the vast majority of malicious cyber activity today does not cross this threshold. In looking at the current landscape of malicious activity, the most prevalent cyber threat to date has been exploitation—the theft of information and intellectual property from government and commercial networks.  This kind of cyber exploitation does not have the sudden payoff of a bank heist or the dramatic impact of a conventional military attack.  But by blunting our edge in military technology, and enabling foreign competitors to copy the fruits of our commercial innovation, it has a deeply corrosive effect over the long-term.  It is hard to know how much damage this digital thievery does to our economic competitiveness and national security, but a recent estimate pegged cumulative economic losses at over a trillion dollars. Today, sophisticated cyber capabilities reside almost exclusively in nation-states.  Here, U.S. military power offers a strong deterrent against overtly destructive attacks.  Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States.  We must nevertheless guard against the possibility that circumstances could change, and we will have to defend against a sophisticated adversary who is not deterred from launching a cyber attack. Terrorist groups and rogue states must be considered separately.  They have few or no assets to hold at risk and a greater willingness to provoke.  They are thus harder to deter.  If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation.  And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining, and expanding their cyber capabilities. So we stand at an important juncture in the development of the cyber threat.  More destructive tools are being developed, but have not yet been widely used.  And the most malicious actors have not yet obtained the most harmful capabilities.  But this situation will not hold forever.  There will eventually be a marriage of capability and intent, where those who mean us harm will gain the ability to launch damaging cyber attacks.  We need to develop stronger defenses before this occurs.  We have a window of opportunity—of uncertain length—in which to protect our networks against more perilous threats. To prepare our military for emerging cyber threats, we have developed a DoD Cyber Strategy.  This strategy holds that our posture in cyberspace must mirror the posture we assume to provide security for our nation overall.  Namely, our first goal is to prevent war.  We do this in part by preparing for it.  And we do so while acknowledging and protecting the basic freedoms of our citizens. The steps we have taken to respond to the cyber threat has prompted discussion in recent weeks about “cyber-war” and its implications.  As we release the DoD Cyber Strategy, it is important to address this topic head on. Commentators have asked whether and how the U.S. would respond militarily to attacks on our networks.  And this speculation has prompted concerns that cyberspace is at risk of being militarized—that a domain overwhelmingly used by civilians and for peaceful purposes could be fundamentally altered by the military’s efforts to defend it.  The concern here, as in other areas of our security, is that the measures put in place to prevent hostile actions will negate the very benefits of cyberspace we seek to protect. We have designed our DoD Cyber Strategy to address this concern. It should come as no surprise that the United States is prepared to defend itself.  It would be irresponsible, and a failure of the Defense Department’s mission, to leave the nation vulnerable to a known threat.  Just as our military organizes to defend against hostile acts from land, air, and sea, we must also be prepared to respond to hostile acts in cyberspace.  Accordingly, the United States reserves the right, under the laws of armed conflict, to respond to serious cyber attacks with a proportional and justified military response at the time and place of our choosing. Our ability to identify and respond to a serious cyber attack is however only part of our strategy.  Our strategy’s overriding emphasis is on denying the benefit of an attack.  Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way.  If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place. The logic behind denying the benefit of an attack rather than relying exclusively on the threat of retaliation flows from the nature of cyberspace itself.  The internet was designed to be open, transparent, and interoperable.  Security and identity management were secondary objectives in system design.  This lower emphasis on security in the internet’s initial design not only gives attackers a built-in advantage.  It can also make intrusions difficult to attribute, especially in real time.  This structural property of the current architecture of cyberspace means that we cannot rely on the threat of retaliation alone to deter potential attackers.  Some adversaries might gamble that they could attack us and escape detection. An important element of our strategy is therefore focused on denying or at least minimizing the benefit of an attack.  If we can minimize the impact of attacks on our operations, and attribute them quickly and definitively, we may be able to change the decision calculus of an attacker.  Enhancing our defenses also increases the resources needed to mount a successful attack, thereby making cyber attacks even less attractive to our adversaries. This emphasis on cyber defenses illustrates how we are both mindful of those who would do us harm using cyber means, but also committed to protecting the peaceful use of cyberspace.  Far from “militarizing” cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes.  Indeed, establishing robust cyber defenses no more militarizes cyberspace than having a navy militarizes the ocean.  This commitment to peace through preventive defense is at the heart of our DoD Cyber Strategy and the Administration’s overall approach to cyberspace. With this understanding, let me turn to the five primary pillars of our strategy. First, as a doctrinal matter, the Defense Department is treating cyberspace as an operational domain, like land, air, sea, and space.  Treating cyberspace as a domain means that the military needs to operate and defend its networks, and to organize, train, and equip our forces to perform cyber missions. Second, we are introducing new operating concepts on our networks, including active cyber defenses.  These active defenses use sensors, software, and signatures to detect and stop malicious code before it affects our operations—thereby denying the benefit of an attack. The third and fourth pillars of our strategy recognize the interconnectedness of cyberspace and the diversity of uses to which it is put, by individuals, in our economies, and across nations.  Because cyberspace is composed of many interwoven networks that perform many different functions, ensuring its peaceful use will require efforts on many fronts.  The men and women of the military, other government agencies, our allies, the private sector, and indeed, the citizens of cyberspace must all play a role. The third pillar specifically recognizes that a number of non-military networks support important military functions.  This is especially true when it comes to the power grid, transportation system, and financial sector.  So to protect our military capability, we must work with the Department of Homeland Security and the private sector to protect the nation’s critical infrastructure. Our fourth pillar carries this logic of interconnectedness to our allies and international partners.  Our goal with them is to build collective cyber defenses.  Collective cyber defenses will help expand our awareness of malicious activity and speed our ability to defend against ongoing attacks. Fifth, our strategy aims to fundamentally shift the technological landscape of cyber security.   Simply put, we want to enhance network security to reduce the advantages the attacker presently enjoys relative to the defender on the internet.  Leveraging the nation’s technological and human resources to increase the security of network technology is not only in our best interest.  A more secure and resilient internet is in everyone’s interest. Over the past year, we have made progress in each of these five pillars. To centralize the operation and defense of our networks, we stood up U.S. Cyber Command and made it fully operational.  We have established supporting activities in each of the military services.   And we are now training our forces to thwart attacks that compromise our operations.  Although no network will ever be perfectly secure, our military networks today are better defended, and our cyber hygiene more effective, than before. On the international front, we have partnered with Australia, Canada, the United Kingdom, and our NATO allies.  And under the President’s International Strategy, we will seek greater cooperation with more nations in the coming months. We have also committed half a billion dollars in R&D funds to accelerate research on advanced defensive technologies.  Our research agenda includes novel approaches to improving network security and defense.  We imagine a time when computers innately and automatically adapt to new threats.  We hope for a world when we can not only transmit information in encrypted form, but also keep data encrypted as we perform regular computer operations.  Having data encrypted 100% of the time would be a revolution in computer security, greatly enhancing our ability to operate in un-trusted environments. Lastly, we have made substantial progress in working with private industry and the rest of government to make our critical infrastructure more secure.  I would like to spend the final part of my remarks discussing this crucial area and its importance to national security. To date, malicious cyber activity has been directed at nearly every sector of our infrastructure and economy.  The I.M.F., Citibank, Sony’s PlayStation Network, the secure token provider RSA, Google, NASDAQ, and multiple energy firms have been targeted.  Cyber intruders have been so effective that even companies employing sophisticated commercial defenses have also fallen victim.  In fact, our venue here today, the National Defense University, has been struck.  The NDU website and its associated server were recently compromised by an intrusion that turned over system control to an unknown intruder. The country’s critical infrastructure has also been probed.  Because much of this critical infrastructure supports military operations, its failure could compromise our abilities to protect the nation.  Our military bases and installations are part of—and not separate from—the critical infrastructure on which all Americans depend.  Ninety-nine percent of the electricity the U.S. military uses comes from civilian sources.   Ninety percent of U.S. military voice and internet communications travel over the same private networks that service homes and offices.  We also rely on the transportation system to move military personnel and freight, on commercial refineries to provide fuel, and on the financial industry to process our payments. Significant disruptions to any one of these sectors could impact defense operations.   A cyber attack against more than one could be devastating.  The integrity of the networks that undergird critical infrastructure must therefore be considered as we assess our ability to carry out national security missions. In the United States, the Department of Homeland Security has responsibility for protecting critical infrastructure.  In the past year, we have signed a memorandum of agreement with DHS to seamlessly coordinate our cyber security efforts.  Wehave established a joint planning capability and exchange of personnel in our cyber operations centers.  And we are helping Homeland Security deploy advanced defensive technologies on our government networks. The critical infrastructure the military depends upon also extends to the private companies that build the equipment and technology we use.  Their networks hold valuable information about our weapons systems and their capabilities.  The theft of design data and engineering information from within these networks undermines the technological edge we hold over potential adversaries. It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies.  In a single intrusion this March, 24,000 files were taken. When looking across the intrusions of the last few years, some of the stolen data is mundane, like the specifications for small parts of tanks, airplanes, and submarines.  But a great deal of it concerns our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.  The cyber exploitation being perpetrated against the defense industry cuts across a wide swath of crucial military hardware, extending from missile tracking systems and satellite navigation devices to UAVs and the Joint Strike Fighter. Current countermeasures have not stopped this outflow of sensitive information.  We need to do more to guard our digital storehouses of design innovation. Toward that end, the Department of Defense, in partnership with DHS, has established a pilot program with a handful of defense companies.  This program provides these companies with more robust protection for their networks.  In this Defense Industrial Base—or DIB—Cyber Pilot, classified threat intelligence is shared with defense contractors or their commercial internet service providers along with the know-how to employ it in network defense.  By furnishing this threat intelligence, we are able to help strengthen these companies’ existing cyber defenses. In this way, the DIB Cyber Pilot builds off existing capabilities that are widely deployed through the commercial sector.  By leveraging infrastructure that already exists, the pilot suggests we can provide substantial additional protections across our critical infrastructure for only a fractional increase in cost. In the DIB Cyber Pilot, the U.S. government is not monitoring, intercepting, or storing any private sector communications.  Rather, threat intelligence provided by the government is helping the companies themselves, or the internet service providers working on their behalf, to identify and stop malicious activity within their networks.  The pilot is also voluntary for all participants. Although we are only beginning to evaluate the effectiveness of the pilot, it has already stopped intrusions for some participating industry partners.  And through the information sharing the pilot promotes, we not only halted intrusions.  We also learned more about the diversity of techniques used to perpetrate them. The DIB Cyber Pilot breaks new ground in recognizing the interconnectedness of cyber and the important role of stakeholders in thwarting attacks.  We have much to do to protect our critical infrastructure from sophisticated intrusions and attacks.  But by establishing a lawful and effective framework for the government to help operators of critical infrastructure defend their networks, we hope the DIB Cyber Pilot can measurably enhance the security of our nation’s critical infrastructure. We are a long way from the world I knew while a fellow at NDU.  Superpower competition has faded, yielding a strategic environment that is unlike anything we could have imagined.  Whereas the Berlin Wall once divided us, now we are more interconnected than ever. Our responsibility is to acknowledge this new environment and adapt our security instruments to it.  That is the purpose of the DoD Cyber Strategy.  We must prepare.  We must recognize the interconnectedness of cyber.  And we must be mindful of the many ways cyberspace is used–as a peaceful instrument of global communications, as a tool for economic growth–and, also, as an instrument to threaten and sometimes cause harm.   Given this broad landscape of activity in cyberspace, we must both protect its peaceful, shared uses as well as prepare for hostile cyber acts that threaten our national security.   The strategy we are announcing today helps establish that balance.  It provides a framework for us to promote our nation’s values in this vital civilian space while carrying out our duty to protect the nation. Thank you.

Related posts:

1. White House Cyberspace Policy Review

Today’s cyber warfare news:

By LOLITA C. BALDOR Associated Press

WASHINGTON June 22, 2011 (AP)

President Barack Obama has signed executive orders that lay out how far military commanders around the globe can go in using cyberattacks and other computer-based operations against enemies and as part of routine espionage in other countries.

The orders detail when the military must seek presidential approval for a specific cyber assault on an enemy and weave cyber capabilities into U.S. war fighting strategy, defense officials and cyber security experts told The Associated Press.

Signed more than a month ago, the orders cap a two-year Pentagon effort to draft U.S. rules of the road for cyber warfare, and come as the U.S. begins to work with allies on global ground rules.

The guidelines are much like those that govern the use of other weapons of war, from nuclear bombs to missiles to secret surveillance, the officials said.

Read more at Yahoo News…

Related posts:

1. Cyberwar…Our Next Pearl Harbor?

Via Air & Space Power Journal: “The Cyber Warfare Professional” (PDF)…

Related posts:

1. China’s Cyber Warfare “Blue Army”
2. Cyber Combat: The Next Military Frontier

From the Executive Summary of the White House Cyberspace Policy Review conducted January 2009:

The President directed a 60-day, comprehensive, “clean-slate” review to assess U.S. policies and structures for cybersecurity. Cybersecurity policy includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure. The review team of government cybersecurity experts engaged and received input from a broad cross-section of industry, academia, the civil liberties and privacy communities, State governments, international partners, and the Legislative and Executive Branches. This paper summarizes the review team’s conclusions and outlines the beginning of the way forward towards a reliable, resilient, trustworthy digital infrastructure for the future.

Download PDF.

Related posts:

1. Department of Defense Strategy for Operating in Cyberspace
2. Cyberwar Nominee Sees Gaps in Law

BEIJING (Reuters) – China must boost its cyber-warfare strength to counter a Pentagon push, the country’s top military newspaper said on Thursday after weeks of friction over accusations that Beijing may have launched a string of Internet hacking attacks.

The accusations against China have centered on an intrusion into the security networks of Lockheed Martin Corp and other U.S. military contractors, and deceptions intended to gain access to the Google e-mail accounts of U.S. officials and Chinese human rights advocates.

But the official newspaper of the People’s Liberation Army said it was Beijing that was vulnerable to attack, in a news report that surveyed the Pentagon’s efforts in cyber security.

Read more here: China military paper urges steps against U.S. cyber war threat – Yahoo! News.

Related posts:

1. China Calls U.S. Culprit in Global ‘Internet War’
2. Secretary Gates Discusses the Cyber Threat at the IISS Shangri-La Security Dialogue
3. China’s Cyber Warfare “Blue Army”

Chinese government-backed hackers may be systematically planting cyberbombs across U.S. computer networks according to Richard Clarke in this WSJ op-ed.   In support of this argument, that China has a hand in these attacks and not just run-of-the-mill hacker/swindlers, Mr. Clarke contends:

Cyber criminals don’t hack defense contractors—they go after banks and credit cards. Despite Beijing’s public denials, this attack and many others have all the hallmarks of Chinese government operations.

Mr. Clarke continues:

There is no money to steal on the electrical grid, nor is there any intelligence value that would justify cyber espionage: The only point to penetrating the grid’s controls is to counter American military superiority by threatening to damage the underpinning of the U.S. economy. Chinese military strategists have written about how in this way a nation like China could gain an equal footing with the militarily superior United States.

The op-ed is worth a read if you’re staying current on cyber threats and the larger geopolitical situation.

Mr. Clarke was a national security official in the White House for three presidents. He is chairman of Good Harbor Consulting, a security risk management consultancy for governments and corporations. He recently authored the book, The Next Threat to National Security and What to Do About It. 

Related posts:

1. China Points the Finger at U.S. as Primary Cyber Threat
2. China Calls U.S. Culprit in Global ‘Internet War’
3. China’s Cyber Warfare “Blue Army”

A few cyber links…

Panetta Voices Concern About Cyber Warfare Threat (Washington Post, 10 June 2011)

The Fog of Cyberwar: What Are the Rules of Engagement? (Scientific American, 13 June 2011)

The Online Threat.  Should We Be Worried About a Cyberwar? (The New Yorker, 1 November 2010)

No related posts.

Secretary Gates explains how the Pentagon’s new cyber policy would be implemented with regard to the persistent threat of cyber attacks emanating from China…

Via Foreign Policy:

Related posts:

1. China Points the Finger at U.S. as Primary Cyber Threat
2. China’s Cyber Warfare “Blue Army”
3. China’s Guerrilla Cyber Assault on America