At the Defense Information Systems Agency, more than 600 million emails come in during a 30-day period. Is it a surprise that all but 98 million — a scant 16 percent — end up blocked due to their malicious or spammy content?
With the stakes as high as they are in cybersecurity, it shouldn't be, and the Defense Department is taking cyber threats seriously in an evolving landscape of conflict.
"We've got the ability to block a lot of bad things coming in off emails," LTG Alan Lynn, DISA director, told audience members at the C4ISR & Networks/Federal Times CyberCon 2015 conference in Arlington, Virginia, Nov. 18. Hence the heavily filtering of email: "We recognize the enemy will use the Internet to recruit, to take down SCADA [supervisory control and data acquisition] systems. In short, we expect a cyberattack as a prelude to war."
And yet that future war — at least in the traditional sense — hasn't come, despite an onslaught of cyberattacks that arguably could serve as such preludes. Lynn said that is, at least in part, because the threshold isn't yet well-defined.
"What's interesting is no one knows where the red line is yet. When do you cross the line into kinetic war?" he said. "There's an economic cyber Cold War playing out right now. Imagine that a country is working the long war fight; they're not interested in one-day tactical advances, but the 20-year cyber takedown of a Sony, Target ... name your company. It costs pennies to conduct those attacks, but millions of dollars to fix. That economic equation is troubling enough but if the goal over time is to erode global consumer confidence in the U.S. … think about that and think about where we're headed."
Lynn was hesitant to discuss specific incidents and threats, particularly recent reports that a subcontractor allowed uncleared Russian employees work on and allegedly inject malware into DISA networks. But theoretically, industry is on the hook in those types of situations, Lynn said.
"We can't do business without industry, but everyone has to be held accountable for their actions on our networks. That's why we need 100-percent identity assurance," Lynn said. "So I think you'll see a future where as we write contracts, we write that industry partners providing services have to be at the security levels we expect, follow [security technical implementation guides] and have the ability to pass [command cyber readiness inspections], for example."