Strategy in cyberspace should be treated like the strategy used in traditional military battle spaces, according to Ray Letteer, chief of the cyber division of the Command, Control, Communications, and Computers (C4) Department at Headquarters of the U.S. Marine Corps, who spoke at Tenable’s GovProtect17 on June 21.
“Where is our battle space, where are we going to engage the enemy? We take a look at what is commonly called ‘key terrain,’ ” said Letteer. “In some cases, people in cyber have tried to use that term as well to get across a construct that there’s a particular thing here that I’ve got to have to be able to protect: information, or the environment, or the hardware.”
According to Letteer, officials and network managers within the government don’t even know the entirety of what is on their networks, a situation that would never be acceptable in physical combat.
“We don’t even know what we’ve got. We just have people who don’t know what’s on the network,” said Letteer, saying that he was once given a report that his people only knew 70 percent of what was on the network. “Would we go into battle when we only know 70 percent of the environment we’re going to go into? Heavens, no.”
Retired Air Force Maj. Gen. Earl Matthews, vice president of enterprise security solutions and enterprise services for public sector at DXC Technology and former director of cyberspace operations and CISO in the Office of the Secretary of the Air Force, said that the way the military deals with cyber is the same attitude that they used to have toward space.
“When we started with space, it was the same thing, we treated it separately. And it wasn’t until the first Gulf War that it started becoming more ubiquitous and integrated into military operations. Cyber is the same way. We’re trying to treat it differently when it’s not. It’s just another part of the overall operational framework, and it needs to be put into that lens,” said Matthews. “This is a mission area that is never going to go away.”
Letteer said that people often overcomplicate cyber, and suggested a three-part method of addressing it.
“To me, cyber is just three things: connections, communications, and cognizance. The connections: it’s that network, it’s that wire, it’s that Ethernet. Is it fiber? Is it signal? The communications: is it zeros and ones? Is it a light pulse? Is it a voice? And then the most important part of it is cognizance. It’s the information behind it, the intelligence we put behind it. Is it business information, financial information, health care information?” said Letteer. “I’m not trying to undermine the complexity of the concerns that we all have, that we have to work with every day, by all means. But still, let’s not overcomplicate the problem to such an extent that we lose focus. And we are losing focus.”
Due to the high cost of personnel, Letter said that he is a passionate advocate of automation in cybersecurity, and added that though the government seems to be moving in the right direction, it is doing so too slowly.
“The art of the possible has been done, we just have to have the ability to push and to do it,” Letteer said. “We need to change our mind-set, we need to make ourselves more agile.”