Last week, two very interesting documents related to US national cyber security concerns and efforts were released. The first is the testimony of Director of National Intelligence James Clapper before Congress on the Intelligence Community's assessment of the cyber threats facing the United States. The second is the "Commander's Vision and Guidance" for US Cyber Command, the Defense Department component focused on cyberspace. Both have garnered coverage already, and both offer important insights into US government cyber security efforts - the former into the threats the US government is preparing to respond to, and the latter into the ways in which the government is building capabilities to engage in that response.
Both documents feature interesting material, whether in the form of new information or, more commonly, the compilation and distillation of information that was previously available elsewhere but scattered across numerous disparate sources.
The Clapper testimony features some fairly definitive US Government cyber attack attributions - and some more awkward attributions framed in terms of being the assessment of private sector "security experts" or something similar...
"Unknown Russian actors successfully compromised the product supply chains of at least three ICS vendors so that customers downloaded malicious software (“malware”) designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates, according to private sector cyber security experts."
"Iranian actors have been implicated in the 2012-13 DDOS attacks against US financial institutions and in the February 2014 cyber attack on the Las Vegas Sands casino company."
"The North Korean Government was responsible for the November 2014 cyber attack on Sony Pictures Entertainment (SPE), which stole corporate information and introduced hard drive erasing malware into the company’s network infrastructure, according to the FBI."
...as well as some interesting analytic assessments:
"These threats come from a range of actors, including: (1) nation states with highly sophisticated cyber programs (such as Russia or China), (2) nations with lesser technical capabilities but possibly more disruptive intent (such as Iran or North Korea), (3) profit-motivated criminals, and (4) ideologically motivated hackers or extremists."
"With respect to ISIL, since last summer, the group began executing a highly strategic social media campaign using a diverse array of platforms and thousands of online supporters around the globe. The group quickly builds expertise in the platforms it uses and often leverages multiple tools within each platform. ISIL and its adherents’ adept use of social media allows the group to maximize the spread of its propaganda and reach out to potential recruits."
The Cyber Command vision document includes some interesting morsels as well... It says Cyber Command must "Operationalize the Cyber Mission Set," which includes the need to:
"Utilize appropriate authorities and policies, especially in our role as part of the federal government’s response to attacks on critical infrastructure in the United States."
"Generate teams trained and ready to act in support of combatant commanders, align command and control, and implement enabling capabilities for maneuver elements so that in partnership with other governmental and private organizations, we can defend the nation’s vital interests and infrastructure."
"Develop integrated approaches to operating, defending, and causing effects in cyberspace, and enable operational-level integration with US government partners."
While this language is not specific, it certainly has interesting implications for the Cyber Command role in defending the homeland. Interestingly, while these two lines mention the military's Reserve components...
"The workforce— military (both active and reserve), civilian, and contractor—is the Command’s greatest resource."
"We must partner with industry and make effective use of the unique talent inherent in our reserve force to redefine relationships and create unity of effort across public and private sectors."
...there is notably no mention of the National Guard. It is not clear what can - or cannot - be read into that omission, but it seems notable given the recent discussion and focus on the Guard and cyber security.
This paragraph is fascinating, with lots of intricacies that are not easy to parse out:
"We will employ traditional terminology, operational concepts, and tactics, techniques and procedures (TTPs) where possible, emphasizing cyber’s similarity to other mission sets. We will improve integration and synchronization of the planning, execution, and assessment of cyberspace operations with joint war-fighting processes. Even as we support other Commands, we will shift our mindset from enablers to operators, from supporting to supported, and from administrators to warfighters as we integrate cyber into new ways of defending, fighting, and partnering."
Overall, there is some very interesting stuff here. It seems that we are beginning - in fits and starts - to have much more honest and realistic national discussions about cyber threats and what cyber capabilities might be brought to bear on the various threats facing the country. It has been a long time coming.
(Note: All bolded text is done by this post author to draw attention, rather than being bolded in the original source documents)