Much of what passes for analysis of cyber threats these days is episodic and anecdotal. I confess, reluctantly, that despite my own best efforts I sometimes fall into that trap. I also confess that sometimes anecdotes are clarifying and symbolic, as with the Mandiant APT-1 report last month. Still, it is always welcome when someone with good analytic capability steps back and takes a deeper, more nuanced dive into the problem of cyber vulnerability.
Readers of this blog who are interested in cyber topics will therefore very much want to read a new report from the Defense Science Board, "Resilient Military Systems and the Advanced Cyber Threat." Most readers will highlight the conclusion that the US "cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities (a 'full spectrum' adversary)." For those who want a deeper summary, this article in Signal is quite useful. Some of the notable longer-term pieces of interest in the report include recommendations:
- For enhanced counterintelligence capability to address supply chain vulnerabilities;
- For a new tiering methodology for ranking cyber threat actors and then employing risk analysis against this tiering structure;
- For enhanced intelligence collection (most likely HUMINT) against the high-end cyber threat actors; and
- That USCYBERCOM establish its own FFRDC to model, war game and red team cyber ops concepts.