With an approach to cybersecurity that is “grounded in real-world experience,” the U.S. Department of Defense recently announced its 2023 DoD Cyber Strategy, which updates the Pentagon’s plan published five years ago and outlines how the department will address current and future security issues that face the nation.
While several lawmakers on Capitol Hill received copies of the full document, Defense Department officials also published an unclassified, two-page “fact sheet” for the public in late May. A more detailed public version is expected later this year.
The main significance of 2023 is to update and supersede the previous DoD Cyber Strategy released in 2018, which helped define concepts such as “defend forward” – the policy of actively disrupting malicious cyber activity before it can affect the U.S. mainland. The document also ensures that the Pentagon’s strategy is aligned with the White House 2023 National Cybersecurity Strategy, released in March.
In publishing the document, defense officials noted the current war between Russia and Ukraine helped inform the new strategy and these hostilities “demonstrated how cyber capabilities may be used in large-scale conventional conflict.”
While the unclassified version of the 2023 strategy references threats from Russia, China, North Korea, Iran and transnational criminal groups, the Pentagon also outlines its plans for further investment in cyber capabilities and partnering with allies and others, including other federal agencies and the private sector, which own much of the nation’s critical infrastructure.
The document also details that building cyber capabilities and developing skills is a key DoD initiative over the next several years.
“The Department will optimize the organizing, training, and equipping of the Cyber Operations Forces and Service-retained cyber forces,” according to the fact sheet. “Furthermore, DoD will invest in the enablers of cyberspace operations, including intelligence, science and technology, cybersecurity, and culture.”
For tech and security pros, the updated DoD strategy shows not only the need to deter cyber threats but also the role that skilled employees will have in ensuring these incidents are mitigated, noted Michael Caruso, vice president for FedRAMP assurance at security consulting Coalfire.
“Deterrence of cyber warfare offenses is critical to the DoD’s cyber security strategy for 2023 and beyond,” Caruso recently told Dice. “The common theme across the four complementary lines of effort involves fostering information sharing between allied nations and within the cybersecurity industry, while also bolstering cyber training and readiness capabilities.”
Developing Skills That Meet Security Challenges
While the Pentagon is updating its cyber strategy, several industry insiders and experts noted that one significant issue is not changing: the federal government and private industry partners still need as many skilled workers as possible to fulfill these types of missions.
One study from September 2022 put the number of open public-sector cybersecurity positions at about 40,000, and the federal government now needs tech and cyber professionals who are efficient in areas such as cloud computing and artificial intelligence, said Samuel Kinch, director of technical account management at security firm Tanium.
“The need hasn’t changed. Yes, we need people with artificial intelligence, data analytics and cloud skills, but that is just a shift in skillsets,” Kinch told Dice. “The need to attract and maintain highly diverse employees will continue to exist as cyber requirements shift over time. The ongoing challenge is how companies and the government maintains their personnel.”
The DoD’s cybersecurity approach and priorities also show a need for those who understand business impact assessments, for those workers who can prioritize potential threats, and those tech professionals who can engage outside of the IT organization on cybersecurity, noted John Gallagher, vice president of Viakoo Labs at security firm Viakoo.
These types of skills are not only valuable within the federal government but also for private enterprises that are targeted by the same threat actors and nation-state groups using similar techniques.
“Private industry, like the U.S. government, cannot prevent attacks or protect against every possible vulnerability. That naturally forces a focus on resilience from being attacked and should force organizations to prioritize their cybersecurity efforts on hardening assets that are critical to the success of the business,” Gallagher told Dice. “In addition to making the business more resilient, it also challenges the security team to be more engaged and proactive with the line of business and form joint plans to ensure that the business can recover quickly.”
Coalfire’s Caruso added that the DoD Cyber Strategy puts a strong emphasis on supply-chain attacks—an incident where a threat actor infiltrates a network through a third-party partner or provider—and both government and private industry need workers who understand these vulnerabilities.
“Skills needed for the modern cybersecurity professional are constantly evolving,” Caruso said. “In order to tackle current and future challenges, public and private sector security experts should hone in on understanding supply-chain attacks. Gartner predicts that, by 2025, 45 percent of global organizations will be impacted in some way by a supply-chain attack.”
Preparing for a Cyber Future
While the 2023 DoD Cyber Strategy is not as groundbreaking as the 2018 plan, the document shows that significant cyber threats will continue to test the resilience of government and private networks. This will require tech pros to develop skills that mitigate these risks.
“Cybersecurity is national security and must be prioritized as such. Protecting critical infrastructure and the services that people rely on from cyberattacks is as important as protecting it from physical attacks because the consequences have the potential to be equally devastating,” Darren Guccione, CEO and co-founder of Keeper Security, told Dice. “When used for political purposes, these cyberattacks may be part of a larger effort to threaten operations, destabilize a government or disrupt critical infrastructure such as power grids, transportation networks and financial institutions.”
These ongoing cybersecurity trends show why recruiting talent from government agencies like the Defense Department remains an important initiative for private firms and why developing skills to keep up with adversaries is crucial, noted Ed Debish, director for public sector technical account management at Tanium. He noted three areas where taking cues from the government can help all businesses to become more secure.
“The first is operational experience in actively defending and protecting our nation’s critical infrastructure against multiple adversaries and malicious cyber actors,” Debish told Dice. “Second, they bring critical leadership experience and skills. Leadership is arguably the most important trait when trying to create high-performing organizations or bring a team together to solve an issue. Lastly, the DoD is a Gordian knot of acronyms, jargon and ever-changing processes. Having a former government employee or service member in a private sector company can significantly help navigate the pre-defined sea of confusion.”