Military cyber security a fragmented mess; progress won't happen until we have industry consensus
THE MIL & AERO BLOG, 27 Oct. 2015. I'm not sure if the U.S. military is capable of coming up with adequate cyber security measures to protect its data and communications networks from dire threats posed by international hackers.
If we're honest with ourselves, military cyber security today is a fragmented mess of competing standards and programs; the Navy, Air Force, and Army all are taking their own directions in cyber security. It's much the same in other federal agencies. The point is that no one is on the same page, everyone does things differently, and no consensus cyber security standards are emerging.
Some are suggesting that one federal agency -- like the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), or the National Security Agency (NSA) -- should impose uniform cyber security standards on the military and other federal agencies.
I think an approach like that is bound to fail. Try to imagine NIST telling the military what to do as far as cyber security is concerned. The military has its own way of doing things, as do many other federal agencies. Fragmentation continues to reign.
I remember back in the late 1980s when the Navy and Army tried coming up with their own embedded computing and networking standards. Anyone remember the Next-Generation Computer Resources (NGCR) program, or the Standard Army Vetronics Architecture (SAVA)? I thought not.
These were noble efforts, and based on industry standards, but they failed because they attempted to impose technology standards without user and supplier buy-in. Industry didn't support the NGCR and SAVA programs because it didn't make economic sense to do so. Navy shipboard electronics and Army vetronics simply represented markets that were too small for industry to get excited about.
It wasn't until the military finally acknowledged industry standards like VME and Ethernet that consensus military embedded computing standards finally started taking shape.
I fear that cyber security today is following much the same path as those failed military standards initiatives. Each military service is trying to impose its own cyber security standards on users and suppliers, and expects industry to follow along. I doubt we'll see much traction.
Where the military has had some success in standardizing on technology is when military leaders follow consensus standards in industry. It wouldn't surprise me to see cyber security standards eventually coming out of industry that the military could adopt.
Industry is struggling with cyber security just like the military is. Banking, airlines, and e-commerce are fat targets for hackers, and are coming up with ways to safeguard their data and communications networks. They simply have to. We'll see the day when big corporations can't get the insurance they need without acceptable cyber security measures in place.
These will be the standards to watch, and the military would do well to pay attention. Proprietary and service-specific cyber security standards may make sense technologically, but to work well in the long term they will need widespread industry support.
It could be that the future will see industry cyber security standards emerging from the imperative to protect national and international commerce. When industry agrees on cyber security standards, the military likely will follow.
Until then we'll see continuing fragmentation among military cyber security standards and programs, lackluster industry support, and an unchecked and terrifying cyber threat from hackers representing national adversaries, terrorist groups, or just rogue threats.
I'm really hoping that things can get sorted out before we see a digital Pearl Harbor.