Afghanistan Mistakes in Cyber

Wesley Belleman
3 min read · Dec 30, 2021

Before I begin, let us take a minute to remember the 13 Americans and hundreds of Afghans who have lost their lives in the wake of the United States military’s withdrawal. This event has dominated the news for weeks as enraged and saddened members of the defense community find different ways to explain or cope with this result. I myself will not opine on the root cause of the hysteria in Afghanistan. Some have said the US military failed to build trust from the start while others think senior leaders should have known better and threatened to resign. I do hope that if any leaders committed gross negligence, the government discovers that and holds the negligent accountable.

We do know one thing though: the Taliban regained control of Afghanistan. The US occupied Afghanistan for 20 years and the regime we put in place fell in 10 days. In other words, the US occupation failed to make robust or resilient change in the region. The changes made in Afghanistan relied on US military presence and fell apart as soon as troops left. Again, one might argue that this was inevitable, and lasting change in Afghanistan was impossible. Even if that is true, the US military can certainly create a robust and resilient system on its own terrain right? Of course attackers will succeed sometimes, but the system can withstand most attacks and recover from all others. The military would not use its bomb and leave strategy to conduct defense and security of its own systems, right? Right? RIGHT!??

Wrong. The Department of Defense’s strategy toward cybersecurity and cyber defense suffers from the same failed mentality that it showed in Afghanistan. The strategy has unfortunately hinged on traditional military practices that no longer work. We certainly should not rely on traditional combat analogies to make decisions about sound cyber strategy, but this analogy reaches into a deep-rooted culture and mindset of military leaders that goes beyond strategy or tactics in a single domain. Many military leaders want a set of completable operations: battles that they can win or lose.

These leaders therefore want to define security actions as “operations” that one can complete in order to disrupt an adversary in cyberspace. The DoD put this strategy into action with its Cyber Mission Force. Within the Cyber Mission Force, Cyber Protection Teams focus on protecting DoD networks, but their activities are temporary. Cyber Protection Teams receive a mission and only perform defense on that mission for the time that they have. This limits them to threat hunting, digital forensics, and incident response rather than persistent system monitoring. Sorry Anton. The Air Force goes a step further and calls its security operations tools “weapons systems,” locking them into all of the restrictions and practices that come with a fighter jet.

The Air Force has tried to improve this state of affairs. It has stood up several Mission Defense Teams that provide sustained and persistent security for DoD systems (which the Air Force laughably calls innovation). These teams, of course, still play by the rules of “cyberspace operations,” but this is real progress.

As much as the DoD wants to force-fit traditional operations into the cyber domain, Afghanistan has shown us that this does not even work in a kinetic campaign. Protection of DoD assets will not succeed with “cyberspace operations” or mission-based cyber defense. We must treat cyber defense and cyber security as long-term, persistent problems that we combat with persistent improvement of hygiene and security operations. While I write mostly about security operations (this is my specialty), I actually think hygiene is more important. We should focus on building and supporting resilient systems over the long term, not rushing in, defending, and leaving. Otherwise, the adversary will retake their ground in 10 days or less.
