Earlier this week, I came across some coverage about some of the Australian Department of Defence’s (DoD) cyber-security strategies. While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.
Toney Jennings, CoreTrace CEO and a former Air Force information warfare officer, recently blogged on the US DoD’s “Strategy for Operating in Cyber-Space”. The main objective of his “DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies & companies???” post was to openly challenge the US DoD to modify their procurement and evaluation processes to enable small and innovative companies to assist in cyber defense. However, Toney also made a few other key points. Most relevant to this post is that Toney highlighted that the document was extremely high level and highly prone to status quo thinking and actions, e.g.,
“Unfortunately, a significant portion of the document is simply reiterating the government’s ‘business as usual’ tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, ‘no one ever got fired for buying from’ large companies and contractors.”
Which brings me to the Australian DoD. In contrast to the high-level US cyberstrategy document, the Australian DoD’s “Strategies to Mitigate Targeted Cyber Intrusions” plan is detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies. There is a nice blend of old and new in the list of thirty-five mitigation recommendations, with a strong recommendation to implement the top four strategies. According to the DoD’s Defence Signals Directorate (DSD):
“While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.”
I strongly recommend reading the whole document, but here are the four key strategies:
1. Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.
2. Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.
3. Minimize the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
4. Implement application whitelisting to help prevent malicious software and other unapproved programs from running.
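As an added illustration (not code from the DSD document or from this post), the following Python sketch turns the top four into a per-host posture check against a constructed inventory: the two-day patch-or-mitigate window, admin accounts that are also used for email or browsing, and whether whitelisting is enforced. The `Vuln` and `Host` fields are assumed names for what an asset system would export.

```python
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 2  # DSD top four: patch or mitigate high-risk vulnerabilities within two days

@dataclass
class Vuln:
    component: str   # affected software (constructed names in the sample below)
    kind: str        # "application" (strategy 1) or "os" (strategy 2)
    severity: str    # "high" or "low"
    published: date  # date the vendor fix or a mitigation became available
    addressed: bool = False  # patched, or mitigated another way

@dataclass
class Host:
    vulns: list
    admin_accounts: set      # users holding domain or local administrative rights
    browsing_accounts: set   # accounts observed logging on for email / web browsing
    app_whitelisting: bool   # whether application whitelisting is enforced

def days_overdue(v: Vuln, today: date) -> int:
    """Days past the two-day SLA for an unaddressed high-risk vulnerability; 0 if in SLA or handled."""
    if v.severity != "high" or v.addressed:
        return 0
    return max(0, (today - v.published).days - PATCH_SLA_DAYS)

def assess_top_four(host: Host, today: date) -> dict:
    """Map each DSD top-four strategy (1..4) to its findings; an empty list means compliant."""
    findings = {1: [], 2: [], 3: [], 4: []}
    for v in host.vulns:
        if late := days_overdue(v, today):
            findings[1 if v.kind == "application" else 2].append(f"{v.component}: high-risk fix overdue by {late} day(s)")
    # Strategy 3: admins must use a separate unprivileged account for email and web
    for acct in sorted(host.admin_accounts & host.browsing_accounts):
        findings[3].append(f"{acct}: administrative account used for email/web browsing")
    if not host.app_whitelisting:
        findings[4].append("application whitelisting not enforced")
    return findings

# Constructed sample host inventory (hypothetical data, not taken from the DSD document)
SAMPLE_HOST = Host(
    vulns=[
        Vuln("PDF viewer", "application", "high", date(2011, 7, 25)),  # 7 days old: 5 over SLA
        Vuln("Java", "application", "high", date(2011, 7, 31)),        # 1 day old: within SLA
        Vuln("Operating system", "os", "high", date(2011, 7, 28)),     # 4 days old: 2 over SLA
    ],
    admin_accounts={"alice", "bob"},
    browsing_accounts={"alice", "carol"},
    app_whitelisting=False,
)
```

Feeding real export data into `Host` gives a per-host report of which of the four strategies are currently violated and by how much.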
I sincerely hope the US DoD will take a page from their Australian counterparts. Learn, adapt, and survive. It is a far better strategy than simply staying pat.
Brilliant comparison JT. I just returned from addressing the Australian Defense Magazine’s first Cybersecurity Summit in Canberra. The Australian presenters seemed to accept that the US was ahead of Australia in cyber preparedness. The US presenters were there to share their vast wisdom. Yet, as you point out, Australia has actually been more clear headed and strategic about cyber defense.
Thank you very much, Richard. Coming from a researcher and author as steeped in the cyberwar discussion as you are, I truly appreciate it. I think the US security folks are far better prepared and far more proactive in their consideration of new approaches than the “Department of Defense Strategy for Operating in Cyberspace” document shows. I am sure it is a limitation of the document’s messaging objective, but I really liked the thoroughness of the Australian plan and felt it needed more exposure.
Thanks again.
JT