The entirety of the internet is an infinite attack surface. Figuring out how to secure the information and communications transported through the cyber domain is a daunting task, and it’s one that the Pentagon’s Protecting Critical Technology Task Force is exploring all options to meet. Including, even, a reduction in transparency and a return to security through obscurity.
“The task force that I'm associated with is protecting today in order to ensure that there's a tomorrow,” said Major General Thomas Murphy, director of the Protecting Critical Technology Task Force. “ It might be a little bit of hyperbole there. But I would tell you that if our weapon systems don't work the way that they're intended at a time and place of our choosing, we're going to have a serious problem.”
Murphy’s remarks came as part of the Fifth Domain Cybercon conference held in Arlington, Virginia, November 12, 2019. The task force is housed in the office of the Secretary of Defense, and was stood up in October 2018. The task force describes its broad mandate as protecting “critical technologies wherever they reside.”
To that end, the force is looking at improving cybersecurity in the companies that make military technology, or the industrial base; protecting military technology R&D, be it at universities or labs; block foreign investment and acquisition of military technologies, largely though not exclusively through export controls; and to deny access to those technologies to adversaries.
Of particular concern is not just the loss of intellectual property, but of existing technology being adapted by rivals or used to find weaknesses in deployed weapons.
“We've in effect become the R&D base for our adversary’s capabilities,” said Murphy. “My task force isn't here to stop stealing because stealing is bad, although it is, it's to stop it because it's causing the erosion of the lethality of the Joint Force.”
One approach Murphy outlined for meeting all those security goals is creating a tiered ranking of suppliers based on how critical their technology is. The third-party supplier that makes screws for a prime doesn’t need to know much more than the dimensions of the screws, and provided they aren’t taking in and holding on to more critical information than the screws, that supplier could operate at a lower threshold of security. Once the prime company, or university, or third-party supplier needs to know critical information, then Murphy proposes it be held to a higher standard of cybersecurity practice, or else it will be unable to receive the contract.
In order to hold contractors to those standards, the Pentagon has to first develop the standards, which is part of the big push behind the Cybersecurity Maturity Model Certification (CMMC), with an expectation that those requirements will be part of contracts issued in fall 2020.
In the meantime, Murphy floated a somewhat more radical solution to the discovery and exploitation of critical technology by adversaries. In the name of national security, Congress could legislate a layer of opacity over mandated transparency in military programs, which itself would have an impact on how the press is able to cover new developments.
“I mean, I read an article this morning. I read these every day. We're giving the adversary a map, and it actually has the X marks the spot on it. We're telling them what companies to go look at what universities who's doing research on things,” said Murphy. “And I keep hearing, well, that's legislation that makes us do that. Well, change legislation. We don't need to be so open.”
If the adversary is as sophisticated as Murphy describes it, capable of repurposing military research through exfiltrated bits on unsecured computer networks, it is unclear how much obscurity would be needed to mitigate the threat, or if it would even work against such a foe.