In a Federal Computer Week article today titled "New threats compel DOD to rethink cyber strategy" they explore the DOD's shift from Network Security (information assurance) to Risk Management (mission assurance).

There have been a number of high profile incidents over the last few years - mostly involving the theft of sensitive data.  For example: Titan Rain (starting in 2003):  Several govern ment agencies and defense contractors had a level of information stolen equivalent to the Library of Congress. In 2009 the Pentagon’s $300B Joint Strike Fighter Project for the F-35 Fighter had its plans stolen. Also in 2009 hackers reportedly stole a classified PowerPoint slide deck that details South Korean and U.S. strategy for fighting a war with North Korea.

Data protection technology and insider threat protection are another area in which the technology is already available to help reduce the risk of confidential data loss or the undermining of data in critical information systems.

“The tradecraft of the attackers has really advanced in the last few years,” said Thomas Fuhrman, senior vice president at Booz Allen Hamilton. “And they're also very agile. There’s a whole range of threats, but the threats that matter — where we see exfiltration, threats of compromising national security command and control systems — this comes from a very sophisticated adversary.” And based on what analysts see, he said, “They respond to fixes we implement very rapidly.”

In addition, Fuhrman said, there is the proliferation of tools that make it easier for adversaries to attack DOD and other networks — as evidenced by the Iraqi insurgents’ interception of Predator video. “So you expand the range of people who are in this space by the availability of the tools to the work.”

“Security isn't the mission,” Conway said. “Security is an enabler of the mission. That's one of the things Cyber Command is hopefully going to get their arms around to present a choice to the operator: Here's your risk if you don't do any security, here's your risk if you do everything secure, and here's a spectrum of everything in between. That’s a really complicated thing, but the operator needs to know how dependent they are on cyber” and make a decision on what risks are acceptable, he said.