3 next steps for strengthening mission assurance

Aug 21, 2019
"Security is like oxygen. You tend not to notice it until you begin to lose it, but once that occurs, there is nothing else that you will think about."
What is Mission Assurance?
Mission Assurance is a framework of best practices for promoting and safeguarding an organization’s resilience. While it cannot 100% guarantee security, entities that fail to follow its guidelines leave their core operations and tools at a much greater risk of attack. Security professionals are expected to apply Mission Assurance within their organizations and constantly seek ways to strengthen its application.

Individual security is a basic human need, just like breathing oxygen. As we go about our daily lives, we hope and trust that our communities, schools, job sites, places of worship, country, and travels near and far will be safe. But security is never free: it takes close collaboration between public and private institutions to combat an increasing number of cyberattacks and keep our critical functions safe.

There are three essential steps we need to take to secure and defend the homeland: framing the problem, aligning complex interdependencies, and moving cybersecurity to the forefront of Mission Assurance.

Step 1: Frame the problem

The most critical step to developing a solution is to first frame the problem correctly. Organizations, like individuals, are apt to develop solutions before completely analyzing and framing the issue—leading to unnecessary risks. At the strategic level, framing problem sets accurately is essential to the survivability of the nation and its way of life.

History is prologue as near-peer power competition returns. A resurgent Russia and an ascending China vie for greater international influence, and their objectives are being pursued through intensified diplomatic, informational, military, and economic activities—including cyberattacks. Iran and North Korea pose security challenges to the U.S. and international community where regional activities, like missile launches and mining of international waterways, threaten the global order.

U.S. national critical functions are among the most pressing of potential vulnerabilities. Large, successful attacks could devastate the safety and well-being of citizens. Mission Assurance addresses the current threat-scape by framing the problem and developing solutions that allow for the continuous operation of core functions—from the household to the national level, which includes homeland security and defense organizations.

Supporting military forces deployed in harm’s way takes precedence over forces at home station, and understandably so. But the competition for resources requires trade-offs: sustaining the readiness of deployed forces puts investments at risk in equipment modernization and infrastructure sustainment, and if these investments are delayed, the combat effectiveness of deployed military forces can be eroded. This is why those responsible for sustaining the infrastructure (i.e., installations, ports, road and rail networks, depots, etc.) must protect mission-essential functionality.

There is no longer a distinction between the “home and away” games, as the lines dividing national security, defense, and homeland security continue to blur. For too long, security has been framed in relation to the application and management of conflict in the domains of land, air, sea, and space. One cannot frame a problem correctly without considering cyberspace as a domain too. Threat management paradigms must include a multi-domain framework where bellicose activity is recognized in all areas with shared responsibilities across sectors.

Combatant commanders need to actively champion Mission Assurance in operational planning. The changing character of international conflict involves “emerging technologies like artificial intelligence, hypersonics, machine learning, nanotechnology, and robotics [that] change in the character of war.” From large-scale war to activities just short of war, emerging technologies could threaten national security and resilience when used by those who seek to harm U.S. interests.

Framing the problem may yield a solution involving traditional responses to such foreign and domestic attackers. Leaders are seeking ways to promote an increasingly joint Mission Assurance mindset, where success relies on inclusivity in operational planning, not siloed action.

Step 2: Align complex interdependencies

Mission Assurance objectives center on the intricacies of multi-domain operations among homeland security and defense stakeholders within the public and private sectors. Cross-sector cooperation is required to reach alignment—as the stakes are far too high in Mission Assurance to allow for silos.

When conflict is viewed in the context of multi-domain operations without respecting international borders, aligning efforts between the Departments of Defense and Homeland Security is insufficient for finding the best solution. Within the federal government alone, each agency has its own mission, chains of authority, priorities, funding, and personalities that are shaped by their respective cultures. Aligning interdependencies grows more complex when incorporating other governmental agencies from the state, local, tribal, and territorial levels. The matter is further stressed when including the private sector.

Shared Mission Assurance responsibilities and assessments go a long way toward aligning interdependencies. Leaders must encourage teamwork to protect the critical functions of each organization, at every level, and remain resilient in all domains—especially cyberspace. From the military to private industry, the impact of potential future attacks hangs in the balance of effective communication and collaboration across all sectors.

The U.S. and the world could face catastrophic outcomes if cyberattacks were to simultaneously affect multiple national critical functions. As such, improved collaboration among public and private institutions is an urgent need for Mission Assurance moving forward.

Step 3: Move cybersecurity to the forefront of Mission Assurance

International relations, national critical functions, organizational missions, business transactions, and individual actions are heavily influenced by what happens in cyberspace. The digital superhighway—with bits traveling at the speed of light—affects individual and collective security. Applying Mission Assurance without treating cybersecurity as a principal consideration will yield, at best, a false positive. Namely, one may feel secure initially, until cyber-borne threats become a reality.

21st-century history is replete with cyber-events that caught individuals, organizations, and nations off guard—cutting them off from the cyberspace domain upon which livelihoods and security depend. Cyberattacks are many, including, but not limited to, denial-of-service, distributed denial-of-service, phishing and spear-phishing attacks, password attacks, and man-in-the-middle attacks. Such attacks have led to the theft of personal, corporate, and classified information, loss of revenue, and even the loss of situational awareness.

By moving cybersecurity to the forefront of Mission Assurance, leaders and operational planners enter "Step 1 Problem Framing" without diminishing its importance to humankind. Adversaries use cyberattacks as a precursor to cross-border incursions and armed conflict. Russian incursions into Georgia (2008) and Ukraine (2013) were preceded by cyberattacks that caught governments worldwide off-guard. Maintaining proper situational awareness is necessary for Mission Assurance to achieve its aim—namely, a resilient organization capable of performing its core functions continuously.

When bellicose activity from a threat actor against its target isn’t taken seriously, it’s often due to flawed beliefs and imagination. Outlooks changed the morning after December 6, 1941 (Pearl Harbor) and September 10, 2001 (9/11). The 9/11 Commission Report stated that “the 9/11 attacks revealed four kinds of failures: in imagination, policy, capabilities, and management.”

How do we prevent these failures of imagination? It begins with a recognition that human existence is linked heavily to cyberspace, and that Mission Assurance must therefore prioritize cybersecurity to identify those gaps in processing information that lead to the loss of situational awareness. By examining the critical gaps and opportunities for progress, we can strengthen Mission Assurance against emerging threats—and bolster the security of our nation.

International hackers have developed a cheap, effective means of taking down nation-state competitors. These attacks continue to increase, and a lack of preparedness makes critical infrastructure an easy target. Cybersecurity must be at the forefront of mission assurance to mitigate these threats.

Despite legislative progress in recent years, adversaries using asymmetric means of disrupting infrastructure remain an increasing threat to U.S. cybersecurity. The DoD and its partners have significant hurdles to overcome to protect the country from foreign cyberattacks. Only clear directives and synchronized leadership efforts can help us catch up—and (re)claim, with confidence, the security that sustains us.

For more information on developing innovative strategies to address current and future threats to the nation, read our report on “Strengthening Defense Mission Assurance Against Emerging Threats,” produced in collaboration with Auburn University.
