Originally published on November 18, 2022 by Velos Solutions
It’s no secret that adversaries at home and abroad treat the U.S. as a target. They work tirelessly to infiltrate our networks, compromise our communications, frustrate our foreign policy goals and undermine our interests. They target us directly and, increasingly, through our Partner Nations – countries with whom we share common values and national security interests. These are countries with whom we actively collaborate and share information with to safeguard those common values and interests.
The security and stability of our Partner Nations directly impacts U.S. security and stability. Because of this, the U.S. created the Foreign Military Sales/Foreign Military Financing (FMS/FMF) programs to supply and support these countries. Traditionally, this support was in the form of physical items, such as planes, tanks or secure radios. However, cybersecurity has traditionally not been treated with the same level of importance, nor staffed with the same level of expertise – although defensive cybersecurity capability is now arguably more critical than aircraft or armor.
When our Partner Nations’ networks are compromised, which is happening more and more often, we are unable to communicate or securely engage with them. And when we are unable to share strategic and tactical plans, perform exercises together and conduct military mission simulations, the security and relationship of both the U.S. and its Partner Nations is degraded.
LTG Charles Hooper, US Army and former Director of the Defense Security Cooperation Agency (DSCA) underscored the critical importance of Partner Nation cybersecurity when he said: “Just as our traditional alliances are defined by the military capabilities of the strongest partners, our corresponding coalition data networks will be defined by the weakest nodes in the network. The central challenge we will face is how to develop these capabilities together with our diverse allies and partners.”
Compromise does not only come in the form of cyber-attacks. It can come in the form of predatory involvement. Many U.S. Partner Nations lack the funding or the experience to manage their cybersecurity or fall prey to nations that have hostile agendas. These hostile nations actively woo the Partner Nations, trying to sell them ideas and technology that only serve the interests of the hostile nation.
For instance, the U.S. is currently working with an African country whose network and security infrastructure were provided at a very low cost by an Asian competitor. This Asian competitor has a global agenda that is often at odds with foundational diplomatic principles. Increasingly, that competitor is using its access to the Partner Nation’s network infrastructure to directly influence the Partner Nation’s foreign and domestic policy institutions in ways that support the Asian country’s agenda.
The U.S. should not be leaving a gap for a competitor like this to fill. We should have worked with that Partner Nation in advance to ensure that known, trusted technologies were put in place and functioning so that our relationship with the country in question would be strengthened and a secure data pipeline would be in place. This would enable us to engage and share the data and information needed to advance our mutual interests.
This is just one example of many. We are in a daily battle for hearts, minds and networks. But there are several systemic and cultural obstacles that we need to address before we can win this battle.
The current U.S. Government’s grant-aid system cannot effectively address the need for Partner Nations to acquire the cybersecurity technology they need. The system is in need of a major overhaul to meet the cyber security needs of Partner States. Acquisition, funding, staffing, and the approval process all need to change to meet this immediate threat in a timely manner.
Partner Nation cybersecurity acquisition can be supported by the FMS/FMF programs. These funding programs, managed by DSCA, can be used to help our Partner Nations achieve the level of cybersecurity needed to stabilize and protect their network infrastructure. In particular, the DSCA directs Security Cooperation Organizations (SCOs) to assist Partner Nations, whenever possible, in strategic planning and decision-making for the “procurement of U.S. equipment, training and services,” as long as the procurement is aligned with the Partner Nation’s strategic environment, technological capabilities and budget constraints.
However, currently, there isn’t a joint program office to address the cybersecurity requirements of Partner Nations. And this is necessary to make the use of FMS/FMF an effective reality. For example, in the United States European Command Area of Responsibility (EUCOM AOR), the responsibility for cybersecurity acquisitions has been delegated to a service-specific program office. This office is under-resourced, historically experiences high turnover due to overwork and is without its own contract vehicles.
As a result, contracting delays in excess of two years are commonplace. But that timeline doesn’t work for cybersecurity acquisition, given the operational tempo of cyber attacks, which is now down to once every 11 seconds. And it doesn’t meet the needs of the ongoing acquisition required to ensure effective countermeasures because cybersecurity software often makes significant advances every twelve months. By the time a purchase arrives at its destination, the technology is already outdated. During that time, cybercriminals and nation-state actors have likely been in place for 197 days or longer.
The White House National Security Strategy report released in October characterizes the world as becoming “more divided and unstable” and calls out this heightened competition between democracies and autocracies as the most critical trend we are facing.
The State Department has taken a proactive approach to advocate for cybersecurity efforts among Partner Nations by building consensus about frameworks and developing a cyber-deterrence initiative. And the Biden administration recently gave the State Department greater influence over foreign cyber campaigns and technology, including the creation of the first U.S. ambassador at large role for cyberspace and digital policy.
However, there is a shortage of security awareness or technological knowledge within the embassies themselves. Only the largest embassies have someone on staff with a professional understanding of cybersecurity. Even within the larger embassies, what little expertise exists, is focused on the cybersecurity needs of the agencies themselves and not their host nation. Most embassy staff only have a superficial knowledge of the U.S. cybersecurity industry, not enough to assess purchase requirements. Very few of those assigned responsibility for cybersecurity within U.S. embassies can identify the range of cybersecurity providers or discuss the various cybersecurity solutions necessary to address a Partner Nation’s requirements.
Embassies need focused education, training and resources that help them break down the basics of cybersecurity and effectively assess a Partner Nation’s capabilities and their needs for acquisition. Without this, the security of sensitive communications between the U.S. Government and our Partner Nations cannot be assured.
The U.S. and its Partner Nations are in a strategic competition with our geopolitical adversaries over network influence and dominance. Until the U.S. is able to systematically support Partner Nations’ cybersecurity acquisition efforts in a timely manner and as long as there is little expertise within U.S. Embassies abroad, Partner Nations will continue to be a weak link in the interconnected chain of digital communications and data sharing across the global network infrastructure.
The State Department and DoD acquisition efforts require a reboot, along with more training and resources for cybersecurity-specific acquisitions. At Velos Solutions, we have the practical experience and a few ideas on how to move the mission forward. We look forward to continuing the conversation.
Visit Velos to learn more.