Policy Paper 5: Is Policy Effective?
What is effective? Merriam-Webster’s dictionary defines effective as: producing a decided, decisive, or desired effect. With that in mind, it is possible for any policy to be effective. That is until it isn’t then revisions are implemented to bring the policy in to compliance. Ultimately, the policy is only as effective as the compliance of the user. It is common knowledge that humans are the bane of every IT and cybersecurity department. From Wizard’s First Rule by Terry Goodkind: “People are stupid.” As such the effectiveness of any policy is predicated on the user, the organization’s effectiveness threshold, and the threat. Only one of which we cannot control, educate, or predict.
A proper cybersecurity policy is necessary for any organization. It provides the standards, guidance, and responsibilities to those who use or access the workstation. The military takes special care to ensure a program is properly assembled and functioning properly. This paper will attempt to establish the policies efficacy. These policies include Air Force Instruction (AFI) 17-130, Defense Forward and Persistent Engagement, Acceptable Use, and Information Warfare in a time of Peace.
Within AFI 17-130 there is an overall view of what is contained inside the document, roles and responsibilities, and cybersecurity framework. The latter, cybersecurity framework, is the heart of why the Air Force policy AFI 17-130 is effective as it is modeled after or heavily borrows from the NIST Cybersecurity Framework whose core function is Identify, Protect, Detect, Respond, and Recover.
Defend Forward and Persistent Engagement has two aspects to it. First, Defend Forward is a strategy that imposes a cost response to “disrupt malicious cyber activity at its source.” What this means is that if the United States perceives or is actively attacked it will respond in kind below the level of armed conflict. Persistent Engagement on the other hand is a proactive approach to cybersecurity where it patrols the cyberspace to stop or prevent threat actors from acting.
Most organizations have an Acceptable Use Policy (AUP) which is simply an agreement between the organization and the user to remain within preestablish guidelines. AUPs can change and be updated overtime to impose a restriction or lift it based on the needs of the user or the allowances of the organization. It should be noted that AUPs from an organization’s point of view can be seen as a control to deter unacceptable user behavior vice desirable and effective security behaviors.
Finally, Information Warfare in a time of peace works to ensure the US has the means to have the upper hand below the level of armed conflict. It also provides a path for the US to lessen kinetic forces and equipment by investing in top-of-the-line cyber capabilities which is significantly less expensive.
However, as stated at the top of the paper, the effectiveness of any policy is based on the users and the organization’s view and is subjective to the owner/user. If we based the military’s cybersecurity policies on the CIA triad, then yes, they are indeed effective.
References:
Marion II, William (2020). AIR FORCE INSTRUCTION 17-130. Retrieved from https://static.e-publishing.af.mil/production/1/saf_cn/publication/afi17-130/afi17-130.pdf
NIST. (2018). Risk management framework for information systems and organizations: Risk Management Framework for Information Systems and Organizations. https://doi.org/10.6028/nist.sp.800-37r2
US Cyber Command PAO. (2022). Cyber101 – Defend Forward and Persistent Engagement. U.S. Cyber Command. https://www.cybercom.mil/Media/News/Article/3198878/cyber101-defend-forward-and-persistent-engagement/
Doherty, N. F., Anastasakis, L., & Fulford, H. (2011). Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy. International Journal of Information Management, 31(3), 201–209. https://doi.org/10.1016/j.ijinfomgt.2010.06.001
Bernsen, D. (2021, December 18). War in all but name. The Strategy Bridge. https://thestrategybridge.org/the-bridge/2021/4/26/war-in-all-but-name