The committee believes that operational dimensions of information systems security have received far less attention and focus than the subject deserves in light of a growing U.S. military dependence on information dominance as a pillar of its warfighting capabilities. Furthermore, the committee believes that it is urgent that DOD greatly improve the execution of its information systems security responsibilities.
One critical aspect of improving information systems security is changing the DOD culture, especially within the uniformed military, to place a high value on it. With a culture that values the taking of the offensive in military operations, the military may well have difficulty in realizing that defending against information attack is more critical and more difficult than conducting an information attack against an adversary. Senior DOD leadership must therefore take the lead to promote information systems security as an important cultural value for DOD. The committee was encouraged by conversations with several senior defense officials, both civilian and military, who appeared to take information systems security quite seriously. Nevertheless, these officials will have a limited tenure, and the need for high-level attention is a continuing one.
A second obstacle to an information systems security culture is that from an operational perspective good security often conflicts with getting things done. And because good information systems security results in nothing (bad) happening, it is easy to see how the can-do culture of DOD might tend to devalue it.