Why Do We Need a Cyber Strategy?

>> Jacquelyn Schneider: My goal here is twofold. One is I wanna level our knowledge about what we've learned in the last decade about cyberspace and us strategy. The second thing I wanna do is convince you. Here's the polemic in the piece that cyber matters, even if it doesn't matter, for the evocative, scary ways in which we originally thought cyber mattered ten years ago.

And that strategy, while wonky and a bit unwieldy, actually really matters. And for those that pay attention to the details about how strategy is drafted and implemented, that we can actually make a very large difference in us cyber policies by focusing on strategy. So those are my two overarching goals.

So I have to start with the bang, right? So why did people think that cyber mattered for ten plus years? And I think a large part of it has been a relationship with nuclear weapons. So when we first started hearing about the language of cyberspace, it came with it, the same language we talked about nuclear weapons, cyber Armageddon.

The first known cyberattack that actually caused physical effects was a cyberattack on Iranian centrifuges that caused them to spin out of. And go in such an unwieldy way in which they were actually able to push back the Iranian nuclear program for a short period of time. So there's been an intimate relationship between cyber and nuclear weapons, really, from the beginning of us cyber strategy.

So much so that at the beginning, the United States actually put cyber command and cyber capabilities underneath strategic command, which is the command that is typically in charge of nuclear weapons. And so, for the US, this relationship has always been extremely intimate. We think of cyber and cyberspace as a highly strategic domain.

But it wasn't just about nuclear weapons. Increasingly, we realized that cyberspace had an intimate relationship with the way in which we fought modern warfare. So every bit about the modern battlefield is digitally enabled, whether it's the folks on the ground calling in airstrikes, from a version of an iPad to the Air operations center.

And the battle management centers that are all kind of built on this foundation of digital technologies. So at the same time that the US realized that cyber mattered, potentially for this strategic thing, they were also realizing, shoot, cyber also matters for how we fight and who wins and loses wars.

And really, that was one of the big focus for the first five years about how the US thought about building its cyber capabilities. But it was a bit of a red herring, because while cyber is an extremely important part of modern warfare, extremely important part about thinking about strategic stability.

Really where it matters is the digital economies, the infrastructure, the way in which we receive our pharmaceuticals, the way we fly, the way we transit on trains. Everything about modern economies is built on digital capabilities. And because of those digital capabilities, we find that this is also the area in which cyberspace matters the most.

So while the US was extremely focused at this high strategic level on nuclear weapons and conventional military planning. In reality, where cyberspace has played the most important role to the us government, society and economy has been in how cyberspace undergirds the critical infrastructure and the modern way that we live.

So obviously, you need a strategy because that's a very complicated set of issues that cyberspace crosses across. So what's the point of strategy for those of you who have lived in the policy world for a while? That strategy, there's kind of a strategy for everything. And how do you evaluate what is a good strategy from what is a bad strategy?

So I'm gonna proffer here that good strategy does three things. The first, and I think this is actually the most important, and actually where most strategies fail, is articulating priorities and goals. So we don't care about everything. There are things that we know are more important than others in cyberspace.

This is extremely challenging because, as I just showed from those three slides, almost everything touches cyberspace. So how do you determine what is the most important? This is where the rubber hits the road for most of the us decisions, figuring out what it's going to prioritize. The second thing which a good strategy does, is it signals to adversaries and to some extent, allies what we care about.

What are the red lines, the implicit thresholds? The explicit thresholds at some point at which we do not tolerate adversary behavior or in which we're going to support allies? So is there something that happens in cyberspace that the United States has credible means of punishment or is willing to punish?

And that has really fluctuated over the years for the United States. And finally, and this is the wonky part, the part that people kind of gloss over. It's not the beautiful writing, it's not the kind of the canon form of strategy, but this is where it really strategy matters, and that is in the implementation of strategy.

How does it delegate lines of effort to subordinate organizations? So when you're talking about something as complicated cyberspace that touches the public sector, the private sector, the military and the nuclear realm. How do you determine who in the us government is doing what, who should be authorized to do what, and what are the delineations and the ways in which they're going to cooperate and contribute.

And that is where great strategy becomes implemented. Okay, so why do we care about cyber? I know it's 830 in the morning. It seems a little boring. So let me give you kind of a rundown about why the us government thinks it cares about cyber. And I'll start with the external threat.

So the cyber strategies over the last few years have identified a few players as the common external threat. The top two are Russia and China. And I would say before Ukraine, we clearly put Russia at the top of this list. Russia has been the most prolific and most audacious actor in cyberspace over the last 20 years, largely drawing on their expertise in intelligence, whether it was the former KGB going into the GRU and the FSB.

And then we saw recently their kind of foray into information operations and the Internet research agency. So the Russians have been very busy in cyberspace, really since the nineties, but with effect since the two thousands so early attacks on Estonia. But we also saw that the Russians were combining cyber operations with conventional operations, going back to their early operations into Crimea and then leading up into what we see today in Ukraine.

That said, a lot of the estimates about how effective the Russians could be if they unleash their cyber arsenal seem to me perhaps an overestimation when you look at how they were actually able to implement operations against Ukraine. And we'll talk more explicitly about those lessons and what that means for us cyber strategy at the end.

So the Russian focus is generally on pairing cyber operations with either a strategy of trying to create disorder and confusion. Or to pair it with conventional operations in order to increase the chance that a Russian military, which is a little more outdated than, for example, the Chinese or the United States, stand a fighting chance.

The Chinese are a little bit different. So the Russians have, in the past, not really cared about being identified, especially in a lot of their operations that are co located with their conventional operations. The Chinese, at first were far more covert, but they have moved into what I would call as a mass exploitation of information.

And so you start seeing that the Chinese are looking at very large scale data breaches all the way back to the office of Personnel Management. And so their focus has been on taking as much information as possible. A lot of that is used for intellectual property theft. So the idea being that you're stealing information that then is siphoned back into chinese industry and used to compete against american, european and other asian allies in order to kind of leapfrog other states.

So it's kind of the cheating version. The other thing that the Chinese are known to do is use information in order to build a large database of information for potential conflicts in the future. What we don't see the Chinese doing in the same way that we do the Russians.

The Russians are keen to create exploits that create effects. The Chinese usually sit on exploits. So what you mostly see from the Chinese is spying, not trying to degrade a physical capability. So far, we also see that the Chinese are using more mercenaries, so they're trying to decrease the chance that the US will identify operations with the Chinese.

And so more of a centralization of cyber operations occurring under Xi Jinping. So you have a prolific use of cyber spying, as well as an increasingly audacious use of mercenaries and cyber proxies in order to decrease the chance that the US will escalate against the Chinese. So those are probably the most competent of the two actors, just for a sense of scale.

The chinese estimates are at about 40,000 hackers. The United States has about 68000 cyber professionals that they have at cyber command. Of those six to 8000 cyber professionals, only a very small percentage of those are what we would consider hackers. So in terms of scale, you're looking at a very, very large scale, highly prolific set of actors in the chinese, more in the nuisance category, where we put Iran and North Korea.

So Iran and North Korea are both actors that are extremely busy in cyberspace. You see them conducting operations that are a lot less sophisticated than the Russians or the Chinese, but nevertheless very active. And so the Iranians have been very busy in cyberspace, really since Stuxnet, and they have launched a series of attacks against regional countries.

Shamoon is one of the most famous, where they're going after core critical infrastructure and resources within countries that they disagree with in terms of foreign policy. The Iranians have also launched a series of attacks on Us banking with significant effect. There was a whole campaign that the Iranians had a few years ago going after US dams and US banking interests.

And it got a lot of media attention, mostly because it was very ineffective. They were caught quite often, and some of the dams they were targeting turned out to be kind of like a very, very small scale. So big nuisance actor has not had a lot of significant success against the United States in some of our core critical infrastructures.

North Korea is a bit of a different player. I think we would most likely think of North Korea when we talk about the Sony attack, in which the Kim regime was very upset about a pretty bad movie that came out. That was making fun of the Kim family and probably would have been ignored if the North Koreans had not had such a kind of big attack against Sony, caused Sony pictures huge economic costs.

But it was a bit of a sloppy cyber attack. It was quickly attributed to the North Koreans. And so that's kind of what they're known for. Where they've moved in the last five to six years is using cyber attacks as a way to generate resources for the Kim regime.

So you have a lot of ransomware basically. They're very, very good criminal actors at this point. And so they're raising money for the Kim family. And then I think the most prolific threat today is actually criminal actors. So I alluded to this when it comes to the North Koreans, but there's a series of criminal actors that are kind of just ignored tacitly, that are in Russia, eastern Europe, and a bit in China.

And so these are criminal actors that are focused on critical infrastructure in order to gain revenue. And they are the most prolific, also the most rational and extremely competent actors in this cyberspace. So for those of you who have worked on any government, it, you would know that if you have a problem with your computer, it's really, really hard to get somebody to fix it.

But if you have a ransomware attack, they actually are really, really good at making sure that you can pay. So you find some of the best customer service in the world with these criminal ransomware actors. They will help you use, they will help you pay. They will help you figure out bitcoin.