Enduring Challenges for Cyber Strategy
Published April 4, 2023
One cyberspace norm that has emerged is that cyber operations do not lead to violent retaliation. Another is that it is inappropriate to target civilian infrastructure. An enduring challenge cyberspace presents is not the physical damage it can do but the destruction of trust between the public and private sectors.
Discussion Questions:
- How can the trust between the public and private sectors be rebuilt, and what steps should be taken to prevent future breaches of this trust in the cyber realm?
- What other strategies can be employed to reduce the likelihood of cyber-attacks, and how can organizations work together to prevent cyber-attacks from occurring?
Additional Resources:
>> Jacquelyn Schneider: So, this leaves questions, the Biden administration is currently crafting their next cyber strategy. Are we going to see more of the Obama administration rehash? Are we going to see a Trump rehash? Or are we gonna find that there are some continuities from both Obama and Trump? And I think where there are questions is in four main areas.
One is kind of, what are the role of norms, and how prominently is it going to play in strategy? The second is deterrence, does deterrence matter in cyber, and should it be a huge part of the strategy? The third is escalation, assumptions about escalation shape almost all of US cyber strategy.
And then the fourth, and fifth are about public private relationships, and the role of trust. Cyber is more fizzle than bang, so, how do you build a strategy for something that is constantly fizzling? Very important, but you don't see big bang effects. And I think that's gonna be the challenge for the Biden administration.
So, on the first question about norms, is cyberspace the wild wild west? I'm gonna argue here no. There are two norms, one emerged, and one second emerging. The first norm that has emerged is that cyber operations do not lead to violent retaliation. This means that states like China, are going to be more likely to conduct cyber operations to steal information, because they don't worry that someone's going to bomb them because of it.
That's bad news. On the good news side, states aren't worried that this is going to lead to war, so that's good. The second norm that's developing is that, it is inappropriate to target civilian infrastructure. And we see this actually occurring through the UNGGE, but, also there seems to be some sort of restraint that's occurring from the Russians.
And the United States needs to think in its future cyber strategy whether it should be an advertent policy entrepreneur for this norm, and actually have a declared restraint policy that it will not target critical infrastructure, so that's a debate that's occurring right now. The second question is about deterrence, the Obama administration really focused on deterrence and all of its strategies, but there's been significant academic research.
I've worked a lot in war games, and experiments to try and see whether cyber deterrence really works. And the reality is that, cyber deterrence is not effective for the vast majority of cyber operations that occur today. So, the ransomware activity, the criminal activity, the spying, deterrence is not an appropriate frame.
But, there might be a role for cyber deterrence when it comes to nuclear strategic impacts, right? So, how do we deter someone like Russia from conducting an attack against US nuclear command control and communications. And that's the type of strategic target that we actually have credible deterrence by punishment options.
So there is a role for deterrence in strategy, but it's probably a limited role. The big question I think, that's happening right now in the Biden administration is whether we can talk about deterrence by denial, which is creating both defense, and resiliency to convince adversaries that it's not worth taking significant cyber attacks.
And that's where in the past, it's kind of been a hand waving strategy, but we'll probably see more of it in the coming strategy. And then, there's a big question about whether cyber operations can be used as a signal or as a tool for deterrence, are these useful?
If you read a lot of work in, the Washington Post, you'll see that a lot of journalists are concerned about cyber operations being used for signaling and it leading to escalation to war. Academic research shows that these are actually not effective signals for deterrence, and that future strategy should probably avoid including them as a major tool for deterrence.
And then the big question that has been in the last two administrations, was whether cyber operations was going to lead to escalation. So, this is the big concern under the Obama administration, was that this would turn into Cyber Pearl Harbor. And this cover is actually from right at the beginning of the Ukraine-Russia conflict.
So there was a lot of fear at the beginning of that conflict, that cyber operations were gonna turn this into a nuclear war. It turns out the Russians were just gonna do war anyway, the cyber stuff was more of a side gig. And so, I think what we found is that cyber really doesn't serve as a deliberate escalation mechanism.
But it's also probably not something that's causing peace in the world, which is an argument that's put out by some academics. Instead, what we're seeing is that cyber operations have a constant relationship with violence, not to incite violence, but instead to increase the information control. To see who has the most information, so they can figure out who to target, how they get support from international organizations, and then how to degrade confidence in institutions.
And I think that's kind of where we see the largest strategic impact of cyber, is in its ability not to act as a bomb, but instead to act as a termite, where it's actually eating at the foundations of the trust that we have in the digital components of society.
And that really brings me to kind of looking ahead, right? So, the Biden administration is currently working on their next cyber strategy. So, I think this cyber strategy needs to focus very much on the role of trust. So the true impact of cyber operations, is not on whether a nuclear bomb works or not, it's whether we believe cyber operations have effect on whether a nuclear bomb works or not.
The big effect that cyber operations have was on our trust. Can we trust the digital technologies, the zeros and the ones that underline our bank accounts, that underline digital currencies? Can we trust the security in those digital resources? Can we trust our digital weapons? Can we trust that we know the right targeting information?
That the information that's displayed or that AI/ML uses to process for common operating pictures and situational awareness is the actual true depiction. This is where cyber really matters, because it degrades the trust that we've built, that we need to have in order to combat and fight modern conventional wars.
And then I think what we've seen from 2018 on, is that cyber operations can actually have a real large effect in the trust in digital governance, and the trust that societies have in each other. Whether that's because of information operations, the balkanization of social media, and the creation of enclaves of individuals, and this is kind of the not sexy part.
All of our information, whether it's our marriage certificates, death certificates, our taxes, they're all now digitally held. And if you can't trust that digital information, what does that mean for local governance? How does the ability to be able to trust that our information is held by government? How does that relate to the basic things that we do within our local societies?
So, we have to create a strategy that deals with cyber operations that act more like termites than bombs. And as a homeowner, I can tell you that it's not fun to invest in those kind of foundational, boring things, but, strategy has to be able to deal with those things, or the US is going to fail in cyberspace.
I've kind of hand waved the very complicated relationship that occurs here between the public and the private. The vast majority of cyber attacks occur against private companies, and yet how do we share information between private companies, and the US government, and vice versa? And what should the authorities, and the roles be for the US government?
Do we want US military on private networks? What should the relationship be between the US military, DHS, the National Guard, and our election infrastructure? These are actually extremely complicated political questions, and that's something that has not been completely worked out in previous strategies. And I think finally, for a strategy to be successful, they really have to think about how do you implement and operationalize resiliency and trust.
These are increasingly becoming buzzwords, but, a good strategy identifies how different agencies actually go about implementing these things, and what measures of effectiveness could be. And right now, the US is not at that point. So that is kind of the future of strategy, that's my kind of my polemic going out to you.
So with that, I know I've spent a lot of time talking up here, I wanna open this up for question and answer, so we can talk about the really interesting part of the ten decades of US cyber strategy.
>> Audience 1: Hi, thank you for the talk. I wanted to ask, what do you think is the role of research institutions and universities in educating cadres for cybersecurity and creating good strategies?
>> Jacquelyn Schneider: Yeah, I actually think academia has played an extremely large role in building out these strategies. If you're working in government, you have bureaucratic interests, when you're developing a cyber strategy, a policy, legislation, and not a lot of time to validate your assumptions. So, I worked for Cyber Command for a while as a reservist in my other hat, and so, I was the officer in charge of figuring out how you implement deterrence.
Well, it turns out it was more about this complicated balancing of these different organizations that were vying for power. Academia, we don't have that problem, right? So I can sit on a problem for multiple years, I can generate data, I can evaluate data, and I can say, hey, these assumptions that you're going in with, empirically, I don't have proof for them.
And that's actually what happened with escalation, so, if you look at the last two strategies, there were strong assumptions about cyber escalation. That was really limiting the way the US government used its cyber resources. So, scholars became interested. I ran war games for the first series for three years.
I ran survey experiments. I conducted interviews. I did historical case analyses. And I said, actually, my data shows actually very limited evidence of cyber escalation. And I wasn't the only one, there were academics at West Point, at Marine Corps University, at Georgetown, at Harvard, all doing different evaluations of different types of data.
Kudos to the US government and Cyber Command, they actually brought all the academics together, and we said, here is all of our research about cyber escalation. And then that informed the Trump administration's cyber strategy, and some of the changes and assumptions about cyber escalation. So, I think academia has the ability to stare at a problem for a long time, evaluate data, and then, help policymakers and folks who are learning about strategy to evaluate their assumptions.
And I think the other thing that academia can do is sometimes show government where it has its own biases. And say, I see that you've done this, but I think this is because you're trying to increase the amount of budget you have. And that's something that I think academia does a really good job of.
>> Audience 1: Ma'am, you alluded to some of it, but I was wondering if you could expound a little bit further, sorry, I'm right here.
>> Jacquelyn Schneider: Okay, sorry.
>> Audience 1: In talking about the kind of emerging norm of the non-targeting of civilian infrastructure, where is that line starting to be drawn, specifically when we start talking about dual use, or the potential for dual use?
And how does that then complicate the policy discussions of, the inability to mobilize National Guard cyber forces over state lines, the inability to mobilize against, somebody attacking Amazon web servers, even though that houses military data? The dual use line is very fuzzy, so seeing how that then scopes and scales into the public private relationship, I was wondering if you could just expand a little further.
>> Jacquelyn Schneider: Yeah, this is a really good question, especially your example about the Amazon Web Services. Because Amazon you would think of as a traditionally civilian, I don't think people would even think of that as a defense industrial base company. And there are not clear rules about how it houses government information versus how it houses private information.
So, for those of you who don't know the cloud is a real place, it's usually like a warehouse full of servers, right? And so, you could actually physically have information that is sensitive or government stored in the same geographic location as your photos from spring break vacation. And so, that creates an actual dual use target that is a legitimate target actually, in cases of conflict, so this is an emerging question.
I think that question will continue to be worked out. It's nowhere near a norm where people can agree on what is civilian and not. But, there are other lines where I think people can agree, healthcare. I think states are increasingly agreeing that health care is a place that should be off limits.
That said, criminal actors are propagating ransomware attacks against hospital systems at a rate we've never seen before. But, there are increasingly understandings, even between China, Russia, and the United States, that that's not appropriate, and that that wouldn't be an appropriate state target. Power, not so much, right? That's seen as more of a dual use.
And so, I think there are kind of implicit norms that are developing about what would be considered true civilian only infrastructure. And then, there are states that I think will manipulate, and will intentionally entangle in order to decrease the incentives for states to attack. But that's, I think, the next stage of the norm.
You see, when norms emerge, you have kind of a big idea, and then you have a refinement of the idea. I think where we are is at the big idea that in general, there's this idea that targeting civilians is bad. And then, how that can actually get implemented in a more explicit way, that will be the refinement of the idea.
>> Audience 2: Hi.
>> Audience 3: Hi, good morning, I wanted to thank you for your time. And my question delves deeper in terms of your perspective on education policy. In the sense of, for many students in the United States, typically it's taught with just regular programming, but not necessarily teaching students how to hack.
In order for us to engage with other countries in the next 20 years, do you believe that we should have more hacking courses for students? Thank you.
>> Jacquelyn Schneider: Yes, this is a pretty big initiative coming out of the National Cyber Director's office, a man named Chris Inglis is running that.
I worked on this, actually, for part of the Cyberspace Solarium is we need to build the workforce. There's, I said, 40,000 Chinese hackers, and the US has a lot less, and some of that comes down to an underinvestment in STEM. And so, the US government has some burgeoning policies, and burgeoning programs that are supposed to invest, especially at the lower levels, the K-12, into increasing just basic digital literacy.
I like programs that invest in that broadly. As you all know, programming languages change, the technical characteristics change, but investing broadly in K-12 is important. The other thing that the US government is invested in, and there's an NSA, National Security Agency program, that provides incentives for colleges and universities to have different cybersecurity course accreditation.
And the idea then is to propagate the amount of cybersecurity majors that there might be, starting from community colleges. And then, on the final end, and this is kind of something that's being developed, is more funding and resources into top universities to be able to develop more programs at places like Stanford, Carnegie Mellon.
The problem that some of these kind of top graduate programs have had, has been talent. So there's been not enough coming through the K-12 that are American. So we have kind of a talent problem. And then the other problem the United States has, we have very strict and kind of arbitrary rules about clearances.
And so, even when we educate folks, and we create talent, it's then hard to bring them into the US government because there are so many restrictions on who can get a clearance.