The Evolution of U.S. Cyber Strategy
Published July 11, 2024
In the early 2000s, the U.S. government viewed cyberspace with optimism, believing that access to and information from the internet would help spread democracy worldwide. However, cyberattacks from state and non-state actors, such as North Korea's attack on Sony and Iran's campaign against U.S. banks, highlight the growing threat posed by cyberwarfare. The United States must now strategically adapt its approach to cybersecurity and recognize the ever-changing and complex digital landscape to successfully face the array of cyber threats from rival nations and bad actors.
The opinions expressed in this video are those of the authors and do not necessarily reflect the opinions of the Hoover Institution or Stanford University. © 2024 by the Board of Trustees of Leland Stanford Junior University.
>> Jacquelyn Schneider: I got you, you're a captive audience. But now you guys get to talk about cyber for an hour. And to make it even more fun, we're gonna talk about strategy as well, two things that are about as wonky as it gets. So we're gonna try and take the next hour to take something that is kind of wonky, kind of niche, and hopefully get you to understand, one, why it matters.
And two, for you to understand the bureaucratic politics, the big ideas, the reason why our strategy has developed the way it is. And hopefully by the end of this you have a little bit of a knowledge about who's who in the zoo when it comes to US cyber strategy.
And you're ready to all sit on the next commission that builds the strategy and make them even better. Okay, so why do we care? I think sometimes you get up and you talk about cyber, and you guys hear ones and zeros, and that's right. But one of the reasons why cyber is such a big problem is because cyber hits at the most strategic level.
So the first cyber attack that's known to create physical effects was actually the Stuxnet cyber virus. Which was a reportedly US and Israeli virus that attacked the Iranian centrifuges and caused them to spiral out of control. Now ever since then, the relationship between cyber and nuclear has been intricately linked.
And so you have kind of open-source reporting of cyber attacks on the development of, for example, ballistic missiles in North Korea. You have discussions about the digitization of nuclear command control and communications. So the digital information and cyber have a direct impact on strategic stability, but they're also tied into every other level of modern warfare.
So today the way in which states fight war, it's completely impossible to separate the digital. The digital technology that undergirds modern warfare starts at the foundational level with how you send command and control, how you gather intelligence, how you store data, how you process data, how you disseminate data.
But that data goes from these kind of large command centers, and it ends up in almost every single weapon system and right down to the infantry level. So you have F-35s that are called the flying clouds because of the data that they share amongst each other. You have JTACs, those guys on the field calling in airstrikes, and they're reliant on things like iPads, and tablets, and software that are giving them real time updates about what's happening so they can drop missiles and bombs.
And all of these digital capabilities come with inherent cyber vulnerabilities. But really, the big reason why we're here today, the big reason why cyber is so important, is not necessarily just because it has a relationship with nuclear weapons, or that it factors into who wins in modern warfare.
But because digital technologies undergird every single portion of modern society. Whether it's the economy, governance, how we communicate with each other, how we buy things, how we make things, how we travel, how we get healthcare. All of these things are reliant on digital technology, and therefore vulnerable to cyberattacks.
And really, it's the civilian world in which we see the vast majority of these digital attacks on the effects of cyber. All that's to say cyber's a big gnarly problem. It's a big gnarly problem for the United States that has strategic implications, it has operational warfare implications, and more importantly it has implications for the civilian world, for economies, for governance, for how we interact.
When you have a problem that is this big, that is this gnarly, and this difficult to deal with, it becomes very difficult for the federal government to figure out how they're going to harness their limited resources to deal with the problem. And that's where strategy comes in. Because the purpose of strategy is to take these gnarly, difficult problems, and assign priorities and goals to signal to adversaries.
And then at the best, strategies actually delegate lines of effort so that everyone in the federal government knows this is what we care about, this is why we care about it, and this is who does what. It seems pretty simple, it doesn't show up in most strategies. So most strategies have some elements of these things, but are often lacking in some of them, it is very difficult to do all of these things well.
So why do we need this strategy in the US, why is this so difficult? There is an internal threat, but there's also a really significant external threat. So the external threat includes, and this is kind of the list that comes down from the Department of Defense in terms of their prioritization.
You have Russia, China, North Korea, Iran, and a series of different ransomware actors. And I think when I briefed this a few years ago I probably would have put Russia first and then China. It's hard to know kind of who is the best in this bunch, Russia certainly was assessed to be the best but has done not as well in Ukraine as would have been expected.
But what has been remarkable is how good the criminal actors have become, and how pervasive ransomware and other criminal cyber acts have really defined the cyber landscape. And so you have this really complicated landscape where you have both state actors and non-state actors, and yet the federal government needs to figure out how they're going to deal with both of them.
So what does the US do? So we're gonna go back in time, we're gonna go back to the mid-2000s which were the good old days, for you guys that might seem a long time ago, for me that was a second ago. So the first strategies start in the mid-2000s to the early 2010s.
Those were golden years for me, but I'm gonna say these were golden years for cyberspace. So if you guys wanna get into your time zone, in your time capsule, before Facebook was really bad, there wasn't really a Twitter. The Internet was still this place where you were sharing information, where you all of a sudden had so much more knowledge, that e-commerce was booming.
The Internet seemed like this remarkable way to create interdependencies that were really great for the global economy. This is the same time period where you had the Arab Spring, this is 2006, and you had people in the streets and they were using social media to stand up for democracy.
And the Obama administration looks at this and it looks so promising, and they put out in 2011 the International Strategy for Cyberspace. I think it's useful, actually, to read a little bit of what they saw of the world back then. They said the digital world is no longer a lawless frontier, nor the province of a small elite.
It is a place where the norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold. One of the finest examples of a community self-organizing, a civil society, academy, private sector, and governments work together democratically to ensure its effective management. There was a real belief at that time that if we just allowed as many people as possible to have access to the Internet, that this would lead to democracy, that the Internet was good with a capital G.
And so you saw that in the way the Obama administration initially approached cyberspace, their focus at the time was on responsible norms. At that time they're working with the United Nations and other multilateral institutions to create groups of people that are getting together and setting up what they see as the potential for the Internet.
At the same time, the Department of Defense is a little bit less optimistic. So you see the creation of what would be considered a war-fighting organization, and that's led by the guy in the picture right there, General Alexander. So General Alexander was head of the National Security Agency, which is the primary signals intelligence organization in the Department of Defense.
And he saw what was happening in cyber, and he thought I don't see all golden, right, I see threats, I see real dangers. And so at the same time that the Obama administration is trying to propagate norms and working on kind of Internet as good with a capital G, we have this stand up of an early version of what would become Cyber Command, which is the Department of Defense war-fighting command to combat cyber threats.
Now things change by the second half of the Obama administration, and you see a real shift from the beautiful golden ages of the Internet to what I would consider a kind of sobering cyber reality. So this is the same time period as the North Korean attack on Sony, it's the same time period that the Iranians launch a massive campaign against US banks and dams.
You have a massive breach of the Office of Personnel Management, and the Chinese steal over 22 million records of US employees. And then at the end of their administration, you have the Russian hack into the DNC. So what looked beautiful and promising, slowly starts turning into a bit of a cyber nightmare for the Obama administration.
And they adjust as they start seeing, hey, there's actually a lot of threats here. And it's not that the Internet will necessarily create democracy, but that it can actually become a threat to democracy, and that's a pretty big shift for the administration. They are trying at this time period to organize the federal government to deal with cyber.
And this is what we call an eye chart, so it's really hard to read, right? I'm sure some of you guys have done some graphic design courses, this is horrible.
>> Jacquelyn Schneider: This was the document during the end of the Obama administration that delineated who did what in the federal government.
So every single bullet, every single word, every single acronym on this page went through about 500 iterations. What you're seeing here is the unofficial official lines of effort and responsibility for the US government under the Obama administration. So what's really significant about this, this is a representation of a huge bureaucratic fight.
So you see three big organizations there, you see DOJ and FBI, you see DHS and you see DoD, what is interesting is what each of those is going to do. So under the Obama administration, the Department of Defense actually plays a relatively small role when it comes to cyber strategy.
So the focus is defend the nation from attack, and deter. The primary for most of the protect missions, that's most of the attacks that are occurring against what we call the dot-com, the civilian portions of the United States, as well as the dot-gov, so that's the federal, is Department of Homeland Security which at the time is a really new organization.
So the Department of Homeland Security is kind of scrambling here, they have a whole lot more responsibilities. Meanwhile the Department of Defense is not super thrilled about DHS, which is this upstart, slightly annoying agency, having so many roles and responsibilities. They're effectively the lead in the vast majority of cyber-attacks that are occurring.
And then you have DOJ and FBI, and DOJ and FBI are in charge of dealing with all crime. So all of a sudden the Department of Defense, which is the largest organization in the federal government, it's also potentially the organization that kinda first identifies that this is a really big problem and threat, it's really a sideline player.
So DOJ, FBI, and DHS are far more powerful when it comes to this. Just so you guys know, you can write this down, this is called the bubble chart. And if you talk to anybody who was doing cyber between the years of 2012 to 2016 and you say hey, I saw the bubble chart, they'll be, it'll be a moment, you guys will share something.
So this becomes an extremely important document. And it represents actually kind of the first motion, the first kind of forward motion that the US government takes towards actually aligning objectives with lines of effort. So I can make fun of them a lot, but this is actually a pretty significant advancement right here for US strategy.
So that moves us into the Trump administration, now it's complicated, right. At this point, as Trump is taking power, we're on the cusp of this kind of Russian thing which is really contentious, and you've got NSA and Cyber Command that are trying to reconcile with what was potentially an election interference.
But at the domestic side, you have a Trump administration that doesn't necessarily want to deal with that. And then you have an internal group of people, the Trump administration, which initially starts out to be pretty well qualified people, but ends up becoming a bit of a revolving door of people leaving the National Security Council.
So I put here cyber unleashed question mark, what it really was was kind of ignoring cyber. But at the same time, the people who were in charge used that kind of space to experiment. So we go from the Obama administration, and the Obama administration that focuses on deterrence, be prepared, let's work on norms against attacks on critical infrastructure.
But at the same time they're really, really nervous about using offensive cyber operations. So they build this entire authorities process which makes it extremely difficult for any offensive cyber operations to be approved. Basically you have to have the Department of State, the DOJ, the DHS, all them and the NSC, all approve an attack before the Department of Defense can take an attack.
So you don't see a lot of offensive cyber happening during the Obama administration. And in fact, recently General Nakasone testified that there is no public evidence of any offensive cyber-attacks that occurred under the Obama administration. And the real concern is that escalation, they thought that if we used offensive cyber that this would open a Pandora's box, and therefore they were keen to show restraint.
So the Trump administration comes in and they're much more risk acceptant. You have new folks in charge at the Department of Defense and in the office of Secretary of Defense's office. Meanwhile you have Paul Nakasone who is now in charge of Cyber Command, and he's a tactical commander who is extremely forward leaning.
So in 2018 a new DoD cyber strategy comes out, and it actually comes out before the national security strategy which is kind of a no no, but they lean forward, they decide to take the initiative. And the DoD cyber strategy introduces this concept of defend forward, they don't define it, it's a funky term.
But what we end up accepting that it is is that they are going to be more forward leaning and use more offensive cyber operations, potentially even preemptively, instead of holding back and waiting. They decide that they aren't as worried about escalation, that they think that the US can take cyber attacks without leading to violence.
And so you have a risk acceptant and forward-leaning commander in Nakasone. You have a Trump administration that isn't really watching everything that's going on, and has created all these new authorities for the Department of Defense. And so you get a lot of experimentation that's occurring in the Department of Defense, and also in CISA which is a new organization that stands up under the Department of Homeland Security in order to share information with the civilian side.
So you see that there is all this experimentation occurring, does offensive cyber work, does it lead to escalation, you end up in this kind of experimentation phase. So that leads us to the Biden administration. And when the Biden administration takes over there's all these questions like, is defend forward going to go away?
Are we gonna go back to the Obama policies, is deterrence gonna be the big thing again? And I think what we end up getting is a bit of a, it's actually not a huge shift from the Trump administration, it's just more a maturation of it. So I'm gonna call this the cyber rebalance and resilience, see, I tried.