From Offense to Defense: America’s Cyber Strategy Pivot

Published July 11, 2024

Recent traditional conflicts, such as the war in Ukraine, have emphasized the need to shift away from a cyber strategy centered on offensive capabilities to one more heavily focused on defense, resilience, and information sharing with America’s allies. This new strategy assigns new roles and responsibilities to government agencies, places attention on protecting the civilian homeland, and requires strong public-private partnerships moving forward.

  • Read "Why the Military Can't Trust AI" (Foreign Affairs) from Jacquelyn Schneider here.
  • Watch "Shall We Play a Game? The Promise (and Pitfalls) of Wargames for Policy" from Jacquelyn Schneider here.
  • Watch "Can AI Predict Chinese President Xi's Military Plans?" with Jacquelyn Schneider here.

The opinions expressed in this video are those of the authors and do not necessarily reflect the opinions of the Hoover Institution or Stanford University. © 2024 by the Board of Trustees of Leland Stanford Junior University.

>> Jacquelyn Schneider: All right, so they're building this strategy, and Biden administration's full of, like, super smart people. It takes them a little bit of time to build these strategies, maybe because there are so many smart people. But what happens while they're building this strategy is Russia invades Ukraine. And so, we have a big lessons learned that end up influencing strategy from Ukraine, and what do we learn?

The first thing that we learn, is that defense, which is kinda boring, and information sharing, which also sounds boring, are really, really, really important. So all that effort that needs to get put into the way in which we disseminate information about cyber. Which sounds wonky and really, like, not worth paying attention to cuz we'd rather talk about cyber and nuclear weapons.

Now, the meat is in the defense and the information sharing, so we learned that. We also learned that cyber doesn't work like bombs. So there was a lot of focus in the Obama administration and the Trump administration about thinking about cyber as a substitute for bombs, missiles, conventional kinetic weapons.

And what we find when it gets to Ukraine is that's not really the case. Really, cyber is about stealing information and keeping somebody else from stealing your information. Potentially, it's also about manipulating information and keeping, decreasing others' access to information. But it is about information and intelligence. And the key to winning is not having the biggest cyber bomb, but instead, who has the cyber capabilities that allow it to survive longer, so the key is resilience.

And we find that cyber increases the fog of war, and its success is in creating inaction, not necessarily in creating effects. Interestingly enough, one of the big assumptions under the Obama administration, that cyber operations would necessarily lead to violence, we find no evidence of Ukraine and Russia. Instead, what we find is that cyber operations are often used after they're already dropping bombs.

So, cyber ends up playing a much smaller part in escalation than other conventional weapons. And then finally, that information campaigns are vitally important. So all of these lessons that the Biden administration is learning from Ukraine is now coming into their strategy. And so the first cyber rebalance they do is administrative.

So, at the end of the Trump administration, the Cyberspace Solarium Commission, which was a bipartisan commission led ostensibly. I mean, Angus King, Mike Gallagher, Jim Langevin, heavy kinda bipartisan influence, has, issues a series of legislative suggestions. And one of the legislative suggestions is, hey, you guys need to create a national cyber director that needs to be appointed, that is at the same level as a department or agency head.

And that national cyber director effectively becomes the cyber czar. So whereas in the Trump administration, we weren't sure who was in charge all the time, no offense.

>> Jacquelyn Schneider: The idea was that the national cyber director, be clear, we'd clearly know who was in charge of cyber. They wouldn't be, like, a self appointed cyber czar, it would be somebody that was congressionally approved.

And so the national cyber director stands up under Biden. But not everyone likes this, right? So this is a bureaucratic shift, and who does the national cyber director take power from? The NSC. So it decreases the power of those who are leading cyber portfolios in the NSC. So that, who was writing the strategies under the Obama administration and under the Trump administration?

So there becomes a bit of a bureaucratic shuffle, a bureaucratic, I don't wanna call it an infight, but a bureaucratic readjustment and rebalancing. Figuring out kind of who is the strategic lead for thinking about how we use cyber in the federal government. And so you see these four kind of faces that are up on the board, these are some of the most talented people in cyber, but they're also extremely strong personalities.

You have Anne Neuberger, who is in charge of kind of technologies in the National Security Council and came from the NSA. You have Chris Inglis, who becomes the national cyber director and was previously the deputy at NSA. You have Jen Easterly, who starts running CISA, and Mieke Eoyang, who runs the DoD policy cyber.

I put all these faces up because these offices end up having different powers under the Biden administration. And so these people have kind of a really interesting role in shaping who decides, who does what in this strategy. What ends up happening is the national cybersecurity strategy comes out after the national security strategy, which is as it should be.

But before the national defense cyberspace strategy, also as it should be. So Chris Inglis's office writes it, and it lays out who's in charge of key priorities and who ends up being the winner here. CISA. So CISA, which is a part of the Department of Homeland Security. Remember that bubble chart I showed you before, and the bubble chart, like, kind of made it look like they were all equal.

But it looked like DHS might have more capabilities. By the time we get to the Biden administration strategy, it's clear that DHS is the lead for the vast majority of cyber incidents that are occurring. And in the strategy, the strategy clearly lays out who is in charge of what.

And so just to give you a sense, I think I did a control f for CISA, they come up like, 55 times. They have this implementation checklist, and it says, who's the lead, who's the secondary? Which is pretty remarkable, actually, for a strategy. CISA is there almost every time.

You guys you wanna know how many times DoD is the lead in the implementation?

>> Jacquelyn Schneider: None. So it's really interesting. What you see once we get to the Biden administration is that we are squarely focused on threats to the American public, American civilian society. And that the DoD is focused almost entirely on strategic threats, and adversary and campaign fighting.

So, we've fully taken the Obama lanes in the road and really implemented them, and they've really matured. So if you guys wanna read this strategy, be real blunt, it's kinda boring. But it's kinda boring because it's actually a really mature strategy. Previous strategies grappled a lot with, like, what do we, who are we?

What are these big ideas? By the time you get to the Biden administration strategy, it's a clear representation that America knows what matters when it comes to cyber. They know where their priorities are, and it's about attacks on the civilian homeland, and it has matured and it's much more sophisticated.

They also, there's a big kind of, the big kind of theoretical shift is instead of talking about deterrence or defending forward, or attacking, you have a focus on resilience. So that is a major rebalance. We're not talking about protecting and defending against all threats, but instead that we're gonna take some attacks and we're still going to survive.

The strategy itself focuses on legislation, it focuses on implementation, and most importantly, it tries to rebalance efforts. So instead of the private sector being able to kind of create as much, create digital technology as much as they want, but the federal government doesn't regulate. It's really, really heavy on regulation.

So it offers a lot of sticks to try and incentivize those who create and implement digital technologies to take some of the risk and repercussions of cyber threats. Now, that requires pretty significant legislation, which it's not clear that they'll be able to pair those two together, but that's a very, very significant shift from other strategies.

So far, the DOD cyberspace strategy has not come out. We just have talking points, but it's pretty similar to 2018. We don't have defend forward anymore, but we have these, like, defend the nation, prepare to fight, protect, build enduring advantages. In general, deterrence, which the first ten years of cyber strategy was the primary pillar, is now only in a part of the DOD cyberspace strategies.

So you've seen a real shift in the kind of theoretical concepts. Okay, so I have taken you through now about 22 decades of cyber strategy. Almost all of you are awake. So I just wanna help you understand, kind of what are the big themes and questions that they're having to wrestle with as they put this together, and what does that mean for the next round of cyber strategy?

And I think it would say there are four themes that they're grappling with. Norms, deterrence, escalation, and public-private relationships. And how each administration dealt with each of these concepts is why we see differences in each of the strategies. In terms of norms, I think the overarching question for all of these presidential administrations is, is the cyberspace the wild wild west?

You saw in 2011, the Obama administration really felt like the Internet would collectively create its own norms, that there was a real possibility that people would police themselves. And by the end of their administration, that just doesn't seem possible. Now, that said, I think there has been progress made in defining kind of the limits of what is acceptable and not acceptable behavior in cyberspace.

So attacks on civilian critical infrastructure outside of a major combat, that is inappropriate. And by attacks, I mean things that actually cause physical damage. You see states relatively restraining themselves on that. What the US is trying to shape the norms on is whether states think it's appropriate to use cyber attacks to basically generate economic effects.

So ransomware, intellectual property stealing, that's a norm that I think is currently being contested mainly between US and China, but also US and North Korea. The second big question is deterrence. So the beginning, the first few strategies, you really see that they're focused on deterrence. They're like, I don't know what to do with this cyber thing, so we're just gonna deter it.

And then you see, in the Trump administration, they really reject deterrence almost wholesale. Say, I don't think we can do this, at least at the Department of Defense level. And by the time you get to the Biden administration, the thinking has matured, sophisticated. There's been a lot of experimentation occurring under Nakasone.

So they're thinking more about deterrence only at the strategic level, and thinking less about cyber as a useful signaling tool and more as something that has to be used in concert with other kind of diplomatic, economic, and military means.

>> Jacquelyn Schneider: I'll spare you even more deterrence, but we can talk about that in question and answer.

And then escalation. And escalation becomes one of these huge assumptions throughout all of the cyberspace strategies. So is cyber going to cause escalation? Is it going to create de-escalation? So there's actually a bit of that assumption in the Trump administration work, or does cyber really have little impact on escalation?

For the presidential administrations that were concerned about cyber escalation, you see a lot of restraint and creating a lot of authorities and regulations that decrease the offensive use of cyber by the United States. The Trump administration, on the other hand, you see that there's a loosening. And they start viewing cyberspace as potentially a great foreign policy tool to be able to coerce states without having to resort to violent physical means.

I think that has come under question after seeing little efficacy in the face of the Ukraine-Russia conflict for cyber as a coercive tool. And so now they're really thinking about, like, okay, maybe cyber actually doesn't have a huge impact on escalation to violence. And so instead of focusing on war and violence and how cyber affects it, we need to think more about how cyber affects the economy and governance.

And then one of the big questions is, what is the role of the government, and what is the role of the DOD in defending cyber? And what are the legal and appropriate lanes in the road between the federal government and others when it comes to cyber. So a really good example here is elections.

Who should be in charge of defending the US against election interference? Well, the DOD has a large claim to be made. We're the most capable. We should do it. But there's a tension here where do you really want the Department of Defense and policing our election capabilities? So you're dealing, you're grappling not only with kind of who is the most capable when we're thinking about what should the federal government do.

But also kind of like, what is appropriate, what is the right thing to do in terms of civil military, norms and what is most useful for civil society, and then also recognizing that in cyberspace, the private sector is actually far more capable than the private government. So if the private sector is where most of the threats are occurring, where almost all the vulnerabilities are, and also the capabilities, how does the federal government, what does the federal government have to give if the private sector is kind of the more capable actor here?

And these are all questions that each of the administrations is dealing with. So looking ahead, because I really would like a little bit of time for a conversation, what are, how we can summarize the development of cyber strategy. So, interestingly enough, big difference between some of these administrations.

But from the Obama administration to the Trump administration, and finally to the Biden administration, each one of them really does believe in a norm of a free and open Internet. And it opens the beginning of each one of their cyberspace strategies. It's notable that even in administrations that had fundamentally different views of the world, that they all believed that the Internet should be a place to have open and free communication and open and free flow of goods.

Now, over time, these strategies have become more cynical. They have become less and less optimistic about how easy it will be to achieve the free and open Internet. And so whereas the Obama administration initially thought they could just get everyone to agree that this was a good idea, by the time we've gotten to the Biden administration, there's a more mature understanding of the difficulties of achieving this norm of a free and open Internet.

And I actually think we see a lot of significant maturation in thinking about, therefore, who does what in the federal government. Less concern also, remember, I started this talk, I guess, a long time ago with this picture of nuclear weapons, trying to get your attention. Interestingly enough, I think the conversation in cyber has moved away from that.

And that's a good thing, right? So we are less concerned with these big strategic cyber, nuclear, and are more concerned with what's happening day to day, which are the cyber attacks on mom and pop businesses, which are the cyber attacks on your public schools and your universities, your hospitals, the things that are happening all the time.

And I think because of that and realization that most of the threat is occurring in the private sector, we've moved away from this being something that is primarily about the Department of Defense to something that is concerned with the private sector and information sharing. And how that might not be sexy, to focus a lot on how we share information, but how important this ends up being to actually creating effective cyber strategies.

And then finally, deterrence, it's still there. They can't get rid of it. It's in the defense cyberspace strategy talking points. But it really, its role has really become limited where it was such a huge pillar of cyber strategy. And now we recognize that it's really only a small portion of what we do in cyberspace.

That's a pretty significant change. So I'm putting my two cents out there. So what would I do if four years from now I'm working on the cyber strategy, how do we mature this forward? And I think the words that still have not been coming up enough in these strategies is trust, because so much of cyber really is about how cyber affects our trust.

And do we trust that the digital tools we have are not manipulated? Do we trust that the money that shows up in our accounts is really there? Do we trust that it has value? Do we trust that our votes end up going where they're supposed to go? Do we trust that our marriage certificates and our birth certificates and all our important records are being housed in digital and spaces that are protected?

These are really, really important trust mechanisms. And I think we don't focus enough about trust, and we talk too much about attack and defense. We also need to think about strategy and cyber operations a lot more like termites and a lot less like bombs. Cyber is not how a bomb comes through the roof.

A cyber attack is not gonna destroy the roof. Instead, it eats away at the foundations, whether those are the foundations of economies, governance, or the foundations of how digital weapons work. And too much focus on something coming through the roof and not enough on how we maintain those foundations.

The relationship between public and private remains complicated, and it's probably the most enduring problem, especially for the United States, because we have a very kind of interesting, both capitalists and also democratic but sometimes it's a mess, right? Like, it's difficult to figure out. There are not clear lanes in the road for public and private for everything.

And so that transfers over to cyber. And then finally, I commend the Biden administration for emphasizing resiliency. There's a real important theoretical movement for it to think of success in terms of resiliency. And I think Ukraine has cemented that in our understanding of who wins wars, because it's not necessarily who wins wars in the first ten days, right?

It's not necessarily whether we evade all cyberattacks. It's whether we have the resiliency to be able to take a cyberattack and then come back up, to be able to take cyber attacks and have them only affect us in a marginal way over a short amount of time, as opposed to creating a binary where they either function or don't function.

And that I think that if we, there's a relationship here where if we're able to increase cyber resiliency, we're also able to restore trust, and that has implications for economies, weapons and governance. All right, so we have effectively gone through two decades of cyber strategy. I am eager to hear all your questions and brilliant comments.