The Digital Fog of Cyberwarfare: Navigating America’s Future Challenges

>> Audience 1: Thank you so much for your talk. I've read your articles in foreign affairs before. In the readings assigned, you mentioned the role of cyber strategy in countering disinformation. My question is, who decides what constitutes disinformation, and how do you prevent those entities from violating First Amendment freedoms?

>> Jacquelyn Schneider: This is complicated. This is a really, really difficult question, which I think the federal government has been struggling with how to deal with this. So this actually has had a big impact rate on the Department of Defense. So, I love the Department of Defense. They're like a really, really good bureaucratic player.

So when they see something that would potentially increase their budget, and authorities, they're on it. So disinformation, they saw it and they're like, yeah, I see you. I think we can do that. We can take that. And so there was a whole conversation about what the Department of Defense's role would be in combating disinformation.

And the roadblock that came up was, what is disinformation? What role does the Department of Defense have in policing? What many of these activities turned out to be either from. There's a lot of seeds that are domestic but also interact very closely with domestic. So even if it starts from a foreign government, that it immediately interacts with the domestic.

And so what role should the DoD have in that? And I think actually they stepped the DoD back quite a bit, because as soon as you start grappling with that question. You start grappling with a much more uncomfortable question about what role the military should play in determining what is truth when it comes to domestic politics.

So I think the move has been to focus more on CISA and DHS, but they're still, they are still figuring out what the lines in the road are for disinformation. I will say, I think under the Trump administration, there was a bit of, I don't know if they were agnostic or didn't wanna jump into it or actively didn't believe they should, but they left it up to social media.

And each one of these social media companies all came up with their own version of what combating disinformation meant. And so you ended up with this. I mean, as a social scientist, it was like a natural experiment of, like, what works and what doesn't. I think we got more what doesn't than what does.

Then the Biden administration comes in and they, okay, it's time for the federal government to take those lessons learned and see if we can come up with a federal government strategy. And they've struggled, and it's become politicized. It's extremely, extremely difficult. So I don't have a good answer for you.

But to say that I think that they recognize, it's a very hard question because of that, there has not been a lot of forward movement on it.

>> Audience 2: Hello, thank you so much for your presentation. That was super informative. So I know you walked us through a lot of kind of the history of the different kind of bureaus that manage cybersecurity and how that's evolved over the years.

I know the government was a little bit late to the game in terms of recognizing cybersecurity as an emerging field. The first kind of actual mention of a structural position, I believe, was in 1998 with the national coordination, counter terrorism and cybersecurity infrastructure, something. But I know that in terms of the Department of Defense, there's been a lot of fluctuation in terms of the delegation of power in between administrations.

I know that in more democratic administrations under Obama, it was much more centralized and then it was much more decentralized under Trump and has remained more centralized under Biden. And I was wondering if this kind of flip flop or back and forth of centralization. And just who has power is beneficial because it allows us to deal with these issues in a more flexible way and also kind of try these different approaches.

Especially as the field of cybersecurity evolves so incredibly quickly, or if you think that a more kind of structured and permanent approach would be more beneficial. Because then we could figure out who specifically what to permanently are dealing with what issues, cuz as you mentioned, there's a domestic interest and then also an international interest.

>> Jacquelyn Schneider: Yeah, great question. And here's where I think, actually, I would commend the US government. I think there's a decent amount of learning that has occurred here. As you said, under the Obama administration, extremely centralized. Under the Trump administration, extremely decentralized. Then you get to the Biden administration, and the question is, what are they gonna do?

And I actually wrote OpEd or too, at the time, because there were rumors circulating that they were gonna go back to the highly centralized authorities that the Obama administration had put into effect. But actually, here we can see learning they didn't. They took the authorities that had been created by the Trump administration, and I think they tweaked around the edges, but they largely stuck with delegation of many authorities to cyber command.

And so here's an example where the kind of general, the Trump administration, kind of ignoring cyber, ends up being kind of beneficial because you end up learning a lot. And so you can see across these three administrations a lot of learning. And one of the commendations, I would say, is that the reason why you can see this kind of learning across administrations and they are able to update, but not update to dogmatic standards is because this issue is so boring that it's generally bipartisan.

So nobody cares. My aunt, she has no idea. She just wants to get on her computer. She's not mad at Biden. She's not mad at Trump. She's not mad at Obama. Who cares? And that can be really helpful. So you have these ability to cross party lines. The legislation that came out of the Cyberspace Solarium Commission, I mean, it's a commendation to the executive director, Mark Montgomery.

His ability to take those recommendations and turn them into legislation is a how to book on how to turn a commission into policy. And part of why he was able to do that was because you had Gallagher and you had Langevin and they were able to work hand in hand.

And I think because cyber has been kind of ignored by the general population that we're able to see learning across administrations. If Biden had come in and done exactly what Obama did and decided this is the democratic president way, as we're gonna do this, then that would not have been good learning.

But here we see an administration that actually there were a bunch of people from the Obama administration. So they maybe would have attended, but they looked at the evidence, they saw what had occurred and decided, hey, we don't actually see signs of escalation. We see that we can have these more relaxed authorities, and the DoD does use it professionally, and we're able to tweak those rules based on learning.

And so I think one for the US government.

>> Audience 3: Hi, thanks a lot for the excellent talk. My question sort of relates to this idea of what cyber operations really are. And you hinted at that with one of your mentions on a slide of cyber as an intelligence contest.

So I understand there's this debate in the literature of whether cyberops are usually a tool of intelligence gathering or covert operations, rather than state competition and effects in that manner. So what might that debate mean for US cyber strategy, and especially for working with allies in that space to perhaps do joint operations or something like that?

>> Jacquelyn Schneider: Yeah, so I think, so I'm gonna paraphrase, I think your question. The question is about, is cyber primarily a tool of intelligence and gray zone and something fundamentally different than kinetic weapons, or can cyber be analogous to things like bombs and missiles, is that about right? And I think we really wanted it to be bombs and missiles at first, I mean, you should read their early stuff from, I mean, brilliant people, right?

But they were writing things in foreign affairs that were like cyber Armageddon, Cyberpural Harbor, Cyber 9/11, and we were gonna cyber nuke people, and it just wasn't what happened. But the focus on this, the focus on making cyber look like a bomb, was a big distraction. It took a lot of our time and effort, I mean, both in terms of weapons acquisition and the way we organize the Department of Defense, and also kind of as a scholar, there's a lot of bad stuff about that.

Really bad, cyber is, is a lot of analogies, and we wasted a lot of time doing this kind of cyber analogy thing. But going back to the correct cyber analogy, it probably is more like intelligence, right? Cyber is about information fundamentally, it doesn't look like a bomb, but information is important, and the way it affects strategic outcomes is important.

And so reframing towards that cyber as information, instead of how cyber creates a physical effect, is very useful in terms of thinking about how we acquire systems, how we build out systems, how we build out capabilities. We actually have a very limited amount of cyber capabilities within the Department of Defense, that's generally not a technology problem.

That's a manpower problem, we don't have enough people. So you have to decide, are my people doing cyber response? Are my people doing cyber as information? And I think the focus initially was to make it look like a weapons package, and now it is more and more looking about how you integrate cyber across all levels of warfare, recognizing that it's more information and less a bomb.

>> Audience 4: Hi, thank you so much, I find this fascinating, so boring to me.

>> Jacquelyn Schneider: Good, good.

>> Audience 4: But based on the more recent instances, and I'm gonna put it kindly and say, misuses of confidential information by government officials. How would you suggest that we prevent the human ignorance factor, as I like to call it, from weakening us from the inside, especially with our sources and methods?

>> Jacquelyn Schneider: So you mean like the disclosure of cyber information?

>> Audience 4: Yeah, the spreading of how we get our intel, where it's coming from, what we're using it for, things like that?

>> Jacquelyn Schneider: Yeah you know there's a nice way of doing this, which it's called the intel ops trade off, right?

So there's a trade-off between information and holding onto that information for sources and methods versus using that information to achieve an operational effect. I think if you look at kind of the early stages of the Russian invasion in Ukraine and how the Biden administration revealed information there, you see maybe a good example of somebody of a process that thought through, we should reveal this even if it gives up some means because it helps.

Where it's gonna be less effective is when we're looking at leaks or, I mean, Snowden probably was the biggest impact on US technical intelligence maybe ever. So that kind of insider information where sharing sensitive information for classified reasons or when they're using classified information in order to shape domestic politics can be really damaging.

The challenge is how you restrict that information, when there's so much information, how do you determine who has a need to know? Is it the airman in Cape Cod? Does he need it? It actually is really difficult when you have a giant bureaucracy, so I think on one level, you have strategic decisions about whether presidents are making the right strategic decision about what to classify and declassify.

And on the other hand, you have a series of bureaucratic choices about how you keep security within the realm of, within professionals, and that is hard because you're basically trading off efficiency and effectiveness for security. And how do you do that, so I think it's gonna be an ongoing challenge for those in the cyber field.

>> Audience 5: Perfect, good afternoon. Thank you very much for coming out today, I'm sure we all appreciated it. I was just curious, as is often the case when dealing with state to state relations. What is gonna be the line and what is gonna be kind of the standard for cybersecurity.

We obviously don't want to see a scenario where everybody's attacking everyone with cyberspace, so are you optimistic about, or do you have any sort of preliminary, or has the government perhaps developed some? It's a new technology, preliminary standards for what is the range and scope of cyber attacks and of the information you can get using cyberattacks?

>> Jacquelyn Schneider: Yeah, I think this is a norm that is constantly in flex, right? So for me, I actually think that the vast majority of cyber attacks may be inappropriate, but not illegal, or inappropriate but not reach the threshold of war. But what that norm is and whether there are red lines is really contested, and each administration takes a different approach.

The Biden administration, for example, I thought it was very interesting. The Chinese did a massive cyber exploitation through a Microsoft exchange vulnerability, coming off the heels of a Russian exploit into a piece of hardware that huge amounts of information, right? For me, I saw that, and I was, Touche Russia, Touche China.

Not good for us, but also, I wish we had done the same thing, these were completely, to me, appropriate versions of spying. The Biden administration came out and said, these are not appropriate because they were too big in scale. I thought, well, that's kind of a hard norm, so for me, I think that there is definitely, when attacks by state actors have a physical effect on civilians, that's a no no, and I think too often we make this too complicated.

So Biden came out and was, okay, don't attack critical infrastructure, and here's the 16 critical infrastructures, and here's how we think about him, and it was really convoluted. I thought, no, no, no, you just come out and you say, I'm not going to attack your civilians. I am not gonna cause physical harm to your civilians, that's not appropriate outside of war, it's not appropriate in war, it's clear, right?

Just say the same thing in cyber, so if you are attacking a hospital and that is causing people to die, that is inappropriate and potentially could cause war, or you're justifiable. And I think if we take it to that simple level, fundamentally, it's about humans, and whether you're creating, the threshold to me is violence against humans and violence against civilians in particular.

And military combatants are a more legitimate target even outside of war. So they're working on it, they're definitely not clear enough, I was actually really hopeful that the defense cyberspace strategy would come out. Because I thought they might be trying to tackle this a little bit, but it still hasn't been released, so I'm not sure where they're gonna go.

Maybe that's why it hasn't been released, it's still considered too contentious.

>> Audience 6: Thank you so much for the fascinating talk. So you emphasize that cyber operations do not escalate to violence in real-life with the evidence taken from the case of Ukrainian war. And I'm just wondering if it could be different in other cases.

So for example, you're probably aware that the main source of North Korean government budget is by their hackers stealing cryptocurrencies. And this stolen money could be used for developing stronger and more number of nuclear weapons, which could be actually used for threatening the US, or South Korea, and Japan.

So what are your thoughts on it?

>> Jacquelyn Schneider: So that's true, you're right that it's actually a remarkable strategy by the North Koreans using ransomware attacks in order to fund their ballistic missile and nuclear program. I wouldn't say that's a direct effect to violence. When I'm saying that you don't see cyber effects lead to violence, I mean a direct.

So if that cyber attack that North Korea is conducting, that ransomware attack, has not led the United States to launch a physical attack against North Korea, and why? Because in the end, the physical components of deterrence, missiles, nuclear weapons, artillery, deter the United States from taking any attack against the North Koreans.

That's not in the cyber domain or economic. So in the end, even though this cyber thing has strategic implications, the foreign policy options that America has is limited by deterrence of big physical objects. So I think that's kind of where it comes back to, is that in the end you'll use cyber, if you're already to go to physical cyber to create violence, if you're already using physical weapons to go to violence.

>> Audience 7: So as the United States military moves into multi-domain operations, how effective is the new doctrines being written adopted across echelon? Or do you see bureaucratic politics at play where some services are less or not inclined to adopt to a focus to cyberspace?

>> Jacquelyn Schneider: Yeah, right now, multi-domain operations, it's a buzzword.

And what that means in practice is still really varies so I think it would be hard. I think the services are, like you pointed out, they're still in a series of bureaucratic fights. Not only about how much they integrate cyber, but how they think about building their digital infrastructure to actually do multi-domain battle.

I think that each services approaches cyber in their kinda service identity way. So the army is probably closest to thinking about cyber as a part of their core warfighting units. And you have cyber embedded inside of infantry, artillery, that kind of, you think about it as it relates to ground operations.

For the air force, cyber becomes a weapons platform just analogous to an aircraft. But they are also thinking about embedding cyber within cyber like defense specialists within core warfighting units. Like within kind of fighter wings, for example, you have a cyber person that does vulnerability and weapon systems, that would be an advancement.

And then the Navy, you've seen the same kind of, you have these divisions between surface warfare, undersea warfare, and the aviators. And figuring out where cyber goes in these kind of subcategories that are so important to how the Navy develops. So bottom line is, each service is bringing its own kind of service identity to their development of cyber.

And actually, if you're really interested in this question, I recommend you email @ericalonerganda and jacksnyder@columbiauniversity. Because they have a paper looking directly at how strategic culture within the services affects how they allocate cyber resources.

>> Jacquelyn Schneider: Yeah.