America is still trying to win the last cyber war
During a DHS-run conference in New York City in July of last year, Vice President Mike Pence promised that the Trump Administration would give the American people “the strongest possible defense” in cyberspace to address a “cyber crisis” that was “inherited” from the previous administration.
Since that announcement, the White House has rolled out a new National Cyber Strategy and the Pentagon has implemented a complementary Defense Cyber Strategy. Between the two documents and other official public announcements from the military and intelligence community, three key themes emerge: A newfound bias toward action in cyberspace to counter adversaries’ cyber operations, an emphasis on threats to the U.S. economy as the preeminent national security threat caused by those cyber operations, and a tougher approach to securing the supply chain on which the U.S. military and civilian critical infrastructure rely. Even though it is still early days, from where I sit in the private sector, the change in strategy mostly makes good sense for the American people but with a few key deficiencies left to be addressed.
The most important change to U.S. policy in cyberspace has been the move toward “persistent engagement” by U.S. cyber warriors. No longer confined to their cyber barracks, U.S. forces are now expected to “defend forward” and engage hostile foreign cyber threats anywhere worldwide before they can launch attacks, or to disrupt especially harmful espionage operations in progress.{mosads}
While the Vice President’s characterization of having “inherited” the previous status quo in cyberspace was uncharitable — the problem spans multiple administrations — it was based on a kernel of truth: For years, responses that could have protected Americans and deterred adversaries were held up by government processes that required the President himself to authorize cyber activities. This didn’t work when the malicious activities on the other side were authorized by a colonel, or a criminal, and were carried out not one-at-a-time but by the thousands annually. At some point indecision on the part of the U.S. became a decision unto itself, and that flawed decision-making process has been reversed so that cyber threats to national security can be more appropriately addressed as needed.
The Administration has also changed America’s national security posture to one that reflects a concern about winning a long, ongoing, multi-faceted competition affecting our national security in addition to longstanding concerns about preventing one-off, catastrophic events. That change in tone and resources is most evident in the National Cyber Strategy’s emphasis on economic threats, especially from China, which span not only traditional remote cyber operations to steal intellectual property, but also cyber-assisted human insider threats, legal mechanisms for forcing the transfer of intellectual property that can be informed by surveillance of company executives via cyber means, and broad theft of business sensitive information on suppliers, customers, outside legal counsel, and other trusted contacts whose information might benefit Chinese companies in international competition.
Importantly, this strategy is backed up by the Intelligence Community’s 2019 Annual Threat Assessment, which highlights their concern that “Beijing will authorize cyber espionage against key US technology sectors when doing so addresses a significant national security or economic goal not achievable through other means.”
The last policy where President Trump’s signature has measurably moved the needle already is the new weight that supply chain security carries. While a longstanding counterintelligence priority, supply chain security has now become a core consideration for military acquisitions, alongside traditional measures of quality, cost, and timeliness of delivery. The June 2018 “Deliver Uncompromised” program is an enterprise-wide focus on software and hardware security so that, in increasingly complex and interdependent warfighting machines, no one component’s failure at cyber security will undermine the soldier or nation’s ability to fight. MITRE Corp. said it best in their study for this new strategy: “We are in an era of adversarial asymmetric warfare for which we have no comprehensive deterrence.”
Here much work remains to be done. My experience has been that China and other actors often know our supply chains better than we do, having used their extensive cyber spying apparatus to illicitly acquire corporate, military, and personal information used to piece together how nuts and bolts become Navy warships and Air Force bombers.{mossecondads}
Worse still, Beijing does so in a whole-of-society effort that looks not only for classified programs and their contributors, but at interesting American original research at universities and new products at small businesses that might one day be useful — either on the battlefield or as a national economic competitive advantage. Chinese group APT40, which in 2015 and prior focused almost exclusively on naval intelligence gathering, had returned in force by 2017 mixing those traditional military efforts with compromises at key foreign investors whose economic activity Beijing wanted to displace and elite U.S. universities whose best thinking they wanted to absorb. By targeting this information before it is classified, China has been able to gain access to secrets before they even officially become secret — and by doing so at schools, on personal email accounts and at private places of business, they are doing so for the most part outside the protective efforts of the U.S. Government.
So, while the Trump Administration has made great progress to bring U.S. cyber policy into line with the realities of the modern Information Age conflict, I remain concerned that not enough is being done to prepare for the next fight: a potential Great Power conflict, most likely with China, in which advanced technologies such as artificial intelligence, genetic editing, and space-based warfare would play a decisive role.
Efforts to undertake joint attribution of cyber threats with allies are a good start, though still mostly focused on threats to governments themselves. I remain an optimist that diplomacy, especially on cyber issues, can play a critical role in averting this future, but in the event that those efforts fail, then future historians may well look back on our country’s current efforts and wonder why at least as much attention was not paid to the plight of the data controlled by the brilliant PhD post-doc as to less critical, but nonetheless classified, military networks.
Christopher Porter is the Chief Intelligence Strategist of cybersecurity company FireEye. A Senior Fellow at the Atlantic Council, Porter previously served 9 years at the CIA where he was the cyber threat intelligence briefer to the White House in 2015.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Regular the hill posts