Cyber Is Not Always The Answer

The Cyber Edge
April 1, 2016
By George I. Seffers
E-mail About the Author

Intrusions into U.S. networks do not necessarily require a cyber return of fire.

China, Russia and Iran all have been blamed for brazenly intruding into U.S. government or military networks, and government officials have pointed a finger at North Korea for breaking into Sony Pictures’ computers. While an eye-for-an-eye approach may sound tempting, a cyber response is not necessarily the best solution, says Aaron Hughes, deputy assistant secretary of defense for cyber policy.

Hughes, who was appointed in May 2015, oversees the development and implementation of cyber policies, strategies and plans that guide the U.S. Defense Department’s efforts in cyberspace. He takes issue with suggestions from some quarters that a nation-state-sponsored attack against U.S. networks justifies a counterattack. “It’s important for folks to recognize that cyber is not the solution to everything. A cyber response is not always the right mechanism to respond to a cyber event that happens to us,” he says.

The criteria for countering cyber intrusions are no different than for more traditional attacks, he points out. “Senior leaders will take a look on a case-by-case basis and determine the best capabilities for a U.S. government response. A cyber event is not necessarily different than a physical event in terms of when there’s a threat to national security and what mechanism would be best to respond with,” Hughes adds.

He calls for greater public awareness of government roles and responsibilities in the cyber world. “There’s a lot of education that goes along with that,” he says, adding that people need to understand the different functions of the various departments and agencies. 

The Defense Department defends its own networks, systems and information, and it protects the nation against attacks of significant consequence. The State Department takes the lead on diplomacy, including last year’s agreement with China to curb cyber-enabled theft of intellectual property. The Department of Homeland Security (DHS) defends domestic cyber assets in U.S. government networks and collaborates with the private sector and critical infrastructure companies, and the FBI investigates criminal cyber activities. 

“I know it’s cliche to say it, but cyber is truly a whole-of-U.S.-government effort. I’m collaborating on a week-to-week basis with my colleagues from DHS and the State Department and other departments in the U.S. government to make sure that we provide the broadest set of recommendations and capabilities to U.S. decision makers to respond to our policy needs,” Hughes explains. “I’m making sure folks don’t lose sight of the fact that cyber is not a panacea for everything that’s happening in the cyber domain.”

Reports of intrusions into government networks may lead people to ask whether the United States truly is deterring adversary behavior. But that is not the right question, he indicates. “I would shift that a little bit and ask what we’re trying to deter. We’re trying to deter activities that have national security implications, and we’ve done a good job of that,” Hughes states. “Our adversaries recognize that there would be serious consequences if there would be any significant cyber attack on the United States.”

Cyber attacks are, of course, an international concern. In addition to last year’s agreement with China, a number of countries are involved in ongoing discussions to define international norms of behavior in cyberspace. Although the Defense Department is not directly involved in diplomatic discussions with China, Hughes praises the 2015 agreement as “a big step forward” on cyber norms. He hints that other announcements could be forthcoming. “We expect that through United Nations conversations, additional norms could potentially be agreed upon,” he offers. 

Hughes lists his “absolute number one” priority as implementing the Defense Department’s cyber strategy released one year ago. The strategic goals include building and maintaining cyber forces and robust international alliances and partnerships; defending the department’s information network; guarding the homeland and national vital interests against disruptive or destructive cyber attacks; and designing cyber options to control conflict escalation. 

“My office has overall leadership for the implementation of the cyber strategy,” he says. “[The] cyber policy [office] has the lead for tracking the implementation; reporting up to the secretary and the deputy secretary on our progress; and ensuring that we are pulling the appropriate blocking and tackling to meet the milestones set forth in the strategy.” The cyber policy office works with an array of other offices and organizations, including the U.S. Cyber Command, the Joint Staff, the chief information officer and the Office of the Undersecretary of Defense for Acquisition, Technology and Logistics.

While the strategy covers a five-year period, implementation is a little ahead of schedule—and for good reason. “I’ll say this with a chuckle. It’s under the leadership of [Defense] Secretary Ash Carter. He said, ‘You’re not going to take five years to implement this strategy. You’re going to do it in a much shorter period of time,’” Hughes reports. “There has been a laser focus on the need for the department to up our game and make sure that we’re meeting the secretary’s intent.”

Accomplishments associated with implementing the strategy include codifying additional policies to help Cyber Command operate more effectively and conducting exercises to refine Defense Department collaboration with the DHS and the FBI in the case of a major cyber event. “We’re also working to improve the policies that allow the stand-up of the cyber mission force: the missions they would take on and how they’re aligned across the combatant commands,” Hughes says, adding that he cannot go into detail.

The strategy implementation has not been without difficulty. Interdependencies—the need to accomplish tasks in one area before making progress in another—have been more extensive than expected. “With an enterprise as vast as the cyber force, there are always going to be challenges. When we originally outlined a broad project plan for some of these lines of effort—build-out of the cyber mission force, defense of department networks, our ability to defend the nation, some of our international partnerships, some of our capability building—we didn’t take into account when we codified some of those objectives either the resourcing or interdependencies between those,” Hughes reveals. 

But his team already has overcome some strategy implementation challenges. “We’ve been able to get programs funded that maybe weren’t supposed to be funded until later in the implementation,” he says. He cites the persistent cyber training environment as one example. “This is going to be a new training environment that will allow us to do mission rehearsal and capability training, and it will be much more efficient with the use of our cyber ranges globally. That is an example where we’ve been able to accelerate the timeline for a critical need for the command to build our training capacity,” he says. “We really needed buy-in from the services in their capacity to man, train and equip [forces], along with the exercise and training functions that Cyber Command is currently executing.”

Hughes says the department will continue to see accomplishments in the coming months. “We’re continuing to improve the efficiency of the cyber mission force, effectiveness of the command, the development of a variety of cyber capabilities and ensuring the policies to support that force are in place,” he says.

So far, flexibility has been critical to implementing the strategy. “We’ve vectored and shifted as appropriate to overcome some of the obstacles,” Hughes states.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.


Share Your Thoughts:

"“It’s important for folks to recognize that cyber is not the solution to everything. A cyber response is not always the right mechanism to respond to a cyber event that happens to us,” he says."

Quite so. A very simple and effective response can easily be an appropriate significant and attractive dollar payment in exchange for a binding undertaking/memorandum of understanding to stop an unfolding cyber event and/or an imagined possible and thought highly likely to be initiated event.

After all, it is not as if the cost to save something/everything deemed valuable and worth defending, was rescued by anything expensive whenever it is just pretty paper/fiat promissory notes. Indeed, such payments are a mutually beneficial godsend in that they can be freely spent on all manner of things and services which immediately returns the investment back to source .... for further engaging investment opportunities/zeroday vulnerability exploits.

Thanks for commenting, AMANFROMMARS! And thanks for your input and insights. We really do appreciate it.

I know this is a short article and there is not time to go into details, but I believe defining terms would be helpful. The statement “I’m making sure folks don’t lose sight of the fact that cyber is not a panacea for everything that’s happening in the cyber domain" is unclear because the term cyber is not fully understood. In this case, I believe the author is talking about cyber counter attacks or a cyber response as noted in the 2nd paragraph. I don't believe terms such as cyber, cyberspace, cybersecurity, cyber defense and many others are understood very well.

Also, saying that we've done a good job because we haven't had a major cyber attack on the US seems to understate the significance of the massive amount of data that has been compromised across the DoD due to cybersecurity breaches. Thanks for conisdering these comments.

Sorry for the delayed response, TD. I missed your comment when it came in. You are correct. About the only thing people agree on when it comes to cyber is that there is no agreement on how to define cyber.

Thanks for your comments!

Cyber is a stealthy, practically anonymous and sublimely intelligently designed, virtual team terrain with all manner of irregular and unconventional beta future solutions for present unfolding problems, TD. And to understand and be able to enable and driver effective use of its Almighty IT Power and Base Energy, whilst also curtailing and punishing wanton abuse and misuse with AIMasterly Cyber Command and Control, is a Quantum Force with no restraining equal.

Take care out there. Competition is fierce and fertile and opposition futile.

Thank you for your comments and insights, AMANFROMMARS. We really appreciate it!

Share Your Thoughts: