Cyber Is Not Always The Answer
Intrusions into U.S. networks do not necessarily require a cyber return of fire.
China, Russia and Iran all have been blamed for brazenly intruding into U.S. government or military networks, and government officials have pointed a finger at North Korea for breaking into Sony Pictures’ computers. While an eye-for-an-eye approach may sound tempting, a cyber response is not necessarily the best solution, says Aaron Hughes, deputy assistant secretary of defense for cyber policy.
Hughes, who was appointed in May 2015, oversees the development and implementation of cyber policies, strategies and plans that guide the U.S. Defense Department’s efforts in cyberspace. He takes issue with suggestions from some quarters that a nation-state-sponsored attack against U.S. networks justifies a counterattack. “It’s important for folks to recognize that cyber is not the solution to everything. A cyber response is not always the right mechanism to respond to a cyber event that happens to us,” he says.
The criteria for countering cyber intrusions are no different than for more traditional attacks, he points out. “Senior leaders will take a look on a case-by-case basis and determine the best capabilities for a U.S. government response. A cyber event is not necessarily different than a physical event in terms of when there’s a threat to national security and what mechanism would be best to respond with,” Hughes adds.
He calls for greater public awareness of government roles and responsibilities in the cyber world. “There’s a lot of education that goes along with that,” he says, adding that people need to understand the different functions of the various departments and agencies.
The Defense Department defends its own networks, systems and information, and it protects the nation against attacks of significant consequence. The State Department takes the lead on diplomacy, including last year’s agreement with China to curb cyber-enabled theft of intellectual property. The Department of Homeland Security (DHS) defends domestic cyber assets in U.S. government networks and collaborates with the private sector and critical infrastructure companies, and the FBI investigates criminal cyber activities.
“I know it’s cliche to say it, but cyber is truly a whole-of-U.S.-government effort. I’m collaborating on a week-to-week basis with my colleagues from DHS and the State Department and other departments in the U.S. government to make sure that we provide the broadest set of recommendations and capabilities to U.S. decision makers to respond to our policy needs,” Hughes explains. “I’m making sure folks don’t lose sight of the fact that cyber is not a panacea for everything that’s happening in the cyber domain.”
Reports of intrusions into government networks may lead people to ask whether the United States truly is deterring adversary behavior. But that is not the right question, he indicates. “I would shift that a little bit and ask what we’re trying to deter. We’re trying to deter activities that have national security implications, and we’ve done a good job of that,” Hughes states. “Our adversaries recognize that there would be serious consequences if there would be any significant cyber attack on the United States.”
Cyber attacks are, of course, an international concern. In addition to last year’s agreement with China, a number of countries are involved in ongoing discussions to define international norms of behavior in cyberspace. Although the Defense Department is not directly involved in diplomatic discussions with China, Hughes praises the 2015 agreement as “a big step forward” on cyber norms. He hints that other announcements could be forthcoming. “We expect that through United Nations conversations, additional norms could potentially be agreed upon,” he offers.
Hughes lists his “absolute number one” priority as implementing the Defense Department’s cyber strategy released one year ago. The strategic goals include building and maintaining cyber forces and robust international alliances and partnerships; defending the department’s information network; guarding the homeland and national vital interests against disruptive or destructive cyber attacks; and designing cyber options to control conflict escalation.
“My office has overall leadership for the implementation of the cyber strategy,” he says. “[The] cyber policy [office] has the lead for tracking the implementation; reporting up to the secretary and the deputy secretary on our progress; and ensuring that we are pulling the appropriate blocking and tackling to meet the milestones set forth in the strategy.” The cyber policy office works with an array of other offices and organizations, including the U.S. Cyber Command, the Joint Staff, the chief information officer and the Office of the Undersecretary of Defense for Acquisition, Technology and Logistics.
While the strategy covers a five-year period, implementation is a little ahead of schedule—and for good reason. “I’ll say this with a chuckle. It’s under the leadership of [Defense] Secretary Ash Carter. He said, ‘You’re not going to take five years to implement this strategy. You’re going to do it in a much shorter period of time,’” Hughes reports. “There has been a laser focus on the need for the department to up our game and make sure that we’re meeting the secretary’s intent.”
Accomplishments associated with implementing the strategy include codifying additional policies to help Cyber Command operate more effectively and conducting exercises to refine Defense Department collaboration with the DHS and the FBI in the case of a major cyber event. “We’re also working to improve the policies that allow the stand-up of the cyber mission force: the missions they would take on and how they’re aligned across the combatant commands,” Hughes says, adding that he cannot go into detail.
The strategy implementation has not been without difficulty. Interdependencies—the need to accomplish tasks in one area before making progress in another—have been more extensive than expected. “With an enterprise as vast as the cyber force, there are always going to be challenges. When we originally outlined a broad project plan for some of these lines of effort—build-out of the cyber mission force, defense of department networks, our ability to defend the nation, some of our international partnerships, some of our capability building—we didn’t take into account when we codified some of those objectives either the resourcing or interdependencies between those,” Hughes reveals.
But his team already has overcome some strategy implementation challenges. “We’ve been able to get programs funded that maybe weren’t supposed to be funded until later in the implementation,” he says. He cites the persistent cyber training environment as one example. “This is going to be a new training environment that will allow us to do mission rehearsal and capability training, and it will be much more efficient with the use of our cyber ranges globally. That is an example where we’ve been able to accelerate the timeline for a critical need for the command to build our training capacity,” he says. “We really needed buy-in from the services in their capacity to man, train and equip [forces], along with the exercise and training functions that Cyber Command is currently executing.”
Hughes says the department will continue to see accomplishments in the coming months. “We’re continuing to improve the efficiency of the cyber mission force, effectiveness of the command, the development of a variety of cyber capabilities and ensuring the policies to support that force are in place,” he says.
So far, flexibility has been critical to implementing the strategy. “We’ve vectored and shifted as appropriate to overcome some of the obstacles,” Hughes states.