Cyber Experts Sound the Alarm
The U.S. must continue to make inroads in the cyber domain, especially through its younger generation, or it "will lose the war."
The worldwide cyber conflict is only going to increase and the risks and devastating economic impacts will continue to mount. The United States and other "like-minded" countries must spring into action, increase their cyber warfare capabilities, put in place national cyber policies and promulgate stronger international cyber laws to fend off aggressive cyber actors, warned experts at the CyConUS 2017 conference in Washington, D.C., on November 7. The event was co-hosted by the Army Cyber Institute, West Point and the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), Tallinn, Estonia.
To Lt. Gen. Robert Caslen, USA, superintendent, U.S. Military Academy, West Point, cyber is now a critical component of a nation’s power. That power must be developed and used lawfully to combat the growing “dark side of the web.” With today’s cellphones having more computing power than all of NASA had in 1969 when it placed two astronauts on the moon, the U.S. military strategy must advance in this new global information environment. The ability of global actors to mount breaches everyday will only become more sophisticated.
For Lt. Gen. Paul Nakasone, USA, commanding general, U.S. Army Cyber Command, one important perspective “is that our adversaries are antagonists,” he said. “Their capabilities are ever increasing.” At first it was exploitation of data, then disruption and after that destruction. Before it was attacks on networks or a series of networks, now it also is data and critical infrastructure and key resources.
"I think that we are starting to see the trailers [preview] of the future war,” Gen. Nakasone warned. Actors that the United States has not thought of, non-nation states, anonymous, proxy adversaries, will have an impact as antagonists against countries, the general predicted. They are not only going after military networks, they are going after the economic might of that nation. “They are going after the key terrain that they know is fundamental to how a country operates.”
The amazing rate of change in the cyber domain is creating a vulnerable platform. “There are 3.8 billion users on the Internet today users and 2.7 billion social media users,” he said. “It took radio 38 years to hit 50 million users; it took Twitter nine months.”
In the last several years, the DOD has taken steps to move forward in the cyber domain. All of the services have created cyber commands—even the Coast Guard. The problem is that “we are out running our headlights,” Gen. Nakasone said. “We are learning so much, with our forces, our doctrine, our strategy, that we are well forward than where we thought we would be.” The Army, “with an incredible amount of work” has quickly improved its cyber capabilities in the last three years. The Army is currently working on its third doctrine, which examines cyber electromagnetic activities. The “game changer” for the general is the 6,187 men and woman military and civilian across 133 cyber protection teams who are providing both offensive and defensive support in his department. The teams have made inroads in particular against the cyber presence of ISIS in the last year.
Before, ISIS was essentially uncontested in cyberspace, pushing its propaganda. “Not so any more,” Gen. Nakasone said. The Army has worked every day to combat those ideas in the cyber domain, on social media, contesting the ISIS message. “We have taken that on and that narrative is no longer true.”
He admitted that the “true talent” in cyber within his teams lies with the lower-ranking soldiers. “It’s the lieutenants, it’s the sergeants, it’s the young captains that have this remarkable talent,” he shared. “I don’t know too many Army units where the E-6 knows more about what they are going to do than the O-6.” And of those talented cyber coders, he identified so-called “super-powered coders” that have 50 to 100 times the ability of their peers. In the last nine-to-12 months, Gen. Nakasone has seen these super coders develop the ideas to take ISIS down in the cyber world. Senior leaders, who may not be as adroit in coding or in the cyber domain, still have an important leadership role and in terms of vision. However, the senior leaders have to recognize that having the talent “at the bottom” changes the paradigm on how the Army must train and mentor them to confront the ever-present cyber threats.
Comparatively, David Brumley, director, CyLab, and professor of electrical and computer engineering at Carnegie Mellon University—who identifies as a hacker—opined that there are limits to having just humans as cyber defenders. He stressed that in a person versus person battle, “the human effort doesn’t scale.” Instead, “We can train computers to hack,” he said, which can help the United States regain the asymmetrical advantage in the cyber domain. This use of artificial intelligence (AI) would not necessarily wholly replace people, but would “augment” their efforts, he advised.
Either way, Brumley said, it is important to increase the United State’s abilities in hacking, offensively and defensively.
Chief of Staff of the Army Gen. Mark A. Milley, USA, also sounded the alarm regarding the new “multidomain battle” that the United States is facing. “We are at the leading edge historically of technology that will fundamentally, significantly change warfare.” He noted that in the cyber war, “We are not going to get it right, but we have to get it less wrong than our opponents and then work to adapt and innovate.”
Gen. Milley also is turning to the younger generation of soldiers “to step up and figure out how to fight the cyber war.” Directing his words to soldiers who were 25 years old or younger, he said, “This is going to be a fundamental, significant change that you are going to have to come to grips with and you are going to have to lead the way.” He acknowledged that people “his age” did not have the answers. While senior leasers have “enough brains to recognize the fact that we are in the midst of a change,” it falls to this next generation to figure out how to successfully fight the future war. “That rock is going in your rucksack,” he said. “And we will be counting on you for the future.”
In an effort to strengthen its cyber abilities, the Army is pursuing the Cyber Direct Commissioning Program to recruit additional cyber professionals into the service. The service needs civilians to join Army Cyber, the general said. “We need to attract the best minds in cyber.” The program would allow cyber experts to serve full time for in the Army for 24 to 36 months. “Let them serve the United States. Let them do some good for us. They’ll feel good, and we’ll feel good,” he said. In addition, the DOD has to improve its working efforts on cyber with interagency partners, academia, industry and allies or the United States risks “losing a war.”
Meanwhile, Ambassador Marina Kaljurand, Global Commission on the Stability of Cyberspace (GCSC), and former Estonian foreign minister, warned that the massive expansion of the Internet of Things only increases the potential for cyber vulnerabilities. In her perspective from Estonia, Kaljurand implored nations to have a huge amount of political courage in dealing with cyber. Estonia has learned “the importance of having our house in order” as far as cybersecurity—the need to get legal frameworks together, outline strategies, implement action plans and have a clear overall response.
In addition, countries battling cyber conflicts must get support from all stakeholders, she said. “The government can’t be alone in tackling cybersecurity.” Her country of 1.3 million people has limited resources and personnel as compared to other countries, but is “very focused” on cybersecurity, and as a result has advanced cybersecurity practices.
On the global stage, international laws are poorly demarcated for cyber issues, Kaljurand emphasized. The U.N. is working to tackle the problem, albeit with challenges; discussions are currently raising awareness for the need for cyber mandates or a framework regarding cyber crime. “Clear decision-making is needed,” she said. And there is a growing need for like-minded countries to join in the effort against the cyber actors. “We are at a critical turning point in the world,” Kaljurand warned.
Estonia is also currently working to understand and form policies regarding the legal status for AI, Kaljurand said. The country first started looking at how to regulate self-driving cars, but found that policies shouldn’t be so narrow. Estonia is thinking outside the box and looking at AI “as a person.” It is currently drafting an AI-related law and hopes to have it completed soon.