Cybersecurity Turns Holistic
Even the U.S. Cyber Command needs the public to join in the effort.
The entire nation must engage in an informed debate about cybersecurity and how to stop the damage being inflicted by adversaries through cyberspace, says the director of intelligence for the U.S. Cyber Command. Brig. Gen. Matteo Martemucci, USAF, J-2 for the U.S. Cyber Command, says this debate must explore whether the roles played in cyber defense stay the way they are or change.
“While we in the Defense Department continue to advance our engagement efforts and our posture to defend the nation and to enable joint operations around the world, it is critical that we as a society engage in this broader discussion about the roles of the Defense Department, the rest of the government, corporations and individuals in the collective defense against these threats,” he states.
The constraints put on the military to defend its portion of cyberspace are appropriate, he adds. But the debate is needed to avoid an expectation gap where the public incorrectly thinks the military will defend all aspects of cyberspace. This debate must include all the sectors of the U.S. economy and society that have a stake in cybersecurity. “There is absolutely a role for private citizens and corporations to partner with a whole-of-nation approach,” the general states.
“An informed American public and an engaged industrial base are critical elements of this whole-of-nation approach we are trying to take in the defense of the nation,” the general declares. “That defense is against threats from peer competitors that are enabled by the cyberspace domain.”
Gen. Martemucci states that the threats to the United States begin with China and Russia. Knowing the threat from those two countries is a guiding principle for enabling the command’s full-spectrum operations to mitigate the threat, he adds.
Cybermarauders have been raiding the U.S. economy for years, pirating away trade secrets and money in what Gen. Martemucci calls “death by a thousand cuts.” This long-term, systematic exfiltration of intellectual property has inflicted great harm to the U.S. economy, and it will continue without steps to stop it.
While many people fear the potential for a cyber 9/11, Gen. Martemucci does not share that concern as strongly. He is more concerned about long-term systematic theft of U.S. intellectual property that has formed the foundation of the country’s economic prosperity. The death by a thousand cuts is far more insidious, he emphasizes, because it is long-term and doesn’t rise above the national pain threshold in any single case. So, its effects are not as apparent, but they are severe nonetheless.
“Global competitors like China can compete only by cheating—and they’re doing just that,” the general charges. “My greatest fear is that we won’t collectively understand this competitive threat until it’s too late.”
The cyber threat landscape is only going to increase, he maintains. “Intelligence and espionage is one of the world’s oldest professions, so that’s certainly not new. What is new is the ease with which cyberspace enables nation-states and nonstate actors to conduct this kind of espionage.
“What’s also new is that competitors like China turned their state espionage apparatus toward the American economic engine, which is driven by private industry operating in a free market,” he continues. “And [the Chinese] are doing so with very little consequence.
“The discussion about the impact, and the consequences, is absolutely critical,” he declares.
“We cannot take our eyes off any of the threats that we have identified in our national defense strategy,” he explains. “That’s why China is our pacing threat and number one priority; Russia shortly thereafter. China’s an economy on the rise; Russia’s an economy on the decline. Russia is also a demographic in decline. The statistics are pretty incredible when you look. With respect to Iran and North Korea, they will remain and continue to remain threats to the nation, and they will get the attention they deserve and the priority that they’ve been given.”
For the public, basic cyber hygiene is an important first step. “Make yourselves and your networks a hard target,” he says. This includes, for example, regular patching, using trusted providers and maintaining good password discipline.
But the most important step is self-education, particularly on the origin and nature of threats. Information professionals need to know the categories of U.S. intellectual property that are most targeted by adversaries, the most common types of ransomware and on which sectors of the economy cyber criminals focus, the general suggests. Information on these subjects is widespread and available to most people, he adds.
And a reciprocal and equally important activity is for the public to be more discerning about its information. “We all must become savvy consumers of information,” he offers. “We’ve got to think critically when engaging online and adopt what we call a zero-trust mindset.” People need to be inquisitive about with whom they actually are engaging online, the general posits, and only click on a trusted or verified source. A corollary is to think carefully about to whom people entrust data. “In doing these things, we can shrink the attack surface and make ourselves hard targets,” he says.
Gen. Martemucci emphasizes that people must avoid letting anonymous tweets, memes or social media posts frame an issue for them. Instead, they must learn about issues from a diverse range of reputable sources. “Think tanks, academic institutions, government, journalistic outlets—they’re all producing informed opinion and pretty good research to inform this necessary debate,” he says. It may take more work to read a reputable op-ed or policy white paper than to digest a string of tweets or Facebook posts, but the issue of information accuracy “is far too important to default to the easy.”
Those who understand the nature of the threat can grasp these points, he continues. Doing these activities makes people and organizations less attractive targets, and these basic principles of cyber hygiene afford a degree of security better than doing nothing at all.
“The truth is out there,” he states. “It just takes some work to get to it.”
Gen. Martemucci relates that his team at the Cyber Command has spent much of the past year exploring engagement opportunities with think tanks and academic institutions. “We know that, in the cyberspace domain, we’ve got as much to learn about the threat landscape from those outside the Defense Department as from within,” he declares.
CYBERCOM’s DreamPort unclassified facility, built with the Maryland Innovation and Security Institute in Columbia, is designed to spur collaboration among the command, industry and academia. Its goal is to seek solutions to shared cybersecurity challenges through technology acceleration, and it already has generated real hardware and solutions that have equipped cyber forces, Gen. Martemucci says. “We manage the shared risk, and we reap the shared reward,” he notes.
Partnerships are not limited to U.S. entities, however. “The threat doesn’t discriminate,” the general states. “Our allies and partners are as affected as we are, and we share a goal of mitigating those threats.”
He cites Hunt Forward in Estonia as an example of international cyber cooperation. The command has teams forward deployed in its persistent engagement strategy in Hunt Forward, and it can provide lessons learned to other U.S. government partners through the Department of Homeland Security and the FBI. While increasing understanding of techniques and tools, Hunt Forward also exposes adversary tradecraft so that cybersecurity providers can improve defenses at scale.
Some of the cyber partnerships with other nations are bilateral, while others are part of coalitions, Gen. Martemucci allows. These partnerships are constantly changing, but he views them as being on an upward trajectory. The command will continue to expand its international partnerships bilaterally and through coalitions, he adds.
The U.S. military has begun to adapt the doctrine of multidomain operations to cyberspace. “I am encouraged by the fact that our respective tribes and stovepipes have really begun to merge capability in new and innovative ways,” the general notes. “Aircraft are no longer just delivery means of a bomb or a means to pass fuel. They can be both, or all these things, at the same time. They can be an access means to a network, they can be a collection means—and it doesn’t have to be an aircraft. It can be a ship or a backpack on a soldier’s back.
“These are all things that we are making great strides to normalize and operationalize,” he continues. “But our adversaries watch and learn and copy, and I suppose that’s the way since we began to bear arms.”
The general offers that he still has great confidence that although adversaries may attempt to copy the U.S. innovation model, they will truly never replicate it. Accordingly, he believes that multidomain operations will remain a U.S. comparative and competitive advantage for some time.
And above all, security must be part of cyber efforts from the beginning. “In the past, security has been an afterthought,” he points out. “The very networks that we began with were designed by their nature to be open and sharing—the Internet itself. And we tried to apply our existing security structures on top of and after the fact. But that was a generation ago. Our capability development, our acquisition process, has really advanced, and now there is no weapon system development program—or program of any ilk—that does not have security as a foundational piece of its development.
“I’m confident that, while [this security is] not perfect, we have matured as a department and our acquisition and our operational employment process are absolutely baking in security,” Gen. Martemucci continues.
This cybersecurity thrust must be constant, not just a measure known for running in fits and starts, he says. “We recognize that just baking it in in the beginning and washing our hands of it is not enough. This is a continuous, iterative, evolving process. We can never rest when it comes to security, and we have legions of folks who are dedicated to ensuring real-time, all-the-time, managing and updating of our security apparatus.”