Uniting Public and Private Cyber Warfare
To defend against full-scale cyber warfare, the United States will need more than just the military’s U.S. Cyber Command. The nation will require more of an integrated defense, a combination of government, military, private sector and academia.
While the core mission of the nation’s cyber warfighting command is to defend the United States, it is not large enough in scale, said Lt. Gen. Chris “Wedge” Weggeman, USAF (Ret.), former commander, Air Forces Cyber, and managing director, Cyber and Strategic Risk, Deloitte.
“The central core mission of U.S. Cyber Command is to defend the nation in cyberspace,” Weggeman explained. “We have organized these units of action to do that, in the Cyber National Mission Force, their task forces, and all the other Cyber Mission Force teams. But does anyone think that 150 teams are going to defend this nation and all of its cyber terrain and cyberspace? It's never going to happen. It is unobtainable.”
Weggeman spoke with Lt. Gen. Robert Skinner, USAF (Ret.), former director of the Defense Information Systems Agency, and founder and president of Skinner’s Strategic Solutions, as well as Maj. Gen. Bradley Pyburn, USAF (Ret.), former chief of staff, U.S. Cyber Command, and managing director, Cyber Strategy and Transformation, Deloitte.
The cyber military experts spoke on February 4 at the AFCEA Rocky Mountain Cyberspace Symposium, held February 2-5 in Colorado Springs, Colorado.
And while the Cyber Command “still has the right mission,” Weggeman noted, the scale of our potential attack surface and the threats and abilities of our cyber adversaries are such that the United States needs reinforcements.
“Our attack surface as a nation is approaching infinity, so I really think it literally just gets down to the physics of speed and scale needed to defend a nation,” Weggeman stated.
For Pyburn, the ties to the critical infrastructure must also grow for cyber defense.
“When you think about operational technology, industrial control systems, SCADA, public utilities, all these kinds of things that we know are at risk, cyber plays a huge part in that,” he offered. “How we as a nation bring in industry partners, bring in academia, bring in the private-public relationships, I think that is an underserved area, where we have got to be better at as a nation.”
Naturally, such an integrated construct would require legislative, policy and other actions, Pyburn added.
Incentives would also be effective. “I think you've got to find ways to incentivize the behavior you want,” Pyburn suggested. “Legislation, policy, that is all great, but it typically comes with an empty bank account; there's no investment behind it.”
From a military technology adoption perspective, including for cyber capabilities, the experts see contracting as an impediment. Weggeman advised military leaders and industry alike to spend time really understanding the solicitation and contracting cycle.
“One of the things that I know now I'm still learning is the critical nature of understanding contracts and how we bring a capability to bear in the government space,” he said. “And what is an OTA [other transaction authority], what is a CSO [commercial solutions opening], and how do you get them? There are pockets of excellence in every service and shop, and the acquisition leader knows how to do that, but the acquirer, the requirer, the operator, you got to focus on how those three people are linked at the hip, and how you can run with scissors and find that contracting path that brings the capability to bear quickly.”
Reflecting on his time as commander, including at the 24th Air Force, Weggeman stressed that he wished he had been more assertive about contracting.
“[It is] one of the things that I wish I had focused a little bit more time on,” he said. “We could have gone faster had I been more knowledgeable as the commander. Because we own the risk. We own the people, risk the mission, the force, and I let too much of that stuff kind of percolate slowly in the contracting. I needed to be more active to go, ‘How do I help you cut through all this, and let's go get [the] mission done.”
Even if there's not a sale to be had, at least initially . . . how can you understand the problem, to build that relationship to where there may not be money now, but there may be money later. There's a trust that you build.
In addition, the government should find more productive ways to communicate and speak with industry, the cyber experts noted.
“After 33 years in the Air Force and the joint world, I think we have terrified our young officers, civilians and noncommissioned officers into thinking that they can't talk to industry,” Pyburn said. “It is, ‘You’ve got to be careful. You have to have 12 attorneys with you. It's very dangerous. You may not make it back alive.’ That is one of the fundamental flaws I think we have. It has to be OK to have these conversations, and from an industry perspective, we want to know what your hardest problems are, so that we can go figure out how to help you solve it. And to do that, you have to be able to communicate with us.”
Skinner warned industry against transactional actions, just to get business. Instead, companies should be honest, build trust and be clear about what their solutions can and cannot do.
“We have got to be careful of having transactional discussions and relationships, because too many times it is about, ‘OK, how can we sell you [what we want]’ or ‘I only want to solve a one particular problem versus understanding the complexity,’” Skinner advised. “Even if there's not a sale to be had, at least initially, it should be about how can you understand the problem, to build that relationship to where there may not be money now, but there may be money later. There's a trust that you build.”
Lastly, the cyber experts are hopeful that policy will follow that embraces the concept of integrated national cyber defense—especially policy from government leaders, such as the National Cyber Director Sean Cairncross, who reportedly is drafting and unofficially circulating a strategy.
“I feel like there's a lot in there that is right about the idea of, ‘How do we make ourselves prickly to the adversaries?’” Weggeman pondered. “How do we as a nation impose costs on the adversaries when they try to attack us. And so, I do think we have an awakening. I am hopeful we will see some policy changes. And more importantly, I hope we will continue to have the dialogue.”
“We have to get back to what is cyber deterrence for our nation,” Pyburn said. “I am optimistic that we are embarking on that integrated defensive team.”
“I want us to get into full-blown integration, and how do we integrate this team? How, in warfighter lexicon, do we fight, because that is the only way we will scale and defend this nation, in my opinion,” Weggeman added. “That is the only way.”
The Rocky Mountain Cyber Symposium is co-hosted by the AFCEA Rocky Mountain Chapter and AFCEA International. SIGNAL Media is the official media of AFCEA International.
Comments