How to Compete in Cyberspace
Cyber Command’s New Approach
(By Paul M. Nakasone and Michael Sulmeyer, August 25, 2020, Foreign Affairs Magazine)
In early October 2019, personnel from U.S. Cyber Command landed in Podgorica, the capital of Montenegro, at the invitation of the country’s government. Montenegro has faced increased harassment from Russia since joining NATO in 2017, and the Cyber Command team was there to investigate signs that hackers had penetrated the Montenegrin government’s networks. Working side by side with Montenegrin partners, the team saw an opportunity to improve American cyber defenses ahead of the 2020 election.
After a “hunt forward” mission has been completed, Cyber Command works with other parts of the U.S. government to disclose its findings. The findings enable the U.S. government to defend critical networks more effectively and allow large antivirus companies to update their products to better protect their users. The net effect of the many hunt forward missions that Cyber Command has conducted in recent years has been the mass inoculation of millions of systems, which has reduced the future effectiveness of the exposed malware and our adversaries.
The hunt forward mission to Montenegro represented a new, more proactive strategy to counter online threats that reflects Cyber Command’s evolution over the last ten years from a reactive, defensive posture to a more effective, proactive posture called “persistent engagement.” When Cyber Command was established in 2010, the operative assumption was that its focus should be on trying to prevent the military’s networks from being infiltrated or disabled. But a reactive and defensive posture proved inadequate to manage evolving threats. Even as the military learned to better protect its networks, adversaries’ attacks became more frequent, sophisticated, and severe. We learned that we cannot afford to wait for cyber attacks to affect our military networks. We learned that defending our military networks requires executing operations outside our military networks. The threat evolved, and we evolved to meet it.
In 2008, a cyber attack compromised the Defense Department’s unclassified and classified networks. The incident provided a wake-up call about the need to protect American secrets from foreign hackers and led to the creation of Cyber Command in 2010 to organize that effort. Cyber Command protects U.S. military networks, defends the United States from significant cyber attacks, and directs cyber effects operations abroad. Its force consists of over 6,000 service members, civilians, and contractors who work at its headquarters at Fort Meade in Maryland and at bases in Georgia, Hawaii, and Texas.
Over the first decade of its existence, Cyber Command learned that merely securing network perimeters does not provide sufficient defense. As a result, we have changed the way Cyber Command defends Department of Defense networks in three ways. First, we have increased our focus on what happens inside our own networks, not just on the walls around them. Our 68 cyber protection teams proactively hunt for adversary malware on our own networks rather than simply waiting for an intrusion to be identified. The cyber protection teams have improved the speed and effectiveness with which we detect, quarantine, and eject intruders from the military’s networks.
Second, we have adopted a different way of thinking about networks: as legendary cryptographer Claude Shannon put it, “assume that the enemy knows the system,” and treat every host, server, and connection as potentially hostile. Although this proactive approach, known as “zero trust” in the cybersecurity community, is not new, we are scaling its adoption across the military’s networks. The goal is simple but strategic. We aim to prevent toeholds from turning into beachheads so that a single compromise will not threaten the military’s ability to accomplish its mission.
Third, we are cultivating a mindset of accountability in which military commanders treat the defense of computer networks as an essential requirement, not an afterthought to be dealt with only after something goes wrong. This “command-centric” approach reflects the fact that military commanders cannot assess the readiness of their forces without accounting for the security of the networks on which those forces depend. In 2017, when tensions on the Korean Peninsula were high, we realized that an important Department of Defense network in the area was vulnerable. Proactive leadership ensured that this mission-critical method for commanding and controlling forces was quickly secured. Lessons from this and other incidents have informed our efforts to treat networks as an area of operations led by a single commander. By aligning authority and accountability for network operations, applications, enterprise services, and cybersecurity, commanders have gained improved insight into threats, as well as the capabilities to defeat them.
These proactive defensive measures on our networks have provided an essential boost to our cybersecurity, but they are insufficient in the evolving threat environment. We have learned that we also have to “defend forward,” outside our networks. Every day, more actors execute more sophisticated attacks against more civilian and military targets. The Chinese government uses cyber capabilities to steal sensitive data, intellectual property, and personal data from the U.S. government and U.S. businesses at great cost to the U.S. economy and national security. In May 2020, the FBI and the Department of Homeland Security warned about the People’s Republic of China’s efforts to compromise medical research into COVID-19 vaccines. The PRC supplements those cyberspace operations with influence campaigns to obscure international narratives about their activities.
Russia uses cyberspace for espionage and theft and to disrupt U.S. infrastructure while attempting to erode confidence in the nation’s democratic processes. Iran undertakes online influence campaigns, espionage efforts, and outright attacks against government and industrial sectors. North Korea flouts sanctions by hacking international financial networks and cryptocurrency exchanges to generate revenue that funds its weapons development activities. Violent extremist organizations have used the Internet to recruit terrorists, raise funds, direct violent attacks, and disseminate gruesome propaganda.
In the face of these threats, the U.S. government has changed how it will respond. In 2018, Congress clarified the statutory authority for military cyber operations to enable Cyber Command to conduct traditional military activities in addition to the mostly preparatory operations to which it had been limited previously. That same year, the White House released a National Cyber Strategy, which aligned economic, diplomatic, intelligence, and military efforts in cyberspace.
At the Department of Defense, a new National Defense Strategy in 2018 focused the military on the need to expand the competitive space between the United States and its adversaries. Part of that expansion needed to occur in cyberspace. To that end, Cyber Command was elevated to the status of a unified combatant command, which gave cyber issues a more powerful voice within the Department of Defense. Increased authorities and funding soon followed. DoD also released a new cyber strategy, which for the first time enshrined the concept of defend forward. This updated approach acknowledged that defending the United States in cyberspace requires executing operations outside the U.S. military’s networks and that the country cannot afford to wait for attacks to come its way.
Cyber Command implements this defend forward strategy through the doctrine of persistent engagement. The idea behind persistent engagement is that so many of the corrosive effects of cyber attacks against the United States occur below the threshold of traditional armed conflict. Yet much of Cyber Command’s combat power had been devoted toward preparations in the event of future contingencies. We realized that Cyber Command needs to do more than prepare for a crisis in the future; it must compete with adversaries today.
This doctrine of persistent engagement reflects the fact that one-off cyber operations are unlikely to defeat adversaries. Instead, U.S. forces must compete with adversaries on a recurring basis, making it far more difficult for them to advance their goals over time. For example, publicly releasing adversary malware obtained during hunt forward missions to the cybersecurity community makes that malware less effective because defenses can be tuned to detect and defeat it. Additionally, cyber effects operations allow Cyber Command to disrupt and degrade the capabilities our adversaries use to conduct attacks.
The persistent engagement doctrine also emphasizes the need for Cyber Command to enable its partners, including by providing indications and warnings to other parts of the government. To that end, we have invested in platforms that facilitate faster sharing of indications and warnings across federal, state, and local governments. One example of this is a new “9-line” incident reporting standard that offers streamlined reporting and response for National Guard units across the country. My goal has been to institutionalize and expedite this kind of enabling assistance.
Some have speculated that competing with adversaries in cyberspace will increase the risk of escalation—from hacking to all-out war. The thinking goes that by competing more proactively in cyberspace, the risk of miscalculation, error, or accident increases and could escalate to a crisis. Cyber Command takes these concerns seriously, and reducing this risk is a critical part of the planning process. We are confident that this more proactive approach enables Cyber Command to conduct operations that impose costs while responsibly managing escalation. In addition, inaction poses its own risks: that Chinese espionage, Russian intimidation, Iranian coercion, North Korean burglary, and terrorist propaganda will continue unabated. So the question is how, not whether, to act. Just like the rest of the U.S. military, cyber forces abide by widely accepted principles of international law, and when they take direct action, they narrowly tailor the effect.
The National Security Agency is a critical Cyber Command partner. The two organizations are not one and the same: although one of us (General Nakasone) leads both, and although both are headquartered at Fort Meade, they are charged with different missions. The NSA produces signals intelligence and, through its cybersecurity mission, protects National Security Systems. Cyber Command defends military networks and directs cyberspace operations against adversaries. Yet because of the overlapping nature of the threats they face, the common domain in which they work, and their shared focus on defending the nation, the two organizations work closely together.
The power of this partnership can be seen in how Cyber Command and the NSA worked together to protect against meddling in the 2018 midterm elections. Experts from both organizations formed the Russia Small Group (RSG), a task force created to ensure that democratic processes were executed unfettered by Russian activity. It shared indicators of potential compromise, enabling DHS to harden the security of election infrastructure. It also shared threat indicators with the FBI to bolster that organization’s efforts to counter foreign trolls on social media platforms. And Cyber Command sent personnel on several hunt forward missions, where governments had invited them to search for malware on their networks. Thanks to these and other efforts, the United States disrupted a concerted effort to undermine the midterm elections. Together with its partners, Cyber Command is doing all of this and more for the 2020 elections.
Cyber Command’s partnership with the NSA also has been central to the online fight against the Islamic State, or ISIS. As part of a previous assignment as head of the army component of Cyber Command, one of us (General Nakasone) led the task force charged with fighting ISIS in cyberspace. The terrorist group’s propagandists used to spread their message on Twitter, YouTube, and their own websites. Today, because of our efforts, they have a much harder time doing so. At the height of its influence, ISIS published magazines in multiple languages, but it now struggles to publish in anything other than Arabic. At the same time as the U.S.-led coalition of conventional forces has prevailed over the physical caliphate, Cyber Command’s efforts have helped defeat the virtual one.
For all their power and results, however, cyberspace operations are not silver bullets, and to be most effective, they require much planning and preparation. Cyber Command thus works closely with other combatant commands to integrate the planning of kinetic and nonkinetic effects. Cyber Command’s capabilities are meant to complement, not replace, other military capabilities, as well as the tools of diplomacy, sanctions, and law enforcement. And they are often used in cooperation with foreign military partners, who bring different skills and techniques to the table. The West’s united front against the Soviet Union kept the Cold War cold; likewise, today, the United States and its allies are building unity of purpose to promote respect for widely held international norms in cyberspace.
Militaries succeed when they embrace new technologies aimed at planning for the next war, not fighting the last one. Cyber Command is committed to working with the private sector to harness emerging technologies. Given that some of the most innovative thinking today is happening in the offices of American tech companies, we would be shortsighted if we were not pursuing partnerships with them. Such partnerships should of course be voluntary—companies can decide on their own if and when it makes sense to work with Cyber Command—but partnering with technology companies has been one of Cyber Command’s top priorities.
Many leading U.S. companies find themselves on the frontlines of competition in cyberspace. Working collaboratively where we can allows us to improve collective defense and stay a step ahead of our adversaries. This is all the more important as technology continues to advance. It is not hard to imagine an AI-powered worm that could disrupt not just personal computers but mobile devices, industrial machinery, and more. Like AI, fifth-generation (5G) wireless networks offer promise and peril with exceptionally fast speeds that underpin ubiquitous connectivity. Such networks can enable authoritarian states to monitor and control their citizens. That is why the United States continues to stress the importance of supply-chain integrity and the dangers of relying on technology from authoritarian countries.
One of the first hurdles to overcome in our effort to increase cooperation with private-sector companies was finding a place to meet their workers. Because so much of what Cyber Command does is sensitive, it proved challenging to host an unclassified meeting at an unclassified location with people who were not affiliated with the U.S. government. Therefore, we created DreamPort, a facility not far from our headquarters at Fort Meade. DreamPort is not just a building; it is a signal that Cyber Command is receptive to outside thinking. In 2019, for example, it served as an incubator for an effort to bring the aforementioned zero trust approach to network security to the Defense Department, allowing private companies with more experience with this concept to offer advice about what would and would not work for the military. DreamPort also hosts promising high school and college interns from nearby schools, who bring fresh ideas and in return, receive mentoring and a chance to return full-time when they finish their studies.
Readers may ask: how can Cyber Command compete with private-sector salaries? The answer is that what appeals to so many of our recruits is the opportunity to serve their country in a relatively novel domain of conflict and the chance to avail themselves of world-class training and high-stakes assignments. Where things get complicated, however, is that for those in uniform, professional advancement usually involves rotating to new jobs and assignments every few years. Some view this as a perk, but for many who are forgoing salaries at tech companies, such constant interruption can be frustrating—even a deal breaker. This is why we value relationships with organizations like the National Security Innovation Network, which provides access to a diverse talent pipeline, from college interns to advanced degree professionals.
The good news is that each of the military’s service branches has made great strides in transforming cyberspace operations into more of a profession and less of a trade. A decade ago, military personnel rotated out of cyber positions frequently, whereas now, the Army, Navy, Air Force, and Marines have encouraged professionalization by offering personnel in this area repeat assignments, specialized training, and incentive pay. But to retain the best of the best, more experimentation and flexibility are needed. When a service member does leave for the private sector, we should take that as affirmation that we are developing people with the right mix of skills. At the same time, we should do all we can to encourage those who leave and make it easier for them to rejoin the national security community down the road.
Ten years ago, Deputy Secretary of Defense William Lynn wrote a prescient article in Foreign Affairs about the military’s growing role in cyberspace. Many of his observations have stood the test of time. Cyberspace remains a domain where adversaries attempt, as he wrote, “to overcome overwhelming U.S. advantages in conventional military power,” attackers still benefit from “low barriers to technological innovation,” and Cyber Command still must “work with a variety of partners inside and outside the U.S. government.”
But much has changed in the past ten years. Our adversaries have abused open platforms for sharing knowledge and views by creating troll farms for disinformation. Terrorists have used the Internet to control forces and recruit new members. Portions of critical infrastructure, such as the power supply in Ukraine, have been disabled. Advances in artificial intelligence, autonomous vehicles, and 5G networks will only complicate this landscape of threats.
In large part to account for these and other changes, Congress established the Cyberspace Solarium Commission in 2019 to prepare for the next ten years and consider new approaches to keeping the United States safe in cyberspace. Readers of the commission’s extensive report will see thoughtful and deliberate proposals to improve the nation’s approach to cybersecurity and its resilience in the face of the threats we just described.
A point of consensus among these and other proposals is that to compete, U.S. cyber forces should continue to be more proactive and implement the strategy to contest our adversaries’ malicious activity online. But our actions must also remain consistent with the law of armed conflict and other important international norms. In this way, we are protecting U.S. interests from cyber threats and staying true to the nation’s core values. As threats continue to evolve online, U.S. Cyber Command will remain ready to defend the United States in the years ahead.