Assessing US capabilities in cyberspace


Participants at Cyber Guard 2016 works through a training scenario during the nine-day exercise Suffolk, Va., June 16, 2016. (DoD Photo by Navy Petty Officer 2nd Class Jesse A. Hyatt)

Prior to inauguration, then-President-elect Donald Trump promised to issue an executive order on cybersecurity within days of taking over the presidency. In the weeks after being sworn-in, President Trump make a few moves toward this promise, even going so far as working up a draft order and scheduling a signing, though it never took place.

Over the course of a couple weeks, a draft of a potential order leaked to the Washington Post; White House staff initiated a controlled leak of the order that was never signed; and a third, more comprehensive draft found its way to former Homeland Security Assistant Deputy Secretary Paul Rosenzweig.

Among the proposals and directives outlined in the three drafts are four cyber reviews, including a full-scale assessment of the nation’s capabilities in cyberspace.

Slideshow: 5 vulnerabilities that should be in Trump’s cyber review
Video: Top cyber threats for the U.S.
Story: Options for incentivizing private-sector cybersecurity

The review, to be co-chaired by Secretary of Defense, Secretary of Homeland Security and the director of the NSA, will identify initial sets of capabilities needing improvement to adequately protect critical infrastructure as well as review the workforce to ensure the U.S. has “a long-term cyber capability advantage.” Recommendations will include steps to ensure agencies are organized, tasked, resourced and provided with necessary legal authority to meet mission needs.

While noting it is unclear what a final version of this order might include – provided a final version is ever published, as the White House has denied the initial draft came from within its walls – experts and former government officials offered what such a review might return to the president.

Most agreed that the language and scope of the drafts are non-controversial, as they look to assess the posture of the U.S. For example, from the language, it would appear as though the review is not merely looking to assess offensive capability, but defensive, as well.

Michael Sulmeyer, director of the cybersecurity project at the Belfer Center for Science and International Affairs at Harvard University’s Kennedy School, said DHS’s inclusion in the review signals the leaning toward defensive capabilities, as DHS is in the protection business.

Trey Herr, a cybersecurity fellow at New America and who previously worked at DoD to develop a risk assessment methodology for information security threats, said a final draft might afford more time for a review, as the 60 days set aside in the initial draft might be too short. (Rosenzweig’s draft has slightly altered timelines, such as 90 days for a DoD assessment of “warfighting capabilities.”)

Herr also offered three areas the report might bring back to the president. The first, he noted, is an examination and assessment of the relationship between the NSA and Cyber Command – which he described as healthy – given that there is talk of splitting the two organizations. Cyber Command is heavily reliant on the infrastructure and workforce at NSA and a split could affect the former’s capabilities.

Second, Herr cited a shortfall in the workforce, as there are currently not enough folks to staff the mission and the review might recommend Cyber Command take on a more aggressive role in equipping the workforce for personnel coming from the services.

Third, as the U.S. has significantly increased in cyber capability – even in the last five years – Herr said the final report might include missions that were not initially envisioned when organizations such as Cyber Command stood up to include influence operations on par with what Russia is alleged to have done in the 2016 election.

Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, said he believes there has been too much of a focus on offense recently, to the detriment of defense. He said the focus on defense and soft targets has been lost and while the U.S. has great capability in offense, it is also uniquely vulnerable and in some cases might have more to lose than others given its large attack surface.

As such, a significant review of defensive capabilities is necessary.

Corman also noted that there has been more of an eye toward more capable cyber actors – mainly nation states – offering there needs to be an assessment of sub-state and non-state actors. While the draft order addresses a review of adversaries, assessing capabilities ties in directly.

Much criticism has surrounded the cyber fight against the Islamic State group, as well. Cyber Command was originally stood up to combat more capable actors and it has struggled to address lower threshold enemies. A capabilities review will have to focus on methods to combat these high intent, low capability actors, Corman told FifthDomain, adding these are a serious set of adversaries that have not been sufficiently factored into national security cyber.

Moreover, raising defenses and thus cutting out these lower threshold enemies clears the herd and makes attribution easier, he said, because upon getting to the nation-state level, there are norms, sanctions and other levers of deterrent power available that aren’t with non-state actors.

Herr added that he hopes the review outlines the demands that are being placed on the intelligence community and collection apparatus different from the military. A lot of the infrastructure for offensive cyber lies on the intelligence operations side and as Cyber Command and NSA separate, it will be important for this review to highlight where this split could create a shortfall in capabilities.