House hearing gives glimpse into cyberwar threats, challenges, opportunities

healey.jpg

Jason Healey, nonresident senior fellow for the Cyber Statecraft Initiative with the Atlantic Council, testified before the House Armed Services Committee on March 1, 2017. (Photo Credit: House Armed Services Committee)

Cyber continues to be a domain of warfare in which there are more questions than answers and in which defining the specific problems is as tricky as finding the solutions will prove to be.

That was the overriding theme conveyed Wednesday by an expert panel and members of the House Armed Services Committee in a hearing on the threats, challenges and opportunities of cyberwarfare in the 21st Century.

The hearing touched on many of the major, recurring issues the U.S. government and military continue to wrestle with in developing a comprehensive strategy and holistic national policy for cyberwar.

New America Foundation Senior Fellow Dr. Peter Singer described the current environment as “not the kind of cyberwar envisioned, with power grids going down in fiery cyber ‘Pearl Harbors.’ Instead, it is a competition more akin to the Cold War’s pre-digital battles that crossed influence and subversion operations with espionage.”

To address the current reality, Singer submitted 30 written recommendations, with his opening remarks highlighting three specifically. The first is activities for deterrence, which for Singer should include “disentangling NSA from Cyber Command,” referring to the current structure in which Adm. Michael Rogers oversees both entities, although each has different missions and capabilities.

The second is cyber resilience – the ability of systems to withstand cyberattacks without disruption to core operations.

The third is social media as a battleground in information warfare. Singer called for recreating the Cold War-era Active Measures Working Group, whose purpose was to counter Russian “influence” campaigns, such as the use of what Russian’s call “useful idiots” to spread propaganda.

In opening remarks, U.S. Naval Academy Faculty and RAND Corporation Adjunct Management Scientist Dr. Martin C. Libicki noted that an effective deterrence capability consists of four components: Attribution, thresholds, credibility and capability. Of these, Libicki said U.S. cyber capability is the one “least in doubt,” and it’s “the other three that need attention.”

Libicki said cyberattack attribution, while currently “better” than in past years, is still “not good enough.”

By thresholds, Libicki means the types of actions that merit retaliation and to what degree. Such thresholds are difficult to define. “Until we have a way to determine thresholds, we may have to limit reprisals,” Libicki said.

Credibility arises from making our enemies believe we are capable and willing to carry out reprisals for cyberattacks. Libicki urged, “Don’t make public attributions if we’re not going to reply.”

The final panelist was Atlantic Council Nonresident Senior Fellow for the Cyber Statecraft Initiative Jason Healey, who began opening remarks by focusing on the short list of what isn’t a problem in cybersecurity right now. Healey then noted that in cyber, as in other areas of current conflict, “Where deterrence isn’t working is in the gray area between peace and war.”

The unique qualities of so-called gray-zone conflicts have been a popular topic in military circles in recent years, as the U.S.’s globally dominant conventional military tries to adapt to adversaries who increasingly employ unconventional means that fall short of provoking a conventional military response. Such activities include cyberespionage, nonlethal cyberattacks and information warfare.

Healey’s recommendations included developing “cyber influence teams” at NSA to combat information warfare online. Like Singer, Healey said NSA and U.S. Cyber Command should be split.

Finally, Healey said a significant challenge remains determining the best use of government resources and bolstering national cybersecurity strategy with private-sector capabilities. As to the future of the five domains of warfare, “Cyber is the most unclear,” Healey said.

On the cyber threats front, panelists discussed the usual suspects – Russia, China and the Islamic State group (ISIS) – and the unique challenges each proposes.

Singer called the 2016 cyberattacks by Russia on the Democratic National Committee and Republican National Committee “arguably the most important cyberattack campaign in history.” Singer later warned that the U.S.’s “failure to respond to Russia has incentivized other threat actors.”

Libicki said ISIS is the most sophisticated adversary we face in information operations and online propaganda. Asked about how the U.S. might counter information warfare, Healey agreed with Singer’s proposal for resurrecting the Active Measures Working Group and said “DOD should clearly not be the lead” in countering information warfare. Healey advocated a “whole of government approach.”

Asked about our greatest vulnerabilities to “asymmetrical threats,” Singer quoted a Pentagon weapons tester who said the U.S. has “significant vulnerabilities” in every major weapons system. Libicki pointed to “heterogeneity and legacy systems” as major threats. Libicki advocated thinking about “end-to-end vulnerabilities,” because that’s how U.S. enemies think. Healey said the internet of things represents a major threat and should be a focus.

Many of the U.S. opportunities in cyber stem from new thinking about operational and tactical deployment. Following a gradual split of NSA and Cyber Command, Singer said U.S. Special Operations Command is what cyber “can and should evolve to.”

Like Special Operations Command, U.S. cyber operations should be global while capable of focusing at the theater level, Singer said. Healey shared this view, pointing to how the military has historically handled high-demand, low-density assets, keeping them in a centralized place to support multiple missions and operations.

Singer advocated better integration of cyber into “muddy boots” training environments, with cyber education in offensive, defensive and social media tactics for all soldiers. Libicki noted, “One of the biggest shortfalls in cyber is you have technical people who can’t talk policy and policy folks who can’t talk technical.”

Healey said he sees an opportunity to build strong public-private partnerships in everything from information sharing to incident response. Healey argued Ft. Meade and the Pentagon “will never be the best responder” to many types of cyber incidents. Rather, Healey said the private sector should be the “supported,” rather than “supporting,” incident responders in many cases. As an example, Healey said a former public-sector colleague, who had joined Verizon Communications, told him of Verizon’s ability to “bend cyberspace” in response to a cyberattack.

A great challenge, but also an opportunity, is the cybersecurity talent shortfall, projected now and for the foreseeable future as in the millions. Singer advocated for a cyber human resources strategy because, on the whole, cyber is “not a problem of zeros and ones. It’s a human problem.” As an example, Singer said the U.S. could develop a U.S. Cyber Corps, which would be like the Reserve Officers’ Training Corps for cyber. Another idea is to form the cyber equivalent of the Civil Air Patrol, in which members are not military proper but can help when needed, such as red-team training exercises and in responding to emergencies.

Vulnerabilities in the military supply chain received much discussion. The threats span software-based attacks on intellectual property to embedded vulnerabilities in military hardware purchased overseas. The consequences range from lost battles to a lost arms race, with Singer noting, it’s “impossible to win an arms race when you’re paying for the R&D for the other side.”

Healey said the focus should be on “trusted systems on untrusted components,” citing DARPA’s High-Assurance Cyber Military Systems (HACMS) program as an example.

The recent release of the Tallinn Manual 2.0 sparked discussion on international law and cyberwarfare norms. Libicki said that such efforts, while promising, face hurdles. “International law is only as good as countries are willing to put muscle behind enforcing it.” He then pointed back to what constitutes thresholds and proper responses. There are currently “disagreements about what constitutes legal behavior,” Libicki noted.

Asked the greatest policy challenge the U.S. faces, Libicki reemphasized understanding “end-to-end vulnerabilities,” and Healey pointed to the current lack of thinking about the future. Singer said the greatest challenge is defense, partly because “it’s not as sexy” as offense, but also because we don’t understand “cross-domain impacts,” or “how something in one area affects other areas.”

With the amount of money slated to be spent on cybersecurity, a key enabler of accountability is metrics, a historically challenging area of security, Libicki noted. Singer said we need to better determine success of influence and information campaigns, or stated differently, “How well did we hack your hearts and minds.”

And what do emerging technologies mean for cybersecurity? Libicki emphasized the continued importance of human beings, “who understand offensive and defensive capabilities in broader military strategy and can offer an integrated perspective.”

Singer pointed to several coming “disruptions” in cyber, including artificial intelligence (AI) and quantum computing. “We don’t know yet whether it will privilege the offense or defense,” he said.

Healey thinks emerging technologies “will aid offense much more than defense.” AI’s supplanting of human talent in cyber will “come more quickly than we think it will – maybe in the next 10 years.”