Irregular Warfare Podcast - Cyberspace as a Battlespace: Irregular Warfare through Bits and Bytes
Episode Date: November 19, 2021

What is the intersection between cyber and irregular warfare? Should the United States consider cyberspace a typical or exquisite domain? How did the counterterrorism fight serve as a proving ground for the application of these emerging capabilities? This episode examines the character of cyber warfare—both in its relationship to irregular warfare and in its applicability to broader national security approaches—and features a conversation with Dr. Jacquelyn Schneider and Admiral Mike Rogers.

Intro music: "Unsilenced" by Ketsa
Outro music: "Launch" by Ketsa
CC BY-NC-ND 4.0
Transcript
Hi everyone, thanks for listening to the Irregular Warfare podcast.
My name is Shauna Sinnott, and I am the co-director of the Irregular Warfare Initiative.
Before we begin today's episode on the topic of cyberspace and irregular warfare,
we want to highlight that applications are now open for the Irregular Warfare Initiative's 2022 Non-Resident Fellowship.
Non-Resident Fellows will play a key role in contributing written content on irregular warfare,
driving public discourse, and bridging the gap between scholars and practitioners in the IW space.
We are looking for a cohort that represents a variety of backgrounds and experiences.
So whether you are an academic, a practitioner in the interagency or joint force, or an international
applicant, we look forward to receiving your application. Please engage with us on Twitter,
LinkedIn, or Facebook for a link to the form, which will close to applications on 3 December 2021. Thanks for listening,
and we hope you enjoy this episode.
This is an operational domain in which we do a set of very traditional functions. We maneuver.
We conduct defensive operations.
We do reconnaissance.
We do attacks.
We do a whole wide range.
We do influence activities.
I think the way people understood cyber initially was just kind of incorrect.
It does take time and coordination.
And I think that people were like, oh, well, I thought this was magic pixie dust. This is not magic pixie dust. Well,
I don't need to use it then. Like, I'll just go back and drop a JDAM on it. Like,
I know exactly how to plan that. I know exactly what the uncertainty term is of that.
Welcome to episode 40 of the Irregular Warfare podcast. I am Shauna Sinnott, and I will be your host today along with Abigail Gage.
Today's episode considers the role of cyberspace as a domain of regular and irregular warfare,
from the counterterrorism fight in the post-9/11 era to the great power conflict of today.
We open today's episode by establishing the intersection of cyber and irregular warfare.
Our guests explain how the United States leverages cyberspace to achieve effects from the tactical to the strategic levels,
drawing on the experience of Joint Task Force Ares to illustrate how cyber activity was
effectively executed in the fight against the Islamic State. They go on to apply these lessons
to the contemporary security environment. Dr. Jacquelyn Schneider is a Hoover Fellow at
Stanford University, former senior policy advisor
with the Cyberspace Solarium Commission,
and a reservist currently assigned
to Space Systems Command.
Admiral Mike Rogers retired from the US Navy in 2018
after nearly 37 years of naval service,
rising to the rank of four-star admiral.
He culminated his career with a four-year tour as commander,
United States Cyber Command, and director, National Security Agency.
You are listening to the Irregular Warfare podcast,
a joint production of the Princeton Empirical Studies of Conflict Project
and the Modern War Institute at West Point,
dedicated to bridging the gap between scholars and practitioners
to support the community of irregular warfare professionals.
Here's our conversation with Mike and Jackie.
All right, Admiral Mike Rogers, Dr. Jackie Schneider, welcome to the Irregular Warfare podcast.
Abigail and I are thrilled to have you here today to talk about cyber.
Thanks for the opportunity.
Yeah, excited to be here.
So we'd like to start by doing some scene setting.
Where cyber operations fit into our understanding of both irregular warfare and in just the general national security space.
So Mike, if you could start, how should we contextualize cyber within our understanding
of the current security environment, particularly as we're talking about IW?
Right. Well, first to me, I find irregular warfare doctrinally and from a definition perspective, I do not like the way we refer to it. I mean, go back in time. We really,
as a military DOD, in the US at least, started talking about the concept of irregular warfare
in the late 1990s. And then in the aftermath of 9-11,
it really came to the fore as we were trying to ask ourselves, so we created a military at that
time, let's say circa 2001, we created a military that was largely focused and optimized for a
conflict with the Soviet Union, which we believed, if it went military, was going to be very traditional
in the sense of large maneuver elements with a strong physical dimension to it, operating in
very traditional domains. We find ourselves then post 9-11, and we're trying to figure out,
so what's the context that helps us conceptualize the world we find ourselves in now, where
it's not about head-to-head confrontation between large, conventional, kinetic kinds
of capabilities, and is much more about how are we going to apply our skills, our capabilities,
and our resources of military, and when we're focused on the questions of legitimacy and
influence with respect to populations, much
more closely aligned to the COIN or the counterinsurgency arena.
The reason why I find it a little challenging with cyber is, so if we think IW, we tend
to focus on legitimacy and influencing the population.
And for me, I'm going, cyber is elements within that.
But on the other hand, cyber has a much broader set of applications to include much more conventional warfare, if you will, just using non-traditional
means. And Jackie, I'm sure she has a perspective.
Yeah, I think it's interesting. I think it's
especially interesting from your point of view, because at the time that you were in command,
there was, and I think this is really important for people to understand the evolution of the way the U.S. thinks about
cyber operations, is that Cyber Command at that time was a subunified command under Strategic
Command. So on one hand, you have a group of military officers that really thinks of cyber
operations as something that comes before conflict, that is
this thing that looks like irregular warfare. But at the opposite end of the spectrum, I think you
had an entirely different narrative coming from Strategic Command, which was that cyber was
strategic and different and in the same bin of weapons as nuclear weapons. And I think the
inability to put cyber in existing bins and analogies was a real difficulty
as senior policymakers were trying to figure out what was the right and most appropriate
way to use cyber operations.
Because at least in the Obama era, and you can correct me if I'm wrong, but the perception,
at least from the outside, was that there was a significant amount of restraint coming
from the Obama administration when it came to the use of cyber operations. So they weren't really thinking of cyber operations as irregular warfare or this
thing that could occur prior to conflict. They thought of it in the same bin as strategic weapons,
which would create large scale strategic effects, which therefore should be like relatively
restrained and only held at the highest levels. And I thought that that actually caused a lot
of problems when
it came to experimentation and thinking about the integration of cyber operations, both in these
like early stages of conflict, but also thinking for like, okay, we can use this in this kind of
influence way and within asymmetric conflict, but also kind of how do we integrate it into
our more standardized war plans when we're thinking about
kind of competitors that look more like near peer competitors. I think like the difficulty in
finding an analogy that would fit for cyberspace has really, I think, at least in those initial
years, really stunted kind of the evolution and innovation when it came to cyberspace.
I think you're largely right. I'm
going to disagree in one segment. While I believe that that's true, boy, man, I was so frustrated at
times with, you know, why is this? You view this almost as a nuclear weapon. I kept arguing,
look at the way our competition slash adversaries, the Russians, the Chinese, the North Koreans,
and the Iranians, look at the way they're using cyber. They don't
view this as a nuclear weapon. Why are we self-restraining ourselves here? Our competitors
view cyber as a capability which brings less risk and offers them a greater range of potential
opportunities and options. And yet we are at the opposite end of the spectrum. Our leadership
believed that cyber was escalatory,
highly risky, and therefore should be viewed somewhat like nuclear weapons. And the only way
in the end we were able to change minds, which was interesting to me, I thought, so how do I turn the
bureaucracy against itself, so to speak? And the solution we came up with within the team was, I
said, guys, we need to use the CT fight to show the tactical
implications and capabilities of just what we can do. And it was funny, while they were uncomfortable,
you know, in many ways, given that strategic concern, when we started talking about,
let's use the CT fight as a bit of a laboratory to highlight what we can and cannot do, as well as
gain a sense for how do you command and control, delegation of authorities, execution of activities,
deconfliction between operations and intelligence. I said, look, we can flesh all of that out
using ISIS, for example, as a target.
I think that this is a really good place to take one step back and
baseline what these cyber operations are. So I'd love, Jackie, if you'd go first, just talk a little
bit about how cyberspace operations create advantages for the United States national
security mission and how it can enhance our overall national security.
I think sometimes it's useful to think about like,
what are cyber operations? So back in the day, when I was a reservist working for Admiral Rogers
in the J5, they were developing this thing that was the joint publication that basically defined
what cyber operations were. And if any of you've ever worked with doctrine writers,
oh, they're just awful to work with. They're so
particular about the words that you use, but not in like- You mean no offense to any doctrine
writers listening to the podcast today. They know who they are. I mean, not in like a, oh,
the English language sense of way, but like the way in which words are used in doctrine is
extremely, extremely deliberate. So I remember starting work in cyber command as
a reservist, but also as a PhD student. And I was working on cyber and I kept saying cyber,
cyber, cyber. And oh my gosh, the doctrine writers, it was like flames coming out of their head
because you are never allowed to use cyber as a noun on its own. It is an adjective that is
modifying a noun. But I think that's actually like, it drove me slightly crazy,
but actually it helps to understand when we think about cyber. So cyber operations, I think,
is a nice way to talk about the noun, which is cyber. And if you think about cyber operations,
there may be like two giant bins, and that's cyber offense and cyber defense. And those are
really, really big bins, but like underneath cyber defense are a series of kind of tactical things that you do in cyber defense. And then under cyber offense,
there's, you know, cyber attacks, but then there are these other things like cyber network
exploitation, cyber spying, right? Like, or cyber enabled information operations, which is maybe it
has an element of cyber attack because you're getting an
access, right? Or you're exploiting access to put information out, but the actual kind of
information itself is not necessarily an attack. And so the vast majority of what we see today
is more on the cyber defense or the cyber network exploitation. For it to become an actual cyber attack, it has to manipulate information or
delete information or block your access to information or on like the very, very, very
rare cases actually create physical effects, physical manifestations of the loss of data.
Almost everything that happens nowadays is kind of on the cyber virtual, the cyber spying side of the
house. But I think this distinction between kind of cyber attacks versus cyber espionage, it's still
something that is really murky. Now, the DoD, I mean, if people are like kind of doctrine geeks,
you can look at how the Department of Defense defines these things. And I think they're very
deliberate about their definitions of what each of these things are, because then these definitions have implications
for what the U.S. thinks is responsible or legal in terms of kind of who does them,
and then what is appropriate in how we respond to them. But if you look at kind of just public
conversation about cyber operations, they lump a lot of things in cyber attacks that the U.S. would not really kind of call a cyber attack.
This is actually, I've been surprised how big the difference is here between the information technology community and And the national security community is a little more worried about when you frame something as a cyber attack, what are the legal ramifications? What are the
ramifications for big theories of deterrence and kind of more foreign policy and national security?
So I think, look, to try to help, because certainly in my time, I always thought one of my
jobs, and I thought of the team at Cyber Command and elsewhere, part of our job was to be educators
and evangelists
to try to help people understand. So what are we talking about? So the first thing I always started
with was, look, cyber is an operational domain, much as the air, the space, land, with a few
differences. Number one, it's man-made. It's the one domain that is man-made. But like any operational domain, it has key terrain.
It actually has a physical aspect to it.
I reminded people, look, every single IP address or server we're going after anywhere in the
world has a physical manifestation.
There is a physical and a virtual component to this, guys.
And we've got to think in both dimensions if we're really going to optimize what we're going to do here. I also thought the idea of a domain within the DoD arena,
I thought was powerful because my view was, look, this is an operational domain in which we do a
set of very traditional functions. We maneuver. We conduct defensive operations. We do reconnaissance.
We do attacks, if you will; we'll talk about that in a minute. We do a whole wide range. We do influence activities. Cyber is a tool
to enable us to do a wide spectrum of things. It's not just, well, it's just about the defensive side,
or it's all about attacks. And, you know, Jackie, you may, but I told everybody during my time at Cyber Command,
you guys got to be really measured about the way you use the word attack.
There is a very precise legal definition under the law of armed conflict with respect to
this.
Let's be very specific and very measured in the terminology that we use to describe this
activity.
One other point I would make, something that Jackie said, which I thought
great context for everybody, you also need to think about cyber activities more than just a
data or informational range. I said, look, we could use cyber as a tool to manipulate data.
We can use cyber as a tool to manipulate infrastructure through software, so to speak.
We can use our capabilities in cyber to
create physical impact. We can degrade, deny, destroy. And I always thought to myself, guys,
if we're not careful, we're really going to limit ourselves conceptually. Because remember what
doctrine is. Doctrine is designed to help us understand and conceptualize both the context
of where we operate in, but also how we operate
and how we apply all of these tools and capabilities that the DoD develops.
Hey, how do you employ them? How are they best considered? How do we put them in a context that
we understand? What's the right conceptual framework and the legal framework that we
need to know? That is the value of doctrine. The challenge gets to be you can't let doctrine
end up being a straitjacket that prohibits evolution learning and the idea that particularly
in an area like cyber where the rate of change is so high, guys, look, what we're writing today,
two or three years from now, we're going to look back and go, you know, it fit a time and place,
but it doesn't necessarily reflect where we are. I just think that's the nature of this arena, if you will.
I feel like that's spoken as a true Navy man.
The Navy, just doctrine in the Navy is like, meh, the Army, you know, you write that doctrine, that is it.
But then we don't follow it because our enemy wouldn't know what we're going to do.
I want to take this idea of cyber is ever-changing and fast-paced, but to
me, there's a bit of a dichotomy in cyber that it is very fast-paced and things change rapidly,
but the missions themselves can take a very long time to develop. And Hollywood has given us this
idea that you can type a couple buttons and the hacker is in. I never thought from an executionist
standpoint, I don't like the phrase long-term. The phrase I used exactly what I told the secretary, for example, when he told me he was December,
literally three days before Christmas. I think this is like December the 21st,
2015. Secretary Carter says to me, we're doing the final update on the global ISIS fight before
Christmas. So it's a CENTCOM commander, it's the special operations commander, it's myself.
And we're briefing him on what we're doing, both collaboratively, as well as individually on the in the fight against ISIS, really. And he starts talking to me about, hey, you got to show me what
cyber can do. And I said, Okay, sir, let me give you a few thoughts. Number one,
this is not like I have a red button on my desk and I'm just going to press the red button. I wish I could tell you we can generate capability and specific targeted effects in a matter of minutes or hours, but without preparation, that is highly unlikely.
talking, depending on what you want us to do, days to weeks to months. Now, I said, sir, that is not unlike the conventional world. How long does it take you to prep, to move forces, to do reconnaissance,
to execute intelligence and insight activities? How long does it take us in the department
to set up for protracted campaigns or kinetic fights? Sir, you don't do that in hours. You generally do that
days, weeks, months. Cyber, in many ways, is the same kind of thing. And just as you're used to
this idea of, hey, it's going to take me six months to get enough capacity and capability
into the Middle East, for example, to execute a major sustained operation, sir, cyber has many
of the same attributes. We just can't achieve the level
of specificity if you only give us hours and days. That's just not likely to generate your outcome.
The other point I try to make is, the other reason why you want to be very careful from a time
point is precision is everything in cyber. If we are not precise, the second and third impacts we
are going to have
can be really significant and have strategic implications for us. And I'm not talking about
we overshoot the target in a drone operation and we put the hellfire 35 meters to the north
and we take out a structure. I'm going, sir, this could be much more significant if we're not
careful.
If time is an important resource in
conducting a cyber operation, what other resources and assets go into building an operation?
Well, I was going to say back on this other question, I think there was a time period,
and I think a little of this continues, where cyber was really perceived as kind of like magic
pixie dust. So we're going to like plan what we normally do, and then we're going to like
sprinkle some cool cyber stuff on it.
And I mean, part of this is because I think the way people understood cyber initially was just kind of incorrect.
And there was this early vignette of the Israelis taking out the surface-to-air missile capabilities with cyber,
and that allowed them to drop bombs without the radars even turning on. And as people have gone back and looked at
that case, it's like, oh, actually, this is probably more like jamming. It's probably not
a cyber thing. But I think that vignette and that real belief that we were going to be able to use
cyber as this magic pixie dust, I think it informed a lot of the early thinking. And then people got
disappointed when they realized it wasn't magic pixie dust and that you would have to spend
time and resources to gain accesses and that persistent accesses, things that would come, for
instance, like, I mean, the most, like, the golden access would be, you know, an access inside a hard,
hardware, right, that would take years, you know, and, whereas other types of accesses would not take years, but none of these accesses
are simple buttons, right?
You're trying to find an access.
And especially if it's a really lucrative access that leads to a lot of different types
of access to data or access to infrastructure, it does take time and coordination.
And I think that then people were like, oh, well, I thought this was magic pixie dust.
This is not magic pixie dust. Well, I don't need to use it then. Like, I'll just go back and
drop a JDAM on it. Like, I know exactly how to plan that. I know exactly what the uncertainty
term is of that. And I kind of know how people are going to respond to it because we've been
doing it for a really long time. And then you kind of lost this utility. I do think that that
conversation is becoming more mature.
And a lot of it because of the efforts that Mo Rogers took in his time. There was a really big debate about whether finding accesses prior to using them was going to lead to escalation.
And the authorities for even getting an understanding of where there might be
vulnerabilities and accesses could be, was tightly, tightly held.
And he had to make an argument to many different people that, guys, this is not the same thing as
attacking somebody. It's not going to be necessarily escalatory. And it led to actually a lot of
research, this public discussion led to a lot of research on the academic side about, okay, well,
when do cyber operations lead to escalation?
And what operations can states conduct without worrying that this is going to lead to nuclear war?
That sounds like something that's very hard to test.
Well, I mean, it is and it isn't. This is not nuclear war. So in the nuclear realm,
like you really can't test a lot of the escalation dynamics, because thank God it hasn't happened.
But in cyber operations, you actually have these operations occurring all the time. We have huge amounts of data. So we are actually able to
do a lot more empirical analysis of the impact of cyber operations on escalation than we were ever
able to do or ever should be able to do when it comes to the nuclear domain. So I actually think
we know a lot more about how humans interact and behave and respond to cyber operations than we ever did about nuclear weapons.
Yeah, I would really foot-stomp what Jackie
just said. I mean, the analogy I used to use was because we would get into these really rigamaroles
about does just accessing a network for cyber command, does that somehow represent escalation or risk to a level where authority
for that must be controlled at the secretary or presidential level, which really used to frost me
because my attitude would be, do you know the authority I have as the director of the National
Security Agency with respect to networks around the world? Nobody, and I mean nobody, requires me to get approvals for us to do network penetration for
intelligence work.
Why is there that apprehension, Mike? Why do you think that people see it so
differently? Is it just comfort with SIGINT?
It's the fact that, look, number one, most people don't
understand the ins and outs of SIGINT. I was a signals intelligence officer for 32 years.
Most people don't understand the ins and outs of it, number one. Number two, we'd been doing it for so long, and it was such a specialized area, and we had been able to do it without significant risk. I think their view was, well, there's a precedence, there's a set of established procedures. Hey, that's fine. And my attitude always was, what makes you think that's not transferable or not applicable to traditional military operations?
I think the public discourse has not helped either.
I mean, if you look at a lot of Sanger's articles, they really like connotate.
So there was we found, you know, Chinese in this network, they're going to shut down all of these electrical grids.
And there was a report in like 2016, just as like the persistent engagement and the cyber command vision was
coming out that was like, hey, look, the US is implanting malware in Russian electric grids.
Now the Russians are threatening nuclear war. And it was like this very, very like high,
high stress, high tension article. And then all of us academics were looking at this and
we don't have any indications that this kind of escalation has ever happened. And then some
academics really believe this escalation could happen. So what I did is I developed a bunch of
war games to put people in the scariest situation possible. And okay, now we're in this worst case
scenario. Is cyber operations going to lead to nuclear war? And no, like not in
the ways in which that we were so scared. And we can talk about this more, but there are kind of
implications for inadvertent escalation and accidents, but it's not the kind of deliberate
fear creating that we were really worried about in those early years. And that I still think that
like gets worried about in public discourse. This is actually one of my findings. Cognitively, people don't respond rationally to cyber incidents. They
underplay their vulnerability. So they don't respond to cyber. They have anxiety, but they
don't have fear. And this is great for escalation because it means that you don't get these kind of
deliberate incentives. So I'd like to take what Jackie said about some of her research and some of these findings about how individuals interact
with understanding escalation and fear, anxiety about cyber to something Mike said earlier about
the use of cyber capabilities in fighting the Islamic State. And I'd like to use that to shift
to talking about Task Force Ares as, I don't know if you would describe it as almost a proving ground of how all these capabilities can come together in a venue
that might have been more comfortable for many in the national security community. Mike, can you
introduce us to what that concept was and how that established some of the ways that we engage in
cyberspace today? Sure. So, and as I said, in December of 2015, literally a few days before
Christmas, when I get told, Mike, you got 30 days to show what Cyber Command can do using cyber in
the fight against ISIS. One of the things I said was, okay, I can do a series of very narrow,
very quick things that will not achieve the outcomes that you want, quite frankly.
I said, but if we're really going to do this for real, we need to spend time thinking about,
so how would we execute this? What's the command and control? What's the operational framework we're going to use? And when I went back out to Fort Meade and sat down with the team at Cyber
Command, I said, guys, what do we do in the department when we're trying to bring together
a disparate set of capabilities and organizations for a sustained fight with the defined particular target or area? In our case,
it was the target was defined, not the area. And I said, you know, guys, we create joint task
forces. That's how we fight. That's how we maneuver. That's how we execute command control
at this level, given this time dimension of sustained effort. This isn't something we're
going to do for three months and declare victory. And it's not something that I thought just one
service or one component could do. And so I talked to the team about, we need to create
a joint task force that brings together the different capabilities of cyber within our
components, as well as it gives us a command
control structure that we can use to coordinate with the kinetic fight that's ongoing, because
guys, we've got to synchronize what we're doing. So with the JTF that was in Iraq, as well as with
CENTCOM, I said, in addition, this gives us a mechanism to tie in our allies, particularly in
this scenario, the Australians and the Brits. And then it also gives us the ability to create a deconfliction and coordination
mechanism with the intelligence community. Because we have to acknowledge we're going to be
maneuvering and we're going to be executing operations in the same battle space that the
intel world does. And the team came back to me and said, hey, JTF, we think we agree,
sir, is the way to go. And we want to call it JTF Ares, the God of War. And I'll be the first to
admit, I felt personally, and I said this to then Lieutenant General Nakasone, who I had selected
to command it. I said, Paul, we're going to use this to show this department and this government
just what we can do, and that we can operationalize
cyber in a way that we can be comfortable with, we can coordinate and de-conflict,
we can more readily understand, and we can ensure integration with a broader set of activities out
there. That's what JTF Ares is going to do. Can I say that I think that the development
of task forces from Cyber Command, it's extremely innovative. And I think it sometimes gets overlooked by like all the changes in doctrine. I think that the movement to task forces is maybe the most revolutionary change in the way we execute cyber. about organizing all sorts of different types of military power, especially outside of a
O-Plan construct, which increasingly very few of our conflicts fit within the O-Plan construct.
So as a military innovation scholar, I actually think that this is a really great case study for
other people to look at, is the development of task forces and what that means for operational
effectiveness in this, I'll say it, gray zone.
And I did not pay Jackie to say that. I want to state that for the record.
I've written it before, but nobody picks up on it. Nobody wants to talk about task force
organization. What about the rest of the government? This wasn't just an effort of
military power, right? Where you were integrated with other agencies and resources?
Yeah, but in this case, because of the nature of the conflict and the capabilities, when it came to actual execution and broad concept
of operations, that was largely driven from a military dimension, given the mission that we
were given. I'm not arguing cyber writ large. I'm just saying for given that particular mission,
because remember, it was a DOD driven mission. This wasn't the interagency
came to the DOD or the White House said, hey, look, we're going to put together a coordinated
strategy. This was much more within the assigned mission space to DOD. Okay, let's come up with
a construct that enables us to execute cyber activities in a very tactical way, but with
strategic implications. And that was interesting.
Within the JTF Ares, we did activities from very tactical battlefield operations where we would
synchronize cyber events with kinetic events occurring in the battle spaces in Iraq and Syria,
or we would use cyber as one element of a strategy combined with very traditional physical,
some of them activity,
but very physical activities that, quite frankly, were designed to drive ISIS to do some particular
things that facilitated or increased the probability of success with follow-on physical
activities. That was one of the parts I really loved working with the commanders in Iraq and
at CENTCOM. So we did things from the tactical, and then we were doing things up with using JTF
Ares up to the strategic, where we were trying to argue, we should use this capability to degrade
their informational capabilities, for example, to degrade their, not, notice, I didn't say
totally remove or wipe out, because I always said, guys, that's totally unrealistic. But
can we degrade their informational activities and capabilities? Can we degrade their financial? And to do that, we're going to need a much broader set of partners.
So when we got to that level of activities with JTF Ares, we're spending time with the State
Department. We're spending time in the White House. We're spending time with our allies.
We're spending time trying to deconflict as well as gain greater intelligence insight to inform
our specific targets.
I want to just follow up on what you said about a tactical cyber operation. Is a tactical cyber
operation one where it has tactical effects or it is implemented on the ground? And how is that
different from what might be done at a higher level?
For me, I define tactical as the effect is localized, the effect is very specific,
and the effect tends to be shorter in duration.
Okay. So it doesn't mean that you necessarily have a cyber operator out in the field doing that tactical operation. It could happen from anywhere, but it's a tactical effect.
Right. With respect to cyber, again, I thought that was a really limiting factor.
Do not focus on the how.
Hey, are you doing this from an operator that's actually physically in the AOR?
Are you doing this using an operator who is under the operational control of the supported
commander?
I just thought at times, it's a little bit like supporting fires to me.
I used to argue, and fortunately, in the end, the department bought it. But I said,
we apply supporting capabilities in tactical activities all the time without the supported
commander having direct op-con or operational control. Cyber should be no different. And yet,
at times, we would get into these endless debates about, well, if you're going to do cyber in my AOR or in
my assigned area of activity, I have to control it. And I kept saying, guys, this is not going to work.
Jackie, earlier you mentioned that the Joint Task Force for Cyber was an innovative construct and
it was very effective against ISIS. Now we're transitioning to great power competition. You
could argue we have transitioned to great power competition while still fighting terrorism.
How is this construct going to translate to the next fight?
And what should we be thinking about when it comes to the differences?
You know, if you look at how the Joint Task Force construct, especially in relation to
cyber, has evolved since JTF Ares. The public discussion is about, you know,
the joint task force or stand that stood up
about election security and Russia.
And both of these task forces,
at least before SolarWinds,
were seen as very successful.
And they had a timeline.
And task forces that have a timeline to end are great
because you are focused towards a goal and an effort, and then you can disband.
I am concerned about how the joint task force concept ends up being implemented when we look
at a great power competition that could be extremely long-term. And competition is not
just about developing the best technologies. It's also about who can persevere in this competition the longest, right?
And the concern I have with the task force model and some of our doctrines that are advocating
for persistent engagement and kind of constant thinking about the adversary and constant
contact is how do we figure out when we're successful?
And then how do we disband? How do
we end these things? And how expensive and like, how big of a suck do they become? Where we how do
you break China into task forces? And then how do we determine whether we're more or less successful?
And then how do how do we get out of this without going broke? And that's my concern, is that I just don't know.
I've yet to see kind of measures of effectiveness for task forces that don't have a bit of a timeline for when they're complete.
What really matters is, in some ways to me, less the task force construct and a little bit more about, so what specific missions are you giving them? Because as to Jackie's point,
doctrinally, joint task forces are supposed to reflect specific mission needs in which there's a requirement for a certain level of command and control. There's a desire to bring together
multiple capabilities, multiple components, multiple services, And the mission is very specific and very narrowly defined.
We tend not historically use JTFs for these broad, never-ending.
For example, why would you create a JTF that says your job is to lead the fight in a conflict
with China or in the short of conflict, but in the crisis or day-to-day competition?
I would be going, that's not really what a JTF is
optimized to do. I think Jackie makes a very good point there. So I'll start with Jackie for this
one. Again, without taking the lessons from Ares and applying them to the U.S.-China relationship,
for example, has your work found that the United States comfort level with what we're willing to do in cyberspace is different in U.S.-China
relations because of how we understand that escalation environment? I mean, I think this is
evolving. There was a big shift in the Trump administration to take more risk and delegate
down more authorities in cyberspace. You also saw new doctrines like the Department of Defense,
this idea of defend forward, and then Cyber
Command's idea of persistent engagement. And it doesn't look like that's going to be reined in
by the Biden administration, you see a lot of support for more forward leaning. And there's
a lot of question about what defend forward and persistent engagement are. For me, I think about
this as kind of cyber operations prior to violent conflicts that are attacking the adversary's cyber capabilities.
So you're not attacking civilian infrastructure. Instead, you're attacking the resources that the
PLA is using to conduct cyber operations. And I can see that kind of tit for tat between China
and the United States continuing and escalating in the amount of tit for tat that's occurring. But I don't see a scenario, a likely
scenario, where cyber operations are the instigating or galvanizing incident that then leads to violent
conflict. I think one of the questions that we have, if violent conflict were to emerge,
and, you know, I think we imagine this conflict is something where both China and the United States
is trying to mitigate escalation so that this conflict stays kind of relatively geographically confined and also, you know,
confined in terms like not becoming a nuclear war. I can see cyber operations being a huge part of
that conflict. And I think one of the largest question marks is whether China would consider
attacking civilian infrastructure, US civilian infrastructure in the midst of that type of crisis. And I think Chinese thinking on that has evolved a lot. In 2015, it really seemed
like they would do that. And they have kind of backed down some of that rhetoric since then.
And then for the United States, whether the United States would do something like that.
If I was in that meeting, and I was able to give a recommendation, I would recommend that the US
restrain itself from cyber attacks against civilian infrastructure. I actually am on record
saying I think that the U.S. should have a no first use policy on cyber attacks against civilian
infrastructure. But you can imagine that cyber attacks are going to play a large impact on the
networked types of warfare that both China and the United States are increasingly dependent on.
Yeah. So again, I'd be careful about the way we're using the word attack,
because that can mean a whole lot of different things. And remember, the whole idea behind
defending forward and precision engagement was not just about attacks or attempts to impede or deny
or disrupt opponent cyber activity. It also talked about, because we promulgated this before I left,
we talked about the idea that this was designed to help us, how could we generate more understanding?
How could we generate and perhaps influence? And how could we use activities in cyber short
of conflict as potential components of deterrence. And that's really what those things
were designed, were part of the argument that we made. I do agree with Jackie. Look, and I was part
of those. In fact, the last PC principals meeting I attended in the White House with Secretary
Mattis and I, we made the argument and it was adopted. We have got to fundamentally change,
our NPD 13 approach
to how we're using cyber. And so you saw the Trump administration, to Jackie's point,
was both more comfortable delegating authority within cyber, but also was more comfortable in
executing activities. And not just offensive activities, if you will. They were more
comfortable executing it. As the Biden team takes over,
rather than reverting back to the last Obama administration, again, I was part of both the
Obama and the Trump team. I agree with Jackie. My sense is, because I know them all, we all
worked together during the Obama timeframe. I don't sense a desire to go back to the way things
were in the second Obama administration. But I do think, to Jackie's point, there is a broad consensus within this team that we really need to think about while
we acknowledge offensive use of cyber may be appropriate in some scenarios. We need to be
very measured and we need to be very specific and we need to think really long and hard before we
start going after civilian
associated infrastructure. What I think is going to be interesting as I look forward is, so what
is the international consensus on all of this? At the moment, it's a lot of individual nations with
views and we haven't yet been able to develop the norms of behavior, the kind of unwritten,
what's acceptable and not acceptable that we have been able to do in the kinetic world. We haven't really gotten there yet
in cyber. And I wonder, is the focus of the near term, hey, how can we start to address that?
So you raise international norms and the UN has attempted to establish some international norms, but our main adversaries, particularly Russia and China, aren't really known for respecting those norms.
And that can really have an impact on how the U.S. views deterrence.
And is deterrence even possible when we talk about what Russia and China are willing to do in this arena?
Yeah, well, hey, Jackie, tee up what you guys talked about in the
Solarium Commission. Well, I actually had a difference of opinion in how the deterrence
piece got written up in the Solarium Commission. And now we've hit the inside scoop.
Yeah. I'm not a huge fan of, I think, layered deterrence is what they came up with. I will say
for me, I think that cyber deterrence works at
the strategic level. I think that we are able to successfully deter adversaries like Russia and
China to not conduct high strategic cyber attacks, attacks against civilian infrastructure with large
scale effects, for example. I think we can probably even, if we focus on it, maybe deter
attacks on nuclear systems. I do not think deterrence is effective below that.
So I think there is a role for deterrence.
It's at the strategic level.
And at the low level, the deterrence is generally not very effective in this domain.
What's considered low level?
I think most stuff in deterrence cyber is not deterrable.
Now, there are like two types of deterrence, deterrence by punishment and deterrence by denial.
And in general, investments in denial, which are generally kind of defensive measures that make it more costly for actors to conduct nefarious actions in cyberspace.
Those are always useful.
They're never going to be 100 percent successful, but they're boring.
You know, it's like investing in resiliency and redundancy and two-factor authentication.
And here you heard it.
Jackie believes deterrence is boring.
Well, I mean, I'm just saying a lot of people don't want to hear the answer is these really
boring kind of security things, you know?
I think people want the more the fun and the excitement of deterrence by punishment,
but I think that only works at the very highest level for cyberspace.
The way I would phrase it is, look, do I believe that there are some aspects of deterrence that
are applicable within the cyber arena? Yes. On the other hand, I keep hearing people want to
take the nuclear deterrence concepts and argue that they work in cyber. And I'm going, guys, it's not a direct translation.
There's some fundamental differences in the cyber arena.
We also need to differentiate between deterring attacks and deterring activity.
You know, take a look at the power grid, for example.
Nation states conducting reconnaissance, penetrating the power grid with a view to try to understand it
so that they might potentially, in the event of a conflict, place it at risk, is a very different deterrent question than can you deter adversaries from actually engaging in activities that degrade, deny, or destroy our electrical infrastructure?
They're not the same thing to me. And I think the latter we can, the former gets to be really difficult. And you certainly see that's the way the Chinese and the Russians think. You
can tell that's the way they view this. They don't see that as escalatory behavior because their view,
their argument kind of internally is, well, we're not really denying it or degrading it or disrupting
it. But one of the things about norms that was
interesting was we tried to make a, we the US, at times we tried to make part of the norms
discussion, are there types of targets as well as types of activity that should be beyond
acceptable, that should be viewed as abnormal and therefore not within the acceptable range
of activities within cyber. We never really defined it well. And I thought the other challenge
with norms was, my argument always was, guys, start simple, start small. And yet I would be
part of these interagency processes at times. They wanted to come down with the, here's the
50 things that we want to
make as norms. And I'm going, we're never going to get a consensus among 200 plus nations to 50
different things. Could we start small and build over time? I always thought that was a much
smarter approach. Let's move to implications. Jackie, what do you think are the implications
for the policymakers and the practitioners? And Mike, opposite, what are the implications for the academic and scholarly research communities?
trod. And I think if practitioners could just stop focusing on deterrence, that would just be a lovely, we can move forward. You know, the reality is something that we haven't talked about in this
conversation at all, is that what scholarly work finds time and time again, is that the impact of
cyber operations is on private sector, it's on degradations of trust, it's on effects on the
economy. And I think the Biden administration is
well aware of this and they're moving towards, you know, making movements on ransomware,
but this kind of really complicated relationship between proxy actors and mercenaries and criminal
gangs and the relationship with the state, with Russia, with China, how many of these things are
sanctioned versus not sanctioned? And then what are the foreign policy tools that you have and the
military power tools that you have to deal with these types of actors and operations that are
kind of intentionally created to obfuscate who is really behind them, or to slow down or to keep the
United States from having a concerted approach.
So I think the more we can look at kind of those really nuanced relationships between the state
actors and the non-state actors and then what kind of foreign policy tools that we can use,
I think that's kind of an enduring problem. And for me, again, focused on, so Mike,
what would you say to the academic world? Look, I understand Jackie's frustration on the deterrent side, but I still always used to tell my academic, and I tried to work this within Cyber Command. We brought on board a scholar in residence. I said, guys, there's a conceptual and academic piece to this that we want to help be a part of and help foster because there's so many brains out there that we should be taking advantage of. I still think the
academic world can help us build a conceptual framework for deterrence that is understood.
I'll be honest, most people find it so nebulous right now. I'd love us to get down to a much more
practical piece of it. Number two, I always liked academics' views on organizational constructs.
The reason I say that is, look, the greatest
change arguably in my 37 years was a change that was imposed upon the department by the outside
in the form of Goldwater-Nichols. And I actually had combat time in my record in the pre-Goldwater-Nichols
days in Grenada and Beirut. And my takeaway from Grenada is this is a cluster. So I really like outsiders at times
taking a look at organizational constructs and command and control, because I think at times
they're less biased and they're not as influenced by history. And I find that really refreshing at
times. And then lastly, what can the academic world do to help the government, not just the
military, but the government, how do we work our
way through this public-private set of challenges? Because the majority of this domain is in the
private sector, not in the public sector. The majority of the targets are in the private sector,
not the public sector. And the majority of the infrastructure through which we execute activities is in the private
domain, not the public domain.
So trying to understand how we make this work a little bit easier and how we acknowledge
that, look, we just cannot afford a wall where we say, hey, on one side, the government's
going to do its thing.
On the other side, the private sector is going to do its thing vis-a-vis cyber.
I just don't think that really gets us where we need to be. See, he waits till the end to say the
organizational politics, because we could do a whole nother discussion where we just ask about
how it feels to be dual-headed running Cyber Command and NSA. So one last rapid fire question.
Yep.
This is a pervasive domain and pervasive type of interaction between the United States and
everyone else.
So for this particular topic, I'd ask you both, what keeps you up at night when you
think about the threats that the United States faces in cyber?
Let's see.
Number one, it's much less to me something that fundamentally keeps you awake in the sense that, for example, I used to hear some of my bosses used to use the Pearl Harbor analogy all the time, which I just didn't like at all this activity, think about what its implications are instead of,
well, I'm waiting for the next bolt out of the blue that really causes significant harm and pain.
And that is not the best framework for us to be thinking how we're going to work through
these challenges. But the short answer for me is what keeps me awake at night?
Nothing keeps me awake, but I really worry that we are not optimized between government
and the private sector. And I'm not blaming either side here, but we are not optimized for the realities of this world of cyber.
I think for me, it's kind of how we've moved to more and more dependence on AI and highly,
highly digital dependence.
And I worry about how cyber attacks can decrease our confidence and our trust
as we move to more and more digital currencies
and digital...
You look at the way information has influenced US governance
and how we trust our democratic institutions in that. I worry about
that a lot. And I worry that democracies are maybe more vulnerable to future threats than
other countries. And I don't have a solution for those things. And so those are the things
that bother me. Well, that's all we have time for today. Admiral Mike Rogers, Dr. Jackie Schneider,
thank you so much for being here today. This was really great.
And I would only add thank you very much. Jackie, it's always a pleasure. I saw how good you were when you were at Cyber Command. It's great to see that you continue to serve the nation, both from an academic perspective, but also in your role as a reserve officer, you know, in the Air Force. Thanks so much for what you do every day.
And thank you, Shauna and Abigail, for putting this together and giving me an opportunity. It is a rare opportunity. See, I think, Admiral Rogers,
you were there. You led Cyber Command through an extraordinarily historic time. And so it is
a real honor to get to hear exactly what was going on as you were making these decisions.
Thank you so much.
Thanks again for listening to Episode 40 of the Irregular Warfare podcast. We release a new episode every two weeks. In our next episode, Laura and Andy
discuss organizational change for irregular warfare forces with retired General John Allen,
former commander of NATO International Security Assistance Force and U.S. forces in
Afghanistan, joined by Simon Aitken, author of Changing of the Guard, the British Army Since 9-11.
Following this, Andy and Kyle discuss coalitions in the irregular warfare
with a focus on the U.S. and Australian perspectives with ambassadors Doug Lute and Duncan Lewis.
Please be sure to subscribe to the Irregular Warfare podcast so you don't
miss an episode. You can also follow and engage with us on Twitter, Facebook, or LinkedIn.
If you enjoyed this discussion, please leave us a review on Apple Podcasts.
One last note, what you hear in this episode are the views and positions of the participants
and do not represent those of West Point or any other agency of the United States government.
Thanks again, and we will see you next time.