Irregular Warfare Podcast - Securing the Cyber Domain: Exploring Cyber Policy in the Department of Defense

Episode Date: June 16, 2023

Be sure to visit the Irregular Warfare Initiative website to see all of the new articles, podcast episodes, and other content the IWI team is producing! Is it possible to deter adversaries in the cyber domain—and if so, how? What should the US Department of Defense be learning from the role of cyber in the war in Ukraine? How do activities in the cyber domain overlay on—and influence—irregular warfare? In this episode, hosts Matt Moellering and Adam Darnley-Stuart are joined by two expert guests. Ms. Mieke Eoyang is the deputy assistant secretary of defense for cyber policy and Dr. Erica Lonergan is an assistant professor at the Army Cyber Institute at West Point and coauthor of the book Escalation Dynamics in Cyberspace. Together, they examine some of the deeply challenging questions presented by the increasing prominence of cyberspace as a warfighting domain.

Intro music: "Unsilenced" by Ketsa
Outro music: "Launch" by Ketsa
CC BY-NC-ND 4.0

Transcript
Starting point is 00:00:00 I would just say that the United States believes very strongly in our commitments even when it comes to warfare but also when it comes to our behavior in the cyber domain. So if an adversary decides that they are going to try and inflict harm and say take down and harm a hospital that does not mean the United States is going to likewise disrupt a hospital. We drew a lot of our cyber deterrence thinking from Cold War models of deterrence, whereas Russian strategic thinking sees deterrence as along a spectrum. Welcome to episode 81 of the Irregular Warfare podcast. I'm your host, Matt Moellering, and today I'll be joined by my co-host, Adam Darnley-Stuart.
Starting point is 00:00:49 Today's episode is our third installment of the IWI Project on Cyber, where we look at how the Department of Defense handles cyber policy and strategy. Our guests take a holistic look at the nation's different cyber policies and strategy, and how they apply to the Department of Defense. They then look at cyber's role in integrated deterrence and how this may be different from previous notions of deterrence. Finally, they conclude with a discussion on the great implications of how cyber has impacted the war in Ukraine, the limitations of tactical cyber,
Starting point is 00:01:18 the prospects of a cyber service, and what this means for irregular warfare practitioners in great power competition. Ms. Mieke Eoyang is the Deputy Assistant Secretary of Defense for Cyber Policy, where she is responsible for the establishment of DoD cyberspace policy and strategy, guiding DoD cyber activities, and managing key relationships across the U.S. government and its allies. Previously, she served as the Senior Vice President for the National Security Program at Third Way, leading their National Security Program and founding the Cyber Enforcement Initiative.
Starting point is 00:01:47 Prior to that, she held multiple staff roles in Congress. Dr. Erica Lonergan is an Assistant Professor in the Army Cyber Institute at West Point. She is also a research scholar in the Saltzman Institute of War and Peace Studies at Columbia University. Previously, Erica served as a Senior Director on the U.S. Cyberspace Solarium Commission. Finally, she co-authored the book Escalation Dynamics in Cyberspace, which was published recently. You are listening to a special series of the Irregular Warfare podcast, a joint production of the Princeton Empirical Studies of Conflict Project and the Modern War Institute at West Point, dedicated to bridging the gap between scholars and practitioners
Starting point is 00:02:29 to support the community of irregular warfare professionals. Since recording this episode, the DoD has released an unclassified fact sheet detailing the release of the classified DoD cyber strategy, which can be found on the podcast website. Here's our conversation with Ms. Mieke Eoyang and Erica Lonergan. Mieke, Erica, thank you for joining us on episode 81 of the Irregular Warfare podcast. Thanks so much for having me. Really looking forward to it. Great to be here. Really excited for this conversation. Mieke, as Deputy Assistant Secretary of Defense for Cyber Policy, can you talk a little bit about your current position and responsibilities? Yeah. And it's sort of a weird thing because not a lot of people know what OSD policy is and then sort of what is cyber policy inside of that. You know, what policy is responsible for is a lot of the civilian advice to the secretary
Starting point is 00:03:15 that has to do with, right, how do we deal with other countries? How do we deal with the interagency? I'm the senior civilian in the department who thinks full time about cyber. There are a lot of other people who think about cyber as part of their other responsibilities, but I'm the one who has all cyber all the time. And so what that means is that I am overseeing the department's cyber operations and thinking about not just can we do something, but should we do something? And also interacting with foreign partners, helping try to explain what the department does. Also, my office is responsible for writing the defense cyber strategy.
Starting point is 00:03:53 When we talk about cyber policy, obviously one of the most recent and important documents was the March 2nd release of the U.S. National Cyber Security Strategy. And over the past couple of years, there's been a sway of released US national security documents, such as the NDS, the update of the irregular warfare annex to the NDS. Could you please unpack a little bit on what your office's role in those release of those documents were from your perspectives? Yeah, happy to unpack a little bit the strategic framing that governs how the Defense Department does cyber. So we have not only the National Security Strategy, which was released by the White House, which sets the broad prioritization and strategic guidance for how we are approaching the world. We also have the National Defense Strategy, which talks about how
Starting point is 00:04:41 the Department of Defense approaches those things. And one of the big changes for the NDS is its focus on integrated deterrence. You know, we talk about the priorities there as defending the homeland, deterring strategic attacks, deterring aggression and being prepared to prevail in conflict, and then building a joint resilient force. Then we also have the national cyber strategy, which governs cyber across not just national security and the military, but cyber as a whole of government, whole of nation approach. And that document talks about a couple of different things, one of which is particularly significant for us in the Department of Defense, which is pillar two, the disrupt pillar, which talks about the need for the U.S. government to be able to disrupt malicious cyber activity that is coming at the United States. And in that, we work very closely with our law enforcement colleagues who have the ability to bring legal actions and
Starting point is 00:05:38 takedowns of ransomware, arrests of individuals, things like that. And we work closely with them on the disrupt portion, which I know is very interesting to your listeners. And unfortunately, I'm not going to be able to go into a lot of detail about what the Department of Defense is doing to disrupt malicious cyber actors in this unclassified podcast. But we think about that. A couple other things from the NDS, right? China as the pacing threat, Russia as an acute challenge, and the need to not only be ready for conflict, but in a cyber academic perspective, is that cyber sort of explicitly plays a pretty significant role in some of those pillar concepts in the NDS. And so it gets a number of shout outs in the concept of integrated deterrence, right? Because integrated deterrence is about integrating across capabilities, not just different types of military capabilities,
Starting point is 00:06:45 but sort of the broader suite instruments of national power and cyber is part of that, as well as thinking broadly about like the spectrum of conflict. And so I think the NDS presents these questions of sort of what is the role of cyberspace in integrated deterrence. And then when it comes to campaigning, cyber figures, I think, even more prominently in how the NDS conceptualizes what campaigning is. I mean, the military does campaigns, right? This isn't a new concept. But thinking about campaigning as something that is more active and that takes place sort of short of war, we see a lot of sort of natural, I think, parallels to cyberspace.
Starting point is 00:07:26 So I just wanted to kind of highlight those two points that cyber really does figure pretty prominently in the national defense strategy, which I think reflects this consensus that's evolved over the past decade plus within the broader department about how integral cyberspace is not just for modern conflict, but for modern competition as well. Yeah, and I just want to footstomp something that Erica said there about integrated deterrence, because I think it's really important that people understand that our theory of deterrence in cyber has really evolved here, that what we're talking about is not necessarily cyber for cyber, right, a tit for tat just in the cyber domain, but that things that happen in the cyber domain can have responses in the physical
Starting point is 00:08:13 world, and that those responses can include all elements of national power, from economic responses, diplomatic responses, economic responses, all the way up to depending on the scope of the cyber incident could include military responses. And so when you're thinking about how to respond in the cyber domain, it's not just what can the cyber domain deliver, but it's what can you deliver across the full range of things that might be appropriate, which gives policymakers a wider range of tools to be able to impose consequences on an adversary based on what might matter to them, where the cyber response may or may not have particular value to the adversary, depending on what we are thinking about there. When you mentioned integrated deterrence and cyber, that's a uniquely American
Starting point is 00:09:02 way of viewing the problem, especially under the Biden administration. And I contrast it to other countries like Russia that see cyber and information operations as more closely linked, if not the same thing. Do you believe that integrated deterrence is the American way of linking information operations and cyber? Yeah, I mean, I think generally how you frame that is accurate in terms of how Americans, or at least the policy world, tends to think about cyber as something distinct from information war, although doctrinally, cyber is part of the information environment.
Starting point is 00:09:30 I think an interesting point, though, that's related to the sort of distinction between maybe how the U.S. conceptualizes cyber and information as sort of more distinct and, you know, Russia sees a broader sort of continuum of information warfare that includes and kind of integrates cyber. Russian strategic concepts also have a different view of deterrence than we do, which I think is an important and kind of related point. And I think it's something that has kind of stymied some of the early discussions, getting back to what we were talking about earlier, in terms of how the policy establishment thinks about cyber deterrence. We drew a lot of our cyber deterrence thinking from Cold War models of deterrence, specifically nuclear deterrence, which we all know at this point that's not a perfect match to the challenges of cyberspace. Whereas Russian strategic thinking sees deterrence as
Starting point is 00:10:23 along a spectrum, right? And they have a concept of intra-war deterrence. And I believe China does as well, which we don't necessarily have. And so I wouldn't advocate for American strategic thinking to adopt or emulate the perspectives of some of our most significant adversaries and challengers. However, I do think it's important to recognize that there are certain domains and environments where taking this sort of binary view is not particularly helpful or isn't really conducive to the realities of operating in this environment. And so, you know, just like we think about deterrence as this binary thing where it's either on or it's off, and the use of force is an indicator of deterrence, you know, that doesn't comport to cyberspace, right? Because
Starting point is 00:11:13 you see malicious activity happening routinely. I think we need to kind of interrogate that. I also think we need to have a more kind of cohesive view of the relationship between the cyber environment and the information environment. Although cyberspace can be a vehicle for causing information effects, but cyberspace can be a vehicle for other things too, right? And so we need to make sure at the same time that we're not just thinking about the cognitive dimension of cyberspace, but thinking about the full range of sort of effects that the cyber domain can enable. I do think that the cyber information divisions in the department, right, like we have different combatant commanders who set policies related to those things. But really, it is about how do we
Starting point is 00:12:00 manage the cognitive function of warfare from a defensive and an offensive perspective? And, you know, people sometimes think about information warfare as the winning of hearts and minds, but there's another element to information warfare, which is about how do you change the calculus or perceptions of a foreign adversary in a sort of narrow and precise, like military sense, or like a particular unit and like how do we think about whether or not we could lower morale or enhance overconfidence or, you know, whatever the cognitive effect is that would be most beneficial to us at the time. I do think that the cyber domain and the information that transits it has become much more complicated. And from a counter
Starting point is 00:12:46 intelligence and operational perspective, there's a lot more that you need to understand about the way that the domain works in order to successfully conduct information operations within it. And I think, right, in the United States, people try to sort of sweep in the public affairs function into the information operation space. I think that that's a little bit tricky because, like, as the United States, our view is people are entitled to truthful information about all kinds of things, including their military. Is that an information operation or is that just our obligation to keep the American people informed? But when you think about some of the more narrow information operations, I think it's really important that the operators really understand the environment in which they are operating and the ways in which they can be detected both by the adversary, but more importantly, by the media or the private sector, which has, you know, as we have encouraged them to increase their cybersecurity, have many, many more ways to detect inauthentic behavior because they're trying to eliminate inauthentic behavior writ large on their platforms. So like this is an area where as the domain is evolving,
Starting point is 00:13:57 it's really important that our understanding of how to operate in this domain evolves to state of the art. And that is actually a skill set that is not necessarily one that naturally goes with people who fast rope out of helicopters, but may come with people who spend a lot of time trying to penetrate adversary networks. And so I think that there are these questions about like, what makes the most sense for us in the department, given the evolving nature of the domain? That's not a settled question, but I think it's an important one that we have to think about as we move forward and as our operations in this domain mature. Thank you for those insightful responses. I took note during the discussion regarding your remarks on deterrence during conflict and the importance of escalation control. This leads me to the question of how do we effectively manage escalation during conflict
Starting point is 00:14:48 as opposed to during competition and the incorporation of influence effects and outcomes within the broader scope of information warfare. In your opinions, what are the most significant opportunities in future cyber strategies to meet the demands of a contemporary competition? And is there additional room for manoeuvre or greater freedom of action that we should be pursuing, not only from a US standpoint, but also in building a coalition engaging with our allies and partners? I do think like one of the things that's significant for the Department of Defense is the 2018 cyber strategy, which said we will defend forward and was an acknowled experience post 2018 and the authorities that the department has has given us a lot of operational experience that helps us understand what works and what works most effectively in this space and maybe what is not as effective.
Starting point is 00:16:06 And so like there are a lot of complex things in this. And so I think it's important for us to learn lessons. I think that that's also an important thing for us to be able to have conversations with close allies about how we do this because the domain itself is very noisy. And so how we think about coordination, deconfliction, managing shared escalation risk, these are all conversations that we have to be able to have with other countries as they think about how they mature their own cyber capabilities. The UK just put out a white paper on their new national cyber force, which was created just a few years ago, which integrates elements of GCHQ and MOD into a sort of operational force command. And they put out this white paper, Responsible Cyberpower in
Starting point is 00:16:50 Practice. And that paper, similar to the 2018 DoD US Cyber Strategy, talks more transparently about the role of offense in cyberspace, as well as, to Mieke's point, thinking more in a more nuanced fashion about what cyber is good for, what are its limitations, how do we think about addressing potential escalation risks and unintended effects. So I do think from an ally to partner perspective, there is this, what I would see as sort of a positive trend to be more transparent about these concepts. And I think that will facilitate a more productive conversation within the broader defense policy community, with the American people, with allies and partners
Starting point is 00:17:32 about what are these capabilities good for? What are its left and right limits? You know, how do military forces and capabilities and resources fit into broader national strategies and policies? And so I think we are seeing this, what I would say is sort of a positive trend around actually having these conversations. Granted, a lot of it is, it has to be kept secret for good reasons, but when it comes to these sort of broader themes and ideas, that should be sort of open for discussion.
Starting point is 00:17:59 I really appreciate Erica raising that because the title of that document, right? Responsible Cyberpower in Practice, is really important because we see a lot of adversary activity on the networks and we make some assumptions about what their intentions are for that. conflict and to our obligations to Geneva Conventions and other things to be a responsible state power, even when it comes to warfare, but also when it comes to our behavior in the cyber domain. And so for us, as we think about what we do and don't do, things that we believe in other domains, precision, avoiding harm to civilians, things like that. Those things apply in cyber as well. We don't just get a pass on our ethics and morality about armed conflict because it's in the cyber domain. So like even where adversaries may choose to do certain things, if an adversary
Starting point is 00:18:59 chooses to use chemical weapons, that doesn't mean that we, the United States, use chemical weapons. If an adversary decides that they are going to try and inflict harm and say, take down and harm a hospital, that does not mean the United States is going to likewise disrupt a hospital. We believe in those things. We believe in responsibility across all domains of conduct. And I think it's important that we start being able to talk about some of that because it's important to say what a responsible power is in practice. I completely agree. And I think that puncturing the mystique around the role of the Defense Department in cyberspace is important to reinforcing that idea that there is responsible behavior in cyberspace. And I think the problem with not having those conversations is that you end up with a lot of speculation
Starting point is 00:19:47 that is probably erroneous, right, about what the military is doing in cyberspace. And so we should, in a democratic society, have these conversations and make sure that how we behave and operate in the domain is consistent with our values and the norms that we're trying to uphold. And I would say that it's even more important in cyberspace because cyberspace touches so much of
Starting point is 00:20:08 civilian life, right? We know the trope that the infrastructures, 85% of it is owned by the private sector. Cyberspace is not just a domain of conflict that's confined to the military. It is a fundamental integral part of our democratic institutions, of our society, of our economy. So we have to make sure that we're having those conversations about what it means to apply military power in cyberspace in a democracy, in a context where we have these sort of values and ideals that we're trying to uphold. So Mieke, you unpacked a few, probably the primary example on how to rationalise for the operators or practitioner what a cyber effect in the ethical component might look like, like we don't attack hospitals and you mentioned chemical weapons as
Starting point is 00:20:54 an example equivalent to one of the physical domains. Would you be able to unpack or just give some other examples of what you mean by potential unethical adversary actions in cyber domain, because I think especially from a practitioner's experience at the moment, I think some practitioners are finding it difficult to rationalize but understand when we say unethical adversary actions in cyber domain and then we follow it up with like chemical weapon attacks and nuclear weapon attacks, they still don't, I think, quite tweak. So could you please give some further Yeah, I think one of the things for the United States military is that, right, we believe in basic principles in warfare, right? Discrimination, proportionality. When you translate that into the cyber domain, what that means is that we have obligations to be able to do exactly what we intend to do. The United States military,
Starting point is 00:21:48 generally speaking, believes in precision. But in the cyber domain, what that means is that you want to try and avoid spillover effects and unintended consequences that might risk greater escalation than what you originally intend, or that could cause harm to groups that you did not intend to harm. But precision takes time. And in the physical domain, we spend a huge amount of resources and time on R&D to ensure that our weapons are as precise as possible. We are learning what that means in the cyber domain to make sure that we are as precise as possible and making sure that we do what we intend to do. And that requires some care and forethought. Just to sort of briefly add to that, I would also say that there's a misnomer about cyberspace that it's this wild, wild west where, like, no one can come to any agreement about what acceptable behavior is. And that's just not true, right? The United States has
Starting point is 00:22:49 agreed to, as well as have many of the countries around the world, a set of norms about appropriate behavior in cyberspace. Now there's a gap between agreeing to norms and actually being able to enforce those norms, right? But the U.S. government has for many years articulated a view of what constitutes appropriate behavior. And if you look back, for example, at the, I think it was in June 2021 summit in Geneva between President Biden and President Putin, according to the reports about that summit, President Biden referenced civilian critical infrastructure. We have 16 sectors of critical infrastructure in the United States and said those should be off limits to cyber attacks, right? So that's just another example of thinking about, you know, what is appropriate behavior and what is irresponsible behavior in cyberspace. So kind of the previous conversation we had was the importance of other
Starting point is 00:23:38 government actors. And in addition to other governments, one of the aspects that makes the cyber domain different is the importance of private sector cybersecurity actors. What are some of the tangible changes that are being made to improve these relationships and include them in the greater DOD strategy of cybersecurity more in depth? lessons that we've learned from the Russia-Ukraine conflict has been the strategic impact that private sector actors can have on the cyber landscape. So the migration to cloud infrastructure at the outset of the war for the Ukrainians protected huge amounts of essential data for them from Russian cyber attack, right? The delivery of Starlink terminals into Ukraine made a huge difference to their ability to be able to continue communications in that space. And then we also see a variety of non-state actors, not even corporate actors, but non-state actors conducting a range of
Starting point is 00:24:40 disruptive activities in the cyber domain on both sides of that conflict. You know, Russian cyber criminals who continue to conduct ransomware and disruptive attacks all over the world. There is this Ukrainian free cyber army that we are not affiliated with, but they are doing a variety of things. And so I think that there are important questions about what that means. I think for us in the United States, responsible cyber actors also means like you are taking responsibility for the actors who are doing that kind of activity. And so I think on the spectrum of state responsibility, we think
Starting point is 00:25:17 that states should take responsibility for the legitimate offensive activity that emanates from their territory. But I think that one of the challenges of this conflict that we will all have to wrestle with is what is the role of the private sector in armed conflict? And the Geneva Conventions that define combatants and non-combatants at the end of World War II, before people really even conceptualized an internet, there are questions about what it means for private sector actors and their support of the information domain that enabled the Ukrainian people to share what was happening to them in the world and the strategic importance of that. What is the civilian right to information and to be able to communicate in armed conflict when one party or
Starting point is 00:26:06 the other tries to take that away? What is the baseline assumption about the free flow of information and whether or not you can route one country's traffic through another country? I think these are important things that we have not really wrestled with, and they're important questions that are raised by this conflict and that I think will persist as we go forward into future conflicts. Yeah, just circling back to this question about partnership and the role of the private sector, I think that partnership is really essential for all departments and agencies when we think about cybersecurity because, again, I look at the disproportionate role of private actors. But it's really important for the DOD because while the Defense Department has the mission
Starting point is 00:26:50 of sort of defending the nation in cyberspace, it's doing that by looking outwards. As the 2018 strategy talks about maneuvering in gray space and red space, like outside of domestic networks, right? But to make sense of and understand how adversary behavior that's taking place outside of the United States might impact critical infrastructure. You need effective partnerships
Starting point is 00:27:14 to sort of glean those insights from owners and operators of critical infrastructure to make sense and make meaning of behavior that you're observing outside. So I think partnerships is really important. There have been efforts. I think General Nakasone has testified to Congress about some of these emergent sort of pilot projects to collaborate with different critical infrastructure sectors to kind of work on operationalizing that idea. But, you know, partnering with the private sector
Starting point is 00:27:42 is critical for the military and cyberspace in a way that's distinct from other domains. up activity that was a whole of government activity and the department supporting CISA and FBI to ensure that critical infrastructure providers had the information they needed to secure themselves against potential Russian disruptions against critical infrastructure, which we were all very worried about at the outset of the conflict. what you saw there is a provision of actual, useful, actionable intelligence to the private sector so that they could then incorporate that into their defenses and not an attempt by the government to say, I'm going to step in and do it for you. And I think that that's actually really important because I think it would be incredibly difficult for the U.S. government to have the technical talent, the manpower that
Starting point is 00:28:50 might be necessary to step in and provide that so that we could sort of follow the information and control the information all the way through. We are going to have to be in a position where we can share sensitive intelligence on a relevant timeline to enable the private sector to improve their defences against attacks that we may see coming. And that, I think, is a big shift for us as a department and as a whole of government effort, which I think has worked really well in this time of heightened tensions and concern and conflict. Might switch tack a little bit now and talk about some tactical aspects of cyber, especially some lessons learned from a practitioner's perspective. As this is an irregular warfare podcast, a lot of the listeners do come from the special operations community.
Starting point is 00:29:38 And a shift towards cyber has been something discussed through processes like the information tribe, just as one of many examples. However, for most practitioners, the actual implementation hasn't always been clear at the tactical or even operational level for them. So when thinking about traditional irregular warfare effects and activities like sabotage and information operations, there's clearly some clear vectors available in cyberspace and the cyber domain that potentially need to be unpacked further by tacticians so they can get their head around some of these gnarly cyber subjects on how to approach cyber as a vector. How can SOF members within their own communities better understand and integrate cyber tools and procedures, not only into their own TTPs, but also when they're operating with partner forces? Yeah, I think it's a real challenge because I think unlike the way special operators operate at the tactical level through kinetics, to be able to have effects in cyber, we often talk about this subversive trilemma, right? You
Starting point is 00:30:38 think about cyber as sabotage, and there are these three factors, speed, impact, and control. And, you know, you worry about like you're trading off speed and impact so that if you want to have something that's really impactful, you're going to need to take some time to be able to prepare that. That I think poses a challenge for tactical delivery because it's not like you're going to have a utility belt full of cyber tools that you could just choose from and like throw at any given moment. Like you're going to have to think very carefully about what the effect is that you want to deliver. What is the network on which you're going to deliver that effect? And that takes some detailed analysis of what the systems code are on that. And so I think that there is this challenge of like,
Starting point is 00:31:45 as you think about the ways that special operations forces have traditionally operated, does that make sense with the time preparation specificity that you need in the cyber domain? I think from a defensive perspective, it's really important that special operators understand the risk to mission that comes from poor defensive cyber and that they are working with partners to ensure that they think about, you know, how to make sure that they can continue,
Starting point is 00:32:15 that they are resilient, all of those things. But, you know, I think as we think about the delivery of that in the cyber domain, I think sort of going back to first principles and thinking through like, does this in fact make sense to try and deliver at the point of contact? Can it move that quickly with all of the criteria that you need? And I think that's something that the community itself is going to have to wrestle with. But the sort of front-end thinking that needs to be able to deliver cyber, I think, is something we have to work through. Yeah, and just to build on that and this idea of the sort of subversive trilemma, right, where you have these trade-offs between different goals,
Starting point is 00:33:00 whether it's speed or impact or control, I think that one of, you know, one of the additional challenges of like pushing cyber to the tactical edge that's related to this trilemma is that cyber, as Mieke sort of alluded to, is it's a fragile capability in some ways. And so, you know, at the pointiest tip of the spear, right, it's important to have confidence in the reliability of your effects, right? That you could cause a particular effect against a particular target at the desired time, not too late, not too early, and that you can even do it in the first place, right? Given that
Starting point is 00:33:35 access can be ephemeral and unpredictable, right? So just because you're able to cause an effect at time T doesn't mean you could do it at time T plus one when it's actual like execution time, right? So I just think that having these conversations is really important, right? Because I think there's been this view that's been projected for a long time that cyber is this cool special magic weapon that can do these cool things. And it's true, there are unique attributes of cyberspace that can make it really useful for certain things and in some ways can make it a better substitute for kinetic capabilities, right? Because it doesn't cause physical destruction, right? Tradecraft can be
Starting point is 00:34:15 conducted with reducing the risk of attribution. It can be reversible, right? That's a value. There's stealth, there's all this stuff, but it's also fragile and it can be unreliable and ephemeral. And so at the tactical edge, like those questions of reliability are really important. And so I do think that having like these kinds of conversations where we talk with more openness and kind of nuance about what cyber is good for and what are its limitations, I think is really important for thinking about how we incorporate it into tactics and operations. Yeah, I think it's also really important to, you know, as we look at the Russia-Ukraine conflict, recognize how difficult integrating cyber into kinetic warfare is and how
Starting point is 00:34:56 to take advantage of that successfully. We watch the Russian cyber operations that occurred at the outset of the war. You look at the Viasat hack, you look at the volume of activity, which has been well reported by Microsoft and others, there's a significant amount of cyber activity. But it did not significantly diminish Ukrainian will or capability to defend their own territory and defeat a conventional military that was much greater in size than itself. And so then you also see, and this was reported in the Microsoft report, after an initial wave of cyber attacks, they basically went dark for a period of time. And that shows you the difficulty of being able to continuously adapt to changing conditions on the battlefield and the ways in which planning and integration in cyber are a challenge.
Starting point is 00:35:47 And then, you know, we've seen a lot of wiper malware, DDoS attack type things coming out to affect Ukrainian systems. You're not seeing the same scale of sophisticated attacks like you saw with Viasat. And so, you know, by observing the adversary's use of cyber in this space and the difficulty of integrating that in a timely way with kinetic effects, you begin to see where they struggle, where we can learn valuable lessons for ourselves in how we need to think through the use of cyber. And of course, we're not the only ones learning these lessons. Just really quick on the Viasat example, if you don't mind,
Starting point is 00:36:30 just because I think that's a really fascinating example. Because Viasat in theory, it's consistent with the idea of using cyber as a shaping tool in the initial phases of a conflict to disrupt command and control, right, and communications, right? Like, so it fits with these ideas about how we think about integrating cyber into conventional campaigns.
Starting point is 00:36:49 And the operation itself, as has been reported by Microsoft and others, like, worked, like, operationally. Like, it did what it was supposed to do in many ways, but Russia couldn't capitalize on it for a number of reasons, one of which was Ukrainian resilience, right? Like the ability to shift to redundant, resilient communications capabilities. And so I think that just underscores how we think about cyber, because even in a case like Viasat, where the operation itself was successful in that it did what it was intended to do, it couldn't be capitalized on by the adversary because of the resilience of the defender. So I think that's a really just fascinating example of how we think about
Starting point is 00:37:29 cyber and warfare. Yeah. And that example also really indicates like how we need to think about the net effect of cyber. It's not just how good the adversary is on offense. Defense gets a vote, right? Like the old saying, like defense wins championships, like the Ukrainian defense versus the Russian offense, it's what is the net effect there? And Ukraine had had many years of experiencing Russian cyber attacks to recover from them in the years prior to, since the seizure of Crimea and even before to get better on cyber defense. So like as we think about how to value cyber in this space, I think looking at other examples is very helpful for us to understand that. And this is really the first time that we
Starting point is 00:38:19 are seeing cyber capabilities used in a conventional armed conflict. And so it is, I think, a bonanza for academics like Erica and others who study these things to be able to unpack this. And I think, you know, this is still an ongoing conflict. Tactics continue to change and shift. We don't know everything that's happened here. I think the Ukrainians have been somewhat forthcoming, but not totally forthcoming given the operational concerns that they have about what has happened here. And I think that we will be studying this as a seminal conflict in the cyber domain for many years to come. So based off all those lessons learned from the Russian-Ukraine war, what are the biggest lessons learned for the force preparedness standpoint from the Russian invasion of Ukraine? Yeah, I would say on this, good cyber defense matters.
Starting point is 00:39:08 Resilient infrastructure matters. I think about like four essential things for us working with the defender and the cyber domain. One is making sure that you have secure communications from us to them so that you can continue to share intelligence and information in a way that is secure. Making sure that you have secure C2, right? Making sure that an entity in the fight is able to securely communicate with its own troops. That's item number two. Three would be making sure that you're able to continue to communicate with the world.
Starting point is 00:39:40 And on that, the lessons that in terms of preparedness is making sure that you can continue to get your message out. Zelensky's ability to communicate with his own people and the world, the videos that the Ukrainian people put out of Russian tanks entering their villages and towns, the ability to tell that tale denied Russia the information environment that it was trying to create about denazification or, you know, Ukrainian provocation here. It completely obliterated that narrative so that it was very clear the Ukrainian people were defending their homes, their territory against aggression. And so they were able to get that truthful narrative out. They could not be silenced in that. And that
Starting point is 00:40:25 was a strategic benefit to them. And then the last thing is, you know, and this goes to the migration of the Ukrainian data at the eve of the conflict, their ability to preserve essential government function, the data, the functions that they needed to be able to continue to operate as a country and not fall apart were really important. And so as you think through, all right, what do we need to be able to do? You think through those four things. I think for the Department of Defense, we would continue to focus on one and two, right? Secure communications with partners and our ability to securely communicate with our own forces. The ability to communicate to the world, that's often something provided by
Starting point is 00:41:05 the private sector. And some of that essential government function is also private sector enabled through cloud infrastructure or private sector cybersecurity. Those are the business networks on which countries depend for day-to-day peacetime operations. And so those are all really important things to have thought through. One of the things that I say to people about cyber is that you operate on a risk management framework. And so you take a look at what kinds of risks your enterprise is going to have to encounter, and then you manage for that risk. The thing that Russia-Ukraine tells us is that we could disagree about how likely or how imminent armed conflict should be, but armed conflict should be a risk in your risk management framework that you have thought about in advance of conflict. How are you protecting your data? How are you ensuring continuity of your enterprise?
Starting point is 00:42:00 How are you thinking about resilience in advance of the conflict's outset? Because if you get to the conflict and you haven't thought about it, the risk of falling apart and not being able to recover quickly, it is too late. And so it's got to be in the risk management framework for everyone to think about in advance of D minus or D zero. Yeah. I also think to that point, one of the challenges as we think about risk management with respect to geopolitical triggers of cyber events is that as part of
Starting point is 00:42:34 the Shield Up campaign, right, the U.S. government communicated to critical infrastructure that there was this impending conflict. You know, Russia was likely to invade Ukraine, and this might cause reverberations in cyberspace because we have a fact pattern of states, you know, responding to broader geopolitical patterns with targeting the private sector through cyber means. of thinking about, or a granular way of thinking about how that risk may be changing over time as the dynamics of the conflict are evolving, right? And so we had this crystallized moment at the outset of Russia's invasion where everyone sort of had, you know, galvanized awareness around potential cyber threats to the private sector, to critical infrastructure. Then it didn't materialize in the way, and this is a good news story, right? It didn't materialize in the way that a lot of people expected. But, and this is a conversation I'd love to see in the broader sort of cyber expert community, is talking about how that risk might be changing over time.
Starting point is 00:43:35 As dynamics unfold on the battlefield or in broader geopolitics, how does that change the risk profile to critical infrastructure in the United States, right? It's not this on-off thing. It's hard to sustain that vigilance over time. And firms can't put their SOCs on constant alert posture for a year, right? That's just not feasible. So how can we get more granular about thinking about risk over the course of these sort of long-term, long-time horizon geopolitical events where risk is likely to change as the events themselves unfold. There's been a lot of discussion on potential of a cyber force.
Starting point is 00:44:12 Based off Russia and Ukraine, do you believe that that's something that is a discussion that needs to be furthered? Or do you think that we just need to fix a lot of the ways that we integrate cyber into our force already? We have been asked by Congress to look at force generation and to look at alternate models of how cyber could be organized. And so we are in the process of doing that. I would just say on the cyber force model versus the current model versus some other model, there are pros and cons to every model. There are things that, right, there might be some efficiency in having a cyber force under a single service-like approach that has some disadvantages in ensuring that the cyber needs of all the other services are met. There are challenges on a multi-service joint
Starting point is 00:44:59 model too, which is that different services approaches to cyber can complicate the management of a joint force. You know, you could do a civilianized model, which might help you with retention, but that also has some challenges when it comes to our ability to refresh and our ability to have military personnel involved in this. The challenge on that is that whichever model you pick, you will immediately forget the advantages that that model brought you because you will persistently wrestle with the challenges of that model. And so if you're going to shift off the current model, I think it's really important that we look carefully at what the pros and cons are and take an honest look at those things because the cons of that model, whichever model we choose,
Starting point is 00:45:42 are the things that will be the challenge for the department going forward and the things that we will get beat up on by Congress and in the media. And so there is no model that is without downside. And so I think it's a question of like, what do you prioritize in your optimization of a model? We want to take a careful, detailed look at this, especially given where the department cyber capabilities have matured to at this point, because a reorganization is a very disruptive thing to do.
Starting point is 00:47:17 And so we need to make sure that we understand why we're doing the thing that we're doing. We're not making any decisions about that without careful consideration, not only of the model itself, but of what an implementation to that model might look like. And so I think that, you know, I don't have an answer for you right now about whether or not the cyber force model is the right answer, but we owe the world a lot of analysis about what that might look like before any recommendations are made. I think if there is going to be a cyber service, right, like a separate cyber force, like, you know,
Starting point is 00:48:12 how Space Force was created several years ago, I think a really important thing to get right, to make this point about thinking carefully about what this looks like, is the culture. You know, each service, you know, Army, Navy, Air Force, has their own service cultures, right, that define core components of their identity and how they conceptualize warfighting, like what it means to be a warfighter. And the Army is different than what it means to be a warfighter in the Navy.
Starting point is 00:48:38 And so getting the culture right, if there is a cyber service, will be really essential because kind of pulling together a lot of the threads we've been talking about today, cyber is a domain of conflict, but it's different from the other domains in ways that really affect how states should organize and develop strategy and doctrine and operate in and through it. And so I think one of the things that, and this is, you know, above my pay grade, but whoever is thinking about these questions, I think really should be thinking carefully about culture and because culture also affects personnel and workforce. And we know that this country in
Starting point is 00:49:15 general faces, you know, pretty significant challenges in the cyber workforce. It's a challenge, not just in the military, it's in the broader federal government, in the broader civilian world. And so getting the culture right, I think will be a critical aspect of how we think about this question. If you had one key takeaway, the bumper sticker for lack of better terms, for policymakers, practitioners, and academics, what would you recommend that bumper sticker to be? I think resilience. Resilience is a great bumper sticker. We talk about resilience in different ways. You know, weighing in as an academic, I think we need some really good academic theorizing about like, what does resilience mean? What does it mean during peacetime? What does it mean during conflict? How do we measure it? How do we know when we're resilient? What's the difference between resilience and defense, resilience and deterrence? I think that's really ripe for a conversation about resilience. So I would put that on a bumper sticker. Oh, I hate this question because I really hate bumper stickers, notwithstanding that I spent
Starting point is 00:50:15 a lot of my career in the political branches because it does feel like cyber is so much more complicated and nuanced than I think people think it is. I think people think that cyber is one thing and cyber is not just one thing. We use that terminology to cover a wide range of defense, secure by design, offensive activity. And so I think it's really important that when we talk about cyber, we always ask ourselves, what do you mean by that and what are you trying to accomplish? Which is the opposite of a bumper sticker. It's how do we go back people not think that it is one thing. Because otherwise, when we And I'm like, that is definitely not what I do. I do the opposite end of that. But the phrase itself has come to be this bumper sticker under which thousands of different things. But it's actually more confusing, right?
Starting point is 00:51:39 Is it information operations? Is it network defense? Is it a secure development environment? It is very hard for people. They can often talk past each other in cyber if they are not specific about what part of cyber they are working on. Erica, Mieke, thank you very much for joining us on the Irregular Warfare podcast. Thanks for having us. Thanks so much. This is great. Thank you again for joining us for episode 81 of the Irregular Warfare podcast and our third installment of our series on cyber. We release a new episode
Starting point is 00:52:12 every two weeks. In the next episode, Karl talks with Vlad Router and lieutenant general retired about proxy warfare. Following that, Julia and Alex delved into avoiding corruption in security systems abroad with ambassadors Patterson and Ike and Barry. Be sure to subscribe to the Irregular Warfare podcast so you don't miss an episode.
Starting point is 00:52:36 The podcast is a product of the Irregular Warfare Initiative. We are a team of all volunteer practitioners and researchers dedicated to bridging the gap between scholars and practitioners to support the community of irregular warfare professionals. You can follow and engage with us on Facebook, Twitter, Instagram, YouTube, or LinkedIn.
Starting point is 00:52:54 You can also subscribe to our monthly e-newsletter for access to our content and upcoming community events. The newsletter sign-up is found at irregularwarfare.org. If you enjoyed today's episode, All that you hear in this episode are the views of the practitioners and not those that represent Princeton, West Point, or any other agency of the US government. Thanks again, and we'll see you next time.
