Irregular Warfare Podcast - Securing the Cyber Domain: Exploring Cyber Policy in the Department of Defense
Episode Date: June 16, 2023Be sure to visit the Irregular Warfare Initiative website to see all of the new articles, podcast episodes, and other content the IWI team is producing! Is it possible to deter adversaries in the cybe...r domain—and if so, how? What should the US Department of Defense be learning from the role of cyber in the war in Ukraine? How do activities in the cyber domain overlay on—and influence—irregular warfare? In this episode, hosts Matt Moellering and Adam Darnley-Stuart are joined by two expert guests. Ms. Mieke Eoyang is the deputy assistant secretary of defense for cyber policy and Dr. Erica Lonergan is an assistant professor at the Army Cyber Institute at West Point and coauthor of the book Escalation Dynamics in Cyberspace. Together, they examine some of the deeply challenging questions presented by the increasing prominence of cyberspace as a warfighting domain. Intro music: "Unsilenced" by Ketsa Outro music: "Launch" by Ketsa CC BY-NC-ND 4.0
Transcript
Discussion (0)
I would just say that the United States believes very strongly in our
commitments even when it comes to warfare but also when it comes to our
behavior in the cyber domain. So if an adversary decides that they are going to
try and inflict harm and say take down and harm a hospital that does not mean
the United States is going to likewise disrupt a hospital.
We drew a lot of our cyber deterrence thinking from Cold War models of deterrence, whereas Russian strategic thinking sees deterrence as a logistic factor.
Welcome to episode 81 of the Irregular Warfare podcast.
I'm your host, Matt Muller, and today I'll be joined by my co-host, Adam Darnley-Stewart.
Today's episode is our third installment of the IWI Project on Cyber, where we look at how the Department of Defense handles cyber policy and strategy.
Our guests take a holistic look at the nation's different cyber policies and strategy, and
how they apply to the Department of Defense.
They then look at cyber's role in integrated deterrence
and how this may be different from previous notions of deterrence.
Finally, they conclude with a discussion on the great implications
of how cyber has impacted the war in Ukraine,
the limitations of tactical cyber,
the prospects of a cyber service,
and what this means for irregular warfare practitioners
in great power competition.
Ms. Mika Ouyang is the Deputy Assistant Secretary of Defense for Cyber Policy,
where she is responsible for the establishment of DoD cyberspace policy and strategy,
guiding DoD cyber activities, and managing key relationships across the U.S. government and
its allies. Previously, she served as the Senior Vice President for the National Security Program
at Third Way, leading their national Security Program and founding the Cyber Enforcement Initiative.
Part of that, she held multiple staff roles in Congress.
Dr. Erica Lonegan is an Assistant Professor in the Army Cyber Institute at West Point.
She is also a research scholar in the Soltzum Institute of War and Peace Studies at Columbia
University. Previously, Erica served
as a Senior Director on the U.S. Cyberspace Solarium Commission. Finally, she co-authored
the book Escalation Dynamics in Cyberspace, which was published recently. You are listening to a
special series of the Irregular Warfare podcast, a joint production of the Princeton Empirical
Studies of Conflict Project and the Modern War Institute at West Point, dedicated to bridging the gap between scholars and practitioners
to support the community of irregular warfare professionals. Since recording this episode,
the DoD has released an unclassified fact sheet detailing the release of the classified DoD
cyber strategy, which can be found on the podcast website. Here's our conversation with Ms. Mika Ouyang and Erika Lonergan. Mika, Erika, thank you for joining us on episode 81 of the Irregular
Warfare podcast. Thanks so much for having me. Really looking forward to it. Great to be here.
Really excited for this conversation. Mika, as Deputy Assistant Secretary of Defense for
Cyber Policy, can you talk a little bit about your current position and responsibilities?
Yeah. And it's sort of a weird thing because not a lot of people know what OSD policy is and then sort of what is cyber policy inside of that.
You know, what policy is responsible for is a lot of the civilian advice to the secretary
that has to do with, right, how do we deal with other countries? How do we deal with the
interagency? I'm the senior civilian in the department who thinks full time about cyber.
There are a lot of other people who think about cyber as part of their other responsibilities,
but I'm the one who has all cyber all the time.
And so what that means is that I am overseeing the department's cyber operations and thinking
about not just can we do something, but should we do something?
And also interacting with foreign partners, helping try to explain what the department does.
Also, my office is responsible for writing the defense cyber strategy.
When we talk about cyber policy, obviously one of the most recent and important documents was the March 2nd release of the U.S. National Cyber Security Strategy.
the US National Cyber Security Strategy. And over the past couple of years, there's been a sway of released US national security documents, such as the NDS, the update of the irregular
warfare annex to the NDS. Could you please unpack a little bit on what your office's role
in those release of those documents were from your perspectives?
Yeah, happy to unpack a little bit the strategic framing that governs how the
Defense Department does cyber. So we have not only the National Security Strategy, which was released
by the White House, which sets the broad prioritization and strategic guidance for how we
are approaching the world. We also have the National Defense Strategy, which talks about how
the Department of Defense approaches those things. And one of the big changes for the NDS is its focus on integrated deterrence.
You know, we talk about the priorities there as defending the homeland,
deterring strategic attacks, deterring aggression and being prepared to prevail in conflict,
and then building a joint resilient force.
Then we also have the national cyber strategy, which governs cyber across not just national security and the military, but cyber as a whole of government, whole of nation approach.
And that document talks about a couple of different things, one of which is particularly significant for us in the Department of Defense, which is pillar two, the disrupt pillar, which talks about the need for the U.S. government to be able to
disrupt malicious cyber activity that is coming at the United States. And in that, we work very
closely with our law enforcement colleagues who have the ability to bring legal actions and
takedowns of ransomware, arrests of individuals, things like that. And we work closely with them
on the disrupt portion, which I know is very interesting to your listeners. And unfortunately, I'm not going to be
able to go into a lot of detail about what the Department of Defense is doing to disrupt malicious
cyber actors in this unclassified podcast. But we think about that. A couple other things from
the NDS, right? China as the pacing threat, Russia as an acute challenge, and the need to not only be ready for conflict, but in a cyber academic perspective, is that cyber sort of
explicitly plays a pretty significant role in some of those pillar concepts in the NDS. And so
it gets a number of shout outs in the concept of integrated deterrence, right? Because integrated
deterrence is about integrating across capabilities, not just different types of military capabilities,
but sort of the broader suite instruments of national power and cyber is part of that,
as well as thinking broadly about like the spectrum of conflict. And so I think the NDS
presents these questions of sort of what is the role of cyberspace in integrated deterrence.
And then when it comes to campaigning, cyber figures,
I think, even more prominently in how the NDS conceptualizes what campaigning is. I mean,
the military does campaigns, right? This isn't a new concept. But thinking about campaigning as
something that is more active and that takes place sort of short of war, we see a lot of sort of
natural, I think, parallels to cyberspace.
So I just wanted to kind of highlight those two points that cyber really does figure pretty
prominently in the national defense strategy, which I think reflects this consensus that's
evolved over the past decade plus within the broader department about how integral cyberspace
is not just for modern conflict, but for modern competition as well.
Yeah, and I just want to footstomp something that Erica said there about integrated deterrence,
because I think it's really important that people understand that our theory of deterrence in cyber
has really evolved here, that what we're talking about is not necessarily cyber for cyber, right,
that what we're talking about is not necessarily cyber for cyber, right, a tit for tat just in the cyber domain, but that things that happen in the cyber domain can have responses in the physical
world, and that those responses can include all elements of national power, from economic responses,
diplomatic responses, economic responses, all the way up to depending on the scope of the cyber
incident could include military responses. And so when you're thinking about how to respond in the
cyber domain, it's not just what can the cyber domain deliver, but it's what can you deliver
across the full range of things that might be appropriate, which gives policymakers a wider range of tools to be able
to impose consequences on an adversary based on what might matter to them, where the cyber
response may or may not have particular value to the adversary, depending on what we are thinking
about there. When you mentioned integrated deterrence and cyber, that's a uniquely American
way of viewing the problem, especially under the Biden administration.
And I contrast it to other countries like Russia that see cyber and information operations
as more closely linked, if not the same thing.
Do you believe that integrated deterrence is the American way of linking information
operations and cyber?
Yeah, I mean, I think generally how you frame that is accurate in terms of how Americans,
or at least the policy world, tends to think about cyber as something distinct
from information war, although doctrinally, cyber is part of the information environment.
I think an interesting point, though, that's related to the sort of distinction between
maybe how the U.S. conceptualizes cyber and information as sort of more distinct and,
you know, Russia sees a broader sort of continuum of information warfare that includes and kind
of integrates cyber. Russian strategic concepts also have a different sort of continuum of information warfare that includes and kind of integrates cyber.
Russian strategic concepts also have a different view of deterrence than we do, which I think is an important and kind of related point.
And I think it's something that has kind of stymied some of the early discussions, getting back to what we were talking about earlier, in terms of how the policy establishment thinks about cyber deterrence. We drew a lot of our cyber deterrence thinking from Cold War models of
deterrence, specifically nuclear deterrence, which we all know at this point that's not a perfect
match to the challenges of cyberspace. Whereas Russian strategic thinking sees deterrence as
along a spectrum, right? And they have a concept
of intra-war deterrence. And I believe China does as well, which we don't necessarily have. And so
I wouldn't advocate for American strategic thinking to adopt or emulate the perspectives
of some of our most significant adversaries and challengers. However, I do think it's important to recognize
that there are certain domains and environments where taking this sort of binary view is not
particularly helpful or isn't really conducive to the realities of operating in this environment.
And so, you know, just like we think about deterrence as this binary thing where it's either on or it's off, and the use
of force is an indicator of deterrence, you know, that doesn't comport to cyberspace, right? Because
you see malicious activity happening routinely. I think we need to kind of interrogate that. I also
think we need to have a more kind of cohesive view of the relationship between the cyber environment and the information
environment. Although cyberspace can be a vehicle for causing information effects, but cyberspace
can be a vehicle for other things too, right? And so we need to make sure at the same time that
we're not just thinking about the cognitive dimension of cyberspace, but thinking about
the full range of sort of effects that the cyber domain can enable.
I do think that the cyber information divisions in the department, right, like we have different
combatant commanders who set policies related to those things. But really, it is about how do we
manage the cognitive function of warfare from a defensive and an offensive perspective?
And, you know, people sometimes think about information warfare as the winning of hearts
and minds, but there's another element to information warfare, which is about how do
you change the calculus or perceptions of a foreign adversary in a sort of narrow and
precise, like military sense, or like a particular unit and like
how do we think about whether or not we could lower morale or enhance overconfidence or you
know whatever the cognitive effect is that would be most beneficial to us at the time i do think
that the cyber domain and the information that transits it has become much more complicated. And from a counter
intelligence and operational perspective, there's a lot more that you need to understand about the
way that the domain works in order to successfully conduct information operations within it. And I
think, right, in the United States, people try to sort of sweep in the public affairs function
into the information operation space.
I think that that's a little bit tricky because, like, as the United States, our view is people are entitled to truthful information about all kinds of things, including their military.
Is that an information operation or is that just our obligation to keep the American people informed?
But when you think about some of the more narrow information operations, I think it's really important that the operators really understand the environment in which they are operating and the ways in which they can be detected both by the adversary, but more importantly, by the media or the private sector, which has, you know, as we have encouraged them to increase their cybersecurity, have many,
many more ways to detect inauthentic behavior because they're trying to eliminate inauthentic behavior writ large on their platforms. So like this is an area where as the domain is evolving,
it's really important that our understanding of how to operate in this domain evolves to state of the art. And that
is actually a skill set that is not necessarily one that naturally goes with people who fast
rope out of helicopters, but may come with people who spend a lot of time trying to penetrate
adversary networks. And so I think that there are these questions about like, what makes the most
sense for us in the department, given the evolving nature of the domain? That's not a settled question, but I think it's an important one that we have to think about
as we move forward and as our operations in this domain mature.
Thank you for those insightful responses. I took note during the discussion regarding your remarks
on deterrence during conflict and the importance of escalation control. This leads me to the question of how do we effectively manage escalation during conflict
as opposed to during competition
and the incorporation of influence effects and outcomes
within the broader scope of information warfare.
In your opinions, what are the most significant opportunities in future cyber strategies
to meet the demands of a contemporary
competition? And is there additional room for manoeuvre or greater freedom of action that we
should be pursuing, not only from a US standpoint, but also in building a coalition engaging with
our allies and partners? I do think like one of the things that's significant for the Department of Defense is the 2018 cyber strategy, which said we will defend forward and was an acknowled experience post 2018 and the authorities that the department has has given us a lot of operational experience that helps us understand what works and what works most effectively in this space and maybe what is not as effective.
in this space and maybe what is not as effective. And so like there are a lot of complex things in this. And so I think it's important for us to learn lessons. I think that that's also an important
thing for us to be able to have conversations with close allies about how we do this because
the domain itself is very noisy. And so how we think about coordination, deconfliction, managing shared escalation risk,
these are all conversations that we have to be able to have with other countries as they think
about how they mature their own cyber capabilities. The UK just put out a white paper on their new
national cyber force, which was created just a few years ago, which integrates elements of GCHQ
and MOD into a sort
of operational force command. And they put out this white paper, Responsible Cyberpower in
Practice. And that paper, similar to the 2018 DoD US Cyber Strategy, talks more transparently about
the role of offense in cyberspace, as well as, to Mika's point, thinking more in a more nuanced
fashion about what cyber is good for, what are its limitations, how do we think about
addressing potential escalation risks and unintended effects.
So I do think from an ally to partner perspective, there is this, what I would see as sort of
a positive trend to be more transparent about these concepts.
And I think that will facilitate a more productive conversation
within the broader defense policy community, with the American people, with allies and partners
about what are these capabilities good for? What are its left and right limits? You know,
how do military forces and capabilities and resources fit into broader national
strategies and policies? And so I think we are seeing this, what I would say is sort of a positive trend
around actually having these conversations.
Granted, a lot of it is,
it has to be kept secret for good reasons,
but when it comes to these sort of broader themes and ideas,
that should be sort of open for discussion.
I really appreciate Erica raising that
because the title of that document, right?
Responsible Cyberpower in Practice, is really important because we see a lot of adversary activity on the networks and we make some assumptions about what their intentions are for that. conflict and to our obligations to Geneva Conventions and other things to be a responsible
state power, even when it comes to warfare, but also when it comes to our behavior in the cyber
domain. And so for us, as we think about what we do and don't do, things that we believe in other
domains, precision, avoiding harm to civilians, things like that. Those things apply in cyber as
well. We don't just get a pass on our ethics and morality about armed conflict because it's in the
cyber domain. So like even where adversaries may choose to do certain things, if an adversary
chooses to use chemical weapons, that doesn't mean that we, the United States, use chemical weapons. If an adversary decides that they are going to try and inflict harm and say,
take down and harm a hospital, that does not mean the United States is going to likewise
disrupt a hospital. We believe in those things. We believe in responsibility across all domains
of conduct. And I think it's important that we start being able to talk about some of that
because it's important to say what a responsible power is in practice.
I completely agree. And I think that puncturing the mystique around the role of the Defense
Department in cyberspace is important to reinforcing that idea that there is responsible
behavior in cyberspace. And I think the problem with not having those conversations is that you end up with a lot of speculation
that is probably erroneous, right,
about what the military is doing in cyberspace.
And so we should, in a democratic society,
have these conversations and make sure
that how we behave and operate in the domain
is consistent with our values
and the norms that we're trying to uphold.
And I would say that it's even more important in cyberspace because cyberspace touches so much of
civilian life, right? We know the trope that the infrastructures, 85% of it is owned by the private
sector. Cyberspace is not just a domain of conflict that's confined to the military. It is a fundamental
integral part of our democratic institutions, of our society,
of our economy. So we have to make sure that we're having those conversations about what it means to
apply military power in cyberspace in a democracy, in a context where we have these sort of values
and ideals that we're trying to uphold. So Miki, you unpacked a few, probably the primary
example on how to rationalise for the operators or practitioner what a cyber effect in the ethical
component might look like, like we don't attack hospitals and you mentioned chemical weapons as
an example equivalent to one of the physical domains. Would you be able to unpack or just
give some other examples of what you mean by potential unethical adversary actions in cyber domain because i think especially
from a practitioner's experience at the moment i think some practitioners are finding it difficult
to rationalize but understand when we say unethical adversary actions in cyber domain and then we
follow it up with like chemical weapon attacks and nuclear weapon attacks they still don't i think
quite tweak so could you please give some further Yeah, I think one of the things for the United States military is that, right, we believe in
basic principles in warfare, right? Discrimination, proportionality. When you translate that into the
cyber domain, what that means is that we have obligations to be able to do exactly what we intend to do. The United States military,
generally speaking, believes in precision. But in the cyber domain, what that means is that
you want to try and avoid spillover effects and unintended consequences that might risk greater
escalation than what you originally intend, or that could cause harm to groups that
you did not intend to harm. But precision takes time. And in the physical domain, we spend a huge
amount of resources and time on R&D to ensure that our weapons are as precise as possible.
We are learning what that means in the cyber domain to make sure that we are as precise as possible and making sure that we do what we intend to do.
And that requires some care and forethought.
Just to sort of briefly add to that, I would also say that there's a misnomer about cyberspace that it's this wild, wild west where, like, no one can come to any agreement about what acceptable behavior is. And that's just not true, right? The United States has
agreed to, as well as have many of the countries around the world, a set of norms about appropriate
behavior in cyberspace. Now there's a gap between agreeing to norms and actually being able to
enforce those norms, right? But the U.S. government has for many years articulated a view of what constitutes appropriate behavior. And if you look back, for example, at
the, I think it was in June 2021 summit in Geneva between President Biden and President Putin,
according to the reports about that summit, President Biden referenced civilian critical
infrastructure. We have 16 sectors of critical infrastructure in the United States and said those should be off limits to cyber attacks, right? So that's just
another example of thinking about, you know, what is appropriate behavior and what is irresponsible
behavior in cyberspace. So kind of the previous conversation we had was the importance of other
government actors. And in addition to other governments, one of the aspects that makes
the cyber domain different is the importance of private sector cybersecurity actors.
What are some of the tangible changes that are being made to improve these relationships and include them in the greater DOD strategy of cybersecurity more in depth?
lessons that we've learned from the Russia-Ukraine conflict has been the strategic impact that private sector actors can have on the cyber landscape. So the migration to cloud infrastructure
at the outside of the war for the Ukrainians protected huge amounts of essential data for them
from Russian cyber attack, right? The delivery of Starlink terminals into Ukraine made a huge
difference to their ability to be able to continue communications in that space. And then we also see
a variety of non-state actors, not even corporate actors, but non-state actors conducting a range of
disruptive activities in the cyber domain on both sides of that conflict. You know, Russian cyber criminals who continue to conduct ransomware and disruptive attacks
all over the world.
There is this Ukrainian free cyber army that we are not affiliated with, but they are doing
a variety of things.
And so I think that there are important questions about what that means.
I think for us in the United States,
responsible cyber actors also means like you are taking responsibility for the actors who are
doing that kind of activity. And so I think on the spectrum of state responsibility, we think
that states should take responsibility for the legitimate offensive activity that emanates from
their territory. But I think that one of the
challenges of this conflict that we will all have to wrestle with is what is the role of the private
sector in armed conflict? And the Geneva Conventions that define combatants and non-combatants at the
end of World War II, before people really even conceptualized an internet, there are questions
about what it means for private sector actors and their support of the information domain that
enabled the Ukrainian people to share what was happening to them in the world and the strategic
importance of that. What is the civilian right to information and to be able to communicate in armed conflict when one party or
the other tries to take that away? What is the baseline assumption about the free flow of
information and whether or not you can route one country's traffic through another country?
I think these are important things that we have not really wrestled with, and they're important
questions that are raised by this conflict and that I think will persist as we
go forward into future conflicts. Yeah, just circling back to this question about partnership
and the role of the private sector, I think that partnership is really essential for all departments
and agencies when we think about cybersecurity because, again, I look at the disproportionate
role of private actors. But it's really important for the DOD because while the Defense Department has the mission
of sort of defending the nation in cyberspace, it's doing that by looking outwards.
As the 2018 strategy talks about maneuvering in gray space and red space, like outside
of domestic networks, right?
But to make sense of and understand how adversary behavior that's taking place outside of domestic networks, right? But to make sense of and understand
how adversary behavior that's taking place
outside of the United States
might impact critical infrastructure.
You need effective partnerships
to sort of glean those insights
from owners and operators of critical infrastructure
to make sense and make meaning of behavior
that you're observing outside.
So I think partnerships is really important. There
have been efforts. I think General Nakasone has testified to Congress about some of these
emergent sort of pilot projects to collaborate with different critical infrastructure sectors
to kind of work on operationalizing that idea. But, you know, partnering with the private sector
is critical for the military and cyberspace in a way that's distinct from other domains.
up activity that was a whole of government activity and the department supporting CISA and FBI to ensure that critical infrastructure providers had the information they needed to
secure themselves against potential Russian disruptions against critical infrastructure,
which we were all very worried about at the outset of the conflict. what you saw there is a provision of actual, useful, actionable
intelligence to the private sector so that they could then incorporate that into their defenses
and not an attempt by the government to say, I'm going to step in and do it for you.
And I think that that's actually really important because I think it would be
incredibly difficult for the U.S. government to have the technical talent, the manpower that
might be necessary to step in and provide that so that we could sort of follow the information and
control the information all the way through. We are going to have to be in a position where we can
share sensitive intelligence on a relevant timeline to enable the private sector to
improve their defences against attacks that we may see coming. And that, I think, is a big shift for
us as a department and as a whole of government effort, which I think has worked really well in
this time of heightened tensions and concern and conflict. Might switch tack a little bit now and talk about some tactical aspects of cyber,
especially some lessons learned from a practitioner's perspective.
As this is a regular warfare podcast, a lot of the listeners do come from the special operations community.
And a shift towards cyber has been something discussed through processes like the information tribe, just as one of many examples.
However, for most practitioners, the actual implementation hasn't always been clear at the tactical or even operational level for them. So when thinking about traditionally regular warfare effects and activities like sabotage and information operations, there's clearly some clear vectors available in cyberspace and the cyber domain that potentially need to be unpacked
further by tacticians so they can get their head around some of these gnarly cyber subjects on how
to approach cyber as a vector. How can SOF members within their own communities better understand and
integrate cyber tools and procedures, not only into their own TTPs, but also when they're operating
with partner forces? Yeah, I think it's a real challenge
because I think unlike the way special operators operate at the tactical level through kinetics,
to be able to have effects in cyber, we often talk about this subversive trilemma, right? You
think about cyber as sabotage, and there are these three factors, speed, impact, and control.
And there are these three factors, speed, impact and control. And, you know, you worry about like you're trading off speed and impact so that if you want to have something that's really impactful,
you're going to need to take some time to be able to prepare that. That I think poses a challenge
for tactical delivery because it's not like you're going to have a utility belt full of cyber tools
that you could just choose from and like throw at any given moment. Like you're going to have to think very
carefully about what the effect is that you want to deliver. What is the network on which you're
going to deliver that effect? And that takes some detailed analysis of what the systems code are
on that. And so I think that there is this challenge of like,
as you think about the ways that special operations forces
have traditionally operated,
does that make sense with the time preparation specificity
that you need in the cyber domain?
I think from a defensive perspective,
it's really important that special operators understand
the risk to mission that comes from poor defensive perspective, it's really important that special operators understand the risk to mission that comes from poor defensive cyber and that they are working with
partners to ensure that they think about, you know, how to make sure that they can continue,
that they are resilient, all of those things. But, you know, I think as we think about the
delivery of that in the cyber domain, I think sort of going back to first principles
and thinking through like, does this in fact make sense to try and deliver at the point of contact?
Can it move that quickly with all of the criteria that you need? And I think that's something that
the community itself is going to have to wrestle with. But the sort of front-end thinking that needs to be able to deliver cyber,
I think, is something we have to work through.
Yeah, and just to build on that and this idea of the sort of subversive trilemma, right,
where you have these trade-offs between different goals,
whether it's speed or impact or control,
I think that one of know, one of the additional
challenges of like pushing cyber to the tactical edge that's related to this trilemma is that
cyber, as Mika sort of alluded to, is it's a fragile capability in some ways. And so,
you know, at the pointiest tip of the spear, right, it's important to have confidence in the
reliability of your effects, right, that you important to have confidence in the reliability of your effects,
right? That you could cause a particular effect against a particular target at the desired time,
not too late, not too early, and that you can even do it in the first place, right? Given that
access can be ephemeral and unpredictable, right? So just because you're able to cause an effect at
time T doesn't mean you could do it at time t plus one when it's actual
like execution time right so i just think that having these conversations is really important
right because i think there's been this view that's been projected for a long time that cyber
is this cool special magic weapon that can do these cool things and it's true there are unique
attributes of cyberspace that can make it
really useful for certain things and in some ways can make it a better substitute for kinetic
capabilities, right? Because it doesn't cause physical destruction, right? Tradecraft can be
conducted with reducing the risk of attribution. It can be reversible, right? That's a value.
There's stealth, there's all this stuff, but it's also fragile and it can be unreliable
and ephemeral. And so at the tactical edge, like those questions of reliability are really
important. And so I do think that having like these kinds of conversations where we talk with
more openness and kind of nuance about what cyber is good for and what are its limitations,
I think is really important for thinking about how we incorporate it into tactics and operations.
limitations, I think, is really important for thinking about how we incorporate it into tactics and operations. Yeah, I think it's also really important to, you know, as we look at the
Russia-Ukraine conflict, recognize how difficult integrating cyber into kinetic warfare is and how
to take advantage of that successfully. We watch the Russian cyber operations that occurred at the
outset of the war. You look at the Viasat hack, you look at the volume of activity, which has been well reported by Microsoft and others,
there's a significant amount of cyber activity. But it did not significantly diminish Ukrainian
will or capability to defend their own territory and defeat a conventional military that was much
greater in size than itself. And so then you also see, and this was
reported in the Microsoft report, after an initial wave of cyber attacks, they basically went dark
for a period of time. And that shows you the difficulty of being able to continuously adapt
to changing conditions on the battlefield and the ways in which planning and integration in cyber are a challenge.
And then, you know, we've seen a lot of wiper malware, DDoS attack type things coming out to affect Ukrainian systems.
You're not seeing the same scale of sophisticated attacks like you saw with Viasat. And so, you know, by observing the adversary's use of cyber
in this space and the difficulty of integrating that in a timely way with kinetic effects,
you begin to see where they struggle, where we can learn valuable lessons for ourselves in how
we need to think through the use of cyber. And of course, we're not the only ones
learning these lessons.
Just really quick on the Viasat example,
if you don't mind,
just because I think that's a really fascinating example.
Because Viasat in theory,
it's consistent with the idea of using cyber
as a shaping tool in the initial phases of a conflict
to disrupt command and control,
right, and communications, right?
Like, so it fits with these ideas about how we think about integrating cyber into conventional
campaigns.
And the operation itself, as has been reported by Microsoft and others, like, worked, like,
operationally.
Like, it did what it was supposed to do in many ways, but Russia couldn't capitalize
on it for a number of reasons, one of which was Ukrainian resilience, right? Like the
ability to shift to redundant, resilient communications capabilities. And so I think
that just underscores how we think about cyber, because even in a case like Viasat, where the
operation itself was successful in that it did what it was intended to do, it couldn't be capitalized
on by the adversary because of the resilience of the defender. So I think that's a really just fascinating example of how we think about
cyber and warfare. Yeah. And that example also really indicates like how we need to think about
the net effect of cyber. It's not just how good the adversary is on offense. Defense gets a vote,
right? Like the old saying, like defense wins
championships, like the Ukrainian defense versus the Russian offense, it's what is the net effect
there? And Ukraine had had many years of experiencing Russian cyber attacks to recover
from them in the years prior to, since the seizure of Crimea and even before to get better on cyber
defense. So like as we think about how to value cyber in this space, I think looking at other
examples is very helpful for us to understand that. And this is really the first time that we
are seeing cyber capabilities used in a conventional armed conflict. And so it is, I think, a bonanza for
academics like Erica and others who study these things to be able to unpack this. And I think,
you know, this is still an ongoing conflict. Tactics continue to change and shift.
We don't know everything that's happened here. I think the Ukrainians have been
somewhat forthcoming, but not totally forthcoming given the operational concerns that they have about what has happened here. And I think that we will be studying this as a seminal conflict
in the cyber domain for many years to come. So based off all those lessons learned from the
Russian-Ukraine war, what are the biggest lessons learned for the force preparedness
standpoint from the Russian invasion of Ukraine? Yeah, I would say on this, good cyber defense matters.
Resilient infrastructure matters. I think about like four essential things for us working with
the defender and the cyber domain. One is making sure that you have secure communications from us
to them so that you can continue to share intelligence and information in a way that is secure.
Making sure that you have secure C2, right?
Making sure that a entity in the fight is able to securely communicate with its own
troops.
That's item number two.
Three would be making sure that you're able to continue to communicate with the world.
And on that, the lessons that in terms of preparedness is making sure that you can
continue to get your message out. Zelensky's ability to communicate with his own people and
the world, the videos that the Ukrainian people put out of Russian tanks entering their villages
and towns, the ability to tell that tale denied Russia the information environment that it was trying to create about
denazification or, you know, Ukrainian provocation here. It completely obliterated that narrative so
that it was very clear the Ukrainian people were defending their homes, their territory against
aggression. And so they were able to get that truthful narrative out. They could not be silenced
in that. And that
was a strategic benefit to them. And then the last thing is, you know, and this goes to the
migration of the Ukrainian data at the eve of the conflict, their ability to preserve essential
government function, the data, the functions that they needed to be able to continue to operate
as a country and not fall apart were really important. And so as you think through,
all right, what do we need to be able to do? You think through those four things. I think for the
Department of Defense, we would continue to focus on one and two, right? Secure communications with
partners and our ability to securely communicate with our own forces. The ability to communicate
to the world, that's often something provided by
the private sector. And some of that essential government function is also private sector
enabled through cloud infrastructure or private sector cybersecurity. Those are the business
networks on which countries depend for day-to-day peacetime operations. And so those are all really
important things to have thought through. One of the things that I say to people about cyber is that you operate on a risk management framework. And so you take a look
at what kinds of risks your enterprise is going to have to encounter, and then you manage for that
risk. The thing that Russia-Ukraine tells us is that we could disagree about how likely or how
imminent armed conflict should be, but armed conflict should be a risk in your risk management framework that you have thought about in advance of conflict.
How are you protecting your data? How are you ensuring continuity of your enterprise?
How are you thinking about resilience in advance of the conflict's outset?
Because if you get to the conflict and you haven't thought about it, the risk of falling
apart and not being able to recover quickly, it is too late.
And so it's got to be in the risk management framework for everyone to think about in advance
of D minus or D zero.
Yeah.
I also think to that point, one of the challenges as we think about
risk management with respect to geopolitical triggers of cyber events is that as part of
the Shield Up campaign, right, the U.S. government communicated to critical infrastructure that
there was this impending conflict. You know, Russia was likely to invade Ukraine, and this might cause reverberations in cyberspace because we have a fact pattern of states, you know, responding to broader geopolitical patterns with targeting the private sector through cyber means.
of thinking about, or a granular way of thinking about how that risk may be changing over time as the dynamics of the conflict are evolving, right? And so we had this crystallized moment
at the outset of Russia's invasion where everyone sort of had, you know, galvanized awareness around
potential cyber threats to the private sector, to critical infrastructure. Then it didn't materialize
in the way, and this is a good news story, right? It didn't materialize in the way that a lot of people expected.
But, and this is a conversation I'd love to see in the broader sort of cyber expert community,
is talking about how that risk might be changing over time.
As dynamics unfold on the battlefield or in broader geopolitics,
how does that change the risk profile to critical infrastructure in the United States, right?
It's not this on-off thing.
It's hard to sustain that vigilance over time.
And firms can't put their socks on constant alert posture for a year, right?
That's just not feasible.
So how can we get more granular about thinking about risk over the course of these sort of long-term, long-time horizon geopolitical events where risk is likely to change as the
events themselves unfold. There's been a lot of discussion on potential of a cyber force.
Based off Russia and Ukraine, do you believe that that's something that is a discussion that needs
to be furthered? Or do you think that we just need to fix a lot of the ways that we integrate cyber
into our force already? We have been asked by Congress to look
at force generation and to look at alternate models of how cyber could be organized. And so
we are in the process of doing that. I would just say on the cyber force model versus the current
model versus some other model, there are pros and cons to every model. There are things that, right, there might be some efficiency in having
a cyber force under a single service-like approach that has some disadvantages in ensuring that the
cyber needs of all the other services are met. There are challenges on a multi-service joint
model too, which is that different services approaches to cyber can complicate the management
of a joint force. You know, you could do a civilianized model, which might help you with
retention, but that also has some challenges when it comes to our ability to refresh and our ability
to have military personnel involved in this. The challenge on that is that whichever model you pick,
you will immediately forget the advantages that that model brought you because you will persistently wrestle
with the challenges of that model. And so if you're going to shift off the current model,
I think it's really important that we look carefully at what the pros and cons are and
take an honest look at those things because the cons of that model, whichever model we choose,
are the things that will be the challenge for the department going forward and the things that we will get beat up on by Congress and in the media.
And so there is no model that is without downside.
And so I think it's a question of like, what do you prioritize in your optimization of a model?
We want to take a careful, detailed look at this, especially given where the department cyber capabilities have matured to at this point, because a reorganization is a very disruptive thing to do.
There are challenges on a multi-service joint model, too, which is that different services approaches to cyber can complicate the management of a joint force.
approaches to cyber can complicate the management of a joint force. You know, you could do a civilianized model, which might help you with retention, but that also has some challenges
when it comes to our ability to refresh and our ability to have military personnel involved in
this. The challenge on that is that whichever model you pick, you will immediately forget the
advantages that that model brought you because you will persistently wrestle with the challenges of that
model. And so if you're going to shift off the current model, I think it's really important that
we look carefully at what the pros and cons are and take an honest look at those things because
the cons of that model, whichever model we choose, are the things that will be the challenge for the
department going forward and the things that we will get beat up on by Congress and in the media.
And so there is no model that is without downside.
And so I think it's a question of like, what do you prioritize in your optimization of
a model?
We want to take a careful, detailed look at this, especially given where the department cyber capabilities have matured to at
this point, because a reorganization is a very disruptive thing to do. And so we need to make
sure that we understand why we're doing the thing that we're doing. We're not making any decisions
about that without careful consideration, not only of the model itself, but of what an
implementation to that model might look like. And so I think that, you know, I don't have an answer
for you right now about whether or not the cyber force model is the right answer, but we owe the
world a lot of analysis about what that might look like before any recommendations are made.
I think if there is going to be a cyber service, right, like a separate cyber force, like, you know,
how Space Force was created several years ago, I think a really important thing to get right,
to make this point about thinking carefully about what this looks like, is the culture. You know,
each service, you know, Army, Navy, Air Force,
has their own service cultures, right,
that define core components of their identity
and how they conceptualize warfighting,
like what it means to be a warfighter.
And the Army is different than what it means to be a warfighter in the Navy.
And so getting the culture right, if there is a cyber service,
will be really essential because kind of pulling
together a lot of the threads we've been talking about today, cyber is a domain of conflict,
but it's different from the other domains in ways that really affect how states should
organize and develop strategy and doctrine and operate in and through it.
And so I think one of the things that, and this is, you know, above my pay grade,
but whoever is thinking about these questions, I think really should be thinking carefully about
culture and because culture also affects personnel and workforce. And we know that this country in
general faces, you know, pretty significant challenges in the cyber workforce. It's a
challenge, not just in the military, it's in the broader federal government, in the broader civilian
world. And so getting the culture right, I think will be a critical aspect of how we think
about this question if you had one key takeaway the bumper sticker for lack of better terms for
policymakers practitioners and academics what would you recommend that bumper sticker to be
i think resilience resilience is a great bumper sticker. We talk about resilience in different ways. You know, weighing in as an academic, I think we need some really good academic theorizing about like, what does resilience mean? What does it mean during peacetime? What does it mean during conflict? How do we measure it? How do we know when we're resilient? What's the difference between resilience and defense, resilience and deterrence? I think
that's really right for a conversation about resilience. So I would put that on a bumper
sticker. Oh, I hate this question because I really hate bumper stickers, notwithstanding that I spent
a lot of my career in the political branches because it does feel like cyber is so much more
complicated and nuanced than I think people think it is.
I think people think that cyber is one thing and cyber is not just one thing.
We use that terminology to cover a wide range of defense, secure by design, offensive activity.
And so I think it's really important that when we talk about cyber, we always ask ourselves, what do you mean by that and what are you trying to accomplish? Which is the opposite of a bumper sticker. It's how do we go back people not think that it is one thing. Because otherwise, when we And I'm like, that is definitely not what I do.
I do the opposite end of that.
But the phrase itself has come to be this bumper sticker under which thousands of different things.
But it's actually more confusing, right?
Is it information operations?
Is it network defense?
Is it a secure development environment?
operations? Is it network defense? Is it a secure development environment? It is very hard for people. They can often talk past each other in cyber if they are not specific about what part
of cyber they are working on. Erica, Mika, thank you very much for joining us on the Irregular
Warfare podcast. Thanks for having us. Thanks so much. This is great. Thank you again for joining
us for episode 81 of the irregular
warfare podcast and our third installment of our series on cyber we release a new episode
every two weeks in the next episode karl talks with vlad router and lieutenant general retired
about proxy warfare following that julia Julia and Alex delved into avoiding corruption
in security systems abroad
with ambassadors Patterson
and Ike and Barry.
Be sure to subscribe
to the Irregular Warfare podcast
so you don't miss an episode.
The podcast is a product
of the Irregular Warfare Initiative.
We are a team of all volunteer
practitioners and researchers
dedicated to bridging the gap
between scholars and practitioners
to support the community of irregular warfare professionals.
You can follow and engage with us on Facebook, Twitter, Instagram, YouTube, or LinkedIn.
You can also subscribe to our monthly e-newsletter
for access to our content and upcoming community events.
The newsletter sign-up is found at irregularwarfare.org.
If you enjoyed today's episode, The newsletter sign-up is found at irregularwarfare.org. all that you hear in this episode are the views of the practitioners and not those that represent Princeton, West Point or any other agency of the US government
thanks again and we'll see you next time Thank you. Thank you.