Cyber Scene #53 - Cybersecurity: Under (Mostly) New Management

Cyber Scene #53 -

Cybersecurity: Under (Mostly) New Management

One mere month post-US Presidential Inauguration, Washington, D.C., and environs have catapulted into very significant changes in the way cybersecurity is supported and optimized. Military commanders largely remain, to date, providing continuity to include the Chairman of the Joint Staff, Vice- Secretaries of the Services (the Secretaries themselves are civilians), and the Combatant Commands to include the Commander of Cyber Command (USCYBERCOM). However, the nomination and quick confirmation of a swath of talented, experienced cyber experts are advancing the success of even near-term efforts to protect and defend not only the Constitution, but its beneficiaries as well.

In addition to the other cybersecurity players noted in the January 2021 Cyber Scene, Gen. Lloyd Austin, who retired in April 2016, received a waiver for less-than-7 years of retirement and then flew through Senate confirmation. This included a detailed discussion on cyber. Prior to SecDef Austin's confirmation by the full Senate on 22 January, the Senate Armed Services Committee (SASC) first addressed the subject of his being a civilian leader, and then elicited the following from the now new SecDef:

"I believe the Department must effectively counter these campaigns by taking proactive action to: generate insights about the adversary's cyber operations and capabilities; enable its interagency, industry, and international partners to create better defenses, and; acting, when necessary, to disrupt adversary cyber actors and halt malicious activities."

SecDef's deputy, Dr. Kathleen Hicks, confirmed on 4 February by a voice vote (an indicator of broad support), also faced the SASC. She too, addressed cyber, stating that she was supportive of the proactive CyberCom approach executed as part of DoD's 2018 Cybersecurity Strategy and wanted more clarification on this strategy. Hicks adds: "China and Russia's malicious cyber campaigns seek to diminish U.S. military advantages and economic security. The department must be proactive to understand an adversary's cyber operations and capabilities…and should work with U.S. interagency, industry and international partners to counter adversary cyber actors."

Examples of the new military cybersecurity's forward thrust abound. Public discussion of these initiatives includes inter alia, three separate examples to strengthen and implement cybersecurity strategy: Space Command, Special Operations Command (SOCOM), and the National Guard, all provided by C4isrnet's Mark Pomerleau.

First, in early February 2021, the new Space Command began receiving its first cyberwarriors from the U.S. Air Force. According to Chief of Space Operations General Jay Raymond, "Why it's so important…is that they will understand cyber terrain of space…and help us protect this critical domain from that threat." These guardians are intended to build Space Command's mission defense teams, aligned with the Air Force's cyber squadron work. These specialized cyber defense teams will protect Air Force missions and installations.

Second, on 18 February, Pomerleau reported the 1st Special Forces Command's creation of an Information Warfare Center at Fort Bragg. Although some focus is on psychological operations, cyber is the platform--an artillery piece through which "influence rounds" can be delivered, according to 1st Special Forces Commander COL Croot. The objective is to protect the military's digital footprint in tactical operations: "protecting Green Berets from sophisticated snoops." He used as an example an earlier exercise where a commander ordered everyone off social media one month prior to the training; during the training, the commander displayed to the troops all the footprint revelations, including how many people had deployed and from what base, their destination, their mission, and where their families lived, all from their digital footprints--quite a "close to home" lesson calling for increased cyber-based protection.

In the third example, the journalist explores the story of National Guard units from four states continuing the relatively new creation of Cyber Protection Battalions in the Army National Guard in support of USCYBERCOM. When the umbrella organization, Task Force Echo, was created in 2017, it was the largest mobilization of reserve forces in cyberspace. This is the fifth iteration involving a total of 600 guardsmen. It supports the Army's 780th Military Intelligence Brigade, which conducts protective operations against malicious cyber actors. While not brand new, it is highly "renewable."

The co-authors of the -landmark Cyber Solarium Commission bill passed in March 2020-- the Senate's Angus King and House's Michael Gallagher --discuss progress on cyber in Northrop-Grumman's Weekly Cyber Report audio podcast. This bipartisan, bicameral strategic cyber bill plays out on multiple domestic and international levels. While the audio veers toward the role of cyber in the 6 January attack, it also asks the co-authors on the general progress of the bill's implementation. Sen. King expresses his delight with the pace of implementation, noting that as of 27 January 2021, 26 of the 50 recommendations have already been implemented over 7-8 months. The recommendations call for not centralization, but "coordination and harmonization." The co-authors are still looking for international expansion and a Department of State individual to take on his international issue of cyber information sharing and greater conferring with partners and allies on China toward an international-norms-based order. Rep. Gallagher closes by recalling his own military service and noting that cyber's weak link is human mistakes that are difficult to eliminate wholly, as human beings are, well, human.

In a completely separate perspective on this issue by Washington Post's Ellen Nakashima, the author underscores a remaining bridge to be crossed between the White House and Congress regarding cyber policy. Congress wants more oversight, while the White House is concerned about lawmakers "exerting influence of a critical area of national security." Part of the dilemma revolves around the White House 60-day review of the role of a national cyber director to advise the president on policy and strategy and to be Senate-confirmed in public hearings. Sen. King refers to this as "one throat to choke." This part of the above-cited Cyber Solarium Commission package was passed in November 2020. It seems that the former administration did not take action on this; it now falls to President Biden.

The resurrection of the National Security Council (NSC) cyber leader, which had been deleted by former NSC Adviser John Bolton, has already been named Anne Neuberger. Nakashima describes Neuberger as "arguably the most powerful White House cyber position ever." The article also notes her close working relationship with National Security Adviser Jake Sullivan and CyberCom Commander Gen. Nakasone. However, the NSC, from the adviser her/himself down, is not subject to Senate confirmation or Congressional influence. On the one hand, Sen. King believes that if the cyber leader is exclusively in the NSC, lacking Senate confirmation will give it neither continuity nor stature required. The White House reportedly believes that "…running cyber policy from outside the NSC--creating a sort of "Shadow NSC" for cyber--is not the most effective way to do it."

Even as the dilemma remains with supporters for each of the two possible options, some are looking for a compromise in a division of labor between non-military and military, and private versus foreign ally entities. Sen. King concludes by saying: "These two functions can be complementary and should be. I'm not going to fault the administration for moving to shore up our cyber defenses. I just think they need to take the next step."

On the same day, the above Washington Post article was published, Defense One's Mariam Baksh recounts both Neuberger's White House press briefing updating the response to Solar Winds and noting the preparation of a multi-part Executive Order (EO) on the hack. She noted that 8-12 items are to be included in the EO. However, since it involves nine federal agencies and 100 companies, there are legal issues in the private sector sharing with the federal government that still need work.

Baksh also reported that the week before, the House Homeland Security Committee heard from former Cybersecurity and Infrastructure Security Agency Director Chris Krebs. He confirmed the issue that federal agency contracts have with vendors, which prohibits them from sharing cyber incident information across the government. Krebs goes on to say that Solar Winds is "…not the only malicious cyber activity of likely Russian origin, either for us or our allies or partners, so as we contemplate future response options, we're considering holistically what those activities were."

As for the judicial view, Lawfareblog's Tasha Jhangiani on 17 February follows up on the U.S. government's insufficient capacity for responding to cyberattacks, Russian or otherwise. After a short synopsis, the issue of a "cyber state of distress" is discussed in the framework of the Cyber Solarium Commission's recommendation. The result of this declaration would trigger a Federal Emergency Management Agency (FEMA)-like mechanism for resources to resolve the crisis. Jhangiani continues that the current Presidential Policy Directive 41 "…fails to give federal agencies the authority, funding or resources needed to assist non-federal entities in the event of a significant cyber incident." It is noted that the Commission would give Homeland Security the authority to trigger the availability of these resources. This does not appear to be included in the 26 initiatives in the bill already implemented.

So is Russia, as malicious as it is, the principal threat to the U.S., its partners, and allies? Likely not. Syndicated New York Times Columnist Thomas Friedman among many others, believes that Russia has fallen to #2, ceding first place to China. In his somewhat hyperbolic but fundamentally factual "Vladimir Putin Has Become America's Ex-Boyfriend From Hell," he maintains that Russia has been hollowed out, has become far less powerful than in the past, is economically and demographically bereft, and has generally relegated to "stalking the U.S" through hacks and election-meddling, and that Putin is "…relishing the notion that so many Americans think he installed…" the former U.S. president. Russia is also less lethal due to the February 2021 extension of the NEW START nuclear treaty between Russia and the U.S. The running metaphor is forceful as well as wildly entertaining.

So, as we await a spectrum of breaking cyber news and look next month at China, take a peek at Wired's February edition. Exceptionally, it is completely dedicated to three chapters of one new book entitled "2034: A History of the Next World War." Although the upcoming book on which the issue is based is supposedly fictional, co-authors Elliot Ackerman and Admiral (ret) James Stavridis claim in their discussion with Wired that year 2034 is coming too soon in reality.