COMMENTARY: Nothing encapsulates the cybersecurity challenge for the incoming administration more than the oft-quoted statement by Gen. Paul Nakasone, the recently retired former head of U.S. Cyber Command, the NSA and the Central Security Service, who said:
“If we find ourselves defending inside our own networks, we have lost the initiative and the advantage.”
The threat landscape morphs daily, and while new AI technologies will play a significant role in defeating our adversaries in cyberspace, a more offensive cyber policy may be the most potent weapon we can deploy.
So with the Trump administration about to take power in January, can we expect more offensive cyber operations in the months and years ahead?
I think so. Ramping up a kinetic war is far different than unleashing a team of warfighters in cyberspace. Traditional warfare has big risks and comes with a big price tag. Not so with cyber.
Traditionally, military operations that occur outside a theater of battle or when there’s no defined state of hostilities require presidential approval to execute. Title 10 of the United States Code is the basis for military authority.
However, Operation Neptune Spear, the op to terminate Osama bin Laden, was conducted under Title 50, rules governing espionage and clandestine activity. SEAL Team Six carried out the intelligence-oriented action only after obtaining presidential approval—a long and cumbersome process.
Operation Olympic Games, the famous cyber sabotage campaign against Iranian nuclear infrastructure, required presidential authorization across two administrations—another arduous process. Even though the actions were inherently cyber, this campaign was against a fixed physical target.
Cyber warfare requires different policies and new ways of thinking. A prior policy under Presidential Decision Directive-20 (PDD-20) during the Obama administration required a substantial amount of White House approval for offensive and defensive operations. The operational tempo slowed—not because of technical capabilities—but because of policy.
The shift to a new approach began in 2018 in the first Trump administration with National Security Presidential Memorandum-13 (NSPM-13), which targeted new authorities for offensive cyber operations and delegated them to the Defense Secretary. The result was more cyberspace operations in a few months than in 10 previous years—a concept called persistent engagement.
A 2018 report on C4ISRNET.com indicated that these more offensive activities were helping the military stay with our adversaries more effectively.
However, the nature of offensive military cyber operations means they are classified. The problem with our classified policies is that we almost never hear about the successes: only the failures discussed under the glaring light of Congressional oversight.
The United States continues to face a multitude of new and evolving threats from hostile nation-states such as China, Russia, North Korea, and Iran, as well as continued aggression by proxies and transnational cybercriminal organizations. Some interesting changes are under way now, and new approaches can potentially effect significant changes to cyberspace policy.
As a result of SolarWinds (state-sponsored) and Colonial Pipeline (transnational cybercriminal organization), President Biden issued his cybersecurity executive order (EO) in May of 2021. Besides calling for the implementation of cyber tools already considered table stakes (MFA, encryption), the order pushed back on legacy government approaches and called for modern solutions.
Another more recent cyber incident, China-backed Salt Typhoon’s telecom attack, has triggered additional discussions calling for creating an independent U.S. Cyber Force. The arguments for and against this continue, even though in April of this year, our biggest adversary in cyberspace (China) developed a dedicated organization called the Cyberspace Force.
A glaring example of the cost of failing to prevent aggressive cyber espionage by nation-states like China is the introduction of the newest Chinese stealth fighter, the J-35, which looks like a cookie-cutter duplicate of the F-35, the most expensive weapon system ever developed by the Department of Defense. China may have saved $40 billion in R&D alone.
North Korea continues to seek out new ways of generating hard currency to fund its military and nuclear ambitions through the remote IT worker scam. Iran has indicated it will expand uranium enrichment efforts while still aggressively pursuing lower-risk offensive cyberspace operations.
And never count Russia out. Even with the war in Ukraine, Russia continues to engage in attacks against critical infrastructure in the United States.
President Teddy Roosevelt famously said, "Speak softly and carry a big stick." The big stick isn't fancy AI-based tech, military hardware, or the latest gadgets. It's a clearly stated policy backed up by all those tools. The real measure of success won't be the number of successful attacks against our adversaries, but the absence of attacks against us.
The new administration has made it clear they prefer less kinetic warfare. If that happens, it will be about policy and not technology, and I believe the policy will be more fifth domain (cyberspace) warfare.
Morgan Wright, chief security advisor, SentinelOne
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.