This is the first article in a three-part series on President Obama’s record on cybersecurity issues.
In future conflicts involving U.S. forces, hybrid warfare incorporating disinformation operations like the election-season email hacks will be “the norm, not the exception,” and the government needs to be better organized to counter them, a senior Obama administration defense official told FedScoop’s sister publication CyberScoop.
“The majority of the future fights we will be in will encompass this cross-domain activity and there will absolutely be information warfare components: Disinformation, [and] engagement with the public [by our enemies] to turn discourse against us,” said Aaron Hughes, deputy assistant secretary of Defense for cyber policy.
“It’s going to be the norm not the exception as we go forward,” he told CyberScoop in a wide-ranging interview, looking back at the Obama administration’s record of achievements and defeats on the cybersecurity issue over the past eight years. “We need to be postured … to defend ourselves against that.”
For the vast and sprawling Department of Defense bureaucracy, balkanized by institutional fault-lines and riven by turf conflicts and baronial friction, cybersecurity has always been a management challenge as much as anything — getting everyone on the same page.
Hughes says the Pentagon’s 2015 Cyber Strategy was a game-changer in that regard. The 40-page document superseded an earlier 2011 strategy and followed the set-up of U.S. Cyber Command and the start of the stand-up of the 6,200-strong Cyber Mission Forces.
The 2011 Strategy for Operating in Cyberspace had first declared cyberspace an “operational domain” — somewhere the Pentagon expects to fight wars. Hughes called it a “foundational” document, produced “as we were first thinking through how we wanted to organize to fight.”
“Four years on, we’d matured,” he said of the 2015 strategy. “We’ve set up Cyber Command, we’ve got our cyber mission forces.”
But the key to the success of the 2015 strategy was its implementation, he said. “We’ve made great progress … irreversible progress across the lines of effort” it identified, Hughes explained, adding that the department was ahead of schedule on completing many of its milestones.
The 2015 policy established a principal cyber adviser within the Office of the Secretary of Defense. The PCA headed a small team that Hughes described as “a project management staff on steroids.”
“They’re working with the offices [agencies and other Pentagon elements that have to implement the strategy] … to make sure that we’re staying attuned to any issues that come up, staying intent on the deliverables,” he said.
As a result, the implementation was ahead of schedule in many areas, he said.
“Where the original timeline for completion … took us out to sometime in 2019, we’ve been able to accelerate that in certain areas and according to the PCA team we’re close to upwards of 75-80 percent complete” with more than two years still to go.
Hughes said another driving force behind the 2015 strategy was that DoD officials wanted to be more “open kimono” in their public statements about the U.S. military’s cyber capabilities — both to try to tilt the balance of perception among Americans after Edward Snowden’s revelations about widespread domestic surveillance, and to be clearer with allies and adversaries as a way of avoiding misunderstandings and unintentional escalation.
“There was also a desire to be more transparent in how we’re operating … not only with the American people in a post-Snowden world, but also how we’re operating to our allies, to our adversaries … to be clear about what our key missions are and how we’re structured. To provide much more fidelity about how we’re going to operate in this domain,” he said.
“For the first time in the 2015 strategy we talked in an unclassified setting about our development of offensive cyber capabilities, how we are using the military planning process to fully integrate those cyberspace effects into our operations if directed by the president,” he said.
But the most consequential achievement, Hughes said, was the stand-up of the Cyber Mission Forces. “That initial operating capability for 133 [CMF] teams across the force was a huge milestone,” he said, which had taken “yeoman’s work across the department.”
The CMF teams were slated to reach full operating capability sometime in fiscal 2018, he said. But alongside that, the teams were “evolving” into “what we’re calling CMF 2.0 — do we have the right mix of skill sets and work roles on each of the teams, what should the mix between analysts, targeters, on-net operators, support staff [and] developers,” he said, listing the open questions officials will have to answer as they fine-tune the military’s cyber-fighting capability.
When it came to cyber, he said, officials were in the unenviable position of “flying the plane while still building the plane.”
Hughes noted there were other “key milestones and objectives” the department had met, particularly concerning its relationship with major defense contractors, collectively referred to as the defense industrial base or DIB.
“We’ve been promoting cyber-threat awareness, doing information sharing,” he said.
Hughes concluded by discussing what he said was the poorly appreciated technical expertise of U.S. military and intelligence agencies in attributing cyberattacks.
“Attribution is less of a technical challenge and more of a policy decision,” he said, implying the government could always find out who was behind a hacking attack even if they chose not to reveal it.
What was at stake was not a technical challenge but rather a policy calculation, he said. “Is there a benefit to messaging that attribution publicly at the time, is there a benefit to messaging it privately? … There are many levers of national power we can exercise in response, not limited to public naming and shaming.”