In order to foster better innovation of new and novel capabilities, the federal government should talk more openly about offensive cyber operations, a top Pentagon cyber official said.
“To conceptualize [the] idea of offensive cyber, we need to be talking about it. It’s not a secret anymore that we do these things,” Christopher Cleary, principal cyber adviser for the Navy, said Thursday at the annual Navy Summit hosted by the Potomac Officers Club.
Cleary noted that federal agencies need industry’s help in designing capabilities for warfighters, but if they can only discuss new technologies or concepts behind closed doors, that can inhibit some companies’ ability to get their products into the hands of the government.
Coming from a small business technology startup, Clearly explained that it was hard to market new technologies to the government because in order to purchase them, there needed to be an established requirement for them.
“We just invented it. It’s brand new … How do you break that cycle to bring technology that is innovative in at speed and scale?” he said. “It’s hard to use your dollars on something that at the end of the day, the government may or may not want to go off and go do. To be perfectly honest with you, I think we see that a lot in the offensive cyber game.”
For many years, the government refrained from ever mentioning the words “offensive cyber” in public. Cleary said in 2008 when he joined U.S. Cyber Command’s predecessor organization Joint Functional Component Command – Network Warfare, officials couldn’t even say “offensive cyber” in some Sensitive Compartmented Information Facilities (SCIF).
Clearly explained the need to not overclassify concepts to allow for more frank discussions with industry.
“Some of the things that we’ve classified I see at DEFCON [cybersecurity conference] later that year. We build some sort of tool in a SCIF somewhere and we go to DEFCON, I see some 18-year-old kid that just did it in his basement,” he said. “Is that a secret or is it just we’re over classifying things that people are doing in industry all day long? … In reality, this stuff happens all over the place. It doesn’t require a nation-state level of commitment or resources to do some of these things.”
The specifics — such as the 1s and 0s, the targets, and the actual techniques for access — should remain classified, Cleary said, but the notion behind some of them shouldn’t.
“But the basic conversation we have to get more comfortable about having in the open. And it can’t be ‘Oh, Chris, I’d like to talk to you about this, come over to my facility [and] we’ll sit in the SCIF,’” he said. “I’m building a capability that does this kind of classical effects. Not a secret. How do we have this conversation?”
Cleary noted that while his office doesn’t specifically have funds to spend on capabilities, he can help point members of industry in the right direction and get them in contact with the people that do have the money, resources and requirements.
One reason the Navy needs to talk more openly about offensive cyber and IT-related issues is to help inform the rest of the department, he said. Given most of these capabilities and concepts exist at highly classified levels, much of the rest of the force doesn’t always know what they do.
Cleary said most submariners can likely articulate the composition of a carrier air wing. However, the information warfare community writ large is less understood.
“If I go to the aviation community right now and say, ‘Can you tell me what the cyber mission force is,’ they go ‘what?’ There’s no awareness of these other things that we’re doing in the Navy because they’ve been classified and just not discussed,” he said.
“The surface warfare community, the aviation community, the submariners — most of what happens in the information warfare community is a secret to them. We have to be more open and get a message of what the information warfare community does … what that brings to the rest of the Navy so those organizations can figure out and integrate into their mission spaces,” he added.