DOD Cyber Policy Chief: We’ve Deterred Destructive Cyberattacks

cybrain/Shutterstock.com

Featured eBooks
Digital Transformation
Read Now

Federal IT Modernization Still a Major Challenge

Read Now

DHS’ next chapter as an enterprise services provider

Read Now

What's happening in health tech

Read Now
Joseph Marks By Joseph Marks,
Senior Correspondent

By Joseph Marks

|

Departing DOD cyber policy chief Aaron Hughes talks cyber deterrence, offense and hiring in an exit interview with Nextgov.

When President Barack Obama took office, one of intelligence officials’ top fears was a “cyber Pearl Harbor,” a catastrophic and destructive cyberattack that resulted in mass casualties and destruction of property.

One major reason that hasn’t happened is because the massive power and stated policy of the U.S. military—cyber and otherwise—have deterred any would-be attacker, says Aaron Hughes, the Defense Department’s top cyber policy official.

It’s proven more difficult, however, to deter nondestructive breaches such as the Russian government-backed leaks from Democratic political organizations that wreaked havoc on the 2016 presidential campaign, the deputy assistant secretary of defense for cyber policy said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Nextgov spoke with Hughes recently about cyber offense, cyber deterrence and hiring and retaining cyber experts as he approaches the end of his term with the Obama administration.

Nextgov: Has cyber deterrence improved during your tenure with the Obama administration?

Hughes: What’s different in the past two years is we just have a more evolved capability to offer to decision-makers in terms of what message they would like to send in response to a malicious cyberattack. We have a maneuver force in the Cyber Mission Force that can provide a military component for whatever the whole-of-government recommendations might be.

When people ask, ‘how are you deterring in cyberspace?’ it’s not just a cyber vs. cyber [response]. As you’ve seen with the most recent response to the Russian activity, we were able to implement sanctions. In the Chinese context, we’ve done indictments. There’s law enforcement capabilities, financial implications, a diplomatic component and the Department of Defense will provide military options.

Nextgov: Are we doing well enough on deterrence given the steady drumbeat of breaches?

Hughes: My counter to the folks who say we have no deterrence strategy is: ‘Let’s think through what we’re trying to deter.’ If we’re trying to deter an adversary from conducting a cyberattack of significant consequence in the form of loss of life, financial implications, foreign policy implications, disruption of property, I think the totality of the U.S. government’s instruments of national power has deterred those types of attacks.

[When it comes to] malicious cyber activity in the form of espionage or other intrusions into networks, that is activity we’re only able to deter through improved defenses and the resiliency of our networks.

Nextgov: Is it appropriate to focus so intensely on destructive cyberattacks when simpler breaches, especially the Russian election meddling, have done so much damage?

Hughes: My point in saying we’re doing a good job by deterring destructive attacks wasn’t to put aside the fact that we need to have cognizance and potentially expand our thinking to deter other forms [of cyber hostility]. Going back to Sony, since then, we’ve had much more increased engagement with the private sector. [Homeland Security Department] is the lead on that, with DOD and the FBI in support.

With respect to the [Russian] influence campaign, there are a number of ways the president announced we’re responding to that. I think that’s one lesson we’ll take back and improve on how we can prevent those types of incidents in the future, provide better options or [options that are] more costly [for the enemy] for the president to choose from going forward.

Nextgov: What are the most important things your office has worked on during the Obama administration?

Hughes: Over the course of my two years, the milestone that sticks out most pointedly would be the release of our most recent cyber strategy in April of ‘15. That was coordinated across the department with some pretty specific goals in mind, most importantly to, in an unclassified fashion, be as transparent as possible with respect to our missions in cyberspace—defense of [DOD Information Network], support to defense of our national assets and being able to provide [cyber] options for combatant commanders.

That was [also] the first time we talked in an unclassified fashion about the fact we have offensive cyber capabilities and we plan, as part of our normal military planning process, to integrate those into broad campaign plans. We’ve been driving hard on the implementation of the various objectives associated with that strategy for my two-year tenure here.

If you look back more broadly on the entirety of the Obama administration, obviously, there’s the creation of Cyber Command, its maturation over the last six or seven years and the milestone, last fall, when [it] met the requirement for initial operating capability.

Nextgov: DOD has acknowledged it’s pursuing offensive cyber capabilities, but hasn’t offered many specifics. Is that enough?

Hughes: I think that’s evolving from a policy perspective. [Defense] Secretary [Ash] Carter has been pretty clear that we’re integrating all of the department’s capabilities across all five domains to hasten the defeat of ISIL so that includes both space and cyber.

But the cyber domain is different from the nuclear context or other kinetic options because of the fragility of the capabilities. Our access is dependent on vulnerabilities in adversaries’ systems, so should we choose to declare some of those capabilities, it gives the opportunity for some of those adversaries to defend against them.

Nextgov: Rudy Giuliani, who will be a major cyber adviser to President-elect Donald Trump, has said the U.S. has better cyber offense than defense. What do you make of that?

Hughes: The predominance of everything we’re doing in the domain, upward of 90-95 percent of all our operations, are in defense of DODIN and command and control functions.

The difference between offense and defense is that defenders need to be right 100 percent of the time and, in the offensive context, you only need to be right once. [Also], a lot of it is a human element so our defenses are only as strong as our weakest link. So, I wouldn’t say we’re necessarily behind on defense, but defense is just much, much harder.

Nextgov: Trump has suggested DOD may lead a review of critical infrastructure cybersecurity.

Hughes: I don’t want to speak to policies of the incoming administration. As of right now, the department’s missions are to focus on the defense of DOD network systems and information.

I understand the president-elect has talked about an expanded DOD domestic role, but I think conversations would need to happen. We’d need to consider how CYBERCOM is structured [and] what its resources are if that’s an additional mission we are to take on. I’d raise that question again post Jan. 20 with the new team.

Nextgov: Has cyber hiring improved since you joined DOD? What else needs to happen?

Hughes: The last two years, the [National Defense Authorization Act] has provided us with the ability to have more rapid hiring authority for certain personnel supporting CYBERCOM and at some service cyber components, some CIO functions and some of the functions at [Defense Information Systems Agency].

We’ve also considered how to handle the movement of trained military members once they are on the cyber mission teams.

We’re taking, on average, two to three years to have a fully trained and mission ready operator [who will] do the mission for 12 to 18 months. [If] we transition them back into a more general IT function or some other part of the service then and start from scratch, I think we’re doing ourselves a disservice with respect to the readiness of the Cyber Mission Force.

I was briefed recently [that] around 30 percent of one of the services’ members [who] were rotating from a CMF billet would go to another CMF team. Others were much lower than that. We don’t want to spend all that time training someone and then have to completely retrain their replacement.

Nextgov: Where should your office focus for the next four years?

Hughes: We’re focused on meeting the FY 17 requirements of the NDAA, [including the] elevation of CYBERCOM to a unified combatant command. Also, there’s the required certification of the secretary that certain conditions have been met before we disestablish the dual-hatted leadership between [National Security Agency] and CYBERCOM.

There’s no deadline or time horizon for that, so we’ll continue to look at what that elevation means for CYBERCOM, what are the resource implications, how are we ensuring that CYBERCOM’s acquisition and other increased responsibilities as a unified combatant command are being met.

Nextgov: Where do you see DOD cyber operations in the long-term future, 20 years out?

Hughes: In the 20-year time horizon, you’ve had a set of junior officers that are in leadership roles where they have grown up with cyber and the global connected nature of our society as something that is very day to day. We also have senior decision-makers that understand the ramifications of disruptions in that connectivity.

I think we’ve absolutely improved the resiliency of our networks, we’ve improved our ability to deliver mission assurance and mission effects globally in a contested environment and we’ve come to a relatively steady state of how cyber effects and cyber defense are integrated into our instruments of national power. We [also] will likely be in an almost steady state of conflict with our adversaries for control of the information domain. 

NEXT STORY: Trump Appoints Baltimore Real Estate Developer To Tech Team

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.