Departing DOD cyber policy chief Aaron Hughes talks cyber deterrence, offense and hiring in an exit interview with Nextgov.
When President Barack Obama took office, one of intelligence officials’ top fears was a “cyber Pearl Harbor,” a catastrophic and destructive cyberattack that resulted in mass casualties and destruction of property.
One major reason that hasn’t happened is that the massive power and stated policy of the U.S. military—cyber and otherwise—have deterred any would-be attacker, says Aaron Hughes, the Defense Department’s top cyber policy official.
It’s proven more difficult, however, to deter nondestructive breaches such as the Russian government-backed leaks from Democratic political organizations that wreaked havoc on the 2016 presidential campaign, the deputy assistant secretary of defense for cyber policy said.
Nextgov spoke with Hughes recently about cyber offense, cyber deterrence and hiring and retaining cyber experts as he approaches the end of his term with the Obama administration.
Nextgov: Has cyber deterrence improved during your tenure with the Obama administration?
Hughes: What’s different in the past two years is we just have a more evolved capability to offer to decision-makers in terms of what message they would like to send in response to a malicious cyberattack. We have a maneuver force in the Cyber Mission Force that can provide a military component for whatever the whole-of-government recommendations might be.
When people ask, ‘how are you deterring in cyberspace?’ it’s not just a cyber vs. cyber [response]. As you’ve seen with the most recent response to the Russian activity, we were able to implement sanctions. In the Chinese context, we’ve done indictments. There’s law enforcement capabilities, financial implications, a diplomatic component and the Department of Defense will provide military options.
Nextgov: Are we doing well enough on deterrence given the steady drumbeat of breaches?
Hughes: My counter to the folks who say we have no deterrence strategy is: ‘Let’s think through what we’re trying to deter.’ If we’re trying to deter an adversary from conducting a cyberattack of significant consequence in the form of loss of life, financial implications, foreign policy implications, disruption of property, I think the totality of the U.S. government’s instruments of national power has deterred those types of attacks.
[When it comes to] malicious cyber activity in the form of espionage or other intrusions into networks, that is activity we’re only able to deter through improved defenses and the resiliency of our networks.
Nextgov: Is it appropriate to focus so intensely on destructive cyberattacks when simpler breaches, especially the Russian election meddling, have done so much damage?
Hughes: My point in saying we’re doing a good job by deterring destructive attacks wasn’t to put aside the fact that we need to have cognizance and potentially expand our thinking to deter other forms [of cyber hostility]. Going back to Sony, since then, we’ve had much more increased engagement with the private sector. [Homeland Security Department] is the lead on that, with DOD and the FBI in support.
With respect to the [Russian] influence campaign, there are a number of ways the president announced we’re responding to that. I think that’s one lesson we’ll take back and improve on how we can prevent those types of incidents in the future, provide better options or [options that are] more costly [for the enemy] for the president to choose from going forward.
Nextgov: What are the most important things your office has worked on during the Obama administration?
Hughes: Over the course of my two years, the milestone that sticks out most pointedly would be the release of our most recent cyber strategy in April of ’15. That was coordinated across the department with some pretty specific goals in mind, most importantly to, in an unclassified fashion, be as transparent as possible with respect to our missions in cyberspace—defense of [DOD Information Network], support to defense of our national assets and being able to provide [cyber] options for combatant commanders.
That was [also] the first time we talked in an unclassified fashion about the fact we have offensive cyber capabilities and we plan, as part of our normal military planning process, to integrate those into broad campaign plans. We’ve been driving hard on the implementation of the various objectives associated with that strategy for my two-year tenure here.
If you look back more broadly on the entirety of the Obama administration, obviously, there’s the creation of Cyber Command, its maturation over the last six or seven years and the milestone, last fall, when [it] met the requirement for initial operating capability.
Nextgov: DOD has acknowledged it’s pursuing offensive cyber capabilities, but hasn’t offered many specifics. Is that enough?
Hughes: I think that’s evolving from a policy perspective. [Defense] Secretary [Ash] Carter has been pretty clear that we’re integrating all of the department’s capabilities across all five domains to hasten the defeat of ISIL so that includes both space and cyber.
But the cyber domain is different from the nuclear context or other kinetic options because of the fragility of the capabilities. Our access is dependent on vulnerabilities in adversaries’ systems, so should we choose to declare some of those capabilities, it gives the opportunity for some of those adversaries to defend against them.
Nextgov: Rudy Giuliani, who will be a major cyber adviser to President-elect Donald Trump, has said the U.S. has better cyber offense than defense. What do you make of that?
Hughes: The predominance of everything we’re doing in the domain, upward of 90-95 percent of all our operations, are in defense of DODIN and command and control functions.
The difference between offense and defense is that defenders need to be right 100 percent of the time and, in the offensive context, you only need to be right once. [Also], a lot of it is a human element so our defenses are only as strong as our weakest link. So, I wouldn’t say we’re necessarily behind on defense, but defense is just much, much harder.
Nextgov: Trump has suggested DOD may lead a review of critical infrastructure cybersecurity.
Hughes: I don’t want to speak to policies of the incoming administration. As of right now, the department’s missions are to focus on the defense of DOD network systems and information.
I understand the president-elect has talked about an expanded DOD domestic role, but I think conversations would need to happen. We’d need to consider how CYBERCOM is structured [and] what its resources are if that’s an additional mission we are to take on. I’d raise that question again post Jan. 20 with the new team.
Nextgov: Has cyber hiring improved since you joined DOD? What else needs to happen?
Hughes: The last two years, the [National Defense Authorization Act] has provided us with the ability to have more rapid hiring authority for certain personnel supporting CYBERCOM and at some service cyber components, some CIO functions and some of the functions at [Defense Information Systems Agency].
We’ve also considered how to handle the movement of trained military members once they are on the cyber mission teams.
We’re taking, on average, two to three years to have a fully trained and mission ready operator [who will] do the mission for 12 to 18 months. [If] we transition them back into a more general IT function or some other part of the service then and start from scratch, I think we’re doing ourselves a disservice with respect to the readiness of the Cyber Mission Force.
I was briefed recently [that] around 30 percent of one of the services’ members [who] were rotating from a CMF billet would go to another CMF team. Others were much lower than that. We don’t want to spend all that time training someone and then have to completely retrain their replacement.
Nextgov: Where should your office focus for the next four years?
Hughes: We’re focused on meeting the FY 17 requirements of the NDAA, [including the] elevation of CYBERCOM to a unified combatant command. Also, there’s the required certification of the secretary that certain conditions have been met before we disestablish the dual-hatted leadership between [National Security Agency] and CYBERCOM.
There’s no deadline or time horizon for that, so we’ll continue to look at what that elevation means for CYBERCOM, what are the resource implications, how are we ensuring that CYBERCOM’s acquisition and other increased responsibilities as a unified combatant command are being met.
Nextgov: Where do you see DOD cyber operations in the long-term future, 20 years out?
Hughes: In the 20-year time horizon, you’ve had a set of junior officers that are in leadership roles where they have grown up with cyber and the global connected nature of our society as something that is very day to day. We also have senior decision-makers that understand the ramifications of disruptions in that connectivity.
I think we’ve absolutely improved the resiliency of our networks, we’ve improved our ability to deliver mission assurance and mission effects globally in a contested environment and we’ve come to a relatively steady state of how cyber effects and cyber defense are integrated into our instruments of national power. We [also] will likely be in an almost steady state of conflict with our adversaries for control of the information domain.