16 November 2019

Two years in, how has a new strategy changed cyber operations?

By: Mark Pomerleau

By 2013 U.S. networks were already were under constant attack from sophisticated nation-state actors. Hackers stole millions of sensitive records from the Office of Personnel Management, gained access to White House networks and destroyed dozens of computers at Sony Pictures from thousands of miles away.

But the Department of Defense’s own cyber teams couldn’t hit back or work on enemy networks abroad because, officials said, the rules for such operations were incredibly stringent. In fact, one U.S. senator said DoD didn’t conduct an offensive operation for five years. That’s not to say the United States sat idly by in cyberspace — experts pointed to covert strikes and intrusions — but it does mean the Pentagon rarely or never used cyber operations as an overt response or to flex its power.

That was then. Now, it’s been nearly two years since the U.S. Cyber Command first publicly mentioned new approaches to cyber operations, known as defend forward and persistent engagement. The defend forward policy was formalized in the DoD cyber strategy in October 2018 and is best described as DoD working on foreign networks to prevent attacks before they happen. The way Cyber Command meets those goals is through persistent engagement, which means challenging adversary activities wherever they operate.

During that time, Cyber Command appears to have conducted at least three operations according to reporting from the Washington Post, Yahoo News and Reuters. This includes disrupting internet access at a Russian troll factory to protect the integrity of U.S. elections and operations against Iran.

The new philosophy has engendered praise, criticism and confusion among experts. One lawmaker said the White House is stonewalling oversight of the new operations. Academics have questioned whether the strategy will indeed slow hacking from the United States’ enemies. Because of the sensitivity of operational details, the Pentagon rarely discusses how the new strategies have worked. But based on interviews with military officials and several cyber experts this is the story of how, in two years, a new strategy is forcing the national security community to rethink cyber operations and the strategy’s long-term effects.

What is persistent engagement?

Perhaps the best way to understand persistent engagement is to consider what cyberspace looked like to military leaders before 2018 and after.

A senior Defense Department official told Fifth Domain that when it came to defensive cyber operations then, the department was reactive, not proactive. For offensive operations, a series of approvals slowed down the pace. Combined, this created a gap, preventing the department from keeping up with threats.

Military leaders recognized the problem. In a bit of foreshadowing, Adm. Michael Rogers, the previous head of Cyber Command, described to Congress in April 2018, how the government planned to stop cyberattacks:

“My goal as a commander is to try to get ahead of problem sets before they occur. Our vision is about how do you tie the power of intelligence, and the insights that generates, with the operational capability the DoD has invested in the Cyber Command structure … how do we use it in a way that attempts to forestall the opponent’s ability to gain advantage in the first place? Failing that, how do we stop that activity before they have significant impact?”

He added that the government needed to get more comfortable using its cyber capabilities outside of warzones. The formal document that first described persistent engagement and defend forward, Cyber Command’s command vision, was finalized in January 2018. Rogers retired a few months later.

Sen. Mike Rounds, R-S.D., who chairs the Senate Armed Services cybersecurity subcommittee, described searching for hackers as akin to capturing mice.

“Number one, you’ve got to be able to have mouse traps in the house. Second of all you’ve got to plug the holes where the mice are getting into the house … But it’s also very important that you put offensively, that you put out bait on the outside and trap as many of those mice as possible before they ever get into the house,” he told Fifth Domain. “That’s what this is all about. Tracing them down to where they’re at and taking these mice and rats out before they can get into our house.”

National security experts have used a different analogy: the Cold War.

But what’s different this time, Joshua Rovner, School of International Service professor at American University told Fifth Domain, is that the point agency is a military organization, not an intelligence agency. Rovner worked as a scholar-in-residence at the National Security Agency and Cyber Command from 2018 to 2019.

“In the past the lead players would have been CIA, other members of the intelligence community. Now you have a military command with a traditional military hierarchy that is operationalizing this. That is peculiar,” he said. “That is part of the reason why I think that people are trying to grapple with what persistent engagement means in practical terms because you do have a military organization, which is responsible for implementing an intelligence contest. That’s going to take time to figure out. That’s going to take some growing pains.”

Enabling global cyber ops

Think of a carrier off the coast of a nation or a forward-operating base. The military wants to operate as close to the enemy to see what they are planning and either stop it or tip off others. For cyber, this could mean contacting the FBI, the Department of Homeland Security or another nation.

Last year, Congress gave the military new authorities that allow Cyber Command to operate outside U.S. networks and outside of declared warzones such as Syria and Afghanistan. The White House also issued an updated policy to the Obama administration rules governing the approval process for cyber operations called National Security Presidential Memorandum-13 (NSPM-13). Taken together, these helped to pave the way for DoD to contest and get ahead of cyberattacks, officials have said.

The new process “allows our national cyber forces to be able to offensively go after what we think are causing problems for us,” Rounds said.

The old process “was so full of limitations and it had so many places in which it had to have approvals from different parts of government that we never did an offensive operation in five years.”

This new way of doing business also allows the military to be better prepared if a conflict were to occur.

“If you’re not maintaining a forward presence and staying persistently engaged, when something does happen and you need to address it, you’re not in a position to be able to address it,” Gary Brown, professor at the National Defense University and the first senior legal counsel for Cyber Command, told Fifth Domain. “The idea is that you gain your access, then you camp and wait for when intelligence sources tell you that something nefarious might come out of a given network.”

Military officials have said it is imperative that U.S. cyber operators are active in neutral and adversary networks to disrupt their activities.

“Our Air Force doesn’t stay in hangars on the ground and never take off and fly in the air," Gen. Paul Nakasone, the head of Cyber Command said, according to NBC News. “They’re flying every single day. They’re flying missions to provide us warning … they provide a show of force sometimes. Its’s the same concept in cyberspace … We don’t wait for something to happen to us.”

A danger of being too aggressive and active?

In a September briefing, former national security adviser John Bolton used blunt language to describe what a series of new authorities and policies will mean: The United States will be more aggressive in cyberspace.

The White House document as part of the changes to policy is NSPM-13.

But with these new authorities, and with NSPM-13 in particular, some experts in the national security community were concerned about a potential lack of coordination with the whole-of-government approval process.

A senior DoD official countered that NSPM-13 “demands” interagency coordination, and that government leaders have ample opportunity to voice complaints or offer alternate options before a cyberattack.

Moreover, another official said the new process has been perceived as more fair to leaders and agency involved, a change from years past. Unlike in the past, government leaders now know what to expect and Cyber Command more tied into the whole-of-government.

Other experts have worried that concepts such as defending forward could send the wrong signals to adversaries and even allies.

“The thing that potentially makes allies nervous … is that we could be inside their networks without them knowing it,” Brown said. “For close allies and reliable allies, the U.S. would be happy to tell them, ‘Look some part of your network is being used in aggression toward us so can we help you or can you take care of this issue?’ I don’t really see that as a big problem.”

The official said that despite potential friction, DoD is working with allies and partners daily.

“The good news is that in almost every situation I can think of, U.S. Cyber Command is working closely with someone else — a foreign partner or ally, another U.S. agency, you name it — to support operations. They work hard at those relationships every day,” he said. “But sure, even the closest of allies occasionally see some friction in their relationships. What makes these relationships so effective and powerful is that they work through it, and do that effectively because of shared interests and values to counter common challenges.”

Rovner said he has not seen evidence that partners were upset about U.S. actions. However, he added that since no government owns cyberspace, creating an effective defense means working with the private sector as well as other foreign governments.

Unlike freedom of navigation operations in international waters or flights in international airspace, there is no agreed upon international cyberspace equivalent.

“As soon as you’re sailing out of the harbor, as soon as you pass the break water, you’re sailing in networks that other people built for their own purposes. When the U.S. says ‘gray space,’ they mean other people’s personal property,” Jason Healey, a senior research scholar at Columbia University specializing in cyber operations, told Fifth Domain. “It’s like if the Navy wanted to take over rain or say that they can operate in any river or stream or puddle in the world. We are all dependent on this cyberspace. It is touching all of our lives. It’s incredibly intrusive and vulnerable and we’re treating it as if the fact that it’s a war fighting domain that the Russians, Chinese, Iranians, North Koreans are using is the most important fact.”

Cyber Command’s theory is that over time, this constant engagement and “sailing” of cyberspace around the world will have a cumulative effect on adversaries.

Others are more skeptical.

“It stands to reason that a more assertive approach in cyberspace is going to help you generate more information,” Rovner said. “Whether or not that has any effect on adversaries’ behavior I think is to be determined … I’m not that optimistic that we’re really going to change behavior at that level … at least not in the near term.”

He added that at the very least, defend forward will make the work of hacking harder.

Congressional overseers

Despite broadly agreeing with DoD’s new direction for cyber operations, congressional committees are still wrapping their arms around the new approach and what it means for oversight. Notably, committee leaders have yet to see the NSPM-13 document itself that outlines the approval process for cyber operations.

“Unfortunately, the White House has still not provided access to documents related to its more aggressive cyber strategy, including NSPM-13,” Rep. Jim Langevin, D-R.I., and chairman of the Armed Services Intelligence and Emerging Threats and Capabilities Subcommittee, wrote to Fifth Domain. “That is simply unacceptable. Effective oversight requires having a rubric on which to gauge an administration’s actions, yet the White House continues to refuse to provide that rubric.”

Rounds noted that on the Senate side, while he also has not seen the document, he received a briefing on the difference between the old guiding policy document and found the description acceptable.

“My understanding is that if I wish to read the document, I could,” he said.

He added that new quarterly briefings, as mandated by the fiscal year 2018 National Defense Authorization Act, are helpful for the committee to understand what Cyber Command is doing.

“It doesn’t mean that it’s perfect and it doesn’t mean that we still don’t do oversight and ask questions and there is more work to be done,” Rounds said.

Langevin said from an oversight perspective DoD needs to ensure that its strategic vision “reflects the realities of our engagement in cyberspace.

Going forward

While the new concepts are about two years old, some academics have already begun questioning the sustainability of such an open-ended approach.

“If we’re persistently engaging, does that ever end? The problem with persistent engagement is it promises to do too much all the time and doesn’t articulate priorities,” Jacquelyn Schneider, fellow at the Hoover Institution, told Fifth Domain. “The good thing persistent engagement did was it changed the narrative from cyber being a one-off thing and a strategic event that occurs and then we respond … What it did not do was actually articulate strategy.”

Schneider said the Pentagon has not made it clear how the military will have enough people, or money. “This is like Afghanistan and Iraq,” she said.

A senior defense official said Cyber Command is focused on winning cyber fights against China, Russia, Iran, North Korea, violent extremist organizations, known collectively within the national security community as the 2+3. Already, protecting elections appears to be a longrunning mission for the department.

But the official said readiness is a priority for Cyber Command because “only with a ready force can the command execute their missions and compete” with those players.

“Part of this issue is how does U.S. Cyber Command measure and assess readiness across the services. Another part is about seeing the expertise and experience of how their force grows as they spend more time on mission,” the official said. “It’s an important byproduct of persistent engagement: that competition with the 2+3 reinforces the skills, the discipline, and the instincts to work collaboratively with partners and, when the order is given, to take action.”

Most government officials have pointed to the operations before the 2018 midterm elections as a sign of the success of the new approach. Others have explained that it will likely take more time to see how this plays out.

“I just am somewhat skeptical of the ability to fundamentally change other states’ behavior simply by becoming more assertive in cyberspace,” Rovner said. “I understand the logic of it but I’m a little bit skeptical both that it will work quite like and that we’ll be able to measure it. In this case, in cyberspace, it’s also going to be very difficult to say we are winning, this is exactly what we’re supposed to be doing.”

In terms of what policy makers should consider going forward, Healey, writing in the Journal of Cybersecurity described four conditions that policymakers should insist upon before throwing more support behind persistent engagement.

They include: a timeline for success, criteria for failure, a “throttle” that would allow the National Security Council to be able to moderate cyber operations and a sunset of the new strategies.

Ultimately, cyber is one tool in the U.S. arsenal and experts have cautioned that it will be hard to point directly to a more assertive cyber posture as the one thing that changes the calculus of adversaries.

“Suppose that 20 years from now we look back and we seem to have reached a kind of stable relationship with China in cyberspace and in our diplomacy in general,” Rovner said. “What was the cause of that? Was it new changes in U.S. cyberspace policy? Was it U.S. economic sanctions? Was it a change in U.S. diplomacy or actual freedom of navigation operations and naval movements? Unpacking what actually caused the change in behavior is going to be really, really difficult especially because we’re talking about cumulative effects over time where lots of little things are supposed to lead to a big result.”

No comments: