President-elect Trump has stated that he is going to task the Joint Chiefs to come up with a plan to defend U.S. critical infrastructure in cyberspace. That in turn has generated a number of opinion pieces and conversations lamenting the fact that the President-elect does not understand that the military should not be in charge of private sector cybersecurity.
I agree with that and from my experience, no one in Cyber Command thought they should be responsible for private sector cybersecurity. We did feel strongly that the military has a responsibility to defend the nation in cyberspace just as it has responsibilities in the physical domains of air, land, maritime and space. The private sector is the first line of defense and in most cases, will be left to its own devices. However, in the event the country is threatened at the strategic level from a cyber-attack, the federal government is obligated to act.
Many argue there is almost nothing the military can do to protect private industry from cyberattack. There I disagree. The military operating in concert with the rest of the federal government has two distinct capabilities that cannot be duplicated in the private sector.
First, the military can leverage the all-source capabilities of the intelligence community (IC). If you have not worked closely with the IC, you do not understand how powerful it is to have access to information gleaned from human intelligence, signals intelligence, geo-spatial intelligence, open source intelligence, foreign materials exploitation and other intelligence disciplines. No one in the private sector has access to all those sources of information nor do they have the capacity to synthesize the information into actionable intelligence.
Our challenge continues to be sharing the information with the private sector in a way that either provides warning of an attack or allows defenders to prioritize their efforts based on adversary capability and intent. We must get better at identifying and targeting by sector information that would be actionable by private entities. Then we need to expedite the process of stripping out the classified bits so it can be distributed quickly and preferably, by machine. Finally, we need to build trust and confidence so this sharing is a two-way street. Even at its best, the IC does not see everything and the private sector has visibility on critical information that completes the picture.
The second unique capability possessed by the military is the ability to kill the archer. Most of our time in cyberspace is spent catching arrows. As the French figured out in 1415, catching arrows is not that much fun. We have to be able to kill the archer. Some downplay our capability to do this and further fear that blocking an attack would require the military to monitor all the internet traffic coming into the U.S. That is a poor characterization of what is necessary to position a force in cyberspace that can stop an attack at the source. And it unnecessarily inflames the privacy versus security debate.
Our biggest limitations in being able to kill the cyber archer revolve more around our failure to define red lines in cyberspace coupled with ill-defined national policy regarding how we will use cyberspace operations in combination with other elements of national power to defend ourselves. It is really important to work these policy issues out now and get on to a meaningful understanding of cyber as part of national security policy. China and Russia have certainly figured it out.
If you like this, please share it. Also check out my website, www.thecyberspeaker.com and my Facebook page, facebook.com/thecyberspeaker.
