WASHINGTON — To stay at the cutting edge of technology and ahead of budding adversaries, U.S. Cyber Command is trying to increase its partnership with the commercial technology sector.
In an article published in Foreign Affairs on Aug. 25, Gen. Paul Nakasone, head of the National Security Agency and Cyber Command, and Michael Sulmeyer, senior adviser to the commander, argued that partnering with the government is not only necessary for success in cyberspace, but is mutually beneficial.
“Given that some of the most innovative thinking today is happening in the offices of American tech companies, we would be shortsighted if we were not pursuing partnerships with them. Such partnerships should of course be voluntary — companies can decide on their own if and when it makes sense to work with Cyber Command — but partnering with technology companies has been one of Cyber Command’s top priorities,” they wrote. “Many leading U.S. companies find themselves on the frontlines of competition in cyberspace. Working collaboratively where we can allows us to improve collective defense and stay a step ahead of our adversaries. This is all the more important as technology continues to advance.”
Cyber Command and the NSA have been on a yearslong tour to woo the private sector and Silicon Valley back into its good graces following disclosures from former contractor Edward Snowden that detailed global espionage.
Leaders have delivered speeches at major hacker conferences and taken frequent trips out to Silicon Valley to assuage concerns and recruit firms back to their side, with then-chief of Cyber Command and the NSA Adm. Michael Rogers saying in 2016: “If we can’t generate value for both [sides], that’s not a partnership … [it’s] a transaction.”
One of the ways Cyber Command and the NSA have delivered on this mutually beneficial relationship is by publicly disclosing enemy activity and malware discovered through operations. Cyber Command, through malware releases on VirusTotal, and the NSA, through advisories issued by its new cybersecurity directorate, seek to both burn these tools used by adversaries and provide a warning to companies to patch their systems for customers.
Nakasone and Sulmeyer wrote that an artificial intelligence-powered worm, for example, could disrupt all kinds of devices, from personal systems to those used for industrial machines. Cyber Command and the NSA see themselves as critical in using their authorities to gain insight into networks and foreign operations as well as act to prevent cyberattacks to defend the nation.
Nakasone has sought to broaden partnerships more generally in his tenure at Cyber Command. Private sector partnership is much more multifaceted, however, than just getting companies to share information and systems.
A top member of the Cyberspace Solarium Commission wants the DoD to conduct threat hunting on defense companies' networks.
“There are some vendors and some entities who CYBERCOM is looking to build good relationships with that actually supply and sustain their operations. Others that they’re relying on to carry out their normal defensive functions. Then there’s also this third set that I wouldn’t say are targets but those whose infrastructure is likely to be a venue for CYBERCOM’s operations as they’re looking to defend forward past their own networks,” Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, told C4ISRNET.
Herr explained that some of the difficult work for Cyber Command is traversing through the complicated reality that in order to conduct its operations, it must operate on the networks of many companies abroad without telling them.
However, the government needs the help of these companies to perform some of its most important operations.
“The government cannot conduct offensive and defensive cyber operations, including countering foreign interference, without a close partnership between private and public sector. There is a lot of technology that is being harnessed for good to help protect cybernetic systems, but the impact of COVID on IT makes security more important and diffuse than ever,” Philip Reiner, CEO of the Institute for Security and Technology, told C4ISRNET, using an acronym for the novel coronavirus disease.
The company seeks to help solve national security problems by bridging the divide between businesses and government. Certainly, the military has recognized that it needs private industry to equip its warriors and build the systems on which it conducts operations.
“Militaries succeed when they embrace new technologies aimed at planning for the next war, not fighting the last one. Cyber Command is committed to working with the private sector to harness emerging technologies,” Nakasone and Sulmeyer wrote.
The best and brightest in this arena exist in the private sector, but as some observers have documented, the Department of Defense has missed the boat in years’ past.
The DoD “missed the commercial space revolution. It missed the move to cloud computing, it missed the advent of modern software development. It missed the centrality of data. And it missed the rise of artificial intelligence and machine learning,” Christian Brose, the former staff director of the Senate Armed Services Committee, wrote in “The Kill Chain: Defending America in the Future of High Tech-Tech Warfare.”
Herr added that regular communication between security teams at companies and Cyber Command should be the goal.
“Companies and agencies ‘borrow’ their security architectures, so they need a much better understanding of national security concerns and most won’t see malware published by [Cyber Command] on Twitter,” said Reiner, who also formerly served on the National Security Council and at the DoD.
Moreover, there must be a public discussion of what offensive cybersecurity will look like over the next decade, Herr said, and what the responsibilities of an entity like Cyber Command are relative to these private companies.