The nominee to be the next chairman of the Joint Chiefs of Staff advocated before Congress for an integrated approach to protect the nation from the daily barrage of cyber incidents by nation-state adversaries operating below the level of armed conflict.
Army Gen. Mark Milley, responding to senators both at his confirmation hearing July 11 and in answers to a prehearing questionnaire regarding cyber capabilities, pushed a familiar line championed by U.S. Cyber Command: partnerships.
“Strategic competitors such as Russia and China are conducting persistent malicious cyber campaigns to erode U.S. military advantages, threaten our infrastructure, and reduce our economic prosperity. We are taking the initiative to deny, disrupt, degrade and expose these malicious cyber activities, which threaten the Defense Department, U.S. interests, and the American people,” he said in prewritten answers.
“This initiative includes collaboration with other U.S. government departments and agencies, private industry and international allies and partners to ‘defend forward’ by preemptively responding to and disrupting these threats well before these activities reach their intended targets and cause harm.”
Defend forward is a subset of Cyber Command’s new operating concept persistent engagement, which posits that the United States must meet adversaries daily below the threshold of armed conflict as a means of combating their malign behavior in kind. Defend forward, as part of the concept, means fighting those adversaries in networks as far from the United States as possible.
Milley noted that operating below the level of armed conflict in cyberspace is both feasible and necessary.
“We need to compete daily by persistently engaging and defending forward to disrupt, deter and deny malicious cyberactivity,” he said.
Milley also noted that while the Department of Homeland Security’s focus is domestic, the Department of Defense is focused externally on those that threaten the nation. This trope has pushed by DoD as its contribution to whole-of-nation defense using its unique authorities to act outside the United States to defeat threats before they reach the homeland, as well as provide advance intelligence to law enforcement and industry.
“Through a series of partnerships with DHS and sector-specific agencies such as the financial and energy sectors, DoD should provide expertise and experience needed to support our critical infrastructure partners' efforts to anticipate, prevent, and respond to significant cyber incidents,” Milley wrote to senators.
“The DoD and the Cyber Mission Force represent key agencies for coordinating active and unified defenses of networks and our populations. Unique capabilities include: the global network of military-to-military partnerships, capacity for intelligence gathering and analysis, and the ability to plan and operate in a coalition environment.”
Milley told senators that improvements must be made to defense networks and systems, as well as infrastructure networks within the broader United States, saying they are key vulnerabilities to cyberattacks by adversaries.
Examples he provided of partnership efforts include sharing of threat information and collaborative analysis of vulnerabilities and threats.
Cyber Command has begun to post malware discovered to a public forum as a means of both better informing the larger community to patch potentially affected systems, but also as a means of disrupting ongoing campaigns by outing the tools being used.
The chairman of the Joint Chiefs of Staff’s role in cyber has grown recently as they are now responsible for global integration in cyber and coordination of cyber activities managing assets across the regional combatant commands.
The character of war is evolving, and so has the Joint Staff's part in integration efforts.
The need to establish the chairman as the global integrator arose with the understanding of the evolved nature and character of war in which it is unlikely the impacts of a conflict will be confined to a single geographic region.
As such, Milley, if confirmed, will have a large role to play in the cyber game.
He wrote to senators that DoD does have the necessary authorities to conduct operations, but maintained he will work with the critical stakeholders to ensure DoD’s processes are streamlined to enable operations and coordinate as required.
“If confirmed, I will make recommendations to the Secretary regarding force structure vs. the strategic environment, acknowledging both budgetary considerations and increased threats borne in and through cyberspace,” he wrote.
During oral testimony, without going into too much detail due to classification, Milley explained DoD is increasing its capabilities in cyberspace.
He also drew a correlation between these increased capabilities and their deterrent effect against would be adversaries.
“At the end of the day, we have to have those offensive capabilities, too, and in the theory of deterrence, if they know that we have an incredible offensive capability, then that should deter them from conducting attacks on us in cyber,” he said, noting a good offense is the best defense.
Some experts point to the flawed approach the military has taken when it comes to deterrence and cyberspace.
The more the United States brags about its cyber capabilities, the more it invites the surprise attack, Jay Healey, research scholar focusing on cyber at Columbia University, told Fifth Domain. The way to gain an advantage is to sucker punch or strike hard, he added, noting, most of the dynamics of cyber say actors better get their attack in early.
Other experts have pointed to the notion that given the unique position of the United States — its heavy reliance on digitally connected systems to run the power grid and financial system to name a few — that it is more digitally exposed to cyber actions than other nations, meaning the United States can be more easily deterred in cyberspace than others. This, despite the incredible cyber arsenal America possesses.
Healey has previously pointed to examples in which the United States did not take counter actions against Russia for fear their malware implants in the country could be activated or they could create serious chaos in the 2016 presidential election, farther than the social media trolling.
“There is no evidence the Russians made any specific threat, for example, and they did not need to brandish their cyber capabilities in a demonstration attack to make it credible or increase the value of the signal. Apparently, their access and perceived capabilities and intent alone were enough,” Healey wrote.
“There is now a well-documented instance of cyber deterrence. That example is part of most likely the most consequential cyberattack ever — the interference in the US presidential election of 2016. And for all the agonizing about deterrence theory and posture in the United States, it was the United States who was deterred.”