WASHINGTON — As the US faces responds to an increasingly volatile cyber landscape, with threats and attacks coming from state and non-state actors, responsibilities and responses will increasingly be governmentwide, a top US cyber official said Friday.
"Cybersecurity is a whole-of-government domain," in which the Defense Department works with the Department of Homeland Security and the FBI, said Aaron Hughes, the DoD's Deputy Assistant Secretary of Defense for Cyber Policy. This means that the US has a variety of options in how to respond to hostile incursions, and that the response to a cyber attack is not automatically a counter-attack in cyberspace.
After last year's hack of Sony Pictures Entertainment, which US officials blamed on North Korean hackers, the US responded with financial sanctions, said Hughes, speaking at an event hosted by the Center for Strategic and International Studies.
"Our response will always take into consideration a whole-of-government approach," he said, with the DoD's extensive capabilities representing one option among many.
Paul Stockon, a non-resident CSIS fellow and managing director at Sonecon, suggested that the government expand its cyber efforts to include state National Guard national guard forces to provide support for water, power and other critical infrastructure.
"Because they are right there in the state, they can train on the operating technology systems in collaboration with utilities in a way that's going to be essential for mission effectiveness," he said.
Hughes said his office is working on policies to better articulate how that can happen.
Harvey Rishikof, a Washington-based attorney who specializes in cyber and chairs the advisory committee for the American Bar Association Standing Committee on Law and National Security, noted that while it is tough to define boundaries in cyberspace and when to response to attacks, and when incursions rise to the level that requires an appropriate response, the DoD’s offensive cyber capabilities play an important role in deterring attacks. Top level discussions, like the recent negotiations around the US-China agreement on cybersecurity, help define a broader understanding of what the US and other actors in cyberspace find acceptable and notunacceptable.
"The amount of destructive capability that cyber has that has not taken place is a demonstration that there is a working norm that we all sort of agree to at this point," he said. "It's a very good sign for the dialogue at a certain level."
Stockon agreed, noting that preventing attacks from happening is not the only effective deterrent.
"We sometimes think that deterrence by denial is somehow separate and distinct from threats of retaliation. The two go hand in hand," he said. "The better prepared we are, the more resilient we are to be able to survive and reconstitute our ability to retaliate, the better off we are going to be."
Earlier, USCYBERCOM deputy commander Lt. Gen. James K. McLaughlin outlined CYBERCOM's five goals: to build the capacity to operate in the cyber domain; to defend the DoD's network and secure its data; to integrate cyber capabilities with combatant commanders across the military; to defend the US from significant cyber attacks, and develop and foster forward-thinking partnerships with innovators in the cyber realm.
"We are also learning, if you are charged to defend a specific mission area," such as a missile defense network, "to prioritize the critical terrain within a distributed complex network to understand what has to exist and be functioning in the face of attack," he said. "How do you make that part resilient? How do you actively defend it so that a commander can still get his or her job done?"
Email: aclevenger@defensenews.com
Twitter: @andclev
