WASHINGTON — The Department of Defense is at an “inflection point” when it comes to cyberspace and cyber operations and must consider the role of the people behind cybersecurity systems, according to a top official.
With adversaries increasingly using cyber operations to undermine national security, whether by stealing intellectual property or conducting influence campaigns to sow discord among the American public, the Defense Department has moved to a more offensive approach. This was enabled by new authorities from Congress and the executive branch and culminated in the 2018 DoD cyber strategy.
As the Pentagon weighs how best to respond to and to deter ongoing digital onslaughts, the department is thinking more broadly about cyberspace operations.
“There is another aspect to this that’s not just about the systems. It’s really about the human beings behind the systems,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy, told reporters during a Defense Writers Group breakfast Oct. 20. “How do we think about using cyber in ways that affect the adversary’s calculus, what is the effect on the cognitive domain and what is it that we as humans need to think about for a defensive mindset?”
The department’s understanding of cyber is evolving with more operational experience, she said.
For example, in recent years, to some degree, there has been a tighter linkage of information operations and cyber operations to deter malicious activity aimed at the U.S., such as purported messages to Russian cyber operatives letting them know they know who they are and what they’re doing.
To get better at linking cyber and information operations, Eoyang said intelligence is key.
“One of the challenges for us as we think about the cognitive domain is making sure that we are understanding the strategic orientation, goals and objectives of adversaries,” she said. “From that perspective we want to make sure that cyber operations fit into a broader strategic frame that makes sense in the regional context and the IO operations do the same.”
“One of the challenges that you see, especially as you think about the cognitive domain, is that it requires a lot of intelligence collection,” Eoyang continued.
“Because you have to really understand the other side, what they’re thinking, what their goals are,” she said. “That is one of those areas where as we think about how to go forward, as we switch from 20 years of counterterrorism focus to the great power competition and China as the pacing threat, we need to understand better and more deeply the intelligence context.”
The department, under what it has discussed as integrated deterrence, is taking a hard look at the role of cyber across other domains. Eoyang said this evolution in the department’s thinking will be clear in forthcoming documents such as the cyber posture review and cyber strategies.
She also said traditional models of understanding warfare don’t necessarily apply to the cyber sphere.
Cyberspace is ephemeral, she said, and using terms like warfare and domains — and even discussing cyber tools as “weapons” — isn’t accurate because the space can change so rapidly.
“When we think about warfare in all the other domains in which the department operates, air, maritime, land and even space, there is a geography and a location to that that allows you to target and think about boundaries, locations, bases, which is not the same as in cyberspace,” she said. “In cyberspace, it is a very ephemeral domain in many ways as people update their systems, as they patch vulnerabilities, transit within the domain is not necessarily linear. Some of that mental model of the physical domain in which the department operates for most of its warfare is not the same as in cyber.”
Cyberspace requires a new way of thinking, she said, noting a certain port will always be in the same location, but an IP address can disappear and reappear while programming languages can change.
This is one of the reasons for “constant contact” in the cyber domain, a pillar of the department’s cyber strategy. U.S. Cyber Command has sought to achieve this through persistent engagement, which involves challenging adversary activities wherever they operate.
“You have to constantly be in contact to be able to understand what the environment is like,” Eoyang said.
Since gaining new authorities allowing Cyber Command to be more assertive and conduct significantly more operations, defense officials have said they don’t need further authorities. Eoyang agreed.
“It’s a question of execution of authority and how we posture ourselves to sustain and continue to operate and to make full use of those authorities,” she said. “There are many things that go into effective operations, authorities is just one piece of it. There’s also manning, resourcing, doctrine, all of these other things and all of that as we get more experience in the operational space, we can continue to evolve.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.