Cyber Risk Wednesday: Operationalizing Cyber Strategies

On February 27, 2019, as part of its Cyber Risk Wednesday event series underwritten by Raytheon, the Atlantic Council’s Cyber Statecraft Initiative hosted a public panel discussion on how the United States can operationalize its cyber strategies. In 2018, the Department of Defense, Department of Homeland Security, and the White House all released their own cyber strategies. As the increasingly complex cyber landscape continues to evolve, it is essential that the US can execute on these high-level strategies to provide a solid strategic framework for advancing US interests through enhanced cybersecurity.

Moderated by Scowcroft Center for Strategy and Security US Navy Senior Fellow CDR Joshua VerGow, the panel largely agreed on what the US needs to work towards regarding cybersecurity strategies but differed on priorities and implementation. RADM Bill Leigher, Director of Department of Defense Cyber Warfare Programs at Raytheon Intelligence, Information, and Services, echoed the five themes from General Nakasone’s recent testimony before the Senate Armed Services Committee, claiming that the US must focus on its warfighting ethos, the readiness of its cyber force, its strategic partnerships, operating infrastructure, and how its cyber force fits into the modern strategic landscape of great power competition. Ms. Madeline Mortelmans, Principle Director for Cyber Policy in the Office of the Under Secretary of Defense for Policy, focused on how cyber has become a key component of the US national security imperative, emphasizing the DoD’s efforts to “break cyber out of the geek ghetto.” She also highlighted several key changes and outcomes that have already occurred within the DoD, such as new Pathfinder projects to defend US critical infrastructure and an agreement to provide offensive cyber support to NATO operations.

While all the panelists agreed that the recent changes have been positive and that the strategies themselves are strong, Jason Healey, Nonresident Senior Fellow at the Cyber Statecraft Initiative at the Atlantic Council and Senior Research Scholar at Columbia University’s School of International and Public Affairs, stated that the US needs to think more about the long-term implications of these strategies. He emphasized that forces are always in tension when it comes to cyber, and that a strategy of persistent engagement is a good approach to counter the inherent friction that occurs with any cyber operations. He also called on American leaders to keep themselves informed on the evolving cyber activities of other nations.

Following their opening remarks, panelists explored what the US’ cyber priorities should be going forward. RADM Leigher focused on the need for force-wide readiness and clear command and control policy. Ms. Mortelmans stated that she believed that a more complex and robust workforce, new relationships and partnerships both domestically and internationally in order to address this shared space collaboratively, and an increase in day-to-day cyber operations needed to be priorities for the DoD and the US. Mr. Healey spoke about the long-term dynamics of cyber interactions and the role of private sector and mentioned the importance of metrics to determine how these strategies affect operations and policy.

The panel also addressed how to make the relationship between the public and private sector stronger and more collaborative, an important issue as so much of the cyber “fight” takes place within private industry. Mr. Healey discussed the possibility of “defense support to the private sector,” and even recommended establishing a “joint task force that is just there to provide support to the private sector.” Ms. Mortelmans laid out two types of DoD relationships, each with a distinct set of responsibilities. Organizations that provide goods and services to the DoD are under “contractual obligations that require them to meet certain standards, reveal when they have been compromised, and cooperate with us in those situations.” Organizations that voluntarily cooperate with the DoD and the US government have a different set of responsibilities. By encouraging communication and collaboration between DHS, DoD, and the private sector, it benefits each actor and allows them to focus on their strengths while helping to establish a more collaborative and secure nation.