Why cyber capabilities are more important than strategy

The Senate version of the 2018 defense bill calls for the creation of a cyber strategy, but one former DOD official says the U.S. must focus on capabilities and authorities first.

concept cybersecurity art
 

Sen. John McCain (R-Ariz.) has not been subtle in his calls over the last year for the U.S. to develop a cyber deterrence strategy, and the Senate's freshly minted 2018 defense bill now directs the Pentagon to create a comprehensive cyber strategy.

The Senate Armed Services Committee report "encourages the new administration to immediately prioritize the development of a cyber deterrence strategy that emphasizes both deterrence by denial and deterrence by consequence imposition."

The draft NDAA outlines a U.S. cyberspace and cyber warfare policy that states "that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond when necessary, to any and all cyberattacks or other malicious cyber activities that target United States interests…"

But, Eric Rosenbach, former chief of staff to the Defense secretary, told FCW on the sidelines of the July 13 Defense One Tech Summit that the more important provision of the Senate NDAA is the cyber posture review that the DOD must complete by March 1, 2018.

Rosenbach said there is an existing DOD strategy, and that the more immediate concern is making sure U.S. Cyber Command has the capabilities to defend and deter -- and that policies are adjusted to leverage those capabilities.

"It's really important to have the capability first, because the capability is the options that you bring to the secretary of defense or to the president and national security advisor," he said. "Once those options are there, they need to make policy decisions that bolster deterrence and that's where there will probably need to be a shift to a more aggressive posture from a policy perspective."

"I think working on technologies that help with forensics and attribution is really important," he added, saying that attribution is essential to deterrence.

"But when it comes down to it, we have to be more muscular and we need that offensive capability as well and continue to develop that," he said.

Rosenbach said offensive capabilities have matured significantly over the last five years.

"It's very difficult to make hard policy decisions if you don't know that you have capabilities that you can depend on, [that] react the way they are supposed to in cyberspace that you can predict," he said. "So I think now it's at the point where the authorities will not be a problem if you make a good case and can explain how the capabilities are going to work."

On the defensive side, Rosenbach said that while DOD networks are "pretty secure," and the rest of the federal networks are getting better, government needs to focus on making elections infrastructure more robust and helping "campaigns in a way that isn't too onerous that doesn't cross the boundaries of government and politics."

While Rosenbach said the capabilities need to come first, there is no question that the U.S. needs to build up its cyber deterrence posture.

During the summit, Rosenbach expressed serious concern over Russia's efforts to interfere in the U.S. election and its alleged intrusions into U.S. power infrastructure. He said that is a sign of U.S. failure to deter Russia.

"The Russians and a lot of other bad guys think they can get away with putting malware on our grid, manipulating our elections and doing a lot of other bad things, and get away with it because they have," he said.

Rosenbach argued that the U.S. is at risk until it is able to change that perception.

"When there's a strategic scenario in the world when it makes a difference as to the leverage we have on the Russians," he said, "in the back of our minds we'll think, 'well crap, they have malware in our grid and they may use that to do something to us.'"

"It's going to change a major foreign policy decision," he said.