Thursday, March 25, 2021

Making the National Cyber Director Operational With a National Cyber Defense Center

The White House illuminated at night in Washington, D.C. (Robert Scoble, https://tinyurl.com/y5v2h5jk; CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)

The Biden administration has doubled down on cybersecurity, adding two senior positions in the Executive Office of the President: a new deputy national security advisor for cyber and emerging technology and a new national cyber director. To avoid churn within the administration and confusion elsewhere, the administration should clearly define the roles of these two positions. Perhaps the most critical role for the Office of the National Cyber Director (ONCD), and one unsuited for the deputy national security advisor, is to lead interagency planning and operational coordination for cyber defense; it should fulfill this role through a new National Cyber Defense Center (NCDC).

The United States needs a proactive whole-of-nation cyber defense campaign to bolster national security in the face of adversaries' sustained efforts to steal U.S. intellectual property, sow disinformation, gather sensitive intelligence, and prepare to disrupt or destroy U.S. critical infrastructure through cyberspace. This cyber defense campaign should have four key elements: cyber deterrence, active cyber defense, offensive cyber actions in support of national cyber defense, and incident management. Planning and coordinating such a campaign is an inherently interagency task, but it would fit poorly in the National Security Council (NSC) because of the NSC's past difficulties with operational roles and its staff ceiling of 200. It would also fit poorly in the departments of Homeland Security, Defense, or Justice, or in the intelligence community, because none of these institutions has the full range of authorities the task requires.

An NCDC needs to comprise personnel detailed from key departments and agencies, and liaisons from the private sector. Fortunately, such staffing is implicitly authorized in the recent legislation creating the ONCD. The degree of whole-of-government and whole-of-nation planning and coordination we propose for the NCDC would go beyond what the Cyberspace Solarium Commission has specifically recommended for the ONCD. This comprehensive approach is essential in the face of adversaries who are deliberately exploiting the seams between U.S. departments' and agencies' authorities, and between the U.S. government and the private sector. Without an NCDC, the ONCD will fail to move the needle in improving the U.S. cybersecurity posture.

Roles of the National Cyber Defense Center

The NCDC would conduct cyber defense campaign planning and coordinate U.S. government actions below the level of armed conflict, while also conducting contingency planning for cyber defense in the event of crisis or war. In support of each of these roles, the NCDC would plan and coordinate four intertwined lines of effort: cyber deterrence, active cyber defense, offensive cyber actions in support of defense, and incident management.

On a day-to-day basis, below the level of armed conflict, the NCDC would plan and coordinate a sustained cyber defense campaign across the U.S. government, while also enabling appropriate coordination with the private sector, state and local governments, and key allies and partners. This campaign would focus particular attention on China and Russia, as the most capable cyber adversaries of the United States, but would also address North Korea, Iran, the Islamic State and other cyber adversaries.

The importance and urgency of having a proactive, coordinated and sustained whole-of-nation cyber defense campaign is difficult to overstate. The stakes in the ongoing competition below the level of armed conflict include the health of U.S. democracy, social cohesion, and the U.S. technology advantages that undergird the nation's military edge and economic growth.

The NCDC would also lead interagency contingency planning for cyber defense of the United States in the event of a crisis or conflict. The most important work would focus on China and Russia, which have extensively infiltrated U.S. critical infrastructure with implanted cyber capabilities of a scale and sophistication that far exceed those of any other potential U.S. adversary. In the event of a severe crisis or conflict, China and Russia could use cyber weapons to hobble the U.S. military, cripple the U.S. economy, and sabotage systems that deliver life-critical services, all while conducting cyber-enabled disinformation and deception efforts to sow discord among the American people.

Contingency planning for cyber defense in crisis or conflict would improve the U.S. posture to deter aggression or coercion and would also inform cyber defense campaign efforts below the level of armed conflict. On the one hand, an overly passive U.S. approach below the level of armed conflict could invite adversaries to keep pushing out the limits until U.S. leaders finally feel compelled to respond with decisive force. On the other hand, an overly aggressive approach by the United States could cause a spiral of escalation. A well-calibrated approach in peacetime, based on an assessment of adversary interests and goals and an explicit assessment of escalation risks (which requires contingency planning for crisis or conflict), is needed to minimize the prospects of both failed deterrence and inadvertent war.

More broadly, U.S. cyber defense activities in peacetime provide the essential foundation for cyber operations in crisis or conflict, and so are essential to improving the U.S. ability to deter war. The organizations, processes, and trust relationships needed to inform and shape an effective active cyber defense of U.S. critical infrastructure, rapid decision-making for coordinated countermeasures at home and offensive cyber operations overseas, and cyber incident management cannot be created instantaneously when a crisis arises; they must be developed, exercised, and matured in peacetime if they are to be available in the event of crisis or conflict. U.S. peacetime cyber activities, including public-private partnerships that enable the real-time sharing of sensitive information and coordination of actions, provide a "platform" for cyber operations in crisis and conflict, and adversary perceptions of these U.S. capabilities in action can help to reduce the risk of great power war.

In furtherance of these two roles, the NCDC would plan and coordinate four interrelated lines of effort.

Cyber deterrence aims to reduce adversaries' perceived benefits and increase the perceived costs of major cyber intrusions, attacks or cyber-enabled campaigns. Such sustained adversary efforts have included China's theft of intellectual property and Russia's efforts to sow domestic discord in the United States. Because of the extensive vulnerabilities of existing U.S. networks, deterrence by denial alone will not be adequate against advanced adversaries, particularly China and Russia. Deterrence by cost imposition will be essential; this requires intelligence-driven planning to help policymakers assess what responses may be sufficient to promote deterrence but not so strong as to lead to undesired escalation. Shifting from a reactive to a proactive cyber deterrence posture will require integrating diplomatic, informational, military, financial, intelligence, and law enforcement tools, as well as coordination with the private sector and U.S. allies and partners.

Active cyber defense presumes that advanced adversaries, China and Russia in particular, have substantial resources and highly skilled teams that will allow them to penetrate even well-protected U.S. networks and systems. Active cyber defense therefore aims to rapidly detect and mitigate intrusions, increase the attacker's "work factor" (the time and resources required to achieve its aims by expanding laterally, exfiltrating information, and the like), and reduce the attacker's confidence that intrusions have succeeded and that any information extracted is accurate. Examples of active cyber defense tactics include "hunting" for cyber intrusions on one's own (and partners') networks, creating "honeypots" and "tarpits" to lure and trap cyber intruders in decoy servers, embedding false information on networks to mislead intruders, and publicly releasing insights into adversary cyber tools and tradecraft. Active cyber defense is increasingly being conducted by both the U.S. government and the private sector, but not in a comprehensive, coordinated campaign approach. There is much room for improved sharing of operationally relevant (timely and specific) information, intelligence and insights.

Offensive cyber actions in support of cyber defense can be both necessary and appropriate, as exemplified by U.S. Cyber Command's reported operations to thwart the Russian Internet Research Agency troll far