OPINION — “Right now, the offensive side has all the capability and we on the defensive side have got to run a new defense.” That was John Sherman, the Defense Department’s Acting Chief Information Officer (CIO) when asked what keeps him up at night during a House Armed Services Subcommittee hearing on Information Technology and Cybersecurity on Tuesday, June 29, 2021.
“We are going to run a new defense,” Sherman said, “and it’s going to involve making it about the data in the systems as well as artificial intelligence (AI); how we can bring that [AI] to bear so we don’t segment ourselves and have-to-have tens of thousands of defenders doing the work that a set of AI algorithms [can do].”
Sherman is no amateur on the subject. He was the Intelligence Community’s CIO where he introduced advancements in cloud computing, cybersecurity and interoperability capabilities. Before that, as a CIA Deputy Director, he built up the agency’s Open Source Enterprise.
That same day, June 29, Gen. Paul M. Nakasone, the director of the National Security Agency and head of U.S. Cyber Command described in specific terms the challenge ahead. Speaking virtually to the WEST 2021 Conference of the U.S. Naval Institute and Armed Forces Communications and Electronics Association, Nakasone said, “The scope of what we need to defend and protect has dramatically expanded.” He described the Defense Department’s information network as composed of 15,000 sub-networks, 3 million users, 4 million computers, 180,000 mobility devices, 84 different Defense Department-run internet access points, and 605 million website requests a day.
“We used to think about cyberspace as merely the need to protect these computer networks,” Nakasone said. “And while it’s a good place to start, the attack surface is much broader. We need new ways to keep it safe.” For example, he described the need to now protect Navy and Marine weapons systems and the ability to get them new software updates even when ships are out on months-long deployments.
Sherman told the House panel, “Cyber security is my top priority as CIO, along with modernization.” He said that while the fiscal 2022 budget lists $5.5 billion for cyber security, “there’s more in the budget that we ought to be able to reflect,” such as computer protection programs purchased from vendors. “Software capabilities and networks are also critical to our success,” he said. “[We] will release a software modernization strategy later this summer that builds on already developed guidance. We are dedicated to delivering resilient software capability at the speed of relevance.”
When asked about current risks, Sherman said, “The main priorities are all being answered in the President’s budget, but we do have some risk areas.” He singled out weapons systems and critical infrastructure, “recognizing that our adversaries are going to be coming after those two.” Moving beyond just the Department of Defense Information Network, which is under his charge, Sherman said, “Looking at weapons systems and elsewhere…because some of these programs were started in the 90s when cybersecurity was in a different place, we have a better way to come at this type of area where we’re carrying some risks that I want to do a better job of working with our colleagues in the Department,” mentioning Gen. Nakasone specifically.
Software capabilities and networks are also critical to our success.
—John Sherman, Acting Chief Information Officer (CIO) of the Defense Department
Toward the end of the hearing, Rep. Scott Franklin (R-Fla.), a veteran with 26 years as a Navy pilot, brought up the subject of accountability around cybersecurity. “In the physical domain,” Franklin said, “a commander would be held accountable if he or she lost equipment or mishandled it. To what extent do you believe commanders are held sufficiently accountable for not caring for DoD information systems in their care?”
Sherman described that responsibility as “an evolving area” which he, as a former Army officer, felt passionate about. “If you roll out of a motor pool without proper ammunition or fuel on your [Bradley] fighting vehicle, or push a ship off the dock etRcetera, you’re held accountable for that. Part of it is how we can ensure there is instrumentation and that the commanders and the ship drivers and the maneuver commanders know what’s going on – on their weapons platforms. So, if there’s going to be accountability on this, we’ve got to be able to monitor what exactly is going on there.”
Sherman said the subject is being looked at. “We have brought this up to our leadership and have some work to do on it,” he added.
“I agree,” Franklin said, “From a Navy standpoint, it’s always been known that the captain is ultimately responsible. It doesn’t matter if he or she is on the bridge if the ship goes aground. You’re relieved of command and, at some point, we’re going to have to understand that the potential damage from cyber intrusions are going to be just as serious as those.”
To what extent do you believe commanders are held sufficiently accountable for not caring for DoD information systems in their care?
—Rep. Scott Franklin (R-FLA), former Navy pilot
At the same time that Sherman and Nakasone were focused on cyber defense, the Defense Advanced Research Agency (DARPA) was receiving proposals for feasibility studies on two innovative AI offensive information warfare systems to combat what is called “digital authoritarianism,” a term that describes an authoritarian regime’s use of technology “to surveil, repress, and manipulate domestic and foreign populations.” At least, that was the description given by Josh Baron, a DARPA Information Innovation Office Program Manager, in his June 8, Defense One article.
One DARPA program is called Measuring the Information Control Environment, or MICE. It wants to develop artificial intelligence technology to “measure how digitally authoritarian regimes repress their populations at scale over the internet via censorship, blocking, or throttling,” according to a DARPA proposal made public June 1. The proposal said, “There is a need for real-time, comprehensive tools that establish ground truth for how countries are conducting domestic information control. This capability would enable the Department of Defense to strengthen existing United States Government efforts to help curtail repressive actions in cyberspace by either raising awareness (and establishing norms) or by the development of tailored capabilities to combat these repressive actions.”
The second DARPA proposal is to study the feasibility of Mobile Anti-Totalitarian HumaNets (MATH), the purpose of which is to use smartphones to disseminate information within highly censored environments where speed of message delivery is not of primary importance.
A HumaNet is an unmonitored and fully decentralized smartphone-to-smartphone message delivery network that is resistant to surveillance and blocking, albeit at a cost of significant delay. It exploits smartphone capabilities and human behavior to create decentralized networks where a sender routes a message towards a receiver based on pre-determined places and times that the receiver is likely to be located.
DARPA used two examples to show situations where a MATH would be useful. One was described as “messaging by military personnel seeking rescue from behind enemy lines where conventional communication might enable identification, geolocation or time correlation and put the individual at risk for capture…” The other was where there was a need for “creating a decentralized service enabling sharing of information that totalitarian regimes would otherwise suppress.”
On both offense and defense, cyber is becoming the weapon system of the future.
Pulitzer Prize Winning Journalist Walter Pincus is a contributing senior national security columnist at The Cipher Brief. He spent forty years at The Washington Post, writing on topics from nuclear weapons to politics. He is the author of Blown to Hell: America’s Deadly Betrayal of the Marshall Islanders (releasing November 2021)