U.S. Cyber Command is shifting the way it measures success from solely military outcomes to how the command enables other government agencies to defend against foreign offensive cyber threats.
Brig. Gen. Timothy Haugh, who is in charge of Cyber Command’s Cyber National Mission Force, said on Tuesday at an event hosted by the Atlantic Council that success is “not necessarily [about] the department’s outcome,” but is instead about “how can we enable our international partners [and] our domestic partners in industry to be able to defend those things that are critical to our nation’s success.”
Haugh said Cyber Command is doing its job right if agencies are taking their own actions: State Department issuing démarches, Department of Homeland Security releasing alerts, and Treasury Department announcing sanctions “based off of information that is derived from our operations.”
In the past, Haugh said he believes that these outcomes may not have been considered as wins.
This shift in benchmarking comes amid newfound leeway at the Department of Defense to launch offensive cyber measures. Last year, President Donald Trump issued a revamp to the White House’s offensive cyber policy, which federal Chief Information Security Officer Grant Schneider last week deemed an “operational success.”
The Pentagon likewise released a new strategy that enabled it to “defend forward,” and lawmakers gave the Pentagon increased authority in the National Defense Authorization Act of 2019.
Haugh’s comments come at a time when Cyber Command’s newfound authorities have been put into action. The command was reportedly able to successfully disrupt activities of the Russian-backed Internet Research Agency prior to the 2018 midterm elections.
“While you certainly want U.S. Cyber Command to support other agencies’ actions, Cyber Command’s core role remains defending the nation in cyberspace, including using offensive capabilities when directed to do so,” Jamil N. Jaffer, former senior counsel to the House Intelligence Committee, told CyberScoop.
Gen. Paul Nakasone, the commander of Cyber Command and the director of the National Security Agency, suggested in this quarter’s Joint Force Quarterly that “success is determined by how we enable and act. In persistent engagement, we enable other interagency partners.”
“This is definitely what Cyber Command should be doing and thinking,” a former DHS senior cyber adviser told CyberScoop. “Cyber Command’s actions, just like any other military command, should be focused on achieving national strategic goals. In physical space, traditional military activity can directly impact the national strategic goals through numerous ways and do so positively. But I don’t believe this ‘primacy’ of the military translates to cybersecurity.”
The U.S. has also increasingly been willing to call out cyber-espionage over the last few years. By the end of 2018, the government had issued more hacking charges against foreign entities than the prior five years combined, Deputy Assistant Attorney General Adam Hickey said at the Atlantic Council event.
Despite that push, Jaffer said more was needed from other government entities to thwart the country’s adversaries.
“When it came to responding to cyber attacks, the [Obama administration] largely limited itself to naming-and-shaming and sanctions actions, along with some indictments, which to be fair, was more aggressive than ever before, but that still wasn’t enough to really stop the bleeding,” Jaffer said.
Nakasone said in the Joint Force Quarterly interview that the notion of “defending forward” is crucial for success in the future.
“How do we warn, how do we influence our adversaries, how do we position ourselves in case we have to achieve outcomes in the future?,” Nakasone said. “Acting is the concept of operating outside our borders, being outside our networks, to ensure that we understand what our adversaries are doing. If we find ourselves defending inside our own networks, we have lost the initiative and the advantage.”