As an assistant professor at the U.S. Naval War College, Jacquelyn Schneider focuses her research on national security and political psychology as they pertain to cybersecurity and autonomous technologies. She draws insights from war games about what warfighters and other stakeholders would deem acceptable in conflict scenarios.
Schneider talks about the challenge of recruiting technological talent to the military, given the promises of the private sector. She also discusses the complex issue of what works and what doesn’t when it comes to deterring cyberattacks against the U.S.
Disclaimer: The views Schneider expresses in this interview are her own and she was not speaking on behalf of the U.S. Naval War College.
CyberScoop: Starting off pretty broadly, what are some of the biggest challenges the military is facing in terms of protecting critical infrastructure and its own infrastructure from cyberattacks?
Jacquelyn Schneider: I think the greatest challenge is understanding what the vulnerabilities are and what the cascading effects of those vulnerabilities are to conventional operations or physical effects. And so because it’s hard to visualize what the extent of the effects might be, I think that makes it hard for people to conceptualize how important the threat is.
CS: You wrote recently about the cultural divide between the private sector and the military and the effect that has on recruitment. What obstacles are there in the military when it comes to recruiting for cyberdefense positions?
JS: Yeah, we have a lot of trouble. We have a talent problem and one of the biggest problems that we have with recruiting and retaining talent is that we don’t even know what kind of talent we’re looking for. So that’s the biggest problem. I don’t think we understand how large the talent delta is between what we have or what we’re recruiting for currently and what’s in the private sector. And because of that, I don’t think we see the same level of urgency that we do in some of the other domains, like pilots, for example. We know there are not enough fighter pilots because it’s really clear to measure what skills a fighter pilot has. Right now we don’t really have a great way to measure the skills that we need within our military cyber populations and compare that to what’s out in the private sector.
The other huge problem — this is a pet peeve of mine — is that sometimes when we talk about this in the military circles, we say, “Well, it’s fine because we’ll use the reserve or we’ll use the [National] Guard, and so it’s not really a problem because we have this way of bringing people in, not full-time.” But the reserve and the Guard, those aren’t magic pixie wands either, and they have problems themselves with recruiting and retaining talent. You’re asking people to sacrifice time from very lucrative civilian jobs, where they spend a lot of time and effort. And then quite often we’re not letting our reservists even do a lot of hands-on work because they’re spending so much time with aging IT to try and stay up on standard military requirements like getting their physical health assessment or signing their performance report using the right version of Internet Explorer, which is not the most updated version of Internet Explorer.
CS: Do you think there’s a gap between what the public thinks matters and what actually could threaten us?
JS: I definitely think there’s a gap. I think that we have maybe focused on too many low-level potential threats because we thought that it mattered to the American public. I’ve heard over and over again, people say, “Oh, the American public would be up in arms if their iPhones didn’t work.” And I actually don’t agree with that. I was in New York for 9/11, so I’ve seen how people can rally around each other and how little these kind of technological conveniences people need when push comes to shove. And so I’m not sure I agree that that would set Americans over the edge.
But I wish that there was maybe more of a public outcry about safeguarding our governance and our institutions from cyberthreats. I think that there are probably pockets within the American government that understand how grave the threat is to some of these institutions and some parts of governance, and that probably is something that we need to figure out how to have a better conversation with the American public and not do it in a partisan way. This is truly something that is truly about America regardless of what you feel politically.
CS: There has been a lot of debate recently over what an appropriate response would be to a devastating cyberattack on the U.S. and whether a kinetic or even nuclear response would be warranted in terms of deterrence. Do you think the U.S. needs to work on its deterrence against cyberattacks?
JS: I think there’s actually a big move within national security circles to kind of throw cyberdeterrence out right now. I think that we have used cyberdeterrence too pervasively over the last eight years and thinking about trying to deter everything. I think there is a real role for deterrence of very significant attacks, but they have to be attacks that kind of hit the threshold of what the domestic population cares about in order to use deterrence by punishment — which is threatening to attack in various domains or use sanctions. In order for that to be credible, it has to be a pretty high threshold that people care about.
I think we should be very specific, at least in our own policies, about what we care about deterring. And once you’ve identified those things that we care about deterring, then we can have very credible punishment responses. It means making it more difficult just with technology and with defensive measures for state and non-state actors to create large-scale effects and part of deterrence by denial is having resiliency. And that means thinking about “How do we operate if the digital infrastructure goes down? Do we have a backup? Do we have a way to do this on paper? Is the data stored in lots of different places so that if one data center is attacked, we have the ability to back up?” So it’s thinking about those kinds of setups in our infrastructure.
And I think that there’s something outside of deterrence, which I’ve been calling “counter-cyber-operations,” which is the use of the U.S. government and all its ways — whether that be military, whether that be economic, whether that be diplomacy — to try and degrade adversaries’ offensive cyber-operations. So you can think about this a little more like counterintelligence than you would an attack, where you’re just decreasing your adversary’s ability to take that attack against you. And if we think about that in that way — with counter-cyber-operations, deterrence by punishment for a very few select types of targets, and deterrence by denial for the vast majority of our vulnerabilities — then I think that could start looking a little bit more like a strategy and a little bit less like us trying to play pick-up.