The push to allow U.S. Cyber Command to go on the offensive is welcomed by former Chairman of the Joint Chiefs of Staff Adm. Mike Mullen, who says that nation-states targeting the U.S. need to pay a “fairly significant price” for their actions.
“I’ve thought for some time we were going to have to go on offense,” Mullen told CyberScoop. “Our training says until the enemy starts to pay a price, it pretty much has an open runway. I think that line has to be drawn, and we have to respond, and they need to pay a fairly significant price for what they’re doing.”
Mullen, who led the joint chiefs from 2007-11, said he is comfortable with Cyber Command taking on these offensive measures as part of its rise to a unified combatant command. The unit was officially given that distinction in May.
His comments come as he assumes the chairmanship at ITC Global Advisors, the newly formed cybersecurity advisory wing of ITC Secure.
During the interview, Mullen touched upon allowing private entities to hack back, the ZTE controversy and how the Department of Defense should embrace cloud computing.
The interview has been lightly edited for length and clarity.
CyberScoop: There’s been a lot of talk around Washington regarding the notion that private entities should be able to hack back if they’ve been attacked. Do you think the government should give companies the ability to hack back and go on the offensive?
Adm. Mike Mullen: I don’t know how we come to grips with the threat unless the private and government sectors are working together. There are major companies that do not want to share anything with the government. This is a very difficult time in terms of data, in loss of tools, that kind of thing. And look at the private side, the CEOs that have been marched out of their jobs due to lack of cyber capabilities. There’s great tension between security and privacy. How we come to grips with that … I don’t think that’s out there yet.
So to specifically answer your question, I haven’t seen a path where I could authorize a company, say, Sony Pictures, to respond to the North Korean government. So what about responding to criminal hackers? There is a heated debate about that, about what we should authorize, and what’s OK. That’s an open question. I don’t think there is much wisdom in letting private entities respond offensively to state-sponsored cyber intrusions.
CyberScoop: Another part of the conversation around offensive capabilities stems from the White House pushing Cyber Command to be more offensive. With the recent elevation to its own combatant command, is the offensive push a smart strategy for how to utilize that force?
Adm. Mike Mullen: The elevation was inevitable. It was going to have to become its own four-star command. I think in a case like Sony, Cyber Command would be the one to respond. I’ve thought for some time we were going to have to go on offense. Our training says until the enemy starts to pay a price, it pretty much has an open runway. I think that line has to be drawn, and we have to respond, and they need to pay a fairly significant price for what they’re doing. I would be very much for legal, regulated application of offensive capabilities.
CyberScoop: Speaking of threat actors, I would like to get your thoughts on the ongoing struggles with ZTE. China has long been considered our adversary in cyberspace, and over the past 18 months, the government has really started to tighten up with regards to what companies they want operating in the U.S. Do you think the government is handling the ZTE case well or would you go about it in a different manner?
Adm. Mike Mullen: I think those cases are indicative of the challenges we have down the road, in particular with China. I, along with many, am confused about ZTE. They’re a company that has been sanctioned twice now for giving away U.S. technology to China, a country that in many ways is a potential enemy until proven otherwise. So, I think giving our technology away needs to stop.
We’ve worked a long time to keep Huawei out of the U.S., and I strongly concur with those actions. So then I get confused about what’s the difference between Huawei and ZTE, and I haven’t seen much, other than they’re two different companies.
The bigger question is what we are going to do, long term. How does this fit into our relationship with China, particularly when you talk about how intertwined our economies are, the whole issue with the trade war, and what are we going to do about technology? How do we stay competitive in the future and how do we see us against this China 2025 program? There’s a lot there.
CyberScoop: I would love to get your thoughts on the DOD’s need to move to cloud. The JEDI contract seems to be positioned more for commercial cloud rather than hybrid or on-premises cloud environments. What’s your perspective on what DOD needs in terms of modernizing its IT infrastructure? Is commercial cloud the right fit?
Adm. Mike Mullen: We should be in the cloud. I don’t think there’s any question about that. I would be very comfortable saying that DOD is spending a ton of money, and moving to the cloud could save a ridiculous amount of money. But getting there, particularly when we build systems the way we have in DOD, where everybody builds their own cloud, I know enough about those complexities and trying to get them in one solution. It’s enormously challenging.
CyberScoop: So how should DOD balance the different factors? There’s this need for the DOD and the military branches to stay innovative and competitive with adversaries. What do you think DOD needs to do to position itself in terms of whether it relies on commercial cloud or on-premise vendors?
Adm. Mike Mullen: I’ve been through a couple of cloud drills, specifically with respect to security. If cloud providers can’t provide security for even unclassified information, they are not going to be around long. So they’ve invested an enormous amount to keep data secure. I think anyone who is going to make the decision to guard data should make that investment.
I do think the various levels of classification, we have to figure out what the crown jewels are and make sure that literally nobody has a chance at those. However, I do think there is a substantial opportunity well outside the “crown jewel” space. You can go into the commercial cloud and be secure. I mean, when the CIA puts a significant amount of its life in the cloud … it’s worked pretty well. However, that doesn’t mean that everybody should use the exact same model.
Billy Mitchell contributed to this report.