Podcast transcript: Should the US cyber army be more aggressive?

This automatically-generated transcript is taken from the IT Pro Podcast episode ‘Should the US cyber army be more aggressive?’. We apologise for any errors.

Adam Shepherd

Hello, I'm Adam Shepherd and you're listening to the IT Pro Podcast. Over the last decade or so, the cyber security industry has had to cope with a growing and particularly troublesome threat in the form of nation state attacks. These can take many forms, but at their heart, they all revolve around a foreign power exploiting technological vulnerabilities to destabilise their enemies and give themselves an advantage. In recent years, China, Russia and North Korea have repeatedly been accused of using these tactics against the US. So is it time that the US started fighting back with cyber attacks of its own? This week, I'm joined by IT Pro's US managing editor Justin Cupler, and staff writer Zach Marzouk to discuss whether or not America's cyber forces should take a more aggressive stance. Thanks for joining me, guys.

Justin Cupler

Thanks for having us.

Zach Marzouk

Hey, how's it going?

Adam

So to start off with, I think it's worth talking about what the US military's cyber capabilities currently look like. Now, Zach, I know you've been doing some research into this.

Zach

Right now, the US has something called the United States Cyber Command. And I was looking into this because I think we were talking about whether or not the US should have a cyber force of some kind. And then we stumbled across this organisation. And I was actually quite surprised that they don't have a cyber force. The United States Cyber Command sits in the DoD, but it's not a military service branch. So right now, there are six branches in the military service, which include the Army, Marine Corps, Navy, and Air Force. Now the Cyber Command sits, like, below it, as something called a unified combatant command. And what they've basically done is take military units and splice them together to try and, I guess, counteract cyber attacks from other countries. The components that make it up are from, like, the Air Force, the Navy, the Army, and the Marines. I don't know if that's, you know, the best organisational structure for dealing with cyber attacks, or ensuring that you have the right cyber defences in place. And there's definitely a case to be made as to whether they actually need a proper cyber force going forward.

Adam

Now, I think it's worth pointing out that the US Cyber Command was only recently upgraded to a unified combatant command; that was under the Trump administration. Now, that's the highest level military command structure. It's on par with Spec Ops, the Special Operations Command, and it goes alongside the regional command structures. So there's one for North America, one for Europe, one for South America, etc, etc. But, Zach, you're right in pointing out that it's not a separate branch of the military. So let's talk then about some of the advantages that would come from having a dedicated cyber force that occupies the same kind of status as the Army or Navy. Justin, what are your thoughts on this?

Justin

I think, if you bring it up to that level, there are positives and negatives. Positively, they would have, of course, more budget, more capabilities and things like that. But the negative side of this and impacts are right now actually, it also because it's still a part of the military. But a big impact is going to be military combat is very strictly regulated. So if they were part of the military, it'd be very difficult for them to go out and do offensive attacks without having been attacked first; rules of engagement come into effect at that point. So if we're not engaged, we can't go out and engage back. So there's some positive and negative there: you have the budget coming in and an actual dedicated structure that they can put together and build and encompass all the branches in the military in one space and cover the entire nation, but you have that other side of it's going to be heavily, heavily regulated, and maybe even less offensive than it is now.

Adam

And I think that's a very important point that we will come back to later in this discussion around the ability to launch offensive strikes without kind of specific provocation. So we've talked already about some of the military branches from which Cyber Command pulls its resources and personnel, the army, the Navy, etc. What other law enforcement agencies and other cyber resources does Cyber Command and the US military in general pull from, does it have any kind of links with the CIA, the FBI, any other kind of existing law enforcement, federal branches?

Justin

Now, because it's military, and we're talking about the CIA and NSA and things like that, it's highly, highly secretive. So there's some speculation out there and everything, but my understanding of it is, it does not pull any resources from places like the CIA, NSA and things like that, because they are completely separate branches. We can get into later about how the CIA could actually take this and push it forward, make it a more offensive thing, we'll get to that later. But currently, no, from my understanding of it, all the resources are pulled from the military, they bring in folks who are cybersecurity experts. And they pull these people into the Cyber Command from colleges and so forth.

Adam

So the NSA in particular, latterly the FBI and CIA as well, but the NSA in particular, has been really, really hot for a long time on cybersecurity and technology in general. Is the US military up to the same standard of sophistication, let's say in terms of technology, and in terms of cybersecurity, in particular, do we think?

Justin

In my opinion, given they've been going at cybersecurity since, like, 1972. So it's not something new in that aspect. But given it's only established since 2010, and they have never really specialised in it until 2018, I don't think they're up to par with what the NSA, CIA can do at this point. These are folks who work covertly, who have things that nobody knows that they have, and they can go out there and attack directly. Whereas the military has fewer resources, because they now have to spread across different areas you have to spread to, you know, they have the weapons and they have people with instead they have all these other areas that their funds are going to, so I don't believe the military quite has that capability, which again, we can tie back into later about the CIA possibly taking this over.

Zach

I think just related to that point, they may be severely limiting themselves, if they're only choosing a talent pool from the military. We're talking about a country which has, you know, Silicon Valley, and all the cybersecurity specialists that are there. So if it does go on to establish the cyber force, it might actually help them a lot to look beyond the military for recruitment. I know we've just published a feature piece about why you should, like, recruit military veterans, I believe. But I think we need to go a little bit further than that.

Justin

Yeah, there's actually a study that they found that's from the International Institute for Strategic Studies, they actually said the US is the top cyber superpower in the world. And part of that was our education and our access to equipment. But one of the downsides they're talking about is our ability to go out there and attack because of the segmentation of our military and everything.

Adam

So in terms of recruiting to the military from the private sector for cybersecurity, and kind of cyber warfare, if you like, specifically, that's something that other countries are very, very good at. And we should say that this discussion is slightly complicated by the fact that, Justin, as you mentioned, this is to do with, you know, the military and national security. So details on any of the specifics of this, both in the US and for other countries, are extremely sketchy. You know, there is a lot that we just don't know. But one thing that we do pretty much know is that countries like Russia and China are actually really good at subcontracting their, particularly their offensive cyber security stuff to the private sector effectively. And whether that's actual security companies or criminal organisations, which has been known to happen, it's a real example of a state organisation bringing private sector expertise into its capabilities.

Justin

Yeah, I think part of our problem here, the problem here is twofold. The first is the US government is a little leery on some contractors in the cybersecurity area. I mean, Edward Snowden, just right there alone. They're a little wary about that at this point. And then the other issue is the recruitment into the military. So they try to recruit people into the military. Now, Russia will go out there and recruit anybody for this role. In the US, they have very, very strict requirements for anybody going into the military, unless you are a contractor. If you have not 20/20 vision, you have asthma, you have a bad back, you have a risk condition, any kind of condition. Whether you are a communications person, a press secretary, or a cybersecurity person. If you have any of these issues that might impact someone who's going to war, you still can't join our military. You take me, for example, it was probably three years ago, four years ago, I actually applied for a communications job as a writer, and they actually turned me down because of my asthma, 'cause I would have had to go through basic training, I would have to go through all the same things that a normal military person has to go through, which I can't do according to their rules. So then they have to go to contractors. And the problem is, again, they're a little bit leery about contractors when it comes to cybersecurity, because of the Snowden issue and other issues you've had in the past.

Adam

It's crazy to me that in order to do what is essentially a desk job, you have to be held to the same physical standards as somebody who is going to be, you know, a field combatant. That seems, you know, just really, really limiting for a country that wants to compete on the same kind of level as countries that don't apply the same logic.

Justin

I think that is one of the important factors that would probably have to change if they really push forward. And again, this will all tie back into the whole conversation about the CIA.

Zach

Yeah, you're also gonna have to really compete with the private sector. And if you're telling someone who's interested in cyber security, you have to come and do boot camp first for, you know, two months, or whatever it is. Or you can go to Silicon Valley, get a, you know, high paying job, and just get into Silicon Valley life. I think it's quite an easy decision for many cyber security experts.

Adam

Yeah, absolutely. And that kind of brain drain effect is a big concern for, well, for any public sector organisation that's looking to recruit technical talent. But I would imagine for the military in particular, it's a big concern.

So let's dig into then some of the other attitudes to this around the world. What kind of military cyber capabilities do other countries have?

Justin

When you look at the big ones are China, Russia, North Korea, which on the list I was telling you about from the, what is it, the IISS, they were ranked eight, nine and 11, respectively: China was eight, Russia was nine and North Korea was 11. Their issue, their things are is they are more offensive, of course, they are constantly penetration testing countries. China, during times of peace, is actually notorious for just going out there and testing everything; all those little hacks you get from China is them seeing where our vulnerabilities are. And so they can note them instruct them whenever the time is right during warfare.

Zach

I would say that there's a fairly low barrier to entry when it comes to cyber attacks, especially when you compare it to fighting the US on the sea, land or the air, you've got this whole new space where the US seems to be fairly unprepared. And it's maybe very tempting to just enter that and pull some resources into it. I don't think it's going to be very expensive to do so. And it can be quite effective, not only, you know, taking down critical infrastructure, but also in terms of, like, psychologically, because, you know, if the fuel pumps go down, for whatever reason, because of an infrastructure attack, or like the Colonial Pipeline attack, it can send out panic among the population.

Adam

Yeah, absolutely. And I think that's a really, really good point. If any country wants to engage the US in a typical, you know, a typical ground conflict, you've got the cost of not only training the necessary amount of soldiers, equipping them, all the rest of it, you've got the cost of mechanised infantry, tanks, troop carriers, planes, all of the tech infrastructure that you need to support that. Whereas if you are engaging in offensive cyber operations, you need much, much less resources. Essentially, all you need is as many IT people as you can get together in a room with, you know, a couple of servers for, let's say, six months, until they've managed to crack whatever it is you're wanting to target. Instead of spending trillions on personnel and equipment, you've got just a time investment. And that's basically all you need. So cyber forces are in development, not just in the US and the countries we've already spoken about. Norway and Germany both have relatively recently formed cyber forces. The UK last year announced plans for its own National Cyber Force. Now all of those are largely defensive in nature. They're focused on preventing some of the attacks that we've already spoken about: attacks on businesses, attacks on critical infrastructure, all of that kind of stuff. They're not as focused on directly mounting offensives against enemy groups or enemy nation state actors. And this makes a contrast to some of the operations that we've spoken about already. But it's worth pointing out that the US has already conducted some offensive strikes that we know of. So the Internet Research Agency, which is a state linked Russian troll farm, essentially, that conducts, for want of a better word, psyops, that was taken down during the 2018 midterms to limit the potential for interference. Now, the Internet Research Agency in particular was one organisation that was accused of interfering in the Democratic primaries in 2016. And that was taken down by the US Cyber Command. The US Cyber Command also engaged in a strike on Iranian computer systems that were used to plan an attack on oil tankers in the Persian Gulf.

Justin

If you go way back, even before the creation of the US cybercom, it's actually back in 2008, the US hit Iran also, they hit a thousand centrifuges that were enriching uranium back in 2008, so it's not a new thing.

Adam

Our old favourite Stuxnet. Stuxnet is the go-to example for offensive cyber operations. But again, it's worth pointing out that Stuxnet, although it is widely accepted that that particular attack, which was meant to, as you say, destabilise Iran's nuclear programme, it's widely accepted that that was a joint operation by US intelligence and Israeli intelligence. But nobody to date has ever formally confirmed that; we don't know for sure that that was the US. And that begs the question, how many offensive cyber operations has the US carried out that we just don't know about? You know, as we've mentioned already, there are very good reasons why states and intelligence agencies and all of the other kind of various departments don't really talk about the kind of operations that they do. So there's a very real chance that the US is doing this kind of stuff. And we just don't know about it.

Justin

Yeah, there is a chance, but the chances of it actually being any ties whatsoever to the military is highly unlikely, because again, we come into the rules of engagement, the rules of war, what we are or are not allowed to do, which we adhere to, sometimes pretty tightly. So to think that they would actually strike someone that wasn't a threat, a direct threat, would be doubtful, in my opinion. Now, uranium enrichment, that is a direct threat. If you're enriching uranium, there's only one reason you're enriching uranium. That's a direct threat. So striking them would be not a problem, you know, getting the authority to do that. But just to go out and start striking systems because they think there's a problem, that I doubt would happen.

Zach

I think it is quite hard to establish all the facts here. It seems to be, like, very murky. There's a case from I think 2019 where the US, according to the New York Times, supposedly US military hackers were targeting Russian power plants. However, President Trump dismissed the allegations and called it fake news, as you can probably guess. But the Russians definitely said that the attacks had come from the US. So yeah, it's quite hard to establish exactly what's happening. And if there are any attacks going under the radar.

Adam

Hmm. One interesting point on what you mentioned, Justin, around kind of justification for attacks without a defined provocation, let's say, is that the 2018 DoD cyber strategy placed a really firm emphasis on what they termed defending forward, so rather than being reactive, in terms of responding to threats, it placed a much firmer emphasis on stopping hostile cyber attacks at their source before they could have an impact. So pre-emptive strikes essentially or as, you know, as near as makes no odds.

Justin

Yeah, I think that that puts out a good word, but the thing is, there's still rules behind it, they still have to go through the proper chain of command to get the authority to do these things. So they may have that put out there that yes, it's going to be a defence forward, but it's still defence, so they still have to go and say, Okay, we're defending because of this. Here's the reason we're defending this, like the uranium enrichment and things like that, we're defending because we have a good lead that this is happening. So we need to do this. So yeah, they can defend forward but they still have to have that proper provocation of some sorts to go after them.

Adam

What position then does that put the US in in terms of establishing itself as a kind of cyber superpower, if you like? I mean, clearly, we've seen that the organisations that the US is most contending with in cyberspace don't necessarily subscribe to those kinds of rules of engagement, particularly when it comes to cyber stuff, does that kind of focus on due process, if you like, leave the US at a bit of a disadvantage?

Justin

It does. But there are ways around this. So while the military is very heavily regulated, it'd be very difficult to have a cyber force in the military, because of all those regulations. If we were to take that idea, and push it over to one of our more covert agencies, CIA, FBI, as I was implying before, if they push that over to the CIA, suddenly, those rules of engagement go away to a point. Because they are covert, they can do essentially whatever they want, because nobody knows what exactly they're doing. Um, so that's one of the points that I read is that in the future, the future of our cyber army may not be a cyber army. It's going to be a cyber police force that will go out there and find those hackers and the nation state attackers, and hit them first with nobody actually knowing.

Adam

Yeah, and that notion of a cyber police force, I think is very important because as we were alluding to earlier, a lot of the state backed activity that is targeting the US in recent years, hasn't always been from military or even state intelligence operatives. It's been subcontracted to criminal groups in those countries for plausible deniability. So the, you know, to pick an example at random, the Russian government can turn around and say, Oh, no, it wasn't us that unleashed this, you know, devastating ransomware attack, it was those naughty cyber criminals who absolutely weren't acting under our direct orders and supervision, no, honest, promise. And so fighting that kind of activity, you know, you can't necessarily use that as a pretext for a military strike, because it wasn't provably carried out by or under the orders of the military.

Justin

Yeah, and that's exactly where the CIA can come in. And they are, they are capable to go after private citizens. Because that's, that is what they do, they can get the permission and the required clearances to do that. And sometimes, again, they sometimes don't even get clearance, they just go take care of it and get out.

Adam

So we've talked a lot about the justifications needed for launching a military cyber action. And you know, what, what counts as a proportional response and all that kind of stuff. But at what point does a cyber attack lead to a physical war?

Zach

Yeah, I think this is known as what's called a grey zone, where the attacks are carried out, come just below a certain threshold for a US military response. I mean, it's interesting to see if that threshold is changing, as time goes on, as we've seen from the last year, you know, they've had attack after attack, and no military response for now, thankfully. Biden did say earlier this year that the US could end up in what he called a shooting war, which is an actual physical war with a major power as a result of a cyber attack. So it's definitely something he's, I guess, paying attention to.

Adam

Yeah, it's an interesting kind of grey area, as you mentioned, because there is an argument to be made that cyber attacks actually end up being more damaging than a shooting war as it were. Because cyber attacks, as we've seen, can impact everyone in a given country. The Colonial Pipeline attack, for example, while that wasn't necessarily state sponsored, the effect that it had on the US was pretty catastrophic. And if it was state sponsored, and if it was carried on for a kind of concerted period of time, rather than just kind of holding it until they got the ransom paid and then restoring the services, if that carried on for a number of months, let's say, the effect of that would be absolutely catastrophic for the US economy, for its military operations, if it can't get the fuel that it needs to kind of air bases and that kind of thing. And, you know, not to mention all the attacks that there have been on healthcare systems in the US and around the world. Whereas in a shooting war, you have kind of the impact on ground troops and on civilians in the given combat zone. But beyond that, the effect is, I would argue, relatively limited.

Zach

Yeah, for sure. So I would say that US civilians are involved more when it comes to cyber war, whereas other civilians in proxy wars are impacted a lot more in potentially more horrifying ways, but they're taking the action to the US.

Adam

So then, with that in mind, should the US military be putting more effort into stopping cyber war versus preventing or resolving shooting wars?

Justin

In my personal opinion, I think the way it needs to go is the way I spoke before, is don't leave it in the hands of the military. It is too hamstrung, its hands are tied behind its back half the time, they do not have the recruiting capabilities, they don't have the technical capabilities as some of our other agencies. And those other agencies are primed for this kind of stuff. They have the kind of leeway to handle these things. So why put it in the hamstrung military side, when you can put it over to the CIA? Let them handle it, and they can go offensive and do all the things that the military can't do. Now, should the military still be focusing on defending its processes, its networks and things like that? Absolutely. Which was the original focus of this department. So should they go back to that? And just stick to that? Yes. But I think the actual offensive and the penetration testing and the tapping on different systems to find out where their weaknesses are, I think that should go directly over to the CIA, the agency that can actually do this kind of thing legally.

Adam

Yeah, as legal as the CIA ever is.

Zach

I agree with Justin here, I think it needs to be taken out of the hands of the military. I'm not sure if in their eyes, they see cyberspace as like a physical location when, in fact, it spans the whole US. I think the power needs to be taken to, like, establish a real cyber force. And, like the other countries that you mentioned, Adam, I think more priority needs to be placed on the defence. And that's not only when it comes to the military, or, you know, important assets, I'm talking about organisations and businesses across the whole country having, like, a whole of nation approach when it comes to cyber defences, and making sure they have the right security implemented, because otherwise, they might get caught in the middle of, like, as collateral damage. And suddenly, you know, food infrastructure goes down for some reason or another.

Adam

Now, it's worth pointing out that there are agencies that currently are kind of tasked with dealing with this kind of thing. So CISA being the most kind of obvious one, the Cybersecurity and Infrastructure Security Agency, that deals with a lot of kind of private sector attacks and a lot of private sector kind of security concerns. And that's a standalone federal agency. But I do agree with you, Zach, in that there needs to be, as you say, more of a kind of whole of nation approach where it's not agencies working kind of largely in isolation, but with a degree of cooperation, there needs to be a vastly expanded federal level agency that can deal with cyber threats, both at home and abroad, in a criminal and potentially nation state context. Of course, the other argument to make is that while the military is slightly hamstrung in how it can respond to cyber threats in the offensive operations that it can mount, that may be a good thing. There is a question to be raised, I think, in this whole discussion of, okay, yes, Russia and China and the like can operate with much more deniability. They can be much more underhanded, let's say, I guess, in terms of what kind of operations they mount and how they accomplish them. Do we necessarily want to match them on those terms? Or is there a value in taking the high road, for want of a better term?

Justin

I think that argument is twofold. Because there's two sides of this coin. So one thing is going to be the public's view on it in the US. If we suddenly have an agency that can just hack whomever, penetrate whoever, without much oversight, the public might start worrying, Well, what about my computer? What about my smartphone? Are they tapping me? We're already paranoid enough over here. If they push that envelope, that's going to push those people even further to the point where they think that everything's being tapped. So that is one problem there. But then on the international side, yeah, you get to that point where it's like, okay, at what point do you back off and say, Okay, I'm not gonna play your game, I'm gonna stick within the rules and do this the right way. But again, if you're doing this covertly, as our CIA is actually really good at, surprisingly, I don't think it would be as easily detected. Because even when China does it, we're oftentimes guessing, if it's Russia, we're oftentimes guessing if it's Russia, so that would be kind of the same thing, they would think it's us, but there's no actual confirmation of it. But the other side of that is Russia, China, Iran, they don't need confirmation. They don't need it, they will just come back after you, unlike us.

Zach

Hmm, I think there's a danger that any attack the US carries out might be responded to more vigorously by their opponent. And if they don't have the right defences in place already, which, once again, we see from the last year, they don't necessarily do, don't necessarily have, it might worry them a little bit to go all out on attacks.

Adam

It sort of puts me in mind a little bit of the Cold War, which, yeah, I'm sure will not come as a surprise to any of our listeners that there's some parallels to be picked up there. And I think we are slowly coming towards a similar point to where the US and Russia in particular reached with regards to nuclear missiles, that idea of mutually assured destruction, the idea of, Okay, well, we can both absolutely cripple each other. And everyone knows that. So if nobody makes the first move, then everything's more or less cool. And I think we're kind of coming towards that point, particularly with the kind of the growth of critical infrastructure attacks that we've seen. So then, how well prepared do we think the US is to compete at the top level of kind of cyber operations on the global stage?

Justin

So I think to the point you guys are making about it needs to be more of an umbrella. An umbrella agency that covers in our nation and overseas, covers a world cybersecurity, protecting the US. I think that is a key point here, is of having CISA, NSA, CIA, all these different, the military, the different branches of the military, instead of having all of them doing these things, put under one big agency that then cover us, and I think that is a safest bet for us to be properly prepared.

Zach

Yeah, I agree with Justin, I think the US needs to, I guess, unify its talent, communication and collaboration across cybersecurity into one central location. The real danger here is that right now, its opponents across the globe are looking on and I guess licking their lips, seeing how easy it is to make an impact on the country by sending a link to a government worker and an email address or something. So it's definitely something that needs to be, to scale up fairly rapidly and put into action to protect the nation.

Adam

Absolutely. Well, I'm afraid that's all we've got time for this week. But if you've enjoyed this week's episode of the IT Pro Podcast, Zach and Justin will be joining us once a month to deep dive into more US IT issues, so stay tuned.

Justin

Thanks for listening, everybody!

Zach

Thank you, bye!

Adam

You can find links to all of the topics we've spoken about today in the show notes and even more on our website, itpro.co.uk. You can also follow us on Twitter at @ITPro as well as Facebook, LinkedIn, and YouTube. Don't forget to subscribe to the podcast wherever you find podcasts to never miss an episode. And if you're enjoying the show, leave us a rating and review. We'll be back next week with more analysis from the world of IT. And until then, goodbye.
