Lawfare Daily: Cybersecurity Challenges and Opportunities

Published by The Lawfare Institute
For today's episode, Lawfare Foreign Policy Editor Daniel Byman interviewed Michael Sulmeyer, who was the top Defense official for all aspects of cyber policy in the Biden administration. Sulmeyer discusses the cyber threat landscape, different roles and missions, how Artificial Intelligence might be leveraged, and the key role of allies in cyberdefense, among other issues.
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/
Transcript
[Intro]
Michael Sulmeyer: We have to make sure that those at the federal level are able to provide the kind of assistance to those at the local level to truly help get ahead of these sorts of threats, and then, heaven forbid it happens, but react fast, mitigate the damage, and recover as quickly as possible.
Daniel Byman: It's the Lawfare Podcast. I'm Daniel Byman, the foreign policy editor of Lawfare, and I'm here with Michael Sulmeyer, who was the senior Department of Defense official for all aspects of cyber policy and will soon be coming to my program at Georgetown University to join me as a fellow professor.
Michael Sulmeyer: When you're in the national security space, by default to me, it seems like it's an international matter that can be very much improved and you can gain a lot of insight by working with foreign partners and allies.
Daniel Byman: Today we're talking about cybersecurity challenges for the United States and the best response for the U.S. government and for governments around the world.
[Main podcast]
First of all, can you simply talk about the cybersecurity threat landscape today? When you entered the Biden administration, what did it look like and how did it change during your time in government?
Michael Sulmeyer: Thanks, Dan. It's, it's great to be with you and I'm a long-time listener, but first-time caller for the Lawfare Podcast series, and so it's great to be able to be back with the Lawfare community. I was involved with it before I went back into government in 2019 and have been a big fan for a long time.
When, when I look at the threat landscape, I think the traditional way folks work through this is, you know, look at, look at the bad guys and make some generalizations. You know, I, I think the, the way I'd offer is that first from, from my experience at the Defense Department for the last several years, one of the main missions is you have to be ready across all the, the bad threat actors for the worst day, for, for a true conflict.
And so part of how I see the threat landscape is how is the military doing? How's the Defense Department doing on being ready for a truly bad day in cyberspace? And I, I saw a lot of maturity over time, over those four plus years, in how the military is preparing what we could think of as its readiness right in advance of a potential conflict. So I think that is a very good development.
The second thing is that there still remains, obviously, a significant amount of espionage that is conducted through cyberspace. So espionage is conducted in all sorts of ways, but there's been all sorts of public reporting, obviously, over the years and, and over a decade of, of espionage that goes on using computers, computer network operations, and generally cyberspace.
And I think the, the debate on that has generally gone between two poles. First pole would be, we don't want to be the victim of any of that. And the second pole would be, everyone does this. And how do countries manage their responses to something that, in effect, everybody, everybody spies. So having to walk between those two poles when it comes to cyber espionage is something that I know the Biden administration grappled with a lot, and I have no doubt the current administration will have to do that as well.
The final thing about the threat that I would just point out is I think we've, we've really seen how ransomware and these kinds of extortion based attacks—not espionage, but attacks through cyberspace—affecting local communities in the United States and around the world, hospitals, schools—those are, those are still a serious risk. And we have to make sure that those at the federal level are able to provide the kind of assistance to those at the local level to truly help get ahead of these sorts of threats, and then, heaven forbid it happens, but react fast, mitigate the damage, and recover as quickly as possible.
Daniel Byman: So you've already brought in a lot of different potential threats, and some of those of course, are Department of Defense threats, but a lot of it goes outside the Department of Defense or is done in conjunction with defense officials. Could you talk a little bit about roles and missions? Who's responsible for what on the government side?
Michael Sulmeyer: So a lot of the, the way I think from someone like me who comes from the, the military side, though I, I never served, but in the Title 10 or armed forces side of Cyber Operations, that is largely the away game. And so there's a series of institutions that are really involved in the away game, like DOD and the military services, U.S. Cyber Command.
There's also a number of institutions that are involved much more in the home game, and that's the FBI and that's DHS. And so for the Federal Bureau of Investigation, their primary role: investigate the violations of crime, of criminal acts within the homeland and bring those perpetrators to justice. Those perpetrators may be abroad, and so it may be very difficult to get them to justice, but the law enforcement role, that's a, a home game based on U.S. statutes and, and domestic authority. And DHS too, as the overseer of the sector-specific agencies and how the homeland is protected, again, a home game type of entity.
One entity that falls in the middle a little bit, we keep coming back to from earlier is the National Guard. The National Guard, those individuals report to a governor and so are, are military, but actually are at the disposal of a governor to determine how to be employed and often have a lot more authority at home.
And so if you were to draw a spectrum for roles and missions, you could have a home game on one side, away game on the other side, and then try to line up different agencies along that kind of a spectrum. So I hope that helps our, our listeners get a feel for who does some of what.
Daniel Byman: Absolutely. I wanna drill down on a few particular vulnerabilities in, in the cyber realm. So one is critical infrastructure. Can you explain, you know, both how you see the threat, but also what are some of the important measures for defense from a cyber perspective?
Michael Sulmeyer: Here, the threat to critical infrastructure is much more visible now than it was ten years ago because a number of companies like Microsoft and others have written about the threat to critical infrastructure at home. And it's not a situation of a series of anonymous comments to one reporter that makes its way into a, a news article but is not sourced. You know, the, now the story is out, and there's a lot of technical detail that's available that can shed light on the, the true threats to critical infrastructure, not just from intrusions through cyberspace, but pre-positioning of attack and other types of software that could pose a really bad day.
There are three real challenges, at least three challenges that critical infrastructure defense poses. First, it's not just IT, but also OT. So for those taking notes at home, hang a star by OT. Operational technology is a little different than IT or information technology.
It's one thing to manage cybersecurity across georgetown.edu, a big IT domain. It's another thing when you're also having to manage the cybersecurity of how power generation and water purification, physical systems interact with those networks as well. That's the, the OT. And generally operational technology doesn't get updated very often. It's historically not been written with a lot of security in mind, and so you, you end up with a lot of vulnerability there. So the OT-IT nexus is really crucial when it comes to defending critical infrastructure 'cause you have to do both.
Second, there are issues of federalism. That is, it poses big, federal and national security risk, but states and local municipalities are often closer to the management or governing of critical infrastructure, and even sometimes the ownership of critical infrastructure. And so you get issues about jurisdiction, you know can, what can the federal government do, but what does the state government or local municipality actually need to do hands on?
The third element—if the first was OT-IT and the second was federalism—the third I'd, I'd hang a star by is public private partnership. No doubt. You know, this is one, one of these phrases that everybody loves to, to mention and has for, for decades, but for critical infrastructure security, usually a piece of critical infrastructure is owned or operated by a non-government entity, which means government has in some cases very limited authority to actually direct change and improvement. And so the opportunity is to mature the public private relationship with certain key owners and operators before there's an incident, so that when the call for help goes out the government and other experts have something to work with. They know who to call, they know who to talk to, and some familiarity to jump in and help.
So those are three issues that I hope help our listeners understand a little bit about the challenges of defending critical infrastructure from, from cyber issues.
Daniel Byman: Now, if we shifted to supply chain vulnerabilities, which people have talked a lot about in recent years, how would that picture be adjusted? Or is it really the same sorts of factors?
Michael Sulmeyer: It can be some issues on, on OT, IT—kind of depends on the, the prime, depends on the, the largest upstream entity and the kind of business that they're in. But for the, for the Army for example, that's a, that's a large institution that has a lot of subcontractors, a lot of contractors, a lot of subcontractors, lots of subs of subcontractors, and so a very complex web of entities.
And I think largely we've looked at supply chain vulnerability from cyber related intrusions as something that we, we know is important—it, it's no longer head in the sand kind of business. The Biden administration jumped right in on that very early on, and I've no doubt that the current administration will focus on that too. But increasingly, I think there are opportunities to provide cybersecurity as a service to those near the end of a supply chain who have no shot at realistically defending themselves against a nation state adversary.
So where I hope the conversation goes increasingly on supply chain cybersecurity is not, you know, what information can be laundered and provided four weeks after a big prime contractor learns about it, figures out how to get the word out, but instead, what kind of environments can be developed securely from the start where subcontractors and others who have no shot can just do their work in an environment that's already secured, and helps them spend more time on their mission, more time on their role, and less on having to also figure out how to be cybersecurity experts.
Daniel Byman: As you know, artificial intelligence is kind of sweeping much of the discourse on tech issues, and some of it I'm sure is overstated, but at the same time, AI does seem to be changing a lot of cyber policy and cyber vulnerabilities. Can you talk a little bit about how you see AI changing the threat, but also if AI could be effectively leveraged to improve defenses as well?
Michael Sulmeyer: The, the leveraging it for defenses is a big opportunity. Let me—I, I'd rather conclude the discussion on AI on a positive note with, with that.
So the two, you know, concerns obviously, to start there, are first that it makes disinformation and those adversary or competitor nation states who really seek to weaponize information against us—it, it can make their lives easier. It can make it easier to perpetrate that kind of a, of a campaign.
It also could allow a low level organization or entity that's trying to figure out how to conduct aggressive cyber activities—it could help them get better faster, and so can, can replace or at least accelerate a training curve for malicious entities to make them more dangerous.
But on the plus side, as you mentioned, there's a big opportunity for the cybersecurity business—that is, the defense business—to unpack code that has been layered upon for decades, that has become so complex, and that in most cases stays complex because companies maintain the need to support legacy builds and legacy systems and don't cut bait with, with the oldest technology. There's opportunities to utilize AI to help us unpack that complexity, identify bugs that could become exploitable, hopefully before others have a chance to exploit them. So it's a big opportunity on the cybersecurity side.
Daniel Byman: You've mentioned when we discussed roles and missions, the complexity of the number of actors, you've also talked about private ownership. When we're thinking about cybersecurity regulations, how do we think about harmonizing these across different jurisdictions of national security—and more broadly, I'll say, across society—given that it's such a, so many actors are involved in the solutions to these problems.
Michael Sulmeyer: The R word has gone in and out of fashion a little bit when it comes to cybersecurity. There was a time, 10, 15 years ago, R word was a swear word, and regulation was absolutely seen as something that would trade off innovation, would somehow cripple the ability for companies to innovate and make money.
More recently, I think there was a, a sense that if the regulations for cybersecurity could be foundational enough and common enough to preempt a variety of, of local differences—that is if, if companies could shoot for one standard or, you know, that was common—that that would actually help lift all boats. And I think here, you know, you saw the National Cyber Director Office take a, take a run at, at this during the last administration.
And I think now, from, from what I understand, it, it's something that is difficult as a word for folks to get behind, but I don't think folks have really distanced themselves from saying some form of baseline common standards to protect the most valuable and vulnerable entities in the country is required because the threat environment has changed so drastically.
This is not an environment where ISIS is the primary challenge that is faced in national security. If you're serious about saying China poses the most aggressive competitive threat, then your cybersecurity policy—not your offense policy, your cybersecurity policy—should reflect that accordingly.
And so I think what we'll see happening is two things. We're gonna see a resurgence of states trying to put forward their own ideas for regulation or baseline standards and see which take. And so you'll get a little bit of confusion as a result, but you'll see some innovation.
The second thing I think we'll see is insurance will become somewhat of a backstop for—or in the absence of—explicit regulations. Insurance companies will keep an eye on the evolving threat environment and different companies, if they don't keep up with being mindful of that threat environment will be less insurable at a certain point, or their premiums will go up. So I will also be looking at the insurance world to see how they react given the different posture on regulations going forward.
Daniel Byman: One challenge that, you know, we are trying to address as teachers at Georgetown University, but it's a broader challenge than a few students here or there, is the need for skilled people who understand the dangers, but also have the technical skills to deal with cybersecurity threats and the necessary response.
How big is the talent shortage and are there things you feel the government or universities or private sector should be doing to address it?
Michael Sulmeyer: I spent a tremendous amount of my time at DOD focused on talent, or, or in wonderful DOD terminology because we can't just say talent, we would say force generation, and we would drop our voice two octaves every time we said it. But the issue at DOD is we have, right, two types of humans. We have those in uniform and, and we have those outside of uniform. Both are critical sources of talent when it comes for, for cybersecurity.
What I have found, at least over several years of working in and with the Department of Defense—I'm gonna limit my observations on talent to the DOD adjacent world of talent, just because that's what I know and I feel like I wanna stick to my brief—but for folks who come in who are attracted to working on issues about cybersecurity or cyber operations, there are very unique opportunities that are not available elsewhere. But the culture of the organizations that they join privileges and encourages other types of work as a condition of getting promoted and advancing in a career.
For the Navy, for example, not to pick on the Navy, but the Navy is very much a culture of going to sea. It's not a shock, at least it shouldn't be a shock to anyone listening, that the Navy cares a lot about going to sea. And so it's taken a long time for Navy leadership to get comfortable with having a career field that's treated as its own independent thing, where we're not gonna invest very significant sums of national treasure in training someone to conduct very exquisite things with a computer and then send them to sea to paint the battleship gray. And that obviously is a little bit of an exaggeration, but culture in these organizations matters a lot when it comes to force generation and talent.
And so what we were really trying to work on for the last year or so was building sustained mastery for civilians and those in uniform to be able to say that if we're going to invest all this money in training you to do these very, very complex things, we need to keep you in these roles. And that means we need to find ways to promote you, to develop your career, to allow you to move around while still having you utilize that investment we made in you that the taxpayers made in you, to do very, very difficult things online.
Developing those independent career paths was helped a tremendous amount by the creation of the Cyber Excepted Service. This is something that Senator Rounds and others on the Armed Services Committee really led the way on, and so we have the legislative authority to do it now. We just have to make sure in the implementation that there is follow-through.
The, the hitch, I would say, in what we're seeing right now with the cuts to probationary workforce folks—and Rob Joyce made this point at an open hearing last month—is that sometimes when folks come in through an excepted service like the Cyber Excepted Service, they are easier targets for the efficiency cutters.
So what I am really not thrilled about seeing happening is the risk that we cut the very people that we've created, these special hiring authorities and these special career paths that we cut them because they don't, they may not have the kinds of civil service protections to make them difficult to cut, but they're prized individuals. There's not that many of them, but they're prized because of what we've invested in them to do.
So that's my biggest worry when it comes to talent management—sorry, force generation—going forward.
Daniel Byman: Can I ask just as a, a continuation of that last point? One thing that I think makes some of the tech fields a little different is that experience and knowledge don't always go together, that you can have someone who's been in the field for 15 or 20 years in most cases, and they're better at their job than someone who's not been there as long.
But with tech, often you have new technologies that younger people are simply more proficient at. Does that show up in the cyberspace or is it more traditional kind of learn on the job, get better and better as you go along?
Michael Sulmeyer: It's another reason why I think optimizing towards mastery is, is so important because the more time you stay on a hard target and the more time you stay in the field developing as a professional from a novice to an apprentice, you know, to a master, the more exposure you should be given and should have to new technologies that are developing, whether it's new vendors, whether it's new products, or whether it's a way to just completely be done with an old way of doing business.
And I think it's one of the reasons that I'm so excited to come to Georgetown, Dan, because under, you know, your leadership and, and SSP, what we are really trying to do with a, with a class of civilians and as well in some of those in the armed forces is how do you accelerate that opportunity to learn about new technologies and figure out what can be most impactful to your mission and to help that next generation get a jumpstart for that type of issue spotting.
Daniel Byman: I wanna shift gears a little bit. We've talked about coordination across government. We've talked about coordination with the private sector, and also some of the federalism issues. But how much is cybersecurity done in conjunction with U.S. allies and partners? Is this something that is, you know, there is a dependence with allies and partners, or coordination? How should we think about how global this effort is?
Michael Sulmeyer: It's a great point, Dan, because so much of cybersecurity in the national security world is an international matter.
I would point to an article that I co-wrote with General Nakasone many years ago in Foreign Affairs where we open with a story of international collaboration through what is called a hunt forward operation, and that is different than the defend forward strategy, although upon further reflection, one can imagine a different nomenclature of things that would make it a little easier to distinguish.
But while defend forward was the strategy from 2018 and the first Trump administration, hunt forward was a particular type of operation where, at the invitation of a foreign partner, U.S. forces would be invited to join a foreign partner to look for evidence of malicious activity. And then we could take certain steps to inoculate at scale based on what we learned and that insight that was generated.
So there's a tremendous amount of potential with allies and partners when it comes to cybersecurity, but also if you think about just the force laydown of the Defense Department and how many countries the Department of Defense is active in at any given time, their cybersecurity risk at some point becomes our cybersecurity risk.
And so, when you're in the national security space, by default, to me, it seems like it's an international matter that can be very much improved and you can gain a lot of insight by working with foreign partners and allies.
Daniel Byman: Michael, I've gone through my question list, but is there anything more substantive I should be asking you before we, we end this?
Michael Sulmeyer: Dan, if, if, if it's okay to break protocol, I'm sure, but I'd love to ask a question of, of you, because I am rusty coming back to the civilized world after, you know, five, five, six years away.
I'm interested in how the broader national security community—not the cyber people but how the broader national security people—see the challenges posed by cyber attacks, and if they think that actually life has moved on and now it's all about AI and cyber, you know, so hot yesterday, but that's not a, that's not a real thing anymore. Or it has, is there an appreciation that the threat has grown alongside the, the rise in the threat from China. I, I'd just be interested in the non-cyber person's view on cyber threats and challenges.
Daniel Byman: So I'll give you my, my truly non-expert view of all this. So part of it in terms of, you know, what is the latest shiny object, certainly AI has taken the place of cyber.
However, the Ukraine war, I think, really showed the importance of cyber defense to many people. The repeated Russian attacks on different parts of Ukraine's critical infrastructure and government, attempts to take down power as well, and the role of the private sector in all that, in playing important roles in helping defend Ukrainian systems. So I think it was a very vivid reminder of the importance of cyber.
To me it's a bit like air defense, where, you know, it's the sort of thing—we need air defense, we need cyber defense, everyone nods—but when you actually see attacks happening and realize the tremendous potential of these, it really forces you to pay attention to, you know, does the United States have the necessary defenses?
Also, as you said, as it's been more and more an emphasis on China in particular, there's a recognition that, you know, truly here is a peer in terms of technological capacity—that this is certainly not just not ISIS, but it's also not Russia, that this is a country that you know, really has world class scientists, world class engineers and is investing heavily in this capability.
So the good news for people in this community is I think there's a real recognition of the importance of all this. However, part of the, I will say, you know, good news is also a bit of bad news, which is when there are problems and failures, so far they haven't been dramatic. And what that has meant is people can kind of brush it off and say, well, you know, sure it's important, but people often miss the potential, I think, for some more truly catastrophic losses.
But I think there has been a maturity on the non-expert side in recognizing the necessity of a very strong cyber capability on defense, I, I think there is less understanding of offensive possibilities on the cyber side—and I certainly put myself in that category—but of how this could really facilitate war fighting and in general serve as a very strong instrument for the United States if things get much darker in a conflict with China.
Michael Sulmeyer: I think that's a, that's a great set of points, Dan, and, and I really should have mentioned on your last question about allies and partners, the Ukraine example, because it really does show that defense pays.
And a lot of times we struggle for examples, but in this case, the work that Ukraine put in with U.S. entities and other entities ahead of the invasion paid off. It's hard to argue. It, it paid off. And it's a little easier when you're an entity and you say, oh gosh, maybe can we do that another day, or, we really don't, we've got other things we have to do.
It's a, it's a great reminder that when things really go wrong, you're, you're gonna appreciate the fact that you made some early investments, time and relationships and capability development in case a bad day really comes. And, and for them it did. And, and thank goodness the relationships were there. So it's a great point, Dan.
Daniel Byman: And it's nice also to end our podcast on an up note. So Michael Sulmeyer, thank you so much for joining us today.
Michael Sulmeyer: Dan Byman, thanks so much for having me on. Great to be back again with the Lawfare community and joining Georgetown in the fall.
Daniel Byman: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter at our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look out for other podcasts including Rational Security, Allies, The Aftermath, and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work as well at lawfaremedia.org.
The podcast is edited by Jen Patja and our audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi music. As always, thank you for listening.