Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
Wednesday, March 24, 2021
The Biden administration has doubled down on cybersecurity, adding two senior positions in the Executive Office of the President: a new deputy national security advisor for cyber and emerging technology and a new national cyber director. To avoid churn within the administration and confusion elsewhere, the administration should clearly define the roles of these two positions. Perhaps the most critical role for the Office of the National Cyber Director (ONCD), one unsuited for the deputy national security advisor, is to lead interagency planning and operational coordination for cyber defense; it should fulfill this role through a new National Cyber Defense Center (NCDC).
The United States needs a proactive whole-of-nation cyber defense campaign to bolster national security in the face of adversaries’ sustained efforts to steal U.S. intellectual property, sow disinformation, gather sensitive intelligence, and prepare to disrupt or destroy U.S. critical infrastructure through cyberspace. This cyber defense campaign should have four key elements: cyber deterrence, active cyber defense, offensive cyber actions in support of national cyber defense, and incident response. Planning and coordinating such a cyber defense campaign is an inherently interagency task, but it would fit poorly in the National Security Council (NSC) because of the NSC’s past difficulties with operational roles and its staff ceiling of 200. Such interagency planning and coordination would also fit poorly in the departments of Homeland Security, Defense, or Justice, or in the intelligence community, because none of these institutions has the full range of authorities necessary to the task.
An NCDC needs to comprise personnel detailed from key departments and agencies, and liaisons from the private sector. Fortunately, such staffing is implicitly authorized in the recent legislation creating the ONCD. The degree of whole-of-government and whole-of-nation planning and coordination we propose for the NCDC would go beyond what the Cyberspace Solarium Commission has specifically recommended for the ONCD. This comprehensive approach is essential in the face of adversaries who are deliberately exploiting the seams between U.S. departments’ and agencies’ authorities, and between the U.S. government and the private sector. Without an NCDC, the ONCD will fail to move the needle in improving the U.S. cybersecurity posture.
Roles of the National Cyber Defense Center
The NCDC would conduct cyber defense campaign planning and coordinate U.S. government actions below the level of armed conflict, while also conducting contingency planning for cyber defense in the event of crisis or war. In support of each of these roles, the NCDC would plan and coordinate four intertwined lines of effort: cyber deterrence, active cyber defense, offensive cyber actions in support of defense, and incident management.
On a day-to-day basis, below the level of armed conflict, the NCDC would plan and coordinate a sustained cyber defense campaign across the U.S. government, while also enabling appropriate coordination with the private sector, state and local governments, and key allies and partners. This cyber defense campaign would focus particular attention on China and Russia, as the most capable cyber adversaries of the United States, but would also address North Korea, Iran, the Islamic State and other cyber adversaries.
The importance and urgency of having a proactive, coordinated and sustained whole-of-nation cyber defense campaign is difficult to overstate. The stakes in the ongoing competition below the level of armed conflict include the health of U.S. democracy, social cohesion, and U.S. technology advantages that undergird the nation’s military edge and economic growth.
The NCDC would also lead interagency contingency planning for cyber defense of the United States in the event of a crisis or conflict. The most important work would focus on China and Russia, which have extensively infiltrated U.S. critical infrastructure with implanted cyber capabilities of a scale and sophistication that far exceed any other potential U.S. adversaries. In the event of a severe crisis or conflict, China and Russia could use cyber weapons to hobble the U.S. military, cripple the U.S. economy, and sabotage systems that deliver life-critical services— all while conducting cyber-enabled disinformation and deception efforts to sow discord among the American people.
Contingency planning for cyber defense in crisis or conflict would improve the U.S. posture to deter aggression or coercion and would also inform cyber defense campaign efforts below the level of armed conflict. On the one hand, an overly passive U.S. approach below the level of armed conflict could invite adversaries to keep pushing out the limits until U.S. leaders finally feel compelled to respond with decisive force. On the other hand, an overly aggressive approach by the United States could cause a spiral of escalation. A well-calibrated approach in peacetime—based on an assessment of adversary interests and goals, and an explicit assessment of escalation risks (which requires contingency planning for crisis or conflict)—is needed to minimize the prospects of both failed deterrence and inadvertent war.
More broadly, U.S. cyber defense activities in peacetime provide the essential foundation for cyber operations in crisis or conflict, and so are essential to improving the U.S. ability to deter war. The organizations, processes, and trust relationships needed to inform and shape an effective active cyber defense of U.S. critical infrastructure, rapid decision-making for coordinated countermeasures at home and offensive cyber operations overseas, and cyber incident management cannot be created instantaneously when a crisis arises—they must be developed, exercised, and matured in peacetime if they are to be available in the event of crisis or conflict. U.S. peacetime cyber activities, including private-public partnerships that enable the real-time sharing of sensitive information and coordination of actions, provide a “platform” for cyber operations in crisis and conflict; adversary perceptions of these U.S. capabilities in action can help to reduce the risk of great power war.
In furtherance of these two roles, the NCDC would plan and coordinate four interrelated lines of effort.
Cyber deterrence aims to reduce adversaries’ perceived benefits and increase the perceived costs of major cyber intrusions, attacks or cyber-enabled campaigns. Such sustained adversary efforts have included China’s theft of intellectual property and Russia’s efforts to sow domestic discord in the United States. Because of the extensive vulnerabilities of existing U.S. networks, deterrence by denial will not be adequate against advanced adversaries, particularly China and Russia. Deterrence by cost imposition will be essential; this requires intelligence-driven planning to help policymakers assess what responses may be sufficient to promote deterrence but not so strong as to lead to undesired escalation. Shifting from a reactive to a proactive cyber deterrence posture will require integrating diplomatic, informational, military, financial, intelligence, and law enforcement tools, as well as coordination with the private sector and U.S. allies and partners.
Active cyber defense presumes that advanced adversaries, China and Russia in particular, have substantial resources and highly skilled teams that will allow them to penetrate even well-protected U.S. networks and systems. Active cyber defense aims to rapidly detect and mitigate intrusions, increase the attacker’s “work factor” (time and resources required to achieve its aims by expanding laterally, exfiltrating information, and the like), and reduce the attacker’s confidence that intrusions have succeeded and that any information extracted is accurate. Examples of active cyber defense tactics including “hunting” for cyber intrusions on one’s own (and partners’) networks, creating “honeypots” and “tarpits” to lure and trap cyber intruders in decoy servers, embedding false information on networks that may mislead intruders, and publicly releasing insights into adversary cyber tools and tradecraft. Active cyber defense is increasingly being conducted by both the U.S. government and the private sector, but not in a comprehensive coordinated campaign approach. There is much room for improved sharing of operationally relevant (timely and specific) information, intelligence and insights.
Offensive cyber actions in support of cyber defense can be both necessary and appropriate, as exemplified by U.S. Cyber Command’s reported operations to thwart the Russian Internet Research Agency troll farm in the 2018 and 2020 U.S. elections. While the Defense Department would retain the lead for offensive cyber operations, embedding its cyber defense-focused efforts in an interagency campaign would better posture the U.S. to deal with the reality that cyber adversaries are operating increasingly from within U.S. territory as well as overseas (as was reportedly the case in the expansive SolarWinds and the Microsoft Exchange cyber penetrations). U.S. Cyber Command’s actions in support of the 2018 and 2020 U.S. elections have been widely applauded for being carefully considered and well coordinated. However, as adversaries increasingly buy, lease, or hijack U.S. infrastructure to conduct subsequent cyberattacks, the United States will need greater interagency coordination between the actions taken domestically and abroad to be successful.
Cyber incident response will always remain a key part of U.S. cyber defense efforts, quite simply because the United States faces capable and committed cyber adversaries. Unlike the other lines of effort proposed for the NCDC, a well-rehearsed interagency process for cyber incident response is already established. However, because cyber incident response is so intertwined with the other NCDC lines of effort, the NCDC should provide oversight of interagency Cyber Unified Coordination Groups. These were established under Presidential Policy Directive 41 to coordinate U.S. government responses to major cyber incidents. In parallel, the NSC would be able to shift its focus from operational coordination to strategic decision-making and oversight, including prioritizing U.S. government support in the event of widespread cyber intrusions or attacks, and holding the NCDC and the national cyber director accountable for conducting its operational role.
To enable the NCDC’s planning and coordination efforts, it will need to share information and provide a shared perspective of the current situation including a visualization of potential developments, and do so at appropriate classification levels. This requires not only a platform for secure information sharing but also a platform for conducting (human and machine) simulations and analyses aiming to anticipate the most likely and most dangerous future adversary courses of actions—including responses to actions that the United States might take.
Providing shared perspectives on the current situation and future developments, through tailored visualization tools based on a wide range of data sources, and at various classification levels, would be a key role of the NCDC. Such a continuous net assessment process could not “predict” precisely what the adversary will do, but over time with continued reality-testing it would help improve the United States’s ability to anticipate, deter, defeat and/or respond swiftly to potential adversary courses of action.
A continuous net assessment process for cyberspace would be supported by intelligence/counterintelligence assessments and informed by tabletop war-gaming, modeling and simulation, and results from cyber range activities. Such a net assessment process would help highlight areas where additional information and intelligence is most needed. Because adversaries are adapting as they exploit emerging cyber vulnerabilities, this net assessment process could also generate testable hypotheses regarding next adversary moves, so that intelligence assets can be directed appropriately, defensive measures taken and offensive measures preplanned. To counter adapting adversaries, this net assessment process must exploit new technologies such as artificial intelligence and machine learning.
NCDC Organizational Structure and Staffing
Figure 1, which shows a potential organizational structure for the National Cyber Defense Center, illustrates the need for interagency planning and coordination outside the U.S. government to improve U.S. cyber posture.
Figure 1. Potential organizational structure of the National Cyber Defense Center.
The director of the NCDC would report to the national cyber director. The organizational structure of the NCDC could, and probably should, evolve over time, but a few guiding principles should be followed:
The NCDC director should be a senior civilian with both senior-level U.S. government and private-sector experience, and the support of the national cyber director and the deputy national security advisor for cyber and emerging technology.
The vice director should also be an experienced public leader, with complementary expertise and background, and would likely be active duty, a reservist, or a member of the National Guard.
Deputy directors should, as a group, have experience across all key departments and agencies, including the departments of Homeland Security, Defense, Justice, State, and Treasury, as well as various elements of the intelligence community.
Offices should be organized not by department or agency, but by function, with each having an interagency composition and comprised mainly of detailees from key departments and agencies.
To ensure a continued focus on cyber adversaries, critical planning and coordination activities should be organized as “country cells” (China, Russia, and the like), staffing for each of which would be drawn from multiple departments and agencies.
Federal cyber centers, such as the Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force and the Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA) Central, would continue their work, while supporting planning and coordinated campaigns orchestrated by the NCDC.
Similarly, the intelligence community’s Cyber Threat Intelligence Integration Center would see the NCDC as a critically important customer—even as it continued to provide strategic intelligence to the NSC—as it would build on its capacity to provide operationally relevant and timely intelligence to the NCDC.
The NCDC would be an extraordinarily lucrative target for cyber espionage and attack and, as such, it would need a top-notch chief information officer and chief information security officer, who would both need to exemplify as well as enable a diverse set of advanced tools and techniques for active cyber defense.
How a National Cyber Defense Center Would Operate
The NCDC’s interagency staff would conduct planning, coordinate already-approved interagency actions, and raise new proposals and any concerns regarding department or agency noncompliance with the NSC. The NCDC director would also request approval for new activities from the department(s) or agency head(s) with the requisite authorities, sending the request simultaneously to the deputy national security advisor for cyber and emerging technology for interagency consideration. The deputy national security advisor would have the prerogative—and the responsibility—to determine whether to call for NSC meetings, and if so with what urgency at what level (full NSC chaired by the president, Principals Committee chaired by the national security advisor, Deputies Committee chaired by the deputy national security advisor, or a supporting interagency working group).
For extremely urgent decisions, department and agency heads could approve actions prior to interagency consideration. In this case, an operation could be initiated before the NSC had given its concurrence. The relevant department or agency head would be accountable to the president for justifying the choice to proceed. In cases that involved both urgency and limited escalation risks, this decision authority could be delegated further over time, with the objective of having as many actions as reasonably possible delegated to department and agency heads. Of course, the president may still direct execution, or nonexecution, of a proposed new activity at any time.
Making Use of the Office of the National Cyber Director’s Authorities
The legislation creating the Office of the National Cyber Director (ONCD) specifies a range of responsibilities that would be appropriately executed by the NCDC. Table 1 shows that the enabling legislation for the ONCD already provides authorities for each of the four key lines of effort proposed for the NCDC, as well as for the coordination of U.S. government engagement with the private sector.
Table 1. NCDC-related responsibilities and the associated statutory text highlighting the national cyber director’s relevant responsibilities.
Why the ONCD Is the Right Place for the NCDC
The NCDC would not fit in the NSC, quite literally, given the legislative cap of 200 personnel on NSC staffing. Even if the cap were increased, the NSC staff should be focused on coordinating and overseeing the implementation of strategy and policy, not conducting ongoing campaign planning and coordinating operations.
Placing the NCDC in CISA, or in another department or agency, would be a prescription for failure. Developing and coordinating the execution of national campaign and contingency plans for cyber defense—plans that really matter—will require departments and agencies to share sensitive operational planning and intelligence; a standing interagency body in the Executive Office of the President is needed to make this work. In addition to the question of location is the question of seniority: An NCDC director reporting to the CISA director would sit two levels below the Deputies Committee, whereas an NCDC director reporting to the (Principal-level) national cyber director could operate at the Deputies level. Anyone with experience working in the U.S. interagency process understands how important these differences of location and seniority would be in practice.
This reality raises a bit of a conundrum: In the same defense authorization bill that created the ONCD, Congress mandated the creation of a Joint Cyber Planning Office (JCPO) in CISA with the mission of developing plans for cyber defense operations. Congress might in principle be persuaded to reverse itself, but there is another viable option: The director of the JCPO could be dual-hatted as the lead for private-sector and state/local government engagement in the NCDC. Wearing the CISA “hat,” this person could make use of all Homeland Security authorities as JCPO director; wearing the NCDC “hat” with presidential top-cover, this person would have significant additional influence with others beyond the reach of Homeland Security authorities, including national security departments and agencies, and U.S. allies and partners.
Setting a Course for Success
Like all organizations, an NCDC will have growing pains and will make mistakes. The goal for the U.S. cyber posture should be to advance to a new national cyber defense culture and an organization within the next 18-24 months. This timeframe will allow for mistakes and learning to arise from war games and simulations, rather than in the real world.
The NCDC could achieve an initial operating capability with fewer than 100 personnel, perhaps with as few as 30 to 40 . Although the enabling legislation for the Office of National Cyber Director caps total personnel at 75, the legislation specifically allows for the ONCD to “utilize, with their consent, the services, personnel, and facilities of other Federal agencies.” Thus, for example, a 100-person NCDC that was 60 percent detailees would count only against 40 of the allowed 75 Office of National Cyber Director slots.
To succeed over time, the NCDC will need to compete successfully for its share of talented cyber professionals. Given the importance of this national center, the president might direct department and agency heads to provide their best personnel to field an all-American cyber defense “dream team” and could further make a personal appeal to industry CEOs. Over the course of a decade or so, after there had been five or more rotations of detailed/assigned personnel from the U.S. government and private sector, there could be a cadre of 250 or more highly trained, experienced, and networked personnel who had rotated through the NCDC.
This reality creates an important opportunity for the NCDC to serve as a flywheel for interagency and national-level training and education on cyber defense (including in particular experiential learning through exercises and real-world operations). An NCDC leadership team would work to maximize this benefit, through training and education efforts, and the encouragement of continued professional relationships among those who had served in the NCDC.
If an NCDC existed today and functioned reasonably well in its planning and operational coordination missions, and in its net assessment function, any proposal for its elimination would clearly create a major gap in the ability of the U.S. government to compete in cyberspace below the level of armed conflict and, if necessary, to coordinate national cyber defense in the context of a crisis or war. That gap exists today, and is evident to U.S. competitors and adversaries, thus putting U.S. national security at avoidable risk.
This piece is based on research supported by the Johns Hopkins University Applied Physics Laboratory (APL), where the authors serve as senior fellow (Miller) and consultant (Butler). The views expressed are solely those of the authors, and not of any U.S. governmental agencies or departments, of APL, or of any other organizations.