How to Compete in Cyberspace: An Accompaniment

Here’s some highly recommended reading for serious students of cybersecurity and foreign intelligence: “How to Compete in Cyberspace” by Gen. Paul Nakasone and his senior adviser, Michael Sulmeyer. Nakasone, who is the director of the National Security Agency (NSA) and commander of U.S. Cyber Command, is a smart, action-oriented leader. He and Sulmeyer write well and clearly. If you don’t have time to read the article, here are the four main points that I took from it; if you do read it, perhaps these four points will make certain aspects of it clearer.

First, the article reviews some of the main security risks that emerge from digital network technology. Nakasone writes:

Our adversaries have abused open platforms for sharing knowledge and views by creating troll farms for disinformation. Terrorists have used the Internet to control forces and recruit new members. Portions of critical infrastructure, such as the power supply in Ukraine, have been disabled. Advances in artificial intelligence, autonomous vehicles, and 5G networks will only complicate this landscape of threats.

The article goes on to imagine an artificial intelligence (AI)-powered worm—a malware program that replicates to spread itself—that “could disrupt not just personal computers but mobile devices, industrial machinery, and more.” The authors note that, like AI, fifth generation (5G) wireless networks “offer promise and peril with exceptionally fast speeds that underpin ubiquitous connectivity.”

I have written at length about the promise and peril of digital network technology, and the ways in which it has overall tended to erode both security and privacy—albeit with significant positive effects in areas like convenience and connectivity. Nakasone’s characterization of emergent cyber risks is sound and should be sobering. The U.S. national cyberattack surface is large and growing.

Second, Nakasone’s article characterizes our main cyber adversaries using the intelligence community’s familiar, 2+3 framework: China, Russia, Iran, North Korea and violent extremists. But it is worth noting the similarities and differences between these five adversaries in the article’s carefully worded descriptions of the threats that they pose (emphasis added):

• “The Chinese government uses cyber capabilities to steal sensitive data, intellectual property, and personal data from the U.S. government and U.S. businesses at great cost to the U.S. economy and national security. In May 2020, the FBI and the Department of Homeland Security warned about the People’s Republic of China’s efforts to compromise medical research into COVID-19 vaccines. The PRC supplements those cyberspace operations with influence campaigns to obscure international narratives about their activities.” As I have written elsewhere, it may be difficult for outsiders to appreciate the centrality of China as a source of foreign policy and national security challenges for the current and any future administration.
• “Russia uses cyberspace for espionage and theft and to disrupt U.S. infrastructure while attempting to erode confidence in the nation’s democratic processes.” Note the contrast in Nakasone’s description of how and why China and Russia use influence operations, and compare it to the recent public statement from the intelligence community about the two countries’ political preferences and operations undertaken to put those preferences into effect. The intelligence community’s position is that China opposes Trump and uses “public rhetoric” to complain about his administration, while Russia favors him and uses “a range of measures” to that end. This statement from the intelligence community may feel heroically honest to insiders who may have had to overcome many internal challenges to see it issued; to outside critics, by contrast, it may seem to fall a little short of the standard of candor and plainspokenness in offering current, accurate and objective intelligence assessments that the American people deserve. Regardless, however, Nakasone has a lot more to say about Russia, which in many ways is the center of his article, as I discuss below.
• “Iran undertakes online influence campaigns, espionage efforts, and outright attacks against government and industrial sectors.” Note here the reference to “outright attacks.” Nakasone elsewhere asserts that “so much of the corrosive effects of cyber attacks against the United States occur below the threshold of traditional armed conflict.” But he also warns that “much of Cyber Command’s combat power had been devoted toward preparations in the event of future contingencies.”
• “North Korea flouts sanctions by hacking international financial networks and cryptocurrency exchanges to generate revenue that funds its weapons development activities.” Here the emphasis is on revenue-generating activities for the cash-strapped regime. Nakasone heavily emphasizes interagency cooperation in cyber, discussing how the NSA and Cyber Command share information and otherwise cooperate with the Department of Homeland Security (DHS) and the FBI. He’s also undoubtedly aware of the criminal charges and other legal action taken by the Department of Justice involving North Korean hackers and cyber thieves (most recently, here), as discussed here.
• Finally, Naksone writes that “[v]iolent extremist organizations have used the Internet to recruit terrorists, raise funds, direct violent attacks, and disseminate gruesome propaganda.” This has been a trend from al-Qaeda’s Inspire magazine and Anwar al-Awlaki’s videos to the Islamic State. Nakasone touts the cyber successes the U.S. has enjoyed against the Islamic State in particular: “The terrorist group’s propagandists used to spread their message on Twitter, YouTube, and their own websites. Today, because of our efforts, they have a much harder time doing so. At the height of its influence, ISIS published magazines in multiple languages, but it now struggles to publish in anything other than Arabic. At the same time as the U.S.-led coalition of conventional forces has prevailed over the physical caliphate, Cyber Command’s efforts have helped defeat the virtual one.”

Third, Nakasone’s article explains “defend forward” and “persistent engagement” in U.S. cyber policy. As he points out, these concepts have been part of public U.S. doctrine since 2018. The core idea, as he explains it, is that “defending our military networks requires executing operations outside our military networks.” In private-sector cybersecurity lingo, this would be something like the shift from EDR to XDR—that is, a shift from “endpoint detection and response” to “extended detection and response,” in which cybersecurity requires both a wider aperture and a more proactive approach to detecting and countering cyber threats.

Nakasone gives two examples of defend forward in action, both involving Russia. In 2019, he reports, U.S. personnel were invited to Montenegro “to investigate signs that hackers had penetrated the Montenegrin government’s networks.” This “hunt forward” mission identified malware and was part of enabling “mass inoculation of millions of systems” in the U.S. against attacks. The idea was that by “[w]orking side by side with Montenegrin partners” on the threats against Montenegro, there was for the U.S. “an opportunity to improve American cyber defenses ahead of the 2020 election.”

The second example in which defend forward was applied to good effect was through the Russia Small Group—a NSA/Cyber Command task force created to ensure that democratic processes were executed unfettered by Russian activity—and related efforts to secure the U.S. midterm elections in 2018 (Nakasone discussed this previously in congressional testimony in February 2019). Nakasone provides four sentences about the Russia Small Group’s work, and it seems to me that each sentence is very carefully worded and full of meaning:

[The Russia Small Group] shared indicators of potential compromise, enabling DHS to harden the security of election infrastructure. It also shared threat indicators with the FBI to bolster that organization’s efforts to counter foreign trolls on social media platforms. And Cyber Command sent personnel on several hunt forward missions, where governments had invited them to search for malware on their networks. Thanks to these and other efforts, the United States disrupted a concerted effort to undermine the midterm elections.

To understand defend forward and persistent engagement, it’s worth reading those four sentences at a slow cadence more than once.

Finally, the article explains why the NSA and the U.S. intelligence community generally need to partner with the private sector. I’ve written about this elsewhere, and I think Nakasone is spot on. He says:

Militaries succeed when they embrace new technologies aimed at planning for the next war, not fighting the last one. … Given that some of the most innovative thinking today is … in American tech companies, we would be shortsighted if we were not pursuing partnerships with them.

One of the central problems here, however, is that while the U.S. government struggles to develop those partnerships, America’s adversaries enjoy nearly seamless integration with quasi-private cyberattackers who act both for personal and for national gain. In a traditional net assessment between open societies and authoritarian ones, public-private partnerships is an area of significant and growing competitive advantage for the authoritarians.

It’s a hard problem for open societies to solve, but even so I think the U.S. is not doing very well with it. There are challenges on both sides, but one thing that needs to change at Nakasone’s own agency is the deeply ingrained reluctance to celebrate success. The NSA has good stories to tell about how it has protected the American people, and Nakasone’s accounts of events in Montenegro and with the Russia Small Group are representative, albeit limited, examples.

But far too many of the good stories go untold. I myself have struggled in vain against disclosure limits to tell the story of the Real Time Regional Gateway, described as “a complete change in how signals intelligence was provided to the tactical warfighter” in this National Cryptologic Museum exhibit, and featured in this television interview with the former deputy director of the NSA. These limitations on disclosure hinder efforts to develop a broader base of support for the agency’s good work (and may also shield it from criticism for its mistakes). To be sure, there is always a balance to be struck—too much disclosure can risk intelligence sources and methods—but I am not alone in worrying that the balance is miscalibrated in favor of secrecy and that more imagination should be brought to bear on enabling disclosure.

To be clear, I am saying not only that disclosure can be good for civil liberties and privacy, in exposing abuses and aiding reform, but also that it can be good for security, even if awkward in the short term. To fulfill its mission in the long term, the NSA needs trust and support from the American public—and disclosure can help enable that. In other words, security hawks should be pushing for more disclosure, not less.

If you’ve gotten this far, you have a high enough pain tolerance and a strong enough interest in the subject matter that you should really read Nakasone’s article. I hope this post will help inform your engagement with it.