The 10th annual Billington CyberSecurity Summit concluded yesterday in Washington, DC. Here are a few highlights from yesterday's sessions.
Warfighting in the fifth domain. Major General Dennis Crall, US Marine Corps, presently serving as Deputy Principal Cyber Advisor and Senior Military Advisor for Cyber Policy in the Department of Defense, framed military cyber policy thusly: "This is all about outcomes." He offered three salient considerations for US military cyber policy:
- "Lethality." This has three aspects: authorities (and these need to be not only the right ones to authorize sound operations, but they also need to be "deep enough" to enable forethought and anticipation), processes (which need to be repeatable, and to enable operators to use the authorities they've been given), and capabilities (a trained force with the tools necessary to accomplish a mission).
- "Partnerships." Such partnerships are both domestic (where partners often have authorities the military lacks) and international (where allies cooperate to share information within a framework that affords a common level of protection).
- "Reform." At bottom this is a way of keeping faith and trust by applying scarce resources in the most effective and affordable ways possible.
CISA's vision. It's clear that the 2020 US elections will be the first big test of the Department of Homeland Security's youngest agency. Christopher Krebs, Director of the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, discussed the vision he expressed for CISA at Auburn University earlier this summer. The agency has, he said, five principles of execution and two goals. The principles are:
- Operate with the statutory authority to collaboratively lead critical infrastructure protection.
- Be results-driven.
- Remain risk-focused.
- Work consistently with Constitutional rights and national values.
- Execute and engage as one agency, in one fight, as one team.
CISA's goals are to "defend today" and "secure tomorrow." The agency's priorities include securing government networks (and this includes rendering appropriate support to state and local governments), securing elections, protecting soft targets and crowded places, and defending industrial control systems. "In 2020, we're going to lead," Krebs concluded, returning to the central challenge of election security. "We're not going to let the Russians or the Chinese in."
Three lessons the United Kingdom has drawn from recent cyber history. Ciaran Martin, CEO of the UK's National Cyber Security Centre, began his talk with an appreciation of the US-UK Special Relationship. He cautioned the audience that as they heard his lessons learned, they must bear in mind that the US and UK, while sharing much history and many values, remain in many respects very different countries.
The lessons derive from the realities of the environment in which we live. We're defending open, digital societies. Prosperity is a social concern, and critical infrastructure presents a serious national risk. Cyber security is at base about defending a way of life.
We face a formidable set of adversaries. Russia is a determined, aggressive, disruptive opponent. Our commercial environment today is one in which our businesses are under routine, continuous Chinese assault. North Korea and Iran are active and implacably hostile. Transnational cybercrime has become, cumulatively, a grave threat to the digital economy. And state actions have come to have serious collateral effects quite apart from the effects they're designed to have on their intended targets. Both WannaCry and NotPetya illustrate this.
Operating in this world has led Martin to three conclusions. First, "Government matters." The Internet is a public good, but well-intentioned calls for public-private partnership have proven a recipe for inaction. Instead, governments should take responsibility for detection, resilience, and making technology safer. Second, we must "think carefully about our own footprints." Cyberspace may be an operations domain, but fundamentally it's a peaceful domain, and we must act with this in mind. Finally, governments need to look to the future, and that means looking for effective deterrence.
The event was widely covered by the media. Some of the stories filed on the Summit are linked below. We'll finish our own coverage of the event early next week. (In the meantime, a quick cautionary pro tip to consumers of news: "crypto" is not necessarily synonymous with "alt-coin," or "cryptocurrency." And that's no secret.)