Podcasts
Caveat
Ep 162
Caveat 2.23.23
Ep 162 | 2.23.23

The stand up of U.S. Cyber Command.

Show Notes
Transcript

Charlie Moore: We had a thing called Cyber Command, but it reported to a combatant command known as Strategic Command and then was commanded by the head of the National Security Agency - at that time, Admiral Rogers. So it was commanded by an intelligence personnel. It was not a war-finding command. We hadn't built out all of our teams. And probably more important than that, we didn't, as a government, have a solid policy for how we were going to conduct cyberspace operations.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben discusses a proposed California law that would restrict so-called reverse warrants. I've got a ruling from the 4th Circuit on the First Amendment right to film police. And later in the show, my conversation with Charlie "Tuna" Moore, former deputy commander of U.S. Cyber Command. He's discussing the stand up of U.S. Cyber Command, the development of U.S. cyber policy and the development of D.O.D. cyber policy. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, we have a lot to cover today. Why don't you start things off for us here? 

Ben Yelin: Sure. Before I get to my story for this week, just a quick preview of next week. As we're recording this today, there's going to be an oral argument at the Supreme Court on the Section 230 cases. One of them is related to Google. The other is related to Twitter. So just to preview that, we are going to discuss those at length in the next episode. And hopefully I'll get the chance to do what every good lawyer loves to do and settle in with some nice hot cocoa and listen to the two hours of oral arguments. 

Dave Bittner: Get your bucket of popcorn. 

Ben Yelin: Exactly. Get that bucket of popcorn... 

Dave Bittner: Right. I... 

Ben Yelin: ...Out. It's going to be highly entertaining, I suspect. Might be a little bit contentious, as well. 

Dave Bittner: Yeah, I'm already seeing articles in the news of people saying, yeah, the Supreme Court has the opportunity to ruin the internet (laughter). 

Ben Yelin: Yes. Well, they've already ruined a lot of other things. So, you know, the internet, that's just par for the course. 

Dave Bittner: Right, right. All right. We'll look forward to that. 

Ben Yelin: Exactly. Exactly. So look for that on next week's episode. My story today is about a proposed California law. It was proposed by an assembly member from the Oakland, Calif., area named Mia Bonta. And this would protect people seeking abortion and gender-affirming care from dragnet digital surveillance. So there's been an effort from the California ACLU and affiliated groups to get a member to sponsor legislation like this that attacks these so-called reverse warrants. 

Dave Bittner: OK. 

Ben Yelin: So these reverse warrants, as we've talked about, is a type of dragnet surveillance where law enforcement compels tech companies to search the records and reveal the identities of all people who have driven down a certain street, been in a given location. Those, of course, are referred to geofence warrants... 

Dave Bittner: Right. 

Ben Yelin: ...Or something like keyword warrants, where law enforcement would compel a Google to hand over all of the information of everybody who searched the word abortion or gender-affirming care in a given time period. And law enforcement would be able to obtain perhaps hundreds, if not thousands of records. This is a - an actual problem. It's not something that's made up. Between 2018 and 2020, Google alone received more than 5,700 reverse warrant demands. And I think the urgency is heightened by the attacks in other states besides California on reproductive rights. So I think the fear is that people will go to California to search abortion care or, alternatively, the type of gender-affirming care that's being outlawed in lots of different states across the country. 

Dave Bittner: Right. 

Ben Yelin: And law enforcement from those states would try to compel California companies, like Google, to hand over these records. So who was in the vicinity of the Planned Parenthood in Sacramento between this time period on November 8 - that type of thing. California already has pretty broad restrictions on surveillance related to abortion rights since California's a very pro-choice state. They've already passed statutes that restrict government surveillance on abortion rights. 

Dave Bittner: Right. 

Ben Yelin: The reason this legislation would be necessary is law enforcement could try and do an end-around and compel these types of reverse warrant searches for maybe the grocery store next to the Planned Parenthood clinic... 

Dave Bittner: Oh (laughter). 

Ben Yelin: ...Something like that, where you're kind of tricking the tech companies to comply with these demands without directly targeting abortion care or gender-affirming care. So I was - this proposed legislation certainly opened my eyes. It was promoted by the Electronic Frontier Foundation, like I said, the California ACLU and reproductive justice, civil liberties and other privacy groups. The sad part of this story is that I went to actually read the text of the bill. 

Dave Bittner: OK. 

Ben Yelin: And I don't know what broader lesson this tells us, except that there are some bills that are introduced for messaging purposes. And before you get too excited about drastic policy change, you should take just a keen look at the details here... 

Dave Bittner: Oh, boy. 

Ben Yelin: ...Because all this legislation does is express the intent of the legislature to enact legislation to preserve our right to safely seek reproductive and gender-affirming care in the digital age by protecting us from unconstitutional reverse demands. So it presents a bunch of findings about mass surveillance methods, defines what these types of reverse warrants are and then says it's the intent of the legislature to enact legislation to preserve these rights. 

Dave Bittner: So why is this even a bill? 

Ben Yelin: You are the legislature... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Enact a bill to preserve these rights. 

Dave Bittner: Right, right. It's like a pre-bill? Like, well, I don't understand. Why allow this? 

Ben Yelin: So my inkling is that they don't have the political support to actually enact the bill. 

Dave Bittner: OK. 

Ben Yelin: But you can get enough assembly members and state senators on record as supporting this as a concept, maybe that's grounds for momentum for future legislation. There are other restrictions on reverse warrants in California and an additional states. So it's not like these types of warrants - geofence warrants, keyword search warrants - are completely unprecedented. This would be taking it in a different direction because it would specifically target warrants in these two topic areas - for gender-affirming care and for abortion rights. But, you know, without actually putting pen to paper and developing this policy, there are just too many unanswered questions to know whether the policy would be effective, whether it would work, whether it would achieve its intended goals. So I guess I was just kind of disappointed that all of these groups got together to promote a piece of legislation that's kind of just a, hey, somebody should do something about this piece of paper. 

Dave Bittner: Right. We resolve to tell everyone that someone should do this. Oh, that would be us. 

Ben Yelin: Yeah... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Exactly. It would be one thing if - so some states will do things like pass a resolution encouraging their own members of Congress to pass federal legislation. 

Dave Bittner: OK. Yeah. 

Ben Yelin: That's pointless, too. But in a different kind of way. I mean, federal legislators have no obligation to listen to state legislatures. 

Dave Bittner: Right, right. 

Ben Yelin: But at least, you know, that's all that the state of California could do to effect change at the federal level. But to say that we expressed the intent that the California state legislature pass legislation of this sort just seems like a total copout when you're the legislature. 

Dave Bittner: Right. 

Ben Yelin: At least debate a bill of substance. And if you can't - you know, if you can't actually get an agreement on the substance, at least do what legislatures do best and punt it to some type of blue ribbon commission... 

Dave Bittner: (Laughter). 

Ben Yelin: ...To study the issue and come back with findings that would help guide future legislation. 

Dave Bittner: Could this be messaging to that, you know, that lawman in Texas who's looking to extend the long arm of the law that, hey, we're working on - we - you - we've got you in our sights? 

Ben Yelin: Yeah. I mean, I think that's exactly what it is. It's a call to red states to say us as policymakers in California are serious about protecting the rights of citizens of other states to come to our state to seek abortion rights and gender-affirming care. 

Dave Bittner: OK. 

Ben Yelin: And we are willing to go above and beyond and to curtail some of these surveillance methods. And frankly, I mean, there are huge problems with geofence warrants and keyword warrants. They're extremely problematic because there's no particularity to the search. So from a Fourth Amendment perspective, it's hard to know how these types of warrants pass Fourth Amendment muster when they're very frequently overbroad. And courts have had a really hard time wrestling with this issue. 

Dave Bittner: Yeah. 

Ben Yelin: So yeah, I think it's a message to these redder states that California will take all measures within reason to protect the rights of red state citizens to come to California to seek this care without subjecting themselves to criminal prosecutions in their home state. 

Dave Bittner: Right. All measures except actually putting a bill that does something about it... 

Ben Yelin: Right. Exactly... 

Dave Bittner: ...In front of the legislature (laughter). 

Ben Yelin: ...Maybe the bill drafters were busy that day and they just tried to put something together to express the intent, the wishes, of the legislators in Sacramento. 

Dave Bittner: Let me... 

Ben Yelin: So it's something I'll look out for. Maybe this is just the opening salvo, and there's going to be some language with meat on the bones in a future legislative session. 

Dave Bittner: Yeah. 

Ben Yelin: But, you know, I sort of think it's a little maybe off-putting for so many advocacy organizations to shoot their shot, to really take a stand on something that's pretty limited in its actual applicability. 

Dave Bittner: So a couple questions for you on process here, or - so these were reverse warrants. Are they actually warrants? Does someone have to go in front of a judge and convince the judge that they have a good case that this - to make here? 

Ben Yelin: So, generally, yes. 

Dave Bittner: OK. 

Ben Yelin: But in some cases, depending on the state, depending on the jurisdiction, you can subpoena these records based on reasonable suspicion and not rising to the standard that there's probable cause that a crime had been committed. 

Dave Bittner: OK. 

Ben Yelin: So in many cases, these are - they're definitely warrants of sorts, but sometimes the standard is lessened from the probable cause standard to a reasonable suspicion standard. 

Dave Bittner: And forgive my ignorance here, but what is the standard for interstate cooperation? In other words, to go back to our example, you know, law enforcement from Texas, to what degree can they compel the citizens of California to do something? 

Ben Yelin: Well, you know, as you mentioned, the long arm of the law can certainly have an effect. 

Dave Bittner: Yeah. 

Ben Yelin: It is within the right of the attorney general of Texas, or whatever district attorney of Texas, to seek records from tech companies based in California. 

Dave Bittner: OK. 

Ben Yelin: It would be California prohibiting companies from handing over those records to red states. Certainly, there are some constitutional issues involved here. Not to get too in the weeds, but for those of you lawyers listening, there might be kind of a dormant commerce clause issue here since we want to maintain strong economic relationships between states. That's why, you know, marriages that are recognized in one state are recognized in other states. Driver's licenses that are recognized in one state are recognized in other states. And if you inhibit that type of interstate commerce, which I think legislation like this may do in kind of a backhanded way, then that might run into constitutional problems. But generally, California has the right to regulate the companies that are headquartered in California. 

Dave Bittner: Right. 

Ben Yelin: So this would be a case of Texas using their prerogative of seeking the records, but California using their prerogative of banning big tech companies from releasing these records to the relevant authorities in Texas. 

Dave Bittner: So without any legislation from California, as things currently stand, would a California tech company be able to say to Texas law enforcement, no? 

Ben Yelin: You can't really do that. I mean, if you get a court order or even a legally valid subpoena, then you are compelled to comply with it. 

Dave Bittner: OK. 

Ben Yelin: Sometimes the big tech companies, if they have enough resources, will fight the subpoenas or the warrants that they find particularly intrusive to privacy, and so maybe they do that in these circumstances. I don't know exactly how that's worked in practice, but you can always have an Apple FBI situation from 2015, where... 

Dave Bittner: Oh, yeah. 

Ben Yelin: ...Law enforcement just goes too far, and the company says, we're going to fight you in court on behalf of our subscribers. So that may happen. It's usually easier for the companies for that not to happen because that involves a lot of litigation. It's also not the best idea to get on the bad side of prosecutors from other states. 

Dave Bittner: (Laughter). 

Ben Yelin: You want to maintain good relationships with them... 

Dave Bittner: Yeah, OK. 

Ben Yelin: ...'Cause they could always try to hold you accountable, as they have. I mean, there's a lot of legislation in these very types of states that are trying to put restrictions on how, say, a Google operates within the state of Texas. We've talked about some of those pieces of legislation on this podcast. So yeah. 

Dave Bittner: OK. All right. Well, we'll keep an eye on it. That's an interesting one, for sure. We'll have a link to that in the show notes. 

Dave Bittner: My story this week comes from the folks over at Techdirt. This is an article written by Tim Cushing, and it's titled "Fourth Circuit Latest to Say Filming Cops is Protected by the First Amendment." So this involves a North Carolina resident named Dijon Sharpe who was - he was in a traffic stop, and he was livestreaming his traffic stop. And the police officer, Officer Helms, noticed that he was livestreaming it and tried to take Mr. Sharpe's phone away, reached through the car window. He said he could record the stop but could not stream it to Facebook Live because that threatened officer safety. Let us pause for a moment, Ben. I have seen this claim made before by law enforcement. I remember law enforcement tried to make the case that people being able to tag the location of law enforcement on Waze, the... 

Ben Yelin: Yes. 

Dave Bittner: ...You know, the GPS software, was a threat to law enforcement because then people would be able to know where the police were and where the police weren't. 

Ben Yelin: Yeah, there was a big crackdown on that in Maryland several years ago. I mean, I remember that. It was a big problem that Waze would tell you where the cops are located. If you see the cop car logo, you know... 

Dave Bittner: Yeah. 

Ben Yelin: ...Take a different route. 

Dave Bittner: (Laughter) Right. So I don't think the police made any, you know, progress with that. I don't think that argument held water. And indeed, in this case, the 4th Circuit is agreeing that argument does not hold water. To get to the - sort of the meat of the topic here, in the opinion, the circuit court said recording police encounters creates information that contributes to discussion about governmental affairs, so too does livestreaming disseminate that information, often creating its own record. We thus hold that livestreaming a police traffic stop is speech protected by the First Amendment. Ben, how important is this? 

Ben Yelin: I think it's quite important. There's been mixed precedent from various circuits on this question, and we've seen a lot of cases where a third party, somebody who's not involved in a traffic suit, is recording the interaction. 

Dave Bittner: Right. 

Ben Yelin: And generally, those are protected First Amendment rights. But what's unique about this case is that the individual, Dijon Sharpe, was - the individual who was pulled over was the one taking the video, so this was a unique case in that respect. And the argument that the officers made and the police department made that this threatened officer safety didn't hold water, and that's very significant 'cause, generally, I think courts give a good amount of discretion to law enforcement officials... 

Dave Bittner: Right. 

Ben Yelin: ...In a given situation, like a traffic stop, to determine what would threaten officer safety. They're the ones who have the on-the-ground experience. If they feel threatened, then they're threatened. And this is the 4th Circuit saying not so fast. 

Dave Bittner: Yeah. 

Ben Yelin: You might feel threatened, but there is a constitutional right at stake here. And the First Amendment issues are pretty profound because there's been such a long-running political conversation about the constitutionality of these types of traffic stops, police discretion or indiscretion, that curtailing this type of activity on behalf of the person being pulled over would be an inhibition on First Amendment rights. 

Dave Bittner: So it's interesting here also that Mr. Sharpe has a lawsuit against both the police force and the individual officers. The officer - the part against the officers got dropped because of qualified immunity, and I guess because this right had not yet been established at the time of the traffic stop... 

Ben Yelin: Yeah. 

Dave Bittner: ...Qualified immunity kicks in? 

Ben Yelin: That's right. Qualified immunity kicks in. Their - Officer Helms, who's the named officer in this case, was acting in good faith because it wasn't clearly established at the time of the traffic stop that forbidding a passenger from livestreaming their own traffic stop violated the First Amendment. So there's no precedent. There's no court ruling that the officer in that case can rely on. So because of qualified immunity, which means that the cop is shielded, generally, from immunity if the cop is not doing something that's clearly illegal - because of that principle, the officer is not going to personally face consequences here. But we do have this precedent that there is a First Amendment right to record traffic stops, which means if any good officer is reading Techdirt or otherwise staying up to date on the 4th Circuit, they're going to know that from now on, you can't, in good faith, unless there really is a specific threat to your safety, stop somebody from recording the interaction. That would be a violation of First Amendment rights. 

Ben Yelin: Now, I'm sure there might be, based on future cases, some exceptions that develop. If there are exigent circumstances, if the perpetrator is using the fact that he or she is videotaping to try to extract a concession from law enforcement, if a weapon is involved, you could see those as the types of edge cases where maybe law enforcement could credibly claim that their safety has been threatened. But at least now, officers should know within the Fourth District, which is the mid-Atlantic region, that... 

Dave Bittner: Is that us? 

Ben Yelin: That's us. 

Dave Bittner: OK. 

Ben Yelin: Here in Maryland... 

Dave Bittner: All right. Good (laughter). 

Ben Yelin: ...We are under the watchful eye of the 4th Circuit. So if you or I are pulled over - we might not want to do this, but we certainly could based on this decision, take out our phones and record the interaction. We might get our phones slapped out of our hands, but technically, the cops are no longer allowed to do that. So that's the precedential value of this case. 

Dave Bittner: I suppose I'm just trying to think of an example where the safety issue could hold water in a livestreaming situation. I could imagine, you know, somebody gets pulled over in the middle of a busy - you know, like, in a city, let's say, you know, close to where they live. And so members of their community can see, hey, you know, Bob's being hassled by the cops right now. We should go down there and do something about that, right? (Laughter) So if you - if the livestreaming was able to summon up some kind of an angry mob, then I suppose you could have a case that it could threaten officer safety. 

Ben Yelin: Yeah. I think that's going to be the edge case is... 

Dave Bittner: Yeah. 

Ben Yelin: ...Like, a prominent member of the community is pulled over. 

Dave Bittner: Right. 

Ben Yelin: They start livestreaming, and they say, hey, everybody who's following this, come down to the intersection of such-and-such and such-and-such... 

Dave Bittner: Right. 

Ben Yelin: ...And let's start a riot. 

Dave Bittner: Right. Right. Right. 

Ben Yelin: That could jeopardize officer safety. 

Dave Bittner: Yeah. 

Ben Yelin: The thing is, those were not the facts of this particular case. So... 

Dave Bittner: Yeah. 

Ben Yelin: ...The court can't really opine on something like that until it actually happens, or at least they shouldn't opine on that until it actually happens. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: Sometimes they do, and they come up with their own hypotheticals. But yeah, I mean, you could certainly see a situation where livestreaming would present a kind of threat. Particularly if it's during a period of civil unrest and there are limits on law enforcement resources, you know, drawing groups of people to a particular law enforcement interaction could certainly jeopardize public safety. 

Dave Bittner: Right. 

Ben Yelin: And I can understand that from law enforcement's perspective. But I think what the court is saying here is there shouldn't be a per se rule prohibiting somebody from recording these interactions 'cause that per se rule would be a violation of the First Amendment. 

Dave Bittner: Yeah. We still think that this is on its way to the Supreme Court, that it's inevitable? 

Ben Yelin: I do. I mean, I think there's been enough disagreement among circuit courts that this is the type of case - maybe it's not this case in particular, but maybe there's a closer edge case where the Supreme Court weighs in on this as a constitutional right. So that's definitely something we'll look at - we'll look out for. You know, when you have the conflict between officer safety and public safety and First Amendment rights, there's always a good chance that that's going to make its way up through our court system, and that's exactly what we have here. 

Dave Bittner: Yeah. All right. Well, we will have a link to that Techdirt story in our show notes. 

Dave Bittner: We would love to hear from you. If there's something you'd like us to cover on the show, you can email us. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Charlie Moore. He goes by the nickname Tuna back when he was an aviator. But he's also the former deputy commander of U.S. Cyber Command. And we are discussing his experience helping to stand up U.S. Cyber Command, along with the development of U.S. cyber policy. Here's my conversation with Charlie "Tuna" Moore. 

Charlie Moore: Yeah, so my background - the first 25 years of my career was totally based on the flying aspect of things, primarily flying the F-16 and being given the opportunity to command at many different levels, up through the wing level twice. And the last wing was a one-star general officer position. I went on deployment. After that position for a year, when I came back, I was sent to work for the Chairman of the Joint Chiefs on the Joint Staff. And of the many portfolios that I was given to be responsible for, one of them was cyber. And this was early 2015 - late 2014, early 2015 timeframe. And if you know a whole lot about where the Department of Defense was holistically, anyway, from a cyber perspective, it was quite a mess. And... 

Dave Bittner: Yeah. And how so? How so? 

Charlie Moore: Well, we still hadn't stood up our warfighting command that we have now called U.S. Cyber Command. We had a thing called Cyber Command, but it reported to a combatant command known as Strategic Command and then was commanded by the head of the National Security Agency at that time, Admiral Rogers. So it was commanded by an intelligence personnel, was not a warfighting command. We hadn't built out all of our teams. And probably more important than that, we didn't, as a government, have a solid policy for how we were going to conduct cyberspace operations, specifically offensive cyberspace operations. And we didn't have a way to really get the authorities that we needed because we didn't have that policy. We did not have a strategy inside the department for the execution of those forces. And so, therefore, we hadn't developed a lot of tactics, techniques and procedures for how we wanted to conduct cyberspace operations. So it was very early on, and everything was still very nascent at that time period. 

Dave Bittner: So what was your part in standing up U.S. Cyber Command and kind of getting things under control or making order out of that chaos? 

Charlie Moore: Yes. So while on the Joint Staff, my first job was really to figure out, internal to the department, how we were going to conduct these operations and coordinate them, synchronize them, integrate them with our warfighting commands and across all the other domains of warfare, being the air, land, maritime, sea, et cetera. And so that was a pretty tough challenge in and of itself. But then in 2017, I was asked to go up to Fort Meade, formally join U.S. Cyber Command and become their first director of operations. We still weren't a combatant command at that point, but we believed the writing was on the wall that the department was going to make the decision to make U.S. Cyber Command a warfighting command and that we were going to have to operationalize this entity, meaning bring it from out of just being an intelligence function and intelligence information-gathering function and figure out how to warfight in the domain. And I was asked to go up there because of my previous warfighting experience in the air domain and the idea that I could help operationalize what we were going to do. 

Dave Bittner: Is there a notion that cyber most resembles any of the particular services? In other words, you know, is it most like the type of things the Army does or the Navy or the Air Force? 

Charlie Moore: Yeah, that's a great question, Dave. I think that it's obviously extremely unique for a wide variety of reasons, and I'm sure your listeners would understand. If I was going to pick a domain of warfare that's the closest, it would be the air, ironically enough, just because we're talking about something that operates at speed, that has a breadth and depth of reach from a global perspective that you really don't see in other warfighting domains, and it comes with a level of precision that you don't always necessarily see in the other warfighting domains. So if I was going to pick one of the domains of warfare that it most closely represents, it would be the air. 

Dave Bittner: Well, let's talk about the specific skills, then, that you brought to the table here. I mean, as someone with a long career in the Air Force, when you're looking at the challenges of cyber, what were those previous lessons that you learned along the way that really served you well? 

Charlie Moore: I think the biggest thing was this was a going to be a warfighting domain, and our going-in position was that the principles of warfare that the United States have developed and honed over many, many decades and centuries, quite frankly, would still apply. And so it was very, very important that we looked at those and figured out how we would utilize them inside the cyber domain. For instance, in 2017, when I got there, we were really focused on being reactionary. We were very focused on defense. We did not have a policy in place or a strategy in place that really allowed us to effectively employ from an offensive perspective. 

Charlie Moore: Now, to any warfighter, being on the defense and being reactionary is absolutely something you always want to avoid at all costs. You always want to be on offense. You always want to be driving the fight. And the old saying about a good offense is the best defense holds true in this domain as well. So it was really about looking at those principles and then figuring out how to apply them to the cyber domain from a warfighting perspective. But we had a lot of work to do. We had to continue to build out our teams, our offensive teams, our defensive teams, our support teams. We had to work on getting a policy in place that would allow us to actually operate based on our theory of fighting in the space and in the domain. We had to develop a strategy for how we were then going to actually employ those forces. And then we actually had to go and execute, build out our infrastructure, build out our tools, build out our weapons. So it was a full-court press across the spectrum. 

Dave Bittner: What was the sense of where we stood in terms of - if you compared us to both our allies and our adversaries, what were our capabilities? As you looked inwardly, you know, where do we stand? Where did we stand at the moment when you were - when you were going through the standing up of Cyber Command? 

Charlie Moore: So we always had the capabilities, and we obviously had extremely talented, innovative, qualified personnel, the best in the world, that could operate inside this domain. Just as they had done from an intelligence perspective, we knew that they could be the best warfighters, cyber warfighters and cyber warriors in the world. But we really weren't allowing them to operate. So the biggest thing that we needed to do was to work with the administration at that time in 2017 to get a policy in place. And that policy didn't exist. 

Charlie Moore: And because of it, I really described this at that time as break glass in time of war command and cleanup on Aisle 6 command, meaning we continue to have cyber incidents, not only inside the federal government - if you think back to the Office of Personnel Management event that took place in 2015, one of the largest thefts of PII probably ever. If you think about the fact that we had even some of our Joint Staff in the Pentagon, the Joint Staffs' unclassified networks attacked by a foreign nation-state. If you think back to Sony Pictures, if you get into the private sector, in 2014. And all these events, they - the White House - and this cuts across many administrations - would always come to the Department of Defense and say, well, what can you do? Well, first, we need you to go help clean up on Aisle 6 - in other words, help fix the problem that currently exists, figure out what the gaps and seams were, mitigate those problems so this doesn't happen again and make sure they have a series out of the networks. OK, we can do that. 

Charlie Moore: And then it was always, well, what can you do in response? And most of our capabilities were geared towards warfighting. So should we end up in conflict with Nation X, we can do the following things to help support that warfight. The problem is there's a big gap there between being responsive and being reactive to cleaning up after events and warfighting. It's the spectrum that we live in every single day. Our adversaries were taking full advantage of this space. So we were routinely being hit not just inside the DOD but the government and even the private sector with cyber events that were occurring what we would say below the level of armed conflict or use of force. But they were having significant events. We couldn't perform those same types of operations because the lack of policy at the time. 

Dave Bittner: What's the cyber equivalent of a shot across the bow? I mean, you know, you have these capabilities. You spin them up. And I'm thinking of traditional kinetic war fighting. You know, you go out, and you do testing, you do training, and your adversaries can generally get a notion of what you're up to and perhaps what your capabilities are. Does that track to the cyber domain? 

Charlie Moore: It does in some ways. But one of the big challenges with the cyber domain, of course, is it's very hard to predict - because of how quickly technology advances, very hard to predict what the next threat inside this domain will be. So if you think about the traditional spaces - air, land, maritime, even space - and you think about how good the intelligence community is in the United States and with our friends and allies, we do a very good job of paying attention to what our adversaries are doing, what type of capabilities they're developing, where they're going to take those things, so that we can then try and stay ahead and be prepared to counter those capabilities or defeat those types of capabilities. In the cyber domain, things can literally come out of nowhere. And they may not come from a nation-state. They come - may come from a criminal organization that's just trying to make money, but then those are adapted by a nation-state to use them for their military purposes or larger national-level purposes. So that's one of the big challenges. 

Dave Bittner: I'm curious. As a leader, what was it like for you just in terms of internal diplomacy, you know, getting - you have a lot of different organizations who have different interests, different pressures that are on them to perform. How do you get them all on the same page to support the effort? 

Charlie Moore: Yeah. You're hitting on one of the very, very key challenges of this domain. When you look across the government and even the - to include the private sector and our friends and allies, everybody has equities inside this space. That's very different than the other warfighting domains. So I go back to what I was talking about, not having a policy in place that really allowed us to operate. So in 2017, we began working really, really hard, not only inside the department but with the other departments and agencies in the executive branch, to develop a policy that would help us do exactly what you're getting after. That turned into what's known as National Security Presidential Memorandum 13, so NSPM 13. And this was the first policy document that described what we would be allowed to do in the offensive cyberspace realm against who we would be allowed to do it, and it would bookend, obviously, those authorities. And as long as we operated with those authorities and we stayed below the level of use of force or armed conflict, we could operate at speed. We could get out of just defending our blue networks and being reactionary, get into red space and to adversaries' networks, figure out what they're doing and try and stop any type of actions before they take place. 

Charlie Moore: I like to use the analogy of we like to go find the hunters and the folks that are about to shoot their arrows and take those archers out before we're dodging arrows back here in blue space, back inside the United States and inside of our networks. And so that policy document delegated those authorities for the first time to the secretary of defense and then down to the commander at U.S. Cyber Command. The other thing that it did, specific to your point, Dave, is it put in place a very specific process by which what we're doing is required to be shared across the interagency so that all equity concerns could be addressed and so that, essentially, we weren't stepping on each other inside this space and causing some type of impact, let's say, to intelligence-gathering operations while we were trying to perform some type of offensive cyberspace operations. 

Dave Bittner: And how has that been going? I mean, when you stepped away, what was your feeling in terms of how far along we'd come and what was left to be done? 

Charlie Moore: So great strides were made. You know, our, really, first test, once we got this policy in place in 2018, in the summer, was defense of the 2018 midterm elections. So that's a no-fail mission. The president of the United States made it very clear to the commander of U.S. Cyber Command, General Nakasone, who made very clear to me as his director of operations at the time this is a no-fail mission. We were not going to let a foreign power interfere in our election processes, and we were going to do our best to mitigate any attempts to influence those processes as well, using the cyber domain. And so I'm happy to tell you that we performed exceedingly well. And folks that did have their sights set on performing those types of operations were pretty much decimated by our operations. 

Charlie Moore: And, of course, we went on to do the same thing in the election of 2020 and 2022, most recently. But after our successes in 2018, and we proved that we could do this, and we could coordinate across the interagency, and we could coordinate with our friends and allies and that we wouldn't see unnecessary escalation in the space by doing what we need to do to defend America, more and more of our services were requested, not only inside the department but obviously from our civilian leadership, for the types of things that we could do. So our success bred more opportunity, and those opportunities bred more success. And the operations have just continued to grow since that time period. And it's led to a lot of great successes in terms of our ability to defend the nation. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: This is really kind of an uplifting and encouraging story. It was very unclear how our national security apparatus was going to deal with cyberthreats several years ago 'cause I think a lot of the traditional foreign policy tactics that we use are not applicable in the cyberworld. 

Dave Bittner: Yeah. 

Ben Yelin: And time was certainly of the essence because, obviously, cyberthreats threats have been increasing, and as he mentioned, there were threats to our election systems, certainly, post-2016. So the fact that they were able to come up with these sets of policies and really develop this unit over the past several years I think is a real success story. 

Dave Bittner: Yeah, absolutely. All right. Well, again, our thanks to Charlie Moore for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: CyberWire, Inc.