Rob Joyce, White House Cybersecurity Coordinator, said, "In an environment like the one we have, we're going to get hacked, and we need to be able to bounce back rapidly." And indeed resilience was a common theme, which suggested strongly how the traditional dilemma Clausewitz formulated—will you concentrate on reducing your own friction, or increasing that of the enemy—is resolved in current thinking.
The view from US CENTCOM.
General Joseph Votel, Commander of US Central Command (CENTCOM), delivered the final keynote and a perspective on cyber operational art as applied in his theater.
"Cyber has no boundaries," Votel observed, and the barriers to entry are low. Adversaries needn't have conventional forces; they can do damage online. It's a military truism that if you defend everywhere, you defend nowhere. So, he said, finding the key terrain in cyberspace is the critical first step.
Mission assurance is job one.
He characterized CENTCOM as "alert and vigilant to the cyber threat." In his Middle Eastern area of responsibility, the adversary in cyberspace is principally Iran, with violent extremist groups running a close but distinct second. The challenges they face are social, economic, and political instability (exploited by hostile governments), proliferation of weapons of mass destruction, and the growth of violent extremist organizations.
Iran is top threat to long-term stability in the region. Votel sees it as particularly dangerous because it operates entirely in the "grey zone" of surrogate and online combat. It benefits from instability. Recent disagreements between Saudis et al. and Qatar are an example of such grey zone instability that Iran has been able to exploit to its own advantage.
Votel offered three takeaways. First, his number one priority in cyber is mission assurance. Second, our approach to conflict in cyberspace is hampered by some existing policies and postures. Our geographical focus is one, as is our practice of pushing decisions about cyber operations to the highest levels of the National Command Authority. At the strategic level pushing such decisions up makes sense, he thought, but at the operational level securing approval to act becomes "so cumbersome as to make cyber operations irrelevant, and that's a problem."
His third takeaway is that they're working to integrate cyber across all our operations. But they're operating with constrained resources.
The rise of the virtual caliphate.
The challenges, Votel thinks, are as always are on the operational as opposed to the strategic level. "As we've taken away the physical caliphate, a virtual caliphate has arisen. We need to defeat ISIS in cyberspace." He closed with a plea for more collaboration in cyberspace.
Votel's concerns about the rise of a virtual caliphate center on that enemy's information operations capabilities, especially its proven ability to recruit and inspire online. "ISIS's most significant capability is its ability to shape the information environment." Those are indeed real concerns for which no comprehensive solution has been publicly offered.
It's noteworthy that General Votel's consideration of cyberspace is firmly in the American tradition of concentrating on reduction of one's own friction to make it easier to operate against the enemy. The success of this orientation can be easily seen in the rapidly progressing reduction of the territory ISIS holds to insignificance. The approach has much to recommend it, drawing as it does on the traditional American excellence in logistics, organization for combat, and command and control.
But it may also contribute to an explanation of why the country that invented modern mass marketing continues to struggle with information operations. To reduce ISIS's mindshare would increase its friction, and would require answering—credibly and effectively—the jihadist ideas ISIS has successfully offered. How this might be done remains an unanswered questions.
But it's still good to reduce your own friction.
That said, no thinking person would regard reducing one's own friction as a mistake. Tanium's Ralph Kahn, in a conversation at the end of the Summit, emphasized that a solid operational posture depended on getting the IT hygiene right: harden, patch, and train. The more these can be automated, the better. And Kahn thinks these tasks do lend themselves to automation—the Services call this "compliancing," and for all the sound advice about the centrality of risk management and insufficiency of checklists, "compliancing" is by no means a bad word.
So automation can not only reduce policy friction, and friction in testing and deployment, it can also, Kahn argues, reduce the friction of tight labor market.