assistant secretary of defense for cyber policy Archives | DefenseScoop
https://defensescoop.com/tag/assistant-secretary-of-defense-for-cyber-policy/

Senators press DOD cyber policy nominee to push for deterrence doctrine
https://defensescoop.com/2025/05/06/senators-press-dod-cyber-policy-nominee-deterrence-doctrine-katie-sutton/
Tue, 06 May 2025 19:30:16 +0000

Lawmakers are pushing the Pentagon to develop a more proactive deterrence policy in the face of increasing adversary activity.

Senators are prodding the Trump administration’s nominee to be the top cyber policy official at the Defense Department on how the U.S. can develop a more proactive, offensive posture against adversaries in the digital sphere.

Lawmakers expressed concern Tuesday regarding the United States’ ability to deter malicious activity in cyberspace.

“Do you think we’ve done enough over the last four years to deter our adversaries like China and Russia and Iran and North Korea by being essentially in a defensive crouch in the cyber world and not developing offensive plans and capabilities that can hold at risk the things that they hold most dear?” Sen. Tom Cotton, R-Ark., asked Katie Sutton, President Donald Trump’s pick to be assistant secretary of defense for cyber policy at her confirmation hearing.

Sutton would be the second official to hold that role since Congress created it in the fiscal 2023 annual defense policy bill.

“As I think Sen. Cotton characterized it, we’re not going to be able to defend ourselves if we’re in a defensive crouch at all times. We need to have both the capability for offensive cyber, but also I believe we need a stated doctrine,” Sen. Angus King, I-Maine, said. “Everyone in the world knows our doctrine of deterrence in nuclear armaments, for example. People should also understand a doctrine of deterrence that if you attack us in cyberspace, there will be a response.”

King has raised the issue of cyber deterrence, or lack thereof, at almost every cyber hearing before the Senate Armed Services Committee in recent years. He has voiced concern that there isn’t a coherent cyber deterrence strategy. In fact, at a confirmation hearing for now-retired Gen. Paul Nakasone to be the head of U.S. Cyber Command seven years ago, King asked the nominee if adversaries feared the U.S. in cyberspace, to which Nakasone answered they don’t.

“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” King told Sutton at Tuesday’s hearing.

For her part, Sutton noted that if confirmed, she would work to make sure the U.S. has the right posture and it is well-articulated.

“The defender has to be wrong every time, [but] the adversary only has to be right once. I think that goes to show that while we need strong defenses, we are not going to deter the adversary with defenses only. And that if confirmed, I will work to strengthen our offensive cyber capabilities to ensure the president has the options he needs to respond to this growing threat,” she said.

In response to written questions from the committee, Sutton noted that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.

“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote. “Under President Trump and Secretary [Pete] Hegseth’s leadership, I understand that DoD is laser-focused on restoring deterrence across all domains, including cyber, and will be assertive in addressing China’s unacceptable intrusions on civilian and government networks. While increasing our offensive cyber capabilities is critical, DoD must also remain vigilant in defending its own networks and critical infrastructure.”

Recent Chinese intrusions into U.S. critical infrastructure have raised concerns among American government and private sector leaders that Beijing could be prepping the battlespace for a potential conflict.

Officials in the Trump administration have expressed their desire to beat back Chinese efforts and develop a more offensive cyber footing.

Experts and officials have acknowledged that deterrence doesn’t have to be tit-for-tat in cyberspace, but senators expressed the need for more public-facing offensive capabilities against malicious activity.

Prior to 2018, the military conducted very few cyber operations. Experts and former officials have noted that there historically has been a risk aversion to conducting offensive ops in response to certain activities because it could be viewed as escalatory — a notion that has been largely disproven through academic research, especially given that in recent years cyber activities have been viewed as a less escalatory response than traditional kinetic action.

Cyber Command’s “defend forward” concept — which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks, achieved through persistent engagement and challenging adversary activities daily and wherever they operate — was viewed as a remedy to that inaction. It sought to demystify cyber ops by conducting them consistently to give U.S. forces more reps and demonstrate to senior leaders what they could do.

Some of the authorities that were developed in 2018 by the executive branch and Congress, and that were foundational to enabling a more offensive posture for Cybercom, deserve a relook, according to Sutton.

“The cyber domain is continuing to evolve and the one constant that I’ve seen in being involved in this domain for over two decades is that the rate of change is exponential. My top priority if confirmed in this role will be to address this change with speed and agility in the department … I believe we’re at a point where we need to reevaluate those [authorities] and make sure that we’re postured to be able to respond to the increasing speed of cyber attacks and that we are able to address the incoming impacts of AI,” she said.

Those authorities include the first Trump administration’s National Security Memorandum-13, which prescribes the process by which cyber operations are conducted and coordinated in the interagency. Lt. Gen. William Hartman, acting commander of Cybercom, told the Senate Armed Services Subcommittee on Cybersecurity last month that that policy has increased the command’s ability to execute cyber operations tenfold.

Another important move previously made was Congress clarifying that cyber is a traditional military activity, clearing bureaucratic and interagency hurdles and allowing Cybercom to conduct critical preparations in cyberspace without a “hot” conflict present.

Sutton also pledged to change the culture around offensive cyber, noting that a decade ago there was hardly any mention of the term “offensive cyber” among U.S. officials. She drew a parallel to the intelligence community, which used to keep vulnerabilities for its own use but now seeks to share more of them with industry so that industry can better defend itself.

“I think that same culture change needs to happen in how we discuss cyber deterrence,” she said in response to Sen. Tim Kaine, D-Va., who questioned why the Defense Department can’t be more candid in discussing offensive activity more publicly.

“We talk about offensive operations in other military domains — the number of sorties we were flying against [ISIS], we know when there’s a U.S. bombing in Yemen against Houthis, we’re aware of it. But we don’t talk about what we do offensively in cyber very much,” he said. “It ends up making the public very aware that we’re under attack because [of] the news stories a couple of times a year about successful cyber attacks. But the public never hears about our use of the offensive cyber capacity to impose costs on those who are attacking us. Why can’t we be a little more candid with the American public about our offensive use of cyber so that they’re aware that we’re not just playing defense all the time but that we actually have an offensive capacity that we use?”

Part of the reason the U.S. government has been hesitant to discuss offensive cyber more openly is to avoid tipping off adversaries. If a vulnerability is known by the target, it can be patched and cut off as an avenue for attack.

Trump nominates former congressional staffer for top Pentagon cyber policy job
https://defensescoop.com/2025/03/25/katie-sutton-assistant-secretary-defense-cyber-policy-trump-nominee/
Tue, 25 Mar 2025 15:46:22 +0000

Katie Sutton was tapped to serve as the assistant secretary of defense for cyber policy.

Katie Sutton has been nominated to serve as assistant secretary of defense for cyber policy, according to a notice posted on Congress.gov.

Sutton — who is currently chief technology advisor to the commander and director of Pentagon operations at U.S. Cyber Command and had been a professional staff member on the Senate Armed Services Committee focused on cyber — will be the second official to hold this position, which was created by Congress in the fiscal 2023 annual defense policy bill.

That position was established due to the growing role of cyber in society and the U.S. military. Many in Congress wanted to elevate the role of cyber policy within the Defense Department to the ASD level.

As the Trump administration looks to fill out its cyber policy personnel at the Pentagon, multiple press outlets last week reported Laurie Buckhout was selected to serve as the Deputy Assistant Secretary of Defense for Cyber Policy, which was the top cyber policy position in the department until the ASD position was created.

A retired Army colonel, Buckhout was an electronic warfare officer and has been outspoken about the degradation of the Army’s and U.S. military’s EW capabilities relative to adversaries. She recently ran for Congress in North Carolina as a Republican, but was defeated by Democrat Don Davis.

These top cyber policy roles will be integral in helping the department navigate critical cyber issues, namely, the evolution of U.S. Cyber Command via an initiative dubbed Cybercom 2.0. That effort was initially meant to not only provide a holistic examination of the command and its forces to better posture it for the future — given its structure remained largely untouched since its inception over a decade ago in a less dynamic environment — but also bunch together multiple congressional reports that lawmakers required of the DOD in several annual defense policy bills.

“What we see now as Cyber Command 2.0 is the command’s efforts to build domain mastery to achieve a competitive advantage in the cyber domain. Through these efforts, we will be enhancing total force readiness and our innovation,” Gen. Timothy Haugh, Cybercom commander, said last week at the Cyber Workforce Summit in Washington.

The effort has four main buckets: a new force generation model for how each service provides cyber forces to Cybercom; a talent management model; an advanced training and education center to ensure forces are more ready when arriving to their units and have specialized training if needed; and a cyber innovation warfare center that could focus on rapid innovation and capability development.

It has been reported that Defense Secretary Pete Hegseth has directed those efforts be expedited by several months, something some in Congress support.

Haugh told senators at a Senate Select Committee on Intelligence hearing Tuesday that for the 2.0 effort he was asked to produce recommendations for the SecDef on how to manage, develop and equip cyber talent. That plan was brought to Hegseth, who told the command to go faster. Based on Hegseth’s guidance, Cybercom is moving forward with the rest of the department, according to Haugh.

New assistant secretary of defense position signifies maturation of cyber within the department
https://defensescoop.com/2024/08/01/new-assistant-secretary-defense-position-signifies-maturation-cyber-dod/
Thu, 01 Aug 2024 13:55:48 +0000

The new assistant secretary of defense for cyber policy will help unburden U.S. Cyber Command from administrative tasks associated with new budgeting authorities, experts say.

The cyber enterprise within the Department of Defense has been on a long road from the Pentagon’s adoption of computers to its creation of the Internet to the establishment of U.S. Cyber Command in 2010 as the primary organization to conduct digital warfighting for the military.

As cyber has become a ubiquitous part of society, so too is it an integral part of military operations. Congress, in the fiscal 2023 annual defense policy bill, directed the creation of a new position within the Office of the Secretary of Defense to oversee all of cyber policy — the assistant secretary of defense for cyber policy — elevating the role of cyber, which sources and officials noted signifies the importance and maturity of digital capabilities within DOD.

“It’s the maturation of cyber,” Sen. Mike Rounds, R-S.D., the ranking member on the Senate Armed Services Subcommittee on Cybersecurity, told DefenseScoop in an interview. “We put it at the assistant secretary level because you will never have another confrontation, worldwide confrontation, without first having a cyber event.”

Rep. Morgan Luttrell, R-Texas, a member of the House Armed Services Committee, said these types of threats have increased and told DefenseScoop “we have to stay aggressive.”

Previously, cyber and cyber policy oversight within the Pentagon was spread too thin, according to those interviewed.

“When we were talking with the folks responsible for this portfolio, we wanted to know how are you handling that huge portfolio of threats. They said, ‘Well, with regard to cyber, we delegate it,’” Rounds said. “That convinced us that it was necessary to take a look at cyber and make that a separate area of study and a separate area of responsibility with the appropriate authorities.”

The assistant secretary of defense for space policy had been overseeing cyber — serving as the principal cyber adviser to the secretary of defense — as well as nuclear, counter-WMD, space and missile defense policy, a huge portfolio. Additionally, there was a deputy assistant secretary of defense for cyber policy.

This created the need to move cyber out and provide a new office with the bandwidth to focus on these issues and consolidate all the various roles.

“Cyber needed to be pulled out from space. It’s the fastest changing domain of warfighting right now and it needs specific focus,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, said in an interview.

Within the hierarchy of defense officials and offices at the Pentagon, ASDs, as they’re known, fall beneath undersecretaries, which are just below the secretary and deputy secretary roles.

“I think it’s very significant and I think it’s necessary … In the [Pentagon] function follows form. Nothing significant happens without the DASD behind it and nothing important can be done without an ASD behind it,” Tom Wingfield, a senior international and defense researcher in RAND’s Department of Defense and Political Sciences and the deputy assistant secretary of defense for cyber policy from 2019 to 2021, said in an interview. “I think this is absolutely the right direction for cyber to be moving within the building and within the department.”

Others pointed to the fact it took over a year to officially create the office and nominate an official to lead it, drawing congressional ire.

Michael Sulmeyer, currently the principal cyber adviser for the Department of the Army, was nominated for the ASD role in March and the office was officially created later that month.

The Senate Armed Services Committee favorably passed Sulmeyer’s nomination to the full Senate by voice vote at the start of a hearing July 30, following his July 11 confirmation hearing. He could be confirmed by the full Senate later this week ahead of Congress’ August recess.

Shadow service secretary?

Some interviewed noted that the new position puts a civilian official on par with the commander of Cybercom. Cybercom is atypical within the DOD as a combatant command with service-like authorities such as acquisition and setting training standards for the services. In fact, officials have maintained that Special Operations Command, which also possesses these qualities, was the template for the organization.

Congress modeled the ASD for Cyber Policy position off the Socom and ASD for Special Operations and Low-Intensity Conflict relationship, creating what some deemed a shadow service secretary.

“The committee intends for the Assistant Secretary of Defense for Cyber Policy to provide service secretary-like functions for U.S. Cyber Command, mirroring the current relationship that exists between Special Operations Command and the ASD for Special Operations and Low Intensity Conflict,” Sen. Jack Reed, D-R.I., chairman of the Senate Armed Services Committee, said at Sulmeyer’s confirmation hearing. “It will be important for your office to not only support Cybercom’s growth, but also to maintain strong civilian control and oversight of the command.”

As a warfighting organization, Cybercom is constantly in the fight while also having to focus on administrative tasks such as budgeting, resourcing, acquisition and manpower. While some sources didn’t totally agree with the shadow service-like secretary analogy, most agreed that this higher level of oversight would help to unburden Cybercom, which earlier this year received enhanced authorities allowing the command to be in direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force, known as enhanced budget control.

“We’ve seen a lot of maturation in terms of the authorities that Cybercom has been granted. You need that corresponding credible civilian oversight to make sure that those authorities are being leveraged in appropriate ways,” Erica Lonergan, an assistant professor in the School of International and Public Affairs at Columbia University, said in an interview. “Some of the enumerated roles and responsibilities of the new ASD position are things like overseeing the budget, overseeing how Cybercom is using its new EBC authorities and things like that.”

In fact, Cybercom commander Gen. Timothy Haugh in April noted that the combination of the new authorities and the new ASD role puts the Defense Department’s enterprise in a position to realize the next generation of digital capabilities.

“I think the assistant secretary of defense does unburden Cyber Command from having to be the lead advocate inside the department,” Montgomery said.

For Congress, the office provides a focal point to coalesce various areas into a cohesive vision.

“It provides us with an opportunity to actually be able to acquire the weapons systems on a more timely basis. And second of all, it allows us the ability to put the manpower in place and to train the manpower more quickly. You need both. You need not only the tools, but you got to have the educational requirements in place as well,” Rounds said. “I’ve watched the development of Cybercom over the last decade. They’ve become more sophisticated and clearly more capable. Now, as we mature those weapons systems and those defensive capabilities, it’s important that we be able to acquire the necessary resources as quickly as possible. This is our opportunity with the assistant secretary position to elevate that, to get the decisions made as quickly as possible.”

Oversight and bureaucracy

Some indicated that growing pains will be natural with the new position, given that anytime a new bureaucracy is established, it creates new channels for reporting and oversight.

“Whenever you are creating a new office or structure within the Department of Defense, there are going to be growing pains. There’s no way around that,” Emerson Brooking, director of strategy and resident senior fellow at the Digital Forensic Research Lab of the Atlantic Council Technology Programs, said in an interview.

Brooking, who was also one of the authors of the 2023 DOD Cyber Strategy, added that the new budget control authorities for Cybercom come with oversight expectations from Congress and those must be routed through the proper bureaucratic lanes.

“It can’t just be Congress direct to Cybercom. It’s not good for civilian control and it’s not really the best situation for Cybercom to be in either because decisions being made may lack adequate context or top cover, which can be provided if they’re routed properly through OSD Policy with clear oversight of the secretary and his representatives,” he said.

Others noted that there will also likely have to be several deputy assistant secretary positions added beneath the ASD to handle a variety of cyber areas. Wingfield said the ASD will need a variety of so-called DASDs to be fully effective.

“Right now, it’s really a shoestring effort. Whether it takes more people from policy, or more focus from inside the building, the idea of deciding what DASDs are needed inside cyber policy — do you need one for cyber, do you need one for information and the fight that would cause was with the special operations community? Do you need one for electronic warfare? Do you need one for emerging technologies?” he said. “You can imagine different portfolios of DASDs within that would be the natural evolution beyond the minimal state we’re at now with just the former DASD of cyber policy and the [principal cyber adviser].”

Given all that cyber touches right now, it’ll be important for the new position to also seek to integrate cyber into other areas and domains within DOD.

Moreover, there are tight linkages between electronic warfare and cyber as well as the information domain and cyber.

Sulmeyer, in a questionnaire from senators ahead of his confirmation hearing, acknowledged the new office has responsibilities for certain electronic warfare topics that relate closely to cyber, and he committed to working with officials to discuss additional duties and responsibilities. He also noted that information operations are often complementary to cyber operations and promised to examine how the current assigned responsibilities have evolved and how they align against current and future threats.

Sulmeyer will be entering the office at a critical time for cyber within the department as calls for an independent military service focused exclusively on cyber grow louder, given the incongruencies of the way each service presents forces to Cybercom and readiness issues associated with those forces. There are currently identical provisions that have passed both armed services committees in each chamber of Congress directing an independent study on the matter.

“Indeed, the first challenge you will face is meeting the personnel manning and retention goals for our Cyber Mission Forces. The Defense Department faces significant difficulties in training and retaining personnel for key positions requiring special skills,” Reed said at Sulmeyer’s confirmation hearing. “In order to mature the cyber force and advance our nation’s capabilities to conduct cyber operations, the military services must provide qualified and trained personnel to Cybercom on time and at the beginning of their tours.”

Sulmeyer told senators in his questionnaire that he will prioritize the evaluation of force generation models to determine the most effective and efficient approaches to “build combat power and sustained readiness to defend the nation from cyber threats,” vowing to work closely with Haugh on executing the command’s service-like authorities.

Many agreed that Sulmeyer is the right person at the right time for the role. Previously, he served as director for plans and operations for cyber policy in the Office of the Secretary of Defense, before departing government to head the Cybersecurity Project at the Harvard Kennedy School’s Belfer Center. He then came back to the Biden-Harris administration to serve as a special assistant to the president and senior director of cyber policy at the National Security Council, and senior adviser to Paul Nakasone — the most recent commander of Cybercom — before transitioning to his current role as principal cyber adviser for the Army.

Rounds noted that Congress wanted a cyber expert to be the inaugural ASD for Cyber Policy given the importance of the role and cyber in the DOD, adding that Sulmeyer “fits that bill perfectly at this stage of the game.”

Moreover, his vantage as a service principal cyber adviser best postures him to understand the ins-and-outs of cyber issues within the department.

“Sulmeyer is the right guy. Having a guy come from a service PCA role means he really understands the acquisition challenges cyber command is facing,” Montgomery said. “There’s no one better positioned than a serving service PCA to be the first assistant secretary, because all the shortfalls, all these challenges are ones he’s dealing with on a micro level, on a single service level, that he’ll now have to deal with on a macro level across all the services.”

DOD officially establishes new cyber policy office
https://defensescoop.com/2024/03/29/dod-new-cyber-policy-office-assistant-secretary/
Fri, 29 Mar 2024 15:57:54 +0000

Ashley Manning is serving in the position as the official performing the duties of the assistant secretary. Michael Sulmeyer has been tapped to serve in the role once he's been confirmed by the Senate.

The Pentagon has officially established the Office of the Assistant Secretary of Defense for Cyber Policy, it announced in a release Friday.

In the fiscal 2023 National Defense Authorization Act, Congress directed the Pentagon to create the office, elevating cyber policy within the Office of the Secretary of Defense.

The department had not established it in the timeline lawmakers initially desired — sparking some backlash — opting to take more time to study what would fall under the purview of that office such as the possible inclusion of electronic warfare and information warfare.

It was eventually created March 20, per the release.

“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” Sasha Baker, acting undersecretary of defense for policy, said in a statement.

The assistant secretary will be the primary senior official for overall supervision of Department of Defense cyber policy and operations, sitting beneath the undersecretary of defense for policy, the Pentagon said. The official will also serve as the principal cyber advisor for the DOD.

According to the release, the existing deputy assistant secretary of defense for cyber policy will report through the new assistant secretary.

The Pentagon said the responsibilities of the new office include, among others:

  • Developing, coordinating, assessing and overseeing the implementation of DOD cyber policy and strategy.
  • Overseeing and certifying the DOD’s cyberspace operations budget and providing fiscal and budgetary oversight to U.S. Cyber Command’s $3 billion annual execution with their enhanced budget authority.
  • Monitoring programs and activities associated with implementation of cyber workforce development, recruitment and retention. 
  • Overseeing integration of cyberspace operations and capabilities into operations and contingency plans.
  • Developing DOD cyber policy guidance on private sector outreach, engagement and agreements.
  • Leading the DOD implementation of national-level cyberspace policies.
  • Leading the development, implementation and oversight of cyber-related activities for security cooperation.

President Biden announced last week his intention to nominate Michael Sulmeyer to serve in the new role. Sulmeyer is currently the principal cyber adviser for the Army and has held multiple positions in the Pentagon, Cybercom and National Security Council related to cyber policy and operations.

Until Sulmeyer is confirmed by the Senate, Ashley Manning is serving in the position as the official performing the duties of the assistant secretary.
