Lawmakers expressed concern Tuesday regarding the United States’ ability to deter malicious activity in cyberspace.

“Do you think we’ve done enough over the last four years to deter our adversaries like China and Russia and Iran and North Korea by being essentially in a defensive crouch in the cyber world and not developing offensive plans and capabilities that can hold at risk the things that they hold most dear?” Sen. Tom Cotton, R-Ark., asked Katie Sutton, President Donald Trump’s pick to be assistant secretary of defense for cyber policy at her confirmation hearing.

Sutton would be the second official to hold that role since Congress created it in the fiscal 2023 annual defense policy bill.

“As I think Sen. Cotton characterized it, we’re not going to be able to defend ourselves if we’re in a defensive crouch at all times. We need to have both the capability for offensive cyber, but also I believe we need a stated doctrine,” Sen. Angus King, I-Maine, said. “Everyone in the world knows our doctrine of deterrence in nuclear armaments, for example. People should also understand a doctrine of deterrence that if you attack us in cyberspace, there will be a response.”

King has raised the issue of cyber deterrence, or lack thereof, at almost every cyber hearing before the Senate Armed Services Committee in recent years. He has voiced concern that there isn’t a coherent cyber deterrence strategy. In fact, at a confirmation hearing for now retired Gen. Paul Nakasone to be the head of U.S. Cyber Command seven years ago, King asked the nominee if adversaries feared the U.S. in cyberspace, to which Nakasone answered they don’t.

“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” King told Sutton at Tuesday’s hearing.

For her part, Sutton noted that if confirmed, she would work to make sure the U.S. has the right posture and it is well-articulated.

“The defender has to be wrong every time, [but] the adversary only has to be right once. I think that goes to show that while we need strong defenses, we are not going to deter the adversary with defenses only. And that if confirmed, I will work to strengthen our offensive cyber capabilities to ensure the president has the options he needs to respond to this growing threat,” she said.

In response to written questions from the committee, Sutton noted that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.

“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote. “Under President Trump and Secretary [Pete] Hegseth’s leadership, I understand that DoD is laser-focused on restoring deterrence across all domains, including cyber, and will be assertive in addressing China’s unacceptable intrusions on civilian and government networks. While increasing our offensive cyber capabilities is critical, DoD must also remain vigilant in defending its own networks and critical infrastructure.”

Recent Chinese intrusions into U.S. critical infrastructure have raised concerns among American government and private sector leaders that Beijing could be prepping the battlespace for a potential conflict.

Officials in the Trump administration have expressed their desire to beat back Chinese efforts and develop a more offensive cyber footing.

Experts and officials have acknowledged that deterrence doesn’t have to be tit-for-tat in cyberspace, but senators expressed the need for more public-facing offensive capabilities against malicious activity.

Prior to 2018, the military conducted very few cyber operations. Experts and former officials have noted that there historically has been a risk aversion to conducting offensive ops in response to certain activities because it could be viewed as escalatory — a notion that has been largely disproven through academic research, especially given in recent years cyber activities have been viewed as a less escalatory response than traditional kinetic action.

Cyber Command’s “defend forward” concept — which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks, achieved through persistent engagement and challenging adversary activities daily and wherever they operate — was viewed as a remedy to that inaction. It sought to demystify cyber ops by conducting them consistently to give U.S. forces more reps and demonstrate to senior leaders what they could do.

Some of the authorities that were developed in 2018 by the executive branch and Congress and were foundational to enabling a more offensive posture for Cybercom, deserve a relook, according to Sutton.

“The cyber domain is continuing to evolve and the one constant that I’ve seen in being involved in this domain for over two decades is that the rate of change is exponential. My top priority if confirmed in this role will be to address this change with speed and agility in the department … I believe we’re at a point where we need to reevaluate those [authorities] and make sure that we’re postured to be able to respond to the increasing speed of cyber attacks and that we are able to address the incoming impacts of AI,” she said.

Those authorities include the first Trump administration’s National Security Memorandum-13, which prescribes the process by which cyber operations are conducted and coordinated in the interagency. Lt. Gen. William Hartman, acting commander of Cybercom, told the Senate Armed Services Subcommittee on Cybersecurity last month that that policy has increased the command’s ability to execute cyber operations tenfold.

Another important move previously made was Congress clarifying that cyber is a traditional military activity, clearing bureaucratic and interagency hurdles and allowing Cybercom to conduct critical preparations in cyberspace without a “hot” conflict present.

Sutton also pledge to change the culture around offensive cyber, noting that a decade ago there was hardly any mention of the term “offensive cyber” among U.S. officials. She pointed to the parallel of how the intelligence community would keep vulnerabilities for its own use, but now it seeks to share them more with industry to better defend themselves.

“I think that same culture change needs to happen in how we discuss cyber deterrence,” she said in response to Sen. Tim Kaine, D-Va., who questioned why the Defense Department can’t be more candid in discussing offensive activity more publicly.

“We talk about offensive operations in other military domains — the number of sorties we were flying against [ISIS], we know when there’s a U.S. bombing in Yemen against Houthis, we’re aware of it. But we don’t talk about what we do offensively in cyber very much,” he said. “It ends up making the public very aware that we’re under attack because [of] the news stories a couple of times a year about successful cyber attacks. But the public never hears about our use of the offensive cyber capacity to impose costs on those who are attacking us. Why can’t we be a little more candid with the American public about our offensive use of cyber so that they’re aware that we’re not just playing defense all the time but that we actually have an offensive capacity that we use?”

Part of the reason the U.S. government has been hesitant to discuss offensive cyber more openly is to avoid tipping off adversaries. If a vulnerability is known by the target, it can be patched and cut off as an avenue for attack.

The post Senators press DOD cyber policy nominee to push for deterrence doctrine appeared first on DefenseScoop.

A provision included in the Senate Armed Services Committee’s approved language for the fiscal 2024 National Defense Authorization Act, would mandate the new competition to be steered by the undersecretary of defense for research and engineering through 2025.

“The term ‘detection’ means a technology that can positively identify the presence of generative artificial intelligence in digital content” and the “term ‘watermarking’ means embedding a piece of data onto detected artificial intelligence generated digital content, conveying attribution to the source generation,” the bill text states.

It also notes that identified technologies could support each military department and the combatant commands — and possibly be transitioned into operational prototypes.

Gaining increasing popularity and interest across over the last nine months, generative AI underpins the making of large language models that can generate realistic and high-quality images and videos, sophisticated software code, entirely new datasets and more. The models continue to get more “intelligent” as humans train and use them. 

In a report accompanying their NDAA bill, SASC lawmakers acknowledged how they recognize the “tremendous” possibilities AI offers for breakthroughs that could transform healthcare, education, cybersecurity, defense and scientific research.

“However, the committee is concerned about present and unaddressed challenges to, and from, generative AI, including deepfakes, misinformation, malicious code, and harmful or biased content. These areas must be addressed as generative AI continues to advance and be used in a militarized fashion,” the report noted. 

One of their top areas of apprehension involves the potential outputs and lack of transparency around existing and future capabilities of this type of technology.

“The committee received testimony stating the risks that generative AI presents, including the application of some large models to develop very capable cyber weapons, very capable biological weapons, and disinformation campaigns at scale. Being able to quickly identify and label AI generated content will be critical in enabling real-time accountability, attribution, and public trust in government and Department of Defense systems,” per the report. 

This prize competition lawmakers envision could “provide benefits far beyond the specific technologies delivered, and also provide an opportunity to leverage the widest network of innovation providers possible to unearth new, innovative, or less-well-known techniques to address a less well-understood challenge,” they wrote.

According to SASC’s NDAA proposal, the secretary of defense would need to brief congressional committees on the department’s framework for implementing the competition, within 120 days of the bill’s enactment — and the initial event would be hosted within 270 days after it’s passed. 

Each year by Oct. 1 — until the project’s termination in 2025 — DOD would also need to supply appropriate defense committees with a full report on the results of the competition.

Sen. Angus King, I-Maine, is a key proponent of this provision and a new DOD-led competition to better pinpoint generative AI.

As “a member of the Senate’s informal AI Task Force, and with his experience and expertise as Co-Chair of the Solarium Commission, he saw this as a useful way to have the government’s capabilities be as current and innovative as the private sector’s thinking,” an aide for King told DefenseScoop this week.

Beyond the SASC, others in the government are pushing for solutions as well. The Biden administration’s top cyber advisor recently urged industry leaders in closed-door meetings to consider watermarking to help combat risks of AI-generated disinformation.

A reconciled version of the NDAA must be passed by the Senate and House and signed by the president before becoming law.

The post Senators propose new DOD-led prize competition for tech to detect and watermark generative AI appeared first on DefenseScoop.

Authorities to launch cyber effects have traditionally been held at the highest levels of government, while electronic warfare capabilities have been held at much lower levels on the battlefield.

While U.S. Cyber Command conducts and coordinates the offensive cyber operations at the strategic and operational levels, there has been a blending of sorts among organizations at the tactical level.

However, for the time being, it seems, Cybercom is leaving EW operations — and the closely related radio frequency-enabled cyber operations — to the services to conduct.

“Traditionally, the services had electronic warfare capabilities that they deployed with their forces … It is not part of my command. But again, a lot of the electronic warfare done is done in support of service requirements. They have service forces that do this,” Gen. Paul Nakasone, commander of Cybercom, told the Senate Armed Services Committee in March when asked about the relationship between EW and cyber and who is in charge of coordinating EW.

The worry, at least for one senator, is duplication of effort and how these effects will be coordinated and synchronized.

“I’m concerned that if electronic warfare is scattered among the services, it’s not going to have the attention, for example, that cyber has, because we have Cyber Command. And electronic warfare is definitely going to be part of the conflict whether it’s jamming or disabling satellite communications, those kinds of things. What you’re telling me is … it’s not part of your command and there’s no central command that controls it?” Sen. Angus King, I-Maine, asked Nakasone. “I worry about coordination and duplication, two sides of the same coin.”

Nakasone explained that Cybercom is now beginning to work closely with the other combatant commands regarding synchronization of the battlefield, noting “much in the same way we have tactical forces that assist the services, is there some type of national capability that we might need? And I think that’s something that we have to look very carefully at.”

Following Nakasone’s remarks, Cyber Command declined to offer greater detail regarding its role in electronic warfare, stating through a spokesperson that “the services have electronic warfare capabilities that deploys with their forces. Beyond that, there is no additional context to provide at this time.”

Cybercom has traditionally been focused on strategic, IP-based networks and targets from remote locations. However, as cyber and the electromagnetic spectrum have grown in importance — due to the preponderance of technologies and the sophistication of the threats the U.S. finds itself facing — there has been a convergence of sorts that has taken off at the tactical level.

Some services, namely the Army, but the Marine Corps as well, have developed tactically focused forces to exploit these capabilities, primarily through what are known as radio-frequency effects. These are essentially cyber effects that exploit WiFi or other wireless electronic systems using proximal or close access forces.

Additionally, as military targets are becoming harder to hack into, the Defense Department and the services are looking to combine cyber and electromagnetic effects to gain access to adversaries’ systems through radio-frequency means.

As these capabilities and forces mature, it is expected that these proximal forces could actually gain accesses and pass that off to high-end Cybercom operators remotely to exploit.

Before cyberspace emerged as a warfighting domain, the DOD had already developed an electronic warfare arsenal.

“Before we even thought about cyber, we had EW capabilities. However, due to the realities of digital convergence we need to rethink our approach to how we develop, test and execute these capabilities — as well as the policy and authorities frameworks that allow them to be utilized in a synchronized and integrated manner,” Charles Moore, the former deputy commander of Cybercom, told DefenseScoop.

“As we have developed our understanding of the cyber domain and cyberspace operations, it became obvious that there is a ‘duality’ to the domain … It’s a conduit for information that enables traditional warfighting capabilities and it’s a warfighting domain where you can achieve effects in and of itself.  It’s both things simultaneously. You have to understand this to capture cyberspace’s full potential. Very little of what we traditionally call EW does not rely on the cyber/digital domain,” he added.

The separation of these capabilities from an organizational standpoint has made sense given electronic warfare is done at the very local level while these cyber operations are done remotely, according to Bryan Clark, senior fellow and director of the Center for Defense Concepts and Technology at the Hudson Institute.

But, from a programmatic level, it is really problematic.

“Electronic warfare hasn’t gotten a lot of attention and priority from DOD over the last decade … DOD has not really fundamentally improved its ability to fight on offense, to go on offense in the electromagnetic spectrum. Whereas China and Russia have both improved their own capability,” Clark told DefenseScoop. “I think if you had a champion, like a Cyber Command, to advocate for electronic warfare, the DOD might get better at it. I think we’ve seen with cyber that the fact that Cyber Command is a one-stop shop for cyber capabilities makes them also a really strong voice in advocating for those programs. Whereas with the DOD, it’s all diffuse for electronic warfare. It’s hard for electronic warfare capabilities to get the same level of priority.”

The Pentagon hasn’t fully wrapped its arms around the notion of digital convergence yet, which has led to this stove-piping of capabilities, otherwise there would have been a much different and integrated approach to these capabilities, observers say.

“We wouldn’t still be stove-piping them and looking at them with different policy frameworks, different authorities, and different organizations within the department. We have to have a more holistic and strategic approach,” Moore said.

Clark added that given the divestiture of offensive electronic warfare capabilities across the services after the Cold War — such as jammers for electronic attack — most of the offense in the spectrum now involves cyber.

“Essentially, we’re using the spectrum as an alternative path to get into other people’s networks. That’s actually how offensive operations in the spectrum are done at this point,” he said.

“I think the DOD EW community would be well served by leveraging that and saying, ‘Here’s how we go on offense: we use cyber, we need to be thought of as another arm, basically, of Cyber Command.’ And Cyber Command should embrace that because [in] a lot of cases, opponents have gotten smart. They’ve firewalled their networks off so that Cyber Command can’t reach them from [its headquarters in Maryland at] Fort Meade because they have a standalone network that’s not connected to the internet,” Clark continued. “Cybercom is having to increasingly rely on these RF-enabled systems to actually get access to other people’s network. It would be probably good for both communities to be more open about this as being the way ahead.”

Others have noted that there have been discussions within the Pentagon regarding putting electronic warfare under Cybercom.

Congress has begun to take note of this convergence trend as well. In the most recent annual defense policy bill, Congress is requiring the Department of Defense to develop a strategy for “converged cyber and electronic warfare conducted by and through deployed military and intelligence assets operating in the radio frequency domain to provide strategic, operational and tactical effects in support of combatant commanders.”

These “service retained” forces are a distinction from the cyber mission force, which each service presents to and is owned by Cybercom, congressional language notes.

“Through detailed oversight of the committee, a gap was determined in the operational strategies for fielding emerging RF-enabled cyber capabilities,” James Inhofe, who at the time of the legislation was the ranking member of the Senate Armed Services Committee, said last year. “This provision is intended to ensure that the leadership of the department, combatant commands, and military services mature the strategy and capability development processes for these emerging capabilities.”

Cybercom has invested in electronic warfare capabilities for years. In its fiscal 2024 budget request, it asked for $65.4 million for research-and-development funds that go toward adapting electronic warfare technology and cyber-peculiar capabilities to gain access to target enemy forces.

This particular project will “enhance the open source Open CPI framework that will allow the services and USCYBERCOM to develop Title 10 off-net effects,” the budget documents state, referencing the portion of U.S. law pertaining to military operations.

The post Could US Cyber Command play a larger role in electronic warfare in the future? appeared first on DefenseScoop.