The ability of adversaries to attack in cyberspace with low consequence creates the need to impose friction and leads to the tenets of defending forward and continuous engagement with adversaries in cyberspace espoused in the National Cyber Strategy and the Department of Defense (DoD) Cyber Strategy, said Rob Joyce, senior adviser for cybersecurity strategy to the Director of the National Security Agency (NSA).
“The idea that they get free shots on goal, that they get to keep trying and trying until they succeed, is something we have to counter,” said Joyce, speaking at the Aspen Institute Cyber Summit on Nov. 8.
The discussion at the Cyber Summit focused largely on China and its efforts in cyberspace. On the heels of an agreement between President Obama and China’s President Xi Jinping in 2015, the United States saw a decline in cyberattacks coming from China, but has lately seen that number rise.
“I don’t know that a switch was flipped, but we’ve definitely seen the behavior erode in the last year, and we’re very concerned by those troubling trends,” said Joyce. “It’s clear that they are well beyond the bounds today of the agreement that was forged between our countries.”
As the United States looks to respond to the rise in attacks, Joyce highlighted the ‘Defend Forward’ tenet in the National Cyber Strategy and the DoD Cyber Strategy as a strong option.
“We’ve decided that we’ve got to have one element of our national power be cyber capabilities. Looking at a strategy that says we’re just going to wait until the attacks come to us, and then we’ll defend them at the boundary…that’s not a winning strategy. A piece of this has to be engaging people who are seeking to do things that are illegal or immoral on our networks,” he said.
However, the basics of defense remain the key piece to the Federal government’s approach.
“I think one of the things we’ve suffered from in cyber operations are these movie plot scenarios, where you put in two command lines and the problem goes away and people are deterred forever. Those primarily don’t exist. Just as we’re seeing a constant threat against us, we need to mount a constant defense,” said Joyce. “That includes the basics, of making sure you’ve really defended your network and built it in proper, architected ways, all the way out to using some of these capabilities to address the problem before it comes to us.”
Joyce noted that responding to attacks does not mean a solely cyber-for-cyber response.
“We recognize it is not just a cyber problem. We’re using all elements of the national power to address these, and part of it is the Department of Justice initiatives. There’s always been questions of, ‘why do you indict hackers if they’re never going to be brought to justice?’ I think there’s a great example, just recently, where we were able to work with partner governments to close on an indictment and bring somebody in where they will actually face the penalties for the actions they’re taking. That sends a strong message to the people they’re bringing into these illegal acts,” said Joyce. He later noted, “We rarely respond cyber on cyber.”