Cyber is the New Weapons System of the Future

| Walter Pincus
Walter Pincus
Senior National Security Columnist, The Cipher Brief

Pulitzer Prize Winning Journalist Walter Pincus is a contributing senior national security columnist at The Cipher Brief. He spent forty years at The Washington Post, writing on topics from nuclear weapons to politics.  He is the author of Blown to Hell: America’s Deadly Betrayal of the Marshall Islanders (releasing November 2021)

OPINION — “Right now, the offensive side has all the capability and we on the defensive side have got to run a new defense.”

That was John Sherman, the Defense Department’s Acting Chief Information Officer (CIO) when asked what keeps him up at night during a House Armed Services Subcommittee hearing on Information Technology and Cybersecurity on Tuesday, June 29, 2021.

“We are going to run a new defense,” Sherman said, “and it’s going to involve making it about the data in the systems as well as artificial intelligence (AI); how we can bring that [AI] to bear so we don’t segment ourselves and have-to-have tens of thousands of defenders doing the work that a set of AI algorithms [can do].”

Sherman is no amateur on the subject. He was the Intelligence Community’s CIO where he introduced advancements in cloud computing, cybersecurity and interoperability capabilities. Before that, as a CIA Deputy Director, he built up the agency’s Open Source Enterprise.

That same day, June 29, Gen. Paul M. Nakasone, the director of the National Security Agency and head of U.S. Cyber Command described in specific terms the challenge ahead. Speaking virtually to the WEST 2021 Conference of the U.S. Naval Institute and Armed Forces Communications and Electronics Association, Nakasone said, “The scope of what we need to defend and protect has dramatically expanded.” He described the Defense Department’s information network as composed of 15,000 sub-networks, 3 million users, 4 million computers, 180,000 mobility devices, 84 different Defense Department-run internet access points, and 605 million website requests a day.

“We used to think about cyberspace as merely the need to protect these computer networks,” Nakasone said. “And while it’s a good place to start, the attack surface is much broader. We need new ways to keep it safe.” For example, he described the need to now protect Navy and Marine weapons systems and the ability to get them new software updates even when ships are out on months-long deployments.

Sherman told the House panel, “Cyber security is my top priority as CIO, along with modernization.” He said that while the fiscal 2022 budget lists $5.5 billion for cyber security, “there’s more in the budget that we ought to be able to reflect,” such as computer protection programs purchased from vendors. “Software capabilities and networks are also critical to our success,” he said. “[We] will release a software modernization strategy later this summer that builds on already developed guidance. We are dedicated to delivering resilient software capability at the speed of relevance.”

The Cipher Brief hosts private briefings with the world’s most experienced national and global security experts.  Become a member today.

When asked about current risks, Sherman said, “The main priorities are all being answered in the President’s budget, but we do have some risk areas.” He singled out weapons systems and critical infrastructure, “recognizing that our adversaries are going to be coming after those two.” Moving beyond just the Department of Defense Information Network, which is under his charge, Sherman said, “Looking at weapons systems and elsewhere…because some of these programs were started in the [19]90s when cybersecurity was in a different place, we have a better way to come at this type of area where we’re carrying some risks that I want to do a better job of working with our colleagues in the Department,” mentioning Gen. Nakasone specifically.

Toward the end of the hearing, Rep. Scott Franklin (R-Fla.), a veteran with 26 years as a Navy pilot, brought up the subject of accountability around cybersecurity. “In the physical domain,” Franklin said, “a commander would be held accountable if he or she lost equipment or mishandled it. To what extent do you believe commanders are held sufficiently accountable for not caring for DoD information systems in their care?”

Sherman described that responsibility as “an evolving area” which he, as a former Army officer, felt passionate about. “If you roll out of a motor pool without proper ammunition or fuel on your [Bradley] fighting vehicle, or push a ship off the dock etRcetera, you’re held accountable for that. Part of it is how we can ensure there is instrumentation and that the commanders and the ship drivers and the maneuver commanders know what’s going on – on their weapons platforms. So, if there’s going to be accountability on this, we’ve got to be able to monitor what exactly is going on there.”

Sherman said the subject is being looked at. “We have brought this up to our leadership and have some work to do on it,” he added.

“I agree,” Franklin said, “From a Navy standpoint, it’s always been known that the captain is ultimately responsible. It doesn’t matter if he or she is on the bridge if the ship goes aground. You’re relieved of command and, at some point, we’re going to have to understand that the potential damage from cyber intrusions are going to be just as serious as those.”

At the same time that Sherman and Nakasone were focused on cyber defense, the Defense Advanced Research Agency (DARPA) was receiving proposals for feasibility studies on two innovative AI offensive information warfare systems to combat what is called “digital authoritarianism,” a term that describes an authoritarian regime’s use of technology “to surveil, repress, and manipulate domestic and foreign populations.” At least, that was the description given by Josh Baron, a DARPA Information Innovation Office Program Manager, in his June 8, Defense One article.

Join The Cipher Brief for an exclusive expert briefing on The Cutting Edge of Artificial Intelligence & National Security on Monday, July 12 – 1:30p – 2:30p ET featuring experts from the CIA, NSA and NGA.  Register today.

One DARPA program is called Measuring the Information Control Environment, or MICE. It wants to develop artificial intelligence technology to “measure how digitally authoritarian regimes repress their populations at scale over the internet via censorship, blocking, or throttling,” according to a DARPA proposal made public June 1. The proposal said, “There is a need for real-time, comprehensive tools that establish ground truth for how countries are conducting domestic information control. This capability would enable the Department of Defense to strengthen existing United States Government efforts to help curtail repressive actions in cyberspace by either raising awareness (and establishing norms) or by the development of tailored capabilities to combat these repressive actions.”

The second DARPA proposal is to study the feasibility of Mobile Anti-Totalitarian HumaNets (MATH), the purpose of which is to use smartphones to disseminate information within highly censored environments where speed of message delivery is not of primary importance.

A HumaNet is an unmonitored and fully decentralized smartphone-to-smartphone message delivery network that is resistant to surveillance and blocking, albeit at a cost of significant delay. It exploits smartphone capabilities and human behavior to create decentralized networks where a sender routes a message towards a receiver based on pre-determined places and times that the receiver is likely to be located.

DARPA used two examples to show situations where a MATH would be useful. One was described as “messaging by military personnel seeking rescue from behind enemy lines where conventional communication might enable identification, geolocation or time correlation and put the individual at risk for capture…” The other was where there was a need for “creating a decentralized service enabling sharing of information that totalitarian regimes would otherwise suppress.”

On both offense and defense, cyber is becoming the weapon system of the future.

Read more expert-driven national security insight, perspective and analysis in The Cipher Brief

The Author is Walter Pincus

Pulitzer Prize Winning Journalist Walter Pincus is a contributing senior national security columnist for The Cipher Brief. He spent forty years at The Washington Post, writing on topics from nuclear weapons to politics.  He is the author of Blown to Hell: America's Deadly Betrayal of the Marshall Islanders (releasing in November 2021)  He also won an Emmy in 1981 and the... Read More

Learn more about The Cipher Brief's Network here.


Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *

One Reply to “Cyber is the New Weapons System of the Future”
  1. One of the biggest issues we have is right now across the InfoSec community, the average hacker has less than 10 years experience and a really immature and disconcerting issue of distraction by what i call “non issues” things like spending time on having terminology of linux changed because you read the new google handbook on inclusivity in servers. Which is time better spent, helping support the national security posture in your spare time or rallying other hackers and protesting that DNS is racist because it uses a master/slave configuration to “bind” a name to a number.. Traditional school and game theory while help with creation of solutions on the fly, the only way you’ll know how and when to adapt your payload because the active threat is sanitizing your path is to go through it, I find myself head to head with foreign threat actors all the time in dark corners of the internet, the longer I can distract teams of hackers keeping them focused on me while I troll them mercilously and run my list in my head of all accounts I care about and verify my security , the longer our teams from CISA and The Private sector have to make sure critical infrastructure and systems are patched and protected…

    There are two great technologies that will certainly help this in exponential ways, one of them I built AhuraAI we ran our Alpha test at Harvard which had amazing reaults, using the Ahura system we can accelerate the learning process buy up to 12.5X only limited by current GPU flaws, imagine if we added Ahura into DoD SkillBridge ( up skill and reintegrate warriors to civilian life and jobs with a drastically smaller gap between service and private, we could use professionals with military experience in infosec right now.

    the other program is an AI that darpa was overseeing the initial build of part with the DoD, for the life of me I can’t rembert the program name, it will essentially hack along side you and operate kinda like your real-time battle buddy to support you and make sure you are covered.

    We sure could also use some Mental Health telemedicine app access like to keep it all together after battling for 70+ hours straight at the keyboard because CiSA activated CERT after a Chinese security researcher accidentally on-purpose released a critical CVE proof of concept script into the wild and left it just long enough to go viral, just hours before the 100th anniversary of the CCP party causing chaos around the world while Xi stood on stage and basically declared war on Taiwan. I love orchestrated accidents.

    I say this on twitter and like 80% of the infosec community is sympathetic to the CCP and china as a whole, wish I had an answer to fix that lack of patriotism, makes my heart hurt.