As President and CEO of FusionX, Matt Devost focuses on cybersecurity and risk management. Devost told The Cipher Brief that offensive cyber operations should rest exclusively with the federal government.
The Cipher Brief: It seems like there is a lot of confusion about what offensive cyber-operations would look like, with many people picturing a Hollywood-style super hacker causing large-scale chaos with a couple of keystrokes. What do offensive cyber-operations usually look like, and what are the typical goals?
Matt Devost: Fortunately, it is much more difficult to perpetrate the Hollywood-style cyber attack with a sustained impact on critical infrastructure operations than is portrayed in the movies. A well-resourced attacker needs to spend months, if not years, gathering intelligence on a target, identifying an attack surface, and exploiting critical systems just to be in a position to launch an attack. Even if you make it that far, you need the technical knowledge about the infrastructure in order to devise an attack or series of attacks that will cause long-term failure.
Of course, offensive cyber operations aren't restricted to just attacking critical infrastructure with the intent to degrade it. There are many adversaries who are pre-positioning for an attack they might want to launch in the future. I often refer to that phenomenon as "time-shifted intent": they don't have the current intent to target critical infrastructure, but they can envision a future scenario where they might. Given that potential, they are preparing for that contingency today. It is a reality that I've been speaking to for several years and is increasingly acknowledged by senior intelligence officials.
Lastly, offensive cyber operations don't have to include a component of critical infrastructure attack like we see in the movies and can also support the full range of strategic and tactical outcomes, such as intelligence gathering and targeting, counterterrorism, counter-proliferation, etc.
TCB: Does private industry have a role in offensive cyber or should that be the domain of the federal government? Why?
MD: I've always felt that offensive cyber operations should be the exclusive purview of the federal government and, as our laws are currently structured, private citizens or corporations engaging in offensive operations would be breaking the law. Given the global complexities and potential for misattribution and unintended escalation, the offensive domain is unlikely to expand into the private sector operating independent of government authorities. For example, defense and intelligence community contractors will continue to support government offensive operations, but a Wild West vigilante approach in the private sector will not be allowed.
That said, I think you'll see the private sector get much more proactive in blocking traffic on networks they own. We often see disinformation campaigns against attackers who have made it inside the corporation's firewall. For example, an attacker might be presented with a honeypot to provide a false sense of compromise and waste their time, or false data might be planted for an attacker to steal and pollute their decision-making process.
TCB: How has the offensive cyber landscape changed, and how do you expect it to change in the future? What types of capabilities should the U.S. invest in to maintain a competitive edge in this field?
MD: The most significant change in the cyber landscape has been the increased proclivity to actually employ offensive cyber operations. We've been investing in cyber capabilities for 20 years and are finally utilizing those capabilities to a much greater extent, not only in support of existing operations but as ambitious and independent cyber operations. To maintain an edge, the U.S. will have to continue to invest in a full spectrum of capabilities, while also making investments in emerging technologies. This means fully accounting for the shift into areas like wireless, mobile, and mesh networks as well as tracking the impact of technologies like quantum computing.
The most substantial investments, however, won't be in tools, but in people with the appropriate technical skills as well as the creativity and ingenuity to skate where the puck is going to be.
TCB: How does the shortage of professionals with cyber-skills affect the ability of the United States to conduct cyber-operations, if at all? What can be done to alleviate this shortage?
MD: The cyber workforce will be one of the most critical capabilities the government develops. Given the existing shortfall of talent, the government will need to appeal to technologists from external industries as well as develop a set of educational programs and career roadmaps that build capability from within. My guess is you will see a capability that develops in a way that is comparable to special forces, with an exclusive focus on the cyber domain and specialized career tracks. That will include fostering a unique culture for the cyber forces as well.