As the Obama Administration enters its final week, the President’s foreign policy and security legacy is closely tied to two major themes: counterterrorism and cybersecurity. The Cipher Brief’s Fionnuala Sweeney asked Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism about these two critical elements and what she would prioritize for her successor.
The Cipher Brief: Even if the offensives against ISIL in Mosul and Raqqa are successful, can you be certain that ISIL will be less of a threat in the region and beyond? How do you see ISIL changing tactics?
Lisa Monaco: We are leading a Global Coalition of nearly 70 members to deliver a lasting defeat of ISIL. Two years ago, ISIL called out to recruits from all over the world to come to Mosul and Raqqa to participate in their so-called Caliphate. Today, ISIL fighters are under pressure from a complex advance by Iraqi Security Forces in Mosul and Raqqa is increasingly isolated as the Coalition's partnerships have grown in northern Syria. Nearly 50,000 square kilometers of territory once controlled by ISIL have been liberated, and hundreds of thousands of families have returned to their homes in Iraq and Syria. In addition, over 100 ISIL senior commanders have been removed from the battlefield, including most of their original top leadership council. I am confident that because of the comprehensive strategy we have put in place, and the momentum we have sustained, ISIL will be defeated.
Of course, our Global Coalition has always entailed much more than battlefield operations. ISIL represents a hybrid threat – part terrorist army, part insurgency, and part social media phenomenon. We have built a comprehensive strategy to tackle this challenge and keep the American people safe. We must not only empower our local partners to defeat ISIL, but we also need to help make their success stick, stopping another group like ISIL from rising again.
While we believe that ISIL has always maintained the desire to conduct attacks like we've seen in Paris, Brussels, and elsewhere, our ability to deny them safe haven in Iraq and Syria and stop the foreign fighter flow will make it much harder for them to plot attacks. We have also strengthened law enforcement and intelligence partnerships in Europe and elsewhere that have prevented attacks.
But there is still much more work to be done.
ISIL’s propaganda now emphasizes the "do it yourself” style of terrorism – and that's one reason the threat of so-called homegrown violent extremists will be with us for some time. We have over 100 Joint Terrorism task forces across the country that have helped support over 100 prosecutions in the last few years. We have worked with law enforcement, community leaders, and prosecutors to apply new strategies to deal with recruitment and radicalization at home and abroad. We are also addressing ISIL's attempt to radicalize individuals to violence. We stood up the Global Engagement Center at the State Department, which has successfully worked with partners abroad to counter the hateful messages that ISIL puts out to help prevent the recruitment of new extremists. Silicon Valley has also answered the President's call and stepped up to the challenge to deny ISIL's ability to take advantage of their digital platforms. Twitter, for example, has suspended 360,000 accounts due to reports of terrorist related content. This represents an 80 percent increase in such reports. Recently, Facebook, Microsoft, Twitter, and YouTube, joined forces to automatically remove terrorist content matching unique digital fingerprints.
Because of the work of this administration, the Global Coalition has the capacity and the will to address ISIL's shifting tactics. It is critical that, as a nation, we remain united in our efforts to defeat this threat.
TCB: We’re seeing the ground and air offensive against ISIL in Mosul. Have cyber tools been used in the fight? How?
LM: The Department of Defense seeks to deter attacks and defend the United States against any adversary that seeks to harm U.S. national interests, consistent with U.S. and international law. We are using all our tools to deal ISIL a lasting defeat that includes our cyber capabilities.
DoD’s cyber capabilities are being employed to deny ISIL leadership the ability to command forces, control populations, and inspire attacks against the United States and our allies and partners.
American cyber operations are directed towards targets that are clearly connected to ISIL—and calibrated with the utmost precision to minimize potential for collateral damage. Our attention to law and international norms is distinct from behavior we have seen from other actors in cyberspace in the past.
TCB: Do terrorist groups have the capability to launch sophisticated cyberattacks against critical infrastructure? And, if so, how can we apply the lessons previously learned regarding counterterrorism to future attacks in the cyber realm?
LM: The cyber threat is evolving rapidly—becoming broader, more prevalent, and more dangerous. I say “broader” because we’re becoming ever more reliant on information technology, which provides our adversaries a greater “attack surface.” More prevalent, because malicious actors—whether that’s criminal organizations out to make money, hactivists looking to promote their causes, terrorists seeking to recruit and radicalize, or nation states seeking to project power—have discovered that they can use cyberspace and the Internet as an effective tool to pursue their goals. More dangerous, with increasingly aggressive actors like Russia and others being willing to carry out disruptive and destructive attacks—as we saw with Iran’s denial of service attacks on American banks, and North Korea demonstrating its willingness to conduct destructive attacks against both other nation states as well as private sector companies.
One of the key lessons we’ve learned from our counterterrorism efforts has been the importance of sharing intelligence, coordination between federal agencies, and unity of effort. Working off that model, we have stood up the Cyber Response Group—akin to the Counterterrorism Security Group, an inter-agency policy body housed within the NSC focused on our counterterrorism mission—to serve as an interagency body to coordinate cyber operations and response policy. We also created the Cyber Threat Intelligence Integration Center, CTIIC—again akin to its counterterrorism counterpart NCTC—to bring together cyber intelligence to facilitate cyber action the same way that NCTC does for counterterrorism activities. Today, CTIIC provides a common picture of cyber threat activity to policymakers and operators, and it helps ensure that our government cyber centers, law enforcement, and network defenders have the information they need. From its threat summaries to in-depth assessments, CTIIC has become the place that senior policymakers turn for threat analysis. Going forward, CTIIC will be vital to our nation’s cybersecurity mission.
TCB: How does the United States ensure that it assigns accurate attribution to cyberattacks, despite at times being unable to acquire specific and comprehensive intelligence and information, while also ensuring that it responds appropriately and proportionally?
LM: We have improved our ability to attribute cyberattacks. And we have employed a framework that entails using all elements of the IC and law enforcement to investigate and identify the actor(s) involved—working with the private sector too.
When we have confidence in the attribution and can be confident that revealing the source of the incident won’t compromise our national security—for instance, by divulging sensitive sources and methods for gathering intelligence—and assess that public attribution will advance, rather than hinder, our national interests—we have done so. We then ensure we consider all elements of national power in response. We’ve employed this framework repeatedly over the last few years and have not strayed away from identifying malicious cyber activity, the actors who are doing it, and imposing costs using a range of tools. We’ve been clear that malicious cyber activity does not receive a free pass.
TCB: How should the government partner with entities in the private sector to ensure safety and security in cyberspace, including but not limited to the protection of information and effective responses to cyberattacks?
LM: We have a comprehensive and constructive partnership with the private sector, particularly when it comes to protecting our critical infrastructure, the vast majority of which is owned and operated by the private sector. There are really three parts to this partnership.
First, we work together to raise the level of cybersecurity across the nation's digital ecosystem. In 2013, we convened experts from industry, academia and civil society to create the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which has become the gold standard for cybersecurity risk management, and have worked to expand its usage across the private sector. We have encouraged the formation of information sharing and analysis organizations, worked with Congress to enact tailored liability protections for private sector entities that share threat information with the government, and took steps to automate information sharing. We also launched public campaigns to promote cybersecurity awareness among consumers, including the “Lock Down Your Login” campaign encouraging consumers to better secure their identities online. We have given consumers more tools to secure their financial future by assisting victims of identity theft, improved the government’s payment security, and accelerated the transition to next-generation payment security. Finally, the President created the Commission on Enhancing National Cybersecurity to make recommendations for actions the Federal government could take over the next decade to strengthen cybersecurity in both the public and private sectors and bolster partnerships between the government and the private sectors. The Commission delivered those recommendations back in December.
Second, we partner with the private sector to disrupt malicious activity using network defense and law enforcement tools. So, for example, we’ve conducted a number of successful efforts to dismantle or take down botnets.
Third, we work together to respond to incidents when they occur. The directive President Obama signed in July, PPD-41, clarified the roles and responsibilities of Federal agencies in responding to significant cyber incidents by establishing a framework for how the federal government will coordinate internally and engage with the private sector in responding to significant cyber incidents. And I think that framework will be very useful going forward.
TCB: You most likely will be stepping down soon from this position. What advice would you give your successor?
LM: I’d tell my successor to stay focused on the very complex and wide-ranging array of threats that we face. It’s everything from terrorist threats, cyber threats, to emerging infectious diseases—and lots in between. It's an extremely complex environment in which we're operating, and I expect to be walking my successor through that landscape.
TCB: How would you assess the threats against the United States, and what are the three most critical problems/issues threatening the United States that your successor will have to drill down on immediately?
We face a complex array of threats—from terrorist and WMD to cyber threats to emerging infectious diseases and the intersection of technological advances across all these issues that pose both opportunities and risks.
When it comes to the terrorist threat, the President has directed us to stay vigilant and ensure that we are best postured to defend the homeland and partners against ISIL, al Qaeda, and other terrorists. The President has directed us to put ISIL on a path to lasting defeat—though we recognize that the next administration will need to carry forward this counterterrorism campaign to ensure ISIL cannot seek to regain a foothold in the aftermath of the Mosul, Raqqa, and Sirte campaigns. These days, we are particularly concerned about homegrown violent extremists who can strike with little or no warning and pose new challenges for the law enforcement and intelligence communities in identifying and disrupting potential threats. Our concerns that violent extremists could be inspired to conduct attacks inside the U.S. have not diminished. Constructive engagement with communities who are key to addressing the challenge may very well become a bellwether for success against this new kind of threat.
Dedicated men and women across the counterterrorism community—and across two administrations since 9/11—have worked to keep the country safe from a range of threats. The Obama administration has strengthened and enhanced structures in the decade and a half since 9/11 and approached this fight in a way that is durable and sustainable, taking care to institutionalize policy approaches so that the United States can continue to prosecute this mission in an effective and transparent manner.
At the same time, in the nearly four years that I have been in this position, I’ve found that cyber threats have consumed a greater and greater portion of the President’s morning briefing. I’ve been struck by the breadth of the threats that we’re facing—against the U.S. government, against the private sector. The range of actors that we are concerned about has grown, from nation-states, like Russia, Iran, China, North Korea, to non-state actors, to hacktivists, to your garden variety of criminal actors. And we’re seeing them employ a wide range of tactics across an ever growing attack surface called the Internet of Things. So when I think about the most critical issues my successor will face, cyber is at the top of the list.
Luckily, we’re not standing still when it comes to the cyber threat. Just as we have further developed institutions in the counterterrorism space, we have done the same in cyber as well. CTIIC, as I mentioned, was created by President Obama in February 2015 to help the U.S. government build understanding of foreign cyber threats to U.S. national interests to inform decision-making. It further integrates our understanding of these threats, embodied in an intelligence report produced several times a week, that is the go-to product for operators, analysts, and policymakers at all levels who want a quick grasp of the cyber threats that deserve attention. And rather than lapse into technical jargon, CTIIC puts new information in the context of the larger story, and they explain the activity in a way that makes the information accessible but still informative to a technical audience as well.
So that’s one critical asset as we work to confront the growing threat of cyber, and I’m sure the government will continue to evolve and strengthen our approach to various transregional threats in the coming years.
I’d also be remiss not to mention another area in which we’ve invested so much time and effort—addressing the outbreak of diseases before they have the potential to become epidemics. The world is familiar with U.S. leadership and efforts to stamp out Ebola in West Africa, which, all told, probably saved tens of thousands of lives, if not more. And we're helping to save countless more through our Global Health Security Agenda, a partnership we founded that now includes dozens of countries and international organizations that partner with us to address disease outbreaks early before they become epidemics.
There’s no question that there are a lot of serious challenges out there, but the United States has always proven itself up to the challenge and must continue to lead the world in addressing these shared threats for the future.