JUNE 24, 2019

War of the Web Cyberattacks are the new reality and the U.S. is ill-prepared MEGAN SCULLY ||| THE COMMON DEFENSE

From Top to Bottom, Cracks Are Showing in Our Defense

ark Esper was Carolina and Tom Cotton of Trump’s short list for the job with its standardized pay and President Donald Arkansas, both veterans; former has become, well, so incredibly incentive system, is struggling M Trump’s third pick Sen. Jon Kyl of Arizona, a leading short at a particularly precarious to compete with the private for Army secretary. Now he’s voice on nuclear issues; and re- time for the nation’s security. sector for the best talent in this suddenly the commander in tired Gen. Jack Keane, a former Most imminently, war with arena, Patrick Kelley writes, chief’s second acting Defense Army vice chief who has become Iran looms as a distinct possi- a worrisome fact that makes secretary this year, and third a fixture on Fox News, Trump’s bility. But, as this week’s cover it even more difficult for the Pentagon chief in Trump’s two favorite cable news network. package illustrates, the threats United States to compete. and a half years in office. When Shanahan bowed out go far beyond Tehran. And the A common phrase around the The West Point grad and Gulf last week, Esper was the obvious United States, frankly, is woe- Pentagon is that you can’t turn War veteran certainly checks — and perhaps only — choice. fully unprepared. an aircraft carrier around on a all the traditional boxes for the dime. Of course, the muscle of top Pentagon job. He’s a former America’s military allows it to congressional aide, Pentagon Instability in Pentagon leadership is only deter direct attacks and serve as official and defense industry the world’s policeman. But what executive. And by all accounts, the most visible challenge we face today good is it to simply outspend he’s made a solid name for him- adversaries when they aren’t self as the Army’s top civilian, “I don’t know him well. I’m As John M. Donnelly and wedded to the old ways, tied impressing Democrats and Re- not surprised by that being Gopal Ratnam write, China is to multibillion-dollar weapons publicans alike on Capitol Hill. the interim choice, I think it’s playing a long strategic game of systems with built-in political But his rapid rise from third- fine,” said Sen. Kevin Cramer, information warfare while the constituencies on both Capitol choice service secretary to the R-N.D., in what could hardly be United States fumbles to come Hill and in the Pentagon? very top of the massive defense described as a ringing endorse- up with a cohesive cyber strategy Our adversaries have the bureaucracy underscores a ment. “But it remains to be seen to counter these digital threats. luxury of thinking 10 steps bigger problem for an admin- whether he gets the nod, I guess, And it’s not just China. Rus- ahead while the United States istration that has struggled to for the permanent position.” sia, North Korea, Iran and even remains mired in an archaic attract interested and willing None of this means Esper is terrorist groups have realized planning system. In a rapidly candidates for the typically a bad choice for the job. Indeed, America’s weaknesses and are changing age of bits and bytes, coveted Cabinet spot. House Armed Services Chair- exploiting them. Information the expanse and expense of Patrick Shanahan, the man Adam Smith — hardly a operations and cyberattacks our gold-plated military — not department’s former deputy fan of the president’s — wasted have grown in recent years — in to mention the burdensome secretary who served as its act- no time praising Esper’s “track numbers, sophistication and bureaucracy that goes with it — ing chief for six months, wasn’t record of public service” and the damage they have wrought, can be more of a hindrance than exactly a big name in defense urging Trump to make the deci- Donnelly and Ratnam write. a help. circles prior to his appoint- sion more permanent. The United States, mean- That, perhaps more than ment to the Pentagon. Trump “Our national defense while, is stuck in its old habits. anything, will be the biggest ultimately announced his intent needs a confirmed Secretary of The slow churn of the Penta- challenge for the next Defense to nominate the former Boeing Defense as soon as possible,” gon bureaucracy simply can’t secretary. Is Esper up for it? He executive in May, after several Smith said in a statement last keep up with our more nimble very well may be. But it would other higher-profile (and argu- week. “We face a number of ex- competitors, Andrew Clevenger certainly be nice to have more ably more qualified) candidates tremely complicated challenges writes. And the government, than one candidate for the job. said they just weren’t interested. around the globe and it is in That list reads like a Who’s our best interest as a country to Who of GOP hawks, the very have stable, predictable leader- people who would normally vie ship at the Pentagon capable of for the secretary’s Pentagon withstanding internal political Analsysis by Megan Scully, E-ring office. They include pressure.” defense editor for CQ Roll Call. Sens. Lindsey Graham of South But it’s troubling that [email protected]

CQ | JUNE 24, 2019 5 SPECIAL REPORT: DEFENSE

14 JUNE 24, 2019 | CQ SPECIAL REPORT: DEFENSE Virtually Defenseless The national security establishment is woefully unprepared for the new era of cyber-warfare

By JOHN M. DONNELLY and GOPAL RATNAM

LAST FALL, WHEN THE NAVY was ex- grab the data on weapons systems,” Bayer amining gaping holes in its cybersecurity, says. “If you play Go, you want to grab the Of- its outside consultant leading the project or- fice of Personnel Management background dered his team to learn the ancient Chinese files on everybody,” referring to a 2014 hack strategy game Go. orchestrated by Beijing. In that board game, two players place black In the long game of information warfare, and white discs one by one onto a grid. The old strategies lose meaning. The battle is not players then slowly try to encircle each other in one region or another or over a particular until the victor completely envelops the los- time frame; it is everywhere and forever. The er’s pieces. traditional distinctions between civilian and The point, says Michael Bayer, the veteran military lose meaning because defeat in one Pentagon adviser who ran the Navy’s review, jeopardizes the other. The United States is, was to show that China and other foes are en- quite simply, playing the wrong game. circling and exploiting America’s weak flanks “I believe we are in a declared cyberwar,” rather than directly challenging its conven- Bayer says. “It is aimed at the whole of society tional military strengths. and the state. I believe we are losing that war.” Meanwhile, he says, American policymak- China, Russia, North Korea, Iran and ers tend to think in checkers or chess terms, even terrorist groups have for years been directly attacking an opponent. The Chinese waging — and, experts say, winning — con- play both games, but westerners generally do flicts in the so-called “gray zone” just below not know Go. the threshold that would trigger a U.S. mil- “If you play checkers or chess you want to itary response. A 2016 Pentagon report de-

CQ | JUNE 24, 2019 15

iStock SPECIAL REPORT: DEFENSE

fined it as “not yet war but not quite peace.” erwise disguising what is being done and by In the gray zone, two modes of fighting whom. The U.S. government also disguises dominate. The first, information operations, Cyberattack definition: its actions on many occasions. constitutes everything from broadcasting The need to cover up identity is why Rus- propaganda to using social media for spread- Cyberassault (n) sia has covertly conducted assassinations in ing information or misinformation. The sec- A cyberattack comes in many other countries and employed so-called “lit- ond tool is cyber. forms, and the goals vary too. tle green men” — paramilitary forces out of In these two realms, the U.S. military and Attackers’ goals may comprise Russian uniform — as they fought in neigh- civil society are virtually unprotected and will attempts to: boring Crimea. be for years, Pentagon experts have reported China, for its part, has used commercial — steal critical data and intellectu- in the last two years. fishing boats to overwhelm other countries’ al property; Kenneth Rapuano, the Pentagon’s assis- coast guards, among other guises. tant secretary for homeland defense and — force a victim to pay ransom to Nowhere is gray zone activity more intense global security, says the U.S. military is re- recover data that is encrypted by — and the perpetrators less identifiable — sponding to the challenge in cyberspace. hackers; than in the ether, because the barriers to entry But by most accounts, while America’s cy- — enable undermining of critical for cyber warriors are low and the possibility ber warriors have stepped up their attacks in infrastructure such as electrical of acting undetected is higher. the last year, including in Russia, the ability to grids or uranium-enrichment. “How can you effectively do deterrence defend U.S. networks has not kept pace. With- by punishment or deterrence by denial if you out a strong defense, offensive attacks can be can’t attribute a cyberattack and clearly con- invitations for disaster instead of deterrents. nect the dots to North Korea or Russia or Chi- And numerous experts say America’s na?” asks Gallagher. ability to fight offensively or defensively in compares this to a parasite that constantly But attribution is a double-edge sword, cyberspace is inadequate, with the required saps its host — but not so much as to trigger a says retired Army Gen. Keith Alexander, who focus, leadership and strategic thinking all full-scale white-blood-cell counterattack. headed the National Security Agency and woefully wanting. Thomas Modly, the Navy undersecretary, the U.S. Cyber Command. If the U.S. govern- “While we have made progress, it would thinks the Navy review got the cybersecurity ment were to provide clear attribution in all be fair to say we have a long way to go,” says problem right. cases, adversaries would use that knowledge Mike Rounds, the South Dakota Republican “Our vulnerabilities may make it so debil- to escape detection in the future, he says. “So who chairs the Senate Armed Services Sub- itating for us that we may not be able to get you end up with that kind of Catch-22.” committee on Cybersecurity. off the pier in San Diego if we had a major The military’s torpid response has been conflict,” Modly says. “This is not just a Navy Mounting Problem caused by bureaucratic inertia, the political problem. This is a national problem.” Information operations and cyberattacks dominance of traditional weapons and mili- Numerous experts — including Wisconsin in the gray zone have grown in recent years tary organizations, the distraction of the post- Republican Rep. Mike Gallagher, co-chair- — in number, sophistication and the damage 9/11 wars, and a failure to comprehend the man of the Cyberspace Solarium Commis- they have wrought. cumulative damage that was occurring and sion, a bipartisan panel created in May to China’s 2018 attack on a Navy contractor how rapidly modes of warfare were changing. study competition in the infosphere — call for gave that country access not just to details of a “We need to have the bombers and planes a nationwide public awareness campaign. key new anti-ship missile known as Sea Drag- and missiles to make sure we can defend the “Ultimately our success or failure in cyber on but also much of what the Navy knows country in a conventional conflict, but we also will come down not to algorithms or technol- about China’s maritime capabilities. need to face the reality, and gray zone conflict ogy but to human beings,” says Gallagher, It was the latest in a long series of hacks by is happening now and will continue to go who noted that he was not speaking for the China, which has reportedly stolen data on forward,” says Jim Langevin, the Rhode Is- commission. “Everyone who has a cellphone F-35 fighter jets, Littoral Combat Ships, U.S. land Democrat who chairs the House Armed in their pocket is in some ways on the front antimissile systems and drones operated by Services Subcommittee on Intelligence and lines of a geopolitical competition.” multiple U.S. military services. Emerging Threats and Capabilities. The broader U.S. economy has lost $1.2 The United States needs the kind of spur The Gray Zone trillion in intellectual property pilfered in cy- to action that came after Japan attacked Pearl America’s reluctance to use force, especial- berspace, according to the National Bureau Harbor in 1941; after Russia launched Sput- ly against nuclear-armed foes, and the coun- of Asian Research, a nonprofit group. The nik, the world’s first artificial satellite, in 1957; try’s reticence to violate human rights, despite Navy’s review team assessed that figure to be or when al-Qaida attacked New York and some exceptions, restrain it from reacting too an understatement. China has done most of Washington in 2001, several top analysts say. strongly — and U.S. adversaries know it. the damage. But America’s adversaries, mindful of this U.S. foes further reduce their chances of Russia has stolen and hacked in cyber- history, have stayed in the gray zone. Bayer suffering retaliation by using proxies or oth- space, too, but it has specialized in a massive

16 JUNE 24, 2019 | CQ George Frey/Getty Images Frey/Getty George DATA BREACH: China has reportedly stolen data on the F-35 fighter jet, such as this one at Hill Air Force Base in Ogden, Utah. information warfare campaign to influence Countries that have sophisticated offen- Yet without effective cyber-defenses, more U.S. elections by sowing dissent and planting sive cyber tools often are not prepared to de- aggressive overseas operations could come lies in U.S. social media circles. fend themselves in cyberspace, says Alexan- back to bite the United States, experts warn. In the most famous instance, Russian in- der, now CEO of cybersecurity firm IronNet. “Defense is a necessary foundation for telligence agents broke into the Democratic In the case of the United States, “I think offense,” the Defense Science Board, a Pen- National Committee computers in 2016 and we are making gradual moves toward that, tagon advisory panel, said in a report last disseminated stolen information. They also but I think there needs to be more,” he says. summer. “Effective offensive cyber capabili- attempted to break into election systems in “I believe it’s the government’s responsibil- ty depends on defensive assurance and resil- 21 states, gaining entry to at least seven of ity under the Constitution for common de- ience of key military and homeland systems.” them. Kremlin-backed operatives mounted a fense. Period.” social-media influence campaign to confuse The U.S. government shouldn’t distinguish Defenseless Defense American voters, tactics they have perfected between critical and non-critical sectors The Navy cybersecurity review, which was against former Soviet satellites such as Esto- when it comes to defending against cyberat- made public in March, was unsparing in its nia, Georgia and Ukraine. tacks, he says. criticism of the Navy, but the dramatic cri- North Korea, meanwhile, famously hacked To be sure, the United States is increasing- tique applies to the entire national security Sony Pictures in 2014 and stole company ly hitting back. establishment. Indeed, the report is a nation- data, according to U.S. officials. Iran, mean- On June 11, National Security Adviser al call to cyber arms. while, is widely believed to have been behind John Bolton publicly stated that the U.S. has Protecting information systems is not just a 2017 cyber assault on Aramco, Saudi Ara- stepped up its offensive cyber-assaults since one of the Navy’s many challenges, the Navy bia’s national oil company, among other so- last year, when President Donald Trump review team said, it is the main challenge — phisticated hacks. loosened restrictions on such campaigns. an “existential threat.” U.S. government computers aren’t im- Bolton said they would keep up “in order to As the Navy prepares to win “some future mune to such attacks. Out of 330 confirmed say to Russia, or anybody else that’s engaged kinetic battle,” the report said, it is “losing” data breaches in 2018 in U.S. federal, state in cyberoperations against us, ‘You will pay the current one. Defense contractors contin- and local governments, two-thirds were a price.’ ” ue to “hemorrhage critical data.” The Navy believed to be espionage by foreign govern- Four days after Bolton’s remarks, The New was No. 1 among 59 government depart- ments, Verizon reported in May. York Times reported that the United States, ments in the amount of its information found Even the Islamic State, or ISIS, has used in a classified operation, had penetrated Rus- on the so-called darknet, where criminals hacking and social media to great effect in sia’s energy grid not just with reconnaissance trade data. proselytizing for its so-called caliphate in Iraq probes but with malware that, if triggered, The current situation is the result of a and Syria. could disrupt Russia’s electrical systems. “national miscalculation” about the extent

CQ | JUNE 24, 2019 17 SPECIAL REPORT: DEFENSE

to which the cyber war is upon us, the re- 2017 that a second U.S. military that is truly nuclear use — assuming that U.S. nuclear port adds. cyber-secure be created as soon as possible, capabilities are sufficiently resilient,” the re- The threat, it says, is “long past the emer- because the one America has will not neces- port said. gent or developing stage.” The current phase sarily work. James Gosler of Johns Hopkins Applied should be known as “the war before the war,” A cyberattack on the military, the science Physics Lab, an author of this and other the report says. “This war is manifested in board said, “might result in U.S. guns, mis- cyber reports from the science board, says ways few appreciate, fewer understand, and siles, and bombs failing to fire or detonate the conclusions still stand, though he notes even fewer know what to do about it.” or being directed against our own troops; progress in addressing the problem over the Notably, the review team found that the or food, water, ammo, and fuel not arriv- past two years. vaunted U.S. military’s systems for mobiliz- ing when or where needed; or the loss of “Across U.S. society, we have a way to go ing, deploying and sustaining forces have position/navigation ability or other critical to get to where we have sufficient confidence been “compromised to such [an] extent that warfighter enablers.” — and the other guy does not have sufficient their reliability is questionable.” And if civilian and military attacks both confidence — that their measures will work,” The U.S. economy, too, will soon lose its occurred, the science board experts wrote, Gosler says, stressing that he is not speaking status as the world’s strongest if trends do not it could “severely undermine” the U.S. mili- for Johns Hopkins or the science board. change, the authors wrote. tary’s role at home and abroad. Rapuano, the Pentagon assistant secretary The Army and Air Force did not do simi- If cyber defenses are lacking, U.S. leaders who focuses most on cyber, says U.S. adver- larly sweeping reviews, but the Navy’s results not only will lack confidence in the reliabil- saries have “succeeded in waking up the gi- are being applied across the Defense Depart- ity of their offensive weapons but will also ant” that is the United States. ment. Army and Air Force spokesmen stress worry that any U.S. offensive response could The Pentagon, he says, is trying to imple- that they take cybersecurity seriously by trigger a potentially debilitating cyber coun- ment “as a matter of top priority” the Defense regular system evaluations, recruiting more terattack — one for which they have inade- Science Board recommendation to ensure cyber personnel and using emerging technol- quate defenses. that at least part of the military is at the high- ogy such as machine learning. The report chillingly warned that doubts est level of cyber readiness, starting with nu- about U.S. defense capabilities could cause clear weapons. Military Within a Military? a president to more quickly turn to nuclear Moreover, top Pentagon officials convene Nonetheless, to put it bluntly, the U.S. mil- weapons. weekly meetings to discuss progress at imple- itary and civil society are all but completely “If U.S. offensive cyber responses and menting cyber initiatives, Rapuano says. vulnerable to a cyberattack — by China or U.S. non-nuclear strategic strike capabilities “What you’re seeing is a consistent and Russia, in particular — so much so that the are not resilient to cyberattack, the President continuous turning of the screws in terms of Defense Science Board recommended in could face an unnecessarily early decision of pressurizing cyberspace as one of the highest priorities of the department,” he says. But Rapuano acknowledges there is much work to be done and says the Defense De- partment is in the middle of a transition that cannot occur overnight. “It’s challenging to integrate a whole new domain of warfare,” he says. “It’s still very novel. We’re in the early days of understand- ing cyber doctrine and operations. Cyber and other advanced technologies are changing the character and composition of warfare.” Rounds, of Senate Armed Services, says a recent presidential order and changes in the defense authorization law have made “a world of difference” in enabling U.S. cy- ber warriors to take the fight to the enemy overseas instead of merely blocking punch- es at home. Still, Rounds says, among the military’s do- mains — air, land, sea, space and cyberspace — the latter is “the weak point” and the one ELECTION INTRUSION: where the United States is “most challenged.” Wikileaks founder Julian Assange leaked emails “Our adversaries are very, very good,” hacked from Democrats. Rounds says.

18 JUNE 24, 2019 | CQ People Power Power in cyberspace is a function not so Progress Against Cyber Threats much of hardware or software as of human beings, experts say. People can be either the ultimate weakness or the biggest strength. n the last several years, Washington has begun to grapple with challeng- If the Chinese want to find and exploit es in cyberspace. Numerous experts call the moves necessary but not frailties in U.S. defenses, they can do it by sufficient. Without bipartisan support, positive steps will not gain traction, they say. “turning” just a handful of the millions of I Americans who have contact with classified Recent defense authorization bills have required testing of weapons and crisis response scenarios, assessments of threats and responses, greater or sensitive data. reporting to Congress on cyber-operations. The National Defense Authori- That is why China’s two major 2014 hacks zation Act now includes cyber among the major domains of warfare. into the personal information of more than The changes “have to survive administrations,” says James Gosler of the 22 million people — federal workers, contrac- Johns Hopkins University Applied Physics Laboratory, a longtime cyber tors, family and friends in Office of Personnel adviser to the Pentagon. Management databases — is worrisome. “Otherwise, every four years or so, you have to start over again. And if we People are also a weakness in that the lack do that, we’re probably losing ground at a rapid pace,” of cyber hygiene by just one employee of the government — or even of a small subcontrac- that are still ongoing to imple- SELECTED MILESTONES: tor who has difficulty affording the most thor- ment classified “cyber posture 2013: ough cybersecurity — can be the entryway for review.” ž U.S. director of national intel- a cyber break-in with strategic consequences. ligence lists cyber threats for žFall: In Operation Synthetic Auditors have repeatedly found that major the first time as the top threat in Theology, U.S. Cyber Command weapons such as antimissile systems have annual congressional testimony sends cyber-experts to Mace- been exposed to cyberattacks because of a on worldwide security perils. donia, Ukraine and Montenegro lack of simple computer hygiene: failure to to warn Russian agents who are use encryption or two-factor authentication 2017: trying to interfere in 2018 U.S. or proper passwords or, in one instance, leav- žSenate Armed Services Com- midterm elections that they are ing a room full of servers unlocked. mittee creates Subcommittee on being monitored and temporarily There is no way to know with 100 percent Cybersecurity. shuts down the Internet Research certainty that one’s defenses are working. Agency, a Kremlin-backed troll žDefense Science Board warns The best way to test them is to have cyber farm in St. Petersburg. United States “will not be able to “red teams” of qualified experts act as the ad- prevent large-scale and poten- versary and attempt to penetrate and disable 2019: tially catastrophic” computer U.S. networks. attacks by China or Russia and žMarch: Fiscal 2020 federal budget proposal calls for hike But the Defense Department also lacks a urges creation of a cyber-resilient sufficient number of qualified “red teams” military within the military. in cyber spending (quantify?). Grown by how much over how to test weapons. So each weapon is not test- many years??? ed long enough, and the threats they simu- 2018: late are not realistic, the Pentagon’s testing žMay: U.S. Cyber Command, ž March: Navy’s cybersecurity office says. which had been part of U.S. Stra- readiness review says United In fact, having an insufficient number of tegic Command, becomes the States “is losing” the cyberwar red teams, or teams lacking the right skills, 10th U.S. stand-alone combatant and has made a “national miscal- may in some ways be worse than having command. culation” in not dealing seriously none, because it can foster a false sense of se- enough with the threat. žAugust: President Donald curity, the top tester has said. Trump issues executive order žMay: Administration unveils However, it’s not just that the Pentagon’s loosening rules for authorizing order aimed at strengthening the cyber red teams are too few in number and offensive cyberattacks overseas. federal cyber-workforce. less capable than they should be. More fun- žSeptember: White House May: Lawmakers create bi- damentally, the entire enterprise is too “ad and Pentagon both complete partisan Cyberspace Solarium hoc,” says William LaPlante, a former Air cyber-strategies, and Pentagon Commission to explore policy Force acquisition chief who has long advised follows up with weekly meetings solutions. the Defense Science Board. What is needed is an institution that can regularly hold all programs to account on a regular basis and that is independent

CQ | JUNE 24, 2019 19 SPECIAL REPORT: DEFENSE

enough to unflinchingly deliver scath- waiting. Its newly minted fiscal 2020 ing assessments when necessary, says defense authorization bill (HR 2500) LaPlante, now a senior vice president would withhold 10 percent of the fiscal at Mitre Corp., a federally funded re- I believe we are 2020 money for Trump’s communica- search group. in a declared tions office until the exercise occurs. “This is going to be hard to put in “Unless these actions are exercised, place,” says LaPlante. “The system cyberwar. It is we won’t be prepared to confront bad doesn’t like these things, because they aimed at the things,” says Langevin, who began to are not the bearer of good news.” focus on cyber over a decade ago. “We Congress is starting to notice. When whole of society don’t want to do this on the fly.” the Senate debates its fiscal 2020 de- and the state. I Other major changes in organiza- fense authorization bill this month, it tions and behaviors are also needed. For may consider an amendment by Kan- believe we are its part, the Pentagon needs chief infor- sas Republican Jerry Moran and oth- losing that war. mation officers who are no longer oper- ers that would require the Pentagon to - Michael Bayer, ators of networks, but purely regulators assess within six months its cyber red Pentagon adviser of them, and who report directly to the teams — including “permanent, high- leaders of their organizations, which is end, dedicated” ones —and report the best practice in industry, experts say. back to Congress. The Navy has sought to create such It is not just the Pentagon that is an official — an assistant secretary for short on cyber-savvy personnel. As of information management — but has run April, America’s overall cyber workforce is Services press release last month on its fis- into congressional resistance. short 314,000 workers, a House Armed Ser- cal 2020 authorization bill, cyber was barely vices subcommittee said in a report made mentioned at the end. Bombs in the Age of Bytes public this month. Efforts are underway to Likewise, Bayer and his team found a Most analysts recognize that part of the deal with that problem as comprehensively as dearth of cyber references in Navy leaders’ reason U.S. enemies are fighting in the gray possible, but the country is starting from be- speeches and a scarcity of cyber-related zone is because America’s military has de- hind, and the government is especially hard- events on their calendars. terred those foes from fighting the United pressed to compete with high-paying Silicon “You wouldn’t even know that cyber is a States on the sea, air or land. So maintaining Valley firms. Top 20 problem,” he says. a strong deterrent in traditional arms is not Measured in dollars, cyber also does not open to question, most experts say. Leadership, Please stack up. Unclassified cyber spending across However, given that budgets will probably The main reason cyber is a people prob- the federal government in fiscal 2020 budget not grow considerably and may even come lem is that the human beings who are gov- request totals just over $17 billion, consider- down, the military may have to cut into its ernment leaders must step up their game, ably more than it was a few short years ago, spending for conventional weaponry to make experts say. Without sustained, senior-level but that’s only a bit more than 2 percent of room for more investment in offensive and attention, the United States will not shore up the roughly $750 billion annual national de- defensive digital weapons. its cyber vulnerabilities. fense budget. It’s becoming clearer that cyberattacks and In the past two years, Trump and leaders in Total security is unobtainable. But a higher disinformation campaigns are the domains the Defense Department and Congress have degree of confidence in the safety of U.S. sys- where adversaries with fewer resources and begun to significantly increase their atten- tems (military or electoral) and its offensive smaller militaries will challenge American tion to the problem, even though many law- cyber tools can be achieved, experts say. dominance, says Mark Warner of Virginia, makers contend that the administration has The way to get there is through a radical the ranking Democrat on the Senate Intelli- muddled the signal by getting rid of a White new commitment to cybersecurity driven by gence Committee. House cybersecurity coordinator’s position top political and corporate leaders. Continuing to spend at the same level on that they say is essential to getting all federal For one thing, the government must demon- conventional military strengths while also agencies working toward the same goal. strate its resolve by holding more exercises to boosting spending on the newer domains But their efforts are still dwarfed by the test cyber responses, according to lawmakers may not be possible without pushing defense challenge, many observers believe. and analysts. The Government Accountability spending to $1 trillion a year, and “further This inadequate attention is manifest in Office in 2016 urged U.S. military and civilian cutting out domestic discretionary spend- how infrequently U.S. leaders talk about leaders to hold a so-called Tier One exercise ing,” Warner says. cyber issues. On congressional defense com- with the private sector to gauge how to handle The Pentagon also needs to step up invest- mittees, cyber is essentially an afterthought an attack on domestic infrastructure. ment in and use of advanced technologies compared to weapons hardware and mili- The exercise is set for later this year, but the such as artificial intelligence because they of- tary pay and benefits. In the Senate Armed House Armed Services Committee is tired of fer multiplier effects, analysts say.

20 JUNE 24, 2019 | CQ focused heavily on the military, both conven- tional and nuclear, because that’s where the funding is.” Domestically, the Homeland Security Department does not have enough power, some say. C.A. Dutch Ruppersberger, formerly the top Democrat on the House Intelligence Committee, believes the NSA, which is based in his Maryland district, is doing well fighting information wars overseas. But Ruppersberger believes the govern- ment needs to create a new agency focused exclusively on domestic cybersecurity. “We have to keep continuing to make the issue of cybersecurity one of our highest pri- orities,” he says, citing China’s stated goal to

Christopher Polk/Getty Images Polk/Getty Christopher be the world’s superpower by 2049. SHOW-STOPPER: In 2014, Sony Pictures canceled the release of the film “The Interview” after hackers exposed company communications and threatened to attack theaters showing the movie. Victory Is Possible The last two years have shown hopeful The Pentagon’s 2020 budget proposal calls In the Pentagon alone, the new rules are signs of progress. for spending about $1 billion on artificial in- “not coordinated or deconflicted,” the House The congressionally created Cyberspace telligence programs, which “seems insuffi- Armed Services Committee’s fiscal 2020 de- Solarium Commission, which is aimed at de- cient when considering that AI has more po- fense authorization report says. vising strategy, doctrine and policy, may be tential to change the way we fight wars than one such positive sign. The panel is named any other emerging technology,” Susanna Civilians Equally at Risk after former President Dwight D. Eisenhow- Blume, a senior fellow at the Center for New Statutory limitations on the CIA and the er’s Project Solarium, which came up with a American Security, wrote in a paper pub- National Security Agency, meanwhile, have national strategy for combating communism. lished last month. barred the United States from responding Most experts say that what’s needed now is Policymakers in the Pentagon and other comprehensively to the broad disinformation just what was needed then. national security agencies also should step up and influence operations mounted by Russia, In a sense, it’s a geopolitical version of the use of artificial intelligence, says Mara Karlin, China and Iran. Go board game — patient, encircling, steady. of Johns Hopkins University’s School of Ad- Say, for instance, U.S. intelligence agencies The United States and its allies went after the vanced International Studies and a former are monitoring a Kremlin operative preparing Soviet Union’s weak spots, shining a light on top Pentagon official. a disinformation campaign. Once the Rus- its propaganda and falsehoods by using all Such applications, for example, could help sian agent launches the operation and Amer- means at the nation’s command, short of war. policymakers understand “who the Syrian icans start to see it appear on their laptops The good news is that the United States opposition is and think through the pathways and mobile devices “then it has to be handed has the resources and creativity to soon gain on how they are likely to act and respond,” over” to the FBI and the Homeland Security the confidence it now lacks in its ability to she says. Department, Warner says. hold its own in the ether. It is possible for the Several issues arise as officials try to im- Another reason for slow movement in the United States to get the upper hand, assum- prove federal oversight of cybersecurity and field of information operations is Americans’ ing changes are made. information warfare. For one thing, there understandable queasiness about engag- That’s what Bayer and his Navy cybersecu- must be more public-private information ing in propaganda, says retired Adm. James rity review team found in interviewing gov- sharing about threats and responses. That Stavridis, former commander of NATO forc- ernment officials, defense contractors and will probably require more declassification, es and of U.S. Southern Command. executives from companies such as Goldman but there are limits to that. But “it’s not propaganda,” he says. “It’s crit- Sachs and Amazon. In the private sector, cyber defenses aren’t ical to meet the adversary in that universe.” But to be successful, people need to wake cheap, and pose a burden for many smaller U.S. adversaries see information and po- up every day and worry about the nation’s cy- companies. And new government regulations litical warfare as key parts of their strategy, ber vulnerabilities. requiring contractors to adhere to cybersecu- says Seth Jones, an expert with the Center “You win this not just by changing struc- rity standards are so confusing that even larg- for Strategic and International Studies who tures and moving money,” Bayer says. “You er companies are having trouble complying, has advised military commanders in war win this by changing culture. That’s easy to surveys have shown. zones. But the United States, he says, “is still say and damn hard to do.”

CQ | JUNE 24, 2019 21 SPECIAL REPORT: DEFENSE SPECIAL REPORT: DEFENSE The Price of Naïveté U.S. security will continue to be threatened if we don’t counter disinformation

By GOPAL RATNAM

22 JUNE 24, 2019 | CQ

iStock ing today’s disinformation campaigns not only by the Kremlin but copycat attempts by China, Iran and others, says John Lenczows- ki, who served as President Ronald Reagan’s principal adviser on Soviet affairs, and one of the key players in the Active Measures Group. Given the role of social media in dissemi- nating information, the group should involve government agencies and technology com- panies, says Lenczowski, the founder and president of the Institute for World Politics. tanislav Levchenko, a KGB agent “How else do you fight against propagan- da, disinformation and active measures?” turned defector, told a Paris weekly Lenczowski asks. “You have to collect intelli- in 1987 that the Kremlin had been gence and expose it because a lot of this hap- pens in the darkness and that’s how criminals successfully tricking the West for 70 like to operate.” Syears because Americans and Europeans While Russia, China, Iran and others have tended to be naïve. strengthened their information warfare play- books in recent decades, the United States in- Soviet leaders capitalized on the “factor stead has dismantled its machinery for com- of elementary naïveté” among westerners bating disinformation, Lenczowski says. For about 20 years starting in 1954, the and “have used it for many years,” to spread CIA’s legendary counterintelligence chief disinformation, Levchenko said, in an James Angleton focused on Soviet deception and disinformation, and zealously tracked eerie preview of the tactics used by Russian down Russian moles he believed were provid- agents who created fake social media ing Moscow with feedback on its campaigns. accounts and spread disinformation during That focus dissipated when news reports revealed that the CIA had been spying on the 2016 election. Americans on the orders of President Lyndon B. Johnson to monitor anti-Vietnam War pro- Levchenko described the Kremlin’s Cold that would only kill people of certain races tests, in violation of the agency’s charter. The War-era effort as a “large machine,” with and ethnicities. resulting congressional investigations and as many as 15,000 people working full time Long before the advent of social media, intelligence agency reforms led then-CIA in Moscow alone in the “sphere of disinfor- these deceptions and many others had been Director William Colby to force Angleton’s mation.” But, he said, the number of gull- a staple of Russian disinformation efforts retirement. ible westerners was likely declining because and were meticulously tracked and exposed The Active Measures Group helped engi- many of Moscow’s tactics had been exposed. during the 1980s by the little-known U.S. Ac- neer the Soviet collapse, but fell victim to its “In the past two years a fairly large num- tive Measures Group, a multi-agency effort own success during the Iran-Contra scan- ber of Soviet forgeries have been caught,” led by the State Department. dal, which led several top National Security Levchenko told the Paris émigré weekly Russ- “The group exposed Soviet disinforma- Council officials to leave the White House. kaya Mysl, according to a State Department re- tion at little cost to the United States, but The United States downgraded key tools it port sent to Congress that cites the interview. negated much of the effort mounted by the used in the fight against the Soviet Union, in- “It has been known to everyone that these large Soviet bureaucracy that produced the cluding Voice of America and Radio Free Eu- were done by the Soviet service for document multibillion-dollar Soviet disinformation ef- rope that the Soviet dissident and writer Al- disinformation and this, of course, reflects fort,” according to a case study by Fletcher exander Solzhenitsyn once called the “most badly on the prestige of the Soviet Union.” Schoen and Christopher J. Lamb published powerful weapons we possessed during the It wasn’t just forged documents. Moscow by the National Defense University in 2012. Cold War,” Lenczowski says. ran a fake news campaign claiming that the The sustained exposure of the Kremlin’s dis- “Guns and rockets are more likely to be United States created the AIDS virus as a information helped convince Soviet leader funded according to strategic needs, but we form of biological warfare and convinced an Mikhail Gorbachev “that such operations never fund diplomacy or information policy Indian newsletter called Patriot to publish it. against the United States were counterpro- according to national strategic needs,” he says. The KGB also spread false news that the Unit- ductive.” “There’s a pandemic ignorance of the strategic ed States had developed an “ethnic bomb” It’s time to revive such tactics for expos- importance” of information strategy.

CQ | JUNE 24, 2019 23 SPECIAL REPORT: DEFENSE

FAKE NEWS: Russia convinced a newspaper in India, the Patriot, to publish a phony story about AIDS.

The current U.S. efforts at combating dis- Disinformation Project that was supposed to tegic and International Studies who has ad- information are still sporadic and anemic. be targeting the Iranian government but was vised military commanders in war zones. In 2011, the Obama administration created also aiming its fire against American journal- The National Counterterrorism Center, the Center for Strategic Counterterrorism at ists for being too soft on Tehran. established in the aftermath of the 9/11 at- the State Department with the goal of using Despite these feeble attempts, the United tacks to share terror threat information and Facebook and Twitter to push back against States “as a society and its policymakers view synchronize response, is an example of how a Islamic State propaganda. conflict in binary terms as hot or cold, war or coordinated approach works, Jones says. In 2016, the administration renamed it the peace terms,” says David Glancy, a professor Another approach, Glancy says, could be Global Engagement Center and expanded its of strategy at the Institute for World Politics an agency similar to the Office of the U.S. mission to include countering Russian, Chi- and a former adviser to the Pentagon and the Trade Representative, an independent Cab- nese and Iranian disinformation campaigns. State Department. inet entity with a small staff and officials But the center’s efforts have been hobbled “There’s a whole spectrum that goes be- drawn from different federal agencies to by poor management. tween peace and war and a lot of our adver- develop strategies not only to combat disin- Rex Tillerson, then the secretary of State, saries are engaged in that gray zone of con- formation but apply other measures of U.S. refused in 2017 to take $60 million in funds flict in a coordinated way,” Glancy says. “We power against adversaries that could be im- Congress had redirected to the center from are not very focused and are just waking up to plemented across the government. the Pentagon’s budget, and reluctantly ac- it in light of the Russian actions in 2016.” Unlike Russia, China and Iran, where the cepted about $40 million after lawmakers The United States has plenty of lessons to strategy flows from the country’s top leader, complained for months. draw from on developing a coordinated ap- “there isn’t such a centralized approach in the In early June, the State Department sus- proach, says Seth Jones, a senior adviser on United States,” Jones says. “We are very late pended funding for a group called the Iranian international security at the Center for Stra- to this game.”

24 JUNE 24, 2019 | CQ iStock

SPECIAL REPORT: DEFENSE Tech to Feds: ‘Be Cool’ Government cybersecurity teams can’t fill critical jobs without a new approach to recruiting

By PATRICK KELLEY

CQ | JUNE 24, 2019 25 SPECIAL REPORT: DEFENSE

THE PENTAGON’S CYBERSECURITY mission is facing a classic supply and demand problem: there’s a nationwide shortage of tech talent and an oversupply of jobs. This leaves the Pentagon starved of the cyber-sentries needed to defend its digital networks as the nation’s top computer sci- entists and software engineers often choose careers in the private sector that offer fat sala- ries and generous benefits. “They are so talented and in such high demand,” then-acting Defense Secretary Patrick Shanahan said of the Pentagon’s red team members, cybersecurity experts who test and defend Defense Department com- puter networks, at a Senate Defense Appro- priations Subcommittee hearing in May. “We really get out-recruited.” If there was ever a time the Pentagon would not want to lose the recruiting battle with the private sector, it’s now. The Chi- nese, Russians and Iranians have all hacked important aspects of American society since 2016. Moscow and Tehran targeted U.S. elec- tions and Beijing has hacked U.S. defense contractors, highlighting the Pentagon’s need for cyber-defenders. Offensively, the Pentagon will also increas- ingly need tech expertise. The military soon plans to integrate artificial intelligence tech- nology into its weapons systems, an endeavor that would give war machines human abil- Images Mark Makela/Getty ities and rely on yet-to-be-implemented 5G wireless internet technology. firms, startups and even Wall Street, often These tasks are monumental. Some of Competitive Pay choose between multiple lucrative job offers them may be done by entities on the Pen- The government struggles to at salary levels reserved for veteran govern- tagon’s periphery, like defense contractors. compete for cyber and IT jobs. ment employees. Others, like those done by the red teams, “It’s hard to beat the pay,” says Sibin Mo- must be carried out by the government. OCCUPATION 2018 MEDIAN PAY han, a computer science professor at the Uni- Capitol Hill knows this, and is nudging versity of Illinois, whose 2018 computer engi- Computer and information ����������� $118,370 the Defense Department to create a pipeline research scientist neering graduates — the talent the Pentagon from top U.S. universities to the Pentagon. struggles to recruit and retain — earned an Computer network architect �������$109,020 But that pipeline will need to offer strong average starting salary of $99,741. incentives to steer recruits with some of the Software developer...... $105,590 That salary level for 20-something com- highest-earning potential of all college stu- Information security analyst ���������� $98,350 puter nerds rivals the top level of what some dents away from the private sector. Database administrator...... $90,070 government workers earn in the Washington metropolitan area. Computer systems analyst ��������������$88,740 Many Opportunities The government pays its employees ac- “Students have many choices these days,” Computer programmer...... $84,280 cording to its “GS” salary table, a 15-tier pay Sally Luzader, manager of corporate relations Network and computer...... $82,050 scale with 10 different salaries at each grade. at Purdue University’s Department of Com- systems administrator The average Illinois computer engineering puter Science, said in an email. “So the top Web developer...... $69,430 graduate from 2018 earns $569 more per year candidates, especially, have the luxury of be- Computer support specialist ����������$53,470 than a GS-13 Step 1 employee in the Washing- ing very selective.” ton area, with the maximum amount a GS can Those graduates, sought by massive tech Source: Bureau of Labor Statistics make in the capital being $166,500 per year.

26 JUNE 24, 2019 | CQ TECH HELP WANTED: military that were way more rigid than my An Amazon jobs fair in Robbinsville, N.J., in experience both at the [U.S. Naval Acade- 2017 attracted thou- my] and onboard a submarine,” J.P. Mellor, sands of applicants. a Naval Academy graduate and head of the computer science and software engineer- ing program at the Rose Hulman Institute of Technology, says. “There was plenty of room [in the military] for my creativity.” Mellor left the Navy decades ago, but sees ample room for innovation on the Pentagon’s red teams. “That’s a super-creative activity,” Mellor says. “You have to try figure out what could go wrong here or how can I turn it on its head?” Mohan agrees, saying working on teams tasked with testing network security — hack- ing, essentially — “becomes a bit of an art and not completely a science.”

More Savvy Needed One reason — perhaps the main reason — the Pentagon has trouble filling these jobs is its sales pitch, or lack of one. Mellor couldn’t recall the Defense De- partment recruiting on Rose-Hulman’s Terre Haute, Ind., campus, but said his students of- ten intern and later start careers at the com- panies with structured internship programs that recruit the students in person. A provision in the House version of the fis- cal 2020 defense spending bill would direct the Pentagon to hire like private companies, saying the Pentagon should work with univer- West Coast companies like Amazon, Mic- the Wall Street firms, a decent amount of sities to recruit cyber-skilled students during rosoft and Uber are recruiting these students money, and turned it down because they their junior and senior years, giving them time well before they graduate, and the local cli- were not excited about it,” Mohan says. “If to complete the requisite security clearance. mate is part of the draw. the government agencies show them the cool “That would totally do it,” Mellor says. “I A lot of people want to live in California, work that can be done, then some students think that’s a great strategy.” “as opposed to say living in D.C.,” Mohan might be attracted to it.” But Mellor would advise the Pentagon not says. So-called “cool” work for recent grads could to wait until the students’ junior years. But it is smaller tech firms that are escalat- very well be their deciding factor between jobs. Many Rose-Hulman students, like those at ing the bidding war. Those jobs could include the short-staffed red other universities, often start internships af- “Startups are ready to pay extra money just teams at the Pentagon and other cybersecurity ter their freshman year, return to school and to attract students away from some of these roles across the government. spread the word about their apprenticeships, big names,” Mohan says. “Students often want to work on ‘cool’ sometimes recruiting classmates to apply to And back on the East Coast, Wall Street projects,” Luzader says. the company where they worked. quantitative trading firms are showering William Crumpler, a research assistant The result is job security before grad- computer geniuses with cash to help shave at the Center for Strategic and Internation- uation, with more than 90 percent of lucrative nanoseconds off transaction times. al Studies who has studied the federal cyber Rose-Hulman students accepting full-time In recruiting tech talent, the government workforce gap, says government cyber pro- job offers before their senior year final -ex simply can’t outbid the private sector. Luck- grams need to “focus on the coolness factor.” ams, Mellor says. ily for the Pentagon, some of the country’s By this logic, the Pentagon would do well So for the military to win the future wars in brightest college graduates aren’t solely mo- to shed its stiff, top-down image, which some ethereal digital conflict zones, they must first tivated by money. veterans say is a myth. win on an equally competitive battlefield: the “I know students who’ve had offers from “I’ve been lots of places that are not the college career fair.

CQ | JUNE 24, 2019 27 SPECIAL REPORT: DEFENSE Old Habits, Old Gear Reliance on 20th century weapons handicaps the military in the 21st

By ANDREW CLEVENGER

IF A WAR BROKE OUT tomorrow with strike targets with relative impunity. China or Russia, the U.S. would enter the fray For Elbridge Colby, who served as deputy with an aged military — many of the ships, assistant Defense secretary for strategy and tanks and planes have been in service since force development early in the Trump ad- the Cold War. ministration, the 1970s and ’80s offer a useful The reasons are numerous: the decades it model of success. often takes to develop new equipment, long That second major advance “is considered periods of insufficient investment and a re- the gold standard for successfully dealing luctance to abandon familiar weapons. with great power competition,” says Colby, Two years into the Trump administration, who now directs the defense program at the the Pentagon’s budget decisions have not Center for a New American Security. fully aligned with its rhetoric about retooling A self-described optimist who spearhead- shrewdly spread the work of developing, and boosting its military edge over China and ed the Pentagon’s National Defense Strategy manufacturing and assembling major weap- Russia. And that raises questions about how in 2018, Colby believes the U.S. is better po- ons programs across multiple states and dis- the Pentagon is preparing for its next conflict. sitioned to maintain its warfighting edge now tricts, making it less palatable for Congress to “Does technology drive strategy or does than it was in the 1970s. pull the plug on older programs and risk los- strategy drive technology?” wonders Rich- “We’re not going to be able to march on ing those jobs. ard Aboulafia, vice president of analysis at Beijing, but that’s not what we’re thinking “Inevitably, you’re going to have the con- Teal Group. “I’m not really convinced that we about,” says Colby. “We’re thinking about gressional support come down on the side of have a strategy that drives technology.” how we help Taiwan defend itself.” existing platforms and associated jobs rather American ingenuity helped produce two If that’s the case, some ask, why put prior- than the side of a handful of engineers work- great technological advances that extend- ities on making incremental advances to last ing on transformational technology,” Aboula- ed the United States’ run as the world’s pre- century’s military, like a new armed scout he- fia says. eminent military power, even as potential ad- licopter? Army Undersecretary Ryan McCarthy, versaries amassed larger armies and stores of “Are you really going to do an air assault who is responsible for devising a more mod- conventional weapons. into Shanghai?” asks Byron Callan, an analyst ern approach, acknowledges that these forces The first was the development and de- with Capital Alpha Partners. can be hard to overcome. ployment of tactical nuclear weapons, which Part of the Pentagon’s reliance on older “It’s very difficult to step away from leg- helped counteract the Soviet Union advantage systems comes from practical necessity. To acy systems,” he says. “There’s obviously in conventional forces that threatened to over- paraphrase former Defense Secretary Don- the congressional interest, but also institu- run Eastern Europe. The second was the ma- ald Rumsfeld, you go to war with the equip- tionally, these are systems that many of the turity of U.S. surveillance and reconnaissance ment you have, not the equipment you would officers and noncommissioned officers have capabilities, coupled with new stealth technol- like to have. grown up on. They’re comfortable with them. ogy and precision-guided weapons that could Another hurdle: defense contractors They’ve fought with them in combat.”

28 JUNE 24, 2019 | CQ ANCIENT WARRIOR: A B-52 bomber flies over Osan Air Base in Pyeongtaek, South Korea. Chung Sung-Jun/Getty Images Chung Sung-Jun/Getty

To convince decision-makers in the Penta- backward. It’s an indication of very, very But the Pentagon is falling well short of gon and Congress to approve a new concept, short-term perspective,” he says. “As long full-throated support for that approach, he says, “you have to be relentless in explain- as appropriators focus so heavily on the up- Callan notes. As appropriators angle to cut ing in why you’re doing it, and you need to be coming year, they tend not to have a strategic funds for forward-looking technologies, the really ruthless with the prioritization of those view.” Defense Department has barely pushed requirements.” It’s an uphill push to overcome the risk- back. The Pentagon’s budgets do contain crucial averse culture on the Hill and in the Penta- “Where’s the hue and cry about, ‘No! No! seed money for new technologies like hyper- gon, he says, but Congress needs to take the No! These are priorities!’ ” Callan says. sonic missiles and artificial intelligence. The lead in demanding a coherent approach. Some key lawmakers want more details plans also contain massive investments in a Zakheim notes that the Pentagon has about how the Pentagon intends to use new new stealth bomber, the next generation of pushed for 21st century warfare technolo- tech for national security. House Armed Ser- aircraft carrier and ballistic missile subma- gy, such as systems for cyberspace conflicts, vices Chairman Adam Smith says he wants to rines, and updates to Bradley Fighting Vehi- which go beyond shooting wars. see strategic plans before he can wholeheart- cles and Stryker combat vehicles. “The question then is, when does Con- edly embrace the Pentagon’s approach. Dov Zakheim, who served as the Penta- gress really take charge and move ahead?” he “What are they hoping to use these technol- gon’s comptroller during the George W. Bush asks. ogies for, how do they help them accomplish administration, notes that House appropria- CNAS’ Colby agrees that Congress could their goals, what’s the application of the tech- tors cut back fiscal 2020 funds in several criti- force the issue. nology, instead of just saying, ‘Hey, this would cal areas, including artificial intelligence, and “My hope is that it will become increasing- be neat,’” the Washington Democrat said at the Defense Innovation Unit, the Pentagon’s ly embarrassing for Congress to do logrolling the Center for Strategic and International outreach effort to Silicon Valley. in defense rather than supporting and de- Studies June 10. “My overall concern is that we “Those are the kind of things you need if manding strategically sound policy and pro- are embracing more projects than we’re ulti- you are thinking ahead instead of looking gramming,” he says. mately going to have money to fund.”

CQ | JUNE 24, 2019 29