In his first public remarks in his new role, Michael Sulmeyer, the first-ever assistant secretary of defense for cyber policy, said on Friday that he wants to focus on finding a better way to measure the cybersecurity progress of the Department of Defense (DoD).
Sulmeyer is only four weeks into his new job, and he is already working with his team to focus not just on the quantity of cyber operations, but also the quality.
“One of the things I’ve been talking with my team about and trying to talk with other partners across the government about is, how do we keep score of ourselves? It’s one thing to count the number of operations or something like that, or to count the number of ‘hunt-forwards.’ There is a power in quantity, but increasingly how we talk about our return on the nation’s investment in us,” Sulmeyer said on Sept. 6 at the 15th Annual Billington CyberSecurity Summit in D.C.
“Not just DoD, but the cyber community, more broadly, private sector, public, I think is an area I’m looking to try to work on, again in the weeks and months ahead of telling that story – at least from the Office of the Secretary of Defense side,” he added.
Hunt-forward missions are conducted by the U.S. Cyber Command’s (CYBERCOM) Cyber National Mission Force (CNMF). They aim to uncover tools used by hackers, disrupt adversaries’ cyber operations, and strengthen networks while providing crucial defensive insights for future cyber conflicts.
CNMF Commander Maj. Gen. Lorna Mahlock announced at the Billington CyberSecurity Summit on Sept. 5 that CYBERCOM has or will be deploying its cyber force approximately 25 times on hunt-forward missions this year. By comparison, the CNMF deployed on those kinds of missions only about five times in 2018, when the force was created.
Fast forward to today, and the CNMF has deployed more than 60 times and conducted operations in 28 countries since 2018, including Lithuania, Albania, Latvia, Canada, and Zambia.
DoD’s Sulmeyer wants to find out the qualitative details of these types of cyber operations, as well as other operations across the cybersecurity community.
Sulmeyer was nominated by President Biden on March 21 for his role as assistant secretary of defense for cyber policy, which was established by the fiscal year (FY) 2023 National Defense Authorization Act (NDAA).
In his new role, Sulmeyer is responsible for developing, coordinating, assessing, and overseeing the implementation of DoD cyberspace policies and strategies, including the Pentagon’s Defense Industrial Base cybersecurity strategy.
Additionally, Sulmeyer said that part of his job is to certify CYBERCOM’s cyber operations budget in close partnership with the DoD’s chief information officer.
“I’m supposed to focus on understanding the cyber operations part of Cyber Command’s budget and then DoD-wide,” he said. “That means that there’s an opportunity to set some priorities upfront with other department leaders to say, here’s where we want to go in the future, we have a strategy, now let’s look at where does that set of investment priorities go. Then through the budget process every year, Congress has given us that mechanism to work with the services and see how that actually translates at that level.”
However, Sulmeyer said that when it comes to budget priorities, it is “critical” to have conversations with management to explain that cybersecurity “is actually important to the revenue generation and protection side as well.”
“I really found that recently as well. I’m glad you brought that up,” added Ryan Gillis, the session moderator and the senior vice president and global head of government partnerships at Zscaler.
“I felt that we were past the explaining the relevance of cyber, and what I’m finding is that what we’ve seen on the kinetic side, in Ukraine, for example … much of the way the Russians initially went after critical infrastructure was with missile strikes. And so, there’s been a bit of a pendulum swing, I think, to some of the more traditional, kinetic focus,” Gillis said. “I think this audience, we all think of cyber first in a lot of ways, but you’re right, we have to actually keep continuing to articulate the relevance against the sort of traditional threats.”
