Jim Sullivan, defense intelligence officer (DIO) for cyber at the Defense Intelligence Agency (DIA), emphasized the value of offensive operations in cyberspace to deter nation-state attackers during a panel discussion this week at the RSA security conference in San Francisco.
“The best defense is a good offense,” said Sullivan, who touched on the growing capabilities of U.S. Cyber Command. “They are conducting military cyber operations going on 24/7 for 365 days a year,” he said, adding, “You will see more cyber operations over time.”
To create a more effective deterrence strategy, Sullivan said it’s necessary to better understand nation-state adversaries, and their motivations and interests. That’s easier said than done, he indicated, while also stating that playing defense against nation-states is not enough to change their attack calculus, which features the perception of minimal downside risk.
“You’ll never fully get out from under network defense” if you don’t understand the attackers better, Sullivan said. “If we don’t impose costs” on attackers, “we will play defense for a long time and eventually become exhausted,” he said.
“Entry into this is a laptop and an internet connection,” said Don Heckman, deputy chief information officer for cybersecurity at DoD, commenting on the low barriers to entry for attackers.
On top of that, the urgency of the security threat is hard to convey to most people, Sullivan said.
“If you are sitting in this room you understand the threat,” he said. But in the case of most of the general public, “it’s very difficult to impress upon people the threat … Because they are busy doing other things.” Another reason is because cyber threats can’t be seen with the naked eye. By comparison, Sullivan said that if those same threats were coming from enemy air power, “you’d see Russian and Chinese bombers in the air.”
“We are trying to get everyone at the same level of awareness,” he said.
“We need to educate people to demand security as a key feature,” Heckman said. “Like you buy a car … Everyone should be a demanding consumer.”
Sullivan also emphasized that better communication about threats and available assistance at the Federal level is important to improve security. He offered the example that DoD doesn’t have much security interaction with state governments. “The biggest problem is communications across Federal, state, and local governments,” he said.