Teamwork -- balancing between opportunity and risk -- and transparency of intent are the keys to U.S. efforts in the cyber domain, the acting deputy assistant secretary of defense for cyber policy said June 12.
Speaking at a Hot Topic forum hosted by the Association of the United States Army's Institute of Land Warfare, Maj. Gen. John A. Davis discussed dynamics and trends he has seen driving Defense Department cyber policy, strategy and authority while working over the last six years in senior cyber-related positions.
The first driver of cyber policy has been teamwork and partnerships, he said.
"We say cyber is a team sport a lot," he said.
Adding, "I can tell you from my perspective: Don't underestimate that or think that it's a cliche. It is not."
Many public and private organizations have individual roles and responsibilities that are critical in the area of cyber, Davis said.
"There's no doubt everybody's got a part to play," he added. "But there's no single organization -- public or private -- that has sufficient expertise, talent, resources, capabilities, authorities or capacity to act or be successful in isolation."
From the perspective he has gained in the office of the undersecretary of defense for policy, the general said, he views these partnerships on four levels, which he referred to as: "The Four I's."
- The first is internal, he said -- things an organization needs to do within itself to be an effective member of a broader team.
- The second is interagency, which means a federal whole-of-government approach.
- The third, industry is the public-private partnership that's required to be effective.
- The final "I," he said, stands for international.
The implications of these concepts, the general said, are related to the Defense Department as a member of an interagency team, and its role and responsibility in cyberspace with other elements of the federal government.
After a cross-government cyber exercise, Davis said, the three main organizations that formed the basis of the federal cybersecurity operations team -- the FBI, the Department of Homeland Security and the Defense Department -- spent the next year outlining their roles and how they related to each other.
This was done, he added, to provide for effective preparation, response, prevention, mitigation and recovery from a major cyber attack with the organizations working together as an effective team.
Davis also said President Barack Obama's cyber policy is "an articulation of a very clear role for the DoD in defending the nation in cyberspace. That's very important for us as a member of a broader team."
The second driver, balancing opportunity and risk, refers to growing reliance on information technology environment standing in stark contrast to that environment's security.
"It's because technology and technological development ... have historically focused more on opportunity," he explained.
Adding, "We always chase technology, and security's always behind and trying to keep up."
The balance is changing, Davis said, but at a slow pace.
The Defense Department and the intelligence community have been ringing the bell to alert the public and private sectors of a growing threat to critical infrastructure and key resources, not only in the United States, but also worldwide.
"There's a risk of the proliferation of cyber weapons, and with it, the increasing potential for instability and mistakes," Davis said. He added that he is most worried about the risk of unintended consequences.
"There's been a lot of blurring of the lines recently between state and non-state activity," he noted.
"There's been an extreme lack of transparency in the ability to gauge intentions. There's been a lot of reckless behavior that we've seen, and we don't understand the intentions behind it."
This uncertainty, Davis said, could lead to the next big cyber event as the result of a mistake or of a surrogate being out of control.
Clarity and transparency, the third driver of cyber policy, is desperately needed, Davis said.
"Historically, most of the sophisticated cyber capabilities that we know grew up in darkness and anonymity," he said, citing hackers, criminals and even the legitimate intelligence community.
He added, "But now we are witnessing a growing array of nation-state military cyber capabilities, including our own. But this requires a different model with a bit more light shed on it. Why? To reduce uncertainty and increase stability."
It's important to explain clearly what the U.S. military is doing in cyber and why it is doing it, Davis said, and how the United States is exercising careful, deliberate control over what it is doing as a responsible nation.
"Clarity and a greater level of transparency are important," he said. "The question is how much clarity and transparency."
Davis noted that the president and Defense Secretary Chuck Hagel have said the need for clarity and transparency is critical in driving policy, strategy and authorities within the Defense Department and across the government.
"This is why we have been increasingly clear and transparent with friends and competitors alike," Davis said.
Adding, "We want the world to know about both the capabilities we're building and the intentions for their use to the degree that it doesn't impose a disadvantage, and to the degree that we can use this for deterrence measures."
That's what a responsible nation does, Davis said, and the United States is setting an example it expects others to follow.