Air Force Lt. Gen. Kevin McLaughlin, Deputy Commander of U.S. Cyber Command (USCYBERCOM) said Wednesday that too much of the cybersecurity threat conversation on Capitol Hill discusses threats as a “theory” — rather than the reality these threats already are.
“What are we going to do when? If an enemy does X, what are we going to do about it?” he said, summarizing the sorts of discussions he’s heard at symposiums and on the Hill.
“A lot of the discussions are about the theory, as if this isn’t actually happening right now,” said McLaughlin Wednesday at the Potomac Officers Club.
There’s discussions about “how you defend the internet of things. Well, maybe the internet of things hasn’t come fully realized the way we think it could in the coming years, but in terms of the practical realization of the connective tissue between the internet and physical things… and cyber and critical things we depend on, including physical, that’s upon us right now,” he said.
“We’re dealing with that right now within the command,” said McLaughlin. “Cyber threats, and connective tissue platforms, and weapons systems… it’s a challenge right now for us.”
The immediacy of the threats, as well as the myriad of trends in cyber, are “a challenge right now for us,” he said. “We didn’t originally create the command thinking about” the internet of things or cloud or how prevalent different technologies would become “but we realized [over time] that was a very limited view.”
He said the command was originally created with a much more narrow mission, but that as technology has expanded in real time, they’ve had to acquire the flexibility and agility to keep up with the challenge. McLaughlin’s staff have to handle threats in real time, without a chance to practice on an enemy.
Networks at the core of DOD are being integrated because “for us, it’s our weapons system. We have to be able to see across it. We have to converge those together so we can more rapidly know if there’s a vulnerability out there,” said McLaughlin. “We have to know if there’s a vulnerability out there… it still takes us days, even weeks, to know. It can’t take that long.”
McLaughlin said the departments are discussing what sort of capabilities they’ll need, and how to create architectures across them for joint cyber capabilities, as well as drive the right type of people for the military to train.
There’s tension between what traditional military services would do, versus what a cyber command would do, he added.
“I can’t tell you exactly how it’s going to turn out; I’ll just tell you we’re applying pressure for how we think that ought to look,” said McLaughlin.
“The boss mentions the fact that Congress in last year’s NDAA [military funding bill] described in law an elevated cyber command with U.S. Silicon-like authorities, in fact the language looks very close to Silicon’s language,” he said. “And so the discussion is, how are we going to implement that, at what pace, and there will be a lot of … discussions about how that’s actually going to work.”
He said the military doesn’t just want to maneuver in cyberspace, they want to “maneuver the cyberspace.”
They “want to maneuver the network — actively and pro-actively, in concert with the operations that we’re trying to run,” said McLaughlin. “That’s when you begin to see skills like IT and cyber-security skills and …operational skills that see the world like Neo did in the Matrix. … but that requires changing the tribes… and the culture… of the people that do it” in the federal government.
The Deputy Commander of U.S. Cyber Command also emphasized the Pentagon’s extreme need for cyber manpower. He said the military is “thinking a lot about what capabilities, capacity, and roles functions authorities should our command have” in the future, and “particularly those that would be unique for a [cyber]command to have.”
“It’s our view that we will expand those into the future in a significant way,” said the keynote speaker at the Potomac Officers Club Spring Cybersecurity Summit Wednesday.