Some strategists have urged America’s cyber warriors to think more like a hockey team than a football team. But the second-in-charge at U.S. Cyber Command prefers a different sporting analogy—the gladiatorial combat known as mixed martial arts.
“I’ve heard people say we probably want to get closer to what you see in hockey, which has much quicker transitions [between offensive and defensive plays],” Cybercom Deputy Commander Air Force Lt. Gen. Charles L. Moore Jr. said, discussing the relationship between offensive and defensive campaigns carried out as part of Cyber Command’s strategy of persistent engagement. But he added that neither football nor hockey properly captured the freewheeling essence of cyber combat.
“In my mind, we want to get something a lot closer to mixed martial arts—you have people that are fighting one another, they’re not thinking, ‘Hey, right now I’m on defense, and I’m going to do something defensively.’ Or ‘OK, now I’m going to try some offensive moves.’ It is much more inherently blended in and seamless. So that’s how I would suggest we need to think about it and where we need to go.”
In his remarks at C4ISRNet’s CyberCon virtual event Nov. 10, Moore also touched on the need to defend U.S. military space assets in cyberspace; the vulnerabilities inherent in the Defense Department’s joint all-domain command and control (JADC2) operating concept; the posture of North Korea’s state-backed hackers; and the difficulties in measuring the effectiveness of cyber campaigns.
Moore said persistent engagement has been successful both defensively and offensively since Cyber Command adopted it in 2018. The strategy involves continuously infiltrating adversary networks, not just to prepare to take them down in a future conflict, but also to engage the adversary now and try to change their decision calculus about the use of cyberattacks in “gray zone” or hybrid war strategies.
Defensively, the command has been able to block some enemy cyber campaigns before they were even launched, Moore said, “In many cases, … we’ve been able to stop operations and attacks from happening to begin with.” He added that U.S. operations into adversary networks have revealed “what they may be trying to do to our country, and to our friends and allies; what infrastructure they may be using; what tools; what malware or cyberweapons they may be developing.” He said by publicly providing samples of malware being readied for adversary campaigns, “we’ve been able to … inoculate not just ourselves, but the broader cybersecurity enterprise against them.”
Moore said Cyber Command’s presence on adversary networks put it in a position “to achieve the effects that we want to achieve on behalf of the … nation in times of crisis or conflict.” But it’s also “given us more opportunities for access, more opportunities to impose cost.” In many cases, he added, it’s exposed campaigns in the planning stage.
Touching on the need to defend the nation’s space assets in cyberspace, Moore said that of the 14 additional cyber combat teams funded in the current year budget, half of the them were specifically earmarked “to help us address defending our space capabilities, and also to present any type of offensive capabilities from a cyber perspective that we may need in that [space] domain.” He said the teams would be up and running by the end of 2024 and fully trained within a year to 18 months after that, “so we’re working very closely with the U.S. Space Command to get those teams stood up to get them bedded down and get them operating.”
On the Pentagon’s plan to create a fully networked and connected Internet of Military Things—known as JADC2—Moore said Cyber Command would have two key roles: first, to contribute the “cyber picture” to the common all-domain operating picture JADC2 requires. But also to defend the infrastructure that would make the common operating picture and decision-making tools of JADC2 available to commanders. Moore said the integration of all-domain sensing and decision-making would greatly multiply the potential cyberattack surface for adversaries.
“As you can imagine, potential vulnerabilities exist across all the different domains in the way that we gather the information and transport the information, make it visible to decision makers; and then how … directions go back out to the broader force.” Joining all those vulnerable systems together made them much harder to defend, Moore said, and added complexity—often seen as the enemy of cybersecurity.
“For every unit of increase that we have in effectiveness and efficiency gained by integration, which is really the goal of [JADC2], you probably have an increase in potential cyber vulnerabilities [of a power of two] at least,” he said, jokingly analogizing his own rule of thumb to Moore’s law, which famously predicted that computing capacity would double every 18 months. “Maybe I’ll name that Charlie Moore’s law,” he said, “the point being that you have an increase in that net surface area of vulnerability that we have to make sure we’re postured to help defend from the ground up.”
Responding to a question about North Korea’s prolific state-backed hackers, Moore said that they appeared more focused on financial cybercrime to provide hard currency to the regime, rather than more conventional computer network attack activities. “The North Koreans mainly seem to be focused really on revenue generation,” he said. “They’re not too focused, from what we see from a day-to-day perspective, … on trying to perform operations against the United States, against our Defense Department Information networks, but rather very much trying to generate money to support the regime.”
Although it was often hard to measure the effectiveness of cyber campaigns, Moore said, Cyber Command leadership sometimes got feedback “directly from our adversaries about what they’re thinking and how they’re responding” because U.S. cyber warriors had infiltrated the networks they use to communicate.
“That’s very informative and tells us when we’re on target or hitting something important,” he said.