Could striking first in cyber be new Pentagon policy?

by Braxton Taylor

The White House’s pick to lead Pentagon cyber policy wants to lean in on offensive cyber operations and the use of AI as cyberattacks become more common and lawmakers worry about conflict with China.

“While we need strong defenses, we are not going to deter the adversary with defenses only,” Katie Sutton, who was recently the chief technology advisor at U.S. Cyber Command, told senators Tuesday during her confirmation hearing to become assistant defense secretary for cyber policy. “If confirmed, I will work to strengthen our offensive cyber capabilities to ensure the President has the options he needs to respond to this growing threat.”

To do that, Sutton said the Pentagon needs to reevaluate its policies and authorities, including the 2018 National Security Presidential Memorandum 13, which was designed to streamline how cyber operations get approved, to keep up with new threats. 

“I believe we’re at a point where we need to re-evaluate those and make sure that we’re…able to respond to the increasing speed of cyber attacks, and that we are able to address the incoming impacts of AI,” Sutton said. “The speed of technology is often outpacing the policies we have in place to utilize that technology. So for example, in the case of artificial intelligence, we need to make sure we have the right policies for data and that it’s responsibly used, but also that we are authorizing its use.” 

Artificial intelligence has changed the cyber landscape as hackers use the technology to create more convincing voice, video, and text-based messages for fraud campaigns. 

“If you think about the number of things in your home that are connected to the internet. If we think about, across the military, how we’re going to need data connectivity that certainly poses a very large attack surface that the adversary can go after,” Sutton said, noting that much of that attack surface is in the private sector. “Coupled with all of the technology that’s available, like generative AI, has made it very easy and a very low bar to be able to come in and exploit vulnerabilities in this system.”

Lawmakers agreed, calling for more transparency and use of offensive cyber operations. 

“We need to be more aggressive, offensively,” said Sen. Eric Schmitt, R-Mo. “I don’t think that a lot of Americans understand, probably, how vulnerable our critical infrastructure is to what the Chinese are already probably embedded in what they’re willing to do. It certainly would reach a critical mass if they moved on Taiwan. I think that that’s sort of probably where they go first.”

There was even some support for more doctrine on cyber warfare. Sen. Angus King, I-Maine, called for a “doctrine on deterrence in cyberspace” to make it clear to adversaries that the U.S. was serious about offensive cyber operations.

“We need to have both the capability for offensive cyber, but also, I believe, we need a stated doctrine. Everyone in the world knows our doctrine of deterrence and nuclear armaments, for example, people should also understand a doctrine of deterrence, that if you attack us in cyberspace, there will be a response. It may not be cyber, it may be something else,” said King, who co-chaired the Cyberspace Solarium Commission. “We still haven’t responded to the Sony hack. We haven’t responded to Volt Typhoon. There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department, in the administration, you’ll argue for a serious and substantial cyber deterrent, stated policy. If it’s not stated, a deterrent doesn’t work.”

Sutton also stressed the need for better tools for operators. 

If confirmed, Sutton wants to expand a version of the Defense Advanced Research Projects Agency Cyber Command’s Constellation program to improve the tools cyber operators use, including artificial intelligence, by pairing operators and analysts with developers to make sure the final product will be useful. 

“We’ve had success in that,” she said. “And I look forward to using that model, if confirmed, to be able to bring innovations from across industry and the rest of the innovation ecosystem in.”


