 But now it's my pleasure to introduce Dr. Emily Goldman. Dr. Goldman is currently on detail to the Office of Policy Planning at the U.S. Department of State. She's on assignment there from National Security Agency, where she has been a member of the U.S. Cyber Command and NSA's Combined Action Group since 2011, and it's director since 2014. As the CAG director, Dr. Goldman was responsible for and the strategic advisor to three directors or commanders where she helped articulate and execute the vision and strategy for both organizations. In 2018, she led a team to write the U.S. Cyber Command vision to achieve and maintain cyberspace superiority, and she convened the first annual cyberspace strategy symposium. She's received her Ph.D. from Stanford University and was associate professor of political science at University of California Davis from 1989 to 2008. She's published in numerous journals. She has received awards and fellowships from MacArthur, Olin, Pugh and Smith Richardson Foundation's Institute of Peace Woodrow Wilson Center and the Naval War College. Her book, Power in Uncertain Times, Strategy in the Fog of Peace, was published on Stanford University Press. And later this year, you will be reading one of her book's cyber analogies, which she co-authored with the Naval Postgraduate Schools Professor John Arquilla in 2014. Please join me in welcoming Dr. Emily Goldman. Good morning. Can you all hear me okay? Okay, great. First of all, thank you for inviting me to speak to you today, and it's a pleasure to be back at the Naval War College. I actually spent 1991-92 here as a secretary of the Navy Fellow, so I have a real fondness for this institution. I want to be clear that my comments reflect my views and they don't necessarily reflect any official views of the U.S. government, any department within that government. So with that caveat in mind, what I wanted to do today, and I know that you've had some really interesting discussions yesterday about sort of how to think outside the box, futuristically about the world that we're facing and going into, what I wanted to do is to try to tell you the story of where we are in terms of thinking about cyber strategy and cyberspace operations from my vantage point of sitting at the National Security Agency and U.S. Cyber Command and now at the State Department. So hopefully this will kind of give you an understanding of the state of the art in terms of strategic thinking and operational thinking. And these ideas are evolving every day as we continue to operate in the space and to learn from that experience. So what I'm going to do is I'm going to start off by providing the strategic context for the national approach to cyberspace, the role of cyberspace in that. Then I want to talk about the evolution of U.S. policy and strategy and conclude with some challenges and potential remedies for those that you'll be facing as you go out to lead in this new space. So let me start with the strategic context. And I think the biggest takeaway that you need to have is that it's a period of renewed great power competition. I mean, that is the strategic framework that our national policy leaders, DOD leaders are using to understand the dynamics that are going on now. It's been more than a year since the national security strategy called out the Contest for Power as the central continuity in history and warned that the revisionist states of China and Russia were actively competing against the U.S. and our allies and our partners. Similarly, the national defense strategy identified interstate strategic competition not terrorism as the primary concern in U.S. national security strategy. So this is the strategic framework that really is informing how we think about cyberspace and actually even in the State Department, they're reorienting to think about how do we deal with great power competition. After the collapse of the Soviet Union, I think there was a period of strategic pause where we felt that the democratic capitalist operating system somehow had won out. And that after decades of struggle, that had prevailed. And of course, people wrote about the end of history. And here we find ourselves in an ideological and in a great power competition that is not necessarily resolved in our favor. So this is the framework that we face. And there's something unique about it, I would argue, and that's that for the first time we face a geostrategic economic competitor. So the last time we faced a major economic competitor was probably Britain in the 1920s. But we ceased being strategic rivals with Britain probably around 1815. So the Union, major formidable geostrategic military foe, but not an economic peer. But in China, we face that. This is something that we have never faced before. Okay, an alternative model, party-led mercantilism, that has appeal as a business partner to many countries, as a patron to many countries. At the same time, coupling this with their tremendous military power, growing military power and strategic ambitions. So with the lens of great power competition, I want to talk about how it's playing out in cyberspace and what the implications are for our strategy and our operational approach to dealing in this space. So I would argue that cyberspace is a key arena of great power competition. And the question is why, okay? Why in cyberspace as much if not more than in the physical spaces? Because what cyberspace does is it offers new ways for great powers to influence, to coerce and to exploit each other for strategic advantage without resort to physical aggression. So if we look at first of all, that's a key point. And if we look first of all at what these challengers are doing, let's take China. China, as I said, is a geo-economic strategic competitor. And its behavior is designed to build and to control all aspects of the information environment, and to supplant American superiority. So what they do is they're leveraging our system, our values. They're co-opting our institutions, our allies, our businesses, engaging in IP theft at scale, targeted investment in emerging technologies such as US-based artificial intelligence. And they're using legal overt behavior, investing in companies, buying companies that have gone bankrupt, to supplant American advantage. And to be in the lead for the next wave of technological development. So China is a geo-strategic economic competitor. Russia, I would define as a geo-strategic agitator. Okay, a country that is employing disruptive campaigns to undermine the sources of American power, our authority, to delegitimize democratic institutions, not just in the United States, but across Europe among our allies and partners, to sow discord in our society, and to manipulate political discourse and social media, to also undermine alliance cohesion. So each of these countries is engaged in what I would call strategic cyber behavior. What do I mean by strategic? By strategic, I mean it's meant to erode the sources of national power. They're doing it in different ways, but their intent is to change the international distribution of power relative to the United States. And cyberspace is a major way that they are embarking upon doing this. Why is that? Because as I said, cyberspace represents a new seam or a new opportunity in great power competition. You can gain strategic advantage, gain global influence, reduce US power without engaging in conflict and without ever setting a foot on US soil. So why is this significant? Okay, so and I would argue is that it's significant because historically, if you wanted to undermine the power of another country, how did you need to do that? You couldn't do that from afar. It required territorially focused over violent armed attack or physical invasion. There was war, I mean that was really the fundamental way over history where states had challenged one another. But now you can erode the sources of national power without resort to territorial aggression, so think about what that means. I would argue that we often talk about adversaries trying to balance US power. Balance, but what we're seeing really more is a leveling of American power. It's not trying to balance it, it's trying to erode it and gradually level it and take away the advantages without provoking a conventional military response because these countries do not want to go to war with the United States. They understand our conventional superiority. So the question becomes, how do you get the strategic gains and minimize those risks? And what they have learned is you do it through information campaigns, cyber enabled information campaigns because the Soviet Union of course has a long history of doing information operations and information warfare, disinformation prior to the cyber age. Election meddling, the theft of intellectual property and PII at scale to exploit our individuals, supply chain disruption. So there's a whole range of ways that we're seeing this. And I think in many ways what these countries have done is they've honed these skills internally in order to impose information control on their domestic populations and then they've turned those techniques and those capabilities outward. And just like any other military transformation that you'll learn about from the industrial age, the conventional war, Blitzkrieg, all of these sort of military transformations. It's really a question of how you experiment and how you apply and how you use them in different countries will do it differently. But nonetheless, the strategic intent is what is critical. So one of the implications of this, I would argue, is that the strategic space below the threshold of armed conflict has become as decisive as the space of war and conflict. So that's a really different way of thinking about how you're gonna alter the power of the international system and how you're going to challenge your adversaries. That strategic space below the threshold of war is strategically consequential in ways that it has never been in the past. And I think we're just awaking to the fact that there are continuous campaigns enabled through cyberspace conducted in through and from cyberspace that are nonviolent and that are having a strategic effect on our power. Adversaries are persistently active. It's continuous, it is not episodic, it is going on all the time. And most significantly, I think, is the fact that the costs that it's imposing are cumulative costs. So any particular individual intrusion or individual hack or any technical action is something that there was a breach of company X or company Y. It doesn't really seem strategically consequential. So we don't really think about responding to it or even preparing in advance. But what happens is that the total cumulative impact of these individually technical actions have had a combined strategic effect and have had the consequence of what in the past required war to achieve. So I think in many ways, and I would advance this hypothesis that these technologies are altering the geopolitical balance of power in a way that we have not seen since the atom bomb. And that's a really significant analogy and it's an analogy I think in many ways that has led to a misapplication of how we think about cyberspace. Because of the tremendous potential that these provide, we have tended to think about cyber with a nuclear lens. And our cyber strategy historically has been informed by the strategic approach that we used to deal with nuclear weapons. And I think we've done that to our detriment. And actually what we're seeing now is really a paradigm shift in the way that the United States and working with our partners are thinking about how we need to operate in cyberspace. So let me move now on to how US policy and strategy is responding to these challenges. And I'm going to sort of start with a critical turning point which was 2010 with the stand up of US cyber command. But clearly that's not the beginning of the cyber age. In fact, the United States really had a tremendous lead in cyberspace going back before there really even was a cyberspace, going back into the 1980s with our ability to think about computers, integrating computers, computer security, our lead in cryptography and cryptology, the advances that the National Security Agency made in the intelligence space, which is really operating in the same space now that other people are operating in. Citizens, now the military, the private sector, we're all operating in this one interconnected space. So with that caveat in mind, that sort of longer, deeper background that would take another whole hour to talk about, I want to focus on what DOD is doing and how, because that's the world that many of you will be spending most of your time in or at least moving back and forth between. One of the things that I like to do is I like to sort of make the argument that to secure, to protect and defend are different things. We tend to use those words the same way. So I think in terms of when I think about securing, I think about that's what individuals do, that's what companies do, that's what we all do independently to try to make our networks and our systems and our platforms more secure and to protect them. Protection is something that is really a mission that was given to the Department of Homeland Security. And that's DHS using its authorities to help protect and respond domestically to challenges that come in and through cyberspace into the nation. What DOD does is to defend. So I want to focus on that defend mission, which is really in the same way as we think about how do we operate in the world to defend against any adversary challenges before they come into the homeland. Okay, so it's really outside of the domestic space. Key milestone, 2010 US Cyber Command is stood up. And that was really the result, the proximate result of a foreign infection of sensitive DOD networks. And it took a tremendous amount of time to be able to mitigate that, to respond to that, to address that. I think it was a real wake up call how in a very, very, in a way that our adversaries could expend very little cost, very little resources, they imposed huge costs upon us in terms of remediation and dealing with that intrusion. So if you go back to 2010 and time, you know, the events move and rapidly change so quickly, the major threats that were coming from cyberspace were cyber espionage and network disruption. So it was espionage, it was intelligence agencies and disrupting those operations. Our adversaries had limited resources, limited expertise. And I would argue that we enjoyed relative superiority. Okay, as, you know, a few years ago, 2010, US Cyber Command was given three missions. The first one was to defend DOD information networks, defend the Dodon, okay. First among equals, primary thing that we needed to do because if you didn't protect your networks and you didn't protect your systems, you weren't gonna be able to fight and go to war. Okay, fundamental, you can't, so it's almost like, you know, operational security. That was, and in fact, Secretary Carter when he came in, he said, Dodon defense number one. Second mission was support to combatant commands. And that reflects the war fighting mission, which is the foundation of the Department of Defense. Okay, phase two plus, even though we don't really talk about phases anymore or joint staff didn't wanna talk about phases anymore, but you understand that it was this notion that the fundamental thing that DOD does, that no other agency does is it goes to war. So we needed to be able to support our regional combatant commanders in their operational plans and their contingency plans and integrate cyber into that. So that was the second mission. The third one was called what evolved into defending the nation. And that has really been the one where we've seen the biggest evolution. And there was a tremendous debate about what was the role of DOD in defending the nation and would that takeaway from DOD's need to prepare for war? Okay, so the defend the nation mission is the one where we've seen, as I said, the greatest change, the greatest intellectual development. And it's from this mission that the concepts of persistent engagement and defend forward, which I'll talk about and you probably will hear about if you're operating in this space have emerged. So 2013 was also a critical point. A strategic inflection point where we began to see that our adversaries, we thought we had superiority. Our adversaries were far more capable. They were operating far more assertively against government networks, against commercial networks, stealing PII and IP at scale, targeting our critical infrastructure. And I think what happened was, if you go back, 2013 was a critical point because it was on the heels of the Arab Spring. And the Arab Spring was really a critical development in the sense that authoritarian nations realized that through the internet, through cyberspace, you could topple their regimes. And they realized how vulnerable they were. So they began to, on the one hand, impose much more information control internally. They began using these technologies to try to control their domestic populations. And what they learned from that, they then began to export outward and use against their adversaries outside. So, and I think in many ways, things that we consider fundamentally and here in our values, free information, freedom of speech, connectivity, these countries viewed as existential threats. So in their view, we are the aggressors. By virtue, even though the US government obviously doesn't control Facebook or doesn't control Google and all of these social media companies, from their view, those are American companies. And in fact, they represent what the American policy and strategy is and they view that as very aggressive. So by 2013, there was tremendous evidence that essentially what we were doing was not working. It was not working particularly for the vast majority of aggression that was occurring below the threshold of armed conflict. And that was increasing in scope, it was increasing in scale, and it was increasing in frequency. Not only was it an issue of quantity, but it's also the types of attacks or the types of, I like to call it really aggression because I think attack is kind of a misnomer, the type of aggression that we were seeing. So initially, as I said, the challenge we faced was espionage and exploitation. Then we began to see a shift to disruptive attacks. And I go back to 2012 and 2013 and the distributed denial of service attacks by the Iranians against financial networks in New York. 2014, we began to see destructive attacks. On the one hand, the Iranians against an American casino and the North Korean attack on Sony Pictures. And what we've seen emerging now is what I would call corrosive attacks against democratic institutions. So you've gone from exploitation to disruption to destruction to corrosion. And people were beginning to see that this was really a crisis for US strategy because we were not prepared to deal with it. At the time, in 2014, Admiral Mike Rogers, who was then the commander of US Cybercom and the director of the National Security Agency, firmly believed, and he's spoken about this publicly, that 2014 was going to be a pivot point. That the North Korean attack on Sony was going to be a turning point because what you had seen was the power of a nation state turned upon a company. How could we possibly expect that company to defend itself? That was the role of the government. And he went on the record saying that he thought it would be a tipping point, but it wasn't. We chose to treat it as a law enforcement issue. And that, I think, crystallized this notion that the US was restraining itself. We were following a strategy of self-restraint and we were allowing these activities to go unchallenged, fearing that if we responded, we'd escalate, but in fact, what was happening was our restraint was escalatory. Our restraint was emboldening our adversaries because they didn't see any pushback. So in essence, what we were doing is we were ceding the initiative in cyberspace to adversaries who were unrestrained. They were active, we were restrained. Why were we doing this? So there's probably a lot of different arguments you could make. I think one of the ones that is part of that answer is that we tended to treat cyber operations in the same way as we treated nuclear weapons. And even though people will deny that, I really do think in a very fundamental way, we thought initially about cyber in the way that we think, or cyber operations, the way we think about nuclear weapons, that every single use was gonna be strategically consequential. If we responded back, that was going to lead to war. So that was carried over from the nuclear framework. We tended to view it as high risk and we tended to view it as escalatory, that if we do this, we're going to escalate to conventional conflict. So not surprisingly, with that logic in mind, what did we do? We applied the same strategic framework to cyber as we did to nuclear weapons. And that was the strategy of deterrence. So if you go back and if you read the doctrine, I mean, it was so interesting, as opposed to saying, how should we address cyberspace operations? We asked ourselves, how do we deter cyber? Deterrence was an answer to the nuclear problem. So we were pre-defining the answer without ever having examined the strategic concept. We assumed that we could deter and we should deter, just like we had been doing. I mean, deterrence worked really well during the Cold War and in the nuclear space and even conventional deterrence. And so the presumption was that it made sense in cyberspace. And if you go back to the late Bush administration and into the Obama years, if you look at the 2011 international strategy for cyberspace and the 2015 DoD cyber strategy, they are all grounded in this framework of deterrence. And in fact, the DoD cyber strategy is explicit. It says that we are committed to a doctrine of restraint. It is US policy to take the least action necessary to mitigate threats and to prioritize network defense and law enforcement is the preferred courses of action. Okay, so essentially what we've done is we've taken DoD off the table, right? Many kind of people thought it's like, here's our very capable forces, but there really is no role for DoD. This is law enforcement, this is homeland security, this is protect, this is resilience. And that was the approach for all of these assumptions that we had that cyber equated to nuclear. In 2016, people were getting really frustrated. In fact, Congress was, it was palpable, the frustration that they had with our policy in cyberspace. But at the time, there was no alternative to deterrence. There really wasn't an alternative theory and alternative framework. And so what did Congress do? It called for more cyber deterrence. If you go back and if you look at testimony, it's just pervasive throughout. And probably the biggest advocate of this was Senate Armed Services Committee Chairman at the time, John McCain. And he pushed relentlessly for a cyber deterrence strategy. He criticized both the Obama and Trump administrations for not doing this. Tremendous frustration that we were treating each cyber attack as an ad hoc basis, incident to incident, we had no strategic approach. Our adversaries were emboldened and that they, as he said in testimony, they had seized the initiative and we had no serious strategy or policy. So let me be a little bit more precise in terms of how I think about these strategic concepts. It's not so much that deterrence was not working at all. It was that it was not stopping the burgeoning number of attacks below the threshold of armed conflict. And that these were the ones that I've argued that cumulatively were having a strategic impact. They were eroding our national sources of power, our military capability, our political cohesion, our economic prosperity. So I would argue that if you look, however, at what I would call cyber armed attack equivalence or cyber attacks that might lead to the type of destruction that one could also get kinetically that arguably we hadn't seen much of those. So perhaps we, in fact, were deterring those. People had originally talked about a cyber Pearl Harbor. SecDeath Panetta spoke about we have to fear a cyber Pearl Harbor. But we haven't seen a cyber Pearl Harbor. So arguably states are sort of abiding by the laws of self-defense that are codified in the UN Charter that treats these types of activities as equivalent to acts of war and that legitimate the right of self-defense. We had not seen that. So I would make the argument, and you have to sort of be careful how you make it because you never really know if you're deterring something, right? I mean deterrence is like a non-event. So if you're never really quite sure what the cause is of a non-event, but I think there's a case to be made that we were deterring the types of attacks that cause death and destruction. But we weren't deterring those that occurred below that threshold. And I would argue adversaries were intentionally operating below that threshold because they were not going to breach what would be considered an act of war. So this was part of their strategic intent about how they're going to erode our power without going to war. So at this time around 2016, operational commanders were very much aware that what we weren't doing, what we were doing was not working. And in part I think that was because much of this information is classified. So they were able to see on a day to day basis what was happening to our networks. And they were also very much aware that if we continue to be in this mode of restraint and response after the fact, often we never would get around to responding. I mean, if you think about, you know, Sony, it took about five years to get indictments. Okay, so I mean, how is that even a timely response? But also what it meant was that we had to absorb the attacks and then do cleanup on aisle nine. Okay, we were willingly saying, we're not going to do anything unless we're attacked. So we're going to absorb that attack. And this was something, once again, I keep going back to this notion of seeding the initiative, which operational commanders were extremely frustrated. Pile that on top of the fact that US Cyber Command by 2016 had stood up Joint Task Force Aries. JTF Aries was involved in the counter ISIS fight in support of plans, operational plans being conducted by US SOCOM and US CENTCOM. So Cyber Command was learning, they were learning by operating, they were learning by doing in the counter ISIS fight and they were prepared to think about how do those lessons apply to defending the nation in cyberspace. So by 2017, an alternative strategy had emerged. And the strategy I would call it cyber persistence. And the notion of cyber persistence underpinned US Cyber Command's vision of how we need to operate in cyberspace. And these ideas were socialized within OSD and DOD more broadly, within, across the joint staff and with partners. So this was really a critical, I think kind of a paradigm shift based on frustration that what we were doing wasn't working coupled with experience that operational commanders were gaining in the field. So in a nutshell, the theory of cyber persistence, its premise is that strategic frameworks must align to the realities of the strategic environment. You can't impose a strategy on a strategic environment. You must derive the strategy from it. We could not impose deterrence, which was an answer to the nuclear problem onto the cyber strategic environment. We had to say, what are the fundamental, what is the fundamental nature of the cyber strategic environment? And then derive our strategy from that. So the theory, and I think some of the readings I recommended talk about that, was that cyberspace has a couple of unique characteristics. Interconnectedness, we're inherently interconnected and constant contact. You're constantly in contact on the networks bumping into friends, adversaries, your grandmother, companies, government, industry, academia, we're all operating in this same space. And this combination of interconnectedness and constant contact led to an imperative for persistent action. It made persistent action possible and it made persistent action necessary, because we're inherently always interacting with each other. I mean, it's just in the nature of the space. And so when we don't interact, that gives free ring to those who choose to leverage the unique characteristics of cyberspace. And this was a strategic mismatch with deterrence. Because when you think about deterrence, deterrence is based on operational restraint. Restraint, not action, but threatening to act, okay? And the threat of force, not the use of force. The cyberspace domain, I would argue, calls for the use of capabilities, the use of cyber capabilities in persistent operations to generate continuous advantage tactically, operationally and strategically so that we can deliver effects in and through cyberspace at the time and place of our choosing, okay? So it was a different notion of thinking about this is an active space and we need to be active in this space. This is not an episodic space where we have, like in the sense of in the physical space where you'll have conflict and war or you won't have it, right? This was sort of almost like an insurgency, continuous operations. So while the idea of deterrence may have made sense in the context of armed attack equivalents, right? Those cyber for harbors, those major attacks on critical infrastructure, you had to complement it with persistent activity below the threshold of armed conflict. And that's what cyber command called persistent engagement. And it made the argument that there were really two strategic spaces, the strategic space of conflict and the strategic space of competition. And that competition and what was occurring there was as strategically consequential as the space of armed conflict. And in fact, that was where our adversaries were choosing to operate in cyberspace. So if I was to summarize this, it's not the fact that deterrence is not relevant at all, but deterrence of these high level attacks had to be coupled in tandem with these steady sustained activities over time to frustrate and to counter what our adversaries were doing. So this is a warfighter symposium. So what I wanna do is drill down a little more into the warfighter perspective to give you a sense of how the cyber warfighters think about this space and how they're supporting our other warfighters in the interface between conventional and cyber. So there's a lot of confusion over the different terms and the different meanings of persistent engagement, of the notion of defend forward, the DOD cyber strategy talks about defend forward. US Cyber Command argues that the strategy of defend forward is executed through the operational approach of persistent engagement. And that's what General Nakasone, the commander talks about. And that this is the approach that supports both competition and warfighting. Because if you're operating in the space, you're gaining initiative that you can leverage in the warfight. And if you're operating continuously in the space, that's critical for making sure that your forces are ready and the readiness will enable you in a conflict to be able to operate. So persistent engagement is about the competition space and the warfighting space. It's defined as the continuous execution of the full spectrum of cyberspace operations to achieve and maintain cyberspace superiority, to build resilience at home, to defend forward and to contest adversary campaigns and objectives. And each one of those words was, you know, like you guys are military people doctrine very specifically chosen. One of the ones I want to point out is the notion of superiority. Carefully chosen military doctrinal concept. It was not dominance because the recognition was you couldn't dominate this space. You could only achieve superiority at a particular time and at a particular place in order to be able to operate and to deny the ability to operate to your adversary. So in many ways, I think you can think about superiority in terms of initiative. Okay, we realized that this was gonna be a constantly shifting space and we had to be operating in order, we had to be active in order to gain the initiative. So one of the articles that I recommended you read was the Joint Forces Quarterly article about General Nakasone and it's a really interesting, I think, analysis of the pivot from what he calls a response force to a persistence force. US Cyber Command initially focused on, as I said, defending DOD networks. That was the most important thing that we were tasked to do. Executing counter-terrorism operations, planning to support the conventional force in a crisis and maintaining the capacity to respond and being prepared to respond should there be a significant attack against critical infrastructure. Okay, so that was essentially what the command was doing. What we realized was that the response force concept really was about holding our forces in reserve or responding to attacks after the fact and it was totally inadequate for dealing with this ongoing low-level operations against our society, our military and our economy that were cumulatively leading to the erosion of our power. No one of those particular actions was really enough to get us to respond and so we weren't responding at all. And in fact, I would argue it committed the ultimate, one of the ultimate mistakes of military operations and that's to hold your forces in reserve past the point of strategic decision. So essentially, forces were sitting on the sidelines and were not doing anything. So persisting engagement acknowledges that we will not degrade our adversaries in a single strike. The notion of persistence is that that is not going to occur in one single strike or one single episode and it also recognizes that the adversary will not retreat after the first action. We must be persistent. The emphasis on engagement was we must do it now. We must do it today. And coming up with the strategic rationale and understanding the concept was a huge lift. What we are now is finally getting more of the authorities and changes in policy to be able to actually execute that. Because once you have the ability to think about how you wanna operate, the question is, do your authorities permit you to operate in that way? And this was a very different approach for thinking about cyberspace than what had occurred before. Persistent engagement, the way the commander of cyber command talks about it is enabling and acting. So a huge part of what our cyber forces do is they enable. They enable the interagency, they enable our international partners, they enable the private sector by sharing threat indicators, by sharing warning insights, and by sharing personnel in some cases. So there's a huge enabling piece of this and that's because no one entity has all the authorities and all the capabilities and most critically all the insight, okay? Because we can't see all of you know from a DOD perspective, you cannot see into private sector networks. And 85% of the critical infrastructure in our country is owned by the private sector. Okay, so we don't really have insight into that. So a big part of this was enabling those that did have insight in their networks to protect them. So through enhanced warning, what would that give us? If we have better understanding because we're operating of what the adversary intends, what their capabilities are, what their TTPs are, we can better defend our networks, okay? We can develop those mitigations and we can disseminate that threat information. And if we can get anticipatory about it, we can take away the vulnerabilities that our adversaries might want to exploit. Okay, we know what they're planning, we know kind of what their TTPs are, let's take away those vulnerabilities that they want to exploit beforehand. We can change the terrain of our networks, okay? We can inoculate our systems and very important for the white warfighter, we can more effectively test the vulnerabilities of our weapons systems. We can do that beforehand. So this notion of enhanced warning and insight and sharing these threat indicators was critical. The second part is not just enabling but acting. Acting when authorized to perform a range of defensive and offensive missions. So the defend forward is really, I think, captures the defensive mission. What does it mean in sort of its most, its kind of pure sense? It basically means operating off the, operating outside of DOD networks, okay? That's it, you know, in kind of a nutshell. It means that prior to this point, DOD was only allowed to operate on DOD networks. Now what it said is that DOD can operate outside of DOD networks. So think about it this way. The US Navy does not protect the nation by remaining important. The US Air Force does not defend the nation by remaining on the ground. They patrol the seas, they patrol the skies, they are out there, our adversaries have to be aware, they have to expend resources in monitoring what we're doing and then trying to, protect and defend themselves. They know we're there, we're communicating. Why should our cyber forces remain in their virtual garrisons? When our naval forces and our air forces don't remain in their garrisons. So from a defense point, I mean, it makes perfect sense, but it was a tremendous shift in thinking. So defending forward as the command of signs defines it is to operate as close as practical to the source of military activity, to the source. The DOD argues it's about operating at the source. That implies that you're gonna be in the adversaries networks. You don't necessarily have to be there. Okay, we can operate with partners in consensual relationships. One of the big advances that the command has made and has honed this in the 2018 elections and the command has spoken about it publicly is hunting on friendly networks. So identifying through intelligence where we think the adversary is operating, identifying partners, requesting the ability and working with them voluntarily to hunt on their networks. And what happens is if those networks in many of those countries are less secure, the adversary is not using its most exquisite tradecraft. And one of the things that you sort of learned by operating, one of the things that the command did was when they discovered malware from the GRU, so the Russian Intelligence Agency, they uploaded it onto Virus Central, onto a public website and allowed all of the virus companies to be able to identify it, to attribute it, and to develop mitigations. And then in that respect, to make everybody more secure. So this notion of hunting forward, the idea of exposing and blunting the adversary's capabilities before they reach US networks. Now, let me make one caveat there. This is not the same as preemption, okay? So you will hear people talk about that defending forward is preemption. And that is an incorrect way to think about it because preemption is a concept that deals with war. It's a legal self-defense action that is taken to prevent imminent war. That is what preemption is. Persistent engagement is about competition short of war, okay? So it's worth kind of thinking that through that it's not about preemption, it's about competing. So in addition to these defensive operations, acting can also involve more offensive operations, contesting, blocking, countering, frustrating the adversary, causing doubt in the adversary's capabilities, injecting friction into their planning, into their organizations, into their operations, and causing them to divert their resources to defending themselves as opposed to attacking others. So this is really kind of the concept of how and the notion of injecting friction, defending forward, this is the way the cyber forces, the operational war fighters are thinking about how they need to engage in this space and work as well with other parts of DOD. These ideas have permeated DOD guidance, so the 2018 DOD cyber strategy says we will defend forward. It puts compete on parallel with deter. I mean, that's a huge thing that competition in cyberspace, it's not just about deterring, and it says we must persistently contest malicious activity. Similarly, the 2019 National Defense Authorization Act established a cyberspace solarium commission, and this is just in progress now. We'll see essentially how it evolves, but the idea is to look at competing strategic approaches to cyberspace, much in the way that the Eisenhower administration looked at competing approaches for how to deal with the Soviet threat in the 1950s, and so persistent engagement is one of those strategic approaches. So that's kind of a recognition that we need to think about these concepts and that they are beginning to permeate and to actually transform the thinking and the action. So I think that, let me just, before I kind of move on to sort of challenges and opportunities and then open it up to questions, sensitize you to the fact that the lexicon is evolving. And if you're mindful of the lexicon, you can see that it's a really good indicator of people's thinking about cyberspace. So we're talking about from a persistence perspective, campaigns, and not all cyberspace activity is campaigns, but we need to be mindful of the fact that our great power adversaries are engaged in campaigns. It's not just an incident or an intrusion or a hack. We need to look at the totality of what they're doing. It's about interaction, not escalation. Escalation is the sense we're going to escalate to war. Much of this competition, we are operating back and forth and interacting, but interaction does not have to lead to escalation. Seizing targets of opportunity rather than holding targets at risk. Holding targets at risk means that in the nuclear mindset where we could know that we could hold a city at risk because we could drop a nuclear bomb on that city, right? And that could deter the adversary. And that nuclear bomb was incontestable. We could not defend against it. In cyberspace, you can't hold targets at risk because if the adversary updates their operating system, if a server room floods, a whole variety of reasons, and access can be fleeting. So it's really about seizing targets of opportunity rather than holding targets at risk. It's about initiative rather than restraint or response. Our activity has to be continuous, not episodic, and the costs are cumulative, okay? They're not case by case. And then finally, I think it's really the notion that competition is as strategically consequential as war and territorial aggression. So that is really a pivot in how I'm gonna leave you with those ideas that kind of where we are at this point in time, where DOD is in thinking about cyberspace. Let me just tick off a few challenges and then a few potential remedies and challenges for you. First thing I wanna do is just to make sure that we're not sort of making our adversaries 10 feet tall or 20 feet tall. That in many cases, these are brutal authoritarian regimes. They must expend tremendous resources on internal political control, okay? And that is a huge drain on their resources. As much as the Chinese spend, for example, on their military forces and their intelligence, they spend far more on domestic political control of their population. That's a huge drain. So we shouldn't underestimate that. At the same time, we face challenges as a country too. The first thing is I think we're inclined toward what I call segmentation. Okay, here we are in this interconnected space. We divide the authorities between DOD, GHS, FBI. Each has their piece of the pie. Any of you who've ever tried to integrate across different agencies know that that's not seamless and easy. And so we tend to be disjointed in our responses. It takes us longer to integrate, gives the adversary time to exploit. So that's one of the challenges. Our authorities, our bureaucracies are segmented. Our adversaries can move much more seamlessly across their government spaces. Private ownership is another aspect that we have a bright line between public and private ownership. Adversaries don't do that. They employ private hackers, cyber militias, criminal elements. They, in many cases, own the private companies or their government-run companies. It's interesting because we have companies that think about the social media companies and the IT companies. They are not necessarily aligned to what the United States government wants to do because they have their own private sector incentives. But they are strategically consequential. So for the first time, you've got strategically consequential actors that really are non-security actors. And this is a real challenge for the US coming forward with integrated approaches to these integrated campaigns our adversaries are launching. We observe boundaries between public and private and foreign and domestic. Those make sense because that's foundational to our constitution. We have to recognize that those are somewhat artificial and our adversaries don't have those same constraints. We also tend to have an intellectual mindset that views peace and war as a binary construct. Peace is normal, war is the aberration. Our adversaries view this as a seamless struggle across that whole continuum. And this hampers our ability to act. And finally, I'd say that we have extensive constraints on the collection and use of data, which we should because of the nature of our constitution and the nature of our democracy. But that puts us at a tremendous disadvantage in the 21st century. Because I would argue that if you look back to the strategic resources that states have had to control in order to increase their power and their influence, you know, the productive resources, whether it's people, land, industry, the navies which were able to give us access to more resources. Legitimacy was a strategic resource in terms of getting the population behind the state so that it could go to war if it needed to and have the support of the nation. I would argue that access to data is a new strategic resource for the 21st century and the ability to acquire data and to exploit it legitimately. And the bottom line is that, you know, if you think about the two entities that are acquiring the most data and have the ability to exploit it, I'd argue one of them is probably China and the second one is probably Google DeepMind, right? So that's a really interesting space to be because, you know, the US government does not have the ability to, despite what people might think, the authorities, the constraints, the oversight are so tremendous that there's no way they can assemble the type of data that you need to hone your algorithms for AI. So data is gonna be a strategic resource, okay? And we're not really postured effectively to think about that. Let me conclude by suggesting some remedies. And I sort of took apart all these challenges and problems we face. I think that, you know, with focused attention and most fundamentally with an understanding of the strategic environment, we can prevail. The first thing that we need is operational partnerships, partnerships that span all levels of government and with the private sector, operating together, side by side, understanding the space collectively. We often talk about partnerships, but not operational ones, where we're sharing capabilities, TTPs, sharing accesses that we can become much more agile and protecting and increasing the resilience of our systems and enabling DoD to defend outside US networks. Speed and agility, okay? I mean, we're not very fast, we're not very agile. We're not gonna speed up our existing processes. We have to think innovatively about how to increase speed and agility. And of course, talent. Anyone who talks about this space will tell you that there's a tremendous competition for talent in this space. One of the really untapped things that we have to deal with is we have to basically have the ability to move people across the public and private sector much more seamlessly, okay? When somebody leaves, if you're out in Silicon Valley and if you're working for Facebook and if you leave Facebook and you go to Google, you've left that company, but you have not left the Silicon Valley ecosystem. We need to think about sort of the ecosystem much more broadly so that if somebody is working at the National Security Agency or US Cyber Command and they go out to the Valley, they're still part of that ecosystem, okay? And that they need to be able to move back into government, taking what they've learned from the private sector and at the same time taking the insights and understanding about what government needs and sharing that with the private sector. And we're not very good at this public-private movement. For you, as current and future leaders, I would argue you need to have an operational mindset when it comes to cyber. First of all, cyber has to be integrated in planning upfront. It cannot be an afterthought. So we talk about the economy today. We don't talk about the digital economy. It's just the economy. It is pervasive. It is integrated. So it's not about talking about cyber war. I wouldn't have put cyber war up there. It's war. It's war. It's conflict, okay? That is just what it is. And cyber is integrated fundamentally in that and we need to be thinking about it when you're doing your planning and your operations. It shouldn't be like Iran, X, Y, whatever. I mean, it should be integrated in the planning upfront. You need to understand what is unique about cyber. So the terrain is malleable. It's continuously constructed. Sovereignty is ambiguous. So there are not the same unambiguous thresholds in the cyberspace as you have in physical space in terms of borders, for example, that are internationally agreed upon. Everybody agrees that this is a border. The whole notion of sovereignty is very contested in cyberspace. Attribution is more difficult, although we're getting much better at that. But you should also know what is not different about cyber. So just like in the physical domains, in cyberspace, we do reconnaissance. We do operational preparation of the environment. We target, we maneuver. It's a battle space and we have to fight the networks. So all of those same concepts apply in cyberspace. And what that means for you as leaders is that you must pivot from an IT mindset to an operational mindset. Your networks are not something that you can lead to the IT professionals. You need to understand your networks. You don't need to be a technical expert, but you need to know enough to ask the right questions. As my former boss, Admiral Rogers, would always say cyberspace is commander's business. And as commanders, all of you have an obligation to understand it, to have knowledge about it, to ask the right questions about it, and to be part of securing it. You cannot leave it to the techie guys and gals and the nerds. You take care of that. No, you must really, you must own this. And you also must be able to do something that our Cold War predecessors did, but we're not so good at today. And that's essentially fight in a degraded information environment. We have become so used to having access to information that we forgot what it means to act, to operate in a degraded information environment. And moreover, in one where what the information you're receiving can be manipulated by the adversary. So all of those things have to really change the way that you think. And I think more broadly as a nation, we have to get our understanding of the strategic environment right. So I would make the argument, and you'll learn plenty about this in S&P, in your classes, is that in 1914, the great powers misunderstood their strategic environment. And that led to catastrophe. So we need to understand this strategic environment. And we can't import things that worked for other environments into it. So essentially when the nuclear era came, our leaders did not import the successful strategic approaches to victory in World War II into the nuclear era. Similarly, we cannot import what we did in the Cold War necessarily into the cyber era. We must understand our strategic environment. And we must ask ourselves, and I think Dr. Demchuk will probably talk about this, are we in this to win or are we in this to merely survive? Okay, because this is an ideological conflict between countries that want information control to challenge our information freedom. That's really the essence of what we're facing. And I would argue that requires a level of consensus and a whole of society effort that we haven't seen since the Cold War, but we're certainly going to need going forward.