 Hello and welcome to DMA Center Stage. I'm your host, Hal Pittman. Our guest today is Ms. Mika O'Yang, the Deputy Assistant Secretary of Defense for DOD Cyber Policy. Besides leading DOD's cyberspace policy and strategy, she works to provide guidance and oversight for DOD's cyberspace activities as well as managing DOD's cyber relationships. Prior to joining the DOD in her current role, she worked for the think tank third way as senior vice president for their national security program. And before that, worked in multiple staff roles in Congress, including as the subcommittee staff director for intelligence community management on the House Permanent Select Committee on Intelligence. Welcome, Mika. Thank you for joining us today on Center Stage. We've got a meaty topic to get into today, and that's cybersecurity policy. Thanks for being here. Thanks so much for having me. OK, so first off, you're a lawyer by trade. How did you get into cybersecurity? So my background was really in Congress and national security. As you noted, I had served in a bunch of different roles and committees. And so in one of those roles in the intelligence committee, we experienced in the US government a major cyber breach. Some folks might recall that, known as Buckshot Yankee. And I was responsible for handling the committee's response to that. So that was one of the first major breaches for the country, and it was one of my first experiences dealing with cybersecurity and have been involved with it ever since, but really focused on it when I was at third way. And as we were thinking about national security and what needed to be addressed for the nation, after all these years of focusing on counterterrorism, we realized the other way that malicious actors outside the United States could do harm to the average American was through cyber. And most people experience cyber as cyber crime. And so we spent a lot of time trying to unpack that and trying to figure out what can the government do to try and limit the harm to Americans that comes through the cyber domain. Yeah, so not a day goes by when you don't read of some kind of cyber intrusion in the news. To the point that you noted, it may be cyber crime where companies are held hostage, held for ransom. It may be some kind of malware or attack. And of course, we hear all of the discussion about our peer competitors, China, Russia, Iran, who might tend to do us harm in the cyber field. Talk to us a little bit about DoD's role in the cyber world. Where are we? And are we doing enough right now? Yeah, that's a really big question. Hal, just we do a lot in the department. It's a lot to unpack, as they say. So let me just start with the threat environment. As you say, we've got a lot of adversaries out there who try to push their goals through the cyber domain. And some of them are trying to make money and steal things from Americans. Sometimes they're trying to steal intellectual property from Americans. Sometimes they're trying to commit espionage. But what we've seen recently is the real possibility that people can disrupt life through the cyber domain. And we've always worried about that from the department, from the perspective of how could an adversary use that capability in a wartime context. So we've really been focused on that for the department. When you think about the department's missions in cyberspace, there are really three. One is protect and defend the doden. How do we protect our systems that we own? How do we prepare to fight and win the nation's wars? How do we bring cyber aspects to that fight? How do we protect against adversaries' attempts to use cyber against our forces? And the third is defend the nation. And that's the one that's been sort of least understood. But what's happened since 2018, the department has made clear that we can use our cyber capabilities to protect the nation. And that means, how can we think about using those capabilities to disrupt adversaries before they hit our shores? And we do some of that through hunt forward missions where we go out and we have partners who let us onto their networks to look for threat. And there are other ways that we can try and disrupt the adversary. And we can also look for the clues that they're about to attack us to try and be able to disrupt them. So there's a lot that we do there. So it's a very complex mission. It is. A lot of people involved with it across the department and across the rest of government. Are we ready for the threat? So we, as the United States, are probably more ready for this threat than most other countries. But you could never say we're completely ready. This is a domain that's very hard to see what the adversary is doing. There's a lot of obfuscation and hiding their hand. There are a lot of different ways that the adversary can come at us. Technology is very complex. We can't shut down every avenue. So there is a real risk of surprise. But as a nation, or as a department, we are more focused on this than I think many others. The challenge really is how do we react if the event occurs? And this is where resilience comes in. If we act like we're taken by surprise, if we're not prepared for it, if we haven't thought through in advance what could happen, then we're not prepared to be resilient. And our panic can make the situation worse. So it's really important that we develop a resilience mindset and plan in advance for the kinds of disruptions that we know could happen. So talking about the kinds of disruptions, one of the things that we've seen reported in the news, rumors around cyber engagement in the current Russia-Ukraine situation, right? What does that say about the future of this space and what should we expect to see? Yeah, this is actually a really important conflict for us to understand as a department because it's the first time we're really seeing a cyber-capable adversary bring those capabilities to bear in the context of a conventional fight. And so there is a lot here that we need to learn and unpack. And part of the challenge for us as a department is some of the information that we need to understand is not in the government's hands. It's with the Ukrainians and what TTPs they have had that have been most effective. It's with the private sector and what they have done to defend Ukraine's infrastructure because it's not just against their military systems, it's against all their systems. And then as with anything, some of that information that we need is in the hands of the adversary. What was their planning? What were their challenges? But we really need to unpack this challenge. But one of the things that is clear in this is that cyber, as we thought about it before this conflict, is not exactly what it is. I think many people thought that cyber and a conflict was going to be like the end of the movie Fight Club where all the lights go out across the country. That's not exactly what's happening here. It's something different. But that's not to say that it's not just as consequential. We just need to understand it better. So you mentioned how industry has a role. Are we working close enough with industry and the department to address this challenge? We can always do better. This is one of the challenges we have. The adversary knows for the department that our authorities are limited to outside the United States. When it comes to inside the United States, that's a blind spot for us. So we really need the help of the private sector to help us understand what that threat is. And we work very closely with our colleagues at FBI and DHS who do have authorities and responsibilities inside the United States to try and understand that. But this is a place where we really need the private sector's help. And our colleagues at NSA, our colleagues at SZA, they are working very hard at this every day. So let's talk about China a little bit. Absolutely. If you watch television news, you read the newspapers, you understand that China has a significant cyber force, cyber capability. We have to assume that it's aimed at, you know, China's peer competitors around the world, which would probably include us. So should we be doing, should we be putting the same sorts of resources from a government perspective into our cyber efforts and trying to control the battle space, if you will? So this is a real challenge with China because they have a population overmatch on us so that we will never, I think, be really able to go force on force. But we have many other tools at our disposal across the US government to help us leverage, to even out this battle. And this is really what Integrated Deterrence is about. It's about bringing all tools together. But one of the challenges we see with China, it's not just the capability of their cyber forces, it's their ability through the technology they export to shape the global technology ecosystem that tilts the playing field in their favor with all the kinds of surveillance mechanisms and things like that that are inherent in their technology. That makes them an order of magnitude different threat than Russia, even if their cyber capabilities are the same, Russia will never shape the global technology ecosystem the same way that China does. So how do we stay ahead of that? So this is a whole of government effort where we have to work with our colleagues and other agencies to try and ensure that the rules are fair, that we hold China accountable for the kinds of technologies that they are trying to proliferate, that we convince our allies and partners not to go down that road for technology that we know is not going to be secure for them. And we have to work, we work on this a lot. This is one of the Secretary's real priorities is how do we improve the cybersecurity of our partners and allies? Cause it's not just about us, the United States, it's about the people that we are going to fight with and trying to keep the Chinese out of their networks too. Right. What is the Chinese intent and the dominance that we see? What does that have to, what future can we look to with regards to the internet and the average person's use of the internet? Yeah, this is a really big philosophical difference between the United States and China. China has a very authoritarian approach to its own population, pervasive surveillance, cameras everywhere, control of the message and what they can see, hear, say. We in the United States believe in freedom. We believe in people's ability to hold their governments accountable, to say what they wanna say, in the people's right to get the information they need for their lives to be able to communicate with the rest of the world freely. China's outward expression of that internal repression is the thing that poses a threat to our vision of freedom and an open internet. And that is one of the things that American and Western internet technologies carry with them, that access to information, that ability to connect without government interference. This is what we're really fighting for when we think about the coming challenge between the United States and China going forward. So what does that future digital environment look like? This is a real question. This is the contest for the rest of the world. We hope that it is one that carries with it the values that we have, that fosters innovation, that allows people access to information, that improves people's ability to hold their governments accountable and to express themselves and be creative. We do not want a future that involves censorship mechanisms, that involves tracking of people wherever they go that allows people to undermine independent journalism. That is the competing vision that we are talking about for the internet. It's a very challenging time, obviously. It is. What about the confluence between cyber and information operations? Can you talk a little bit about that and give us your thoughts on that and where are we going policy-wise with regards to that? Yeah, so this is, you know, one of the things that's complicated about cyber is that if you think about the technology stack, you have the information that flows across the domain, the content that you and I see and read and react to. You have what we think of as a logical layer, the programs that can be manipulated and can be exploited and information can be taken from. And then you have the transport layer, the networks themselves, the Wi-Fi, the fiber optic. And as we think about the ways in which the adversary can disrupt us, they could disrupt us across any part of that layer. So what we worry about is someone coming through the cyber domain, we saw this in certain areas, coming through the cyber domain to take or shape or release information to undermine people's confidence in their government, to try and put false information out there. The linkage between cyber and information ops is very clear, but then we also worry about the potential for disruption in that transportation layer. And we're seeing that in the Russia-Ukraine context. We saw that with Russia trying to use the cyber layer to disrupt the transport layer when we think about the viasat disruption, right? How do we think about the ways in which they're trying to cut off access to communication, which is ultimately about cutting off that communications and information layer. So these things all depend on each other. We think of them as a stack, but they're very much interdependent. And the disinformation and misinformation that we see that's rampant today, not just in among warring societies, but even in our own country in this time of peace. What does the future have in store for us as a country, as we consider the cyber ramifications and this idea that information shapes perception and challenges what we believe is reality. Yeah, so I try not to be in the prediction business, having spent some time around the intelligence community. You've got to make sure you're clear about the difference between analysis and prediction. So I don't want to speculate too much on what the future holds, but we do see that adversaries think that there's tremendous advantage in shaping the information environment to their own advantage, right? We saw the Russians try to do that, to shape the information space, to try and blame Ukraine for Russia's blatant attack and unjust invasion of their country. They were not successful at doing that, but you could see other countries thinking I need to shape the information space too. The challenge for us as Americans is that if you think about misinformation sort of in three categories, there's the information itself, there's the delivery mechanism, and then there's the fertile ground in which it lands. The fertile ground is our minds and our understanding of information. And there's more that we all can do as Americans to try and understand better the risks of misinformation and be able to parse sources and understand what is true and when people are trying to manipulate us. We can do a better job on that while we as the government think about how do we disrupt those delivery mechanisms that adversaries are trying to use to go against us? And if that happens, then the information can't really trend and take off, then perhaps the information itself isn't as dangerous. Yeah, great. Thank you so much. You've been watching DMA Center Stage and our guest today has been Mika Oyang, the Deputy Assistant Secretary of Defense for Cyber Policy. Mika, thank you so much for being with us today on Center Stage, sharing your insights. I'm your host, Hal Pittman. It's been my pleasure to bring you this episode of Center Stage where we introduce some of the most interesting guests and topics in national security, public policy and business. See you next time.