So one December day, in the middle of a global pandemic, the world learned about a fairly sophisticated intrusion into an enterprise management software system known as SolarWinds. And when we discovered that, the media environment and the cybersecurity community, national security community went into overdrive talking about this intrusion. One senator called this equivalent to an armed attack. One commenter summarizing all of this said that this incident hit every single one of our nightmare scenarios. That commenter was me, commenting from my lockdown living room in the middle of the pandemic.
I'm Mieke Eoyang. I used to be a think tanker where I did a lot of work writing about cybercrime and cybersecurity. And after this, with all of this hype, a few weeks later, I came into government as the deputy assistant secretary of defense for cyber policy. I am the senior civilian policy official in the Department of Defense. You might have heard of us. And I had to deal with this incident, how the government was going to respond to it, and then subsequent attacks like the Hafnium intrusion in Microsoft systems, and Colonial Pipeline.
And one of the things that I had to wrestle with was the consequences of that rhetoric that we had talked about in the national security community to describe cyber incidents. And one of the challenges that I discovered is that a lot of the mental models that we use to describe cyber incidents don't actually map to our lived experience in the cyber domain. And so, you know, we really start wondering, like, why are we so off? Why are the ways in which we talk about these things so different from the reality that we experience? And frankly, that rhetorical difference inhibits a useful policy conversation about how we respond, how serious and big these things are. And one of the things I realized is that national security people tend to talk about these things in the frames that they understand. And so, you know, I did that too.
I had been a professional staff member on the House Intelligence Committee. I had responded to the Buckshot Yankee, Operation Buckshot Yankee, which some of you may remember from 2008. I thought I understood cyber and the ways in which we as a national security community talked about it. But as I said, the ways in which we've talked about it have not actually been that helpful. And there's a huge difference between cyber war and then cyber in war. So I want to talk to you guys today a little bit about where those mental models came from, how that differs from our experience and how we see that, and then what that means for us going forward.
So let me start at the beginning. Some of you may be familiar with this screen grab. For those of you who are not, ask your parents about the movie WarGames. WarGames was a movie where a young and chapped hacker, for those of you who were too young to remember this, breaks into the Department of Defense's nuclear command and control systems and demonstrates that the world could be destroyed through mutually assured destruction. This movie is really sort of the start of not only cybersecurity, but a number of other things for the Department of Defense, including when President Reagan saw a recognition that we had to engage in arms control negotiations with the then Soviet Union, but also his recognition that, hey, some of our sensitive DOD systems might be vulnerable to hacking.
And so when the Department of Defense stood up its first Cyber Command, we stood it up as subordinate to U.S. Strategic Command. And that subordination meant that the ways in which Strategic Command thought about the management of nuclear weapons, which was their main mission, infected a lot of the ways in which we thought about the cyber domain.
So concepts like mutually assured destruction, some of these concepts about mutual hold at risk, the idea that you could do something to the adversary the same way that he would do it to you, really guided a lot of the thinking around how the Department approached cyber. And I know that term is, like, fraught. But it really shaped a lot of the ways in which we thought about it.
And so as time went on, we still tended to view the cyber impacts at the high end of the national security threats that we experienced. You heard language and DOD officials talking about a cyber 9/11 or a cyber Pearl Harbor thinking that it was going to be this kind of big attack that would change society and leave everybody in darkness. And so we thought about it in those terms. But we thought it was going to be like the end of Mr. Robot season one, like everything goes dark and there's chaos.
And then also for the Department of Defense, as we thought about that activity, we thought about it in terms of war, which meant that we were thinking about it just in terms of like what crossed the threshold for the Department of Defense as an armed attack? What would be the trigger in cyber that would bring the rest of our capabilities to bear? And in doing that, we didn't really think as carefully about a whole range of activity that was happening every day in the internet domain, espionage, criminal activity, hacktivism. There were all kinds of things happening that were not rising to the level of the Department of Defense. And everyone was like, when is the Department of Defense getting in the game? But our experience in cyber war and the people who were working on thinking these things through sort of a hypothetical. The hypothetical didn't match the reality of what we have subsequently learned.
So if you think about 2017 and the cyber attacks against Ukraine by Russia that were significant disruptions to their electric grid, there were significant disruptions to their critical infrastructure, and people said, this is cyber war. This is the kind of attack that we are expecting in the cyber domain. What we learned in 2022 is that cyber attacks are actually not the same, like cyber war is not the same as cyber in war. And the cyber attacks against Ukraine's critical infrastructure were not nearly as devastating or impactful as the kinetic attacks that Russia launched against Ukraine in their attempt to take the entire country. Kinetic war and cyber use in kinetic war is very different than the ways in which we were talking about cyber war.
And I don't know if you remember at the beginning of the conflict, everyone was like, where is the cyber war that we were promised? Is cyber the dog that didn't bark? And part of the challenge of that is the national security rhetoric around this meant that we had been conditioned to expect that when that dog barked, it would blow out our eardrums. But actually, when the dog barked, it barked at the volume of a normal dog. Cyber did the things that cyber could do. It just didn't cause the Ukrainians to roll over and say, okay, fine, take our country. It was not going to do that. There are many other things that affect people's calculus in the context of an armed conflict.
And indeed, we saw, right, the cyber attacks that the Russians launched against Ukraine at the outset of the conflict, even some of the most sophisticated, like the disruption against the Viasat satellite communications network that had spillover effects into NATO countries, was not sufficient to overcome Ukraine's will to defend its own territory and the resilient mindset that they displayed and their ability to look to commercial solutions to continue fighting their fight. So what that tells us is that it's not about cyber deterrence.
It's not about this cyber for cyber, we, you know, cyber pew pew your networks, you cyber pew pew ours. It's now for us about integrated deterrence. We think about these things in the context of how can cyber, as one of the tools of national power, support all of the other things that we do in the cyber domain. So how do we ensure that we can use cyber to defend our cyber terrain in air, land, maritime, space, and then what are the options that we have to use cyber in those other places? And it may be that we respond to cyber things with other tools, with sanctions, with law enforcement actions, with diplomatic démarches, and very, very angry letters. But it may be that we also respond with kinetic attacks, depending on the range of things that we have and what is needed at the time.
So as we think about some of the challenges and what we've experienced, we've learned some things based on our experience of how cyber is different. And one of those things is about moving at the speed of cyber. We have always assumed that cyber domain moves quickly because technology moves quickly, the attacks come quickly. And so we often have people asking us, like, you know, can you just give me a cyber option, like, tank, whistle me up and exit. And the thing is, like, you can't just, like, as you all know, tap your fingers on a keyboard and then have something happen on the other side of the world. It takes time and preparation, it takes understanding, it takes engineering, it takes coding to be able to accomplish things. And so it's not what I think a lot of people expect about how quickly we can move in the cyber domain.
And in fact, I really appreciate the academic work of a guy, Lennart Maschmeyer, who did an analysis of Russian cyber attacks against Ukraine in the run-up to this conflict. And he talked about the cyber trilemma and these concepts of speed, intensity, and control, and how these factors play off against each other.
You can't optimize for all three, right? It's like, good, fast, cheap, pick two. It's speed, intensity, control, pick two. And so when you see an incident like NotPetya, you see something that was developed relatively quickly, had a pretty large intensity level, but spun out of control. And so for us in the Department of Defense, we're going to optimize for control. There are elements of control about making sure that you don't get caught, about doing exactly what you intend to do and no more, to not spill over. That's one of the things that we optimize for. We spent a lot of time investing in precision, precision weapons and all those other things. It's not different in the cyber domain.
And so not only are we optimizing for control, there are rules that we, the Department of Defense, have to follow. There is no cyber asterisk on the rules under the laws of armed conflict. There are certain things that we would not do via any means, poison civilians, things like that, intentionally trying to inflict harm on civilians. If we're not going to do them via kinetic means, we're not going to do them via cyber means. Unfortunately, I don't know how well understood that is globally around the world. Frankly, there are some countries that maybe aren't even living up to those obligations in the physical space. But for us, there are rules that we are going to have to live by as we think about armed conflict.
And so, right, we are reflecting all this in our 2023 cyber strategy, which we hope to roll out publicly soon. We've released a classified version to Congress, so they're going through it. But we hope to be able to talk to you more about it shortly. But another one of the things that's changed for us that we reflect here is how we think about cyber offense and defense. Historically, the department had thought about cyber defense and really prioritized it as, like, how do we defend the networks that we own and operate?
And we would think about, how do you defend all the things all the time? But the challenge is, of course, the number of attacks we experience are so numerous, so pervasive by so many different actors, like, you can only hold the door for so long before the attackers make it through. And so you have to adapt a more resilient approach. And because we can't be everywhere all the time, we have to think about new ways to defend the nation. We are not going to seek to be on all of the private sector networks all the time. Frankly, we can't afford the personnel costs of that. But also, like, who wants, like, an E4 showing up at your network, being like, hi, I'm here from the Department of Defense. I'm here to help. So, like, we have to think about different ways of doing that.
And so one of the things that we can do is take the insights that we have as the Department of Defense about the adversaries' TTPs and share them out with the world through partners. And so we work with other countries around the world, with our civilian agency partners, the FBI, DHS, and others, to identify this type of TTPs and then push them out to the private sector so that they can defend their own networks. And that's actually a really big change for us. When I started in this business, people kept asking us for actionable intelligence, and we're like, no, it's too secret. We can't tell you. We have now figured out how to be able to share that information.
And you saw that in something else that occurred at the beginning of the conflict, credit to Jen Easterly, who was wandering around here somewhere, the Shields Up activities that we engaged in to encourage critical infrastructure to raise their level of defense. And the information that the Department of Defense shared out through that so that the private sector could defend themselves, and then the technical assistance that we are able to provide through the NSA's Cybersecurity Collaboration Center.
We think that this model represents a better way for us as the Department of Defense to engage in the defend-the-homeland mission that doesn't ask us to get on everybody else's networks. But I think one of the challenges is that we need help. And so we have to think about, for us, who does cyber? And I know a lot of you do cyber, but when it comes to offensive cyber, we're one of the only organizations that has the legal authority to be able to go out and disrupt adversary malicious cyber activities without our colleagues at the FBI knocking on people's doors.
And the challenge for us is that it's a really big threat space. We have a lot that we have to take on. Russia is not our only cyber-capable adversary. Frankly, the PRC is also highly capable and has demonstrated, for those of you who saw the Microsoft Volt Typhoon announcement, seeking to disrupt critical infrastructure on which we, the Department of Defense, would rely for our mobilization, putting at risk the lives of our service members and the lives of people in Guam, the lives of people in the Indo-Pacific region that we might be protecting. But it's a really big challenge for us. And we need help.
We need the help of people who have the skill set of the people in this room to be able to help identify the adversary malicious activity, to help us develop the kinds of things that we can use to prevent that malicious activity from causing harm to Americans. And we need your help to be able to disrupt that activity before it causes harm to people in the United States. And we hope that you'd be willing to come help us with that. It's a big mission space. We are thinking about it differently. We are thinking about it in the context of our rules, and we're thinking about it in the ways in which the cyber domain actually works. So with that, ladies and gentlemen, thank you.