Written by Greg Otto
A former U.S. Cyber Command official said Thursday that China and Russia’s use of cyberattacks has upended the way the U.S. military thinks about warfare, given the incidents’ direct impact on civilians rather than armed forces.
Brett Williams, a former deputy of operations for the command, said at an IT conference in New York City that the two adversaries have made it so the military can no longer “play an away game.”
“What I mean by that is [the U.S. likes] to fight away games,” Williams said at an event held by Tierpoint, held during CyberScoop’s NY CyberWeek. “We don’t want to have to fight here [on U.S. soil]. Anything we get into with China and Russia, the first impact is going to be felt on our civilian population.”
Williams also said he believes both countries’ actions — he spoke specifically on China’s intellectual property theft and Russia’s targeting of the Ukrainian power grid — serve to further distract the world from the foreign policy issues that have surfaced over the past decade.
“[Cyberttacks] have become a political issue, and it makes us focus inward on how to solve the problem,” he told the he told the crowd of private sector IT executives. “That’s what both of those countries would like. The more that we are focused inward, the harder it is to focus on what [Russia and China] are doing in Crimea or the South China Sea.”
Williams, now the chief operating officer of Maryland-based cybersecurity startup IronNet Cybersecurity, says in order to combat the threats from these counties, the United States needs to do a better job of establishing nation-state behavior norms.
“ I would argue that the United States is struggling to figure that out,” he said. “Do you think that Vladimir Putin has his general counsel in there trying to figure out if [cyberattacks] are a legal thing to do?”
Despite Williams’ laments, he said there are lessons to draw from the way the military has matured with regard to cyber capabilities.
He emphasized that trying to buy ways to keep hackers at bay is a poor strategy due to the fact that tech changes so quickly that there will never be a solution that keeps enterprises protected for very long.
“We’re always looking for the magic technical solution, we want the box that will keep the Chinese out,” he said. “The technology the good guys use is going to be different six months from now. The technology the bad guys are using is going to be different three months from now. If you are looking for a technical solution as a business leader, you’re not going to find it.”
Williams also suggested that making employees accountable for their behavior on corporate networks can force a culture change inside organizations.
He pointed to the massive overhaul inside the Department of Defense — including the formation of U.S. Cyber Command — that took place after a 2008 incident in which USB drives loaded with malware were plugged into classified military IT systems.
“We started to see some serious accountability in the military for those types of actions,’” he said. “When you start to hold people accountable for their behavior, you start to change behaviors.”
Overall, Williams hopes that companies start to follow up on these changes. As he has spent time talking to the private sector, he told the crowd that companies have often talked a big game without actually putting any action into place.
“There’s still a lot of talk, and not necessarily walking with that talk,” he said. “We’ve got to continue to make sure how this all goes together.”