Breaking Barriers: The Air Force and the Future of Cyberpower
A number of student tickets are available. For more information, please contact firstname.lastname@example.org.
This event took place on Wednesday, March 8, 2017
JOEL ROSENTHAL: Good evening. Welcome. I'm Joel Rosenthal, president of Carnegie Council. Glad to see you all this evening.
On behalf of the Council, I'm delighted to welcome you to our conversation with Lt. Gen. William Bender. Our topic this evening is "Breaking Barriers: The United States Air Force and the Future of Cyberpower."
I know Joanne had been working for a long time to get this program set up. She seems to have a way to know what is going to happen in the news. We couldn't have imagined all of the news from North Korea to WikiLeaks and so on, but as usual it is a very timely event. So, thank you, Joanne, and thank you, General, for coming.
Among the many impressive qualities of the U.S. military is its relationship to the American public. There is a strong tradition of public engagement in venues like ours. In the recent past, Carnegie Council has hosted the Chairman of the Joint Chiefs of Staff General Martin Dempsey, and the head of the Army's futures think tank, Lt. Gen. H. R. McMaster, now the national security advisor to President Trump. We've also organized several trips and activities with West Point, Annapolis, the U.S. Naval War College, and the U.S. Merchant Marine Academy thanks to Col. Bonadonna, and these have been important exchanges for us, I think good for the leaders themselves and for the citizens who have participated in them.
We are grateful for the opportunity to continue this tradition today with General Bender. General Bender is a New Yorker and a Manhattan College graduate—so welcome home. In his current post as chief, information dominance and chief information officer, Office of the Secretary of the Air Force at the Pentagon, he is at the forefront of the growing effort to protect America in the cyber realm. As an Air Force pilot, he has flown more than 4,000 hours in nearly a dozen aircraft. As his bio puts it, "He now defends an area perhaps infinitely larger and more unpredictable than the skies. He is the Air Force's chief information officer and the leader of nearly 55,000 cyber operators."
Given its natural mission off the ground and in the air, the Air Force has a special role to play in adapting to and using cyberspace for security purposes. General Bender will give us some of the highlights of its accomplishments as well as some of the challenges it faces moving forward. These challenges include a needed culture change to adapt to the new security environment, as well as changes in procurement and training. What does it mean to be a cyber warrior? What kind of training does this entail? What kind of equipment is needed? What kind of ethical challenges does this new theater of operations pose?
Several years ago the Carnegie Council had a visit from General Sir Rupert Smith, a British officer who had written a book called The Utility of Force: The Art of War in the Modern World. The book was about the transition from industrial war to what General Smith called "war among the people." In short, he was talking about the shift from World War II-style mechanized war to low-intensity urban war and terrorism. We have now witnessed another transformation—a war in a realm largely invisible and without clear boundaries, the futuristic realm called cyberspace. For a tour of this new battlefield and some ideas of how we should approach it, we turn to General Bender for his thoughts on this big and urgent challenge.
Thank you all for joining us, and thank you, General, for coming.
LT. GEN. WILLIAM BENDER: Thank you. Good evening, everybody, and thank you for being here tonight. It is really an honor for me to spend time with such an esteemed group as yourselves who clearly are here by choice. In the military very often you're "volun-told" to be at a gathering like this. You are all here because you want to be, and I think rightly so, because a lot that we need to be talking about at a national level is maybe some of what I'll touch on tonight. Be sure to leave plenty of time, Dr. Rosenthal, for some questions and maybe just a back-and-forth on what's on your mind.
This opportunity comes at the end of a two-day spell of just running from location to location to location to have a discussion within the greater New York area, mostly related to the different academic forums. We spent some time with the Harvard Business School, Columbia, and Massachusetts Institute of Technology. I went to my alma mater at Manhattan College. I wouldn't really hold them in the same esteem as the aforementioned ones, but just a fantastic time for me to go home and to visit with my alumni. Then I spent some time on the radio.
The reason I mention all of that is there is a tremendous interest all over on this topic of cyber security because, as you mentioned in your opening remarks, it is really a brand-new domain. In Air Force terms we would talk about air and space as a separate domain. And now we have this thing called "cyberspace" and we have to learn to operationalize it—meaning learn to operate in, through, and from cyberspace—and think about it differently than we have in the past. It is not a benign environment.
As we are all, I think, very well aware, our adversaries have been watching your U.S. military for a long time—for 20-some years—and understand how we like to defend the nation, typically on our terms in their space, and doing it as we have now over many years become a very strong military; so taking some number of months to load up, take it on ships and the back of airplanes, and go to their space.
But this new cyberspace completely changes that paradigm. It really undermines our ability to do exactly what we would hope to do, to fight it on our terms, because of the ubiquitous nature of information technology. Not a thing that we do, not a mission that we have, is not dependent on the ones and the zeros, the connectedness required in order to be effective. So the enemy knows that, and we like to say "the enemy gets a vote." The concern that we have here is real, the vulnerabilities are great, and the requirement for us to think and act differently going forward is really necessary.
So I find myself in the position of chief information officer for the Air Force, which provides a unique vantage point because, as the heretofore sort of senior functional in the Air Force responsible for that information technology, it comes together at the same time with trying to operationalize this new domain. The work in front of us, I think, has really led us to recognize the critical nature of going after some real transformative changes. It really runs along three lines of effort where I'm concerned, and I'll share those with you. They really define the three lines of effort for not just me but all of my counterparts.
One of the things that I have found notable in my time in this position—and I see it as a great strategic advantage that I would want to leave you to think about—is that every chief information officer, really every company out there, every commercial entity, any sector, academia, think tanks, government, all agencies—we are all doing the same thing. We all recognize the same problems, and we're all working on the exact same things, and I think they come across in these three what I would call in military vernacular "lines of effort."
The first is that we need to pay closer attention to securing our infrastructure worldwide. We need to understand our systems of systems interdependencies for what is a very legacy U.S. military. We need to understand where the vulnerabilities are and to reconstitute and modernize our infrastructure in a way that lowers the security footprint; that actually attempts to use better technologies to automate fixes; that uses current ability as it relates to data analytics and things of that nature that actually help us to secure this big enterprise of ours. So really focused on better information technologies and lowering our cyber security footprint.
At the same time, we have to understand that this is a growing mission for us, none of which have necessarily been thought through early on, so that many of the people we've brought into the services don't have the requisite skills, aptitudes, and experiences that we would hope to have at this point for trying to take on this new mission. So we're really taking a concerted effort at addressing security in a new way, building out a new mission.
The way that we're doing that—and it is similar with all the services—is that to the maximum extent possible those things that could be done commercially—we call it the "commoditization of information technology"—to do things like go to the commercial cloud, to partner with industry to provide certain services for us, or use commercial off-the-shelf in all of these different ways, so that we can repurpose our people and go after this new mission, which is securing and defending our cyber terrain. So it goes well beyond just our networks. It is involving all of our space-based assets, our nuclear assets, and really all of the air-breathing platforms—which is another way of saying our aircraft, manned and unmanned—and the list just goes on. And it is not unique to the Air Force; it is all of the military services.
When I say "legacy," I mean stuff that was built before there was a thought of the critical security concerns related to actually having somebody wanting to do us harm by attacking the data and getting into our networks.
The third area is: It stands to reason that if I don't have the workforce with the requisite skills required, then we have to actually transform that workforce. So again, very similar to industry, I haven't met a peer of mine in any walk of life who isn't working on the same things, trying to take a workforce and not incrementally change it but transform it. In my case, it is a 54,000-person workforce. It is everything we can think of to try to bring those skills in as rapidly as we can.We are doing unique things in terms of partnering with industry so that we can train people at scale. We're bringing people actually in a very fluid manner in and out of government in a way that we haven't done in the past. We're really working to try to assess, develop, and retain people with these skills. It is just a monster.
Any one of those three lines could be enough to keep me full-time employed, but we have to do all three at the same time. Fortunately, like I said, the advantage to us here is that everybody else is working on it, so many hands make light work. We work very closely with industry partners and academia in inspiring an innovative approach to some of this.
Very often the intellectual capacity, the technologies, the research-and-development money, that is actually sitting more outside of government than it is in. That may surprise you—maybe not. But the reality is that we are absolutely dependent on public-private partnerships in a way that is different than we've done in the past. So that effort is really required.
Another area is if you're going to say innovation is really defined as thinking and acting differently, you have to inspire that innovation. It's not about the technology as much as it is about taking this legacy Air Force and changing the way we do business, in some cases in really significant ways, turning upside-down the way that we've always done something and figuring out how to do it at the speed of need. This environment as it relates specifically to cyber changes on an hourly, daily basis. So the old means of, for example, acquisition, where I would have had to have had a good idea two years ago to bring it to a program today to fund it for the next four years and deliver it two years after that, doesn't make any sense at all because Moore's Law has taken effect about seven times over.
So really thinking through the complexities associated with that, we're working on innovative procurement efforts to actually end-to-end think and act differently as it relates to procuring cyber security tools. We actually have been successful in some measures in doing that. But very often it means breaking all of the rules in place for the acquisitions as they take place, and that presents us with both a legal and a contracting challenge. In some cases it becomes brute force when you want to be a little more sophisticated, and then you have to do this across many challenges in different functional areas of our Air Force. So putting a process in place that is innovative and keeps up with the rapidly changing environment.
Other areas of innovation that we have been very engaged in would be—you may have read about the Defense Innovation Unit Experimental (DIUN) out in Silicon Valley, Boston, and other tech centers, one of which certainly could be New York-based, and all that takes place in the tech ecosystem here. That was inspired by the secretary of defense. Really what he is trying to do is harness some of the entrepreneurial spirit that is taking place out in the Valley and thinking differently about how we go about it.
I guess what I would maybe finish my remarks around would be: Where are we trying to go; what's the plan? Today the plan is to try to develop an Air Force that can remain competitive and the strongest air force in the world, recognizing that we're no longer in the Industrial Age; we're actually in the Information Age.
So a lot of work has to be done in order to develop not just a capable workforce but to deal with a primarily legacy air force and at the same time start to enhance our capabilities related to what you would hear as the "Internet of Things," but we have our own version of that. The "Internet of Military's Things" really has to do with all of our tremendous sensors that today can find, fix, and finish any kind of any enemy anywhere in the world within minutes. But connecting all that and integrating that is really a responsibility that, because it's not an affordable air force going forward, with the proliferation of Internet protocol devices and all of the sensors that are out there, the world we're living in, then we have to contend with everything being defined by software. It actually changes the game for us, but we have to transition to that kind of an Air Force.
I'll use just one example there. If I can find a relationship with a software developer, including with us, and leverage it to its full capability, what we're doing is on an iterative basis continually upgrading, so as a threat becomes known we address it and we move on. So, the Amazons of the world, as the example, actually generate about 3,000 changes a day to their global networks.
If I were to change one thing in my global networks, it would take me some 20-30 days to push out a patch or a script. So we have to get aggressively after the fact that software defined actually helps us significantly improve our mission effectiveness.
And then, to really understand that data at the end of the day is the strategic asset that we need to protect, the data and the applications that we use, and rely more heavily on commercial providers for things like commercial off-the-shelf or as-a-service offerings, and worry of our key data as the asset that I'm responsible for protecting, and having good protocols to ensure the veracity of that data. You can imagine, if we didn't, the challenges that that presents when you're in an information war like we are.
And finally, inspiring to the best that we can this collaboration between industry, academia, and government in a way that we've talked about. But it's very often manifest in the exchange of business cards at conferences and not as much in deep relationships where industry and government in this case are working closely together to actually solve problems. I think that there is enough work to do for all of us. I call it some combination of "many hands make light work," and we absolutely need to turn the corner on that as a U.S. military. I think some people find that may be hard to imagine. I've been to too many meetings where people have looked at me and said, "Well, this doesn't apply to you because as the U.S. military you must have this."
But this is a new world and a different world, and one that we're not entirely prepared for and have some work ahead of us. That does not mean that we're not aggressively going after it—that should concern you—but it means that with the environment as it is changing we really need to work closely together.
I hope that is a stage-setter in terms of some of what is both in my portfolio and some of what we're working on. I'd love at this point to see what's on your mind and try to address any questions you might have.
JOEL ROSENTHAL: In terms of stage-setting, you did a wonderful job focusing primarily on the need for defensive capabilities to protect national security. But the news of the day has been more offensive capabilities, whether it was the program in Iran or the program in North Korea, and now there's more—I guess this is an intelligence issue, but CIA capabilities in cyber.
I don't know if you could just say a few words about that side of things in terms of how you think about it, and then we'll go to the Q&A.
LT. GEN. WILLIAM BENDER: Sure. Thank you.
Yes, I didn't talk about what the Air Force is doing to support U.S. Cyber Command, and that is really where our offensive capability resides. Six years or so ago we established U.S. Cyber Command. It is co-located with the National Security Agency (NSA) at Fort Meade in Maryland.
The Air Force is producing our part of a larger joint force. It ends up being about 6,000 military supporting Admiral Rogers in his two hats as the NSA director and also the U.S. Cyber Command commander. That gets a little bit confusing organizationally, but that is where the offensive capability actually resides.
To speak to North Korea, The New York Times article that was out recently in terms of getting "left of launch"—while I cannot really say because I haven't been a part of it, but it doesn't surprise me that that would be taking place because prepping and getting into somebody's networks or infrastructure in any way is a long-lead item away. So that work, you would really consider us irresponsible if we weren't attempting to do that, though we have to be very careful of the ramifications—meaning what is the reaction to a certain action, how do you escalate and de-escalate, what are the policies involved, and where are the legalities? So there is a lot that may be ethical, but also there is a national dialogue that has to take place as we start to work through what we would effectively call an offensive capability in the cyberspace domain.
This is what Russia and other nation-states are doing on a regular basis, or at least attempting to. I have stopped looking at the numbers, but it's in the millions of cyber attacks a day on Pentagon networks.
We defend those networks in a way that has been very successful and keeps us secure. But it's not a benign environment, and this is a weakest-link discussion. So if you find a way to get in because of maybe just one airman's bad behavior, and he puts a USB thumbdrive into his computer and that happens to carry malware, well, that was an aggressive offensive action to get into our networks that we never saw coming. So a lot of this has to do with ensuring better, smarter behaviors on the part of our people. That in large measure comes to people in my position making sure that they're aware of the threats and the vulnerabilities.
QUESTION: James Starkman.
I would assume that the coordination with our allies, particularly Israel—I know Stuxnet we were involved with, which might be not so open to public discussion because they spy on us and we spy on them probably—but if you can just comment briefly on how much cooperation we have with our NATO allies and Israel.
Also, just on the headlines recently about missiles, when North Korea has 10,000 artillery pieces trained on nine nuclear plants surrounding the city of Seoul, what do they need missiles for as far as an attack on South Korea? I can understand to keep the United States in its place they would want an intercontinental missile, but they could reduce those plants to rubble like Chernobyl in minutes. Thank you.
LT. GEN. WILLIAM BENDER: Okay. So I'll come back to North Korea. The first question you asked—
QUESTIONER [Jim Starkman]: Basically who are we working with, among allies. How much can we really work—
LT. GEN. WILLIAM BENDER: There is a tremendous amount of work. There is a recognition—and I'm sure that General Dempsey probably shared this with you when he was here—of a requirement to basically work among our friends and our allies. So everything we do is joint in nature. That means all of the services coming together because that's how we fight today, and with our coalition partners, however they're made up.
Israel is a great friend of the United States, and so it is reasonable to assume, since that's what you said that you're assuming, that we would be working closely with our Israeli partners, as well as NATO allies, who see the world the way that we see it. So, especially as it concerns Eastern Europe, there's a lot of work being done today.
QUESTIONER [Jim Starkman]: Supposedly Israel is building a billion-dollar facility in the Negev just for cyber.
LT. GEN. WILLIAM BENDER: Yes, they are very aggressively going after it. So yes, we're working very closely with them in developing our cyber ranges and a lot of the work that is being done, in some cases borrowing on their lessons learned and their expertise.
In terms of North Korea, I can't speak to anything in terms of—you're right about having all of this artillery trained on enough to turn South Korea to rubble. So why do they need missiles? I believe it's because you have a state that has a personality that wants to demonstrate they are a world power, and that's what we're dealing with. I can share with you that I think those in the position to really have an opinion on this, all the way up through our secretary of defense and higher, consider North Korea today as the greatest threat to us in the very short term because of many of the indicators we're seeing in terms of missile launches and an unknown actor in terms of Kim Jong-un.
QUESTION: Don Simmons.
We've been reading recently about successful invasions of various systems. Theoretically one way to provide very good security is to isolate the system—you have a desktop computer and giving up that connection to the Internet presumably buys some safety. In a military context, would that be a part of our thinking with respect to, for example, fighter aircraft or bombers? Do we have research objectives that would include attempts to hack, let's say, a Russian fighter?
And then, second, can we defend against such hacking by isolating the system? That gives up a lot of control, I know.
LT. GEN. WILLIAM BENDER: The safest we could be is if we unplugged everything, but we'd also be dead in the water, so to speak. We consider that one course of action but not a viable one.
But your larger point in terms of isolating and securing our systems—as I mentioned earlier, our weapons platforms, the B-52s, all of our fighters, basically everything that is legacy, in fact touches the Internet. An F-16, as an example, our primary fighter, has a maintainer who goes out with a Toughbook and logs in to find out what the flight hours are and all of the diagnostics on the maintenance. But that same airman, if he's not properly schooled on what not to do, is using that Toughbook when he's in the ready room looking at a YouTube video. That presents a tremendous vulnerability to us because malware then is ported over—air-gapped—onto a weapons system. That is not a fictional case. That is very possible to include our space-based assets and our nuclear assets and everything. So nothing is off limits here.
So what are we doing? We're attempting to secure it, in some cases by isolation, wrapping it by a secure means, and putting continuous testing and monitoring into the system so that any anomaly is pointed out and we can then react appropriately because we know now something is not normal. So that effort is taking place.
In terms of what we're attempting to do against other nation-states and other actors, absolutely through continued tests and evaluation what we learn about ourselves we certainly would be looking to turn that same vulnerability on an adversary if it made sense.
QUESTIONER [Don Simmons]: I'm just remembering that was about a 60-year-old problem. At the height of the Cold War there was a strategic question of whether our nuclear bombers once instructed to bomb Moscow could be recalled or not. So kind of the same issue.
LT. GEN. WILLIAM BENDER: Yes. There are a lot of parallels actually between nuclear and cyber. Some of it is because we haven't really worked through the strategy associated with it. So when you talk about nuclear containment, for example, that is an understandable strategy, and we knew exactly what we were doing. We are working feverishly at the highest levels of government to have that same kind of understanding of how we operate in this new domain and what are the approaches we will take.
QUESTION: Thank you for the statement. Tarik Fatallah.
My question will pick up on what you stated earlier with the partnerships with academia and the private sector. Companies like Lockheed Martin or Booz Allen provide very important partnerships with the military. Given recent events, it does open a door for certain mishaps. Without providing names, some of them might even be considered public service, but others can have sensitive information that can have detrimental implications on personnel and military systems.
What type of risk assessments does the military conduct when assessing these situations? What has been learned from prior events that is now being implemented; or, foreseeing what could possibly happen, again given the recent events, that could possibly be another hit that could be somewhat parallel or similar to what happened in the past?
LT. GEN. WILLIAM BENDER: There have been a lot of lessons learned by—when something happens we all react to it. Let's take the Office of Personnel Management (OPM) for an example, where 25 million records were exploited and all of that privacy information taken. Just as an aside, we have to resolve these types of—prevent them from happening. We were on the wrong side of the cost curve as it relates to that kind of thing. So to react and to fix the problem that was presented to us was about a $500 million proposal. Rogue actor really with virtually no expense causing that—that is not something that the nation could sustain. So we have to do a better job of protecting, defending, and securing.
What we've learned is that nothing is benign. There is a system of systems interdependencies. When I think about Lockheed, 80-90 percent of Lockheed's second- and third-tier vendors are small businesses with virtually no ability to influence their cyber security in their factories if they're making components. So this is a bigger problem than any one specific company or one specific problem.
We need to really think of it holistically. I would say that the most important aspects are to put standards and criteria in place related to if you're going to do business with the U.S. military. We are doing a lot of that. We are securing our supply lines, and lots of checking, validating, and holding accountable ourselves, to ensure that what we are getting from vendors is actually secure to start with. So there is a lot of work being done there.
QUESTION: Joseph Franklin McElroy.
You said this was the "Information Age." It is also, wouldn't you say, the "Network Age," and we see the power of networks have really transformed business and have transformed the social sphere. Terrorism takes advantage of the networks. I am wondering what the military is doing to be maybe offensive in using the power of networks to build our defense and make us safer in the world.
LT. GEN. WILLIAM BENDER: That's a great way of describing it. It is not fair to describe it as an Information Age because I really believe, like you do, that it is really about the networks. It is a recognition that the most sophisticated weaponry that we can provide, every bit of it is tied to networks. The F-35, the fifth-gen fighter, is only fifth-gen if the suite of sensors and the integration of the combat space actually can take place. So it is dependent on either the aerial layer network or the air-terrestrial network throughout its entire mission. So it is heavily network-dependent.
So what are we doing to put an offensive spin on our networks? I would say that comes certainly in the area of offensive weaponry. But in the cyberspace side, as I said, we're working within Cyber Command to really do some very state-of-the-art, very capable cyber offensive operations.
Specifically, today that I can speak of—because I'm aware of it and it's open press—is with some of the counterterrorism efforts really taking out their networks through use of airborne platforms with energy and electromagnetic pulse (EMP) types of efforts, radio frequency (RF), using ways to take out networks offensively, recognizing how it is that they're communicating and how they are prosecuting. So there is a lot of work being done there, but I would say it is overall described as a nascent stage. There is a lot more work that has to be done.
QUESTION: Emily Cashel.
I was just wondering if you could speak more on procurement issues. For example, could you give an example of innovative procurement processes? How do you think the procurement process is keeping up with the cyberspace?
Also, do you have any guns-and-butter problems politically with cyber versus guns? Does that make sense?
LT. GEN. WILLIAM BENDER: We might have to press on that second one a little bit.
But in terms of procurement, what we're attempting to do is, first of all, approach it very collaboratively. So a sequential effort is built into the process, taking many months to coordinate one step after the next step after the next step. So it goes to the requirements builders for a while, and then they take it to the legal people, it goes back to requirements and refine that, and then they move it to perhaps acquisition for a final look before it goes to contracting before it goes back to the program office, and so on and so forth, taking many months. Or you could collaboratively do that in terms of a team approach, so the contractor, the lawyer, the acquisition person, the engineer, and the operator are all in the room together looking at the problem at the same time. And that has been a proven technique in terms of, I would call it, the "Special Operations Command model" where they very rapidly assess, acquire, and bring new technologies in.
That is uniquely required as it relates to cyberspace, as I said before, where the environment changes so rapidly that we absolutely have to have procurement keep up with the speed. We've had some good examples of doing that. If we can get automation tools onto our networks, then it really—because they're software-defined it takes acquisition out of the process in a lot of ways because it just iteratively updates to address threats as they become known. So a lot of good work is being done there.
Now the guns-and-the-butter question. Try to describe just a little bit more what—
QUESTIONER [Emily Cashel]: Just from a budgetary perspective. I don't know if you deal with budgets.
LT. GEN. WILLIAM BENDER: I do, yes. I think I get it.
From a budget perspective, sure. We are investing a fair amount, a healthy amount, of dollars against this new mission. I think what's important for a group like this to understand is that there are tremendous competing requirements anywhere you look.
The nuclear enterprise—and nobody would argue that the nuclear force is the guarantor of our national security—is 50-plus years old. Much of our space domain that we, the U.S. Air Force, provide for the country is increasingly becoming contested.
Again, the Chinese and the Russians are heavily in space and have crossed a boundary over into making it a war-fighting domain. For too long it was a benign environment, and maybe we were slow to recognize the potential for an adversary to weaponize space. We've crossed that paradigm, and now we're trying to catch up.
When you consider the criticality of the nuclear enterprise and the space enterprise, cyber is important, but it's not the only thing going on, although we are heavily invested in it. I would submit to you that there is a greater return on investment in the cyberspace domain as a result of many of these capabilities being in the low dollar amounts relative to some of what I just mentioned in terms of nuclear and space.
I try to look at it through that lens. There is plenty of money being spent on it. It is a matter of competing against other valid requirements.
QUESTION: Braham Clark.
In terms of quantifying cyber capabilities and quantifying their effectiveness, I can go online, and either the Air Force or the Department of Defense (DoD) has a website currently for Operation Inherent Resolve where I can go and look—the Air Force has dropped, hit X amount of targets, in Syria over the last 12 months.
Does the Air Force, or the DoD more broadly, have any obligation, say, to the public or to Congress to make a similar attempt to quantify cyber capabilities; or when someone in your position goes to Capitol Hill to argue for how much funding the Air Force needs for cyber capabilities, do you make an attempt like that to really clearly quantify your capabilities and quantify how they're being used currently?
LT. GEN. WILLIAM BENDER: I think that is a great question. I think that it is increasingly becoming clear to us that we absolutely have that responsibility. It's finding the ability to build the narrative around something that very often is highly classified, that is delivered in some cases by our clandestine forces, so we're not likely to want to reveal that as a matter of getting congressional support.
The irony of cyberspace in general is that, on one hand, it is very closed and niche, and very few people even understand what we're talking about. Then, at the same time, you have to have all this openness and information-sharing. It is a conundrum because it's a weakest-link theory. Therefore, if you're not sharing and passing along information, then you're likely to disadvantage somebody who would be a part of solving that problem.
So I think we do have an obligation. We're working increasingly to share that in the right forums. We have a joint task force that Admiral Rogers stood up that is having tremendous effect in the cyberspace domain, bringing both kinetic and non-kinetic effects against the terrorist networks out there. We are spending a lot of time trying to make sure that we are exposing that to the right decision-makers in Congress so that this isn't just all magic; it actually has effects and it really happens.
QUESTION: Freedom of the press versus national security. I believe The New York Times was the first publication to release the story that the U.S. intelligence community—I would assume in cooperation with the U.S. military, coordination with the U.S. military—has been using cyber warfare to sabotage North Korea's missile tests. I was rather appalled that that information has been released publicly, given the very volatile and extremely dangerous nature of this regime in North Korea, and I was wondering how you felt about that kind of information being released publicly.
LT. GEN. WILLIAM BENDER: As a military person, I can tell you that as a matter of course I find it very difficult to understand why we are compelled to talk about certain things as if everybody has a right to know. That doesn't make any sense. It disadvantages you and it puts people in harm's way at the extreme. And it's the wrong thing to do. But we have somehow attuned ourselves to this notion that everybody has to be totally transparent and have a discussion in an open forum across every media outlet. Whereas we need to talk at the right levels to the right people and they need to stay informed, I don't think we need to broadcast every capability we have because it puts us at a great disadvantage. I take it that you agree with that.
QUESTIONER [Unidentified]: I'm a reserve officer in the French Air Force. I'm an intelligence liaison officer. I'm very familiar with strategic deterrence and matters of national security that are intensely sensitive.
LT. GEN. WILLIAM BENDER: From a perspective where I sit, if I can be just a little more personal, I find it surprising that we're calling into question some of the intelligence professionals at the alarming way that we're doing that when these are hardworking patriots generally. That's not to say that there is not occasionally either a mistake or a nefarious action. That happens when you're running big organizations. But the reality is these people have dedicated their lives to protecting the nation, and I don't really understand why we feel as though to score political points we're going to try to call them out.
QUESTIONER [Unidentified]: I liaise not only with the U.S. military, I also liaise with the U.S. intelligence community and U.S. law enforcement, and I have close friends in the FBI and the Central Intelligence Agency, and I have great admiration and affection for these people. They are true patriots; they are really good guys. I really can't understand how anyone could put them down or vilify them as some kind of internal enemy subverting the United States. That is just absolutely insane. You can be assured that I, as an ally—
LT. GEN. WILLIAM BENDER: I know how you feel about it now, so thank you.
QUESTION: Hi, my name is Shannon Forest. I'm from Bard College.
You were talking about innovation and how do we encourage innovation. My question is: What do you think is the most effective and least morally reprehensible way to create a competition of ideas? I'm talking specifically about zero days and exploits in the context of government interactions with grey markets.
LT. GEN. WILLIAM BENDER: You're well outside of my portfolio with that question. That doesn't take place within the U.S. Air Force, so that would better be placed with perhaps our intelligence community and some of those who do that kind of work for us. I think that is the best way I can answer that.
QUESTION: Hello. Ed Albrecht from Mercy College.
I have a question about the legal implications of cyberpower in particular with declarations of war. It seems to me that it is now possible to be in a war without anybody really knowing it. In the "legacy systems," as you put it, things explode, and everybody sees that. So I wonder what conversation is being held around the legal issue of actually declaring war with a nation or not.
LT. GEN. WILLIAM BENDER: I think it's a great question, and we've brought that up a number of times over the last two days of discussions where that is very muddy at this point. It is an area where we absolutely have to form the legal regime and also the policy regime centered around what is effectively a new form of warfare.
And so I would submit to you today—we may not call it this—but we are in an information war today, because by all of the military principles of war we are being attacked and we have a responsibility to the critical infrastructure and to the nation's defense, however you define that, and yet we don't have any kind of a declaration or a clear way ahead.
So strategy, policy, a legal regime centered around cyberspace and cyber security specifically is really lacking, and we absolutely need sort of the coalition of the willing to come around to help us. It's not necessarily for the military to do, but we'll be a contributor to it.
AUDIENCE MEMBER: Can you retaliate?
LT. GEN. WILLIAM BENDER: I believe that our government can certainly retaliate, and we do.
AUDIENCE MEMBER: What would be the turning point?
LT. GEN. WILLIAM BENDER: I think that's the discussion that we have to have. You have to understand where are the points of escalation and where do you respond in kind.
My own theory—and that's all it is, is a personal theory—has to do with when you're disadvantaged on the offensive because of whatever reason—regulations, limitations of our authorities—we really need to consider more offensively to hold countervalue targets at risk. Otherwise, we're just sitting here as a punching bag.
But determining where that threshold has been crossed is not necessarily in my area of responsibility. So it would be more of an opinion.
JOEL ROSENTHAL: General, I have a question just building on that. I'm curious about how you think about education and training. Our generation—analog generation—you were trained as a pilot. So when you see young officers coming up—different kind of warfare, different kind of weapons, different kind of strategy—has there been any thought given to what it means for education and training, particularly for the officers, I suppose, who are making strategic decisions?
LT. GEN. WILLIAM BENDER: Yes. I think we need to increasingly bring that into the dialogue. I think there is a lot of work being done, training and education more tactically focused, and also working it into combat operations, part of working into our operational plans, so that there is a multi-domain effect using the synergies available with cyber, air, land, and sea. So bringing all of those domains together.
But they really stop at that sort of operational level of war. When you start to think in terms of what does the environment look like five years, 10 years, 20 years from now, and what are we doing to prepare our future leaders to fight in that kind of environment, I think we're found lacking. I think that again it is an area where we really need to bring the brightest minds together.
We are, in fact, as an Air Force at the direction of the secretary of the Air Force and the chief working on exactly that, getting a think tank of war fighters and planners together specifically to get after that issue, because it is new, so we're having to learn our way through it.
QUESTION: In the Six-Day War in 1967 with Israel, one of the ways they won the war was they destroyed the Egyptian Air Force before they got off the ground. I have to assume that in the future if we are going to win a hot war we will have to destroy the air force, the missiles of our enemies, before they get off the ground, and the only way we're going to be able to do that is with cyber warfare—turn their missiles around when they're launched to strike back on themselves. Are we actively pursuing that? Are there capabilities to prevent our enemies from militarily attacking us?
LT. GEN. WILLIAM BENDER: Yes. But I don't think that is—it's easy to say and hard to do. There are years of effort required to "prep the operational environment," as we would call that in military terms, so that you're advantaging yourself when an eventual contingency happens. With all of the intelligence community and the skilled people to prepare for that, that work is being done.
The challenge remains for a North Korea as an example. It's far less developed than the United States would be, which means they are far less vulnerable to that kind of preparation of the environment than we would be. That's just a fact of life in this space. There is no country more dependent on our connectedness and our digital quality of life, if you will, than the United States of America, so we probably have more to defend.
QUESTION: My name is Richard Zimmerman.
Previously, with Stuxnet, I don't think anybody took responsibility for that. There was a lot of supposition, but nobody really said, "Oh, yes, we did it." Now there seems to be talk about proportionality—in other words, when we're attacked, we have to proportionally respond. I don't really understand that. Perhaps you could talk a little bit about that. I think if somebody hits you, you want to knock them out. You don't want to let them hit you again.
LT. GEN. WILLIAM BENDER: Right. Well, there are military principles of war, and we probably are going to fail-safe to try to apply them where they make sense.
But I think really what you're getting at is perhaps the notion of proportionality isn't as much of a motivator for bad actors. In particular, there are plenty of criminal elements out there that are for no intended purpose other than damage—so taking out at tremendous cost our networks or our equipment and that type of thing—and the question becomes what do you do about that. There is a lot of "what-if"-ing going on today as we try to work that through.
From where I sit, having to try to prosecute the policies, the legal regime, and the strategy, I wish that we would get faster about doing it so that we actually understand what we mean by proportionality in the cyberspace domain. Is it on par with proportionality as we would think about it during the time that we are more force-on-force physically? So we have to really think through all of that stuff. To my mind it hasn't been developed nearly enough or fast enough for the environment we're actually in.
QUESTION: My question is twofold. Paul Roveda, by the way.
Could you talk a bit about how public-private partnerships have helped the U.S. government conduct its cyber warfare against its adversaries?
Second—I hope this question isn't too leading—how has the Trump administration and their stance on public-private partnerships either helped the Air Force, the U.S. military, or the cyber command, or not?
LT. GEN. WILLIAM BENDER: Public-private partnerships, when I talk about it, means that we recognize the critical need to actually work together in a strategic way. So where we've seen this work really well means an overabundance of commitment on the part of industry generally, but even academia and others, to break through the bureaucracy that has built up around the Department of Defense. We have to do our part. We have to work closely. But in some cases to think that there is going to be this transformation overnight for something that has been built over the period of time that the Defense Department has built up is unreasonable. So the first quality for public-private to work is perseverance and really being committed to solving problems together.
Where I've seen it work best is when it starts at the top. The areas where we have true strategic partners in the U.S. Air Force willing to go the distance with us, that started with the CEO who was committed to doing it not necessarily because it was a cost-benefit analysis or a business case as much as it was the desire to solve real problems that had real impact. So that is kind of what I'm talking about. And we have had some examples, but we now need to do that at scale, and so that's the work to be done.
In terms of the Trump administration, I have not heard anything, in terms, at least publicly, about public-private being something that they're pushing. I do know for a fact that when you look at his initial set of priorities, after eradicating the Islamic State of Iraq and the Levant (ISIL) from the face of the Earth was cyber security. So there's a recognition at the highest levels, certainly in the secretary of defense's office under General Mattis now, a real recognition of the concerns and the vulnerabilities and doing something serious about it.
JOEL ROSENTHAL: Thank you. Just by way of concluding, there is a lot of loose talk in the press and in public about American exceptionalism. I do think it is very exceptional that General Bender would come to New York and spend a day engaging in forums like this, and particularly to come here. So I want to thank you for that, General. Thank you for coming here and thank you for your service.
Thank you all for joining us. I really think that engagements like this are really important for the country. It sets a great example. Thank you for giving us so much of your time.
We do have a reception so we can continue informally. Thank you.