
Pentagon Cyber Warfare Chief Says Critical Infrastructure Needs Urgent Investment


John Garstka says defense and industry leaders must quantify risk to mission and business operations to prepare for conflicts that will “start in cyberspace.”


A more resilient national defense increasingly hinges on securing critical civilian infrastructure from nation-state cyber threats, according to War Department Director for Cyber Warfare in the Office of the Undersecretary of Defense for Acquisition and Sustainment John Garstka.

“The weapon engagement zone in cyberspace is global,” said Garstka during the AFCEA NOVA September Luncheon at George Mason University on Friday. “If you’re connected to the network, you’re part of that global engagement zone.”

Garstka added that the current approach to cybersecurity must evolve into risk-informed strategic investments backed by significant funding to counter high-level adversaries. Leaders like CEOs and infrastructure operators need to shift from compliance to mission assurance within a business framework, he said.

“[Cybersecurity is] not a science project. It’s a business, unless people are going to work for free,” Garstka said. “You’ve got to talk about risk to mission and risk to business operations if you want to be effective. As a CISO, I have never practiced cybersecurity at the tactical level. I have moved over half a billion dollars in money, in the budget to go solve cybersecurity challenges.”

Garstka said that officials need to understand the economics of cybersecurity as part of the mission.

“There’s somebody’s job to take money from the overall budget and move it to the cybersecurity budget, because you can have technology, you can have aspirations, you can have a plan, but if you cannot … move the Benjamins from the overall budget to the cybersecurity budget, then nothing happens,” said Garstka.

Preparing for the Next Fight

Garstka outlined the need for leaders to understand the distinction between common cybercriminals (“cyber pirates”) and highly capable nation-state cyber actors. While cyber pirates operate for profit and often carry out attacks such as temporary device encryption, nation-state actors aim to degrade warfighting capability, major economic activity and the American way of life.

“[Nation-state adversaries’] objective is to not just degrade our warfighting capability, but to degrade our way of life,” he said. “[They want to do that] at a distance through cyberspace, because … it’s our businesses, it’s the infrastructure that we depend on. It’s all in play if we can’t figure out how to defend it.”

Garstka warned that many national security and adjacent organizations’ current cybersecurity measures are only designed to deal with the lower-end threat of cyber pirates. The military — Garstka cited United States Transportation Command as one example — is deeply dependent on commercial critical infrastructure, including transportation and utilities. He cited the Jan. 2023 Federal Aviation Administration (FAA) database shutdown as an example of poor cyber management, albeit an incident not caused by an attack.

“This was in a real world example of something happening in cyberspace. The planes were fine. They didn’t have the information that they needed to do their job because of something that happened halfway across the globe in an IT system,” said Garstka. “The largest ground stop since September 11, because the FAA’s [Notice to Air Missions] system went down. Not a good day for the director of FAA, who subsequently lost his job over something that happened in cyberspace.”

Garstka noted that attacks on this commercial infrastructure are not a hypothetical construct, but a “real, unacceptable behavior” impacting services like water and power that DOW bases and the public rely on.

“If we rely on commercial systems to do our job, we need to defend them,” he said. “This is not an optional homework assignment.”

Training and Risk Management

DOW needs to focus on risk management and foresight in the cyber domain, Garstka added. He cited a Navy memo downplaying the risks of Japan’s airpower before the 1941 strikes on Pearl Harbor as an example of underestimating adversaries, linking it to potentially being unprepared for cyber attacks from nation-states.

“They didn’t do the math right,” he said. “My assertion is that that’s kind of where we are today. We’re not doing risk to force correctly.”

Garstka said that military and cybersecurity leaders need to understand risk in cyberspace. He presented a risk framework adapted from the National Institute of Standards and Technology guidance to help organizations quantify cyber threats in operational theaters. Training and preparation are critical to defense operations in cyberspace.

“If you’re not training in a cyber contested environment, you’re not going to be able to operate when the adversary shuts out their lives in cyberspace,” he said.

Garstka, who noted that he holds the unique distinction of having both “cyber” and “warfare” in his Office of the Undersecretary of Defense for Acquisition and Sustainment title, framed the challenge not as a technology problem, but as a critical one of economics and strategic risk assessment.

“Cyberspace is a dangerous place,” Garstka said. “If you want to do business in this century, you’ve got to figure out how to do it successfully.”
