Could striking first in cyber be new Pentagon policy?

Bolstering cyber operations is top of mind for Katie Sutton, the White House's pick to lead Defense Department cyber policy. The 35-year-old former chief technology advisor at U.S. Cyber Command has been confirmed by the Senate to become assistant defense secretary for cyber policy. Her confirmation comes as lawmakers and experts worry about China's growing threat in cyberspace.

"While we need strong defenses, we are not going to deter the adversary with defenses only," Sutton told senators during her confirmation hearing. "If confirmed, I will work to strengthen our offensive cyber capabilities to ensure the President has the options he needs to respond to this growing threat." She emphasized that a robust offense is necessary to keep pace with the speed and sophistication of modern cyberattacks.

"I believe we're at a point where we need to re-evaluate those [cyber operations policies] and make sure that we're...able to respond to the increasing speed of cyber attacks, and that we are able to address the incoming impacts of AI," Sutton said. "The speed of technology is often outpacing the policies we have in place to utilize that technology." She highlighted the need for updated policies on artificial intelligence (AI) use, citing concerns about its potential misuse in fraud campaigns.

"If you think about the number of things in your home that are connected to the internet. If we think about, across the military, how we're going to need data connectivity that certainly poses a very large attack surface that the adversary can go after," Sutton noted. "Coupled with all of the technology that's available, like generative AI, has made it very easy and a very low bar to be able to come in and exploit vulnerabilities in this system."

Lawmakers agreed that a more aggressive approach was needed. Sen. Eric Schmitt (R-Mo.) called for more transparency and use of offensive cyber operations, warning that the vulnerability of critical infrastructure posed by China's cyber presence could lead to catastrophic consequences.

"We need to be more aggressive, offensively," Schmitt said. "I don't think that a lot of Americans understand, probably, how vulnerable our critical infrastructure is to what the Chinese are already probably embedded in what they're willing to do. It certainly would reach a critical mass if they moved on Taiwan. I think that that's sort of probably where they go first."

Even Sen. Angus King (I-Maine) suggested establishing a "doctrine on deterrence in cyberspace" to make it clear to adversaries that the US was serious about offensive cyber operations.

"We need to have both the capability for offensive cyber, but also, I believe, we need a stated doctrine," King said. "Everyone in the world knows our doctrine of deterrence and nuclear armaments, for example, people should also understand a doctrine of deterrence, that if you attack us in cyberspace, there will be a response. It may not be cyber, it may be something else."

Sutton emphasized the need for better tools for operators to stay ahead of emerging threats. She wants to expand the Defense Advanced Research Projects Agency (DARPA) Cyber Command's Constellation program to improve the tools cyber operators use, including AI, by pairing operators and analysts with developers.

"We've had success in that," Sutton said. "And I look forward to using that model, if confirmed, to be able to bring innovations from across industry and the rest of the innovation ecosystem in."