US Can Focus on Both Offensive and Defensive Cyber, Top NSC Official Says

At the Billington Cyber Summit, Alexei Bulazel, the senior cybersecurity director at the National Security Council (NSC), delivered a message that may come as a relief to those concerned about the US's approach to cyber warfare. In recent public appearances, Bulazel has made it clear that the US will be taking a more assertive stance in cyberspace against adversaries like China, which have targeted and infiltrated critical infrastructure around the country.

However, Bulazel also emphasized that offensive cyber measures should not come at the expense of robust defensive cybersecurity efforts. "Offensive measures are an important tool of the toolbox that we'll be unafraid to use," he said. "But that's not to say we don't need to do normal blocking-and-tackling cyber defense." The National Security Agency, U.S. Cyber Command, and other entities are legally authorized to conduct clandestine intrusions into adversary networks, but lawmakers have expressed concerns that the nation's tactics haven't been sufficiently assertive.

Bulazel's approach is rooted in a "yes, and" mentality, where offensive cyber measures are seen as a complement to defensive efforts. "It's very much a 'Yes, we're going to do all the defense at a world-class level,'" he said. This approach recognizes that both offense and defense are crucial components of a comprehensive cybersecurity strategy.

Defensive measures are essential for scanning, detecting, and mitigating vulnerabilities in critical infrastructure and federal networks. Bulazel highlighted the potential of artificial intelligence (AI) tools to accelerate these dynamics. He cited a recent Department of Defense-led competition focused on using AI tools to patch code vulnerabilities, where winners were announced last month.

According to the Defense Advanced Research Projects Agency's analysis, the competitors' models patched flaws in just 45 minutes on average. This represents a significant improvement over traditional methods, which can take days or even weeks to address vulnerabilities.

Bulazel also expressed confidence in Sean Plankey, Trump's nominee to head the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS). CISA is tasked with defending against cyber and physical threats to US critical infrastructure and federal networks. With Plankey at the helm, Bulazel believes that defensive work will receive the necessary attention and resources.

In conclusion, Bulazel's remarks offer a reassuring message for those concerned about the US's approach to cyber warfare. By acknowledging both offensive and defensive measures as crucial components of a comprehensive cybersecurity strategy, Bulazel has outlined a path forward that prioritizes both assertive tactics and robust defenses. As the nation navigates the complex landscape of cyber threats, it is clear that a balanced approach will be necessary to protect US critical infrastructure and federal networks.