Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

Fuel, Force, and the Frontlines: Critical Infrastructure in Conflict with Chris Cleary

Season 2 Episode 42 •

Show Notes

What if the easiest way to disrupt U.S. military operations isn’t with missiles—but by targeting fuel logistics? In this episode, Chris Cleary explains how civilian infrastructure has become a frontline in national defense. He and Frank Cilluffo discuss how adversaries exploit cyber vulnerabilities to slow military response, and why deterrence requires more than just rhetoric. They unpack the case for a dedicated Cyber Force, the suprising way Chris thinks it should be structured, and the challenges of coordinating across government and industry. With prepositioned threats like Volt Typhoon in the headlines, the stakes are higher than ever.

Main Topics Covered

  • How fuel logistics shape U.S. military readiness in the Pacific
  • Why adversaries target civilian infrastructure like water and power systems
  • What defines a “cyber attack” under rules of engagement
  • Gaps in deterrence, response, and public signaling
  • The case for a U.S. Cyber Force modeled after the Coast Guard
  • Challenges of coordination across agencies and private sector providers

Key Quotes

“I could degrade the Navy’s ability to run around in the Pacific by just limiting the ability to move fuel on the west coast of the United States.”Chris Cleary

“If [China’s cyber forces] are in Littleton, Massachusetts, they’re everywhere.”Chris Cleary

“I would argue a cyber force of the future looks more like a Coast Guard than a Navy.”
Chris Cleary

“I am a true believer that cyber is a legitimate means and methods of warfare. And we are going to have to professionalize in it.”Chris Cleary

“All the zero trust in the world is not going to stop—a China, a Russia, a sophisticated organization—from targeting you.”Chris Cleary

Relevant Links and Resources

60 Minutes on China’s Cyber Infiltation: https://www.cbsnews.com/news/china-hacking-us-critical-infrastructure-retired-general-tim-haugh-warns-60-minutes-transcript/

Guest Bio

Christopher Cleary is Vice President of Global Cyber Practice at ManTech. He previously served as the Department of the Navy’s Principal Cyber Advisor, where he led the implementation of the DoD Cyber Strategy across the Navy and Marine Corps. Prior to that, he was the Navy’s Chief Information Security Officer and Director of Cybersecurity within the Department of the Navy CIO’s office.

Transcript

1
00:00:00,000 –> 00:00:01,000
Christopher Cleary [00:00:00]:
If I could degrade the Navy’s ability to run around in the Pacific by just limiting the ability to move fuel on the west coast of the United States, if I’m the adversary, I just got to look at other ways to trip you up that does not involve me putting a weapon into a platform.

2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:16]:
Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Christopher Cleary. Chris Cleary is a vice president at Mantech, where he leads their global cyber practice. Just prior to that, he served as the PCA, or the principal cyber Advisor at US Navy, and was prior to that was the Chief Information Security Officer, or CISO, at the Department of Navy. Chris has had a long career in government, both in military roles and in intelligence roles. And we were just reflecting. We’ve been friends for well over 20 years, and really excited to have Chris join us today. Chris, thanks so much for joining us.

3
00:00:02,000 –> 00:00:03,000
Christopher Cleary [00:01:02]:
No, Frank, thanks for having me. I’m excited to be here.

4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:01:04]:
No, likewise. And I thought we’d sort of start with the Senate moved on their National Defense Authorization Act. The House, I think, passed it a month or so ago. There are a number of provisions in there that are focused on defense critical infrastructure, what we used to call mission assurance, force protection, and the whole like. Before we drill into what some of those provisions, in fact, are, I thought it’d be helpful to give a layman’s understanding of why DoD depends on civilian critical infrastructure.

5
00:00:04,000 –> 00:00:05,000
Christopher Cleary [00:01:39]:
Yeah, sure. So most of my tenure when I was Right. So strangely enough, most of my tenure when I was the principal cyber advisor for the Department of the Navy, focused on the operational technology, whether it was defense critical infrastructure or weapon systems. Because at the time, we had gotten really good at traditional enterprise IT security, right. Zero Trust, Microsoft, Defender, not to name drop, but, you know, from a traditional cyber security compliance, identity management, we really were getting our hands around that. We were doing a pretty good job with it. But when you start opening the aperture up to other things that have ones and zeros associated with them, weapon systems, critical infrastructure, there wasn’t as much attention being brought to those things. And what you begun to realize, again, what we were talking about kind of prior to getting on camera was five years ago, if you were talking about an adversary in an information system, okay, it was acknowledged to talk about an adversary in an operational technology system.

6
00:00:05,000 –> 00:00:06,000
Christopher Cleary [00:02:40]:
Critical infrastructure was still sort of. We don’t want to acknowledge that they’re doing it. Then salt and volt typhoon come around, the cat’s out of the bag. It’s very clear to be now Almost publicly acknowledged. 60 Minutes just last week with General Hawk talking about the Chinese being in critical infrastructure at a water treatment facility in Littleton, Massachusetts, which was not so.

7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:03:04]:
Far from where you grew up. Right.

8
00:00:07,000 –> 00:00:08,000
Christopher Cleary [00:03:05]:
I used to play spy hunter in the Littleton House of Pizza. I get on my bike with a pocket full of quarters. So I know that town very well, grew up there. So I was like, oh my God, we’re talking about Littleton, Massachusetts. And of course, what Tim, General Hawke goes off to say is, well, why Littleton, Massachusetts? Well, why not? If I can engage infrastructure, it’s just going to cause some level of hate and discontent and confusion and just I’m going to affect the population in some way. Why not? Right. It’s going to cause it. So when you open that up and you start thinking about the technology that the Department of Defense depends on, the lion’s share of that is still controlled by the commercial sector.

9
00:00:08,000 –> 00:00:09,000
Christopher Cleary [00:03:45]:
So Guam would be a good example. You know, vault Typhoon and salt Typhoon. The Guam Power Authority, well that’s, you know, run by the Guam. You have the governor that’s interested and just to be able to respond effectively on Guam, you would need the Navy, the Air Force, dhs, cisa, doe, Guam Power Authority and the Guam government to all get in a room together and figure that out. So when you look at the dependencies and the way the DoD has it, it’s just the target set opens up so quickly. But now that we’re talking about it publicly, to get to the NDA as an example, I think because we are now talking about this a lot more openly, people are saying, well, what are you going to do about it? So there are no longer these classified secret discussions in back rooms. We’ve now got to get the language out to be more public. And I’m really encouraged by some of the things in this NDAA that are driving that.

10
00:00:09,000 –> 00:00:10,000
Frank Cilluffo [00:04:39]:
And Chris, we’re going to get to that in a second. But to put a fine point on it, it impedes the ability to project power, deploy forces because outside the base you have civilian critical infrastructure running, whether it’s transportation, whether it’s utilities and electricity and the like. And that I think has been reflected in the latest National Defense Authorization act and recognition that this isn’t something, I mean they’re pre positioned.

11
00:00:10,000 –> 00:00:11,000
Christopher Cleary [00:05:12]:
Correct. And just take legit logistics. Right. If I want to get fuel moved around in The Pacific theater of operations. We’ll have to embark that fuel in a couple of ports on the west coast of the United States. Well, there’s a mostly commercially owned facilities. So I could degrade the Navy’s ability to run around in the Pacific by just limiting the ability to move fuel on the west coast of the United States. Because since we shut down Red Hill in Hawaii, you know, there’s very millions and millions of gallons of fuel oil that doesn’t sit on that island anymore.

12
00:00:11,000 –> 00:00:12,000
Christopher Cleary [00:05:39]:
I now have to get it another 5,000 miles into theater. So if I’m the, if I’m the adversary, I just got to look at other ways to trip you up that does not involve me putting a weapon into a platform. I can just slow you down by degrading logistics in the environment which are very targetable.

13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:05:54]:
And I would imagine 2027 is top of people’s minds and indicators that could lead to all of that. The challenge I have with some of this is should we assume we are owned pretty much across the board.

14
00:00:13,000 –> 00:00:14,000
Christopher Cleary [00:06:09]:
So again, five years ago we would have not have said that. I think today when you look at Littleton, Massachusetts, if they’re in Littleton, Massachusetts, they’re everywhere. Right. So if you’re trying to defend that, well, Littleton might not be important from a national defense standpoint, certainly is important to the people of Littleton, Massachusetts. But when, but there are things that are very important to any of the services and I think our adversaries do that. There’s an interesting book called Under a Nuclear Shadow. I can’t remember the author’s name. She’s at pit, I think, and she basically talks about the Chinese larger strategy and how they’re going to engage us non nuclearly.

15
00:00:14,000 –> 00:00:15,000
Christopher Cleary [00:06:45]:
And their three lines of effort are counter space offensive, cyber and long range precision fires, hypersonics. Those are all relatively inexpensive, they’re all relatively quick to market and each of them are demonstrated to have strategic level impact. So if I can use offensive cyber to go after non traditional targets, well, I’m holding a lot of your infrastructure at risk now that we’re just not prepared to respond to.

16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:07:08]:
Yeah, and it’s an enabler to all of the above as well, whether it’s hypersonics or anything else. Right, so let’s get into what is with some of the provisions that are in the NDAA in particular, what, what sort of, what grabbed your attention?

17
00:00:16,000 –> 00:00:17,000
Christopher Cleary [00:07:23]:
So there was two, most notably that grabbed my attention. The first one was establishing some level of deterrence in cyberspace.

18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:07:30]:
And we’re going to get to that.

19
00:00:18,000 –> 00:00:19,000
Christopher Cleary [00:07:31]:
Discussion for operational technology. And this directs US Cyber Command to say, hey, how are we going to engage this problem? What offensive cyber capabilities should we looking at? What would be maybe a use of force case? Do we respond in kind? Do we open up response options to include things outside of cyber? Which I think of course we’re going to do. But it’s interesting that, because that language has never really been suggested before, certainly at an unclassified level, directing U.S. cybercom to start thinking about how you would engage in response to attacks on our critical infrastructure. There’s another one that now is calling for sort of a resiliency working group to figure out, hey, what are all the Department of Defense’s dependencies on things and how are we going to shore those things up? Which then harkens back to a lot of things that we were trying to do in the Navy and the Air Force and the army, and guys like John Garska that we talked about earlier and Darrell Hagley, who runs the CROCS office in the Air Force, are all trying to get their hands around that. And I would argue a couple years ago we were pushing a big rock up a very steep hill with very few people. I’m encouraged that now that this language is making into the ndaa, Darrell’s office CROCS might get a little more attention, a little more resourcing. John Garska certainly should get a lot more attention and a lot more emphasis put on the things he’s doing.

20
00:00:19,000 –> 00:00:20,000
Christopher Cleary [00:08:50]:
Katie Sutton, who’s now the ASD for cy, when she was a staffer, we would kind of talk about this all the time and the things the Navy was or wasn’t doing to get after this. I’m just encouraged that now that this language is out there, it’s really going to put a spotlight on this and the things that we’re trying to do five years ago, theoretically get moved a little higher on the priority list. I’m a little jealous that I’ll miss out on some of it because I really enjoy doing that work. But I’m encouraged by the people that I know who are still in the building who will take on that. That mantra, you know, that. That they will continue to push this rock up the hill.

21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:09:23]:
So there is a gap between awareness and actually execution and implementation. So. And obviously you need the resources there to get things done. Do you think that we will devote the resources?

22
00:00:21,000 –> 00:00:22,000
Christopher Cleary [00:09:36]:
This is an interesting. And I could tell just a funny joke, right? The thing that I’m still struggling with is why These two things haven’t connected. So we’re very, very aware of the adversary. Right. There’s no. And again, the cat’s out of the bag. There’s no secret.

23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:09:49]:
There’s no secret here.

24
00:00:23,000 –> 00:00:24,000
Christopher Cleary [00:09:50]:
We all in our structure. Littleton, Massachusetts. Right. And there are no shortages of companies or technologies or resources to apply to this problem. Dragos, Armis, Tenable ot. There’s. There’s dozens, there’s a bunch. Not as many as in the IT space, but there certainly are a bunch of people working on this problem.

25
00:00:24,000 –> 00:00:25,000
Christopher Cleary [00:10:09]:
The question is, why have those two things not come together? Why has the problem not elevated to such a point that the resources are applied to go get the technology we know exists to train the people or do whatever? There’s more language in the NDA about training people around ot. Again, very.

26
00:00:25,000 –> 00:00:26,000
Frank Cilluffo [00:10:22]:
We’re going to get into that, too. Yeah, yeah, yeah.

27
00:00:26,000 –> 00:00:27,000
Christopher Cleary [00:10:24]:
The, the, the, the cynic in me says you haven’t connected these two things in a way that a policymaker or a lawmaker or a decision maker can connect the two. And the joke that I always make is I like using the Ghostbusters as a reference. And for everybody who’s seen the movie, I imagine everybody listening to this has seen Ghostbusters. You know when Bill Murray at the end is talking to the mayor and he says, Mr. Mayor, if we’re wrong, we’ll go to jail and we’ll go with a smile on our face. And he goes, but if we’re right, you, sir, would have saved the lives of millions of registered voters. To which point the conversation is over. Because you put it in such a way that a policymaker is like, oh, I’m going to get reelected.

28
00:00:27,000 –> 00:00:28,000
Christopher Cleary [00:10:59]:
I’m going to get whatever. For some reason, we haven’t connected it in such a way that people are willing to move the resources above other things they consider important. I think we’re getting closer to that. But it’s how you make that argument or present this thing that you’re looking to go do that requires a resource and a body to go do it. I still think we’re missing the mark on connecting those two pieces.

29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:11:26]:
I don’t disagree. I like to say policy without resources is rhetoric. There is more and more policy. There is recognition. Unless you lived under a rock, you kind of realize what we’re dealing with. But I don’t always see that implementation. And maybe the issue is not above something else. It’s critical to everything else.

30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo [00:11:52]:
I mean, it’s sort of like Oxygen, Cyber is its own domain, but it transcends everything else. Right. And how do we make that a priority? Not after we get kicked in the teeth, but well in advance because I think we all know how this movie ends. Let’s try to get out in front of it. Let’s. Let’s talk about sort of how our deterrence posture and before we get into force structure and the like, whether or not we need a cyber force. And we’ve had a number of guests on to discuss that as well. But I thought a broader discussion around offensive cyber, which again, five years ago, you couldn’t really talk about CNA either.

31
00:00:30,000 –> 00:00:31,000
Christopher Cleary [00:12:37]:
Right.

32
00:00:31,000 –> 00:00:32,000
Frank Cilluffo [00:12:38]:
Computer network attack and the like. But where do you think we stand now? Where do you think we should be?

33
00:00:32,000 –> 00:00:33,000
Christopher Cleary [00:12:44]:
So it’s interesting because 10 years ago, working at the fort, or 15 years ago, the joke was you couldn’t even say the words computer network attack inside a skiff. That’s how sensitive that this topic was. Fast forward. We create Cyber Command. We create the Mission Force, and we eventually acknowledge that offensive cyber operations are a legitimate mission area, which would then go further to imply that we do these things. We’re not going to tell you how. It’s kind of like, you know, Special Forces. I don’t tell you how or where or why.

34
00:00:33,000 –> 00:00:34,000
Christopher Cleary [00:13:10]:
But it’s not a secret that SEAL Team 6 exists or Delta Force exists, but we don’t know how they operate necessarily.

35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:13:17]:
So then you’re night stalkers. You got to get all this.

36
00:00:35,000 –> 00:00:36,000
Christopher Cleary [00:13:19]:
Night stalkers, right. 1 60th, guys. Yeah, we got some friends that are pilots over there. So. So now we’ve acknowledged that this is a thing which would then go further on to imply that industry, just like everything else, is going to begin to build capabilities and capacity to help the DoD, you know, execute these mission areas. All right, well, why have these things not moved faster? Why has cybercom not be more mature or the mission force or readiness? I still think there’s a fundamental lack of understanding of how the community works and more of a belief system that the cyber community can do the things that it implies it can do when it needs to go do it. So I would still argue that the people who don’t understand this space consider some of this still a parlor trick. Like, it works in the lab.

37
00:00:36,000 –> 00:00:37,000
Christopher Cleary [00:13:58]:
I’ve seen it kind of, you’ve seen the demo, but I’m not sure it can work in the wild the way that you’re saying can work. Well, I am a true believer that cyber is a legitimate means and methods of warfare. And we are going to have to professionalize in it, it’s a first mover advantage. All those other things we’ve talked about before. But once again, kind of going back to the previous discussion of, well, how do you make the argument of why to invest in it? I’d say if deemed credible. So the credibility of this space is still the big thing that has to be established. But if established as credible, cyber capabilities are relatively inexpensive. Again, compared to $15 billion aircraft carriers, they’re relatively quick to market.

38
00:00:37,000 –> 00:00:38,000
Christopher Cleary [00:14:36]:
I mean, the development timelines around these things, again, it takes 15 years to build an aircraft carrier, and they’re relatively unconstrained by range. You know, all the physical things that we live with, you know, fuel consumption and speed of advances. And I got to figure out how to get a weapon from, you know, a factory in the United States to a target in the Nanjing military region of China. There are huge logistics chains that come along with that. Now, I’m not saying that access is easy for a cyber target. I mean, there’s, there’s many, many things that are as challenging in that sense. Space, the target changes, and all this other stuff, but again, relatively inexpensive. I might spend $10,000 on a cyber tool, and if it’s ineffective the next day, well, I’ll make another one.

39
00:00:38,000 –> 00:00:39,000
Christopher Cleary [00:15:15]:
Right? I mean, that’s just the nature of the beast that we’re in right now. And to imply that it’s not worth the effort because the adversary can change their target environment up, I’m like, well, where’s our change the environment button? That’s the one I keep coming back to.

40
00:00:39,000 –> 00:00:40,000
Frank Cilluffo [00:15:29]:
Exactly.

41
00:00:40,000 –> 00:00:41,000
Christopher Cleary [00:15:30]:
We are overly concerned about our adversary’s ability to do this to us because we know it’s not that easy to change our environments or update them in a way that says those tools are no longer effective.

42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:15:40]:
Roger that. And please disagree with me. I would also dispel another myth and tear apart my argument. But at the end of the day, we’ve in essence still been blaming victims. There hasn’t been the imposition of cost and incurring the consequences for bad cyber behavior. And the argument is it would lead to escalation. I would argue, how much more can we escalate than what we’ve seen with volt salt and you name the typhoon that comes out tomorrow.

43
00:00:42,000 –> 00:00:43,000
Christopher Cleary [00:16:14]:
And I very much agree with you on this. The, the victim blaming. And, and one of the things that I wasn’t a huge fan of, I mean, conceptually, I understood it when we were talking about secure by design. Okay, well, secure by design is a great construct, but secure by design based on what criteria?

44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:16:31]:
So I would add cyber informed engineering and sorry, I got to do it.

45
00:00:44,000 –> 00:00:45,000
Christopher Cleary [00:16:34]:
The right words. Right. If that’s. If those are the right words. But you know, I think we were talking about this once before. You know, if my requirement is to stay dry for my little girl to get on a school bus. So I’m going to Target and I’m buying a $10 raincoat, that’s all I need. If I’m going to go into the Himalayas or the rainforest or climb Mount Everest, I’m not buying my gear at Target.

46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:16:52]:
Yeah.

47
00:00:46,000 –> 00:00:47,000
Christopher Cleary [00:16:53]:
You know, I’m going to spend probably everything that I can spend to get something that’s going to be survivable in that environment. So the question is, when we go to build our own cyber environments, to what level should I expect anything to withstand a dedicated, sophisticated, well resourced adversary? Home router system. Yeah, I should keep it updated. I should buy something. But if China has targeted me as an individual at my house, I’m not going to survive that. Banks do a good job at this because you know, Donald Dillinger, it’s where the money is. Right. So they’re going to protect that.

48
00:00:47,000 –> 00:00:48,000
Christopher Cleary [00:17:24]:
Telecoms do a good job with it.

49
00:00:48,000 –> 00:00:49,000
Frank Cilluffo [00:17:26]:
Ish.

50
00:00:49,000 –> 00:00:50,000
Christopher Cleary [00:17:27]:
Right. They do better. Right.

51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:17:29]:
Okay, So I retract salt. They have. Yeah.

52
00:00:51,000 –> 00:00:52,000
Christopher Cleary [00:17:31]:
But, but that is a dedicated, sophisticated, well resourced adversary that’s trying to target.

53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:17:37]:
And no company went into business thinking they were defending against foreign militaries and intelligence services.

54
00:00:53,000 –> 00:00:54,000
Christopher Cleary [00:17:41]:
So the question is, when you start getting into these, these relationships, at what level should I expect a traditional company, whether it’s a defense contractor, all the way down to a flower store, what level should I expect of expertise that they’re going to have organically? And at what level do they cry uncle to where a responder is going to have to show up again? We were talking about this before. You know, I imagine there’s a fire extinguisher within the vicinity of us sitting here and a little small fire, we should be expected to deal with it. If the building’s on fire, we pull the fire alarm and the fire department shows up, which is trained, resourced and equipped to do things that we’re not capable of doing. I think we need to have this discussion.

55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:18:20]:
There’s no equivalent for cyber. Right. Who do you call?

56
00:00:55,000 –> 00:00:56,000
Christopher Cleary [00:18:22]:
Who do you call?

57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:18:24]:
Ghostbusters.

58
00:00:57,000 –> 00:00:58,000
Christopher Cleary [00:18:30]:
But what should be your level of expectation of some other resource coming to help you to do something that you are not capable of doing? And all the zero trust in the world is not going to stop. Again, a China A Russia, a sophisticated organization from targeting you, you know, should.

59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:18:46]:
We be more forward, forward leaning, should we be more proactive? What does that mean? Not in theory. You’re starting to hear a lot of discussion that we’re never going to defend our way out of this problem. And a lot of talk about offensive cyber from our policymakers. But what does that look like in practice?

60
00:00:59,000 –> 00:01:00,000
Christopher Cleary [00:19:08]:
The former administration, this could all change. But I really was a fan of their integrated deterrence strategy. Deterrence through denial, resiliency and imposition of cost. So, you know, resiliency and denial were things like. Or denial would be zero trust. I’m not going to give you access to a target. Resiliency would be, well, even if you got in, I’m going to keep the system or the function running. I think that’s a lot of the OT stuff like how do we keep electricity on even though I know that they have engaged it Integrated, blah, blah, blah.

61
00:01:00,000 –> 00:01:01,000
Christopher Cleary [00:19:35]:
The imposition of cost is an interesting one because that goes. That’s sort of multifaceted. Well, the more resilient or the more I can deny you to a target, it obviously costs you more to figure out a way to get into it. But when you start talking about imposition of cost, that you’re going to do something to me and I’m going to do something back to you. I think that’s where some of the language in the NDAA is getting at. Like, hey, what would be a response to some of these things? What would we have to be prepared to do things we might have to target authorities that are going to be available to us to, you know, and you don’t have to reply in kind. I mean, I’m not saying it’s cyber for cyber’s sake. A cyber attack on the world has.

62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:20:11]:
To be on the table, but it.

63
00:01:02,000 –> 00:01:03,000
Christopher Cleary [00:20:12]:
Has to be on the table. And I think what’s interesting about cyber is it’s, you know, it can be destructive, we all know that. But less destructive. I didn’t put a tea lamb into a building somewhere or, you know, sank a ship. I could do something that is theoretically recoverable, the period of time. It might be significant but not irreversible.

64
00:01:03,000 –> 00:01:04,000
Frank Cilluffo [00:20:32]:
But it also has to be public. Right. Because I have a feeling, and I’m not discussing anything I shouldn’t discuss, but we’ve signaled and we’ve demonstrated capabilities, but I’m not sure the adversaries always understood what we’re doing.

65
00:01:04,000 –> 00:01:05,000
Christopher Cleary [00:20:46]:
There’s a very specific line and I can’t remember, but again, in the NDA if you read it, one of the sub paragraphs is how would you signal a capability without maybe giving that capability away? So that’s an interesting one. And you know, that’s harder to work, but it’s important.

66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:20:59]:
And the. And it has to be a little public because you’re not only dissuade, deterring, or compelling the bad actor knocking on your door, it’s everyone else watching. Right? It’s. So if we don’t. Let me be very blunt, I am frustrated and I’d be curious. What more could we vault? Typhoon, I think, crossed any and every line in the silicon or the sand. What was the cost?

67
00:01:06,000 –> 00:01:07,000
Christopher Cleary [00:21:27]:
Well, so we get into definitions, right? One of my biggest pet peeves is the way we use the word cyber attack.

68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:21:34]:
Right?

69
00:01:08,000 –> 00:01:09,000
Christopher Cleary [00:21:35]:
The word attack.

70
00:01:09,000 –> 00:01:10,000
Frank Cilluffo [00:21:35]:
You. You and me both, and I use.

71
00:01:10,000 –> 00:01:11,000
Christopher Cleary [00:21:37]:
It, and we all use it. Right. We’re all guilty of it. But if you really get into the definition of it, laws around conflict, rules, engagement, all that other stuff. An attack is something specifically with the intent to damage or destroy equipment or injure or kill personnel. Okay. So if you’ve done an attack, you would have had to demonstrate those things. Now, an attack would then constitute, particularly in the military, rules of engagement, use of force issues, the way that I could respond to these things.

72
00:01:11,000 –> 00:01:12,000
Christopher Cleary [00:22:03]:
We haven’t established any of that stuff here because we call everything an attack. That’s so true. So.

73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:22:09]:
But if you. If you can exploit, you can.

74
00:01:13,000 –> 00:01:14,000
Christopher Cleary [00:22:12]:
Absolutely.

75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:22:12]:
Your intent is there, Right.

76
00:01:15,000 –> 00:01:16,000
Christopher Cleary [00:22:14]:
Solar winds as an example. Right. Would we constitute solar winds as an attack through that definition? Well, it certainly give you access to things. Things to steal information, whatever. I don’t like the fact that it.

77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:22:24]:
Happened, but it wasn’t sort of like salt, same thing. I don’t like that it happened.

78
00:01:17,000 –> 00:01:18,000
Christopher Cleary [00:22:28]:
It didn’t degrade or destroy anything. It could certainly have done it. But espionage, and we are certainly guilty of that as well, right?

79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:22:34]:
Yep. And I’m shocked. There’s gambling going on in the casino, right?

80
00:01:19,000 –> 00:01:20,000
Christopher Cleary [00:22:37]:
That’s right. Yeah.

81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:22:38]:
So.

82
00:01:21,000 –> 00:01:22,000
Christopher Cleary [00:22:39]:
But if you cross another movie, if you cross a particular line that I’ve defined something now as an attack, there should be some response to that.

83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:22:47]:
But I think voltage is that example, because there. And I think General Hawk made this point in his 60 Minutes interview of Littleton. What is the value other than preposition?

84
00:01:23,000 –> 00:01:24,000
Christopher Cleary [00:23:00]:
That’s right. And he said it very, very well. There was no intrinsic intelligence value to be on that target. The Chinese could go buy any piece of equipment at Littleton, Massachusetts, and roll it out to anywhere in China if They chose to. It’s all commercially available. They could design it. I’m sure the person that built the water treatment plant would be happily go over to China and build a water treatment plant looked exactly like it. So the only reason you are there is pre positioning to, to create, deny, destroy, disrupt.

85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:23:26]:
Unless you’re using it as a practice field.

86
00:01:25,000 –> 00:01:26,000
Christopher Cleary [00:23:28]:
Correct. And I would argue, but even then, you know, even I left my door unlocked. I would not be happy about finding a stranger in one of my children’s bedrooms.

87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:23:35]:
Yep.

88
00:01:27,000 –> 00:01:28,000
Christopher Cleary [00:23:35]:
Right. What are you doing? There’s no reason for you to be here.

89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:23:38]:
Yeah, absolutely.

90
00:01:29,000 –> 00:01:30,000
Christopher Cleary [00:23:39]:
Well, I was just, I wanted to see the bedspread. You go to Target, right. Go to Walmart, go. You don’t need to be in my house to see it. And I think that crosses a line yet. We haven’t defined any of those as norms.

91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:23:51]:
And I do think the time has come where we do have to give some real thought to what those lines are. And obviously they’re going to have to, we’re going to have to spend the time to examine what that is. I do feel signaling lines in the silicon. That discussion is ready.

92
00:01:31,000 –> 00:01:32,000
Christopher Cleary [00:24:12]:
Yeah. And I’ll plug. Gary Korn was a, was a former attorney, army attorney at cybercom when I was there. I think, Sorry, he works at a competitor organization. I’ll leave that one out of it. But somebody like Gary is very adamantly trying to, trying to run all these things down and he is carrying a lot of the water for the legal conversations around all of this and I champion that and I just, you know, I hope he continues to make the successes he needs to bring these conversations to, to the forefront.

93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:24:38]:
So what makes deterrence so hard and what do you think success looks like?

94
00:01:33,000 –> 00:01:34,000
Christopher Cleary [00:24:43]:
Yeah, so that’s a, that’s a harder.

95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:24:45]:
That’S a big one.

96
00:01:35,000 –> 00:01:36,000
Christopher Cleary [00:24:46]:
Deter means. Is there some cost imposition for you to do something? There’s some. You are convinced to not take this.

97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:24:51]:
Action, but it’s not the nuclear deterrent. I, there’s some straw men we got to shoot down. So.

98
00:01:37,000 –> 00:01:38,000
Christopher Cleary [00:24:57]:
But one of the models with the nuclear deterrence that, that does work is there’s deterrence theory, right. The five Cs capability, capacity, credibility, communication and commitment. And if you can demonstrate the five Cs, you can, you have a deterrence strategy. And I would argue in cyber you could demonstrate like we certainly have capability. Capacity you could argue is maybe not where it needs to be, but the other three Cs around communication, commitment and communicate. Communicate, I said it twice. Credibility. Are the ones that we’re trying to establish because if we could communicate our intent, like, hey, if you do X or Y, we will tell you we’re committed to it and we’re credible because we’ve done it in the past.

99
00:01:38,000 –> 00:01:39,000
Christopher Cleary [00:25:41]:
So I think our deterrent strategy from a cyber perspective, we’re missing some of the C’s. We haven’t demonstrated that we’ll either communicate or we’re credible.

100
00:01:39,000 –> 00:01:40,000
Frank Cilluffo [00:25:49]:
Incredible. That will actually respond. So lean forward. Do we have the force structure? So say we all do agree that we need to be a little more proactive and we need to treat offensive cyber like any other capability outside of this particular domain.

101
00:01:40,000 –> 00:01:41,000
Christopher Cleary [00:26:11]:
My personal opinion, the short answer is no. And I would argue this is why we’re having discussions about a cyber service or cyber force and all of those. I know you had Josh on not that long ago.

102
00:01:41,000 –> 00:01:42,000
Frank Cilluffo [00:26:21]:
Josh and General Cardone. Yep.

103
00:01:42,000 –> 00:01:43,000
Christopher Cleary [00:26:23]:
And they’re working and I’m, you know, full disclosure, I’m part of that working group is right.

104
00:01:43,000 –> 00:01:44,000
Frank Cilluffo [00:26:27]:
Good.

105
00:01:44,000 –> 00:01:45,000
Christopher Cleary [00:26:27]:
But having seen this from the services perspective, not that the Navy did not want to do this, but got other priorities. Columbia class submarine is an expensive, manpower intensive platform that is a no fail mission for the Navy that, you know, they have to get that done. So when you go down the priority list of getting to cyber. Well, it’s on their list. They certainly acknowledge they got to do it, but it’s not near the top of the list. And when you look at the way China is investing with their information forces and you know, I think for our mission force, which I think sits at around 2,000 members, you know, they have 10 or 15 times that doing similar activities because they’ve seen, I think, the return on investment and the value that it offers their joint force to go do these. Do we need a similar structure? I would argue that we do. There’s retention problems, there’s training problems, there’s getting to a level of proficiency problems that we’re trying to work through.

106
00:01:45,000 –> 00:01:46,000
Christopher Cleary [00:27:20]:
But I would argue that, you know, my number one reason for a cyber force, if somebody needs to go to work every day and say this is.

107
00:01:46,000 –> 00:01:47,000
Frank Cilluffo [00:27:26]:
Why I’m forcing function to do it. Exactly.

108
00:01:47,000 –> 00:01:48,000
Christopher Cleary [00:27:29]:
This is my number one reason for being at work.

109
00:01:48,000 –> 00:01:49,000
Frank Cilluffo [00:27:31]:
And, and you know, and I don’t want to get overly wonky here, but when you look at the CCP or you look at some of the other, they’re integrating computer network attack into their war fighting strategy and doctrine. That’s different than a separate capability. It is part and parcel is that’s kind of where we need to be right.

110
00:01:49,000 –> 00:01:50,000
Christopher Cleary [00:27:50]:
And I would argue, having seen some of the ways that we do it is it’s a lot of cyber. The way that we’re looking at through it is to enable other things like I’m going to do.

111
00:01:50,000 –> 00:01:51,000
Frank Cilluffo [00:27:59]:
And it is that.

112
00:01:51,000 –> 00:01:52,000
Christopher Cleary [00:28:00]:
But it’s more and I’m going to do things in a particular theater to degrade your ability to see me moving, whether a ship, a plane, a tank or whatever. And that’s going to enable my platform to get closer to its target, a person on the ground, a tank, a plane, a ship, as opposed to saying, well, why are cyber effects in themselves not first mover advantage and just the fact that I’m doing this cyber activity, I don’t have to move the other forces around. The cyber action in itself should be enough of sending the message or the signal or degrading a target and assuming.

113
00:01:52,000 –> 00:01:53,000
Frank Cilluffo [00:28:31]:
There is some momentum around the standing up a cyber force. So cyber comm would have the operational role. Cyber force would build the capabilities through.

114
00:01:53,000 –> 00:01:54,000
Christopher Cleary [00:28:41]:
And to tie all this whole conversation together. When you look at one of the things that we debate on the cyber forces, you we do sort of see it through the lens of it’s a military organization, Title 10 to do military things.

115
00:01:54,000 –> 00:01:55,000
Frank Cilluffo [00:28:54]:
Yep.

116
00:01:55,000 –> 00:01:56,000
Christopher Cleary [00:28:54]:
My opinion is if you were to use the Navy as a model, that I would argue a cyber force of the future looks more like a Coast Guard than a Navy.

117
00:01:56,000 –> 00:01:57,000
Frank Cilluffo [00:29:03]:
Interesting.

118
00:01:57,000 –> 00:01:58,000
Christopher Cleary [00:29:04]:
Why is that?

119
00:01:58,000 –> 00:01:59,000
Frank Cilluffo [00:29:04]:
Well, a Coast Guard auxiliary has.

120
00:01:59,000 –> 00:02:00,000
Christopher Cleary [00:29:06]:
Well, a Coast Guard has a Title 10 authority. I mean, they can be put under the Navy if they have to, but they can also pull a boat over and say, show me your life preservers.

121
00:02:00,000 –> 00:02:01,000
Frank Cilluffo [00:29:16]:
Yep.

122
00:02:01,000 –> 00:02:02,000
Christopher Cleary [00:29:16]:
Right. They can go into a port and can expect and inspect it. They have a lot of domestic things that they can respond to. And I would argue when you open up a cyber force with Cybercom now having a responsibility to respond to ot things with a working group, you know, you tie all these things together. Well, a lot of the things you might want a cyber force to do would be internal to protect or defend against attacks domestically as opposed to doing things.

123
00:02:02,000 –> 00:02:03,000
Frank Cilluffo [00:29:41]:
You know, that’s an interesting. Just to pull that thread a little further. When we think of data joint in. In a military environment, it’s the services. Maybe you can bring in the Title 50 entities and figure out how to synchronize Title 10, Title 50 occasionally 32 if it’s bringing in the Guard or unfortunate Title 18, you know, 18 and 10. But. But do we really need a Goldwater Nichols that goes to industry or at least where you have industry spending time in the shoes of service and vice versa. Versa.

124
00:02:03,000 –> 00:02:04,000
Christopher Cleary [00:30:16]:
What’s interesting about that is when I’ll talk to an industry about again we’ll use Littleton, Massachusetts as a perfect example. You have found yourself in the crosshairs of a nation state adversary who would be looking to bring Title 10 kind of effects into your organization to degrade your ability to perform your mission. You are in some instances a legitimate military target. So because we would have this conversation around it security all the time and like the my. Well the Chinese are always trying to get my information. Yeah I got it. Intellectual property they’re trying to sell. But in some instances if you find yourself as labeled a traditional military target, it goes well beyond cyber.

125
00:02:04,000 –> 00:02:05,000
Christopher Cleary [00:30:56]:
They could put a kinetic weapon in one of your buildings because that’s a legitimate action to take to degrade your ability to support a DoD mission. Blah blah blah blah blah. And I think when you open up this aperture and you start talking to several industries, your oceans don’t protect you anymore and now you’re seen as again legitimate military targets of our adversaries. They’re going to see spend resources to degrade your ability to perform whatever function the Dow depends on.

126
00:02:05,000 –> 00:02:06,000
Frank Cilluffo [00:31:23]:
And from a broader national perspective it gives visibility what the Brits would call rich picture where Littleton of course is at the pointy end. But it also could be emblematic and reflective of a much bigger set of issues afoot. So if Congress does move forward, what do you think the biggest hurdles would be to, to stand this up?

127
00:02:06,000 –> 00:02:07,000
Christopher Cleary [00:31:45]:
It’s a resourcing, right? I think when, even when you look at the NDAA I learned very, very.

128
00:02:07,000 –> 00:02:08,000
Frank Cilluffo [00:31:50]:
Painful because I always find DCs quick with if they can’t fix something, build something new. And I’m not suggesting we don’t need in fact I think we probably do. But, but that can’t be the.

129
00:02:08,000 –> 00:02:09,000
Christopher Cleary [00:32:02]:
It’s a resourcing and a prioritization thing because I think even when I experienced whatever NDAA came across my desk of the X things that were on it, you only seem to get to a third of them. Right. So there’s some things you just never got around to doing for whatever reason whether it was resources or priority and some of the things I would argue the NDAA is asking us to go do. John Garska has at his desk right now. But you don’t need to do this. I have it right here. I’ve had it for years. I’ve done these exercises, I’ve demonstrated these things.

130
00:02:09,000 –> 00:02:10,000
Christopher Cleary [00:32:30]:
So don’t spend six months on trying to. Well, what are the threats, the adversaries? We know what those are.

131
00:02:10,000 –> 00:02:11,000
Frank Cilluffo [00:32:36]:
That’s. It’s.

132
00:02:11,000 –> 00:02:12,000
Christopher Cleary [00:32:37]:
Now, how do we roll out capability, capacity, train the workforce, put some umbrellas of protection? Maybe the DOW has a mission that under a certain level, you know, you now bring Baltimore Gas and Electric under your protection umbrella because it provides most of the electricity to the National Security Agency.

133
00:02:12,000 –> 00:02:13,000
Frank Cilluffo [00:32:57]:
And I do think the adjutant generals and the National Guard do play a significant role in this. Chris, we’re almost at the end of our time. What questions didn’t. Didn’t I ask that I should have.

134
00:02:13,000 –> 00:02:14,000
Christopher Cleary [00:33:07]:
No, we got to a lot of them. I just think when you tie all these things together, it does seem like we address these things individually and not whack them. All right? And not acknowledge they’re all connected. So when we were doing, you know, even cybersecurity with inside the Department of the Navy, because it touched so many things, there was no, in my opinion, intelligent design to try and say the whole Department of the Navy, look, there’s so many interdependencies, there’s so many individual program offices, there’s so many authorities. Somebody kind of has to be bringing this whole thing together and at least see the big picture. This is why I’m bullish on Sean Cannon Cross and, you know, you and me both, which to say, look, Sean, you know, what you need to do is really pull a lot of these people together. When I was the pca, Chris Inglis never called all the cyber principles, doe, dhs, CISA into us and guys, once a year, we should at least all get together. I’m hoping Sean does that, because what that will do is to bring a lot of these things where everybody has some piece of the equity, but nobody’s responsible for the whole thing.

135
00:02:14,000 –> 00:02:15,000
Christopher Cleary [00:34:11]:
Somebody has to convene a group of people together to say Guam. We’ll just use Guam as an example. Navy, Air Force, doe, dhs, cisa, Caesar, all get in a room to. Caesar. Yeah, Caesar, get in a room together and tell me what you’re going to do about Guam Power Authority, because that’s the only way you’re going to solve it.

136
00:02:15,000 –> 00:02:16,000
Frank Cilluffo [00:34:29]:
Chris, thank you for spending so much time with us today. Thank you for your service over all these years. And I failed to mention you’re a senior fellow. Thank you for supporting.

137
00:02:16,000 –> 00:02:17,000
Christopher Cleary [00:34:39]:
Thank you for having me.

138
00:02:17,000 –> 00:02:18,000
Frank Cilluffo [00:34:40]:
Thank you, Chris. Awesome.

139
00:02:18,000 –> 00:02:19,000
Christopher Cleary [00:34:41]:
Thanks.

140
00:02:19,000 –> 00:02:20,000
Frank Cilluffo [00:34:41]:
Frank, thank you for joining us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.

Related Content