The Hammer and the Anvil: Offensive Cyber Strategy with Chris Inglis
Season 3 Episode 2 •Show Notes
Chris Inglis joins Frank Cilluffo to break down what offensive cyber strategy should look like in an era of strategic competition. Drawing from the McCrary Institute’s new report on U.S. cyber policy, Inglis argues that resilience and consequences are not competing theories—they have to work together. He explains why “defend forward” and persistent engagement reshaped authorities and expectations after 2018, including how NSPM-13 changed delegation for operations. The conversation also tackles the messy seam between Title 10 and Title 50 in cyberspace, and why integration—not exquisite tools—will decide whether cyber power is truly strategic.
Main Topics Covered
- Why offense and resilience must operate as one integrated cyber strategy
- Cyber deterrence as changing an adversary’s decision calculus, not perfection
- How NSPM-13 helped shift delegation and operational tempo in 2018
- What “defend forward” means in plain terms—and why it’s defensive
- Blurring of Title 10 and Title 50 in cyberspace—and why that matters
- The warning: the U.S. is behind on integrating cyber with power
Key Quotes
“My view is that the discussion of whether it’s going to be a focus on defense kind of inherent resilience or a focus on imposing consequences is a false choice.” — Chris Inglis
“But when you get to cyberspace, it turns out that the Title 50, which is trying to get information from cyberspace, and the Title 10, which is trying to actually achieve effects in cyberspace, are about 90% the same.” — Chris Inglis
“[With defend forward] We’re not going to wait onshore for [malicious cyber activity] to arrive and then kind of cede the initiative to adversaries.” — Chris Inglis
“What keeps me awake at night? We don’t have time. We’re way behind the curve.” — Chris Inglis
Relevant Links and Resources
McCrary Institute report — U.S. Cyber Policy: Offense, Deterrence, and Strategic Competition
Guest Bio
Chris Inglis is the former U.S. National Cyber Director and former NSA Deputy Director, with decades of experience in national security and cyber policy.
Transcript
1
00:00:00,000 –> 00:00:01,000
Chris Inglis [00:00:00]: This really is kind of any hammer needs an anvil and any anvil is useless without a hammer. And so we got to get both parts of those right. The discussion of whether it’s going to be a focus on defense kind of inherent resilience or a focus on imposing consequences is a false choice.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:18]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and I’m joined this week by one of my co chairs, Chris Inglis, who is a leader of all things cyber, former deputy Director of the National Security Agency, a decorated veteran of the US Air Force, the nation’s first National Cyber Director, and now involved in a major effort by the National Academy of Sciences. But we’re here this week to discuss a paper we released just before the holidays. US Cyber Policy, Offense, Deterrence, and Strategic Competition. Chris was one of our co chairs along with General Frank McKenzie and Tom Bossert, and we’re going to drill deep into the study. So, Chris, thank you so much for joining us.
3
00:00:02,000 –> 00:00:03,000
Chris Inglis [00:01:09]: It’s a pleasure to be with you, Frank. Thanks very much for the opportunity.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:01:12]: Chris, so I thought we’d start a little bit contextual and maybe on the substance itself. I hope everyone actually does download and read the report. But what were some of the big takeaways from your perspective as to why we jumped into this and more importantly, what some of our findings were?
5
00:00:04,000 –> 00:00:05,000
Chris Inglis [00:01:34]: Yeah, so I think, well, first of all, thank you for the pleasure and the privilege of being a part of that effort. I learned a lot in it and I think it’s a really important opportunity to describe how we got where we are, but more importantly to lay a foundation for what we might do forward. I love the title of it to start with because offense, deterrence and strategic competition is in part a declarative statement, which is we’re in an age of strategic competition and cyber is in full play. It is an instrument of power and the offense and deterrence being employed by others is not asymmetrically or it’s not being done by us in equal measure. I think when you look at the great power competition that’s ongoing at the moment, think about China, Russia, the United States as being the principal players and that not the only, but the principal players. China and Russia are way ahead of us in terms of thinking about how they might use cyber as an instrument of power, fully integrated with other instruments of power. That’s not to say that we don’t have game. We’ve got some extraordinary capabilities, but we haven’t integrated those in the same way.
6
00:00:05,000 –> 00:00:06,000
Chris Inglis [00:02:41]: And so strategic competition is a reality. Offense and deterrence really is the subject matter of that report. And I find upon my reread of the report, which I helped to write, I’ve learned things in terms of how to stitch that together as a basis for consideration going forward.
7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:02:58]: Thank you, Chris, and I’m glad you brought that up. This was really to set the stage. It was long on explaining where we are, how we got here, and a little short in terms of where we want to go. And I know that there are other efforts, including our own, that are looking at that and, you know, as a, as a backdrop, why is defense and resilience not enough when we think about cyber? So I think a lot of the attention has been rightfully focused on that, but in itself, it’s insufficient. Correct?
8
00:00:07,000 –> 00:00:08,000
Chris Inglis [00:03:37]: By itself, in and of itself, it is insufficient, but so is offense by and of its own self insufficient. This really is kind of any hammer needs an anvil, and any anvil is useless without a hammer. And so we got to get both parts of those right. There’s a broad diaspora of threats in this space. Some might be simply complacency or incompetence on the part of the users. Some might be criminal elements. And they’re enormously prodigious in terms of coming at us day after day. The lucrative assets they might acquire, just too attractive.
9
00:00:08,000 –> 00:00:09,000
Chris Inglis [00:04:15]: And then there are a few, but they have an outsized effect, rogue nation states or nation states that are using this as an instrument power coming at us. We require a range of remedies to deal with those. It might well be that we can get most of the cretins off the field by just strengthening our defenses, make us or make ourselves a harder target. Right? That then would say a bias towards inherent resilience is the right strategy to deal largely with that center of gravity. But that doesn’t take care of those that say, I’m coming at you anyway, and I’ve got the capacity and the willpower to actually kind of breach your inherent resilience, your defenses, because nothing can be made perfect. So you need to have some remedies for them.
10
00:00:09,000 –> 00:00:10,000
Chris Inglis [00:04:57]: But those complement each other. It’s not a choice between those, it’s an alignment of all of those. So my view is that the discussion of whether it’s going to be a focus on defense kind of inherent resilience or a focus on imposing consequences is a false choice. There was a great kind of beer commercial years ago. I won’t advertise the beer, but the tagline on that was less filling, great taste. Turns out that both of those things were true and the competition between those two parties was not rational.
11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:05:26]: Well, very well said and love the tie back to less filling, great taste. I, I want to sort of jump into, and this is a topic you and I have discussed for many years, not many days, but looking at, and, and I think you talked about how resilience can be an element of our deterrent strategy. That’s one part of the, one side of the coin. The other side is obviously a willingness to impose cost and consequences on bad cyber behavior. I’d be curious, you want to lay out a little bit of this, articulate your views in terms of cyber deterrence?
12
00:00:11,000 –> 00:00:12,000
Chris Inglis [00:06:07]: Yeah. So the McCrary report, that was the stimulus for this discussion, I think, does a really nice job of looking over the shoulder and saying, what did we define deterrence as in an age of great power competition, where the principal resource on the field in terms of the end game, was a nuclear weapon? That was a very different world, and it was one where what we really needed to do was to make sure the weapon was never used. Deterrence was a binary proposition. It was absolute. We needed to make sure that thing never showed up. And therefore the means and methods we would employ had a different outcome in mind in terms of the absoluteness of our success. But tucked inside of that, deterrence was, and deterrence remains, an attempt to change the decision calculus of somebody that’s going to do something you don’t want them to do. We’re still dealing with human beings.
13
00:00:12,000 –> 00:00:13,000
Chris Inglis [00:06:59]: They’re today using cyber weapons more than kind of perhaps nuclear weapons on a daily basis. And therefore we can still change their decision calculus. And how do you do that? For millennia, we’ve known you can change somebody else’s decision calculus by making it such that if they aspire to do something, if you make it harder for them to do it, they’ll think twice about whether they’re going to expend the effort to do that. Inherent resilience kind of fills that gap. If you actually stoutly defend the thing that they’re after, then they might think twice about kind of wanting to get caught in the bargain. If you say, I’m going to impose a cost on you, if I catch you doing it, again, you’re kind of affecting their decision calculus. All of those add up to the possibility that cyber deterrence is viable. But we have to have some humility about how successful we can be of being complete and keeping that adversary off the field.
14
00:00:13,000 –> 00:00:14,000
Chris Inglis [00:07:51]: We’re not going to be able to do that.
15
00:00:14,000 –> 00:00:15,000
Frank Cilluffo [00:07:53]: Well said. And ultimately, I hate coming back to the analogy, but I do. It’s like any football team, you’re not going to win the national championship, neither Miami nor Indiana if they are all offense or all defense. You’ve got to be able to integrate all the, those pieces together.
16
00:00:15,000 –> 00:00:16,000
Chris Inglis [00:08:12]: Let me borrow that analogy. I, I’ve known football teams in the past that played defense on one field and offense on another. The two sides never showed up at the same time on the same field. It never works.
17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:08:24]: Well said. Well said. So just turning to the offense offensive discussion just a teeny bit, what do you think some of the day to day battle rhythm goals are? I, I, I mean clearly we have some very exquisite capabilities and I think there have been some policy dilemmas that maybe we haven’t fully addressed and authorities and the like. But I’d be curious what you think that looks like in a day to day environment.
18
00:00:17,000 –> 00:00:18,000
Chris Inglis [00:08:54]: Yeah, I think policy matters, but before I get to that, I would just say, you know, what are the aspirations of a policymaker or a combatant commander in the case of U.S. Cyber Command for the use of cyber power that they want it to work when and where they need it? And they might not be able to predict in advance precisely where that is. It might be that we’re going to wake up tomorrow and there’s a new area where we want to impose a consequence using cyber assets, where there’s a new threat where we want to defend again by, with and through the use of digital infrastructure. And if cyber can’t deliver on a no notice proposition anywhere in the world against any adversary, kind of perhaps some that we haven’t fully anticipated, then it can’t be completely strategic. It’s something that you begin to doubt as to whether this really has a role to play in the panoply of other instruments of power that actually are quite willing and able to kind of have a no notice proposition. There was a study the Defense Science Board did, I think it concluded in about 2018 called cyber as a strategic capability. And what it really tried to get to the heart of is how do you make cyber meet the aspirations that I just described, which is when you turn to it and say I need you now here, it doesn’t say give me three months. And that is less about policy.
19
00:00:18,000 –> 00:00:19,000
Chris Inglis [00:10:17]: Policy has to enable what I’m about to describe. Then it is about familiarity with the terrain, muscle memory necessary to navigate that terrain, agility and the delegation of initiative necessary for the people and the technologies on that terrain to adjust to changing circumstances. If you can do those, then cyber can step up and become a truly strategic capability. So you need to make sure you understand what your aspirations are first. Then you need to set policy and the assets. And the assets are more than technology, it’s people too. And then the policy and doctrine can follow to make sure that that actually is teed up to do just what you’ve asked it to do.
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:10:57]: You know, very well said. I often say we have a lot of tactics masquerading as strategy. First we need the strategy and then, and then build the tactics, techniques, procedures around that to be able to achieve some of those goals. And I think we’re, we’re, we’re getting to that point. But to stick with the sports analogy for a second, for those of us who’ve been in D.C. for a while, George Michael used to be a sports analyst, and he would always say, back to the time machine. So let’s go back. And you brought up 2018.
21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:11:30]: I think NSPM, or National Security Presidential Memorandum 13, which came out in 2018, was a bit of a, a watershed moment. Any, and, and we spent a lot of time in our paper looking at that. So I, I’d be curious what some of your thoughts are going back in time in terms of what it means for today.
22
00:00:21,000 –> 00:00:22,000
Chris Inglis [00:11:53]: Yeah, I do think that was an inflection point. And inflection points have a before and an after. That’s why they’re inflection points. They’re in the middle of those two very different situations. So let me go back a little bit further. So when U.S. Cyber Command was formed, 2009, 2010, it came into IOC in 2010, its initial operating status, it was created to ensure that we didn’t simply put all the cyber assets in the same place, but I think with the aspiration that it would be a truly strategic capability against our earlier discussion. But in 2014, I’ll never forget this, I think it was Secretary of Defense Hagel said something that didn’t surprise anyone.
23
00:00:22,000 –> 00:00:23,000
Chris Inglis [00:12:33]: We all thought it was reasonable. But in 2014, he said, we have built this thing, but we’re going to use it with great restraint and kind of discretion. I perhaps added the wrong adjective. He’d say, great, but we’re going to use it with restraint and discretion because we don’t want to overplay our hand in this space. And so those that are worried that we’re about to militarize cyberspace or the Internet don’t worry about that. We’re going to use this kind of thoughtfully. We’re going to use the principles, I will kind of insert these principles. We’re going to use the principles of necessity and proportionality.
24
00:00:23,000 –> 00:00:24,000
Chris Inglis [00:13:06]: 2017 we saw some number of transgressions between 14 and 17 on the part of nation states. But 2017 was an eye opening year. In the spring of that North Korea did something called WannaCry, which took down vast infrastructure, the national health system in the United Kingdom went down. The summer of 2017 with NotPetya which the Russians were going after the Ukrainians. But that thing escaped and it brought down broad swaths of our critical infrastructure. And so that was a lesson that perhaps our restraint was escalatory. So 2018 then was the kind of the inflection year. You’ve mentioned NSPN 13.
25
00:00:24,000 –> 00:00:25,000
Chris Inglis [00:13:46]: The guts of that were classified then have been complemented by further presidential decision orders which I think remain classified. But what it did was to fundamentally change the delegation of authority to organizations like Cyber Command as to when and where they could engage adversaries. Gave them an envelope and said within this, for some well defined, upfront well defined envelope, you may proceed and execute, execute my word campaign. You can go after them without coming back to say mother may I for each discrete, you know, kind of fire. But, but there are two other things that happened in 2018 and the paper I think brings these out. One was, is there was a declaration by the Congress in law that that cyber operations were traditional military activities. And what that does is to allow some degree of delegation with the attendant responsibility to meet kind of to live within a collateral effects envelope.
26
00:00:25,000 –> 00:00:26,000
Chris Inglis [00:14:43]: We’re going to give you the authority to do this with some initiative to balance, but you’re accountable to make sure it does what it’s supposed to do. It doesn’t have any perhaps kind of significant negative consequences. And the third piece was the creation and deployment strategy we know today as defend forward and a sub piece of that which is persistent engagement. We’re not going to wait onshore for these things to arrive and then kind of cede the initiative to adversaries. We’re going to engage these things as these threats kind of are kind of on the rise so that we have the highest possible leverage and the earliest possible opportunity to deal with those threats. That’s not a provocative kind of activity. Secretary Hagel in 2014 would have been pleased in 2018 we had not actually entered into an era of provocation.
27
00:00:26,000 –> 00:00:27,000
Chris Inglis [00:15:30]: What we’ve said is that if there’s a provocation out there that would hold us at risk, we’re going to engage it. And so I think that was the trifecta year at the core of that, to your point, was NSPM 13. But it was really important that cyber was described as a traditional military activity and that we then kind of lived that dream by saying we’re going to engage these activities that hold us at risk, highest possible leverage, earliest possible opportunity.
28
00:00:27,000 –> 00:00:28,000
Frank Cilluffo [00:15:54]: Chris, I mean, I’m really glad you jumped in to defend forward and persistent engagement. I was clearly going to ask that question. In very plain terms, what does that mean? I mean, I know in our world we live that, but I’d be curious, in plain terms, what do you think that entails?
29
00:00:28,000 –> 00:00:29,000
Chris Inglis [00:16:16]: If you know that there is an adversary or perhaps somebody who is going to use cyber power to your detriment, if you know that that’s true, you’ll have sufficient evidence for a range of insights. Maybe it’s intelligence, maybe it’s diplomacy, maybe just read the news. You shouldn’t wait back to figure out what they’re going to do with that as they arrive inside your network, as they essentially kind of hit your perimeter. You should, as we have done for millennia, move forward and use the assets you have to persistently understand what are they doing, how are they using those, how are they holding you at risk? And when you find it necessary to actually suppress those things that are holding you at risk, again, the provocation comes from them, not from us. Then you forward defend, meaning you go as far forward as possible to hold those kind of in check. And defend forward, as defined by the U.S. Defense Department, was essentially something that was always intended to be done in coalition, that we would kind of find who was the, who were the parties that owned the infrastructure on which we needed to operate and open up a collaboration with them so that we could help them defend their infrastructure. And in so doing, the lens through which that might be perhaps aimed at us within the United States. The long story made short, it’s really a defensive play that’s proactive as opposed to the leading edge of a provocative offensive play.
30
00:00:29,000 –> 00:00:30,000
Chris Inglis [00:17:44]: And we’ve done this with defense attaches, with diplomats, with legal attaches forever. Why would we not do this in cyberspace?
31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:17:53]: Yeah, that was a beautiful explanation on a, on a complex matter. So thank you for that. And I, I, I, I want to stick with the, in simple terms sort of concept. A lot of discussion around Titles 10 and Title 50, Title 10 being Armed Services, Title 50 being intelligence and the synchronization. Can you give a little bit of backdrop in terms of why that matters? What is an intelligence operation, what is military and obviously where they blur?
32
00:00:31,000 –> 00:00:32,000
Chris Inglis [00:18:24]: Well, it’s a pity we only have 30 minutes and we’ve consumed some amount of that.
33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:18:28]: But you did it so well in terms of defend forward, so I’ve got to ask.
34
00:00:33,000 –> 00:00:34,000
Chris Inglis [00:18:34]: Well, I mean, this is really, this, this, it’s important to understand history. There was a time when domestic security and foreign or national security outside of our borders was not just distinct in terms of geography, but it was distinct in terms of the parties that were accountable to try to actually deliver it. Domestic security, we have law enforcement organizations, we have the governance that is attending to the federal bureaucracy, the Congress, the judiciary, state, local, territorial, and all of that for most of our history has worked such that we could within our borders essentially do what was necessary to achieve the order and stability that we need for this society to move forward. Outside the country, it’s a different matter. Right? We all are keenly aware of World War II or keenly aware of the global war on terror. It requires a different level of focus in different authorities. Now, that doesn’t kind of cleanly explain the difference between Title 10 and Title 50, but Title 50 essentially is born of history.
35
00:00:34,000 –> 00:00:35,000
Chris Inglis [00:19:39]: Where Title 50 was, they were intelligence capabilities focused outside the United States to essentially try to understand what foreign efforts, foreign initiatives, I hesitate to say nation states because Al Qaeda might not be a nation state, but what foreign activities would hold us at risk. And Title 50 was largely defined to focus on that and not to focus on domestic intelligence. Why? Because the homeland is handled in a fundamentally different way. And the rights and privileges of U.S. persons, that’s not just U.S. citizens, but that’s people who have the right to live here or people who just are here legally in the moment. They deserve a different standard in terms of how we’re going to achieve order, discipline, stability there.
36
00:00:35,000 –> 00:00:36,000
Chris Inglis [00:20:25]: So Title 50 focused on the intelligence purposes was focused overseas. Part of the reason we kind of had this surprise on 9/11 was that the NSAs, the CIAs of the world, were hugely focused overseas. The FBI was focused domestically, using their own title, Title 18, and there was a seam. And kind of nature finds and exploits seams. That happened on 9/11. Title 10 is an authority in law that defines the authorities of the kind of the combatant, kind of the combatant assets that we have. How do we manage violence? We don’t manage violence within the United States? We manage violence abroad. Right?
37
00:00:36,000 –> 00:00:37,000
Chris Inglis [00:21:04]: We deploy our armies, our navies, our air force to defend the sea lanes or to essentially impose consequences on others by, with and through the appropriate application of military authorities. That’s not something that we apply domestically. And so Title 10 was for the military focused overseas. Now, they were defined, as I just described, in a way that was rational in the day. But when you get to cyberspace, it turns out that the Title 50, which is trying to get information from cyberspace, and the Title 10, which is trying to actually achieve effects in cyberspace, are about 90% the same. Right? What you need to do is to understand the nature of the territory, cyber, need to actually kind of make your way along that perhaps cracking through a firewall or kind of holding something at risk so that you can open a door and you can insinuate yourself in. And only in the last 5 to 10% of the operation do you do what you actually showed up to do, which is to take perhaps some information back and constitute, through Title 50 lenses and authorities, information to help the nation understand what risks there are in the world or in the last 5, 10%, to say, now I hear at the moment, I can close the trap and I can impose a consequence on some presumed adversary.
38
00:00:37,000 –> 00:00:38,000
Chris Inglis [00:22:20]: The first 95% of Title 10, Title 50 in cyberspace is the same. And it actually defies kind of our realization of experience in the physical world. We got there insidiously. It wasn’t something that we knew going into the prosecution of activities in cyberspace, say, 25, 30 years ago, but here we are. That’s why it’s so kind of difficult. And if you remove the boundary between Title 10 and Title 50, all of a sudden, all these other protections about how do we defend the homeland in a particular way, how do we defend US person privacy in a particular way. They might go out, that baby might go out with the bathwater.
39
00:00:38,000 –> 00:00:39,000
Chris Inglis [00:22:57]: I perhaps have made this more complicated than not, but it’s the nature of the dilemma. How do we actually get these things exactly right?
40
00:00:39,000 –> 00:00:40,000
Frank Cilluffo [00:23:05]: You know, that was exceedingly well articulated. And I might just add, looking back to the global war on terrorism and in a post 9/11 environment, syncing up those authorities doesn’t just happen on its own. We don’t just press a button. It takes scar tissue. It takes being in the same foxholes. It takes experience, it takes trust, and it takes some time. And ultimately that culminated, at least in my eyes, to a JSOC sort of capability, Joint Special Operations Command. But, and I think we’re at the evolution now where we’re seeing what that could and should look like.
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:23:47]: But to get there, it’s going to take some time and ultimately you need to know where you want to end up. So I think I get back to some of the strategy because when I look at cyber capabilities, people often look at a capability is different than integrating it into your war fighting strategy, doctrine and everything else. And I think that’s precisely where that recalibration is today. Disagree with me, but when I go back to 9/11, I think that was arguably the greatest success.
42
00:00:41,000 –> 00:00:42,000
Chris Inglis [00:24:17]: I don’t actually. So my experience, my experience, some of which I’ve learned from others, some of which I’ve actually experienced, kind of would say that you’re exactly right. Look, I’m a long time kind of creature byproduct of the United States Air Force. And I was taught early on that the reason they took the Air Force away from the army, no offense to people who love the army on this podcast, the reason they took the Air Force away from the army is that the army thought that the Air Force was long range artillery and therefore had a limited view of what it might then achieve. So the capability wasn’t the issue. The doctrine, the aspirations and the use of that, that was the issue.
43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:24:54]: Exactly.
44
00:00:43,000 –> 00:00:44,000
Chris Inglis [00:24:54]: Which is why we then, now, today have an Air Force that thinks about air power and air supremacy. And that doctrine, which transcends merely long range artillery or close air support or all the other manifestations of that. I think we have to go through the same thinking in terms of what is cyber, what is cyber power and for what purposes would we employ that? In the absence of that strategy, nothing can be strategic.
45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:25:16]: You know, over the holidays, and none of us have the details, and if we did, we wouldn’t be talking about them specifically, but absolute resolve, you saw a culmination of cyber and publicly discussed by the Chairman of the Joint Chiefs, the President and others, the role that cyber played in this particular campaign. Anything in particular that stood out for you, Chris?
46
00:00:45,000 –> 00:00:46,000
Chris Inglis [00:25:45]: Well, at first I would kind of give the caution you had, which is that neither of us want to talk about classified information. I don’t think either of us have it. But I’ll go on the basis of what I heard the Secretary of Defense and the Chairman of the Joint Chiefs of Staff say, which is that cyber did play a role. I’m comforted by two things. One, that cyber as an instrument of power was in play. It’s not something we use simply because we had it. But if we’re going to do something that requires the application of Title 10 authority and the resources that are then attended to that Title 10 authority, then cyber either plays or it doesn’t. And cyber played. Second, it was an instrument of power.
47
00:00:46,000 –> 00:00:47,000
Chris Inglis [00:26:26]: It wasn’t the instrument of power. It was part of a larger campaign that achieved some effects, that ultimately all of those were after some larger strategic aspiration. We can argue whether that strategic aspiration was the right one or was at the right time. But if you look at the execution of the United States military and the resources that it brought to bear, cyber looked like it was integrated. And I was comforted by that.
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:26:54]: And I might note not to go back to nuclear deterrence, because we are looking at this very differently. But as the line in the Dr. Strangelove movie went, what good is having the Doomsday machine if no one knows you got it? I think part of this is also signaling publicly, and I’m actually happy we’re, we’re discussing this publicly because it’s putting some of our adversaries on notice. Right? It’s not just the direct adversary, it’s everyone else watching.
49
00:00:48,000 –> 00:00:49,000
Chris Inglis [00:27:25]: But, yeah, that, that, that is both boon and bane. Right? So I agree with you, but sometimes the right choice is to not use it. So sometimes the right choice is to say there’s a better tool, right? And so we need to always think about what’s the kind of the transcendent strategic aspiration, maybe for some military objective that is subordinate to some national security objective, and then what’s the right set of tools to bring to bear? And what is really useful about the American approach, which is not unlike our allies approach, is the integration, you know, is more important than the application of any one of the silos. Look, I kind of came a long way in the Air Force, active and reserve, and it was very clear to me at the outset that I needed to develop a competence that was useful on some battlefield, but that was going to be applied in combination with all the other assets on that battlefield. If I didn’t understand joint, if I didn’t live joint or kind of in the coalition, if I didn’t understand what coalition warfare was, then I was going to be no good whatsoever. I couldn’t live in my stovepipe and say, yeah, I’ve done the air thing. We’ve dominated the airspace.
50
00:00:49,000 –> 00:00:50,000
Chris Inglis [00:28:31]: If we still lost the war, then all the parties that failed to integrate, that failed to understand the transcendent peace, were accountable. This thing is wider than it is tall, despite the fact that sometimes we fall in love with the depth kind of the silos within which we live.
51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:28:46]: Love it. Love it. We’re in a new year, it’s 2026. What’s one thing that’s got you most excited about where we’re going? And what’s the one thing that keeps you up at night most concerned?
52
00:00:51,000 –> 00:00:52,000
Chris Inglis [00:29:00]: I think what’s got me excited, you know, and sometimes optimism is its own reward, so, you know, might be unrequited aspiration here, but, but what’s got me most excited is that the questions that are being asked, I think are the right questions. Right?
53
00:00:52,000 –> 00:00:53,000
Chris Inglis [00:29:14]: What are our strategic aspirations? What do we have as expectations of the contribution by the various assets we can bring to bear? And it’s not just technology, which is so often the thing that’s fixating in this realm in cyberspace, but what’s the right skill, what’s the right doctrine, what’s the right degree of integration? What’s the video look like as opposed to the picture, the snapshot of the capabilities that we would put up kind of in some arsenal or on some org chart? And I think the questions that I hear kind of in my daily bump and grind are much more thoughtful than we knew how to be 15, 20 years ago. I think we ask the right questions and we kind of tap the right people, we’ll get some good answers and then the muscle memory based on actually applying those on putting those in harm’s way will iteratively get us to a better place. As you mentioned, right, it looks to me through an unclassified lens like Cyber Command and the cyber assets made a difference, you know, a discernible, useful difference. Right? In the Venezuela campaign, tt was also a public note by the Secretary of War that it made a difference in the attacks on the TONs earlier or mid-2025.
54
00:00:53,000 –> 00:00:54,000
Chris Inglis [00:30:29]: So I think we’ve got plenty of opportunity to employ this. Not because we want to, not because we simply have it, but because we need to. And the question seemed to be kind of helping us understand how to do that in the most strategic way possible. What keeps me awake at night? We don’t have time, right? We’re way behind the curve. So when you look at what in particular Russia and China have done to think their way through the use of cyber as an instrument of power and their integration of that into the way that they hold others at risk, or they deploy and realize their own strategic aspirations, we might win in a head to head contest of any particular capability taken unto itself in isolation, but I don’t think we’re in a great place in terms of the integration of all of that. In part because the rules that we are living by, which is very appropriate, we follow, but the rules we’re living by were designed for an earlier time when this degree of natural integration didn’t exist. There was a distinction between home and away.
55
00:00:54,000 –> 00:00:55,000
Chris Inglis [00:31:34]: There was a distinction between cyber and kinetic. All of those distinctions are increasingly being worn away. And the Chinese and the Russian kind of national security institutions are in some cases leading that deterioration, but in all cases taking advantage of it.
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo [00:31:52]: Chris, thank you for your wisdom, your commitment. Thank you for all the support you provided us in putting together this report. I might note, and this is a combination of your positive and negative, I’ve long said for too long we’ve let our adversaries shape our strategy. We’re reacting to whatever they do and that becomes our strategy. I think we’re at the point where maybe we can shape that and get ahead of the game. I’m often told an optimist is a pessimist with experience. I’m still an optimist.
57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:32:27]: Not always easy, but I’m optimistic because I get to work with great people like you. So, Chris, thank you. Thanks for all you’re doing and keep fighting the good fight.
58
00:00:57,000 –> 00:00:58,000
Chris Inglis [00:32:37]: Back at you, Frank. Thanks very much for the opportunity to kind of like work alongside the McCrary Institute and you.
59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:32:44]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.
