
DOD cyber policy nominee vows to ‘reevaluate’ offensive cyber guardrails

President Donald Trump’s pick to be the Defense Department’s next digital policy chief on Tuesday said she would reassess policies for offensive cyber operations to ensure the Pentagon is keeping pace with the “exponential” changes to the domain.

Katie Sutton, nominated to serve as assistant secretary of defense for cyber policy, specifically pointed to a directive from Trump’s first term, known as National Security Presidential Memorandum 13, that relaxed the rules on the use of cyber weapons, as well as defense policy legislation from around that time that deemed digital operations a “traditional military activity.”

“I believe we're at a point where we need to reevaluate those and make sure that we're postured to be able to respond to the increasing speed of cyberattacks, and that we are able to address the incoming impacts of AI,” Sutton, who is currently chief technology advisor to the commander and director of Pentagon operations at U.S. Cyber Command, told the Senate Armed Services Committee.

Lawmakers on both sides of the aisle pressed Sutton on whether the U.S. is doing enough to deter digital attacks from foreign adversaries like China, especially after Beijing-backed hackers known as Volt Typhoon and Salt Typhoon have burrowed into U.S. critical infrastructure and penetrated the networks of at least nine telecommunication companies, respectively.

“As I have watched the domain evolve over the last decade, it is very clear that our adversaries are becoming not only increasingly capable, but also increasingly aggressive in the domain,” according to Sutton, who had been a professional staff member on the committee focused on cybersecurity.

She said that while China has “grown immensely in size and is aggressively looking at adoption of technologies” like AI to scale their capabilities, the U.S. has “taken a lead and we still maintain some of the best technical talent” at developing and adopting new tools.

On deterrence, she noted that while “we need strong defenses, we are not going to deter the adversary with defenses only, and that, if confirmed, I will work to strengthen our offensive cyber capabilities to ensure the President has the options he needs to respond to this growing threat.” 

“It's so vital that the world knows that whatever any country can do to us in the cyber world, we can do as much, and more, to them as well.”

Sen. Tim Kaine (D-VA) wondered why the U.S. isn’t a “little more candid with the American public about our offensive use of cyber so that they're aware that we're not just playing deeply, but that we actually have an offensive capacity that we use.”

Sutton noted that a decade ago “we barely even mentioned” offensive cyber, however “there's a bit of a culture change — just as we've seen a culture change when we used to see threats in cyberspace, we just kept them.”

With the establishment of things like the NSA Cyber Collaboration Center “we now work very hard to take what we see in the cyber domain and share it with industry so that they can defend. I think that same culture change needs to happen and how we discuss cyber deterrence.”

In addition to reviewing offensive cyber policies, Sutton vowed to tackle DOD’s longtime failures to recruit and retain digital personnel. 

“From my experience, some of our most talented operators and analysts at U.S. Cyber Command stay in the force, not solely for financial incentives … but also giving them the ability to stay on mission, to execute the mission and to defend our nation. That is what brings them into work every day,” she told the panel.

It was not immediately clear when the Armed Services Committee would vote on Sutton’s nomination. 

Laurie Buckhout, a retired Army colonel who ran for Congress in North Carolina last year as a Republican and was picked to serve as the deputy assistant secretary of Defense for cyber policy, was recently tapped to lead the Pentagon’s cyber policy shop in an acting capacity until Sutton is confirmed by the full Senate.

Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.