How Hard Is It to Launch an Offensive Cyber Operation? With TJ White

What does it take to plan and execute a cyber operation? Cyber operations like the SolarWinds attack don't just materialize with the flick of a switch. They require months, even years, of planning.

Russian cyber actors and their affiliates have been conducting a wide range of cyber operations against targets in Ukraine and further afield.

What if Russia retaliates for recent sanctions and stages offensive cyber operations against the US? What if Russian targets include our nation’s critical infrastructure, national power grid, or our military?

In this new episode of Finite State’s podcast, “IoT: The Internet of Threats,” Vice Admiral TJ White, US Navy (Ret.), former commander of US Fleet Cyber Command/US 10th Fleet and Navy Space Command, offers us key insights about US offensive cyber operations, the challenge of securing large networks, and what it takes to plan and execute a cyber operation.

During this 37-minute episode, TJ and Eric Greenwald, Head of Cybersecurity Policy, and General Counsel at Finite State, examine:

• Growing concern around potential targets of Russian cyber operations
• The US government policy and process for planning and approving offensive cyber operations
• The extreme challenge involved in defending big networks—and how the US government is getting better at helping private companies do just that

Also, in a 17-minute bonus track, listen in as TJ and Eric deep-dive into the policy and process surrounding offensive cyber operations, exploring how PPD-20 established a framework for US offensive and defensive cyber operations, but also generated a lot of fear in the cyber community. They also explore the new wide-ranging cyber authority that NSPM-13 brought to the DOD and Cyber Command and the controls that keep today’s cyber operations in the US in check.

All episodes of Finite State’s “The Internet of Threats” podcast can be heard on Spotify, Apple Podcasts, and Google Podcasts. Listen to this episode in its entirety below:

Episode Guest: Vice Admiral TJ White, US Navy (Ret.), former commander of US Fleet Cyber Command/US TENTH Fleet

Bio: TJ White served more than 37 years in government, including high-level assignments in intelligence, cybersecurity, and cyber operations for the US Navy. He served as Deputy Director for NSA’s elite hacking unit — Tailored Access Operations — and capped off his military career with a tour of duty as the Commander of US 10th Fleet.

Full Podcast Transcript:

Eric Greenwald: And now it is time for this week's interview segment where I am joined by TJ White. TJ and I have known each other for I guess it's probably about 12 years now, something like that, is it, TJ? He and I met up when we were both working at Fort Meade. What rank were you in the Navy at the time?

TJ White: At the time, I was a captain or an O-6.

Eric Greenwald: An O-6 at the time. You experienced a pretty meteoric rise after that. TJ was the, among other very impressive and important jobs, TJ was the Deputy Director of the Tailored Access Operations outfit at NSA, which is probably one of the very coolest jobs in cyber that exist. He, after you know, a few other transitions, moved on to become the Commander of the Tenth Fleet in the Navy and retired as a three-star admiral. In the Tenth Fleet job, he was responsible for maintaining the net … the defense of the network of the entire US Navy, which I think is probably just about as daunting a job as it sounds. I have loved the time that I spent working with TJ in government. And, in addition to his incredible experience, and his truly magnificent civil service in his own right, you were 37 years in government? Is that right, do I have that …?

He managed to serve alongside some truly notable folks. When you and I met, you were working directly for General Alexander who was DIRNSA at the time, working alongside none other than Paul Nakasone, now DIRNSA himself, and Jen Easterly, now the Director of CISA at DHS, and then in your job as Deputy Director, TAO, you were there with Rob Joyce. So, you have … not only have you done some extraordinary tours of duty, you have managed to serve alongside some similarly, luminary public servants. So, I … so let me just say it's an honor to have you on the podcast. And, you know, now, you've been retired for 18 months, is it? … And, and, and in that time, you've just been, you have been taking all the extraordinary cyber knowledge that you gained during your time in government, and you're now sharing it with a select few lucky entities. So, you know, I am glad to have you join me in the private sector. But I am sad that the government no longer has the benefit of your incredible skill set. But welcome, TJ, thank you very much for being on the podcast.

TJ White: It's my great pleasure to be here and great to see you. I remember those times that we shared together, pretty fast-moving, pretty heady, and consequential. And really sort of setting conditions for the future of cyberspace for the United States and partners and allies around the globe. So, it was an absolute pleasure to serve.

Eric Greenwald: Yeah. And it's worth noting that at the time that I mentioned, when TJ was working for General Alexander, that was right after the stand-up of Cyber Command. So, you were, you were there, although obviously, Cyber Command came from two existing component commands, you were there at the foundation of what is currently, you know, the Cyber Command outfit in the US military. So yeah, you and I have both seen things evolve over quite some time. And it's actually with that in mind that I want to ask you a couple of questions about what's going on in the international landscape right now. And, in particular, looking at the conflict in Ukraine at the moment. You know, there's been a lot of conversation about what we have and have not seen in terms of cyberattacks coming from Russia, you know, whether as a part of their military operations, or attacks directed against countries that are supporting Ukraine. What I wanted to know is, as you see the conflict evolve, especially now that we're getting reports that despite Russia's efforts to focus its military efforts, they still are not achieving success. Do you see that as increasing or decreasing the risk that they might actually start to launch more aggressive cyberattacks against Western targets?

TJ White: Eric, that's a good question. I don't know that we actually are observing enough to assess, more or less. I think it's also important to say, let's focus on, you know, what we would call a theater of operations. And from a Russian perspective, that would be the Ukraine and their near abroad, and they have been very active in cyberspace, certainly, for a number of years prior to Ukraine in 2014, in Crimea, but certainly since 2014, until the present, Russian cyber actors and affiliates have been conducting a wide range of operations in it through cyberspace, across a wide variety of target sets in the Ukraine, from government, IP-based services, to infrastructure and operational technology. So, they have, in my view, been very active already. I believe they continue to be active. And to this question about why are we not seeing more of it? You know, out of the theater, it could be that we are becoming more adept at contesting them as, as they continue their operations on the ground, and in the air, and in cyberspace oriented on the Ukraine.

Eric Greenwald: Well, I know one of the other threads that keeps coming up is people who actually understand, such as yourself, what's involved in planning, and then actually executing a cyber operation. Acknowledge that, Hey, you can't just turn these things on and off. And, so, what are your thoughts about how, whether its distraction, or lack of planning might be impacting Russia's ability to actually generate significant cyber effects? In the parlance?

TJ White: Yeah, so I think it's distraction. It’s probably something that they had accounted for, to a degree. You know, we have a saying, which you'll remember and have heard often: no plan survives first contact. So, I think that there's a substantial amount of planning for operations in cyberspace. And I think they had built a campaign, from the design through execution, to have operations in and through cyberspace, fully embedded and integrated into their schema maneuver in the Ukrainian theater of operations. You know, when you talk about things in cyberspace, you know, a good …. SolarWinds, a public release in December of 2020, sort of outed the fact of a compromise inside that software supply chain. And then as people in the industry and government partners started looking backwards in time, they began to see artifacts and evidence of initial precursor staging lateral movement operations, for a period of time maybe 18 or 24 months in advance. And to be clear, for that to happen, some probably in the leadership chain of that advanced persistent threat, likely made a decision 18 months before that. So, think about backing up the SolarWinds release from December of ‘20 to operations likely starting, you know, in the fall of ‘17.

Eric Greenwald: Yeah, so, we, I mean, we don't know what we will see, what we won't see. But what we see will … is something that they will probably have to … have had to have started planning quite some time ago. Is that what you're saying?

TJ White: Exactly right.

Eric Greenwald: Well, so one thing that we know the Russians have been active in, dating back years and years, is gaining access to critical infrastructure, in particular, power generation systems in the United States. What's your level of concern that if Russia decides they want to turn their attention to US targets as retaliation for sanctions, that they might actually start taking shots at the power grid?

 TJ White: Yeah, that's a really good question. And I am entirely confident that members in the industry that power generation, distribution, utilities, and private owners, as well as those instruments that the government, at least for the United States, anyway, DHS’s Department of Energy, the Department of Defense, when duly authorized, are very aware, and they're very capable. But you know, there is this expression, Eric, you know, we live in the glassiest glass house. And I think we need to be very aware. And it's going to take some time, and it will take some resources in order to get this platform, our national distribution grid, power distribution grid, resilient and robust the way that we should want it to be.

"There's an expression that we live in the glassiest glass house, and we need to be aware that it will take time and resources to get our national power distribution grid resilient and robust."   -TJ White

---

Eric Greenwald: last question on this topic, and I know you've been out of the game for 18 months. But, based upon what you were seeing before you left and what we might be able to recognize as general trends, do you feel like the US government is leaning far enough forward in sharing detailed threat information? For example, with critical infrastructure partners.

TJ White: Yeah. So, Eric, I think, you just take a look at the run-up to the Russian maneuver on the ground and cross-border operations, which, you know, formally kicked off, you know, on February 24 of this year. And there had been in any number of reports, open-source talking about Russian internal logistics movement, changes in their sustainment profile, you know, mechanized forces shifting location in and around the country. You know, that was a very good effort, I would say that the United States government, its intelligence community, and its national security enterprise, were not surprised by that. And I think they have seen the value in accepting a small amount of risk, you know, prudently assessed to disclose and operationalize, you know, what historically might be considered sensitive information, or intelligence. That said, I think that there are some things that ought to be done together, or at least that the United States government can do to reduce a little bit of the concern that the private sector might have with sharing data and information with the US government, and that the US government could operationalize, perhaps exchanging that information more completely and …. But that is not a … it's not a trivial problem set. And we do need to be very careful and judicious about how we exchange that information. These are things that you are certainly as or more aware of, you know, based on your background, and understanding the nexus between national policy and law, and then you know, what you're actually authorized to do or not do. This may require some action from Congress in order to enable and empower the executive branch to be more aggressive and bold in sharing.

Eric Greenwald: Yeah, this is a … obviously it's a challenging topic. And certainly, you and I, from the days that you and I were working first, together, we've seen some significant changes in the willingness of the government to either declassify threat information or to lean forward in terms of sharing classified information with key partners in ways to preserve that, the sensitivity of the information, I want to shift and talk a bit about the United States and its own offensive cyber capability. And you and I are going to have a longer conversation about this that we'll make available on the podcast website. But I want to just ask you, at a very high level, because you've had the opportunity to work across a number of different administrations, on planning, proposing, implementing offensive cyber operations. And I just wanted to get a sense from you like, what are you? What are you seeing in terms of trend lines? How big of a difference do you observe from one administration to the next, in the approach to offensive cyber operations?

TJ White: Yeah. So that's a good … that's a good question, Eric. I would say, if you think back to the 2007-8 timeframe, whatever cyber was, or whatever it was thought to be, it was not fully formed and it was not completely agreed. And, so you might, you might say that there was some, some care and due regard, in thinking about where the authorization and approval change would start and stop, and what the level of rigor and focus would be on actually authorizing the conduct of an operation. But, to be clear, then and now, and at every point in between, any operation that has been undertaken by the US government, and its agents, whether in the intel community, or the Department of Defense, are fully authorized, there is appropriate oversight, there is a mechanism to explain, put the operation in context, put the value proposition and the risk adjudication in front of the decisionmakers and to move forward. I do believe that you know, in that time period from sort of 2007 and -8, until now, you've seen a trajectory, which has been more operations being conducted, an extraordinary degree of confidence, a level of output has been achieved, as briefed by design, by the operational commanders. I'm confident inside the DOD absolutely with US Cyber Command, as also with inside the intelligence community and those agencies that do this work. And I think that what you're seeing now is that there is an expectation that operations in cyberspace are consequential and can have an impact.

Eric Greenwald: That's … it's good to know that we're seeing that kind of trend because certainly when you and I were first working together, it was hard to get a cyber operation approved, it was hard to get people to even understand what we were talking about. But for those listeners interested in getting a little bit more, check the podcast website, we'll have a link for a much deeper dive on this topic where TJ and I will geek out on the history and authorities associated with offensive cyber operations in the United States. But now what we're going to do is turn to your time in the US Navy, as commander of the 10th fleet, and the challenges you've faced in the product security arena. I just want to start by having you talk just very briefly about what the role of the commander, the 10th fleet and the 10th fleet as a whole is in the Navy.

TJ White: Sure, so I mean … Eric, it’s probably a couple of hats, right? So, you know, it begins with US Fleet Cyber Command, that's a dual opposition with Tenth Fleet, and then US Navy Space Command. And then there's a couple of subordinate issues directly related to the role I had as a subordinate operational command to US Cyber Command. So, Tenth Fleet is one of several numbered fleets inside the United States Navy. Generally, numbered fleets are organized geographically. So, for example, Fifth Fleet is aligned to Central Command. Seventh Fleet is aligned to Indo-Pacific Command. And United States Pacific Fleet and Tenth Fleet is the only one that has sort of a global remit and mission to secure, operate, defend, and conduct and plan full-spectrum cyberspace operations for the Navy, but also as a joint force operating under US Cyber Command. And, so, on the one hand, all day, every day, it's about secure, operate, and defend the Navy's communications, command and control networks, and enterprise. Those are afloat networks. Those are short terrestrial networks, Internet Protocol, IP, NIPRNet, SIPRNet, and so on, as well as all the special purpose communications used to command and control maritime forces around the globe. And, so, that's a … it's a lot to do. It's fun to do it. But it's hard. And it's all day, every day. No rest for the weary.

Eric Greenwald: Well, and this podcast is generally intended for professionals involved in defending, you know, their own companies’ networks, whether the, you know, working, managerial, or executive level. And I stop to think about the job that you had, like defending every damn system in the Navy, like, just think about a single US warship or submarine, not even a nuclear-powered submarine. And you think about all the systems that you got on there that need defending? How do you even wrap your head around trying to, you know, you … your first day on the job as Commander, Tenth Fleet? How do you even wrap your head around that job of defending all of those networks, all those systems?

TJ White: Yeah. Well, I mean, to be clear, it was really beneficial that some of my predecessors had done a great job, you know, setting conditions for success for anybody, no matter how good or how bad I was going to do it as a leader. The second thing, I would say, the Navy has an absolutely magnificent, professional IT workforce, information professionals on the officer side, and IT or information technologists, on the enlisted rating side. And, and they are very, very good, very well trained, and also highly educated. And frankly, they also get a lot of time doing it. Because you know, our Navy, your Navy is a 24/7, every time zone operation. Ships are deployed, planes are deployed, submarines are deployed. And the Navy conducts operations everywhere, all the time, you know, Arctic Circle to Antarctica, in every time zone. And, so, one of the things that we learned as we left the 19th century into the 20th century, was the power of wireless radio communications. And that began this idea that you could command and control ships, move them around, and do that with confidence that they will do what they were directed to do at a specific point in time. And then they can report back the nature and the status of their health and comfort, mission readiness, and so on. And so, you know, probably a million and change active user accounts, a billion active duty and reserve around the globe, three, generally different network baselines. And that's just for the IP stack. And, you know, not always the same. So, I would say the single largest challenge was that you didn't have a uniform standard, or a perfectly consistent architecture around the globe, for the Navy. Now, on the one hand, that could be a feature, because that means any adversary that's looking to do something against you might have to solve a lot of problems and discover many vulnerabilities, not just one. But, on the other hand, that makes the operations piece, sometimes very difficult to manage. And so, configuration control, I think, is one of the large problems. And then Eric, as you will know, you know, people, no matter how well-intentioned, are very often the weak link, because they don't see things the same way. They don't appreciate and understand things to the same level, they get fatigued. And, and you know, we sometimes don't make good cognitive decisions. And, so, it's easy to human engineer outcomes, easier than we would like.

Eric Greenwald: I am I'm now having a flashback to the daily stand-ups at Cyber Command where one of the running metrics was okay, in the last 24 hours, how many times did somebody plug a SIPRNet machine into the internet?

TJ White: That's right. Yeah, and so … so those things are going to happen, right. So, I would say, on balance, the Navy has done a pretty good job of improving its infrastructure and its readiness. But I think, sometimes very large corporations, you know, one of the … one of the power, one of the features of technology is that, you know, you can step change, and improve readiness and resiliency pretty quickly. But when you talk about the amount of money and resources it takes to buy that step change, and the time it would take to apply it across every asset and resource and platform and base in the Navy, you know, nothing can be done overnight. You know, you have shifts that are underway in the middle of an operation. And you want to be very careful about making any changes to an operational network that's in the middle of a live mission. And, so, you probably, you know, we're always playing catch up with the technology that the Navy wants to insert across its information enterprise.

Eric Greenwald: Yeah, we were actually in the news roundup, we were talking about some challenges, just in the process of understanding the time lag in understanding and then patching vulnerabilities coming from the very beginnings of the supply chain, just being able to have that roll up and get that information and then have the patches bubbled up from the people who are at the very bottom of the supply chain, it takes an incredibly long period of time. And, all of a sudden, you've got people building systems and moving on with, you know, incorporating code that people already know, is vulnerable. But that, you know, the change, the vulnerability hasn't bubbled up, the patch hasn't bubbled up. So, they're moving forward. And wait around. And yeah, you know, as you say, the Navy is a 24/7 worldwide operation. You can't sit around and wait for, you know, a CVE patch, you know, until you do turn the system back on. Well, TJ, thank you so much for sharing your time. I really appreciate it. Hope we get to have you back on again sometime soon to share more of your wisdom. But it is it has been a pleasure as always to chat with you.

TJ White: Eric, thank you very much. The pleasure has been mine and my best wishes for the good fortune of you and Finite State. It’s a great company.