Question: What do you see as the most surprising event since the last Asymmetric Threat Symposium in May 2012, and how could it have been averted?
MG Jones: I don't think it was a surprising event, but the evolution of what some people call the Arab Spring and how it has evolved surprised some policymakers. Now, clearly, there were people who talked about democratization and what the outcomes could be in terms of more extremist elements being able to increase their control and influence. But from a policymaker's standpoint, it is as if we were surprised by just how violent and unstable these emerging democracies have become.
As far as if it could have been averted, I don't really know. Certainly there were voices that expressed concern, but I'm not sure that they were listened to necessarily in years past. And there was still a kind of ideological drumbeat — not really understanding or acknowledging the very high level of risk this democratization effort or movement would have.
Question: In dealing with surprise, denial, and deception, how would you rate the United States' efforts in interagency cooperation, and what do you see as the strengths or weaknesses in this area?
MG Jones: We have markedly improved interagency cooperation, certainly at lower levels and at the tactical level on the ground, where people are working together. That's been a huge turnaround in terms of improvement. At the national level, it's improved — probably not nearly as much — but I think that our interagency cooperation is probably better than at any time I've seen it before. Obviously there's always room for continued improvement.
Question: In dealing with surprise, denial, and deception, how would you rate the cooperation of our federal, state, and local governments?
MG Jones: I think the cooperation is there. What fails us is that we still have a large number of legacy systems and rules for information sharing and other residual things from a less cooperative time. So I still think there are improvements to be made in giving people the tools to better cooperate and share information faster. We still have challenges in terms of the systems that support our people and their level of cooperation.
Question: How would you rate national efforts in critical infrastructure protection, and what are our strengths and/or weaknesses?
MG Jones: Clearly we have huge vulnerabilities in critical infrastructure protection. For example, there was a story in the media a couple months ago about entry into a nuclear power plant by an unauthorized person, and there's a gaping vulnerability in the cyber domain.
In fact, it goes back to this idea of strategic surprise. Clearly there are voices out there saying we have a huge vulnerability and we need to do something about it. But at the most senior levels of government, whether it's in Congress or the administration, we haven't been able to actually do enough about the warnings that a number of voices are trying to give us. And so it leaves us with a presumption that they either don't take the threat seriously or they're not listening. Regardless of the outcome, we still have this very large vulnerability, and I think that we are not taking sufficient action to reduce it.
Question: How would you rate government-private sector cooperation in the context of dealing with surprise, denial, and deception?
MG Jones: The public-private partnership is clearly what's needed, but I'm not seeing it. We have the Chairman of the Joint Chiefs of Staff, the Secretary of Defense, and others saying repeatedly and loudly that we have this very large vulnerability in the cyber domain. My personal mantra with people is that the cyber 9/11 equivalent is going to happen. It's not a question of if, it's when. And it's a shame, because it doesn't have to. But we can't get Congress to act.
On a related note, while the topic is about being surprised, the bottom line is it shouldn't be surprising. The question is: If you knew something was coming and you did nothing about it, does that really mean you were surprised?
Question: What is the likelihood of a "cyber Vietnam" or "cyber Afghanistan" occurring? In other words, a conflict that is not only impactful, but drags on for a long period?
MG Jones: We're currently in a state of conflict. The number of cyber attacks that go on every single day — both on the governmental and the private side — is remarkable. For our country and for the entities in our country, there is a cost to be paid for this state of conflict. Part of that cost is what you pay to protect yourself. Part of it is the cost that you don't know about — for example, somebody stole your blueprints, created a knockoff, and is selling that in the commercial market, and therefore you are not selling your product. That conflict is ongoing and serious, and it can get worse.
But I think a bigger threat than the ongoing conflict is having our electrical grid or network shut down. What would happen to the country if we just shut down the grid for any period of time? How long could big businesses like Amazon.com operate and stay in business, for example, without having network access? The bottom line is these are huge vulnerabilities. They are ones where our protection is insufficient, and the policy apparatus of our country is certainly not doing anything significant to mitigate our risk.
Question: Which asymmetric threat worries you the most?
MG Jones: I think the most dangerous asymmetric threat for us is cyber, and that's because there is virtually no aspect of what we do nowadays that doesn't have a cyber component — whether it's defense, industry, or infrastructure. The cyber capability we have is almost like air because we have to have it to function normally. For a limited period of time, we can probably figure out how to deal with a temporary outage or some interruption, but the reality is that we are very, very dependent on it.
Collectively, there are no real workarounds for what happens if we have a catastrophic cyber attack, so that's the one that I am most concerned about. And coincidentally, it's the one I think we probably know the least about, because in order to really know what penetration we've had — what things reside either in our systems or on our networks — we need a set of diagnostic tools that I think we just don't currently have in place across all the dependencies. So we don't know just how significant the threat is.
Question: Do you see any asymmetric advantages that the United States has and willingly forfeits?
MG Jones: We restrain ourselves to some degree in terms of what we do that we could do asymmetrically. But I don't know of anything — other than maybe in the cyber domain, to some degree — that I'm uncomfortable with in terms of our self-restraint right now.
There is a downside to using all of our capability. Obviously, we have the capability to use nuclear weapons, and it would not be to our advantage to resort to it very frequently. So sometimes we get a better outcome by exercising restraint, and it seems to me we probably have the right balance, again, with maybe some exceptions in the cyber domain.
An interview with
Former Chief of Staff, U.S. Central Command
Strategic Corporate Advisor, Senior Vice President
CACI International Inc