It is an understatement to say that Michael Sulmeyer shoulders a heavy weight.

In his dual roles as the inaugural assistant secretary of defense for cyber policy and the principal cyber advisor to the secretary of defense, he is the senior official responsible for supervising Department of Defense policy for cyber operations while at the same time serving as principal advisor to the secretary of defense on military cyber forces and activities.

“The importance of cyber is continuously growing, and Dr. Sulmeyer, with his experience, will propel this newly reconfigured policy office forward,” said acting Undersecretary of Defense for Policy Amanda Dory in a news release after Sulmeyer’s confirmation in August. The Department of Defense established the dual role in March 2024.

As the interview that follows details, Sulmeyer is at the epicenter of an area of policy that has been growing in importance since the world embraced an online way of life. It is made even more challenging by a quickly changing technology landscape unlimited even by the outer reaches of space.

When asked how he found his way to this field, Sulmeyer laughed, saying, “I think it started with the fact that I had no friends in eighth grade and helped build the middle school computer lab.” He credited early interests in technology, public affairs, and current events for his career trajectory to national security policy. “Even as an eager middle-schooler, I found that I could hold these things—early technology issues and current events, world leaders, international affairs—in my head better than a lot of other topics.” Through college and his first job after graduation at the Pentagon, he honed his focus. “I wanted to work on national security issues, but I also wanted to find ways to do it with technology. My doctorate gave me a deeper dive into national security issues, and then law school was a terrific force multiplier.”

Sulmeyer received his JD from Stanford Law School in 2011 and was a Marshall Scholar at Oxford University, where he received his doctorate in politics that same year. His dissertation, Money for Nothing: Understanding the Termination of U.S. Major Defense Acquisition Programs, won the Sir Walter Bagehot Prize for best dissertation in government and public administration. With a JD/PhD in hand, he returned to the Pentagon right when it was launching a new cyber policy office in 2012. “It really opened my eyes to that relationship between national security policy and technology.”

Prior to his current appointment, Sulmeyer served as principal cyber advisor to the secretary of the Army, offering guidance on all cyber-related matters, including readiness, capabilities, and strategy. While with the U.S. Army, he led the service’s efforts to improve the cybersecurity of operational technology and control systems. Sulmeyer has held a number of other high-level, cyber policy-focused positions at the Department of Defense and the White House, including as senior advisor to the commander of U.S. Cyber Command, as well as special assistant to the president and senior director for cyber policy on the National Security Council staff. Beyond his government roles, Sulmeyer was director of the Cybersecurity Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs and has taught at the University of Texas School of Law and served as a senior Fellow at Georgetown University’s Center for Security and Emerging Technology.

Mark A. Lemley (BA ’88), who interviewed Sulmeyer in November 2024, is the William H. Neukom Professor of Law at Stanford Law School and director of the Stanford Program in Law, Science and Technology. He is also a senior fellow at the Stanford Institute for Economic Policy Research and is affiliated faculty in the symbolic systems program. He teaches intellectual property, patent law, trademark law, antitrust, the law of robotics and AI, video game law, and remedies. He is the author of 11 books and 218 articles, including the two-volume treatise IP and Antitrust.
—by Sharon Driscoll

---

Mark A. Lemley: Can you give us a broad description of what your new position involves? What do you do day to day?

Michael Sulmeyer: You mean in English?

Right! I won’t restrict the use of acronyms because I know that would be extremely challenging, but as few acronyms as possible.

There is a traditional role in this policy organization where the team is the face of the Department of Defense externally—to our foreign partners and to the White House. For example, if a new executive order is being considered, my office would help offer input, but then also share that across the entirety of the Department of Defense to get views and to understand if there are concerns. And we orchestrate various military-to-military relationships with allies and partners abroad to improve our cyber-related collaboration and interoperability.

In addition, I have a separate team for the principal cyber advisor role. That’s the role where I oversee U.S. Cyber Command’s special authorities. For example, most combatant commands do not have their own acquisition authorities or their own dedicated budget. U.S. Cyber Command has both, and I provide civilian oversight for that work. So, a traditional external-facing role with other U.S. government agencies, as well as allies and partners, combined with an internal-facing role to help U.S. Cyber Command exercise its unique authorities. Those are the two hats I wear.

Can you lay out some top-level responsibilities for Cyber Command?

It’s worth noting the three key missions for U.S. Cyber Command and what I am in the business of helping them with. It is first to defend our own military networks and the data on them. Second is to support our regional combatant commands in the work that they must do. And the third is to be able to defend the nation from significant cyberattacks.

I read that there are some 23 different teams in various parts of the federal government focusing on cybersecurity issues. Is there coordination between these groups and how does that function?

Well, the good news is that a lot of us are repeat players in this space. For example, my counterpart at the State Department, Ambassador Nate Fick, I’ve known for a good long while. And I have similar colleagues at the Justice Department, at Treasury, and the FBI. When you’ve been in the cyber policy world for a while, you develop those relationships. We talk all the time informally. The White House also does something that’s very helpful: They bring us together formally.

But the real power is in the very talented civil service employees who work for me. Some of them have been on the portfolio for over a decade. And the relationships they have across the federal government with CISA [Cybersecurity and Infrastructure Security Agency] and others across the intelligence community are significant and impressive. I’ve got some of my own, but that’s a real comparative advantage that the career civil service brings to the table in a specialized field like cyber policy.

Why was this new position created? And why now?

There are a couple of reasons. First, Congress put it into law. But I think, more broadly, it represents an evolution of an earlier statutory construct where the role of principal cyber advisor to the secretary of defense was an additional duty to some other Senate-confirmed official. I focus on cyber issues all day, every day. I’m not also charged with space policy; that is outer space, not building facilities space. I’m not also having to focus on homeland defense issues. Those are separate jobs and separate portfolios. So, what this represents is a really dedicated focus at this assistant secretary level.

If you add all the active duty, the guard, the reserve, the civilians in the Department of Defense, you get close to 3 million people. And it’s decentralized in a lot of ways. It’s challenging to govern the cybersecurity of a 3-million-person organization. So, having it at the Senate-confirmed level is crucial.

As to why now? Because of the need. The drive to accelerate cybersecurity outcomes for the department is growing in importance.

Can we talk about that? I think when most of us outside the military think about cybersecurity, we think about a data breach or maybe someone tries to hack their bank account or computer system. Are you dealing with the same things, but for the military? Or is there a broader cyber policy beyond ensuring our military infrastructure isn’t hacked?

It’s all of the above. If you think about what is on a military base, there’s critical infrastructure with water, power, etc., in addition to traditional IT networks. There are also military accounting networks, HR networks. There are so many aspects of life outside the government, or outside the defense establishment, with similar concerns, and the need to protect the confidentiality, the integrity, and the availability of critical data is a priority for us to manage risk to force and risk to mission.

You can read the newspaper and see how active this space is and how the pace of developments evolves fast. We used to talk of military evolution change taking decades in terms of some combat arms. Cyber policy is not a field where you wait decades for change to come.

The other element of why this is critical right now for the Department of Defense is that U.S. Cyber Command as a military command continues to be empowered by the executive branch and by Congress. Having a Senate-confirmed official as a civilian counterpart to the four-star commander reflects the commitment of civil military relations that we have not just in cyberspace, but in all other aspects of military policy as well.

Can you give us a sense of scope of the problem you’re addressing? What’s your biggest set of worries regarding threats to our infrastructure?

I prioritize mission, and I prioritize our people. The military is charged with doing very challenging, very novel activities around the globe. And the way the internet is woven into the fabric of global communications means that it’s something we must account for as we think about operating the force that we do. So, number one, we think about protecting those missions and making sure the military can do what it needs to do when it needs to do it. On the people side, it’s a force, as I said, of over 3 million human beings, and we need to make sure that the work they do can be protected—and that they’re secure as well, so they can come to work and execute those missions.

A significant amount of our military operations happen overseas. What are the complications of trying to protect cybersecurity and infrastructure on a U.S. base or U.S. operation that’s outside the United States?

Operating in cyberspace for DOD is the away game. So far, we’ve been talking a lot about the “home game,” if you will, but it is the “away game” as well. That’s where military operations occur, not in the homeland. So, that requires partnerships. You asked, “Why now?” for this role. It’s because of the necessity for those partnerships. You’re seeing other countries also elevate these types of roles like the one I now occupy within their own governments. It’s helpful to have someone, at this level, to be an interlocutor. Again, we always talk about the role of partnerships. For me, I’m looking for where one plus one equals more than two. That’s where I try to focus my time on international partnerships.

Can you talk about how you build those cooperation standards with countries that aren’t already tied into a defense alliance, like NATO?

One of the lessons I took away from my two and a half years as the secretary of the army’s principal cyber advisor was how many of our partnerships can be enhanced. We’re very big as a defense department, but not a lot of our partners are that big. A lot of relationships are formed at the service-to-service level. That is, another country’s army with the U.S. Army or another partner’s navy with the U.S. Navy. And so, one of the things I do is look at those special service relationships that lend themselves to potential expansion and building on those for cyber issues as well—to add that on. That’s why it helps me in this role to have a background with one of the uniformed services, too.

We often talk about the support to the regional combatant command in the Pacific, to our Indo-Pacific command. They drive many of the international relationships in the Pacific. We try to make sure that we’re working through them, just as we do other combatant commanders in other parts of the world, to make sure that the regional commanders’ priorities and objectives are really being fulfilled.

I want to ask about the relationship between the military and cyber command and civilians who are the victims of nation-state cyberattacks on private infrastructure or a hack into universities or banks, etc. Is that something that you view as within the DOD’s framework or is that somebody else’s problem?

As I mentioned, the remit for the Defense Department from an authority standpoint really is predominantly the away game and operating abroad. My focus regarding the homeland is on the partnerships that we need to empower those who are authorized to help with the questions you’re asking. Again, so much of what Cyber Command does is to enable partners. Based on insights and experience generated through activities abroad, how can that information help partners like CISA, which manages the relationships for critical infrastructure at home, or other government agencies? We’ve got to be there with them, side by side, to enable their success and the nation’s security.

This is, in some sense, the inverse of the last question, which was about government hacks of our private infrastructure. Do you see the biggest risks to the military infrastructure coming from private citizens and private attacks or from foreign governments?

We have to be prepared for a range of threats. There used to be a narrative that the nation-state attacks were the only game in town and that private criminal elements were a lesser problem. And what we’ve seen over the last several years is that criminal elements can be quite sophisticated. We don’t have the luxury of dismissing that as something that’s not in the job description. We must be prepared across that full range. Obviously, we’re going to be laser-focused on the true nation-state threats, but we also must ensure that the less affiliated are accounted for as well.

And do you see a growing threat from what we might call someone in between those two: private but politically motivated non-state actors, whether it’s a terrorist organization or people with extreme views?

Absolutely. They’re on my list. What I try to do is figure out not just intentions, but also the resources available. If you can, determine what adversaries, competitors, and challengers may have and then try to get that constellation of matching intent with capability. We’re postured to make sure that we can account for that full range of threats.

We’ve been talking about defense. How focused is the U.S. on an affirmative cyber warfare capability, either engaging in it or preparing to engage in it should we end up in a broader conflict?

As a force, we must be prepared for the worst-case scenarios—in the event that forces are called upon to deploy and operate abroad in those kinds of conflict and crisis scenarios. So, of course, we want to make sure that cyber capabilities are available to support those efforts.

But even going back to 2011, it was declared in the first DOD cyber strategy that this is a military domain where nations compete and where there can be conflict. And just like there’s a land domain, a space domain, a sea domain, an air domain, there is a cyberspace domain. And so, we must be prepared to defend our interests when challenges occur and make sure that if there is a crisis or a conflict, cyber forces are ready.

Can you talk about your priorities coming into this job? What do you hope to achieve that isn’t currently being done? What things do you want to change?

I inherited two offices that were doing tremendous work. I’m very fortunate for the strong leadership that the uniformed military and the career civil service have been exercising here and to join a group where a lot of great work has been going on. The question I always wrestle with is what can I do that only I can do and what is the best area to put my time and effort at my level for comparative advantage. For me, that’s thinking about the future of U.S. Cyber Command. It’s been, depending on your math, 14, 15 years since U.S. Cyber Command was created. The change in the threat environment over the years, since it was established, going back to ISIS, then building a command of over 6,000 humans to be presented by the Army, the Navy, the Air Force, the Marine Corps—that was a force in waiting, just starting to be trained. And thinking about what most military forces do, which is train and prepare and be the last line of defense. But in cyberspace, you have to defend forward. You can’t just wait in the homeland for something to happen and get mobilized and try to swat it away. You have to defend our interests proactively. How is the international security environment changing and evolving? What are the lessons learned from some of the conflicts we’ve been seeing over the last couple years, and what are the things we can start to put in place now to make sure we maintain our readiness in the future?

In Silicon Valley in 2024, I think I am constitutionally required to ask questions about artificial intelligence. What do you see as new challenges coming down the line from AI or, on the flip side, new opportunities for the U.S. Cyber Command?

I’ve been trying to figure out a way to make a tort joke or something, but it would be negligent if we weren’t thinking about artificial intelligence. I haven’t worked in the civil procedure joke yet. But regarding artificial intelligence, we’ve seen outstanding leadership from the White House with last year’s executive order, which really tries to get the entirety of the U.S. government aligned with common goals and priorities.

Often in an emerging field, you don’t have the benefit of top-level guidance about direction. But we do have that in our government for artificial intelligence. Also, we’re committed to making sure that where there are areas we can automate with some assist from AI, we’re doing that for efficiency. We’re trying to figure out where the comparative advantages for cyber operations are and where artificial intelligence can make a difference to help defend U.S. forces and interests as the technology evolves.

AI is booming and we’re seeing graduates find terrific opportunities in the private sector. Is that a challenge for you—holding on to staff?

We’re starting to see a number of folks from the national security establishment going to work at the big AI companies. The companies have recognized the need to understand government and the defense world—and so these departing officials take that with them to the private sector. There are historical examples of, say, Bill Perry (BS ’49/MS ’50) forging those relationships with Silicon Valley. Ash Carter really reenergized this kind of outreach for the department when he was the secretary of defense, creating the Defense Innovation Unit and locating it in the Bay Area. It helps having partners on the other side who’ve lived it a little bit. And that’s what we’re seeing now.

This is a good point to transition to our students. Almost 20 percent of Stanford Law graduates now hold joint degrees. You have joint graduate degrees as well. What do you want students and alumni to know or think about if they are interested in working in this area?

First, you’ve got to have the fire in the belly, you’ve got to want to roll up your sleeves to do public service—especially in an area like cyber policy. You don’t get a lot of public exposure, and you don’t get a lot of public compliments or praise, so you’ve got to be okay with that. You’ve got to want to do it for the mission and because it’s right, and you’ve got to be able to take some satisfaction in that.

Second, I would encourage relaxing some of the traditional constraints around thinking about a legal career. You certainly could go to counsel’s office, and I love working with our lawyers in the counsel’s office, at Cyber Command, in the Army, and now in the Office of the Secretary of Defense. But I’m in a policy role, and the benefit of the law degree is such that I draw on it every day, and it makes my conversations with our lawyers a lot more productive. Maybe my lawyer friends disagree with that. I think it makes me a better consumer of legal advice.

So, for students, there are a number of ways that you can contribute. I think there is a belief that if you go to law school, you therefore must end up in counsel’s office. That wasn’t the case for me.

Earlier we touched on the many areas of government that have cyber in their remit. It’s a big bureaucracy. How do people new
to government find their way in?

There are a number of different ways in, whether through the military services, USAJOBS, the intelligence community, and more. There are tons of opportunities, and it’s a little overwhelming, frankly. So, one of the things I want to work on is how to make it a little easier coming from the outside.

I would add: Don’t give up—and use the alumni network. If you’re passionate about this career path, reach out and we can try to help direct you to a variety of avenues so you can understand a range of options for what would make the most sense.

That’s great advice. Before we end, I’m wondering if your law degree has helped you in this role or your previous roles?

I want to compliment the law school, with its curriculum and faculty, for equipping its graduates, at least me, with a fantastic education. I draw on it so much in my work and in ways that I didn’t necessarily think I would. I took a lot of classes in corporations, for example, and deals. And given how much I interact with the defense industry, for example, it’s incredibly helpful to have taken those classes, even though they weren’t on cyber policy or national security. So, again, my compliments to you and the faculty. I hope I can try to be a resource for the law school in the future.

Thank you so much for speaking with us. This has been super interesting.

My pleasure. Thank you. SL