Aaron Hughes: Cyber Policy and National Security

by Ted Jou '99

Aaron Hughes, Class of '93, was Deputy Assistant Secretary of Defense for Cyber Policy from May 2015 to January 2017, at the end of the Obama administration. When he was at Blair, he remembers "being drawn to computer programming," and his career has progressed from working on computer networks and government contracting to cyber security and public service. He has traveled the country and the world but has generally stayed in the DC area, now living in Northern Virginia.

Aaron Hughes
Hughes has fond memories of his time at Blair, where he was a multi-sport athlete, playing on the soccer, basketball, and baseball teams. In the magnet, he "enjoyed being surrounded by other motivated students interested in science and math and computers." Hughes then attended the University of Virginia on an Air Force ROTC scholarship and earned a Bachelor's degree in mechanical engineering. He later earned a Master's degree in Telecommunications from George Washington University and an MBA from Stanford University. For over twenty years, he has served in the Maryland Air National Guard, and he is part of the 175th Cyber Operations Group.

Hughes has been working on computer security issues from early in his career when he was an engineering on telecommunications and computer networks in the late 90s. In the early 2000s, his Air National Guard unit began to focus more on cybersecurity, collaborating with the NSA to support more of a national security mission. After attending business school at Stanford, he interviewed with Silicon Valley companies but ultimately returned to the DC area to work in strategy consulting. In 2008, he joined In-Q-Tel, a strategic investment firm that funds the development of innovative technologies for the U.S. intelligence community. In 2013, he was promoted to Vice President for Intelligence Community Support at In-Q-Tel, and when the Cyber Policy position at the Department of Defense opened up in 2014, Hughes found himself on a short list of candidates being vetted by the White House.

After a lengthy interview process, Hughes received his appointment to the Department of Defense in May 2015. As Deputy Assistant Secretary for Cyber Policy, he was responsible for the strategy, policy, and operational oversight of the Defense Department's cyber programs and forces. Hughes was the top civilian responsible for Cyber issues and reported to the Under Secretary of Defense for Policy, the #3 official at the Pentagon.

Hughes's responsibilities included international engagement, where he would "travel the world to represent the Department of Defense" to meet with foreign military leaders, develop cyber partnerships, and to negotiate bilateral and multilateral agreements. He also represented the Pentagon in meetings with the White House and other government officials regarding foreign cyber threats. In July 2016, Hughes testified before a Congressional Committee at a hearing on Digital Acts of War. Hughes was also tasked with oversight of the United States Cyber Command (USCYBERCOM), the unified combatant command for the US military's cyber capabilities.

During Hughes's tenure, he was involved in extensive ongoing discussions about how USCYBERCOM should be structured, and what its relationship should be to the NSA and other government agencies. There were also questions about the National Guard's role in domestic cyber defense, and how they should work with the Department of Homeland Security, the FBI, and other agencies. One major policy directive to come out of these discussions was Presidential Policy Directive 41 on Cyber Incident Coordination, which was issued by the White House in the summer of 2016, at a time when the threat of cyber attacks was becoming more public in the midst of the election season. The Cyber Incident policy had been developed through discussions over many months between the White House and Pentagon, Homeland Security, the Department of Justice, and other stakeholders. Its purpose was to provide overall guidance for the government's response to cyber incidents and to define the responsibilities of different agencies in the event of a major cyber incident.

The last months of 2016 were a busy time for cyber policy, and although Hughes could not discuss the classified details of his work, he mentioned the administration’s focus on Russian operations to influence the 2016 election. He resigned from his position in January 2017 with the change in administration, and he called his time at the Defense Department "the best job I ever had." In an earlier interview celebrating Black History Month at the Pentagon in 2016, Hughes had said he was "tremendously proud" to serve under President Obama.

After leaving the Pentagon, Hughes took some time off to find the right opportunity in the private sector. He is now the Vice President for Information Security and Risk Management at Capital One, where he is responsible for the security of all Capital One digital assets and data transformation initiatives.