Defense Department Prepares for CyberWar
The Current State of Play
04/12/2011 – Ensuring the security of the cyber domain has emerged as one of the most serious challenges to U.S. national and economic security. Of all U.S. government departments, the U.S. Department of Defense (DoD) has evinced the greatest interest in cybersecurity issues.
In a June 2009 speech, Deputy Secretary of Defense William J. Lynn warned that “the cyberthreat to DoD represents an unprecedented challenge to our national security by virtue of its source, its speed, and its scope.” The Department has launched a number of initiatives to enhance its cyber capabilities. These range from developing new operational concepts, deepening its cyberspace expertise, extending its interagency partnerships, and establishing a new U.S. Cyber Command to trying to change its cybersecurity culture.
Starting in 2005, the Director of the National Security Agency (NSA) was dual-hatted as commander of the Joint Functional Component Command-Net Warfare. The commander of the Defense Information Systems Agency (DISA) was also dual-hatted, as commander of the Joint Task Force-Global Network Operations. In 2008, a foreign intelligence agency placed malicious code on a flash drive that was inserted into a U.S. military laptop; the code spread rapidly throughout U.S. Central Command’s network and transferred classified information to servers under foreign control. In response to this unprecedented disaster, later that year Secretary of Defense Robert Gates placed the Joint Task Force-Global Network Operations under the operational control of the commander of the Joint Functional Component Command-Net Warfare. The move recognized both the imperative to better synchronize offensive and defensive cyber capabilities and the need to leverage NSA’s intelligence capabilities to understand the threat and respond to it.
On June 23, 2009, Secretary Gates authorized the establishment of U.S. Cyber Command (CYBERCOM) to “secure freedom of action in cyberspace.” It is a subunified command of U.S. Strategic Command (STRATCOM) tasked “to lead, integrate and better coordinate the day-to-day defense, protection, and operation of DoD networks.”
CYBERCOM’s purpose was to integrate the multiple DoD commands, assets, and activities that exist in this area as well as strengthen the “full-spectrum” of DoD’s cyber activities, including the planning and conduct of defensive and offensive cyber operations. Although CYBERCOM achieved initial operational capability on May 21, 2010, concerns over civil liberties and other issues delayed the command’s establishment for months. Many of CYBERCOM’s key missions, relationships, and authorities still remain unresolved.
CYBERCOM has several broad responsibilities:
- Defend US military networks (from criminals, terrorists, foreign intelligence services, as well as foreign militaries)
- Support current military operations and planning for future contingencies
- Assist civilian partners as needed and permitted
CYBERCOM’s initial agenda consists of helping to develop and integrate existing DoD cyber initiatives, establishing detailed rules for when and how the U.S. military can conduct retaliatory or first cyber strikes, and defining its relationship with the other U.S. cyber stakeholders. CYBERCOM will oversee DoD efforts to recruit, train, and retain many more cybersecurity experts, who are also heavily sought after by other public and private employers. The command aims to use the considerable technical expertise and other cyber assets possessed by U.S. military and intelligence agencies more effectively.
Gen. Keith Alexander, in charge of the NSA, now also concurrently leads the new Cyber Command. As director of the NSA, he also retains the additional duty of commanding the Joint Functional Component Command-Net Warfare. In addition, NSA still reports directly to the Director of National Intelligence (DNI) for operational intelligence matters. The DNI oversees all the threat-related collection that goes on in cyberspace. The most recent DoD Quadrennial Defense Review (QDR) calls on the U.S. armed forces to develop greater cyber expertise, develop a comprehensive approach to DoD operations in cyberspace, centralize command of cyber operations, and enhance partnerships with other U.S. government agencies.
The new command is intended to integrate DoD cyber intelligence, offense, and defense within one organization. CYBERCOM is responsible for directing the daily operations and defense of DoD information networks and for the systemic and adaptive planning, integration and synchronization of all DoD cyber activities.
In addition, when directed under the authority of the President, the Secretary of Defense and the Commander of STRATCOM, CYBERCOM is responsible for conducting full-spectrum military cyberspace operations to ensure U.S. and allied freedom of action in cyberspace. Specifically, when appropriately directed, CYBERCOM will support joint commanders with cyber capabilities to conduct military operations. Joint commanders are demanding that available cyber capabilities be considered in military operational planning.
This support will range from synchronizing planning among the other combatant commanders, to advocating for needed joint capabilities, to defending their networks from attack, to assisting them in launching intelligence operations.
CYBERCOM will assist other government and civil authorities and industry partners, though only in support of the Department of Homeland Security (DHS), which is the lead agency for domestic infrastructure protection from cyber and other threats.
Deputy Secretary Lynn has compared that domestic cyber role to the way DoD assists the Federal Emergency Management Agency (FEMA) in natural emergencies in the United States, such as hurricanes: “DOD has enormous assets, helicopters, transportation, logistics that can be provided to help. But it’s FEMA that’s in charge. And FEMA calls on those DOD assets, but FEMA is the organization in charge. And this is I think a similar kind of a situation.” As in other domains, DoD aims to coordinate and cooperate on cyber issues with members of the intelligence community, the State Department, law enforcement agencies, and the private sector.
Other combatant commanders want to know the status of their command-and-control networks, when penetration attempts are detected, and what actions are being taken. Gen. Alexander has therefore set the early goal of understanding the status of U.S. networks in real time and building effective cyber situational awareness through a common operating picture. “We must share indications and warning threat data at Net speed among and between the various operating domains. We must synchronize command-and-control of integrated defensive and offensive capabilities, also at Net speed.”
Alexander complained that the military can often identify attacks only after they have occurred and can therefore determine their source and nature only after the initial attack. “And the consequence of that is, it was almost policing up after the fact versus mitigating it in real time. So the requirement, from my perspective: We need real-time situational awareness in our networks, to see where something bad is happening and to take action there at that time.” Cyber Command is working with other combatant commanders to conduct rigorous assessments of their network security and to collaborate on correcting any flaws.
Before the creation of CYBERCOM, DoD bodies formed a patchwork of organizations for securing military communications. The Military Services still have independent commands for their information operations, which are also components of Cyber Command:
- Army Forces Cyber Command
- 24th Air Force
- Navy’s Fleet Cyber Command
- Marine Forces Cyber Command
The Army’s Cyber Command draws unique cyber operations capabilities from the 9th Signal Command, the Intelligence and Security Command, and the First Information Operations Command. It uses a single operations center that is tied to Cyber Command’s Joint Operations Center as a focal point for planning, synchronizing, and conducting cyber operations.
The 24th Air Force is seeking to integrate the separate networks that were developed in each of the Service’s major commands—Air Combat Command, Space Command, and Air Mobility Command—into a single common operating environment. Fleet Cyber Command, the U.S. Navy’s 10th Fleet, has unique responsibilities as the central operational authority for networks, cryptology, signals intelligence, information operations, cyber, electronic warfare, and space operations in support of forces afloat and ashore.
STRATCOM retains oversight responsibility for operating and defending U.S. military networks, though it has traditionally focused mostly on outer space and especially on nuclear defense issues. DISA also retains a role in managing DoD networks. The Defense Industrial Base initiative collaborates with American defense contractors to bolster their defenses against cyberthreats. At least some of these organizations also plan to draw on Reserve Component personnel as well as Active Duty members—and to use professional contractors as well as full-time civil servants. The relationship of all these legacy institutions to CYBERCOM is unclear. DoD has simply observed that the success of the new command in fulfilling its missions will depend heavily on “the capabilities and growth of the Service components that are stood up to support USCYBERCOM.”
Actually attempting to employ offensive cyber attack capabilities could prove problematic. The George W. Bush administration approved each U.S. cyber attack, such as those against Iraq in 2003, on a case-by-case basis. The key members of the Bush administration could not reach a consensus on a comprehensive authorization to govern U.S. information warfare activities because they would likely involve third-party (both foreign and domestic, including civilian) Web sites given the global and interlocking nature of the Internet.
Some U.S. officials acknowledge that another problem was that the negative publicity resulting from the NSA wiretapping scandal led the Bush White House to believe it lacked the credibility to articulate an explicit policy on so controversial an issue.
In addition to restructuring how it organizes for information operations, DoD has also launched initiatives to train more cybersecurity experts, encourage better information security practices among the department’s millions of civilian and military personnel, and refine DoD doctrine and practices for the cyber domain.
While some observers claim that the new command represents an expansion of the DoD cyberspace mission, others see it as continuing within the U.S. military’s historic mission of protecting U.S. national security from all potential threats. Yet, certain analysts fear that CYBERCOM will so militarize U.S. cyber defense efforts that the U.S. government will prove unable to realize the deep public-private partnerships that experts see as essential for securing the Internet.
Yet U.S. officials acknowledge they cannot solve the cybersecurity problem simply by applying more human and technological resources. DoD will need extensive cooperation with non-DoD partners in government, industry, academia, and foreign countries.
Many key cyber skills and assets will not belong to DoD. CYBERCOM also awaits detailed overarching guidance from the National Security Council regarding what types of offensive operations are permissible and under what conditions. The deputies of other national security departments are meeting regularly to discuss the legal issues relating to cyber security and to decide what CYBERCOM can legitimately do under various conditions.
Deputy Secretary Lynn has said that one reason for CYBERCOM’s creation was to “help rationalize the interagency process” by giving non-DoD agencies a focal point of contact within the military. Yet, CYBERCOM’s relationship with these key players is very uncertain. In addition to bureaucratic competition over authorities and resources, cybersecurity issues involve almost all U.S. government agencies, create unprecedented multinational challenges, and generate tensions between effective network surveillance and protection of civil liberties.
DoD leaders have argued that it would be foolish not to take advantage of the military’s superior cyber capabilities for defending non-military networks. CYBERCOM is prepared in principle to support civilian agencies as needed and permitted, but its authorities to do so, and the appropriate thresholds for triggering military intervention, remain unclear. A cyber emergency could require a much more urgent response than when the military renders aid to civilian authorities after natural disasters like Hurricane Katrina.
DoD officials stress the need for close military-intelligence collaboration, but privacy advocates worry that CYBERCOM’s close relationship with the NSA will enhance the ability of the intelligence community to monitor Americans. Alexander heads both CYBERCOM and the NSA (which is considered a part of both DoD and the U.S. intelligence community), and both headquarters are co-located at Fort Meade, Maryland.
Other DoD cyber organizations are also moving there. Defenders of close integration between CYBERCOM and NSA believe it will promote synergies and a more rapid response to urgent threats. Intelligence is needed for defensive cyber operations since countering attackers effectively requires identifying them. Intelligence is required for offensive cyber operations since they require extensive knowledge of foreign networks often gained through network penetration.
Some cyber security experts worry about the expanding role of the military-dominated NSA in this area. The NSA helps protect some government computers but is better known for its global information collection operations. During the George W. Bush administration, the NSA provoked intense controversy for engaging in an extensive global wiretapping and message intercept program.
Although designed to monitor terrorists, the program appears to have captured the communications of many innocent Americans. The head of the National Cyber Security Center, Rod Beckstrom, resigned in protest of the NSA’s expanding cyber security functions, which he saw as encroaching on DHS’s responsibility for protecting non-military websites. He argued that the military’s growing role in U.S. cybersecurity initiatives posed “threats to our democratic processes.”
In addition, the high security classification of NSA activities could impede the sharing of cybersecurity information among government agencies and with the private sector, which owns an estimated 90 percent of U.S. critical infrastructure. A March 2009 report by the Task Force on National Security in the Information Age warned about persistent cyber vulnerabilities due to the continuing failure of U.S. government agencies and other organizations to share information effectively.
Extensive classification could also disrupt the already troubled campaign to reorient U.S. government information managers from the traditional “need-to-know” philosophy to one embodying a “need-to-share” attitude. The success of the September 2001 terrorist attacks and the attempted bombing by Umar Farouk Abdulmutallab have led many to stress the importance of ensuring that national security managers have access to all available information so that they can best identify and understand current and emerging threats.
In addition to privacy concerns, detractors worry about further undermining the distinction between Titles 10 and 51 of the U.S. Code (the laws governing respectively the military and the non-military intelligence communities).
Policy makers can potentially circumvent legal prohibitions contained in one section of the code by authorizing the suspect action under the other. For example, Congress can extensively oversee the Pentagon drone strikes in the Afghan-Pakistan theater, but not those conducted by the US intelligence community. The White House decision to authorize the CIA to capture or kill Anwar al-Awlaki, an American citizen now waging jihad against the United States from exile in Yemen, has intensified these concerns. Alexander argues that comprehensive oversight mechanisms involving all U.S. government branches as well as additional procedures firmly protect Americans’ civil liberties, but he and others refuse to discuss details for fear of exposing potential U.S. security vulnerabilities.