DOD and the Cyber Challenge
by Richard Weitz
Of all U.S. Government departments, the Department of Defense, which relies on assured information superiority to accomplish its key military missions, has evinced the greatest interest in cybersecurity issues.
In May 2011, then Defense Secretary Robert Gates said in his presentation rolling out the administration’s new International Strategy for Cyberspace: “It is hard to overstate the importance of cyberspace to the Department of Defense or the need to engage our allies and partners to keep it secure. Along with the advantages conferred by cyberspace comes the threat of potentially crippling cyber attacks.“
(Editor’s Comment: One could note that the attempt by Secretary Wynne and the USAF leadership to role out cyber operations was hammered by the Secretary of Defense.)
The most recent DoD Quadrennial Defense Review calls on the U.S. Armed Forces to expand its cyber expertise, develop a comprehensive approach to DoD operations in cyberspace, centralize command of cyber operations, and enhance partnerships with other U.S. Government agencies.
The Defense Department policy on cyberwarfare also emphasizes protecting the military information network and developing offensive cyberwar capabilities against potential adversaries.
The military increasingly envisions cyberspace as a theater of operations.
For example, U.S. forces in Iraq and in Afghanistan have undertaken operations to suppress insurgent propaganda networks that use the Internet against coalition forces. At the national level, the U.S. Strategic Command (STRATCOM) has played a role in global cyber operations since its creation in 1992.
STRATCOM’s Joint Functional Component Command for Network Warfare was established in 2005 for working with federal agencies on computer network defense and for planning offensive information warfare. The Director of the Defense Information Systems Agency also headed a Joint Task Force for Global Network Operations.
The DoD is also seeking the authority to conduct “active defense”—the option to respond to cyberattacks with offensive cyber capabilities. Alexander has repeatedly emphasized the necessity of having “offensive capabilities, to, in real time, shut down somebody trying to attack us.”
Similarly, the National Defense Authorization Act for Fiscal Year 2012 for the first time explicitly permits the Department of Defense to “conduct offensive operations in cyberspace to defend our Nation, Allies and interests.”
Under the authority of the Secretary of Defense and key political appointees, DoD now has two principle entities for dealing with cyber issues: the National Security Agency (NSA) and the new U.S. Cyber Command (CYBERCOM). General Keith Alexander is currently dual-hatted as NSA Director and CYBERCOM Commander. As NSA Director, Alexander retains the duty of Joint Functional Component Command Net Warfare. In addition, NSA (which is considered a part of both DoD and the U.S. Intelligence Community) still reports directly to the Director of National Intelligence (DNI), currently James Clapper, for operational intelligence matters. The DNI oversees all the threat-related intelligence collection activities in cyberspace.
The NSA was almost entirely responsible for U.S. offensive cyberattacks, though it is transitioning that task to U.S. Cyber Command. In its 2012 strategy document, NSA stated that one of its goals was to “provide intelligence and information assurance products and services that will help uncover, prevent, mitigate, or counter attempts to compromise information or information technology that is critical to national interests.”
The NSA also has responsibility for securing the government’s classified networks. Many have proposed that the NSA also apply its expertise to helping defend U.S. critical infrastructure that is in the private sector, but others fear that the NSA could abuse that access to collect information on American citizens or U.S. companies for unauthorized purposes.
CYBERCOM is a subunified command of U.S. Strategic Command (STRATCOM) and is tasked with integrating the multiple DoD commands and activities that exist in this area, as well as strengthening the “full spectrum” of DoD’s cyber activities, including the planning and conduct of defensive and offensive cyber operations.
Although it took many months to establish the Command because of concerns over civil liberties and other issues, many of CYBERCOM’s key missions, relationships, and authorities still remain unresolved.
DoD’s 2011 “Strategy for Securing Cyberspace” says that the Department is pursuing five strategic initiatives.
Strategic Initiative 1: Treat Cyberspace as an operational domain to organize, train, and equip so DoD can take full advantage of cyberspace’s potential.
Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems.
Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-government cybersecurity strategy.
Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity.
Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and technological innovation.
CYBERCOM’s contribution to this agenda is to develop and integrate existing DoD cyber initiatives, establishing detailed rules of engagement for when and how the U.S. military can conduct retaliatory or cyber first strikes, and define its relationship with the other U.S. cyber stakeholders. It also oversees current DoD efforts to recruit, train and retrain many more cybersecurity experts, who are also in demand among other public and private employers.
The Military Services have developed their own cyber units, which they place under CYBERCOM. These units are the Fleet Cyber Command/Tenth Fleet, Army Cyber Command/Second Army, Air Force Cyber/Twenty-Fourth Air Force, and Marine Corps Forces Cyber Command. In December 2011, the Army activated its first cyber brigade, the 780th MI Brigade. CYBERCOM also make use of contractors and other civilian personnel.
The intent in establishing the new Command was to integrate DoD’s considerable intelligence, offensive, and defensive assets within one organization.
To that end, CYBERCOM is responsible for:
- Directing the daily operations and defense of DoD information networks.
- Systemic and adaptive planning, integration and synchronization of all DoD cyber activities.
- Conducting full-spectrum military cyberspace operations to ensure U.S. and allied freedom of action in cyberspace, when directed under the authority of the President, the Secretary of Defense and the Commander of U.S. STRATCOM (specifically, when directed, CYBERCOM will support joint commanders with cyber capabilities to conduct military operations).
- Ensuring that available cyber capabilities are considered in military operational planning.
- Synchronizing planning among combatant commanders.
- Advocating for needed joint capabilities.
- Defending military networks from attack.
- Helping combatant commanders in launching intelligence operations.
- Assisting other Government and civil authorities and industry partners, although only in support of DHS, which is the lead agency for domestic infrastructure protection from cyber and other threats.
Former DoD Deputy Secretary William Lynn compared that domestic cyber role to the way DoD assists DHS in natural emergencies in the United States, such as hurricanes: “DoD has enormous assets, helicopters, transportation, logistics that can be provided to help. But it’s FEMA that’s in charge. And FEMA calls on those DoD assets, but FEMA is the organization in charge. And this is, I think, a similar kind of a situation.”
As in other domains, DoD aims to coordinate and cooperate with members of the Intelligence Community, the State Department, law enforcement agencies and the private sector.
An additional task is understanding U.S. networks and building effective cyber-situational awareness in real time through a common operating picture.
General Alexander has described this responsibility thus: “We must share indications in warning threat data at Net speed among and between the various operating domains. We must synchronize command-and-control of integrated defensive and offensive capabilities, also at Net speed.”
Alexander complained that often the military can identify attacks only after they have occurred and must try to determine their source and nature after the initial attack. “And the consequence of that is, it was almost policing up after the fact vs. mitigating it in real time. So the requirement, from my perspective: We need real-time situational awareness in our networks, to see where something bad is happening and to take action there at that time.”
And a final task is to work with other combatant commanders to conduct rigorous assessments of their network security and to collaborate to correct any flaws.
In his March 27 testimony to the Senate Armed Services Committee, General Alexander outlined his vision of the roles and missions for interagency cooperation in the cyber domain: DHS would work directly with civilian agencies and critical infrastructure, DoD would lead defense efforts in the case of cyberattack, and the FBI would focus on law enforcement and intelligence.
In addition to restructuring how it organizes for information operations, DoD has also launched initiatives to train more cybersecurity experts, encourage better information security practices among the Department’s millions of civilian and military personnel and refine DoD doctrine and practices for the cyber domain. In his written statement to the U.S. House Armed Services Committee, Gen. Keith Alexander announced the creation of the Cyber Training Advisory Council (CYTAC): “The CYTAC is an advisory and coordination committee established to improve the quality, efficiency, and sufficiency of training for computer network defense, attack, and exploitation that will work to coordinate and standardize cyber training across all military services, Cyber Command, and NSA.”
The administration’s proposed budget continues to sustain high levels of spending in this domain.
Members of Congress support this priority. DoD has directed structural initiatives to achieve savings in acquisition, sustainment, and manpower costs. Due to the low-cost, high-outcome nature of cybercapabilities investments, this initiative allows DoD to save money while transitioning to a modern information environment.
Yet U.S. officials acknowledge that they cannot solve the cybersecurity problem simply by applying more financial, human, and technological resources.
They need more cooperation from other U.S. government agencies, industry, academia and foreign countries. Many key cyberskills and assets will be non-DoD assets. The most important interagency relationship will be with the DHS and was a significant part of the DoD’s cyberspace strategy. Another major interagency relationship is with the Defense Industrial Base.
One reason for CYBERCOM’s creation was to help rationalize the interagency process by giving non-DoD agencies a focal point of contact within the military.
Yet CYBERCOM’s relationship with these key players has yet to be fully resolved. In addition to bureaucratic competition over authorities and resources, cybersecurity issues involve almost all U.S. Government agencies, create unprecedented multinational challenges and generate tensions between effective network surveillance and protection of civil liberties.
Virtually every DoD mission depends on the Department’s information infrastructure.
The Department is more accustomed to large IT development projects, but the traditional acquisition timeline is not fast enough for the DoD to keep up with emerging cyberthreats. It is crucial that the Department have the most current and effective agile technology to reduce its vulnerability against emerging cyber attacks.
Yet lengthy DoD security requirements and processes delay the fielding and sometimes prevent the acquisition of new technologies. The DoD is seeking to pursue more incremental projects that use commercial applications, which will allow the Department to better understand and characterize the cyberthreat.
Teresa M. Takai, Chief Information Officer, testified to Congress on March 20, 2012 about DoD’s IT modernization and cyber security efforts. She explained that DoD is accelerating its efforts to take advantage of rapid changes in information technology, which is one aspect of the overall effort to improve and modernize DoD’s information environment. The Department has five primary goals for its cybersecurity acquisition efforts:
- Customers of DoD information infrastructure should be able to depend on essential information infrastructure in the face of cyber warfare.
- Enabling of rapid and safe data sharing with any partner. The information shared should be sufficiently rich, so that mission execution is effective.
- Protection of sensitive and classified information.
- Protection of mission commanders’ access to cyberspace.
- Agility of technology uptake in DoD, while still aligning with security requirements and keeping risk low.
- While some observers claim that the new CYBERCOM represents an expansion of the DoD cyberspace mission, others see it as continuing within the U.S. military’s historic mission of protecting U.S. national security from all potential threats.
Yet certain analysts fear that CYBERCOM will so militarize U.S. cyber defense efforts that the U.S. Government will prove unable to realize the deep public-private partnerships that experts see as essential for securing the Internet. This has resulted in a debate as to whether the DoD, especially the NSA, or the DHS is the proper agency to deal with cyber issues.
DoD leaders have argued that it would be foolish not to take advantage of the military’s superior cyber capabilities for defending non-military networks. CYBERCOM is prepared in principle to support civilian agencies as needed and permitted, but its authorities to do so, and the appropriate thresholds for triggering military intervention, remain unclear. A cyber emergency could require a much more urgent response than that when the military renders aid to civilian authorities after natural disasters like Hurricane Katrina.
DoD officials stress the need for close military-intelligence collaboration, but privacy advocates worry that CYBERCOM’s close relationship with the NSA will enhance the ability of the Intelligence Community to monitor Americans. Alexander heads both CYBERCOM and the NSA, and the two headquarters are co-located at Fort Meade, MD. Other DoD cyber organizations are also moving there. Defenders of close integration between CYBERCOM and NSA believe it will promote synergies and a more rapid response to urgent threats. Intelligence is needed for defensive cyber operations, since countering attackers effectively requires identifying them.
Intelligence is needed for offensive cyber operations, since such operations require extensive knowledge of foreign networks often gained through network penetration.
Some cybersecurity experts worry about the expanding role of the military-dominated NSA in this area.
The NSA helps protect some Government computers, but is better known for its global data-collection operations. In addition to privacy concerns, detractors worry about further undermining the distinction between Titles 10 and 51 of the U.S. Code (the laws governing the military and the non-military Intelligence Communities, respectively). Policy makers can potentially circumvent legal prohibitions contained in one section of the code by authorizing the suspect action under the other section.
For example, Congress can extensively oversee the Pentagon drone strikes in the Afghan-Pakistan theater, but not those conducted by the U.S. Intelligence Community. The White House decision to kill Anwar al-Awlaki, an American citizen who waged jihad against the United States from exile in Yemen, has intensified these concerns.
Alexander argues that comprehensive oversight mechanisms involving all U.S. Government branches, as well as additional procedures, firmly protect Americans’ civil liberties, but he and others refuse to discuss details for fear of exposing potential U.S. security vulnerabilities.
How Titles 10 and 50 apply in actual cyber conflicts is more nebulous in their area of command. General Alexander testified at a Hearing of the Senate Armed Services Committee on March 27, 2012, about the de-confliction between Titles 10 and 50. He explains that computer network exploitation (CNE) is largely executed under Title 50, whereas computer network attacks (CNA) would be conducted under Title 10.
Alexander explains that CNA and CNE are not exclusively conducted by the military or intelligence community.
For example, the military can conduct CNE in times of crisis and war in conjunction with Title 50, while it is possible to execute CNA under covert action. Without a clear line between the two methods of cyber security, it may be difficult for the Government to manage funding, personnel, and infrastructure between military and non-military intelligence.