At the helm is Air Force Gen. Keith B. Alexander, who is also director of the National Security Agency and head of the Central Security Service. Congress made him responsible for “directing the operations and defense of the Defense Department’s information networks, the systemic and adaptive planning, integration and synchronization of cyber-activities and . . . for conducting full-spectrum military cyberspace operations to ensure U.S. and allied freedom of action in cyberspace.”
But how will the command fulfill this mission? Part of the answer lies in how the command prepares for a mission that requires the integration of IT offices from all five services, all combatant commands, the nation’s intelligence services and by necessity the private sector, including public utilities and industry, and local law enforcement. Factor in as well foreign governments and non-state actors who are involved in cyber-espionage or suspected of attacking the Defense Department’s networks. All of this must be taken into account as Cyber Command identifies, connects and strengthens the latticework of 15,000 different Pentagon networks, 4,000 military installations and more than seven million Defense Department computer and telecommunication tools. The scope of the problem, considering the amount of hardware and software that needs to be cataloged, ordered and protected, is staggering.
Since the command has been set up to tackle a new and emerging kind of warfare—one which hasn’t been fully defined—it is critical that Cyber Command breaks out of the rigid historical and structural box that conventional U.S. combatant commands operate in, say several industry experts interviewed by DTI.
Michael Tanji, a security consultant who previously worked with the Defense Intelligence Agency, National Security Agency and National Reconnaissance Office, says the command should strive to “operate in a matrix fashion” and bring in the right staffers regardless of where they sit on the civilian/military divide, or even which service or office they report to, for any given problem. “A pyramid-shaped organization chart, made up of smaller pyramid-shaped organization charts, is not going to work,” he says. “Cyber Command has to deal with offense and defense, and the best way to do that is to have [everyone] work together to understand the adversary mindset and techniques. You’re a much better defender if you know how bad guys exploit software; you’re a much better attacker if you know what defenders can do to stop you from succeeding.”
The notion that this command needs to find a new way of operating is shared by another analyst, Richard Stiennon, who says “it’s not like setting up the Air Force or bringing in John Paul Jones to set up the Navy, where you take some people at the beginning of an industry and have them do it. We’re 10-15 years behind the times and playing catch-up.” Stiennon, chief research analyst at IT-Harvest and an IT security adviser who has worked for the Pentagon and private industry, adds, “Imagine if the Navy decided to get into aircraft carriers today, from scratch,” without having the benefit of decades of developing aircraft and carrier technologies, tactics and procedures in tandem. That, he says, captures the scope of the task ahead. Stiennon says the first priority of the command should be simple: start with the basics. “On Day 1, if [General] Alexander were to pound the table with his fist, it should be to discover and know every network connection and make sure it’s protected. That’s a huge task. It would be expensive, but it’s got to be done.”
An event in Washington in July, sponsored by the Armed Forces Communications and Electronics Association, brought together the major players from industry, cyber-office heads from the individual services and Cyber Command leaders to figure out how some of these problems might be addressed. Bruce Held, director of intelligence and counterintelligence for the Energy Department, warned that “a static cyber-defense can never win against an agile cyber-offense.” No matter how many attacks the U.S. repels in the coming years, there will always be more on the way. “You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1,000 times,” and eventually, “I will beat you.”
Army Brig. Gen. John Davis, director of current operations at U.S. Cyber Command, said it is imperative that the offensive capabilities of the military are linked with other government agencies and the civilian world, so the government can build “the frameworks to plan across the spectrum of conflict.”
Another panelist, Ed Mueller, chairman of the President’s National Security Telecommunications Advisory Committee, added that “we’ve made a big push over the last several years to become more tactical” when it comes to thwarting cyber-attacks. To continue innovating, “a bridge between private [industry] and public [government] is absolutely essential.”
Given the pervasive nature of the threat from hackers and even disgruntled service members leaking information that each service has to confront—the recent leak of 90,000 pages of tactical reports from Afghanistan to the activist website WikiLeaks shows how pervasive the threat is—one wonders how all of these different cyber commands are going to coalesce into one effective organization under U.S. Cyber Command. The new command’s director of plans and policy, USAF Maj. Gen. Suzanne Vautrinot, moderated a panel of cyber commanders from the services, saying that “nobody here has one job,” since those tasked with leading their services’ cyber-operations are “dual-hatted” to Cyber Command.
USAF Brig. Gen. Gregory Brundidge added that the services have to “harmonize” their efforts, and quickly. He mentioned that when he was deployed to Iraq, the services “were fighting to get information because everyone was reporting through their own services. If there is one lesson we’ve learned over the years, it’s that anything that brings our efforts closer together and harmonizes things is going to get us much farther along in our journey . . . what we’re all grappling with today is how . . . we bring all these things together that we have created in our own cocoons.”
In comments this summer to a group at the Center for Strategic and International Studies, Alexander outlined some of the difficulties that Cyber Command faces under different scenarios. For example: When the U.S. is at war with another state; a state uses an intermediary to “bounce” an attack (i.e., conceal its involvement) against U.S. networks; or the U.S. is under attack by stateless entities. “Each one of those is going to have different standing rules of engagement,” Alexander said. “What we don’t have now is precision in those standing rules of engagement, [which] we need. And we’re working through those with U.S. defense policy and up through the deputies’ committees for the administration.”
While the command might not yet have methods to work through these problems, Stiennon says, the danger lies in the fact that “you can’t do this slowly, the adversaries already know about the networks—they might know more about the network than the owners of the network. You’ve got to slam the door in their face, and you’ve got to do it now.”
Tanji sees the success of Cyber Command resting on the issue of whether the leadership can think, organize and behave as an information-age enterprise. “If their model is that of every other military command, then they will fail,” he says. “They will spend their time fighting internal and external battles. The only way they will succeed in a military command structure is if their authorities trump other command and service level [structures]. To overcome that you need to be thinking about how to offer solutions or capabilities that multiply the power of operational commands within that construct