By Stoney Trent, October 30, 2017
In recent years, cyber intrusions have compromised both personal privacy and national security in the United States. Recent hacks of financial, government personnel, and political party systems—as well as Russian influence operations through US social media—illustrate grave threats to the nation’s values and institutions. But oddly, news of compromised defense systems and critical infrastructure has failed to raise widespread alarm. Between 2009 and 2013, intruders stole design information for the F-35 fighter aircraft and a variety of other military systems. Between May and July of this year, intrusions were detected into at least a dozen nuclear power plants. (A UK-based company has been offering a course in infrastructure hacking for at least three years.) Hackers, by compromising defense systems, have gained information about military designs that cost US taxpayers trillions of dollars to develop—and meanwhile, hacking of industrial control systems could result in calamity for civilian populations. It is clear that the United States is now in a Cyber Cold War against multiple capable adversaries. As during the original Cold War, the Defense Department is organizing, posturing, and maneuvering to gain and retain the initiative.
Figure 1: Major cyber intrusions in the United States, 2009–2017
In 2009, the Defense Department directed Strategic Command to establish Cyber Command as a subordinate unified command. Cyber Command was given responsibility for protecting the department’s information network, countering strategic threats to US interests, and supporting Combatant Command operations. Since then, the department has been building the Cyber Mission Force to execute this mission; the Cyber Mission Force will eventually consist of approximately 6,200 active-duty personnel organized into 133 cyber teams. An additional 2,740 Reservists and National Guardsmen will augment these teams and provide another 36 teams when mobilized. Teams are directed by six joint commanders, who report to the Cyber Command commander.
There are three types of Cyber Teams—protection, mission, and support. Protection teams defend the department’s information system infrastructure and support cybersecurity service providers. Mission teams deliver effects through cyberspace in support of national objectives, or those of combatant commanders. Support teams develop cyber tools and provide analytical support to mission and protection teams. These teams are manned, trained, and equipped by the four military services (Army, Navy, Air Force, and Marine Corps), and then directed by their respective operational headquarters.
Figure 2: The Cyber Mission Force
On August 15, the president announced the elevation of US Cyber Command to a unified command, on par with the nine other commands that direct regional or functional operations for the US military. Cyber Command’s mission as a unified command will be to defend and advance US interests in and through cyberspace. This change in authorities and responsibilities will entail a number of significant administrative undertakings. Assigning a commander, updating agreements, transferring resources, and determining the conditions required for full operational capability will take time. Unfortunately, Cyber Command’s realignment of responsibilities does not represent an immediate or dramatic change to the nation’s capabilities in cyberspace operations. Although the Cyber Mission Force has matured dramatically since its inception, major barriers—legislated operating constraints, unwieldy acquisition processes, and less-than-ideal utilization of commercially developed technologies—impede the innovation necessary to ensure that the United States can overmatch its adversaries.
Two hats for now. The elevation of Cyber Command to a unified command will leave a single person serving as both director of the National Security Agency and commander of Cyber Command. Any decision to split these responsibilities remains contingent upon achieving six conditions outlined in the 2017 National Defense Authorization Act. As determined by Congress, the two roles will not be separated until Cyber Command has its own operational infrastructure and command-and-control systems to conduct cyberspace operations. The Cyber Mission Force must also be fully manned, trained, and equipped with sufficient intelligence collection and effects tools. It must also have its own training capabilities. Cyber Command and the Cyber Mission Force remain on track to achieve these conditions by October of next year. Until then, Cyber Command and the National Security Agency will share the divided attention of one person for strategic guidance and decision making.
Even after separation, Cyber Command and the National Security Agency will have three critical interdependencies. First, the Cyber Mission Force will rely on National Security Agency–certified facilities, infrastructure, and security to economize logistic support activities. Second, the National Security Agency and the Cyber Mission Force will both require a significant number of personnel with similar skills. “On network” operators, data scientists, malware analysts, and software developers with security clearances are the center of gravity for signals intelligence, information assurance, and cyberspace operations. Workgroups will continue to compete with each other for such individuals. Finally, the Cyber Mission Force collects and provides intelligence as part of its operations through cyberspace. This type of analysis makes the Cyber Mission Force a new, but increasingly important, part of the signals intelligence production chain—the community of analysts that provides reporting for use across the whole of government. Because of these interdependencies, it is important that processes and agreements that support synergistic co-existence between Cyber Command and the National Security Agency continue to mature after the split.
Three problems to solve. The cyber intrusions discussed at the beginning of this article, and others like them, emphasize the gravity of cyber threats to the nation’s values and institutions. Unfortunately, three issues limit the current effectiveness of the Cyber Mission Force.
The first and largest challenge for effective and adaptive cyberspace operations results from federal law. The US Code divides responsibilities that pertain to cybersecurity and cyberspace operations across many departments and agencies. Such a division creates seams for threat actors to exploit. For example, Cyber Command and the Cyber Mission Force only have responsibility for protecting the .mil domain—whereas the Homeland Security Department is responsible for protecting .gov. Other domains, such as .edu and .com, remain the responsibilities of public, private, or commercial groups. In fact, Cyber Command and Cyber Mission Force had no responsibility for responding to any of the major intrusions shown in Figure 1. Approvals for government intervention in such incidents are subject to byzantine inter-agency processes and predominantly occur only in response to indications of compromise.
Revisions to the US Code, or federal reorganization, could remedy the systemic division of responsibilities in cyberspace. A new Cyberspace Department or Agency that is authorized to operate in support of foreign intelligence, domestic law enforcement, and military operations would eliminate the exploitable seams for threat actors. Such an organization could consolidate and advocate for standards, technologies, policy, and legislation to improve resilience in and through cyberspace. It could also serve as an independent, technical arbitrator between government agencies and the general population when trade-offs must be adjudicated. Others have made similar recommendations for reorganization within the Defense Department.
Unfortunately, the government has demonstrated the ability to make such dramatic changes only following catastrophic crises. So for now, the government’s current assortment of partially empowered, cyber-related organizations must invest in better information sharing and streamlined collaborative approval processes.
Second, the Defense Department’s planning and programming challenges are exacerbated by another authority constraint. In 2016, Congress granted Cyber Command limited acquisition authority for cyber-peculiar capabilities. This does not mean that all cyber-capability acquisitions are conducted by Cyber Command. To the contrary, most resources for cyber capability development are still allocated to, and then invested by, the service departments as they fulfill their responsibilities (under Title 10 of the US Code) to train and equip their forces.
For fiscal year 2018, the Defense Department has requested $8 billion for cyberspace operations, an increase of 19 percent from fiscal year 2017. According to the Defense Department comptroller, this investment is equivalent to four destroyers, a nuclear-powered aircraft carrier with 36 F/A-18 aircraft, or upgrades for 267 M-1 tanks. Only $647 million of the $8 billion will go to Cyber Command. Given the practical and political difficulties involved in managing a technically complicated portfolio across three service departments and a combatant command, unintentional redundancies and unrecognized gaps are likely. Furthermore, it is unclear whether $8 billion—an amount equivalent to less than 8 percent of the budget for any single service department—is sufficient or exorbitant.
The elevation of Cyber Command to a unified command will result in greater emphasis on cyberspace resourcing, but further changes are nonetheless warranted. Currently, the service departments balance their cyberspace investments with their core warfighting and workforce sustainment responsibilities. The Defense Department should designate Cyber Command as the executive agent for all joint cyberspace capabilities. As such, it would be responsible for all cyberspace operations capabilities not specific to a single service. The service departments should explain how any desired cyber investments are service-specific and not the rightful responsibility of Cyber Command. Consolidating joint cyber capabilities under one organization would enable coherence and efficiencies, and simplify interactions with commercial technology developers.
Third, sufficiently innovative and agile cyberspace operations can only be enabled by leveraging and informing commercially developed technologies. In 2016, civilian cybersecurity investments were estimated to be $31.5 billion in the United States and nearly $74 billion worldwide. Market forces are encouraging rapid improvements in security products, but these technologies are not always fit for government-directed cyberspace operations. Deliberate military procurement processes often produce stale concepts that inadequately and inefficiently orient commercial developers toward the needs of the Cyber Mission Force. A robust campaign of experimentation is necessary to determine how commercial technologies fit the nation’s cyber needs and to inform commercial research and development activities about the nation’s requirements. Such experiments must be collaborations between cyber teams, research staff, and software developers so as to afford rich, experiential learning by all parties. Data on tool and team performance can be used to validate investments as well as to identify areas needing improvement. Cyber Command has already established the Cyber Immersion Laboratory—a research activity that involves experimentation along the lines just described. But within the Cyber Mission Force it should be routine to empower the entire force to communicate with decision makers about what works under real(istic) operating conditions.
Across the silos. Ultimately, the nation needs the capability to achieve and sustain superiority in cyberspace. Such superiority will enable dominance in the other domains in which the nation works and fights. Contemporary cyber incidents should be treated as calls to action, but they have not resulted in the disruptive changes to authorities, processes, and cultures that are necessary. A stable and vibrant workforce must be empowered to operate across the silos established in the US Code. The nonexistential crises of the current Cyber Cold War should be leveraged for experimentation not only with technologies but also with processes, so as to improve the decisive application of force. And finally, top-down portfolio management must be balanced with activities that enable democratized, organic, and timely technology adoption.
This article reflects the views of the author. It does not necessarily represent the position of the Defense Department, US Cyber Command, the National Security Agency, or the US Army War College.