US Cyber Command Established

After several delays, U.S. Cyber Command was established in May at
Ft. Meade, Md., under the umbrella of the U.S. Strategic Command.

At the helm is Air Force Gen. Keith B. Alexander, who is also director of
the National Security Agency and head of the Central Security Service.
Congress made him responsible for “directing the operations and defense
of the Defense Department’s information networks, the systemic and
adaptive planning, integration and synchronization of cyber-activities
and . . . for conducting full-spectrum military cyberspace operations
to ensure U.S. and allied freedom of action in cyberspace.”

But how will the command fulfill this mission? Part of the answer lies in
how the command prepares for a mission that requires the integration of
IT offices from all five services, all combatant commands, the nation’s
intelligence services and by necessity the private sector, including
public utilities and industry, and local law enforcement. Factor in as
well foreign governments and non-state actors who are involved in
cyber-espionage or suspected of attacking the Defense Department’s
networks. All of this must be taken into account as Cyber Command
identifies, connects and strengthens the latticework of 15,000
different Pentagon networks, 4,000 military installations and more than
seven million Defense Department computer and telecommunication tools.
The scope of the problem, considering the amount of hardware and
software that needs to be cataloged, ordered and protected, is
staggering.

Since the command has been set up to
tackle a new and emerging kind of warfare—one which hasn’t been fully
defined—it is critical that Cyber Command breaks out of the rigid
historical and structural box that conventional U.S. combatant commands
operate in, say several industry experts interviewed by DTI.

Michael Tanji, a security consultant who previously worked with the Defense
Intelligence Agency, National Security Agency and National
Reconnaissance Office, says the command should strive to “operate in a
matrix fashion” and bring in the right staffers regardless of where
they sit on the civilian/military divide, or even which service or
office they report to, for any given problem. “A pyramid-shaped
organization chart, made up of smaller pyramid-shaped organization
charts, is not going to work,” he says. “Cyber Command has to deal with
offense and defense, and the best way to do that is to have [everyone]
work together to understand the adversary mindset and techniques.
You’re a much better defender if you know how bad guys exploit
software; you’re a much better attacker if you know what defenders can
do to stop you from succeeding.”

The notion that
this command needs to find a new way of operating is shared by another
analyst, Richard Stiennon, who says “it’s not like setting up the Air
Force or bringing in John Paul Jones to set up the Navy, where you take
some people at the beginning of an industry and have them do it. We’re
10-15 years behind the times and playing catch-up.” Stiennon, chief
research analyst at IT-Harvest and an IT security adviser who has
worked for the Pentagon and private industry, adds, “Imagine if the
Navy decided to get into aircraft carriers today, from scratch,”
without having the benefit of decades of developing aircraft and
carrier technologies, tactics and procedures in tandem. That, he says,
captures the scope of the task ahead. Stiennon says the first priority
of the command should be simple: start with the basics. “On Day 1, if
[General] Alexander were to pound the table with his fist, it should be
to discover and know every network connection and make sure it’s
protected. That’s a huge task. It would be expensive, but it’s got to
be done.”

An event in Washington in July,
sponsored by the Armed Forces Communications and Electronics
Association, brought together the major players from industry,
cyber-office heads from the individual services and Cyber Command
leaders to figure out how some of these problems might be addressed.
Bruce Held, director of intelligence and counterintelligence for the
Energy Department, warned that “a static cyber-defense can never win
against an agile cyber-offense.” No matter how many attacks the U.S.
repels in the coming years, there will always be more on the way. “You
beat me 99 times, I will come after you 100 times. Beat me 999 times, I
will come after you 1,000 times,” and eventually, “I will beat you.”

Army Brig. Gen. John Davis, director of current operations at U.S. Cyber
Command, said it is imperative that the offensive capabilities of the
military are linked with other government agencies and the civilian
world, so the government can build “the frameworks to plan across the
spectrum of conflict.”

Another panelist, Ed
Mueller, chairman of the President’s National Security
Telecommunications Advisory Committee, added that “we’ve made a big
push over the last several years to become more tactical” when it comes
to thwarting cyber-attacks. To continue innovating, “a bridge between
private [industry] and public [government] is absolutely essential.”

Given the pervasive nature of the threat from hackers and even disgruntled
service members leaking information that each service has to
confront—the recent leak of 90,000 pages of tactical reports from
Afghanistan to the activist website WikiLeaks shows how pervasive the
threat is—one wonders how all of these different cyber commands are
going to coalesce into one effective organization under U.S. Cyber
Command. The new command’s director of plans and policy, USAF Maj. Gen.
Suzanne Vautrinot, moderated a panel of cyber commanders from the
services, saying that “nobody here has one job,” since those tasked
with leading their services’ cyber-operations are “dual-hatted” to
Cyber Command.

USAF Brig. Gen. Gregory
Brundidge added that the services have to “harmonize” their efforts,
and quickly. He mentioned that when he was deployed to Iraq, the
services “were fighting to get information because everyone was
reporting through their own services. If there is one lesson we’ve
learned over the years, it’s that anything that brings our efforts
closer together and harmonizes things is going to get us much farther
along in our journey . . . what we’re all grappling with today is how .
. . we bring all these things together that we have created in our own
cocoons.”

In comments this summer to a group at
the Center for Strategic and International Studies, Alexander outlined
some of the difficulties that Cyber Command faces under different
scenarios. For example: When the U.S. is at war with another state; a
state uses an intermediary to “bounce” an attack (i.e., conceal its
involvement) against U.S. networks; or the U.S. is under attack by
stateless entities. “Each one of those is going to have different
standing rules of engagement,” Alexander said. “What we don’t have now
is precision in those standing rules of engagement, [which] we need.
And we’re working through those with U.S. defense policy and up through
the deputies’ committees for the administration.”

While the command might not yet have methods to work through these problems,
Stiennon says, the danger lies in the fact that “you can’t do this
slowly, the adversaries already know about the networks—they might know
more about the network than the owners of the network. You’ve got to
slam the door in their face, and you’ve got to do it now.”

Tanji sees the success of Cyber Command resting on the issue of whether the
leadership can think, organize and behave as an information-age
enterprise. “If their model is that of every other military command,
then they will fail,” he says. “They will spend their time fighting
internal and external battles. The only way they will succeed in a
military command structure is if their authorities trump other command
and service level [structures]. To overcome that you need to be
thinking about how to offer solutions or capabilities that multiply the
power of operational commands within that construct