Atthe helm is Air Force Gen. Keith B. Alexander, who is also director ofthe National Security Agency and head of the Central Security Service.Congress made him responsible for “directing the operations and defenseof the Defense Department’s information networks, the systemic andadaptive planning, integration and synchronization of cyber-activitiesand . . . for conducting full-spectrum military cyberspace operationsto ensure U.S. and allied freedom of action in cyberspace.”
Buthow will the command fulfill this mission? Part of the answer lies inhow the command prepares for a mission that requires the integration ofIT offices from all five services, all combatant commands, the nation’sintelligence services and by necessity the private sector, includingpublic utilities and industry, and local law enforcement. Factor in aswell foreign governments and non-state actors who are involved incyber-espionage or suspected of attacking the Defense Department’snetworks. All of this must be taken into account as Cyber Commandidentifies, connects and strengthens the latticework of 15,000different Pentagon networks, 4,000 military installations and more thanseven million Defense Department computer and telecommunication tools.The scope of the problem, considering the amount of hardware andsoftware that needs to be cataloged, ordered and protected, isstaggering.
Since the command has been set up totackle a new and emerging kind of warfare—one which hasn’t been fullydefined—it is critical that Cyber Command breaks out of the rigidhistorical and structural box that conventional U.S. combatant commandsoperate in, say several industry experts interviewed by DTI.
MichaelTanji, a security consultant who previously worked with the DefenseIntelligence Agency, National Security Agency and NationalReconnaissance Office, says the command should strive to “operate in amatrix fashion” and bring in the right staffers regardless of wherethey sit on the civilian/military divide, or even which service oroffice they report to, for any given problem. “A pyramid-shapedorganization chart, made up of smaller pyramid-shaped organizationcharts, is not going to work,” he says. “Cyber Command has to deal withoffense and defense, and the best way to do that is to have [everyone]work together to understand the adversary mindset and techniques.You’re a much better defender if you know how bad guys exploitsoftware; you’re a much better attacker if you know what defenders cando to stop you from succeeding.”
The notion thatthis command needs to find a new way of operating is shared by anotheranalyst, Richard Stiennon, who says “it’s not like setting up the AirForce or bringing in John Paul Jones to set up the Navy, where you takesome people at the beginning of an industry and have them do it. We’re10-15 years behind the times and playing catch-up.” Stiennon, chiefresearch analyst at IT-Harvest and an IT security adviser who hasworked for the Pentagon and private industry, adds, “Imagine if theNavy decided to get into aircraft carriers today, from scratch,”without having the benefit of decades of developing aircraft andcarrier technologies, tactics and procedures in tandem. That, he says,captures the scope of the task ahead. Stiennon says the first priorityof the command should be simple: start with the basics. “On Day 1, if[General] Alexander were to pound the table with his fist, it should beto discover and know every network connection and make sure it’sprotected. That’s a huge task. It would be expensive, but it’s got tobe done.”
An event in Washington in July,sponsored by the Armed Forces Communications and ElectronicsAssociation, brought together the major players from industry,cyber-office heads from the individual services and Cyber Commandleaders to figure out how some of these problems might be addressed.Bruce Held, director of intelligence and counterintelligence for theEnergy Department, warned that “a static cyber-defense can never winagainst an agile cyber-offense. No matter how many attacks the U.S.repels in the coming years, there will always be more on the way. “Youbeat me 99 times, I will come after you 100 times. Beat me 999 times, Iwill come after you 1,000 times,” and eventually, “I will beat you.”
ArmyBrig. Gen. John Davis, director of current operations at U.S. CyberCommand, said it is imperative that the offensive capabilities of themilitary are linked with other government agencies and the civilianworld, so the government can build “the frameworks to plan across thespectrum of conflict.”
Another panelist, EdMueller, chairman of the President’s National SecurityTelecommunications Advisory Committee, added that “we’ve made a bigpush over the last several years to become more tactical” when it comesto thwarting cyber-attacks. To continue innovating, “a bridge betweenprivate [industry] and public [government] is absolutely essential.”
Giventhe pervasive nature of the threat from hackers and even disgruntledservice members leaking information that each service has toconfront—the recent leak of 90,000 pages of tactical reports fromAfghanistan to the activist website WikiLeaks shows how pervasive thethreat is—one wonders how all of these different cyber commands aregoing to coalesce into one effective organization under U.S. CyberCommand. The new command’s director of plans and policy, USAF Maj. Gen.Suzanne Vautrinot, moderated a panel of cyber commanders from theservices, saying that “nobody here has one job,” since those taskedwith leading their services’ cyber-operations are “dual-hatted” toCyber Command.
USAF Brig. Gen. GregoryBrundidge added that the services have to “harmonize” their efforts,and quickly. He mentioned that when he was deployed to Iraq, theservices “were fighting to get information because everyone wasreporting through their own services. If there is one lesson we’velearned over the years, it’s that anything that brings our effortscloser together and harmonizes things is going to get us much fartheralong in our journey . . . what we’re all grappling with today is how .. . we bring all these things together that we have created in our owncocoons.”
In comments this summer to a group atthe Center for Strategic and International Studies, Alexander outlinedsome of the difficulties that Cyber Command faces under differentscenarios. For example: When the U.S. is at war with another state; astate uses an intermediary to “bounce” an attack (i.e., conceal itsinvolvement) against U.S. networks; or the U.S. is under attack bystateless entities. “Each one of those is going to have differentstanding rules of engagement,” Alexander said. “What we don’t have nowis precision in those standing rules of engagement, [which] we need.And we’re working through those with U.S. defense policy and up throughthe deputies’ committees for the administration.”
Whilethe command might not yet have methods to work through these problems,Stiennon says, the danger lies in the fact that “you can’t do thisslowly, the adversaries already know about the networks—they might knowmore about the network than the owners of the network. You’ve got toslam the door in their face, and you’ve got to do it now.”
Tanjisees the success of Cyber Command resting on the issue of whether theleadership can think, organize and behave as an information-ageenterprise. “If their model is that of every other military command,then they will fail,” he says. “They will spend their time fightinginternal and external battles. The only way they will succeed in amilitary command structure is if their authorities trump other commandand service level [structures]. To overcome that you need to bethinking about how to offer solutions or capabilities that multiply thepower of operational commands within that construct
