Military wrestles with cyber war battle planning

The new consolidated Cyber Command faces unprecedented challenges as it forges the nation's policies and capabilities for cyber war

Many historians maintain that it was the ability to decipher Japanese code and not the creation of a new bruising battleship that turned the tide for the U.S. Navy in the Pacific theater during World War II. Meanwhile, in the Atlantic, Allied bombers tried to conceal their aerial attacks by dropping tiny strips of metal foil to sabotage German radar.

Militaries have long sought to seize the advantages and exploit the vulnerabilities that information technology brings to the battlefield. Now, more than ever, that duality of advantage and vulnerability sums up the U.S. military’s deep dependence on IT.

The advanced weapons and communications systems that underpin U.S. military superiority rely on the uninterrupted functioning of that IT backbone and protection of the information it contains — a fact plainly understood by adversaries ranging from other nations to terrorist groups. Defense Department systems are probed by unauthorized users roughly 250,000 times an hour, or more than 6 million times a day, according to DOD officials.

The IT systems that form the backbone of the nation's industrial base play a similarly critical role, with similar vulnerabilities. To compound the challenge, the military, civilian sector and even adversaries use many of the same commercial computer products, which makes them a double-edged sword.

Yet when it comes to providing security in this complex new world of risks and opportunities, the military’s past efforts have not been as well coordinated as they could have been. For example, their efforts have focused mostly on the defensive side of the equation.


Related stories

Global cyber arms race may be brewing
Military stands up its cyber forces
Cyber risks place new demands on public/private partnership 


DOD was "unorganized for the cyber threat for the 21st century,” said Paul Kurtz, a cybersecurity expert who served on the White House's National Security and Homeland Security councils during the Clinton and George W. Bush administrations. But, Kurtz said, the military has come to the realization that “cyber weaponry would be a very important arrow in the quiver.”

DOD publicly recognized its needs in that area in June 2009, and this past May, it activated the Cyber Command, which is part of the Strategic Command. Cybercom is intended to integrate and coordinate DOD cyber defenses that previously were based in the individual military services.

Led by Army Gen. Keith Alexander, Cybercom also oversees offensive cyber capabilities, and that involves developing weapons and the doctrine that governs when and how those weapons can be used. When he took command of Cybercom, Alexander retained his post as director of the nation’s largest intelligence agency, the National Security Agency, which is responsible for signals intelligence and information assurance.

Besides resolving previous gaps and shortcomings, the creation of a command with that level of authority also recognizes the unique and important role of cyberspace.

“As a doctrinal matter, the DOD has declared this a domain, the cyberspace domain,” said Air Force Maj. Gen. Suzanne Vautrinot during a speech in Washington last month at a conference that Symantec hosted. Vautrinot is director of plans and policy at Cybercom. “This is the only [domain] that’s not controlled by God or Mother Nature, depending on your proclivities.”

It’s also a domain without precedent, which poses a challenge in setting objectives, organizational structures, resources and capabilities. Cyberspace involves air, space, land and sea, but it doesn’t fall neatly within any of them. As Cybercom moves into its third month, devising clear policies and rules of engagement is high on the to-do list.

Cyber Ops

Although the new command just came online, the military’s focus on cyberspace is hardly new.

Each of the services has or is in the process of setting up an operational cyberspace command. Alexander recently referred to the Army Forces Cyber Command, Marine Corps Forces Cyberspace Command, 24th Air Force and Navy’s Fleet Cyber Command as Cybercom’s boots on the ground. However, until now, those assets haven’t been controlled in a coordinated fashion.

One of Cybercom’s main objectives is to better integrate and coordinate those commands' operations, Vautrinot said. It also includes the staffs from DOD’s Joint Functional Component Command for Network Warfare and the Joint Task Force-Global Network Operations.

Prescott Winter, a former chief technology officer and chief information officer at NSA, said there are long-standing concerns about cyber doctrine. He said those concerns hinge on having someone who could review all the options and understand how to coordinate available capabilities in the context of a larger military engagement.

“What you don’t want to do is start an operation and then suddenly discover that armed forces are tripping all over each other out there in cyberspace somewhere,” said Winter, now CTO of ArcSight’s public-sector business.

Cybercom’s creation is an effort to keep that from happening. As part of its mission, Cybercom plans, coordinates, integrates, synchronizes and conducts activities to defend DOD information networks and, when necessary, help conduct military cyberspace operations.

The last part of its mission statement refers to the ability to go on the cyber offensive, a mode of operation that many cybersecurity experts have long thought of as necessary, but one that is seldom discussed by DOD officials publicly or in detail. Cybercom’s launch hasn’t loosened many lips when it comes to talking about the tools in the United States' offensive cyber arsenal.

“We’re doing what you would expect us to do,” said Navy Rear Adm. Michael Brown, deputy assistant secretary of cybersecurity and communications at the Homeland Security Department. “We’re developing a framework across the spectrum of conflict.”

Experts say cyber capabilities can allow the military to use computer keystrokes to achieve objectives that in the past required advanced weaponry or air power to accomplish.

For example, a cyberattack could include turning off an adversary’s power grid and then turning it back on later without needing to spend time and money to rebuild it, as would be the case if the military had used conventional weapons to destroy it.

“That’s certainly one attack that I think we're likely to see in future conflicts because it’ll be much more surgical than even the smartest bomb,” said Robert Knake, an international affairs fellow in residence at the Council on Foreign Relations.

Knake and Richard Clarke, former counterterrorism adviser for Democratic and Republican presidential administrations, have co-authored a new book, "Cyber War: The Next Threat to National Security and What to Do About It." In it, Knake and Clarke cite a 2007 incident in which they said Israel used light and electric pulses to control what Syrian air defense radar saw. That allowed Israeli aircraft to destroy a structure believed to be a clandestine nuclear facility.

Cybercom will likely have cyber weapons at its command that can similarly blur the line between offensive and defensive modes. In a military context, the difference between being able to probe and penetrate an adversary’s computer network or attack it comes down to a couple of keystrokes, Knake said.

Likewise, Kurtz, now a managing partner based in the United Arab Emirates for Good Harbor Consulting, said, “You can have a small piece of code that can do a whale of a lot of damage or just a little bit of damage depending on how you choose to use it.”

Just as important as the cyber weapons — offensive or defensive — are the people who will wield them. So organizing those human resources is also high on Cybercom’s agenda.

“Offense and defense are there at the same time, so you’ve got to plan a strategy in advance, you’ve got to be able to work as an integrated team being able to play with each other and recognize the talents and skills of the entire team,” Vautrinot said.

Others agree that properly managing the people will be crucial. “The big take-away here should be it’s about capability: how well trained, how disciplined, how broad is your capability within your offensive organization,” Knake said.

Uncharted Territory

Just as decades ago the military recognized the need for special skills to operate in the air, officials now understand that a specific skill set is necessary for cyberspace. In that context, Cybercom’s creation represents a logical progression, said Dan Kuehl, a military historian and professor of information operations at National Defense University’s iCollege.

“This is a brand-new domain,” he said. “We’re learning how to do it. It’s not the same as the other domains, and so the development of expertise and capabilities in this domain are best served not by burying it within some existing structure but by going to something new and unique.”

Noah Shachtman, a nonresident fellow at the Brookings Institution and editor of Wired magazine’s national security blog, “Danger Room,” said it remains to be seen what the exact scope of Cyber Command’s mission will be.

As Alexander noted during his confirmation hearing before the Senate Armed Services Committee in April, “We can stand up the command under existing authorities, but there is undoubtedly much uncharted territory.”

Indeed, the command faces unprecedented questions about personnel, policy, law, doctrine and rules of engagement.

One vexing issue is the role the military should play in protecting private-sector networks if they come under attack, particularly a peacetime attack that originates abroad but is routed through computers owned by U.S. residents.

Alexander said that in such a scenario, DHS would lead because it has responsibility for critical infrastructure. But it could ask for and receive DOD’s support. “If asked to do that, we’d get an execute order, and we’d have the standing rules of engagement that we operate under all the time,” Alexander said. “The issues now, though, are far more complex because you have U.S. persons [involved]. Civil liberties, privacy — all come into that equation.”

Another potential wrinkle, for privacy and operational issues, is the role of NSA, which Alexander also directs. NSA and Cybercom are located at Fort Meade, Md.

Alexander stressed during his confirmation hearing that there would be significant synergy between the two organizations, but each would have its own mission. “There will be two distinct staffs, with distinct authorities and responsibilities for how we operate for intelligence, for information assurance on the NSA side and, for Cyber Command, how we defend and secure our networks and conduct cyberspace operations if directed,” he said.

For Knake, the most important question is how Cybercom officials will decide when to respond to state-sponsored cyber threats against civilians and companies. “What are the thresholds for the military to engage in offensive cyber activity in defense of the United States?” he asked. “That’s really the biggest question: When should that take place?”

Even with clear rules, knowing whom to target with cyber operations will not be easy. A sophisticated adversary can make it nearly impossible to identify where a cyberattack came from.

“Attribution is a huge problem right now,” said Arthur Wachdorf, senior adviser for intelligence and cyber operations at the 24th Air Force, the service’s component command for Cybercom. “Attribution is inexorably linked to how we come up with these terms and policies dealing with attack, espionage or what we’re going to do about that. We have to be able to do it fast enough that it’s militarily relevant.”

None of these are easy questions, but Cybercom officials and supporters understand the challenges they face.

“The easy and simple stuff was done long ago,” Alexander said during a recent speech. “We got the rest.”

— With reporting from staff writer Amber Corrin

 

2014 Rising Star Awards

Help us find the next generation of leaders in federal IT.

Reader comments

Thu, Aug 5, 2010 Jeffrey A. Williams Frisco Texas

I fully agree and sympathize with both Maj. Pittmans and Maj. Lynches concenrns and questions accordingly. As of today our cyberwarfair offinsive ability is seemingly limited especially in the government sector, but also still limited/restricted in the private sector as well by conflicting laws unfortunately. Collaboration between and at all levels of the private and government sectors in my professional opinion is paramount but nearly non-existant and/or entirely weak. This must change and change soon! I believe that the main reasons for this lack of cooperation is rooted in "who's calling ths shots" rather than actually knowing what to do, when to do it, and how to do so. Further NIST's new Sha-2 ( 256k ) key length encryption standard is far too weak simply because 1024k has already been broken by the U. Mich. and as such the likelyhood of unfriendly governments and private sector competators exploiting that ability in short order is too large of a risk for the US in either the government sector of private sector to take. This standard needs immediate review at a minimum and IMO, upgrading significantly.

Fri, Jul 30, 2010 J.D.Bailey

Comments..., until they get their head out of their tank or cock-pit whichever one... expect experience based/directed failure. Horses, guns, and cannon GO+Staff after defeats gave way to tanks, planes, and nukes overlooked Staff. Where is the academic, manufacturing, and military industrial base? Wait for the war, if we survive, then....

Thu, Jul 29, 2010 Jeffrey A. Williams Frisco Texas

China already has a upper hand in cyberwarefair defense and is gaining rapidly on the offense side. Both Maj. Lynch's and Maj. Pittmans comments are a bit behind the curve given recent incidences. Long ago now I along with others that were allinged with a few others made notice and repeatedly reported glaring holes in DOD's and other sensitive government IT networks and were basically ignored. Now that the problem has gotten some press suddenly it has become a hot button in D.C. and withing the military complex as well as the intelegance gathering community in the USG. Better late than never I suppose... Still playing catch-up ball is never a good stratagy in my professional opinion.

Mon, Jul 26, 2010 MAJ Cindy Pittman Student, ILE

In the current economical environment there are numerous competing priorities. Although Cybercom has been "stood up," will the organization be given the teeth necessary to launch cyber attacks and enforce compliance in defense of the network? Authorization to use cyberspace for offensive operations would clearly open the US up to potential counterattacks where we are particularly vulnerable due to the often lack of emphasis placed on securing the network at the lower levels. Defending the network proves to be a challenge for the DoD. The military is reluctant to spend decreasing resources on additional security and ensuring compliance with existing policies. The leadership often cannot see the links between network security and the potential for vital information to be compromised and therefore do not allocate sufficient resources to secure it. When the use of thumb drives was banned it took months to bring various organizations into compliance, and it is doubtful that we are 100% compliant now. If Cybercom is not given the authority to remove organizations from the network that are non-compliant in regards to network security then we have created another level of bureaucracy that consumes valuable resources but solves no problems. "The views expressed in this comment are those of the author and do not reflect the official policy or position of the Department of the Army, Department of Defense, or the U.S. Government."

Mon, Jul 26, 2010 MAJ Edward Lynch student ILE

It seems that the U.S. is devising a mostly defensive stance when it comes to cyber war. The Economist writes that China has plans of “winning informationised wars by the mid-21st century”. They note that other countries are likewise organizing for cyberwar, among them Russia, Israel and North Korea. Iran boasts of having the world’s second-largest cyber-army. What if anything is the U.S. doing for an offensive retaliation to this threat?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above