Urgency grows to align cyber, physical combat

Until fairly recently, the idea of warfare meant one thing: physical combat. In recent years this idea has evolved with the establishment of cyberspace as a military domain. But for the most part, the two tend to remain separate: separate military training, separate operations, separate rules of engagement. That will need to change – and soon, according to experts.

Cybersecurity's prominence has skyrocketed in recent months, and as focus ramps up in Congress, the executive branch and the military, that trend will only continue. Dealing with it requires a change in approach that fuses what have until now been distinct lines of operation.

"Right now we're being asked to look at potential consequences of attacks on [critical infrastructure] and prioritize...from a cyber perspective," said Suzanne Spaulding, deputy undersecretary for the National Protection and Programs Directorate at the Homeland Security Department. "You can't do that if you're not looking at the cross-sector and physical consequences."

Spaulding, one of several speakers addressing the Feb. 22 AFCEA DC cybersecurity symposium in Washington, pointed out that at DHS, this idea already is under way in the form of integrated task forces for assessing risks and implementing policies.

"It's an absolutely essential piece of this to have a coordinated approach," she said. "We're pulling in cyber and physical folks to do joint assessments, looking at what are the cyber vulnerabilities, what are the physical vulnerabilities, how do they relate to each other, and importantly, what are the cascading effects?"

An alignment of policies and actions in cybersecurity is happening across the government, recently evidenced by mandates for cooperation and information-sharing rolled out in President Barack Obama's executive order and accompanying presidential policy directive.

On the military side, a parallel alignment is taking place as well, but it has required a careful consideration of core missions and how to meet their requirements, according to one Defense Department official.

"If I ask you what does an infantry battalion or a carrier strike do, you can define that," said Maj. Gen. Brett Williams, director of operations at U.S. Cyber Command. "So one thing we needed to do in defining the missions...we needed to align forces, capability and capacity to each one of the missions."

Those missions – defending national security against cyber threats, securing the DOD information network and supporting combatant commands – are still being tweaked at CyberCom, now in its third year of full operation. However, doing so means walking a fine line between applying traditional military approaches and giving special considerations to the distinctive nature of cyberspace.

"We've done a very good job convincing people how different, mysterious and technical cyber is, which it is. But I would argue [that while] operations are unique...they're no more unique than flying an airplane is from operating a ship," Williams said.

At the same time, leadership cannot take the same approach to cyber weapons and operations that would be used in, say, nuclear cases – a common, but some say faulty, comparison.

"It's an analogy that is almost always false," said Eric Rosenbach, deputy assistant secretary of defense for cyber policy. "Loose nukes are actually an easy problem compared to constraining the flow of destructive malware. They're produced almost entirely by nation-states. They give off a signature – there are actually radiation waves you can track. And it's a physical thing. That's not the same situation when it comes to malware...which passes through borders and is nearly, if not completely possible, to track."

In an operational picture that is blurred by a lack of boundaries, visible enemies and established rules, the fine line emerges. While cyber is a part of national security and military domains that is unlike others, it is still just that – one part of a larger, operational landscape in which the U.S. government as a whole must engage.

"You can't clearly define what's defense and offense. We've got to have all the capability to coordinate, integrate, synchronize and de-conflict across operations, offense and defense," Williams said. "There is no such thing as cyber conflict. There is only conflict, and cyber provides another medium in which to exercise elements of national power."