The Army Cyber Command has seen substantial growth in the past three years, including launching 42 cyber mission teams, but it still faces policy limitations on deploying and using cyber capabilities.
Lt. Gen. Edward Cardon said cyber policy is facing the same growing pains that counterterrorism policy experienced after the 2001 attacks.
The leader of the Army's Cyber Command said it has seen substantial growth in the past three years, but challenges related to staffing, training and policy reform lie ahead.
Lt. Gen. Edward Cardon added that in the past 18 months, the command has created 42 cyber mission teams and is in the process of developing 20 more from National Guard and Reserve units.
Some of the teams are already carrying out three kinds of mission functions in the field.
"Offensive cyberspace operations [are] about taking cyber to create an effect," Cardon said. "It's not cyber for the sake of cyber, but cyber for the integration and effects to accomplish an objective. And then defensive cyberspace operations, that really you have a threat and you're hunting that threat, and then of course protecting the network itself."
He said deploying the teams at the "corps and below" level is already paying dividends.
"What we find is [when] you put high-end cyber operators [on the ground], the units do much, much better," he said. "The challenge for us: It's not all about the technologies. It's the ability to integrate, the ability to conduct the tradecraft."
He said the technology is largely where it needs to be, but when it comes to the deployment and use of cyber capabilities, policy is the limiting factor.
"There are current processes and procedures by which cyber is used today," he said. "The challenge is those are all built on 19th-, 20th- and some 21st-century laws. So when you're starting to use 18th-, 19th-century law for something that's as fast moving as cyber, you start to have some challenges."
Cardon said the Obama administration has been doing a lot of work on the policy front, but there is much more to be done.
"It should not be harder to use cyber than it is to use kinetics to accomplish your goal, and right now it is in some cases," he said.
He added that America's use of cyber on the battlefield conforms to the laws of war in terms of proportionality and discrimination, but the problem is agreeing on the protocols and policies for using cyber technology in certain situations.
"It ultimately comes down to risk because people want things in a defined box," Cardon said. But a lot of technology does not fit a simple definition. A particular challenge is the fact that so much law and policy is based on geographical constructs that deal, for example, with dimensions such as sovereignty. In the virtual world, those boundaries often don't exist.
He added that the challenges are slowly being overcome, but technological change will continue to outpace policy formulation. "It's not for us to try to make a list," he said. "What I try to do is develop options for decision-makers, then you must choose that range of options and what…you want us to do."
Ultimately, though, "cyber is disruptive, full of disruption, and we have to make sure that our force is adapting at the pace of the technologies that we're facing," he said. "I view every mission that we do is breaking new ground and setting [policy] forward."
Cardon said cyber policy is facing the same growing pains that counterterrorism policy has experienced since 2001. Shortly after the terrorist attacks, conducting a drone strike was a controversial and questionable practice, yet today it's commonplace and has a host of guidelines and regulations.
"Every time you do something, you're setting norms, and then are those norms right or wrong?" he said. "You adjust accordingly based on the effects that are achieved."
In addition, Cardon said the military must focus on finding, recruiting and training talented cyber professionals. "You have to build a world-class cyber force," he added. "It's really about people, training and a capability development process that can turn faster than your adversary."
He added that "the next piece…is you have to be able to integrate that into current operations. Now that means you need operational commanders at all levels who can understand their environment on their different domains -- meaning the geographic domain, personnel domain [and] virtual domain -- and organize it in time and space to include cyber to deliver an effect."
That requires teaching some old dogs new tricks. "It just doesn't come to you by instinct," Cardon said.