How a 1997 military exercise sparked the eventual creation of a unified combatant command for cyber.
National Security Agency cyber tools stolen via Kapserky Lab antivirus software. An Equifax breach that, combined with the OPM hack, enables foreign espionage services to precisely target Americans who have both security clearances and financial challenges. Tens of millions of U.S. state voter records made available on the dark web.
Perhaps lost in the flurry of recent reports of cyber debacles were the positive actions to prevent and counter ever more pervasive and sophisticated cyber threats from foreign states and criminals.
Secretary of Defense Jim Mattis is now implementing President Donald Trump’s late-August directive to elevate the U.S. Cyber Command to be a unified combatant command, reporting directly to the president and secretary of defense. This action will enhance our nation’s cyberspace capabilities to effectively address the full range of cyber threats, including threats to infrastructure that the public and governments at all levels rely upon daily. It is the culmination of a convoluted journey that began almost exactly 20 years ago.
A no-notice military exercise in 1997, dubbed Eligible Receiver 97, dramatically demonstrated that government authorities had little ability to recognize -- much less defend against -- a coordinated network attack and that our nation’s critical infrastructure was vulnerable to cyber disruption. The exercise combined simulated denial of service attacks on the 911 systems in nine large U.S. cities and actual penetration and disruption of military networks to the very top of the national command system. The timing of ER97 was impeccable, as it coincided with a series of real-world cyber attacks that validated the exercise findings.
With the ER97 results still reverberating, in October 1997 the President’s Commission on Critical Infrastructure issued its report with numerous recommendations to enhance federal, state, local and private cooperation to strengthen critical infrastructure protection. This led to Presidential Decision Directive 63 (Critical Infrastructure Protection), which among other things created Information Sharing and Analysis Centers (ISACs), bringing together public officials at all levels of government and private executives to break down stove pipes impeding cooperation, and established the National Infrastructure Protection Center (NIPC).
ISACs remain central to efforts to improve the resiliency of infrastructure, from water and power to financials systems. Congress is now working to make the NIPC’s successor organization a fully operational Cybersecurity and Infrastructure Security Agency to coordinate across all levels of government and with the private sector.
In DOD, we realized the need to assign cyber operations to one of our combatant commands, which are the only organizations authorized to conduct combat operations under the command and control of the president and secretary of defense. The initial step was creating the Joint Task Force for Computer Network Defense, which in 1998 we assigned to the U.S. Space Command -- the first time a warfighting command had the authority to direct defensive operations in cyberspace. Over the next few years, successor organizations grew in resources and capabilities -- including authority for offensive action, which can be essential to prevent attacks.
When the mission transitioned to the U.S. Strategic Command in 2002, responsibilities for cyber defense and offense were split, with the latter under a new Joint Functional Component Command-Network Warfare, whose commander was dual-hatted with the NSA Director to leverage the overlap between intelligence exploitation and offensive operations.
In 2010, Secretary of Defense Bob Gates consolidated all cyber operations under U.S. Cyber Command to better address a rapidly expanding threat. But this retained the NSA Director as its dual-hatted commander who was still subordinate to U.S. Strategic Command. As a result, the commander of U.S. Cyber Command had as many as three bosses, depending of what mission he was executing.
The impending establishment of CyberCom as a unified command simplifies the chain of command and emphasizes the critical importance of the cyber mission. It also bring to completion a 20-year journey from that surprise exercise that exposed our vulnerabilities and crystalized the recognition that superior IT infrastructure had become our nation's Achilles heel.
On Oct. 10, the Cyber Center for Education & Innovation, home of the National Cryptologic Museum, in partnership with the National Security Agency and the University of Maryland University College, is hosting a full-day, public symposium, “Cyber at the Crossroads.” With the benefit of 20 years’ experience and recently declassified material, the symposium will explore the roots of ER97, resulting initiatives, today’s cyber issues, and current Administration initiatives to secure America’s future cyber infrastructure.
The last two decades hold essential lessons for today’s decision makers who face cyber threats coming ever more fast and furious. To quote that not-yet-produced Toffler-Santayana mashup, “to deal with too much change in too little time, remember the past.”
NEXT STORY: Audit chides FDIC for sloppy breach protocols