The Cipher Brief Cyber Advisory Board convenes meetings with some of the most innovative thinkers across government and the private sector, tackling a range of cyber threats. Meetings are bi-monthly and are moderated by General Michael Hayden, former Director of the NSA and CIA, as well as a rotating list of guest moderators depending on the topic. To view the Board’s guidelines and policies, please click here. To learn more about subscription to the Cyber Advisory Board, please click here.
Cyber Command no longer acts like a five-year old, but is ready to grow up. It is the latest step in a 20-year journey. The Trump Administration has recently ordered the elevation of U.S. Cyber Command.
Elevation is best understood as just the latest step (and maybe not the last) in a long series of organizational changes. In 1997, the Department of Defense response to cyber attacks was run out of the Joint Staff. The J-39 ran a Joint Staff Information Operations Response Cell, which was useful for the Eligible Receiver exercise of 1997 and Solar Sunrise intrusion of February 1998. But as the J-39 reported, it wasn’t sufficient. There was, according to the J-39, “[N]o one responsible for defense; no one with authority to direct defense.” All the cell could do was make suggestions and ask for defensive measures: not a satisfying state of affairs for a military organization.
The First Cyber Command
So by the end of 1998, the DoD created a two-star command, the Joint Task Force – Computer Network Defense (or JTF-CND, though initially stylized at CND-JTF) with the authority to not just coordinate defense operations, but give orders to service and agency components, generally the computer emergency response teams. These authorities for tactical control (or TACON in military-speak) would kick in when a cyber incident was “widespread or critical” or crossed command, service, or agency boundaries.
I was the officer at Air Staff directed to help create the unit and wrote at the time that the “Joint Chiefs decided in August 1998 to stand up a strong CND-JTF to be ‘in charge’ during attacks. The JTF would have authority to direct and coordinate the entire DoD defense. CSAF [the Chief of Staff of the Air Force] stressed the need for a strong, directive, operationally minded CND-JTF.”
There was not initially enough space to host the JTF within the Defense Information Systems Agency, so the world’s first joint cyber command – reporting directly to the Deputy Secretary of Defense – had to initially stand up in temporary aluminum trailers in the DISA parking lot. (Borrowing from a Navy tradition, that aluminum was later cut up and give to the unit’s “plankholders,” those of us who were the unit’s initial cadre.)
The JTF-CND did indeed have command authority, starting with a DoD-wide password change meant to disrupt an adversary’s cyber espionage operation. It was a simple tactic, but an early demonstration of Defense-wide command and control. The JTF led the DoD response to significant early cyber incidents, including Moonlight Maze and mass defacements of websites tied to operation Allied Force, NATO’s campaign in Kosovo.
On 1 October 1999, the JTF-CND was moved to U.S. Space Command (yes, there used to be such a thing) and renamed JTF-CNO (Computer Network Operations) in April 2000 to indicate the unit would now have responsibility for the full spectrum of computer network operations, including offense.
Considering the over-classification, which was soon to smother discussion of offensive operations, the language in the Unified Command Plan was particularly stark. Space Command’s responsibilities would include serving as the military lead for computer network defense and attack, “to include advocating CND and CNA (Computer Network Attack) requirements, … conducting CND and CNA operations, planning and developing requirements for CND and CNA, and supporting other [commands] for CND and CNA.”
During this time, there was a fast-moving worm attack (such as SQLSlammer or Blaster) about every quarter, so Space Command had the JTF issue early warnings through the existing command-post hotline. Normally, the hotline was used to announce potential ICBM launches against the United States, so the watch officers at the Pentagon must have been quite relieved to answer, hearing that it was only another malware attack.
But it was the new offensive mission, which took center stage. As the unit’s commander said afterwards, offense was “taking probably 30 percent of my mission, and it was taking up 70 percent of my time, because it was so sensitive and classified. Every time I turned around, somebody wanted to give me another polygraph to read me onto a program.”
By 2003 though, offense was becoming important enough that NSA stepped up a new team, the new Network Attack Support Staff, under the operational control of U.S. Strategic Command. The next year, Strategic Command created a full Joint Functional Component Command—Network Warfare, under command of the three-star director of NSA, to have overall control of offensive operations. Since offense could not have a higher-ranking commander, the defense team was commanded by the three-star director of DISA and re-named the Joint Task Force – Global Network Operations, with responsibility for keeping the networks operating in the face of any disruption, not just direct attack.
Creation of Cyber Command
Offense and defense were re-combined in the form of today’s Cyber Command in May of 2010, which still operating under Strategic Command. Eleven years, four months and twenty-one days after the IOC of the first cyber command, there was a four-star command, fully combining offense and defense. The initial two-dozen plank holders of the JTF-CND were now amplified into a 6,200-strong Cyber Mission Force, not even counting command staff.
The 2017 escalation of Cyber Command is the last obvious step in this evolution. But as Michael Sulmeyer and General Michael Hayden have written, the elevation of U.S. Cyber Command from a sub-unified command to a full unified command is neither a revolutionary or terribly ground-breaking step. In Sulmeyer’s analysis while a Defense cyber official, “there was nothing Cyber Command could undertake if it became a unified command that it could not already do as a subordinate command.”
Still, there are real gains to be had from elevation. Sulmeyer sees elevation leading to “[g]reater integration” into “the rest of the military plans, organizes, trains, and equips to execute warfighting missions.” Another former Defense cyber official, Kate Charlet, highlights especially that an “elevated Cyber Command is better positioned to fight successfully for resources inside the Defense Department” as “having an equal seat at the table [with other commands] can make a big difference in the fight for dollars.” Charlet also believes elevation “signals to international partners, who face increasing cyber threats that the Department of Defense will prioritize efforts to build defense and resilience together,” though with so much DoD focus on the offense, this signal may not get transmitted correctly.
Perhaps the most important advantage is that elevation removes the distraction of whether Cyber Command should be escalated or not, one of the three most fruitlessly over-discussed topics in the field (alongside information sharing and deterrence).
However, even elevation to a full unified command may not be the final word. Admiral James Stavridis has argued for a separate cyber force, akin to the other military services. After all, the Army, Navy and Air Force all have primary responsibility in their own domain of conflict (land, maritime, air and space). Since DoD considers cyberspace a separate domain, shouldn’t it have its own force? Elevation, in many ways, will make Cyber Command more like Special Operations Command, with unique training and acquisition authorities, but as Admiral Stavridis argued, “SOCOM indeed requires the core competencies of all the services to carry out its missions in the sea, air, and on land. Cyberspace operations, by contrast, do not require any of the core competencies of the five services; in fact, the cyber domain requires precisely the core competencies that none of the other branches possesses.”
With the command just elevated, this may not seem the opportune time for this idea, but with Congress pushing for a separate space corps, it may be closer than it seems.
The Down Side
Elevation will also not help if the Army, Navy, Marines, and Air Force continue to build separate networks, which they intend to defend in different ways. There are certainly some service-specific requirements, but almost all are running similar networks with similar protocols and requiring similar skills. As the past 20 years of history show, organizational structures and marginal increases to command authority cannot easily fix these underlying problems.
But the most important disadvantage of elevating Cyber Command (or indeed a cyber branch) is that humanity is still only fresh into the information age and we don’t fully understand the direction or dynamics of what we’ve created.
In the 1990s, when the first JTF was created, the major threat and opportunity was from information, not just specifically cyber. “Information operations” doctrine looked across the entire spectrum of how the DoD and U.S. adversaries could use information, from intelligence, propaganda, media, and electronic warfare to computer and network attack.
Many, indeed perhaps most, of the most disruptive cyber attacks on the United States in the past years have been more about the impact of the use of information, not from the specifically cyber elements. The most important examples are the attack on Sony, in which the North Koreans released embarrassing and commercially sensitive information, and of course the Russian attack on the Democratic National Committee, whose emails were then released to throw off the course of the 2016 presidential election.
Indeed, information may turn out to be a more important organizing principle than cyber; certainly this is what China and Russia both seem to believe. Sulmeyer writes that, “[m]aybe it’s time we get away from using “cyber” as the description of what needs to be done, and instead think about what an Information Warfare Command would look like.”
Elevating U.S. Cyber Command may, in fact, be akin to if the United States created a U.S. Battleship Command in 1935: the wrong force for the wrong kind of conflict.
