In the nearly seven years since the U.S. Department of Defense declared cyberspace a “domain” of warfare – alongside land, air, sea, and space – the Pentagon has developed an overarching Cyber Strategy to guide their efforts in the new domain and raised a Cyber Command that has grown from 700 military and civilian employees to an expected 6,200 personnel by October 2018.
What would it take to move toward a fully independent Cyber Command – free from the reins of the National Security Agency, which it has long been tied to both operationally and administratively? At a time when cybersecurity is now in every American’s lexicon, how will CYBERCOM undertake its mission of defending military networks, securing critical infrastructure, bolstering the country’s deterrence posture, and taking the virtual fight to foreign adversaries – from non-state actors such as ISIS to nation-states risking international stability?
The Cipher Brief convened a group of distinguished experts from military, intelligence, civil society, and private industry backgrounds for its Cyber Advisory Board Meeting on “Navigating a New Cyber Command” to discuss the growing challenges in engaging adversaries on the virtual battlefield.
Cyber Command’s New Status
Currently Cyber Command remains deeply linked with the NSA under the single leadership of Admiral Mike Rogers, but this could change, if the dual-hat leadership role is split and Cyber Command branches out on its own. There are a number of reasons to separate the two organizations. The most apparent is that the NSA, the nation’s preeminent signals intelligence agency, operates under Title 50 espionage authorities, while Cyber Command, the country’s cyber warfare and national defense combatant command, operates under Title 10 warmaking authorities.
“We were plainly in error in 2009 that NSA and Cyber Command were 80 percent similar,” said one former senior intelligence official at the meeting. “The theory of the moment then, was that both are constituted by traversing cyberspace, finding and fixing something in cyberspace, and then and only then will they decide if they will exploit it, attack it, or defend it.” However, according to this view, that approach missed “the fact that the texture, the context, and the speed are profoundly different,” between NSA and Cyber Command operations.
Some at the meeting felt that the degree of integration between NSA and Cyber Command may be of less importance in the future than each of their integration with other components.
Cyber Command has successfully integrated with the combat services, such as the F-35 and the F-22, according to members of the Cyber Advisory Board. In fact, as one noted, “that is where the real integration is taking place – the traditional kinetic warmaking platforms that either offend or defend in cyberspace using Title 10.”
Cyber Command’s First Fight
Cyber Command’s first and only public campaign has been to assist in the fight against ISIS. In a joint operation last November, called Operation Glowing Symphony, the NSA and Cyber Command obtained access to ISIS administrator accounts and used them to block out members and delete content such as battlefield videos, how-to manuals, and recruitment forums. But the content was quickly restored or resurfaced elsewhere. ISIS recruitment messaging – unlike static nation-state targets such as Iran’s uranium enrichment facility in Natanz or North Korea’s ballistic missile program – enjoys a level of decentralization and therefore resilience.
Cyber Command has also stressed the overarching problem of fighting ISIS in cyberspace is that that their presence on the internet is not contained to geographical regions. “The challenge in the cyber area is, for example, the infrastructure that ISIS might be using is not physically in Syria and Iraq, but is in other areas,” Rogers told the Senate Armed Services Committee in May. “We need to be able to have an impact on that.” There remains heated debate over whether the U.S. should notify foreign countries that are home to computers hosting ISIS content but outside ISIS’ physical presence before taking action.
But conventional warfare between near-peer adversaries will not be the same as engaging technically unsophisticated networks of individuals affiliated with ISIS as they fight in Iraq and Syria. “We shouldn’t overlearn the same lessons” from this conflict, warned one leading academic on cyber issues. Generalizing the knowledge gained from a few years fighting ISIS would be dangerous, in his mind “because we have superiority over them that we are not going to have in many other cyber conflicts.”
Moreover, mere U.S. technical superiority over others may not be enough to be successful in its cyber operations – it is simply a tactical medium that enables traditional objectives. “The technical capabilities matter less here. It is the maturity of the application,” said a former senior intelligence official. “The Russians are ten years ahead of us in that regard.”
The Search for Doctrine
Indeed, one key question the Cyber Advisory Board grappled with was that of the lack of U.S. cyber doctrine. While the Army, Navy, and Air Force have years of combat history to study, analyze, and develop into doctrine, America’s cyber warriors are not forged in quite the same way – or at least not yet.
But as CYBERCOM and this doctrine come together, many of our Cyber Advisors noted that other countries, such as Iran and North Korea, have become emboldened in their operations. “Much smaller countries with less capability are using the tools and creating norms and we aren’t actually complaining about them,” said a former senior military officer.
“One way to establish norms is to affirmatively declare doctrine, and another is to call out when folks cross what we would want to be normative lines,” said a leading legal expert in the field of cybersecurity. So, when the United States remained silent as suspected Russian state-sponsored hackers disrupted Ukraine’s power grid, it missed an opportunity to lay down a marker for nations worldwide about accepted norms.
What’s more, the near-peer adversaries that the United States could find itself in cyber conflict with in the future – most notably Russia – do not adhere to the same cyber warfare rules. One only needs to look at Russian interference in the 2016 U.S. presidential elections to see how cyber capabilities can be used to strategic advantage in a way that U.S. Cyber Command does not.
“When you look at Russian doctrine in this space, it is far more elegant than anything American senior officers are doing,” said Michael Hayden, former Director of both the CIA and NSA and moderator of the of the Cyber Advisory Board.
According to one private industry advisor on the Cyber Advisory Board, Russia approaches this domain as a question of information security. “They defined, from a Russian perspective, what an attack on Russia would look like in cyberspace, and at the time we laughed at them because they said a blog post that is accessible to the Russian population that is critical of the Russian government is a cyber attack. We said, what are you talking about, that is free speech, and now the Russians are getting the last laugh.”
Levi Maxey is the cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.