15 June 2014

New NSA Director: U.S. Military Not Organized For Cyber Warfare; CNAS On ‘Digital Theaters,’ Decentralizing U.S. Cyber Command

June 13, 2014 · 

New NSA Director Says U.S. Military Not Organized For Cyber Warfare; “Digital Theaters, Decentralizing USCYBER Command

NSA’s new Director, and head of the U.S. Cyber Command (USCYBERCOM) ADM. Mike Rogers, speaking at the annual conference Association of the U.S. Army this week in Arlington, Virginia, said that “the U.S. military’s hidebound culture and outdated procurement system are slowing down efforts to improve cyber defenses — against increasingly sophisticated network attacks.” “Our greatest challenge is not technology; but, organization,” with DoD having a vast IT ecosystem with some 15K networks across the Department and the military services. 

As Sandra Erwin wrote in the June 12, 2014 edition of National Defense Magazine, “each branch of the military buys and manages its own systems. She adds that “of most concern to ADM. Rogers is that cyber security trends are [increasingly being] put on the back burner.” “Military commanders must own cyber,” added ADM Rogers, “networks and cyber [should be] the commander’s business.” As cyber attacks become more pervasive and intractable, “our ability to integrate cyber into a broader operational concept is going to be key. Now, we treat cyber as something specialized, so different, so unique, — that it resides outside the operational framework.”

ADM Rogers argued that [military] “commanders operate under a “flawed” notion that they can turnover network responsibilities to the unit’s information technology experts. Commanders have to own this mission and integrate it into operations. Senior officer’s ought to be as knowledgeable about a unit’s network capabilities and potential vulnerabilities, as they would about its fuel and ammunition supplies. The challenge to that is as much cultural as it is technical. The military indeed needs advanced technologies to build stronger cyber defenses,” said Rogers; but, “a disjointed procurement system makes that difficult. The DoD today,” ADM Rogers argued, “cannot synchronize our capabilities as a team.”

“The military must build a joint network backbone,” he contended. “I never understood why the Services each spend money creating, maintaining, building, and operating a global communications backbone. We do it independently. It makes no sense to me. It is inefficient. It does not lead to an integrated approach to problem solving,” he added. “We need a joint framework. Each Service could still address its own needs, “for the last tactical mile.” ADM Rogers “sees no easy fixes to this problem, other than “a fundamental change in how we do acquisitions. Networks are not viewed as “war fighting platforms. We generally turn to our CIO and tell them to go build a network.. we don’t entwine acquisitions and operations.”

ADM Rogers also called on the military services to beef up their in-house [cyber] talent. “We need to create a workforce that understands the vision, and has the tools and capabilities to execute that vision. We, the DoD, are not on the cutting-edge when it comes to networks, information technology….We need to build a trained and ready operational cyber force. USCYBERCOM wants to partner with the Services because it cannot do its job without their cooperation. It makes no sense to develop some joint vision and jam it down the throats of our Services. I tell the Services that we’re doing this as one team.”

“Future networks,” ADM Rogers added, “not only must be joint, but also “defensible…with an architecture in which defensibility, resiliency, and redundancy are core characteristics… I can’t say that about current networks. For USCYBERCOM, it can be daunting to have to defend networks it cannot see. We have got to create a shared operational awareness. It is awfully hard to operate — whether on the offensive, or defensive side — in an environment where you cannot see the environment where you operate. Military commanders have tactical operations centers, where they can follow events in real-time. We don’t have that in the cyber world. We have to create that. It’s hard to be agile when you can’t visualize what you’re doing.”

Becoming more joint and more integrated with respect to IT and our networks, also can make us more vulnerable. I am not sure what the right answer is; but, consolidating and integrating our networks would — on its face — seem to make the adversary’s job easier since they would have fewer critical network/IT targets to compromise. 

CNAS On “Digital Theaters: Decentralizing CYBERCOM

Last month, the Center For New American Security (CNAS) National Security Program, published a report by Ben Fitzgerald, Technology and National Security Program Director at CNAS and LTC. Parker Wright, USAF — with the title above. They argued that “C2 theater cyber forces, should be the first area of focus for DoD, in order to help mature cyber capabilities in a strategically mature manner.” They added, “DoD must find a balance between centralizing C2 at USCYBERCOM; and, pushing C2 to the Combatant Commanders. If CYBERCOM controls capabilities too tightly then, it risks limiting development. On the other hand, if it loosens oversight of cyber capabilities too much, then its risks their misapplication — with potentially strategic consequences.”

The authors added that theater cyber is often overlooked in discussions of cyber, which usually emphasize rare, high-end, covert “strike” capabilities; and, the broader challenge of critical infrastructure protection. Within the Geographic Combatant Commands, the authors argue that DoD can most rapidly and meaningfully mature its cyber capability — and, integrate cyber into other military operations. 

The authors conclude that USCYBERCOM must establish a C2 construct, for theater cyber, that sustains service interests and investment, and ensures that USCYBERCOM has the sufficient ability to oversee and manage cyber operations within a global context, and guarantees Combatant Commanders access to responsive cyber capabilities — at the required capacity.

The two authors examine four existing C2 models, considering the trade-offs that the DoD must deliberately balance: demands on unity of effort, force responsiveness, force availability, and organizational versatility.” They recommend that [cyber] combat mission forces conduct distributed operations from their home station — and, not deploy to the theater of operations. Combat mission forces [cyber] have a global reach, not limited by geography. The authors recommend: 

USCYBERCOM should exercise COCOM, but delegate OPCON of combat mission forces to Combatant Commanders; 

Combatant Commanders Should Establish Joint Functional Cyber Component Commands;

USCYBERCOM Should Field Specialized, Service-Aligned Combat Mission And Combat Support Teams;

DoD Should Establish USCYBERCOM As A Full Unified Command; But, Retain The Dual-Hatting Arrangement For The NSA Director And The Commander USCYBERCOM — Only Until Cyber Is Effectively Established As A Fighting Force.

Lastly, the authors provide recommendations for the DoD and Congress — to help responsibly decentralize C2 of theater cyber forces, concluding C2 structures must constantly evolve to remain effective and relevant. The authors believe “failure to commence this process in an international, collaborative manner, risks creating and locking in, ineffective and/or inappropriate C2 and technical architectures that will be difficult to change in the future.” Lots to think about and consider. V/R, RCP

No comments: