Putting new emphasis on military cyber operations, President Donald Trump has ordered the Pentagon to elevate its top cyberspace headquarters, U.S. Cyber Command, to a so-called “unified combatant command,” putting it on the same level with other functional unified commands such as U.S. Special Operations Command (SOCOM). This decision has been long in the making, predating the Trump Administration, and is only one small part of a larger, ongoing discussion about the exact roles and responsibilities of U.S. military “cyber” forces.
Trump and the Department of Defense both made separate announcements about the transformation of Cyber Command, or CYBERCOM, on Aug. 18, 2017. Previously, the headquarters had been subordinate to U.S. Strategic Command (STRATCOM).
“This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our Nation’s defense,” Trump said in a written statement. “The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries. United States Cyber Command’s elevation will also help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations.”
The “elevation of U.S. Cyber Command … reflects the growing centrality of cyberspace to U.S. national security,” the Pentagon said in its own release. “Raising the organizational status of U.S. Cyber Command is intended to demonstrate visibly DoD's long-term commitment to cyberspace as a warfighting domain. It also signals the department's resolve to embrace the changing nature of warfare – thus helping to reassure partners and deter adversaries.”
This change reflects the latest transition for CYBERCOM since the decision to create it in the first place in 2009. After reaching full operational capability in 2010, the command quickly absorbed even older cyber defense entities, the Joint Task Force-Global Network Operations (JTF-GNO) and the Joint Functional Component Command-Network Warfare (JFCC-NW). JTF-GNO had stood up in 1998, followed by JFCC-NW in 2005.
More importantly, at present, the Pentagon requires the head of CYBERCOM to be the same individual who runs the National Security Agency (NSA). The decision to make the cyber headquarters its own separate entity has no effect on this command structure.
So what is CYBERCOM turning into?
The decision to elevate the status of CYBERCOM changes very little and a lot, all at once. As far as the average person is concerned, there probably won’t be a lot of visible differences in the new command structure. The cyber operations headquarters isn’t getting a seat on the Joint Chiefs of Staff, as has been suggested could happen as part of plans for a new Space Corps, and its stated mission is unlikely to be any different from what it is now.
The command’s main jobs will remain protecting U.S. military computer networks and conducting other offensive and defensive military missions in cyberspace – a nebulous mission set and a separate issue we’ll come back to later. CYBERCOM will continue to oversee the activities of the cyber elements of all the services – U.S. Army Cyber Command, the U.S. Navy’s Fleet Cyber Command, U.S. Air Force Cyber Command, and U.S. Marine Corps Forces Cyberspace – and directly support U.S. Coast Guard Cyber Command, even though that unit technically falls under the Department of Homeland Security (DHS). It will still coordinate with DHS, the Office of the Director of National Intelligence, and the other 16 members of the U.S. Intelligence Community.
There may be some paperwork involved, but CYBERCOM and its components won’t stop handling Operation Gladiator Shield, the official nickname for the Pentagon’s over-arching global network defense mission. The more than 130 national Cyber Mission Force (CMF) teams will keep on doing whatever it is that they do. There’s no reason to assume that the established arrangements that have the different service cyber components support specific U.S. military’s regional commands and SOCOM will change in the near future.
But pulling CYBERCOM out from under STRATCOM gives the head of America’s military cyberspace forces significantly more authority and stature. Instead of being as subordinate to STRATCOM’s top officer, they’ll be an equal.
As Trump noted in his statement, this could dramatically speed up the response to a massive data breach, denial of service attack against military networks, or other cyberspace crisis since the command will be able to make many more decisions on its own. CYBERCOM’s commander no longer has to go through STRATCOM’s chain of command, which was additionally awkward given their other status as head of the separate NSA.
In addition, the four-star officer at the top of CYBERCOM’s leadership becomes a single, top manager to coordinate the purchase of the often unique equipment it needs, setting core standards for training specialized personal for cyber jobs, and other mundane, but no less critical administrative duties. They’ll be in charge of setting the tone for exercises on the U.S. military’s cyberspace training “ranges” and promoting long-standing, but slow moving plans for a single unified environment for online drills.
Cyberspace is getting dangerous
All of this emphasizes the existing importance of cyberspace for American military operations, which have become heavily reliant on computerized systems and integrated networks. There’s no suggestion that we’ll see a change in this trend and other foreign forces are heading in the same direction.
This means that protecting against hostile attacks through cyberspace and launching responses against enemy assets will steadily become a more commonplace component of U.S. military missions. We’ve already seen what this sort warfare might entail and guarding against intrusions won't just be a matter of updating anti-virus software.
Assaulting networks, either to disrupt them or take them over in order to sow misinformation and general chaos, is hardly a new concept. Russia in particular has become a major user of cyber attacks in order to influence foreign elections, including in the United States. In June 2017, I wrote:
"Hacking," which seems to imply directly breaking into a computer network to change an election result, might not necessarily be the most accurate description of the Kremlin's activities. Foreign intelligence and law enforcement agencies, as well as independent cyber security firms and experts, have more accurately said Russian agents and government sponsored actors have selectively stolen and leaked information to smear certain politicians and political parties, possibly seeded those leaks with or been duped into releasing fabricated documents, actively spread disinformation, and otherwise sought to manipulate the public discourse. Both organizations and individuals have taken responsibility for these operations. Some of these, such as the individual or individuals claiming to be the hacker Guccifer 2.0, have insisted they're acting on their own accord despite evidence linking them to Russian intelligence agencies.
Notably, in October 2016, the United States Computer Emergency Readiness Team (US-CERT), an element of the Department of Homeland Security, released an unclassified Joint Analysis Report with “details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS).” The review specifically looked at entities known as Advanced Persistent Threat 28 and APT 29, better known as Fancy Bear and Cozy Bear. These two groups are widely understood to be directly under the control of the military Main Intelligence Agency (GRU) and either the civilian Federal Security Service (FSB) or Foreign Intelligence Service (SVR), respectively. Cyber-security firms had previously connected the organizations to cyber attacks dating as far back as 2008. DHS said its information was part of a broader investigative operation into “Russian malicious cyber activity,” which it had nicknamed Grizzly Steppe.
The War Zone’s own Tyler Rogoway has previously explored how even more active election-day cyber attacks are a virtual inevitably, writing:
Even with a broad audience, fear, and uncertainty may not be the goal of some adversaries. Barring the public from accessing information may prove to be just as powerful a tactic as any. On October 21st, hackers used lower-end internet connected devices to stifle access to the net with a series of mass DDoS attacks, affecting tens of millions of Americans. It seems clear that a peer state actor could use more harmful and precise attacks to creatively sway elections. But our vulnerabilities don’t end there.
Much in the same way that weather can affect voter turnout, cyber attacks could do the same. Strikes on the power grid in key areas could disrupt the predicted outcome of a Presidential election – especially in key swing states where polling is extremely close. This is especially true in demographically slanted areas, such as big cities. These population centers often lean one way while rural parts of the same state lean the other. Attacking cities’ power grids, transportation arteries or other critical infrastructure, while leaving rural areas untouched, could result in a significant advantage for one candidate over another.
In a more military-focused context, Russia appears to be actively experimenting with spoofing and jamming or disabling GPS navigation signals, which could send troops off course, misdirect bombs or missiles, or otherwise impact operations. The U.S. military is becoming increasingly aware of its need to have a plan for working in GPS-denied environments.
Cyberspace as a battlefield
In addition to these attacks being known threats, we’ve also heard about U.S. government development of their own similar cyber weapons. There were reportedly plans in place for a massive, widespread cyberspace blitz on a variety of targets in Iran, collectively known as “Nitro Zeus,” in case the international deal over that county’s controversial nuclear program fell through.
Though that cyber strike never occurred, some of the same tools and tricks might have entered up pointed at ISIS. Back in February 2016, then-Secretary of Defense Ashton Carter and Chairman of the Joint Chiefs of Staff U.S. Marine Corps General Joseph Dunford gave some important details about those activities during a briefing at the Pentagon.
Using another commonly acronym for ISIS, Dunford specifically explained:
“The secretary has talked a lot about physically isolating ISIL. In other words, isolating Raqqa, isolating Mosul, keeping the lines of communications between the two being separate, dividing Iraq and Syria up, making life difficult for the – for the – for ISIL. I think conceptually, that’s exactly the same thing we’re trying to do in the cyber world. In other words, we’re trying to both physically and virtually isolate ISIL, limit their ability to conduct command and control, limit their ability to communicate with each other, limit their ability to conduct operations locally and tactically.
“But I’ll be one of the first ones arguing that that’s about all we should talk about. Most importantly, we don’t want the enemy to know when, where and how we’re conducting cyber operations. We don’t want them to have information that will allow them to adapt over time. We want them to be surprised when we conduct cyber operations. And frankly, they’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age. And frankly, we don’t want them to know the difference. So they – it’s to our advantage to maintain the element of surprise with regard to conducting cyber operations.”
Cyber operations against the terrorist group are still ongoing and there have been rumors of new, exotic weapons in Iraq and Syria. “The Cyber Mission Force is making significant contributions in meeting the department's toughest challenges, including the fight against ISIS,” the Pentagon noted in their statement about the change in CYBERCOM’s status. Thanks to the Freedom of Information Act, you can read more about how U.S. military commanders in the Middle East define operational cyber warfare here, as well.
So, having a central advocate and manager for all of these increasingly important capabilities and in the face of growing threats definitely makes good practical sense.
Military operations versus intelligence
Unfortunately, elevating CYBERCOM’s stature within the Pentagon doesn’t necessarily get into the more difficult and long-running discussion about just what the U.S. military’s cyber forces are supposed to do and their relationship to other agencies that have a vested interest in cyberspace.
This is where the intertwined relationship between CYBERCOM and the NSA comes into question. The reason this arrangement exists is because both organizations are effectively tasked with protecting against cyberspace breaches against military networks and operational cyberspace activities against foreign entities. The problem is that CYBERCOM’s mission is focused on creating more conventional military-style effects – interrupting an enemy’s ability to operate or even actively destroying their capacity to do so – whereas NSA’s goal is to break in and steal information.
These two mission sets are tangentially related, but more often than not are in a certain amount of conflict. Maintaining covert access to a network for intelligence purposes is predicated on your opponent not knowing you’re there, which effectively precludes cyber attacks. Inversely, an operational cyber assault that achieves an immediate success might expose a vulnerability that intelligence specialists could’ve exploited, but ends up sealed off from further breaches afterwards.
“For as long as there has been signals intelligence, there have been tensions of this kind,” Robert Chesney, a law professor at the University of Texas at Austin and senior fellow at the Brookings Institution, wrote in a detailed exploration of this issue for the blog Lawfare, which is worth reading in its entirety. “When one side has access to the other’s communications, there will always be tension between the temptation to exploit that access for operational effect (with the opportunity cost of risking loss of that access going forward as the enemy realizes it has been monitored) and the temptation to instead exploit it for indirect intelligence advantage (with the opportunity cost of forgoing direct operational advantage in at least some cases).”
In theory, having the head of CYBERCOM be the same person in charge of NSA was supposed to help mitigate this inherent conflict of interest, as well as boost coordination between the two intrinsically linked domains. However, critics have long worried that one focus – intelligence or military operations – would always be favored over the other.
Given NSA’s substantially greater authority, most assumed intelligence collection would always prevail under the existing system. In September 2016, U.S. Navy Admiral Mike Rogers, who has this so-called “dual hat,” pointedly warned about this situation himself, advocating in front of Congress for the two entities to go their separate ways as soon as feasible.
“While USCYBERCOM resides with NSA, the two organizations are distinct entities with separate missions, authorities, and resource streams,” Rogers explained in written testimony that seemed to expose his own bias. ”Neither is an arm of the other, and both perform vital tasks on behalf of our nation.”
A maze of laws and budgets
At the same time, Rogers highlighted the other fundamental issue with this marriage of convenience. CYBERCOM relies heavily on NSA systems and cyber architecture to perform its own missions. While it’s fair to ask whether this is a product of the two being effectively blended together, it does mean that pulling the entities apart could be complicated and require significant time and investment in new resources.
It’s hard legally to consider going in the opposite direction and blending CYBERCOM even more closely together with NSA. This is in order to try and keep foreign intelligence collection and military operations separate and distinct for oversight purposes. The law that allows for the elevation of the military cyber headquarters to a unified combatant command makes this clear, stating “this section does not constitute authority to conduct any activity which, if carried out as an intelligence activity by the Department of Defense, would require a notice to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives.”
Even if CYBERCOM and NSA were to split formally, it seems unlikely that they would be able to ever really operate without constantly consulting with each other. It’s difficult to say how it would be best preserve both of these critical functions and give them equal attention and status, but it’s a question that will be increasingly important to answer.
The draft defense budget bills for the 2018 fiscal year now making their way through the House and Senate include sections requiring the Pentagon or CYBERCOM command specifically to provided detailed breakdowns of certain parts of the issue. The House wants a report on the remaining budgetary and statutory hurdles that would need fixing before any split. The Senate is particularly interested in finding out how much this change would cost.
As it stands now, since it maintains much of the necessary systems, NSA controls the bulk of the budget. A truly independent CYBERCOM would need its own, complete funding.
Legislators will need to reconcile these different provisions before any defense spending plan can become law. On top of that, existing laws make it clear that before any split occurs, both parties have to make sure each can properly advance their own missions independently.
When and if the reports make it to Congress it’ll be clearer just how feasible that separation might be.
Contact the author: firstname.lastname@example.org