Cyber Command Wrestling With Unresolved Technology and Policy Issues
Despite its fast-and-furious growth, Cybercom's responsibilities as the protector of U.S. military information networks are still vaguely defined. Command officials are not yet clear on how they would respond to a cyber attack that, most likely, would not just affect military networks but also civilian systems. They also are wrestling with larger philosophical questions about how cyberspace fits into military strategy. Unfamiliarity with the scope of the threat also is making it difficult for Cybercom to determine how best to defend networks and what investments it must make for the future.
"There is a real dearth of doctrine and policy in the world of cyberspace," said Marine Corps Lt. Gen. Robert E. Schmidle Jr., deputy commander of U.S. Cyber Command. One of the organization's biggest challenges, he said, is to figure out how to "operationalize" cyberspace, or as he put it, find the "nexus between the technological and the conceptual."
A broad discussion must take place inside and outside the Defense Department about "how we will deal with cyber threats," Schmidle said March 1 at a conference of defense industry investors in Arlington, Va., organized by Credit Suisse.
The challenges for Cybercom are wide-ranging, he said. On the policy side, one of the biggest uncertainties is the lines of authority in case of a cyber attack, he said. "How is it that we are going to respond when something happens in cyberspace, things that happen in milliseconds?" he asked. The military has mastered the command-and-control processes for responding to a hostile nuclear missile, but Cybercom is not yet certain what its role would be if, for instance, the nation's electric grid were infected with computer viruses or malware. Action would be required within minutes to avert the collapse of critical infrastructure, which calls for a more decentralized chain of command, said Schmidle. Significant planning is needed in this area, he said. The Department of Homeland Security is in charge of protecting government civilian and private-sector networks. But how DHS and Defense would work together is an unsettled issue. Cybercom does provide technical assistance to DHS if requested, Schmidle said.
In the near term, the priority at Cybercom is to bulk up its talent base with IT experts, network engineers and analysts, Schmidle said. "One of the strongest demand signals we have is for analysts," he said. The ideal analyst not only would have knowledge of the hard science of cybersecurity but also an understanding of how the military works with information. "A lot of the discussions today about cyberspace either are very technically oriented or very emotional, or both," said Schmidle. He would like to see a national-level debate similar to what took place in the 1950s and 1960s, when the United States grappled with the use of nuclear weapons. How does “strategic deterrence” work in cyberspace? he asked. "That kind of informed dialogue about cyberspace and the way we operate in cyberspace would be the first step going forward."
On the technical side, the command is seeking to build a "common operational picture," which would allow Cybercom leaders to monitor activities across the entire spectrum of defense networks. Currently, the command has little or no visibility into hundreds of information systems that are operated by the military services and defense agencies. Gaining access to a common picture "sounds easy" but it is far more complex than experts had predicted, Schmidle said.
Another tough question for Cybercom is to define what constitutes a “defensible” network, he said. Typically that means that a system has been hardened, or that antivirus software has been installed. But it has become clear in recent years that what makes most defense networks vulnerable is their “thick client” architecture, said Schmidle. A thick client is a computer in a client–server network that provides functionality independently of the central server. A thin client, by contrast, is a computer heavily dependent on a server's applications.
“Our thick client architecture is our greatest vulnerability,” he said. Most workers have multiple PC towers under their desks, and each unit can be targeted. A thin client, or “cloud” computing environment, would be easier to defend, Schmidle said.
Companies in the defense and IT industries have been waiting for Cybercom to disclose what technology investments it plans to make. But the command has no definitive wish-list for new software or hardware, said Schmidle. The military's cyber organizations still have to make a cultural adjustment to a world that is far different from the traditional weapons procurement business, he said. “Where do you find the balance between the conventional [weapons such as ships and aircraft] and cyber?” he asked. “What should we do in cyberspace?”
He noted that Cybercom has no procurement authority. Most of its budget pays for people and facilities. It must rely on the military services and agencies to fund research, development and purchase of new products.
David M. Van Buren, the Air Force’s senior acquisition executive, also speaking at the Credit Suisse conference, said the service is eager to support cyber efforts, but expects a steep learning curve. “We have to become more knowledgeable,” Van Buren said. “How do we do this acquisition thing [in the cyber business]? We are still sorting that out.”
Officials in the private sector, meanwhile, are waiting for the government to come up with a cohesive cyber strategy. The fragmented arrangement of U.S. cybersecurity responsibilities only will create more confusion about who has the authority to unleash a network attack on an adversary, or who has the power to determine if a target is legitimate, said Charles Croom, retired Air Force lieutenant general and vice president of cybersecurity solutions at Lockheed Martin Corp., at an industry conference in January.
“What happens if we take down a country’s utility and the hospital’s power goes out?” Croom asked. If U.S. critical infrastructure were struck by malware, it’s not clear whether that would be considered a hostile terrorist-like act. “What is our threshold for war, and when do we respond kinetically and say, ‘That’s enough.’”
Croom blames the military for not providing expert guidance to civilian authorities. “The military, in my view, has totally avoided the strategy aspect,” he said. Instead, it has just thrown money at the problem. “In the military, we do what we do best when we come to a hard issue: We create an organization.” The Defense Department established the Cyber Command. After the bureaucracy is in place, maybe someone will ask, “what the heck was our strategy anyway? ... I’m not saying that’s bad, but it does seem backwards.”
Cyber Command, in Croom’s opinion, prematurely declared itself “operational” last fall, “without any processes, without any talent.” The private sector so far has been ambivalent about investing in cyberwarfare technology because, for many companies, there is still no “business case,” Croom said. “Industry also is saying to the government, ‘Hey you’ve got more information than I have, why don’t you start sharing it?’”