Disjointed, Redundant Cybersecurity Programs Undermine Efforts to Protect Networks
Each service, for instance, has established its own cyber command. There are at least five major service-unique cyber commands that follow different processes for training Internet security personnel. Because of the way service budgets are managed by law, each has separate funding lines to pay for cybersecurity initiatives.
That is a losing formula for winning in cyberspace, said Air Force Brig. Gen. Greg Brundidge, deputy director at U.S. European Cyber Command. He spoke July 15 at an Armed Forces Communications and Electronics Association cybersecurity symposium in Washington, D.C.
“If we don’t have a common vision of what we’re trying to get after in this business, then we shoot at a lot of different targets and we take aim based on where we sit,” Brundidge said. “A lot of our energy now is being spent on the wrong things. We’re spending a lot of time looking at boxes and lines and wires trying to get that perfect organizational chart and that perfect command relationship.”
That is going to hinder the military’s ability to operate in cyberspace, Brundidge said. The key to success lies in being able to share capabilities and make quick decisions — tasks that are much easier to accomplish in a common operating picture, he said.
European Command has been collaborating with U.S. Africa Command and NATO on the mission in Libya. These operations have shown that the U.S. military is its own worst enemy when it comes to moving information around, Brundidge said. In cyberspace, the result is a “very haphazard” way of determining the status of the network, he said.
If all of the services monitored their networks from regional centers instead of separately, potential threats would be easier to identify and defeat, Brundidge said.
One industry executive asked the panel of military leaders if they would create a "cyber corps" like they did with medical professionals.
“You’re knocking on a door that I think time will determine the final answer,” Brundidge said. “If you look at where we’ve gone with space over the last 20, 25 years, we’re about to embark on the same kind of journey” for the cyber domain. After all, he said, 75 percent of cyber-operations are common throughout the military services.
The makeup of the services’ cyber commands varies drastically. For instance, the Air Force’s organization consists of 15,000 personnel, 10,000 of whom come from the Air National Guard and Reserves. At the other end of the spectrum is the Coast Guard, which despite being the smallest of the services, must deal with its own set of cyber issues, as the Coast Guard has military, law enforcement and homeland security authorities. The Coast Guard’s Cyber Command is manned by just 18 security professionals, who train at a Navy facility.
Experts have suggested that the U.S. Cyber force could align under U.S. Special Operations Command, or at least in an organization similarly structured. Officials at the symposium also suggested that the military’s network security specialists could be trained at the same schoolhouse or with a common core curriculum.
The services should avoid trying to conduct network defense in five different ways, Brundidge said. The military also must be careful not to lump all network security personnel into U.S. Cyber Command, officials said.
“We don’t want the future cyber force assigned to U.S. Cyber Command as a monolithic organization,” said Air Force Maj. Gen. David N. Senty, chief of staff of Cyber Command. The military’s cyberwarriors must be developed through the services and with some joint training, he said.
A more unified approach to cybersecurity would allow the military to give industry a more consistent and accurate projection of what technologies will be needed across the services. While companies may benefit financially from being able to sell certain products to all of the different services, it creates overlap and duplication that hurts the military’s operations in cyberspace, Brundidge said. The military doesn’t need five or six different products that perform the same function, he said.
The biggest challenge in cyberspace may not come from hostile hackers, but from within, Brundidge said. “Does our work in cyber minimize the lines and boundaries that our organizations bring to it? If it doesn’t, we’re not doing the right thing.”