Splitting NSA, Cyber Command Leadership a ‘Risk’, Senior Officer Says

By Stew Magnuson
A proposal to put separate leaders in charge of the National Security Agency and U.S. Cyber Command would be a “risk” because the structure in place is working well the way it is, the second highest ranking military officer in the organizations said Dec. 5.
“In my personal opinion, it works pretty darn good the way it works right now. We have figured out a way to make this work and get my job done,” Marine Corps Lt. Gen. Jon M. Davis, deputy commander of Cyber Command said in Arlington, Va., at a National Defense Industrial Association breakfast.
Davis’ boss, Army Gen. Keith B. Alexander, currently commands both the civilian NSA, and the military’s relatively new Cyber Command. He has announced in October his intention to step down by March or April. This came after months of news reports about NSA spying activity, which was revealed by former NSA and CIA employee Edward Snowden.
Since the announcement, the Obama administration has floated the idea of putting two different leaders in charge of the two organizations, which are co-located at Fort Meade, Md.
Davis in his speech painted a picture of a newly formed command, which is still in its infancy. It is in the process of training 6,000 highly skilled cyberwarriors, he said.
“By pulling us out of that umbrella right now, there is certainly some risk there,” he said.
“I’m a military guy so I plan for the worse case. And I know that our political leadership might do that,” he said. The organizations are actively planning as if the proposal will go through, he said. Policy, procedures, authorities, and transition of authorities are being looked at “to make sure Cyber Command doesn’t lose any speed if they decide to have two people,” Davis said.
“We will not miss a beat. We’re going to make it work,” he added.
Cyber Command is in the process of organizing and training two different types of teams that will go out and assist military entities. One is intended to deploy with combatant commanders. The other can go to any military organization and bolster its network defenses.
There will be 27 teams that will be allocated to the co-coms. “We are talking about empowering combatant commanders and giving them the tools they need to fight their fight,” he said.
“They will be trained to go out there in enemy space, build networks, map networks, build the intelligence they need to know if the threat is actually real, get the indications and warnings that something bad is about to happen, and also to be able to take action if need be,” Davis said.
They can prepare a target for a cyber-attack if there is an official order to do so, he added.
There will also be 68 cyber protection teams, each with about 40 personnel, and containing five subcomponents, he said.
A white team will come into an organization to do an inspection of its computer defenses. A blue team will patch any of the gaps the white team discovers.
“Blue teams to do patching for weak networks. 'Your network is a piece of junk. But here’s what you can do to make it a better piece of junk,'” he added.
A green team will sort out who among the personnel in an organization lack the proper training for how to defend networks, and then get them retrained.
After that work is done, a red team comes in to attack the system and discover any vulnerabilities. The fifth team, the hunters, will go into systems and look for malicious code, and “bad actors,” Davis said.
Red and hunter team personnel will be the most highly skilled among the team members and will undergo two years of training, Davis added.
Cyber Command and the NSA have also formed a research-and-development program called Joint-9, a secretive Skunk Works-like organization that will develop “tools,” he said. It will be housed in a facility at Fort Meade and will be co-led by an NSA employee and an Army colonel, both with computer science Ph.Ds.
Trained as a Marine Corps aviator, and having no experience with cybersecurity prior to Alexander naming him as the command’s deputy, Davis has brought a more regimented military approach to the job. Training, readiness and accountability were major parts of his speech.
“I will tell you right now we don’t even have a way to measure readiness. We’re working on that. We’re getting there. But 18 months ago, we didn’t even measure readiness,” he said.
If a network is compromised, the first instinct is to shut it down and isolate it. That is not going to be possible, he said. “Am I going to unplug it in the middle of a fight? Absolutely not.” Combatant commanders will have to work through problems, he said.
Cyber Command once asked the services to map their networks. They came back a few days later and said it was impossible. “How can I defend what I can’t even map?” he asked. “If I don’t know where my perimeter is, how can I defend that?”
The problem is that military networks were designed for communication, not defending, he said. He likened them to the F-18s he once flew. There were 32 lots manufactured by Boeing, and they all had some variations, but a trained pilot like himself could fly them all.
“Imagine if there were 32,000 lots of F-18s all different, built by different factories all over the world,” he said. And then each wing commander took each aircraft and modified it as he saw fit. That is what Cyber Command is facing with the thousands of computer systems it must defend.
“We need to treat our IT like weapon systems. If we treat it like a weapon system, we won’t have half the problems we have now,” he said.
As far as accountability is concerned, if he let his F-18 roll off the runway after a landing, he would be taken off the job, made to “pee in a cup,” and there would be an investigation to see if he was still qualified to fly. It will be the same with personnel charged with guarding military networks whose errors led to a cyber-attack. he said.
Whether the person who let the defenses down are contractors, union members, civilians or military personnel, he has the authority to treat them the same way as a pilot who makes a major error. There will be an investigation to find out if the cause is laziness, a lack of training or something more nefarious such as an insider threat.
“One thing I can do is pull people off the network and deny them the ability to log on … We’re going to do that for everybody,” he said.

Topics: C4ISR, Cybersecurity

Comments (0)

Retype the CAPTCHA code from the image
Change the CAPTCHA codeSpeak the CAPTCHA code
Please enter the text displayed in the image.