This is Part II of a four-part series exploring what U.S. Cyber Command will need to operate on its own, separate from the National Security Agency.
Given the two distinct — yet sometimes similar — mission sets of U.S. Cyber Command, a war-fighting organization, and the National Security Agency, an espionage organization, separate infrastructure, tools and training are needed for the former to operate on its own.
For CYBERCOM to meet the stipulations of current law (as discussed in Part I), which are unlikely to change in future years' legislation given the stern opposition from influential lawmakers regarding a premature NSA-CYBERCOM split, the organization will need its own infrastructure on which to conduct its operations.
This effort is currently spearheaded by the recently established Capabilities Development Group, which plans and synchronizes capability development for the joint cyber force and whose No. 1 goal is developing the Military Cyber Operations Platform, or MCOP.
MCOP is "essentially the sum total of the portfolios we manage," said Keith Jarrin, executive director of the Capabilities Development Group at CYBERCOM.
Gen. John Hyten, commander of U.S. Strategic Command, of which CYBERCOM is a sub-unified command, recently told the Senate: "I will not advocate separating the two until we have a separate platform in the services that Cyber Command can operate on."
MCOP will be the war-fighting platform used by the cyber mission force to conduct Title 10 war-fighting missions.
The services are also looking into the development of the so-called unified platform, which is outlined in the Department of Defense’s 2015 cyber strategy and serves as the back end of MCOP. Just like providing conventional kinetic military forces with weapons, munitions or vehicles, outfitting cyber forces involves fielding the unified platform and figuring out how to establish an infrastructure separate from the NSA to conduct missions.
Cyber warriors, in order to successfully carry out their mission, need a platform, an interface, a tool set and an infrastructure, just like war fighters in the more traditional physical domains. As discussions continue to surround the inevitable NSA-CYBERCOM split, an independent CYBERCOM will need its own infrastructure to conduct war-fighting missions separate from the NSA, which is an intelligence-collection, combatant command-support agency.
The Air Force noted in its research, development, test and evaluation budget request this year that it will spend $82 million in fiscal 2018 on "common services." As part of this line item, the FY18 base expenditure will "establish and evolve the Military Cyberspace Operations Platform (MCOP) to enable combined arms, offensive and defensive operations … continue development and employment for a series of operational prototypes under the Unified Platform that reduces acquisition risk, responds to operational imperatives, and ultimately support full-spectrum cyberspace operations for the Cyber Mission Forces."
While CYBERCOM moves toward independence with the impending full operational capability of its workforce, which consists of 133 cyber mission force teams made up of 6,200 individuals set to reach full operational capability in 2018, officials contend the command is still heavily reliant on the NSA.
MCOP is essential not just from an NSA-CYBERCOM split perspective, but for the command to perform its war-fighting duties.
"Unified Platform is going to be that common war-fighting platform that then I believe that we will see targeting systems come up around it, arsenals come up around it, a place to keep your cyber weapons, it will have [battle-damage assessment], it will have command and control. It will develop — over realistically over the next decade or so — it will develop into something like the [air operations center], a war-fighting system," Bill Leigher, director of government cyber solutions at Raytheon, told reporters during a media day in early June at a company facility in Northern Virginia.
CYBERCOM still relies on the NSA’s infrastructure as well as its personnel, who sometimes perform dual-hat roles by executing intelligence-gathering activities and offensive military operations for CYBERCOM.
There are potential dangers within this construct, aside from the potential blurring of legal lines, one being the reliance upon the same infrastructure to conduct intelligence with the intent of being stealthy and unidentifiable while performing loud, offensive military operations meant to disrupt a target’s networks (but sometimes with the intent of being identifiable — think dropping a bomb from an Air Force B-2). This presents dangers from an intelligence perspective given these loud attacks may be traced back through the channels on which they were carried, leading adversaries back to NSA servers and offering intel on capabilities.
"If you want to be good at attack, sometimes it’s inappropriate to have an intelligence signature on your tools," Phil Quade, former director of the NSA Cyber Task Force, said in an interview. As mentioned above, sometimes DoD wants adversaries to know they were targeted.
"If you’re using the same platform that’s vulnerable to the enemy following you back, that path in cyberspace, you’re jeopardizing your intelligence sources if you’re using the same platform to conduct an attack," Leigher said during an interview in February. "With intelligence, you typically don’t want to get caught — it's espionage. Well, if I’m going to use a cyber exploit, and I’ve got the rules of engagement to do it, the thinking is: Heck, I’m at war. Getting caught isn’t part of the equation."
Attribution is not a big deal in a warfare scenario.
However, Quade acknowledged that the flip side is also true: If performing an intelligence operation with a tool whose signature makes it look like an attack tool, it creates the perception that international law has been violated — it's seen as an act of war when in fact it’s just surveillance. "I think it’s the benefit of both missions to have capabilities that can serve each mission — intelligence versus attack," he said.
Aside from just sharing infrastructure, some former top intelligence officials feel the longer CYBERCOM and the NSA remain married, the more the military mentality might take over to the detriment of intelligence.
In May, former Director of National Intelligence James Clapper voiced his strong conviction before the Senate Armed Services Committee that the two should split. "NSA is a crucial component of the intelligence community, and I don’t believe it’s healthy for it to be subordinated to a sub-unified command and DoD," he said. "I was the undersecretary of defense for intelligence when we came up with this arrangement. … I believed in it at the time, but it was never intended to be permanent."
"The great fear we had was as the command matured, the Cyber Command identity at Fort Meade would become more and more dominant at the expense of the intelligence identity," Michael Hayden, former director of the NSA and the CIA, told C4ISRNET in an interview. He also pointed out that the NSA creates roughly 60 percent of America’s intelligence every day.
While emphasizing his support of CYBERCOM being stood up, Hayden added: "I was worried and I remain worried that the longer this goes, the more the Title 10 personality, culture, climate, mission will dominate at Fort Meade at the expense of the traditional intelligence climate, personality, culture and so on. … That is a danger."
Part III will examine the types of tools Cyber Command needs apart from those needed by NSA to conduct espionage.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.