Nearly a decade after the formation of U.S. Cyber Command senior leaders at the Department of Defense are questioning the scope of the organization’s work due to the novelty of formalized military cyber operations and the dynamic cyber environment.
In other words: where does Cyber Command’s work begin and end?
“The challenge associated with defining traditional military activities in the cyber domain is typically that is done by looking back historically at what are traditional types of military operations,” Kenneth Rapuano, assistant secretary of defense for homeland defense and global security and the principal cyber adviser for the Department of Defense, said during an April 12 hearing in front of a House Armed Services subcommittee.
“In a domain that is so novel in many respects and for which we don’t have the empirical data and experience associated with military operations per se, particularly outside zones of conflict, there are some relatively ambiguous areas associated with what constitutes traditional military activities,” he said. “This is something that we are looking at within the administration and we’ve had a number of discussions with members and your staffs. That is an area that we’re looking at in terms of understanding what the trades are and what the implications are of changing the current definition if that were to be warranted.”
Moreover, just as the organization’s cyber warrior cadre is set to be fully staffed, the head of Cyber Command has suggested there might need to be adjustments to its structure. Adm. Michael Rogers has said in previous congressional testimony he’d like to “retool” the structure because the current hierarchy was based on an assessment from nearly eight years ago.
“This capability that we’ve invested, that we’ve built, how do we use it in a way that attempts to forestall the opponent’s ability to gain advantage in the first place,” Rogers told the House Armed Services Committee Wednesday. “Failing that, how do we stop that activity before they have significant impact.”
Rogers also openly questioned, from a defensive posture perspective, if Cyber Command’s forces should expand beyond operating solely inside the DoD Information Network.
“One of the questions I think we need to ask ourselves is,” he said in regards to the defense industrial base and the prospect of DoD’s role of partnering and defending critical infrastructure, “what level of ability to operate outside the DoDIN would be appropriate for the cyber mission force.”
This could be an entirely new scope for Cyber Command, which comes at a time lawmakers have questioned Cyber Command’s role in helping to defend elements of critical infrastructure – of which 80 percent is owned by the private sector – and election systems from foreign interference.
“I think that’s a good conversation for us to have because right now, not a criticism, an observation, right now [in] the current construct, I don’t operate outside the DoDIN. I would suggest we ought to take a look at that,” Rogers said.
Deputy Secretary of Defense Patrick Shanahan recently called for defense contractors to step up their game when it comes to cybersecurity.
Boeing, a major contributor in the defense industrial base, recently suffered a noteworthy cyber incident when it was hit by the WannaCry ransomware. The company maintains that the incident didn’t spread to its defense business.
However, it is unclear what Cyber Command’s role would be in lending a hand or supporting forces either to private companies or critical infrastructure. Rogers in the past has acknowledged how cyber forces are limited in their capacity and equated their use to that of high demand assets such as special operations forces or intelligence, surveillance and reconnaissance assets.
“We need a prioritization, a risk based model about how we’re going to allocate our capabilities and we’ve got to continually reassess this just like we do with ballistic missile defense, with [intelligence, surveillance and reconnaissance][ with [special operations forces]. We shouldn’t be viewed any differently,” Rogers told Senators in February.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.