As Cyber Command continues to mature, key government watchdogs want to ensure the organization does so in a responsible way.
As part of this effort, the House Armed Services Emerging Threats and Capabilities subcommittee, which oversees cyber, held a classified briefing with the Government Accountability Office in mid January to “discuss ongoing reviews and studies of cyberspace and cybersecurity capabilities of the Department of Defense,” a press release from the committee said.
Fifth Domain has learned the topics discussed during the briefing included the maturation of Cyber Command, its cadre of cyber warriors known as the cyber mission force and the dual hat relationship with the National Security Agency.
The committee’s release also obliquely pointed out that it had “noted concern in the past at DoD’s ability to mature U.S. Cyber Command.”
But now those particular worries are coming into greater focus.
Specifically, the committee is concerned about the maturity of the cyber mission force, the 133 teams each of the services collectively provide to Cyber Command. Members also want DoD to have a structure in place where cyber warriors can either organize, train and equip and fight, a Congressional aide said. Perhaps most importantly, they want to know how cyber forces will be used.
Joseph Kirschbaum, the director of defense capabilities and management at the Government Accountability Office, said the GAO has recommended to the subcommittee that DoD determine clear roles and responsibilities for who’s supposed to do what, command and control constructs, under what conditions cyber forces would be used and who would command them.
Kirschbaum also discussed capabilities from a “total force” perspective, meaning guard and reserve.
“The department doesn’t really have a good picture of what those capabilities are,” he said, which has implications for the broader use of DoD cyber. “Some of those capabilities may be vital for them to draw on and they need a clear appreciation of where they are.”
Prior to severing the dual hat relationship between Cyber Command and NSA, DoD must ensure there are robust command and control and processes for planning and deconflicting cyber military operations, per last year’s annual defense policy bill.
A legislative fix
Two items in the most recent defense authorization bill were designed to get at the command and control relationships and how forces are being used, an aide said. The bill includes requirements for DoD to provide notification of sensitive military cyber operations and quarterly briefings on cyber operations.
The cyber mission force will also need enhanced authorities to act including clear rules of engagement, as well as appropriate resources and funding, Jamil Jaffer, founder of the National Security Institute at George Mason University Law School and a former senior counsel at the House Intelligence Committee, told Fifth Domain.
“We want for Cyber Command to become more proficient in its ability to procure things,” a Senate staffer said. “I think [CYBERCOM is] approaching it cautiously … but it’s our hope that they’ll start utilizing this. Our bigger concern is that the services aren’t actually budgeting and providing the tools and capabilities that the cyber mission force is going to need.”
The idea behind this authority, a House aide said, was Cyber Command would have $75 million of flexible acquisition authority for items that would be needed in an emergent situation or maybe even a portion of that could be a standing need across the services.
“The tools are different. Tools designed to reside and extract information might be different than tools designed to delay, degrade, disrupt and all that,” Michael Hayden, former director of the NSA and the CIA, told C4ISRNET last year.
Still, the issue of readiness remains.
Michael Sulmeyer, director of the cybersecurity project at Harvard’s Belfer Center and the former director of plans and operations for cyber policy at the Pentagon, said he is watching the readiness discussion surround the cyber mission force, not in terms of a technical definition of what it means for a team to be ready, but are those teams ready to do missions they’re asked to.
With the massive investment that has been made in the cyber missions force, he said there needs to be a focus around that team’s readiness. If they’re not ready, it’s important to be honest and figure out what steps to take to close that gap.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.