Cyber Command’s mission and portfolio has expanded and evolved. The nature of cyberspace means the Department of Defense’s cyberwarriors are facing new challenges every day. But the future of Cyber Command, an organization whose workforce and capabilities have grown rapidly, remains uncertain.
Cyber Command was born out of an effort to consolidate the Department of Defense’s cyber efforts under a single entity to protect U.S. military networks.
“For the first 20-odd years [of cyber within DoD] it was about this struggle to try to do defense better,” Jason Healey, senior research scholar at Columbia University specializing in cyber, told Fifth Domain.
The catalyst to create Cyber Command came after a 2008 intrusion dubbed Operation Buckshot Yankee. At that time, Defense Department personnel inserted thumb drives they found in parking lots overseas into their devices and spread malware throughout the secret and unclassified Pentagon network.
Buckshot Yankee “was the straw that broke the camel’s back. Senior leadership said, ‘This can never happen again,’” John Davis, federal chief security officer for Palo Alto Networks and a former senior military adviser for cyber to the under secretary of defense for policy, told Fifth Domain.
“For defensive reasons, the decision was made to create an organization that could combine these authorities and resources — offense, defense, operations of the network and intelligence — all into one organization,” he added. “That was the reason behind Cyber Command. It wasn’t to go out and be offensive, it was purely defensive in nature.”
USING CYBER FORCES
Leaders at Cyber Command spent much of the past decade building the workforce — the 133 offensive, defensive and support teams that conduct operations — as well as improving the capabilities and cyber tools needed to conduct those operations. At the same time, however, the organization was reliant on the National Security Agency for infrastructure, some tools and some personnel.
Now, Cyber Command is transitioning from building its force to building out the necessary infrastructure the department needs to conduct cyber operations and to do so independent from the NSA.
Officials say a ready force and the fact that cyber is now becoming more commonplace means that cyber capabilities will likely be used more as an instrument of U.S. and military power.
When Pentagon leaders first developed Cyber Command, officials debated whether cyberwarfare would provide a strategic deterrent on par with nuclear weapons or whether it would become a game changer at the operational level, Jacquelyn Schneider, assistant professor at the Center for Naval Warfare Studies at the Naval War College, said.
“In some ways, the desire to make cyber so strategic and so important really delayed — or stymied — the integration of cyber operations at an operational level because what policy makers heard when they heard Armageddon,
Pearl Harbor, strategic … is ‘This is something that is really important and we need to control it,’” she said, adding she was not speaking for the War College or the Defense Department.
While cyber capabilities are becoming more commonplace within the geographic combatant commands through new planning cells, some have questioned how much of a difference the cyber domain will be in a conflict.
“It’s still largely unproven how cyber is going to impact the battlefield,” Healey said.
He pointed to a recent workshop in which participants tried to understand cyber effects on the battlefield. An operation could be successful or it might not if the targets patch their systems beforehand. Such scenarios leave open a wide range of outcomes.
“Cyber advantages always proved fleeting. Moreover, any cyberattack launched on its own was close to useless,” James Lacey, professor of strategic studies at the Marine Corps War College, wrote in a recent blog post about a student wargame he organized this year. “On the other hand, targeted cyberattacks combined with maneuver forces always proved to be a deadly combination.”
CYBER COMMAND’S NEW APPROACH
While the Pentagon — and by extension Cyber Command — have always been tasked to protect domestic targets as if they were protecting the United States from incoming missiles launched by a foreign adversary, the homeland focus has become much more prominent.
“You’ve seen an evolution from [a] very strategic focused command to a command that’s [...] primary focus is domestic,” Schneider said.
Cyber Command’s latest command vision stated that adversaries are exploiting cyberspace on a daily basis and doing so below the threshold of armed conflict. As a result, “in order to improve security and stability, we need a new approach,” it read.
The new operating concept is called persistent engagement and it aims to meet adversaries in cyberspace on a daily basis below the threshold of conflict. A key pillar to the concept is what Cyber Command calls “defend forward,” essentially battling adversaries in networks as far away from the United States as possible.
Top Defense Department leaders have said this philosophy takes advantage of the Pentagon’s unique authorities to act outside U.S. networks as a way to defend the homeland from cyber threats.
Some experts have noted that the Department of Defense isn’t operating in domestic networks, but rather trying to thwart attacks before they get to the United States. However, others contend that the new approach and authorities might embolden decision makers to rely on cyberwarriors for a new host of problems.
“I get some feeling that it’s now the U.S. Hammer Command. That everyone’s looking around saying we’ve built the forces, how are we going to use them,” Healey said. “’Oh, I know, we can use them these ways.’”
New authorities from Congress and the White House have made it easier for DoD to gain approval for cyber operations.
“Am I focused on the [integrated air defense systems] or am I focused on the railroads,” Schneider said, pointing to discussions several years ago that focused on whether to pursue purely military targets or quasi-civilian targets. “I think today the debate is more about am I focused on the railroads or am I focused on our railroads?”
Cyber Command’s highest profile mission to date was protecting the 2018 midterm elections following Russia’s influence operation during the 2016 presidential election.
The persistent engagement and defend forward concepts are still nascent and will take some time to discern how effective they will be.
“I get the feeling when I talk to Cyber Command folks that they feel like they’ve got this figured out. That we’ve got forward defense, we’ve got the operating concept, we’ve got the forces, just let us get on with this because it’s solved,” Healey said. “That worries me.”
Healey was also clear to point out that the notion the old approach did not work and needed to be tweaked to this more active posture, is true only if it’s limited to a narrow set of what others have done to the U.S.
“Who after Stuxnet, who after the revelations by Snowden of what the U.S. is up to can possibly say the United States was doing nothing? Our adversaries are responding to things they see from us,” he said noting that he was not drawing a moral equivalency. “When we say the U.S. is the only one that is paying attention to the norms and we [muck] around like we’re only been victims and not done anything else, then we’re going to get the dynamics wrong. Our adversaries are sure — some of them correctly, some of them incorrectly — that we’ve been throwing the first punch.”
To others, such as Schneider, leaders are putting too much stock in the idea of persistent engagement.
“If we’re persistently engaging, does that ever end? The problem with persistent engagement is it promises to do too much all the time and doesn’t articulate priorities,” she said.
However, one positive change, she said, is that it has shifted the thinking from cyber as a rarely used strategic tool, to one that can be used more often below the threshold of conflict.
WHAT THE FUTURE HOLDS
Unlike the physical domains of land, air and sea, the cyber domain is quickly changing.
“The evolution of Cyber Command is trying to keep up with those changes both in terms of what’s changing in the technology environment as well as what’s changing from a threat perspective,” Davis said. “Those changes are driving the evolution of how the command is organized and what its focus, its priorities are.”
To keep up with the threat, he said, the command will have to take greater advantage of automation. In other words, fighting machines with machines. Today, the process of cyberwar is too human-centric.
Machine learning and automation can identify adversary tactics or playbooks and counter them, he said.
Additionally, some in the national security community have cautioned that cyber operations are being viewed too narrowly. Rather, it should be considered under a larger umbrella of information operations.
“Elevating Cyber Command might be like creating a U.S. battleship command in 1935 because it might be a wrong kind of capability for the future fight,” Healey said. “It might be that the future is going to be much more about information operations than it is about strictly cyber.”
Enemies “have learned that the integrated use of not just cyber capabilities but the combination of disinformation, denial capabilities, the psychosocial aspect of weaponizing social media, which provides an enormous platform … to sow division and doubt,” Davis said.
Leaders at Army Cyber Command have hinted that they want the organization shift to be something along the lines of Army Information Warfare Command.
Cyber Command’s current leader, Gen. Paul Nakasone, had previously testified in 2018 to Congress that during his most recent assignment leading the cyber offensive against ISIS that information operations were the most eye-opening.
“I’ve been glad to hear Gen. Nakasone and others say that they are interested in what they can do to start getting more involved especially in cyber-enable information operations, influence operations,” Healey said. “The most important cyber incidents that affected the United States have been much less cyber than have been information operations and influence.”
“I’ve been glad to hear Gen. Nakasone and others say that they are interested in what they can do to start getting more involved especially in cyber-enable information operations, influence operations,” Healey said. “The most important cyber incidents that affected the United States have been much less cyber than have been information operations and influence.”
To learn more about the ways Cyber Command has evolved over the last decade, download our series of essays that reflect on the origins and future of defend forward and hybrid warfare.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.