Last week I attended the Cyberspace Symposium 2014 in Colorado Springs. The topic was: Managing Cyber Chaos: Integrating education, industry and government into the anarchy of the virtual world. I thought it was an excellent venue and provided great insight into what approaches the military is taking toward cyberspace and why.
I know for a variety of reasons there is much skepticism concerning the military and cyber. There have been lots of reports in the media accusing the military of “hyping” the cyber threat and trying to militarize the internet. For example, at the conference, Major General Alan Lynn, the Vice Director of the Defense Information Systems Agency (DISA), the organization responsible for providing and operating the military’s communications and information sharing systems, stated that each month they encounter 180 million malicious attack events. Critics say these numbers are inflated and include everything from hackers simply taking on the challenge of cracking the networks to spying and criminal activity. They also accuse the DoD of militarizing the internet.
I think critics are missing two major points, both of which were talked about at the conference. First, the military is heavily dependent on cyberspace, and if there is a problem, regardless of what group, individual, or nation state caused it, they along with many in business and the public could be impacted negatively. For example, when I first became involved in cyber in 1999, about 90 percent of military communications went over a commercially owned circuit at some point in their transmission. A 2008 report by the Defense Science Board stated:
“About 85% of the energy infrastructure upon which DoD depends is commercially owned, and 99% of the electrical energy DoD installations consume originates outside the fence.”
Several of the speakers provided more insight on this point. General William Shelton, USAF, Commander, Air Force Space Command said people used to summarize critical military requirements with the phrase “beds, beans, and bullets.” Now you need to add connectivity. He elaborated further by saying, “intelligence, logistics and operational plans come from remote locations.” You have to retain connectivity to get the critical information needed to conduct military operations.
This brings me to my second point: General Shelton also pointed out others know that cyber is our “life line.” He remarked that, “buried in millions of attacks today are sophisticated actors trying to find holes, insight into operations, weapons systems, and capabilities.” He asked the question could they also cause things to fail at a time and place of their choosing.
When he said that, two incidents came to mind. In December 2013 the Navy Times reported that the USS Chancellorsville (CG-62) had been struck by a target drone while conducting tests of the Navy’s Combat System Ship Qualification trials for the installation of its Baseline 9 Aegis combat system off the California coast. According to the report “the ship’s crew had about a four second warning the target controllers at Point Mugu range had lost control of the BQM-74 (drone) before the drone struck the ship.” I wondered if an enemy could do that to us. The initial report said it would take six months and $30 million dollars to repair the damage.
The second incident concerns one of the reasons U.S. Cyber Command was stood up. In 2012 the Naval War College hosted an international law conference. As stated in the conference report:
“In one of the talks Captain Timothy J. White, USN, of the Navy Information Operation Command discussed the building of U.S. Cyber Command. He explained there were external actors and internal structural deficiencies driving the process of standing up Cyber Command. In 2008, while engaged in active operations in Afghanistan, the potential compromise of data security and integrity of data led to a loss of confidence in command and control. That was a driving factor in examining what steps were necessary to secure cyber. There was a mobilization around this imperative with a clarification of terms and consultation with lawyers. JFCC-NW and JTF-GNO came together in the fall of 2009 to form Cyber Command, organized as a subordinate unified command under U.S. Strategic Command. The mission of Cyber Command is how to contribute to defending the nation, and how to support the mission around and across the globe. In cyber, we need to be able to see, understand, and prepare for various threats.”
Of note, I thought one of the best talks at the conference was given by Cyber Commands Director of Operations (J3) Major General Brett Williams. He opened up proceedings with his talk “Cyberspace Operations.” Some of his key points of the military aspects follow:
- We need to take an operational approach to cyber. If we have that maybe it wouldn’t be so chaotic.
- Emphasized the value of forums that allowed industry and the military to interact in order for them to better understand and figure out the solutions needed to enable the military to operate the way they need.
- The problem with some technology is that it doesn’t do what you need it to do.
- There is a need to be able to provide freedom of maneuverability in cyberspace. You need to be able to get information, use it, and make better decisions than the enemy.
- The term of cyber is misused. It’s part of the word cyberspace. It’s an information environment that we create. Once you create that you have a domain.
- You need to understand all that goes on in that domain. For instance, communications and intelligence are supporting forces in that domain.
- There are three competing groups: the people that deliver efficient use of resources, people responsible for security, i.e., cyber command, and the operators. In this last group are people like medical and logistics personnel.
- These three groups are competing on what is being called the Joint Information Environment should look like. (Note: Also known as JIE, the military’s plan to create a secure information sharing environment for all of the services.)
- The operators need to be more engaged. All three groups have to take risk but who sits on top and decides who should take what risk. There is no one working across all these areas with the right knowledge.
- The cyberspace domain will always be contested. You can apply everything you know about Joint Warfare but you still need people with the right expertise.
- When you’re setting up a Joint Task Force you can’t teach the commander and his staff basic cyber operations when you’re in the set up phase. You need to establish a Cyber Commander as part of the Joint Warfighting Command. (Note: A joint task force (JTF) is established when the scope, complexity, or other factors of the contingency or crisis require capabilities of Services from at least two Military Departments operating under a single joint force commander (JFC).)
- A question asked is at what point is national security threatened that will result in an attack outside of the United States? You need policy, rules of engagement and authorities. These issues are being worked at classified levels.
- Even if you have the authorities needed do you have intelligence, access and capability for cyber operations?
- This capability is still nascent. There is a focus on creating that capability which will involve things like identifying key cyber terrain.
- There is a need for a cyberspace battle management system. In order to do this you need the developer and operator working beside each other.
- The key components of this system will be a common operational picture (COP), targeting, weaponeering, assessment (presumable battle damage assessment of cyber actions).
Think I’ll end here. There is a lot more information to share from the conference. More to follow. As always the views expressed are my own.