Operationalizing Cyber is New Commander’s Biggest Challenge
By Cheryl Pellerin
American Forces Press Service
WASHINGTON, June 2, 2014 U.S. Cyber Command’s greatest challenge is to operationalize cyberspace to turn the electro-digital network of networks into a command-and-control environment where warriors can see the adversary and whose operations defense leaders can integrate into options for commanders and policymakers, the new director of the National Security Agency and commander of U.S. Cyber Command said here last week.
Navy Adm. Michael S. Rogers addresses the audience and the workforces of U.S. Cyber Command, the National Security Agency and the Central Security Service at his assumption of command ceremony, April 3, 2014. National Security Agency photo
(Click photo for screen-resolution image);high-resolution image available.
Navy Adm. Michael S. Rogers was a keynote speaker May 28 at the Armed Forces Communications and Electronics Association 2014 Cyber Summit.
The admiral told a large audience that he and his team are working to develop a set of five capabilities that will enable the teams of Cybercom to fight, if that becomes necessary, in cyberspace, which became a military domain in 2010 with the stand-up of Cybercom as a subunified command under U.S. Strategic Command.
Rogers also shared the early stages of an idea his team is working through to make part of the Defense Information Systems Agency, or DISA, a partner with Cybercom in defending DOD networks.
“At U.S. Cyber Command, as the new guy, I’ve said we need to focus on what a subunified command should be doing and not doing. We've got to optimize, focus and prioritize, so let's ask ourselves what we’re doing that we shouldn't be doing,” Rogers said.
The admiral concluded that if Cybercom intimately focuses on tactical-level details of defending the network, it would not accomplish much more, and he turned to DISA. In its current role, he said, DISA is largely an acquisition and engineering organization.
“I believe that for DISA to achieve what it needs to do with respect to how it's going to operate and help us defend the networks, a portion of DISA [must] become an operationalized entity focused on maneuvering and defending the networks,” he said. “We have to give DISA the ability to come up with a command-and-control node that can coordinate with others in defending the DOD information networks.”
The Cybercom commander said that in this role, DISA “could enable U.S. Cyber Command to function at the operational level of war. That's our niche and that's where I think we generate the best return and the best outcome.”
Cybercom teammates, including combatant commanders and service chiefs, eventually will discuss a more fleshed-out version of the idea, he added.
On Cybercom’s greatest challenge, Rogers offered five capabilities that must exist if cyberspace is to become viable as a military domain.
The first capability is a truly defensible network.
“Today we are … working with a series of networks in which redundancy, resiliency and defensibility were never core design characteristics,” Rogers explained. “We often treat defensive capability as something that is literally bolted onto a system after we've done everything else.”
The effort to create a defensible architecture is leading Cybercom to reduce its number of networks and to focus on areas where the networks have continuous public interfaces -- a source of particular vulnerability, Rogers added.
DOD’s fledgling Joint Information Environment, or JIE, is a framework for modernizing DOD information technology systems and making them more secure. The system includes overarching architectures, standards and specifications; common ways of operating and defending DOD networks; and common engineered-solution designs.
“We've already created a JIE structure in Europe as a test. We're moving into the Pacific arena next and we'll continue to expand around the world,” Rogers said. “We're trying to create a network in which defensibility, redundancy and resiliency are core design characteristics from the ground up.”
The second capability is common, shared situational awareness in cyberspace.
The admiral said that at every level of maritime operations, he’s used to walking into a command center that gives him a common picture of a situation through the use of color, symbology and geography in a visual display that lets him quickly gain situational awareness and make decisions.
“We do not have that right now in the cyber arena,” Rogers said. “As I used to kid my teammates, how do you defend something you can't see?”
Cybercom is in the early stages of putting together such a capability, the admiral said, and it has proven to be a hard challenge.
“We're certainly not as far along as I would like but it's not because of a lack of effort,” Rogers said, adding that he’s trying to bring together separate efforts to create the capability across the department.
“In an era of declining resources we’ve … got to do this together and we've got to divvy up who's going to do what,” he added.
The third capability involves Cybercom’s authorities and responsibilities to act.
Within the Defense Department, Rogers said, he's comfortable with Cybercom’s current authorities, “but when we start to go outside the department, it gets a little more complicated.”
One mission set Cybercom anticipates receiving is in the event of attempts to disrupt critical infrastructure in the United States, the admiral said.
“It is our expectation that we are training and working toward the ability to respond,” he added, “and it is my expectation that potentially the president and the secretary of defense will turn to U.S. Cyber Command and say, … ‘We're seeing activity X, and need you to be part of the federal government's response to this.’”
As a department, the admiral said, DOD routinely provides support to civil authorities in a multitude of mission areas, including hurricanes and wildfires.
“I don't think cyber is going to be any different in that regard,” Rogers said, “and I look for us to partner incredibly closely with our friends at the Department of Homeland Security, DHS, which is the lead for protecting federal networks” and for responding to cyber concerns outside the federal government.
The FBI also plays an important role, he said.
DOD is measured in what it does within the United States versus what it does overseas, Rogers said, “and we've got to be mindful of [the Posse Comitatus Act] and this thing we call the law. We are not going to violate that.”
Under the Posse Comitatus Act, service members and National Guardsmen who are under federal authority can’t perform in a law-enforcement capacity in the United States, unless the Constitution or Congress specifically authorizes it.
“We’ve got to make sure the constructs we build enable us to work within the U.S. legal [system],” Rogers said, so he and his Cybercom team are discussing with officials at U.S. Northern Command, which has a primary mission of homeland defense, how best to work with federal government partners.
“But clearly,” he added, “to work with other federal partners, we’ll need some measure of authority and direction that we don't enjoy day to day.”
The fourth capability for operationalizing cyberspace, Rogers said, is to develop operational concepts and a command-and-control structure that takes operating in cyberspace from dream to reality.
As U.S. Cyber Command generates teams of warfighters to operate in cyberspace, its questions will include: Who will operate in cyberspace? How will command and control work there? How will cyber operations be prioritized? Who will make critical decisions about what Cybercom teams will and won’t do in the cyber environment? What authorities are granted to which individuals? How will Cybercom make the chain of command clear to everyone operating in cyberspace?
None of this is unique to cyber, and for the military services, it's nothing new, but one thing that does make cyber especially challenging is a lack of physical geography, Rogers said.
“In the DOD framework, we often use geography as a way to define responsibilities, carving the world up as regional combatant commands, … and yet cyber doesn't recognize the geographic boundary thing,” the admiral explained.
“If I'm looking at potential attack strategies against critical infrastructure or … DOD networks, I’m watching a path that bounces from a nation state, individual or group to infrastructure spread out in countries that aren’t [our] particularly close friends or allies, then bounces into U.S. infrastructure, bounces out again, and then comes back in directly at the final target,” Rogers said.
U.S. Cyber Command must develop operational concepts and a command-and-control structure that recognizes this reality, he added.
“Like any other military endeavor,” Rogers said, “we tend to use intellectual thought, exercises and a variety of means in U.S. Cyber Command and among the broader partner teams … to work our way through this.”
The admiral added, “I tell the team, don't fixate on cyber as something unique that nobody understands. Ask yourself how we can translate [into the cyber arena] the operational concepts all of us have spent our lives in uniform learning and understanding as warfighters.”
The fifth area critical to operationalizing cyber is to generate trained and ready forces, Rogers said, adding that generating such forces and deploying them to operational commanders is a service mission.
To accomplish the mission, Rogers has mandated the following three priorities:
-- Train everyone to the same set of standards.
-- Conform to a team structure that divides 6,000 people into 133 teams that range in size from more than 60 individuals to about 20. At U.S. Cyber Command, Rogers said, the goal is to have the 6,000 people trained and certified by the end of 2016.
-- Generate capacities in the teams focused on defending the networks -- combatant commander networks, service networks, DISA networks, DOD enterprise networks, the DOD backbone, and, if needed, critical-infrastructure networks.
“This is hardest in some ways, because to truly defend a network takes a host of partners,” Rogers said, “[and] … synchronizing all areas of defense at one time is master's-level command and control in the cyber environment.”
The admiral said network defense may be Cybercom’s most complicated task, “but I would argue it's the most important in some ways because we’ll be tested every day on our ability to defend the department’s networks and, if directed, defend other networks.”
(Follow Cheryl Pellerin on Twitter: @PellerinAFPS)