Cyber Command no longer acts like a five-year-old, but is ready to grow up. It is the latest step in a 20-year journey. The Trump administration has ordered the elevation of the National Security Agency and U.S. Cyber Command; now the discussion can turn to the more important issue, the separation of their dual leadership.
As Michael Sulmeyer and General Michael Hayden have both written, the elevation of U.S. Cyber Command from a sub-unified command to a full unified command is neither a revolutionary nor a terribly ground-breaking step, just “cutting the cords” and “much ado about nothing.”
In 1997, the Department of Defense response to cyber attacks was run out of the Joint Staff. The J-39 ran a Joint Staff Information Operations Response Cell, which was useful for the Eligible Receiver exercise of 1997 and the Solar Sunrise intrusion of February 1998. But as the J-39 reported, it wasn’t sufficient. There was, according to the J-39, “[N]o one responsible for defense; no one with authority to direct defense.” All the cell could do was make suggestions and ask for defensive measures: not a satisfying state of affairs for a military organization.
The First Cyber Command
So by the end of 1998, the DoD created a two-star command, the Joint Task Force – Computer Network Defense (or JTF-CND, though initially stylized as CND-JTF) with the authority to not just coordinate defense operations, but give orders to service and agency components, generally the computer emergency response teams. These authorities for tactical control (or TACON in military-speak) would kick in when a cyber incident was “widespread or critical” or crossed command, service, or agency boundaries.
I was the officer at Air Staff directed to help create the unit and wrote at the time that the “Joint Chiefs decided in August 1998 to stand up a strong CND-JTF to be ‘in charge’ during attacks. The JTF would have authority to direct and coordinate the entire DoD defense. CSAF [the Chief of Staff of the Air Force] stressed the need for a strong, directive, operationally minded CND-JTF.”
There was not initially enough space to host the JTF within the Defense Information Systems Agency, so the world’s first joint cyber command – reporting directly to the Deputy Secretary of Defense – had to initially stand up in temporary aluminum trailers in the DISA parking lot. (Borrowing from a Navy tradition, that aluminum was later cut up and given to the unit’s “plank holders,” those of us who were the unit’s initial cadre.)
The JTF-CND did indeed have command authority, starting with a DoD-wide password change meant to disrupt an adversary’s cyber espionage operation. It was a simple tactic, but an early demonstration of Defense-wide command and control. The JTF led the DoD response to significant early cyber incidents, including Moonlight Maze and mass defacements of websites tied to Operation Allied Force, NATO’s campaign in Kosovo.
On 1 October 1999, the JTF-CND was moved to U.S. Space Command (yes, there used to be such a thing) and renamed JTF-CNO (Computer Network Operations) in April 2000 to indicate the unit would now have responsibility for the full spectrum of computer network operations, including offense.
Considering the over-classification that was soon to smother discussion of offensive operations, the language in the Unified Command Plan was particularly stark. Space Command’s responsibilities would include serving as the military lead for computer network defense and attack, “to include advocating CND and CNA (Computer Network Attack) requirements, … conducting CND and CNA operations, planning and developing requirements for CND and CNA, and supporting other [commands] for CND and CNA.”
During this time, there was a fast-moving worm attack (such as SQLSlammer or Blaster) about every quarter, so Space Command had the JTF issue early warnings through the existing command-post hotline. Normally, the hotline was used to announce potential ICBM launches against the United States, so the watch officers at the Pentagon must have been quite relieved to answer and hear that it was only another malware attack.
But it was the new offensive mission that took center stage. As the unit’s commander said afterwards, offense was “taking probably 30 percent of my mission, and it was taking up 70 percent of my time, because it was so sensitive and classified. Every time I turned around, somebody wanted to give me another polygraph to read me onto a program.”
By 2003, though, offense was becoming important enough that NSA stood up a new team, the Network Attack Support Staff, under the operational control of U.S. Strategic Command. The next year, Strategic Command created a full Joint Functional Component Command—Network Warfare, under command of the three-star director of NSA, to have overall control of offensive operations. Since offense could not have a higher-ranking commander, the defense team was commanded by the three-star director of DISA and re-named the Joint Task Force – Global Network Operations, with responsibility for keeping the networks operating in the face of any disruption, not just direct attack.
Creation of Cyber Command
Offense and defense were re-combined in the form of today’s Cyber Command in May of 2010, which was still operating under Strategic Command. Eleven years, four months and twenty-one days after the IOC of the first cyber command, there was a four-star command, fully combining offense and defense. The initial two-dozen plank holders of the JTF-CND were now amplified into a 6,200-strong Cyber Mission Force, not even counting command staff.
The 2017 elevation of Cyber Command is the last obvious step in this evolution. But as Michael Sulmeyer has pointed out, the elevation is not as big a deal as it seems: “Cyber Command,” he writes, “has already quietly amassed non-operational power and authority within the Department of Defense, making it one of the most independent commands, second only to the U.S. Special Operations Command.” And he says he could never “find a function Cyber Command might be asked to execute that could only be performed by a full, unified command (like Strategic Command) but not by a sub-unified command (like Cyber Command).”
Perhaps the most important advantage is that elevation removes the distraction of whether Cyber Command should be elevated or not, one of the three most fruitlessly over-discussed topics in the field (alongside information sharing and deterrence).
However, even elevation to a full unified command may not be the final word. Admiral James Stavridis has argued for a separate cyber force, akin to the other military services. After all, the Army, Navy and Air Force all have primary responsibility in their own domain of conflict (land, maritime, air and space). Since DoD considers cyberspace a separate domain, shouldn’t it have its own force? Elevation, in many ways, will make Cyber Command more like Special Operations Command, with unique training and acquisition authorities, but as Admiral Stavridis argued, “SOCOM indeed requires the core competencies of all the services to carry out its missions in the sea, air, and on land. Cyberspace operations, by contrast, do not require any of the core competencies of the five services; in fact, the cyber domain requires precisely the core competencies that none of the other branches possesses.”
With the command just elevated, this may not seem the opportune time for this idea, but with Congress pushing for a separate space corps, it may be closer than it seems.
The Down Side
Elevation will also not help if the Army, Navy, Marines, and Air Force continue to build separate networks, which they intend to defend in different ways. There are certainly some service-specific requirements, but almost all are running similar networks with similar protocols and requiring similar skills. As the past 20 years of history show, organizational structures and marginal increases to command authority cannot easily fix these underlying problems.
But the most important disadvantage of elevating Cyber Command (or indeed a cyber branch) is that humanity is still only fresh into the information age and we don’t fully understand the direction or dynamics of what we’ve created.
In the 1990s, when the first JTF was created, the major threat and opportunity was from information, not just specifically cyber. “Information operations” doctrine looked across the entire spectrum of how the DoD and U.S. adversaries could use information, from intelligence, propaganda, media, and electronic warfare to computer and network attack.
Many, indeed perhaps most, of the most disruptive cyber attacks on the United States in the past years have been more about the impact of the use of information than about the specifically cyber elements. The most important examples are the attack on Sony, in which the North Koreans released embarrassing and commercially sensitive information, and of course the Russian attack on the Democratic National Committee, whose emails were then released to throw off the course of the 2016 presidential election.
Indeed, information may turn out to be a more important organizing principle than cyber; certainly this is what China and Russia both seem to believe. Sulmeyer writes that, “[m]aybe it’s time we get away from using ‘cyber’ as the description of what needs to be done, and instead think about what an Information Warfare Command would look like.”
Elevating U.S. Cyber Command may, in fact, be akin to the United States creating a U.S. Battleship Command in 1935: the wrong force for the wrong kind of conflict.