Cyber
The Magazine of the MCPA






Developing a Strategy for Cyber Conflict

posted by Clara Bayne

By Arnold J. Abraham, Institute for Defense Analyses


Introduction

History teaches the importance of developing the right strategy to adapt to a changing situation on the world stage. At the dawn of the last century, a significant shift in the global balance of power began to emerge. Germany’s power was rising, but it still faced significant rivals on both its Eastern and Western borders. The Schlieffen Plan was developed as a strategy to meet this challenge and was put to the test in World War I. The strategy called for Germany to leverage its military and infrastructure strengths to rapidly mobilize and concentrate forces to quickly defeat the French army on one front before shifting east to face the Russians. The strategy failed and the results were catastrophic. Almost ten million soldiers died in that war, far exceeding any conflict to date, and the unresolved struggle soon led to another war, which was even more devastating.


Now, in the early 21st century, the United States is the sole global superpower, but new concerns require non-linear extrapolation to develop a strategy to overcome current and future adversaries. In particular, the emergence of the cyberspace domain presents unprecedented opportunities and challenges for national security. Nations around the world have begun to recognize the significance of this dynamic, but the United States has the most at stake due to its premier position. With this in mind, U.S. Cyber Command is in the process of training and deploying a cyber force. But to optimize that force, the right strategy is needed.


This paper explores the question, “How do we develop the right force optimization strategy for cyber conflict?” It is important to invest time and effort to work through the concepts because the stakes are enormous. The first issue to address is the significance of conflict in cyberspace, not just as an aspect in the evolution of modern warfare, but as an integral element of today’s society and world. Within this context, optimal approaches for conducting cyber warfare are explored, including the best ways to posture and utilize the cyber force. Ultimately, a risk management approach is proposed to allow for leverage against many unknown factors. In the absence of hard-earned lessons learned through full-scale conflicts, simulation, exercises, and war games become the vital ingredients for developing successful strategies. But these tools can only go so far—the objective strategy may require a significant restructuring and rebalancing effort. The scale of the change seems daunting, but as cyber conflict transcends military conflict, the change should be dealt with in a revolutionary manner that does not underestimate the growing importance of cyberspace in global affairs.

 

What is Strategy? 

Why bother to discuss strategy after the April 2015 publishing of the Department of Defense Cyber Strategy to guide the development of DoD’s cyber forces and strengthen its cyber defense and cyber deterrence posture? That document did an excellent job of describing the drivers behind the need for a strategy and articulated a set of five strategic goals and over a dozen detailed objectives. However, it is better characterized as a “strategic implementation plan” rather than a strategy itself. It is a good roadmap, but one based on the assumption of a known objective end state. Alternatively, this paper calls for an examination of underlying premises because even the best map cannot be used to chart a path if one is not yet sure of the ultimate destination or method of travel.

Developing a Strategy is the art of balancing Ends, Ways, and Means against Risks. Ends are the objectives (what is to be achieved), Ways are the courses of action or methods (how and when are the available tools used to get the job done), and Means are the resources (what tools are to be acquired and used). Assessing Risk involves recognizing the Strengths and Weaknesses and the Opportunities and Threats presented by the environment and the actors. Unfortunately, U.S. leaders sometimes overlook the importance of using this model to develop optimal strategies. Instead, over-reliance on superior technology and greater resources is seen as the path to victory. When it comes to Cyber Strategy, these advantages are no longer determinative, and thus pressure is building for a more astute approach.

What is the significance of cyber conflict in modern warfare and society?

For much of human history, nations fought over control of territory. Fertile land, rich mineral deposits, navigable rivers, and safe harbors were the early prizes that eventually evolved into vital industrial and population centers. Land and sea forces were the predominant means to seize and maintain these objectives. As technology advanced, control of the airspace became an important contributor to determining the outcome of battle. Similarly, the automation of command and control mechanisms added the potential for actions in the cyberspace domain to affect conflicts between air, land, sea, and space forces. But cyber power now also offers a potential approach to conflict independent of military engagement in the traditional air, land, maritime, and space domains.

Where will the most significant struggles play out for dominance in the cyberspace domain?

Virtually all modern battlefield weapon systems have some connection to cyberspace. This means existing arsenals of air, land, and naval weapons themselves represent potential direct targets in cyber conflict at the tactical level. Similarly, administrative, logistical, and other support networks essential to conducting military operations are reliant on cyberspace and therefore are potentially vulnerable to cyber attacks as part of theater-wide campaigns. Finally, critical civilian national infrastructures that provide the foundations for military force projection now also have cyber vulnerabilities that can be exploited at the strategic level. Thus, cyberspace operations must take place at the tactical, operational, and strategic levels of conflict.

The ability for cyber power to be applied across all levels of war has led several strategists to consider the development of airpower as an analogy. Aircraft offer a similar range of options, starting with air-to-air or air-to-ground engagements (e.g., dogfights, tank plinking), moving up to targeting military installations (e.g., airfields, logistics depots), and finally to directly disrupting strategic infrastructures (e.g., petroleum-oil-lubricants and ball bearing plants). As airpower developed, significant debate ensued as to where along this spectrum it would be most effective. Even after more than 100 years of using airpower, the debate continues. A similar debate has begun on the application of cyber power. However, instead of expecting a definitive answer, the lesson to be applied from the airpower analogy is that we must be prepared to use cyber power across each level of war from the tactical to strategic.

The cyberspace domain is more than the newest realm for extending traditional military conflict to achieve military ends. The pervasive nature of cyberspace in modern society has led to challenges beyond those that typically fall within the purview of a military force. First, the age-old struggle between the concepts of freedom of information/transparency versus personal privacy has been amplified significantly through the emergence of cyberspace. Second, the entire global economy is increasingly intermeshed with cyberspace, and the competition for information advantage has become an essential ingredient of private sector profitability. The cyberspace domain has become an integral part of modernity. Given this unique dynamic, the airpower analogy falls short when trying to extend lessons beyond the military dimension. Instead, we must look to other models.


Deterrence and Cyber Conflict 

The theory of deterrence, which is as old as war itself, has been applied with varying degrees of success to avoid conflict entirely or discourage use of particular weapons and attack techniques. During the Cold War, much thought went into nuclear deterrence theory in an attempt to grapple with the extreme consequences of atomic weapons. The “Wizards of Armageddon” developed concepts such as the strategic triad, massive retaliation, and mutually assured destruction, which became part of national strategy.

The potential to apply deterrence to cyber conflict has garnered interest, and “deterrence of cyberattacks” is discussed in the DoD Cyber Strategy. However, much work remains to be done, starting with determining what goal is really being sought. Is this a version of “cyber arms control” or “de-escalation?” Or does the United States seek to retain freedom of action to use cyber power as it deems necessary while restricting any potential adversary’s range of options? Answering these questions requires first figuring out our strategic concept for the use of cyber power.

Additionally, deterrence requires predictable actors whose decisions can be influenced through the right combination of words and deeds targeted to affect their interests. This is particularly challenging for future cyber conflict, which may include unpredictable and radical non-state actors, some of which remain unidentified, while others may not yet exist. Thus, discussion of cyber deterrence should be pursued within the context of developing an overarching strategy for cyber conflict – the optimal mix of “ends,” “ways,” and “means.”

 

What will the primary nature of future cyberspace struggles involve? What are the “Ends” we should strive to achieve?

Military. As noted above, conflict in cyberspace can have multiple dimensions. First, there is the application of cyber operations as a component of military power to enable, supplement, or replace use of other capabilities. This can be done through either force-on-force attacks or by directly attacking other military targets. As cyber weapons mature and proliferate, these types of attacks will likely become a standard part of military conflicts. Providing information assurance for conventional weapon platforms will be as vital as providing an air defense umbrella for land and sea forces and rear areas. The ability to disrupt an adversary’s weapon platforms through cyber-attack will also be a valuable tool, but possibly less vital in most cases due to the availability of existing kinetic options to service the same potential targets. Cyber-attack options will be most valuable when political considerations constrain the use of traditional military force. Although the application of cyber power can lead to casualties and physical destruction, there is also the potential to launch attacks whose effects are intentionally limited to being non-kinetic, temporary, reversible, or all three, and that may be more suitable for the early stages of an international crisis. On the other end of the scale, military cyber-attacks may provide the only feasible means to penetrate hard targets without paying too high a price in terms of friendly force attrition against heightened physical defenses. However, to date, no direct cyber casualties have been recorded.

Intelligence/Counterintelligence. While cyber power will grow to be a significant complement to kinetic force application during military conflict, it will have even greater roles in other areas as evidenced by recent events. Cyber capabilities have already radically altered the landscape for intelligence and counterintelligence. The amount of digitized information far exceeds what has previously been available, and the center of gravity for the intelligence world has already shifted to the cyberspace domain. If a nation wishes to keep its secrets, it must first provide adequate security for its networks. A single insider with wide network access can wreak havoc, as has been demonstrated on more than one occasion (e.g., Snowden, Manning). On the other end of the spectrum, a determined power can develop remote accesses that lead to transfers of valuable information on an unprecedented scale. In 2012, General Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command, described the loss of industrial information and intellectual property through cyber espionage as the “greatest transfer of wealth in history.” Thus, conventional weapon platforms may still dominate current and future military conflicts, but the tide has already turned in the world of espionage and the role of cyber power within it.

Homeland Security. Homeland security is another area in which cyber power has become a crucial component. Critical civilian infrastructures in sectors such as power, transportation, banking, and communications increasingly rely on cyberspace components. The increased efficiency of the advances has benefited society, but it comes with a price that has not yet been fully realized. A whole new class of vulnerabilities exists, which requires attention beyond the physical protective measures we have traditionally relied on to remain secure. Further, unlike in the physical world, the potential to exploit those vulnerabilities is not limited to those actors in close proximity to the facilities. This is a particularly irksome challenge for the United States to face after having enjoyed the buffer of its oceans for two centuries. Hostile actors from anywhere across the planet now represent a direct potential threat. Such actors may have no affiliation with foreign militaries or intelligence services. They may not even be part of any recognized terrorist organization and could remain “under the radar” from the perspective of traditional geopolitical security interests.


Law Enforcement. On a day-to-day basis, law enforcement is the one area that has been affected by the cyberspace domain even more notably than espionage or homeland security. The vast majority of cybersecurity incidents are not traced back to foreign military forces, intelligence agents, or terrorists—they are simple criminal acts, often committed by low-level perpetrators, including some who may not even have malign intentions. Hackers are everywhere today, ranging from the teenage lone-wolf script kiddies in competition for bragging rights to international criminal syndicates organizing multimillion-dollar embezzlement schemes. This ubiquitous challenge is complicated by the fact that the technical signatures of malicious cyber activity are often hard to distinguish when first detected (if they are detected at all). This means that activity appearing to be a criminal breach may ultimately be traced to state-sponsored action with political or military motives. While national security concerns continue to grow, the predominant cyber threat to guard against today remains criminal activity, which now costs the global economy over $400 billion per year.

Regulation. The final area for consideration is the most mundane and most removed from the high-adrenaline, crisis-oriented world of military conflict. In fact, the greatest risks and destructive impacts within the cyberspace domain to date have been crises that neither the military nor homeland security or law enforcement forces could prevent. Instead, the greatest damage has been due to inadvertent technical failures, which are more akin to acts of nature and natural disasters than acts of a determined adversary. These threats are best addressed by regulation and safety measures. The most prominent example was the self-inflicted wound of “Y2K” and subsequent remediation, which cost over $300 billion worldwide. Industry generally rails against government regulation of cyberspace, but as the risks to public safety grow, the role of regulation and oversight will inevitably increase. Cybersecurity managers will eventually find solace in regulations that help to define standards of due care considered by the courts to determine liability with some predictability. The traffic safety model offers an analogy of where things may be headed in cyberspace. Before the automobile, anyone with the physical ability and resources could ride a horse with little interference from the government. As the automobile became prevalent, an entire regulatory scheme and supporting infrastructure evolved to ensure safe transit (speed limits, traffic lights, highway guard-rails, vehicle registration, license plates, driver’s licenses, mandatory insurance, etc.). Unfettered access by any and all to the “information super-highway” may soon become a risk society can no longer afford. How to manage that risk through optimal regulatory means and enforcement mechanisms may be the most daunting cyberspace challenge faced by the government.

What are the optimal organizational approaches (i.e., the “Means”) to help achieve and maintain dominance in cyberspace?

While some conflicts between nations consist primarily of military contests, it is clear that the struggle for dominance in cyberspace involves multiple axes of effort as noted above. Given the widely varied nature of the threats faced in the cyberspace domain, the question of how to best posture our capabilities becomes crucial. Defending the network on one day may mean blocking hostile attempts to overload a system with denial of service traffic, but on the next day, it could require enforcing maintenance of a firewall standard on a private company’s server. It could involve discovering and countering malware implanted in critical platforms, or strikes against the source of such attacks to cut off their command and control. Cyber threats continue to evolve and escalate at a pace beyond what we are used to in the physical domain. The struggle for dominance in cyberspace will require a versatile force that can operate within and across the variety of challenges found in the military, homeland security, intelligence, law enforcement, and regulatory realms.

Can existing structures be adapted to meet the new challenges? Currently, the bulk of the U.S. Government’s cyber resources reside within the Department of Defense (DoD), including the National Security Agency, U.S. Cyber Command and Cyber Command’s Service Components. The Federal Bureau of Investigation, the Central Intelligence Agency, and Department of Homeland Security (DHS) also have key roles. However, none of these elements have the complete range of authorities and capabilities to deal with the full scope of the challenge. The Commander of U.S. Cyber Command, Admiral Mike Rogers, recognized this reality when he described cyber as “the ultimate team sport” because no one organization has all the answers or the capability to solve all problems.
 

Bolstering any one of the existing elements, a combination of them, or even all of them will still fail to address the seams and inherent frictions of interagency bureaucracy. But there is no need to accept the status quo and rely on virtual “pick-up” teams drawn from across a sprawling network of independent agencies. Instead of trying to wedge cyberspace into the existing apparatus, a new model should be explored. Cyberspace presents many new and unique challenges, but this is not the first time that the nation has had to struggle with problems that do not present themselves neatly within current frameworks. Organizations such as the United States Coast Guard, the Merchant Marine, and the Public Health Service provide useful models that could be templates for building a cyber force to address all of the nation’s concerns. Those organizations were formed to fill crucial gaps that once existed, and they continue to provide unique services today.

The Coast Guard is a uniformed, armed military service that resides within the Department of Homeland Security during times of peace, but can operate under the Department of Defense when war is declared, or by direction of the President. Its missions fall within the categories of maritime safety, security, and stewardship. The Coast Guard is the pre-eminent law enforcement authority within its domain. In addition to securing waterways against intrusion by unauthorized personnel or materials, the Coast Guard develops and enforces vessel construction standards and domestic shipping and navigation regulations. To ensure compliance, it reviews and approves plans for ship construction, repair, and alteration, and it routinely inspects vessels, mobile offshore drilling units, and marine facilities for safety. Finally, the Coast Guard provides aids to navigation and search and rescue services that are welcomed by all legitimate mariners. Unlike any other military force, the Coast Guard has a pervasive domestic presence, interacting in an authoritative manner on a day-to-day basis with civilians operating in its domain. The public not only accepts the Coast Guard’s role, but generally embraces and depends on it as a valued partner in maritime pursuits. The cyber force of the future should have a similar ability to transition smoothly from regulatory, to law enforcement, to security functions, adapting to different challenges as they present themselves. Strong relationships with the private sector are likewise essential, because the primary domain for conflict is not a remote battlefield across the globe, but the server farms and databases of companies forming the backbone of the new digital economy.

A future “U.S. Cyber Guard” (or an independent “Cyber Agency” or a new cabinet-level “Cyber Department”) could be postured to directly repel attacks on critical infrastructures, aid the private sector and government in remediation efforts or resiliency measures, and help set and enforce day-to-day standards in cybersecurity for issues that impact the nation’s security. The Coast Guard model deserves careful study because, despite the pressing need, the public is not inclined to entrust DoD or the Intelligence Community with the broad responsibilities needed for true effectiveness in cyberspace. Thus, a new organization outside of those elements is needed at the Agency or Department level—independent, yet interdependent. Regardless of what it is called, the new organization must have mixed authorities and responsibilities for cyberspace in a manner similar to those the Coast Guard has in the maritime domain.

Two other important organizations that offer lessons learned are the Merchant Marine and the U.S. Public Health Service. These organizations are relatively minor components of the Federal Government today, but they have rich histories going back to the early days of the United States. They were established outside of the predominant organizations to perform vital niche functions that contribute to national and homeland security. On one end of the spectrum, the U.S. Public Health Service is a small cadre of experienced medical personnel who are commissioned as officers and distributed to serve across numerous federal organizations. Taking the opposite approach, today’s federal component of the Merchant Marine exists only in the form of a training academy that teaches new mariners, who can then work as civilians manning vessels. Following one of these models, a “U.S. Cyber Academy” could be established to train the finest network security engineers, who would then fulfill their federal obligations by serving in key cybersecurity positions for the private sector. In the other model, a “U.S. Cyber Hygiene Service” could be created to manage a cadre of operations experts who would be assigned to work within each federal department to fill key cybersecurity roles.



Merchant Marine – a Model for Integrated Government and Private Sector Cyber Partners

The United States Merchant Marine is a fleet of over 400 U.S.-registered, privately owned civilian merchant vessels that carries imports and exports during peacetime, and that can become a naval auxiliary during wartime to deliver troops and war materiel. The Merchant Marine is complemented by the National Defense Reserve Fleet, which consists of “mothballed” ships that can be activated during national emergencies, either military or non-military, such as commercial shipping crises.

Merchant mariners move cargo and passengers between nations and within the United States, and they operate deep-sea merchant ships, tugboats, towboats, ferries, dredges, excursion vessels, charter boats, and other waterborne craft on the oceans, the Great Lakes, rivers, canals, harbors, and other waterways.

During World War II, the U.S. Government controlled the cargo and the destinations, contracted with private companies to operate the ships, and put guns and armed Navy personnel on board. The U.S. Maritime Service trained the men to operate the ships and assist in manning the guns. Over 240,000 served, and they suffered one of the highest casualty rates of any Service in the war. Today, the uniformed Merchant Maritime Service exists only at the U.S. Merchant Marine Academy, a federal service academy that educates licensed Merchant Marine officers who serve U.S. marine transportation and defense needs in peacetime and war. Graduates are obligated to serve aboard vessels or be commissioned as officers in the military or National Oceanic and Atmospheric Administration Corps.

A cyber equivalent of the Merchant Marine could involve a range of options. To mirror its current form, a U.S. Cyber Academy would provide trained cyber experts who would populate private cybersecurity firms upon graduation, but they would have reserve commissions and be on tap for recall in the event of crises. On the far extreme, significant investments could be made in a dual-purpose cyber infrastructure that would not only aid in commerce but also bolster resiliency and be subject to direct government re-purposing in the event of national need.

U.S. Public Health Service (USPHS) – a Template for National Cyber Hygiene?

The USPHS consists of a uniformed commissioned corps of 6,500 public health professionals who serve within federal agencies such as the National Institutes of Health and the Centers for Disease Control and Prevention. The USPHS provides rapid and effective response to public health needs, leadership in public health practices, and advancement of public health science. USPHS traces its beginnings back to the U.S. Marine Hospital Service, which protected against the spread of disease from sailors returning from foreign ports and screened the health of immigrants entering the country. Today, USPHS officers are involved in health care delivery to underserved and vulnerable populations, disease control and prevention, biomedical research, food and drug regulation, mental health and drug abuse services, and response efforts to natural and man-made disasters as an essential component of the largest public health program in the world.

A cyber equivalent of the USPHS would consist of a new uniformed Cyber Service, separate from the Army, Navy, Air Force, and Marines. Just as when the Air Force was formed, this does not mean every cyber operator would need to be pulled from his or her current home. Instead, the Cyber Service could be a small cadre that focuses on only advanced offensive or defensive cyber operations—and like current USPHS professionals, they could be embedded within other elements of government to aid those organizations.


None of these examples are sufficient to serve as complete solutions, but they highlight the potential for unconventional approaches. It is clear that cyberspace conflict is not just a military issue. A successful strategy begins with recognizing the scope of the problem, and posturing correctly to address the challenge. Whatever form it would take—U.S. Cyber Guard, U.S. Cyber Service, or U.S. Cyber Academy—it cannot be just another element of DoD. Beyond Title 10 warfighting responsibilities, strong law enforcement, regulatory, and intelligence authorities are also needed. A hybrid element bridging both DoD and DHS, like the Coast Guard, holds the most promise to handle the full range of issues.

What are the best “Ways” to strategically posture and operationally utilize the Cyber Mission Force?      

Once the overarching challenges are addressed, there will still be a need for a military cyber force devoted to military missions. The U.S. must first choose whether the cyber force currently under development should become the kernel of a new comprehensive solution or focus solely on the military mission. The former requires significant political advocacy for changes in authorities and organizational structures that are unlikely to materialize without an external catalyst (e.g., a “Cyber Pearl Harbor” or “Cyber 9/11”) to force new thinking. The latter means ceding the ground on which most of today’s cyber conflicts and internal controversy reside, but it allows a focus on the military’s traditional spheres of expertise.

A force optimization strategy that confines the Cyber Mission Force to a military focus requires evaluating cyber weapons’ utility as a substitute for or complement to other military capabilities. The key question is whether cyber weapons provide “another arrow in the quiver” or a whole different method of conflict. Do cyber weapons simply provide another means to take out existing priority targets, or do they represent something entirely different—such as the next stage in the evolution of combined arms warfare?

Employing a combination of military techniques to leverage the strengths of particular weapon systems against the weakness of others is a mainstay of modern conflict. This approach, known as “combined arms” (originally conceived to involve infantry, mounted cavalry, and artillery), continues to evolve as technology brings new weapons to the battlefield. Today, military officers are still taught the critical importance of synchronizing attacks through different means to defeat adaptive adversaries.

When applied to airpower, combined arms meant that one could not rely solely on anti-aircraft artillery to defend airspace but also needed the ability to scramble fighters to intercept and engage in air-to-air combat with intruding bombers. In turn, the bombers were given fighter escorts to aid in penetration of enemy defenses.

At sea, a complex network of specialized vessels and aircraft has been developed, including attack submarines, frigates, destroyers, cruisers, and aircraft carriers. No fleet sails without the appropriate combination of these platforms to ensure capability against a range of threats.

Inclusion of cyber attack and defense in combined arms warfare will apply to land, sea, and air combat. Just as ground forces learned to consider their vulnerability to air strikes, all military forces must now become prepared for cyber attacks. Under this construct, future Army Divisions may each require their own cyber battalions, responsible for tactical offensive and defensive cyber maneuvers within their areas of operation. The same would be true of Navy, Air Force, and Marine equivalent forces.


An alternative way to envision cyber forces is as specialized strategic capabilities limited to certain extreme cases, in a manner such as chemical, biological, radiological, or nuclear weapons. These weapons, judged by society as particularly gruesome means of causing death and destruction, are generally reserved for dire circumstances. In most cases, their use is tightly controlled by treaty, agreement, or public policy. Unlike the combined arms model, which would lead to inclusion of cyberspace engagements in practically any and all conflicts, this method of employment would see offensive cyber power become highly restricted.

While cyber attacks may someday be viewed as similar to attacks by other weapons of mass effect, they do not currently carry such a stigma and are therefore relatively free of internationally recognized restrictions on battlefield employment. However, the fear of potential widespread secondary and cascading effects does bring significant political pressures to bear when using cyber power against civilian targets or other networks connected to the Internet. Therefore, cyber power may best be employed in a hybrid manner. The first method is on a tactical and operational level, in conjunction or integrated with other military forces, in a counter-force role to disrupt or otherwise defeat adversary military weapon systems and forces. The second method is on a strategic level, independently as a counter-value capability to directly affect an adversary’s national power through cyber attacks on civilian and economic centers of gravity.

There is another fundamental question beyond determining how cyber forces best fit in alongside and integrated with other military forces to achieve objectives. Within the cyberspace domain itself, the individualized tactics to achieve optimal effects remain a vital issue. Other weapon systems are limited by geography and many other physical constraints, but these do not apply in cyberspace. For example, there is no need to conserve firepower due to the logistical strains behind storage and transport of available rounds of ammunition. There are also no circles to be drawn on the map to depict the maximum effective range where targets can be held at risk before fuel or gravity holds sway. Additionally, there is no need to apportion the physical terrain as a means to avoid friendly fire and fratricide. Instead, the limiting variables are access to detailed intelligence, maintaining access on extremely dynamic networks, and perishability of exploits once specific attack mechanisms become public or after first use.


Within these new constraints, the most effective means to employ cyber power will likely vary because of the fluid nature of the domain. However, certain techniques may be worth using as the default. For example, a basic question is whether it is more effective to concentrate firepower or distribute it. The “deep and narrow” approach and the “shallow and wide” approach (e.g., precision-guided weapons versus carpet bombing) each has its benefits and detriments in different scenarios.

Similarly, one must consider whether to apply “strength versus strength” or to use one’s strongest force to exploit weaknesses in an adversary’s defense. Sun Tzu wrestled with these questions 2,500 years ago, and his sage advice stood the test of time in the physical domain, but it may or may not translate well to the virtual world.

Another consideration is the sequencing of attacks. Should cyber power be held in reserve for the turning points in battle, or can it be best used as the preliminary strike? Or should it be applied as a constant unrelenting barrage throughout an engagement?

Some answers are known already. For example, the classic “3:1” ratio of forces needed for offense to defense, developed as a gauge for ground combat, is clearly not applicable in the cyberspace domain. But other warfighting principles and techniques, from the basic through the advanced, remain to be discovered. For example, what is the cyberspace equivalent of the “Immelmann” air maneuver that came out of World War I dogfighting, or the “Crazy Ivan” developed by Cold War submariners?

Defensive strategies must also be further developed. For example, when should fixed-point fortifications be relied on versus mobile defensive countermeasures? These and many other questions of combat strategy cannot be settled by a default solution based on the first idea presented or the program that is cheapest or quickest to implement. Instead, dedicated and concentrated effort must be applied to development of cyberspace strategies and techniques, as was done in other realms of conflict. Many modern battle techniques have emerged from Service War Colleges and Command and Staff schools.

While it is too early to determine the optimal strategic, operational, and tactical employment of cyberspace forces, we do not need to wait until after a major conflict to find the answers. Instead, a robust simulation, war game, and exercise program should be pursued as the primary line of effort. Sun Tzu’s ancient prescription to “know your enemy, know yourself, and in 100 battles you will not be defeated” must be adapted to the virtual test range. Even though a particular technique or formation may appear to be working, the alternatives must be considered until every feasible angle is investigated. While it is true that exercises, simulations, and war games do have a role in today’s military, they are often seen as a drain on resources away from the day-to-day operational mission. This dynamic needs to be reversed for cyberspace to ensure the right investments for the future.

Conflict in the cyberspace domain does not benefit from the natural evolution mankind experienced in the physical domain. We are used to judging distance and speed by eye and can readily apply such lessons. Similarly, hundreds of years of experience in structural engineering yields, as a byproduct, the ability to calculate the destructive effects of explosives against facilities. In comparing the domains, even our most advanced cyberspace practitioners are still novices when it comes to fully understanding the terrain and methods of maneuver. The potential risks and rewards are too great to wait to learn these lessons the hard way—in the course of battle. Therefore, while simulation, war games, and exercises are part of every military mission, they must play an even more extensive role for cyber conflict.

Instead of selecting a particular strategy now and pursuing it straight away, a sizable portion of the cyber force should be devoted to developing the path ahead. For much of the Cold War, a majority of military forces focused on getting ready for a battle they fortunately never fought. A return to this type of model may be prudent for cyber forces, filling the calendar with a variety of realistic exercises and virtual force-on-force simulations. Strategic Air Command was the pinnacle of this approach, being well-known (one could say almost “infamous”) for its rigorous exercise, training, and evaluation program to support readiness. The procedures for nuclear conflict had been finely honed, but painstaking practice was needed to ensure precise execution of the plan if called upon. The current state of cyber conflict requires a similar level of intense effort, far beyond the current level of commitment to exercises and training.

Cyber teams should be developed along different conceptual approaches and tested against each other—again, and again, and again. It may seem counterintuitive to take troops “off the line” when cyber incidents are occurring on a daily basis, but the long-term risk must be balanced against that of the present day. When the time comes to execute a major cyber conflict, we can ill afford to be surprised by major developments.

Conclusion

While the United States currently enjoys military superiority across the globe, developing the right strategy for cyberspace operations can mean the difference between victory and defeat in future conflicts. In the early 1600s, a tiny nation rose to pre-eminence in global affairs. The Dutch Gilded Age saw a transformation of the Netherlands from a minor possession of the decaying Holy Roman Empire into the world’s foremost maritime and economic power. The Dutch East India Company was at the heart of the “Dutch Miracle”—it was the world’s first multinational corporation financed by the first modern stock exchange. The story is relevant today because it is essentially a tale of new technologies and new organizational concepts being combined in a game-changing strategy, altering the global balance of power. Such stories are inspiring to some, but are potentially foreboding for the United States today.

The 21st century is no longer a time for business as usual when considering the shifting balance of power in cyberspace. Today, the United States, Russia, and China dominate, but tomorrow it could be smaller but highly advanced technical powers such as Israel, Japan, and Singapore that take the fore. Alternatively, the very essence of national power may be redefined as super-empowered individuals and international non-state actors such as the Islamic State in Iraq and Syria (ISIS), Anonymous, and Google seize the initiative in a rapidly evolving landscape…as the Dutch did 400 years ago.

Without a crystal ball, it is impossible to know what the right strategy is. But we do know that the wrong strategy can lead to disaster. It is necessary to adapt to the changing situation readily apparent across the spectrum of day-to-day affairs. Today’s environment requires a non-linear extrapolation. The best swordsmen of their day, with the most training and finest steel, could not stem the tide of firearms and explosives. Now is not the time to just keep sharpening the sword. But it is also not the time to throw down the sword and take up an entirely new type of arsenal. Instead, a risk-management approach to balance the right ends, ways, and means of strategy demands spreading efforts across the range of potential outcomes to guard against both likely and unforeseen contingencies.
 

Rather than waiting for the aftermath of a major cyber conflict to show the way, a robust simulation and exercise program must explore a range of alternatives. This will require some sacrifice of readiness to execute current missions, but it is an investment in the future to avoid outcomes with the potential for much greater harm. The answers cannot be constrained to existing paradigms, so an important part of the future investment is to establish an organization free of ties to legacy structures and policies. DoD and U.S. Cyber Command should lead the charge in calling for a new organization to be their vital partner in developing the optimal cyberspace strategy for the nation. While U.S. Cyber Command focuses on its military role, another non-DoD element will be able to transcend the military, intelligence, law enforcement, and regulatory functions. Even while the Cyber Mission Force is still being fleshed out, it is time to raise the flag of the “United States Cyber Guard.”

David and Goliath

The story of David and Goliath is well known as a classic example of the improbable victory of an underdog over a more powerful foe. The author Malcolm Gladwell, whose works focus on unexpected implications of social science research, recently published a book which concludes that giants are sometimes not as powerful as they seem, and history is replete with examples of unexpected outcomes of this nature.

 

Gladwell suggested the hidden weakness of “Goliath” enterprises is their tendency to assume that the strategy that made them great will keep them great. The Goliath story shows that someone perceived as an underdog may actually have an advantage by employing an alternate strategy.

Favoring the underdog is a part of American tradition, but when it comes to cyber conflict, the United States is the “Goliath” of the tale. The February 2015 National Security Strategy states, “We possess a military whose might, technology, and geostrategic reach is unrivaled in human history.” From our 21st century telecommunications infrastructure and $13 trillion economy to our $600 billion DoD budget (which represents more than one-third of the entire global market), and seemingly omnipresent Intelligence Community, the United States rests atop a perch as the world’s sole superpower. But many are actively seeking to change the status quo, and a range of potential new foes is on the horizon. Developing the right strategy for cyber conflict is crucial because the United States cannot continue to rely on its size and strength to defeat future “cyber-Davids.”



About the Author

Mr. Abraham is a Distinguished Graduate of the National War College, a Principal Attorney with The CyberLaw Group, and member of the MCPA's Board of Advisors. He previously served as a Senior Executive in U.S. Cyber Command, the Department of Homeland Security, and the Office of the Director of National Intelligence. He wrote this paper based on research sponsored by the Institute for Defense Analyses.

Photo credits (in order of appearance):  AFCEA International, onthenetgang.com, Huffington Post, Littlegate Publishing, Duffel Blog, Eder Flag, Department of Defense, GameSpy, RC Airplane World, Cryptome, silist.com.

The Cyber Security Ratio

posted Mar 30, 2017, 2:42 AM by Michael Lenart   [ updated Apr 20, 2017, 5:15 PM ]

By Daniel Cahill

 

Introduction

 

Governments and private firms spend significant amounts of their budgets on cyber security to ensure confidentiality, integrity, and availability of data, and to limit liability. How much is enough? How do private firms compare to each other and how do they compare to governments and government agencies? These questions are difficult to answer because there are neither baselines nor standards. Current accounting practices and analysis consider cyber security expenses as a percentage of overall expenses. This method, however, misses the mark for two reasons. First, there is no standardization for cyber security requirements and therefore no baseline from which comparisons can be made. Second, it does not consider the value of the transactions and assets exposed to cyber threats. The Cyber Security Ratio allows for a fairer comparison across sectors by assigning a value to what is being protected and then comparing that value to what is being spent on cyber security.


Background


The U.S. Department of Defense (DoD) utilizes multiple computer networks to conduct its daily operations; the two primary networks are SIPRNET and NIPRNET. Both SIPRNET and NIPRNET utilize the worldwide web (internet) to exchange information, the difference being that NIPRNET can actually send information and receive information/data from the Internet whereas the SIPRNET merely utilizes the NIPRNET/Internet as a means to securely tunnel encrypted information. No information/data originating from the Internet enters or leaves the SIPRNET network or vice versa. Furthermore, SIPRNET terminals are only connected to the SIPRNET, so there is no other method for data to move onto or off the system. In theory SIPRNET is inherently secure, with all of its contents being encrypted [1, 2].

 

The SIPRNET concept eliminates a vast majority of problems associated with network security as no unencrypted data is ever exposed to the Internet and the terminals themselves are fully shielded from the Internet. There is very little risk of data being compromised or malicious code being introduced directly from the Internet. The only real risk, aside from an insider threat, is denial of service. The additional, minimal expense with SIPRNET involves encrypting data at the point where data leaves the local network and decrypting data where data enters the network.

 

The NIPRNET is more like a typical business network and exposed to the same risks.  The cost of securing this network should be similar to that of any other network. In fact, an argument could be made that a typical firm is required to store and transmit all of its data in a manner that exposes it to the internet, whereas the Department of Defense has the option to transmit and store much of its sensitive data on SIPRNET.

 

Virtually every firm engaged in business utilizes the Internet in some way, shape, form, or manner, and very few firms utilize the “encrypted tunneling” technique in the way that DoD does. That is, very few firms use terminals that cannot send or receive data from the Internet. Considering this, how do these firms secure their data and networks? In government terms, a vast majority of these private firms utilize commercial off-the-shelf (COTS) solutions.



In order to determine the proper amount to spend on cyber security, the most important question is: How “sensitive” is the data being secured? The second question to ask is what is the threat? The answer to the first question is the foundation (or denominator) for the Cyber Security Ratio (alternately referred to as the Cahill Ratio/Number). There are five methods that can be used to accomplish this, all of which involve 1) assigning a dollar value to what is being secured, and 2) equating a dollar value to determine sensitivity. Once the value of what is being secured is determined, it can be compared to the expense of protecting it, which is the annual cyber security budget (the numerator of the cyber security ratio).

The Cyber Security Ratio can therefore be calculated as follows:

CSR = (Annual Cyber Security Budget / Annual Value of Assets and/or Transactions Exposed to the Internet) x 10,000

 

These methodologies will be demonstrated and discussed below in the “Examples” section using data reported in financial disclosures from some well-known financial firms and the U.S. government.


The answer to the second question, “What is the cyber threat?”, is that all entities, government and private, face very similar threats and therefore no correction factor has to be applied to account for difference in risk. Most insurance policies/underwriting have an exception for war, meaning it is possible to insure a civilian airliner but not military aircraft. However, in the realm of cyber warfare there is no distinction between civilian and military. All entities are targets, including state/government functions and private enterprise.

 

Examples

 

The first method for calculating the Cyber Security Ratio (CSR) equates the value or sensitivity of the data to the annual expenses of the firm.

 

The U.S. Department of Defense (DoD)

Budget for 2015: 560 Billion USD [3] ($560,000,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD [4] ($4,700,000,000)

CSR = 4,700,000,000 / 560,000,000,000 x 10,000 = 83.93

 

JP Morgan Chase (JPM) 2014-2015

Expenses for 2014: 61 Billion USD [5] ($61,000,000,000)

Cyber Security Budget for 2015: 250 Mil USD [6] ($250,000,000)

CSR = 250,000,000 / 61,000,000,000 x 10,000 = 40.98

 

Bank of America (BAC) 2014-2015

Expenses for 2014: 75 Billion USD [7] ($75,117,000,000)

Cyber Security Budget for 2015: 400 Mil USD [8] ($400,000,000)

CSR = 400,000,000 / 75,117,000,000 x 10,000 = 53.25

 


  

 

The above calculations demonstrate that spending on cyber security as compared to expenses varies significantly between the two financial services firms. Bank of America's CSR exceeded JP Morgan Chase's by 29.93%. This difference is significant because if one assumes other expenses are relatively similar, then the difference in cyber security expenses has a significant impact on net income. In the case of Bank of America, whose net income was $8.3 billion in 2014, this cyber security expense was 5% of its net income.

 

When we compare cyber security spending in the financial services sector to the U.S. Department of Defense, we see that DoD’s spending on cyber security as compared to expenses is 104.79% greater than JP Morgan Chase’s and 57.61% more than Bank of America’s. These numbers are well outside the realm of differences seen within the financial services industry and suggest DoD is overspending on cyber security – at least from the perspective of overall expenses.

 

A challenge of this method is that expenses may not accurately represent the value of the data that is being protected, particularly for firms that manage a large amount of assets. Using data from the aforementioned entities (and sources), we see that there is little correlation even within the financial services sector between expenses, assets managed (held), and shareholders’ equity (net assets). Bank of America’s expenses versus assets held is 50% greater than that of JP Morgan Chase. Bank of America’s expenses versus shareholders’ equity is still 20% more than that of JP Morgan Chase.

 

The second method is to measure the value of the firm in terms of either shareholders' equity or market capitalization. In the case of the Department of Defense, this would be the same as assets because for all intents and purposes DoD owns its assets outright. This only makes sense if you believe the total losses of a company are limited to shareholders’ equity and you disregard the loss of assets and/or liabilities.

 

The U.S. Department of Defense (DoD)

Total Assets for 2015: 2.3 Trillion USD [9] ($2,292,137,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD [10] ($4,700,000,000)

CSR = 4,700,000,000 / 2,292,137,000,000 x 10,000 = 20.50

 

JP Morgan Chase (JPM) 2014-2015

Shareholder’s Equity for 2014: 232 Bil USD [11] ($232,065,000,000)

Cyber Security Budget for 2015: 250 Mil USD [12] ($250,000,000)

CSR = 250,000,000 / 232,065,000,000 x 10,000 = 10.77

 

Bank of America (BAC) 2014-2015

Shareholder’s Equity for 2014: 243 Bil USD [13] ($243,471,000,000)

Cyber Security Budget for 2015: 400 Mil USD [14] ($400,000,000)

CSR = 400,000,000 / 243,471,000,000 x 10,000 = 16.43


 

 

 

Using the Shareholder’s Equity method we see that the Bank of America spends 52% more than JP Morgan. The Department of Defense spends 90% more than JP Morgan and 25% more than Bank of America. Again, we see that Bank of America is spending significantly more than JP Morgan and that DoD is spending significantly more than JP Morgan and marginally more than Bank of America.

 

Many, if not most, accountants consider the maximum loss as something similar/equivalent to shareholders’ equity. Any suggestion of considering the maximum loss as being total assets would be dismissed as unrealistic because you can’t take any more from a firm than shareholders’ equity (Shareholders’ Equity = Total Assets – Total Liabilities). This firm-centric perspective is dangerous because it dismisses the potential loss of assets held on behalf of the client. To put it simply, you can steal vastly more from a bank than the value of shareholders’ equity; this is a fact. And the Federal Deposit Insurance Corporation (FDIC) does not cover losses that result from theft or fraud. The next method will take this possibility into consideration.

 

The third method is to consider the total assets of the firm, where the value of the data is taken to be the value of the total assets held by the firm. Using total assets makes sense if one believes the ultimate or most catastrophic loss is a loss of all of the firm’s assets rather than “net assets” or shareholders’ equity.

 

The U.S. Department of Defense (DoD)

Total Assets for 2015: 2.3 Trillion USD [15] ($2,292,137,000,000)

Cyber Security Budget for 2015: 4.7 Billion USD [16] ($4,700,000,000)

CSR = 4,700,000,000 / 2,292,137,000,000 x 10,000 = 20.50

 

JP Morgan Chase (JPM) 2014-2015

Total Assets for 2014: 2.6 Trillion USD [17] ($2,570,000,000,000)

Cyber Security Budget for 2015: 250 Mil USD [18] ($250,000,000)

CSR = 250,000,000 / 2,570,000,000,000 x 10,000 = 0.97

 

Bank of America (BAC) 2014-2015

Total Assets for 2014: 2.1 Trillion USD [19] ($2,100,000,000,000)

Cyber Security Budget for 2015: 400 Mil USD [20] ($400,000,000)

CSR = 400,000,000 / 2,100,000,000,000 x 10,000 = 1.90

 

 

 

 

The aforementioned calculations demonstrate that even when considering total assets managed (or assets at risk), the results are highly disparate. Using this method, we see that Bank of America spends 95.81% more on cyber security than JP Morgan. When comparing Bank of America to DoD in this manner, we find that DoD spends a staggering 10 times or 976.51% more on cyber security. When comparing DoD to JP Morgan Chase in this manner, DoD is spending a similarly staggering number of 20 times or 2,007.90% more. I believe this calculation most accurately represents the true picture of what is being spent on cyber security and also highlights the most excessive disparities between the Department of Defense’s spending and the spending of financial services firms. Again, the threats encountered by both are the same and both have similar assets to lose, yet some are spending drastically more than others.

 

The fourth way to measure value of the data is to measure the actual value of the transactions that take place across the network. An argument can certainly be made that this is what’s truly at risk for a firm above and beyond any other number presented above (at least from a cyber security perspective). Certain sectors, such as the financial services sector, deal with transactions that far exceed their expenses or even the value of their companies. An excellent example of this is the New York Stock Exchange (NYSE), which executed transactions in excess of 11 trillion dollars in 2015 [21]. Yet, the parent company Intercontinental Exchange (ICE) had expenses of approximately 1.6 billion dollars, assets totaling 50 billion, and shareholders’ equity of 12 billion [22]. This fourth manner is the one that presents the most challenges, as most firms do not publicly report the actual value of transactions that take place across their networks. Furthermore, estimates based on required disclosures would be difficult because many values are reported as “net values,” which negates the ability to estimate the value of actual transactions. All of this makes it extremely difficult to ascertain the CSR using this methodology. Additionally, the value of transactions does not necessarily represent the number of transactions taking place, which would be important because every time a transaction crosses the Internet, there is a risk of compromise.

 

The fifth method would involve a combination of the first four methods. Perhaps a starting point would be the sum of assets, value of transactions, and market capitalization/shareholders’ equity.
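The three methods that can be calculated from the figures above, together with the handling of an undisclosed denominator in methods four and five, are worked through in the added example below; it is not code from the article. The function and dictionary names are assumptions of the example, and the dollar figures are the ones quoted in the Examples section.

```python
from itertools import permutations
from typing import Dict, Optional, Tuple

SCALE = 10_000  # multiplier used in the article's formula

# Figures (USD) as quoted in the article's Examples section.
# None marks a value the article says is not publicly reported.
# For DoD the article treats equity as equal to total assets.
ENTITIES: Dict[str, Dict[str, Optional[float]]] = {
    "DoD": {"cyber_budget": 4_700_000_000, "expenses": 560_000_000_000,
            "equity": 2_292_137_000_000, "total_assets": 2_292_137_000_000,
            "transactions": None},
    "JPM": {"cyber_budget": 250_000_000, "expenses": 61_000_000_000,
            "equity": 232_065_000_000, "total_assets": 2_570_000_000_000,
            "transactions": None},
    "BAC": {"cyber_budget": 400_000_000, "expenses": 75_117_000_000,
            "equity": 243_471_000_000, "total_assets": 2_100_000_000_000,
            "transactions": None},
}

# Article's method number -> figure used as the denominator.
METHODS = {1: "expenses", 2: "equity", 3: "total_assets", 4: "transactions"}


def csr(cyber_budget: float, exposed_value: float) -> float:
    """Cyber Security Ratio: (budget / value exposed) x 10,000."""
    if cyber_budget < 0:
        raise ValueError("cyber security budget cannot be negative")
    if exposed_value <= 0:
        raise ValueError("exposed value must be positive")
    return cyber_budget / exposed_value * SCALE


def csr_for(entity: str, method: int) -> Optional[float]:
    """CSR under methods 1-4, or None when the denominator is undisclosed."""
    figures = ENTITIES[entity]
    denominator = figures[METHODS[method]]
    if denominator is None:
        return None
    return csr(figures["cyber_budget"], denominator)


def combined_csr(entity: str,
                 components=("total_assets", "transactions", "equity")
                 ) -> Optional[float]:
    """Method 5: the denominator is the sum of several exposure measures."""
    figures = ENTITIES[entity]
    values = [figures[name] for name in components]
    if any(v is None for v in values):
        # A partial sum would understate exposure and inflate the ratio.
        return None
    return csr(figures["cyber_budget"], sum(values))


def pct_more(higher: float, lower: float) -> float:
    """Percent by which one CSR exceeds another."""
    return (higher / lower - 1) * 100


def comparisons(method: int) -> Dict[Tuple[str, str], float]:
    """For every pair, percent by which the higher CSR exceeds the lower."""
    ratios = {name: csr_for(name, method) for name in ENTITIES}
    if any(r is None for r in ratios.values()):
        return {}
    return {(hi, lo): pct_more(ratios[hi], ratios[lo])
            for hi, lo in permutations(ratios, 2) if ratios[hi] > ratios[lo]}


def spread(method: int) -> Optional[float]:
    """Largest CSR divided by smallest CSR under one method."""
    ratios = [csr_for(name, method) for name in ENTITIES]
    if any(r is None for r in ratios):
        return None
    return max(ratios) / min(ratios)


if __name__ == "__main__":
    for number, field in METHODS.items():
        print(f"Method {number} ({field})")
        for name in ENTITIES:
            value = csr_for(name, number)
            print(f"  {name}: " + ("not disclosed" if value is None else f"{value:.2f}"))
        for (hi, lo), pct in comparisons(number).items():
            print(f"  {hi} exceeds {lo} by {pct:.2f}%")
```

Running it shows the gap between the highest and lowest CSR widening from roughly 2x under the expenses method to roughly 21x under the total-assets method, which is the disparity the article draws attention to.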

 

Challenges

 

Challenge #1: The most fundamental challenge with utilizing the CSR is a lack of data as most firms (and the government) are not willing to report all aspects of their cyber security spending. Most firms are afraid of the consequences of being deemed irresponsible regarding budget allocation for cyber security. Similarly, the federal government has funding mechanisms designed to obfuscate true spending. 

 

Challenge #2: Assigning a value that truly represents what is being protected. What is the price or cost of losing a client’s personal data/identity data? What if the client’s available credit is $100,000 versus $5,000? What is the firm’s reputation worth?

 

Challenge #3: How much spending is enough? If 50% more in spending only provides 5% more security, is that spending worth it? Related to the challenge of assigning a value is how can risk be measured if what is being protected does not have an objective, accurate, designated value?

 

Challenge #4: How much cyber security related information is the U.S. Department of Defense sharing with the private sector? Is it being shared equally? How much is the private sector benefiting from this sharing and what would the dollar value be to this support? A corollary of this is if U.S. firms operating in the EU are exposed in Europe, does that mean that the U.S. Department of Defense will share DoD-derived information from their program with non-U.S. entities? Will the U.S. fund worldwide cyber security efforts by sharing the information derived from its cyber security programs? Where would the U.S. draw the line in sharing cyber threat information?

 

Challenge #5: As discussed above – what is the threat, because without knowing the threat, it is difficult to assess risk. The threat faced by firms is the same threat faced by government and militaries, therefore an accurate assessment of the absolute threat is necessary to determine what cyber security measures must be taken. Basically, if it is determined that U.S. Department of Defense networks face threat “x,” then all networks worldwide would face the same threat.

 

Conclusions

 

Use of the CSR to compare financial services firms has identified significant differences across the sector. What does this mean? Most managers ask the following two questions: What does it cost? How much will it save? (Or how much income will it generate?) In the case of cyber security, the answers to those questions are apparently ambiguous. Rating agencies and actuaries have had a difficult time assessing risks and threats, particularly as they apply to cyber threats and financial services firms in general. Also, as discussed above, underwriters are not in the business of underwriting risks associated with war, and cyber threats are a result of warfare – cyber warfare. Therefore, at this point, the proper amount to spend on cyber security is the best estimate of those directly involved/invested. As cyber security risks become underwritten, standards will be developed and enforced by insurers and/or government regulators/regulations; in the meantime, these expenditures appear to be rather arbitrary. The above notwithstanding, it does appear that either the U.S. Department of Defense is spending too much on cyber security or financial services firms are spending too little. It is also quite possible that Bank of America is spending too much on cyber security and JP Morgan Chase is spending too little. Regardless, it is difficult to conclude that each of the entities considered above is spending the proper amount on cyber security.

 

Perhaps most importantly regarding the Department of Defense, it has always been difficult to assign a value to national security. The U.S. Department of Defense is not only securing itself, but is securing the entire nation. That said, as we’ve identified above, there are many firms, like the New York Stock Exchange (NYSE), that are securing vastly more than their own value (net assets and/or shareholders’ equity). I would venture to say that in a similar manner, the value of the daily transactions across the network of financial services firms is much greater than the value of their assets. So perhaps the argument that the Department of Defense is securing the entire nation is moot OR there is a dollar value to assign to the support being provided to firms by the U.S. Department of Defense. If the latter is true, then the dollar value for the support provided by DoD can then be added to what firms are spending and/or subtracted from the cyber security spending by foreign entities (and perhaps domestic as well) not protected by the U.S. Department of Defense.

 

Furthermore, unlike financial services firms, the Department of Defense has the SIPRNET to secure much of its sensitive information. I would offer that the cost of maintaining this SIPRNET is vastly less than the difference between what DoD is spending on cyber security versus financial services firms. Considering this assumption, what would be the value of the remaining information left on the NIPRNET? Perhaps the best way for DoD to secure its NIPRNET is with COTS technology that would be more in line with what financial firms are utilizing.

 

Epilogue

 

Both firms and governments need a balanced approach to cyber security spending to ensure confidentiality, integrity, and availability of data, and to limit liability. The most efficient approach to spending is usually spending in a manner that provides the most absolute gain. As discussed in challenge number 3, if 50% more in spending only provides a 5% increase in security, is that spending worth it? If our adversaries (or other firms) are obtaining a 90% solution by spending half as much, how should that affect our spending? From a national security perspective, if our adversaries are removing their “sensitive” networks from the internet, essentially precluding a data compromise, does that negate the need for traditional cyber security for those networks? What would be the true cost of total compromise of the DoD’s NIPRNET? Is DoD placing too much sensitive data on the NIPRNET and not enough on the SIPRNET? Again, hopefully the CSR will assist firms, government policymakers, and underwriters in developing the most appropriate courses of action.

 

 


About the Author

Daniel Adams Cahill is a Commander in the Navy Reserve, where he supports the Naval Inspector General. He holds a Bachelor's Degree in Marine Engineering, with a concentration in Nuclear Engineering, from the United States Merchant Marine Academy. He earned graduate certificates in International Relations and in Business from Columbia University, where he focused on applying business principles to military strategy and foreign policy.


 



Photo credit: globalknowledge.com



Cyber Leader Development Program: Developing Tomorrow’s “Cyber-Savvy” Officer Today

posted Feb 19, 2017, 3:14 PM by Clara   [ updated Feb 21, 2017, 12:46 PM by Michael Lenart ]

By Jason M. Bender

The establishment of U.S. Cyber Command (USCYBERCOM) and Army Cyber Command (ARCYBER) in late 2010 highlighted the necessity of understanding cyberspace as an operational domain and how to integrate it with traditional warfighting. Two of the most candid articles in the past six years – both published in 2015 – cite an article Small Wars Journal published for me in 2013, an article that voiced frustration by offensive cyber operations planners regarding a disconnect between the cyber and operational communities.1 In their articles, Martha VanDriel and Natalie Vanatta further emphasize that operations in the physical domains are heavily reliant on cyberspace and can be easily disrupted by ignorance of cyberspace operations basics. Further, operational staffs at all levels still need professional military education and self-study to better understand effects that can be brought to bear in the physical domains from cyberspace.2

A number of recent articles emphasize the need to develop expert and capable cyber operators – officer and non-commissioned officer alike – and discuss the necessity of where, which, and how much training is needed to do this. A recent article in Army magazine posits that many of the officers transferring into the cyber community from the operations branches do not understand cyber or possess any sort of operational background that might help the cyber community. The article further comments that “[g]iven the carryover from their legacy branches and the necessarily strong emphasis on technical versus tactical expertise, the vast majority of junior cyber officers are not prepared to assume such a role” without substantial preparatory professional education. This thus presents a transitional dilemma to both the branch and the community as these officers pass through education and training required to get them to the point of technical and operational proficiency.3

After publishing my original article I left the cyber operations community to be the Professor of Military Science at the University of Cincinnati, refocusing my professional efforts to recruit, develop, and commission Army Second Lieutenants. It did not take long to realize that, where the military services struggle to develop cyber understanding in their existing enlisted and commissioned ranks, an opportunity exists to develop some of that understanding at the pre-commissioning programs (i.e., service academies and Reserve Officer Training Corps (ROTC) programs). Rather than aiming solely to create officers whose formal branch is Cyber, the Army can more generally create cyber-capable, or “cyber-savvy,” officers who accede into a variety of branches. This realization led me to reach out to friends at the Army Cyber Institute (ACI) located at the U.S. Military Academy (USMA) to inquire about their creation of a Cyber Leader Development Program (CLDP).4

USMA’s CLDP design provides “800-plus hours of cyber-related education, development, and experience outside of the traditional classroom environment.”5 In other words, USMA’s CLDP goes above and beyond the standard academic education that West Point cadets receive to further broaden and develop these future Army officers, and this is done pre-commissioning. ACI’s CLDP provides USMA cadets with opportunities to participate in cyber-related internships, to attend cybersecurity-related symposiums and conferences, and mandates participation in a regularly meeting “student club” equivalent that reinforces skills and concepts learned and promotes curiosity and enthusiasm for things cyber. On top of all of this, each USMA CLDP cadet is the recipient of targeted mentoring by USMA faculty and ACI personnel. At accessions (i.e., branch assignment), USMA CLDP participants are considered for Cyber, Military Intelligence (MI), and Signal branches if that is what the cadet wishes. Just as many choose Infantry, Armor, or Aviation irrespective of their major. The point, however, is that regardless of what the USMA CLDP cadet branches at commissioning, they are generally “cyber savvy” and will likely remain that way for the remainder of their military career, whether that includes remaining in their branch, transferring to the Cyber branch at some point, or separating from the service.

USMA’s CLDP is matched by U.S. Army Cadet Command (USACC) at only a handful of senior ROTC programs. At best, a small handful of ROTC cadets are accepted annually to national cyber-related internships managed by USACC every summer, or they might participate in university sponsored co-operative internships if their major program incorporates it.6 Mentorship while on campus is at best hit-or-miss, and based entirely on whether ROTC detachment cadre have relevant experience in the cyber operations community. Given the mismatch of opportunities between USMA and ROTC, it makes sense to implement CLDP at those universities with robust cyber-related majors and better develop and prepare ROTC cadets to integrate cyberspace operations into the operational environment they will experience after graduation. Whether those ROTC cadets choose to branch Cyber, MI, or Signal, or are branched Infantry or Military Police, they will have a better understanding of cyber-related concepts than their non-CLDP counterparts who take nothing beyond their university core or major requirements. Despite recognition by a handful of senior ROTC program Professors of Military Science (PMS) who implemented CLDP at their respective universities, U.S. Army Training and Doctrine Command has yet to adopt basic cyber education in the Basic Officer Leader Course – A (BOLC-A) curriculum. Additionally, USACC has not implemented CLDP more widely, despite the obvious benefits to the Army in creating cyber savvy officers.7


Challenges faced with building cyber ‘savvy’ leaders

Army leadership struggled with the decision to create a new Cyber branch. However, after four years of fighting among the Army’s signal, intelligence, and operations communities, the Secretary of the Army established Cyber as a basic branch (Operations Career Field 17) on August 21, 2015. The branch was headquartered at Fort Gordon, Georgia at the U.S. Army Cyber Center of Excellence, where the Cyber School resided alongside the Signal School.

Despite the step forward in creating the Cyber branch, the Army continues to struggle with identifying and assigning personnel capable of operating under two masters – the cyber and operational communities. What’s more, this problem is compounded by cyber and maneuver personnel’s mutual lack of understanding of each other’s areas.8

At the most basic level, Army branches are designed to fulfill the needs of the Army from the point of accession to the point of separation and provide a steady stream of educated, experienced, and developed branch-specific specialists. These branch specialists are assigned at the tactical to strategic levels, to the operational to institutional parts of the Army, and even to enterprise, joint, interagency, and multi-national settings to bring their expertise to bear for the benefit of others. Yet it remains difficult to “[grow] competent, confident, self-aware leaders who are prepared for the challenges of the future in combined arms joint, interagency, intergovernmental and multinational (JIIM) operations.”9 Doing this requires an awareness and understanding of cyber operations and effects – which the basic branches rarely provide, as they remain focused on addressing branch-specific competencies.

Personnel assignments at both ARCYBER and USCYBERCOM continue to be top-heavy (i.e., senior company grade, field grade, and warrant officers, and senior non-commissioned officers). This forces recognition of a branch structure that represents a diamond standing upright on its tip rather than a pyramid like most Army basic branches. Where some argue that the existing branch structure and manning meets the Army’s readiness needs, this argument is contingent on the pyramidal basic branch structure where far fewer lieutenant colonels are needed than majors, far fewer majors are needed than captains, and fewer captains are needed than lieutenants. Attrition as officers progress up the basic branch pyramid is a result of self-selection, non-selection for promotion, or deliberate administrative separation.10 Some of this attrition will result in basic branch officers transferring to the cyber branch, but as already mentioned, some of them simply do not have the education or bona fides to qualify for selection.

Beginning its growth, the Cyber Branch accessed thirty cadets – fifteen each from USMA and ROTC – over the past three accessions cycles (Fiscal Years 2015 – FY 2017). Unlike infantry, armor or field artillery second lieutenants who face less than six months of Basic Officer Leader Course (BOLC-B) training before reporting to their first operational unit, the new cyber second lieutenants face a pipeline of training that in some cases stretches out to two years before they are considered qualified to perform their duties at their first assignment.11 Even with that, they will still not be the subject matter experts in offensive or defensive cyber operations at the operational levels for many years. This unavoidable delay in providing cyber expertise to the overall force underscores the need to improve the basic cyber savviness of non-cyber officers.

As mentioned previously, the Army Cyber Branch’s current structure makes it so that more captains and majors are needed than lieutenants. Given the minimal accessions as compared to the basic maneuver branches, it will be some time before Cyber Branch is fully capable of meeting the Army’s needs at the upper tactical and operational levels. It may be up to five years or longer before the Army reaches a minimum number of fully capable personnel (i.e., trained and experienced) who can effectively apply cyber capabilities to support field commanders’ needs, intent, and guidance. This, more than anything else, emphasizes the need for traditional maneuver and operational support basic branch officers to educate themselves on cyber basics and, once identified through assessment or self-identification, transfer the best candidates into the Cyber Branch at the captain and major ranks. It also speaks of a need for standardized professional military education at the basic branch schools and the Command and General Staff College to build a general understanding of cyber operations across the force, but especially in the operations career fields.12

As important as this is, however, something even more beneficial can be done.

 

Building a ROTC CLDP 

Army ROTC has produced nearly seventy percent of the Total Army’s second lieutenants over the past 100 years.13 With only half of the Cyber branch accessions over the last three fiscal years, though, ROTC is proportionally underrepresented. This indicates that USMA cadets have benefited from CLDP in a way that ROTC cadets – having no such program – have not.

Having learned of CLDP, a fellow PMS and I travelled to USMA to visit ACI in early 2015 to determine the best way to replicate CLDP at our respective university ROTC programs.14 Working with peers from ACI and the U.S. Army Cyber School, we collaborated and designed an ROTC CLDP concept easily reproduced at any ROTC program at which there are ROTC cadets pursuing cyber-related majors, related academic minors, or who have purely personal interest.15 Following USMA’s CLDP requirements, we recommended the following requirements for Army ROTC CLDP:

• Major or minor in a cyber-related discipline (e.g., computer science, information technology, computer or electrical engineering, systems engineering with focus on cybersecurity), or mathematical sciences (with a focus on cryptography and discrete math);

• Cyber-related internship of at least three weeks (e.g., at the Department of Defense, Army, intelligence community, private or public sector organization, or national laboratory);

• Participation in an extra-curricular cyber club or study group for two cumulative academic years (e.g., Association for Computing Machinery’s Special Interest Group for Security, Audit and Control (SIGSAC); Cadet Cyber Competitive Team);

• Attendance at a cybersecurity training opportunity or conference; and

• Participation in an ACI-approved cybersecurity capstone project or competitive event.16

We also recommended that USACC add a CLDP coordinator – an officer from Cyber Branch Proponent – in a similar fashion to the ROTC brigade nurse coordinators, and we identified opportunities for the Simultaneous Membership Program (SMP) employed by ROTC with the U.S. Army Reserve and Army National Guard. SMP cadets are paired with U.S. Army Reserve and Army National Guard (ARNG) units and are assigned a military occupational specialty as they pursue their commission through ROTC. The intent behind this is to leverage the professional military education and training opportunities in nearby MI, Signal, and Cyber units.17

 

Concept to Reality – University of Cincinnati Army ROTC CLDP

Putting all of this into play, University of Cincinnati (UC) Army ROTC instituted CLDP in the spring of 2015 with eight cadets pursuing cyber-related majors and minors. Partners in this effort included UC’s Department of Electrical Engineering and Computing Systems (College of Engineering and Applied Science (CEAS)); School of Information Technology (College of Education, Criminal Justice and Health Sciences (CECH)); School of Information Systems (College of Business; Department of Operations, Business Analytics and Information Systems); and Department of Political Science (College of Arts and Sciences). As it was, the National Security Agency (NSA) designated UC’s Department of Electrical Engineering and Computing Sciences in late-2014 as a Center for Academic Excellence (CAE) – Cyber Operations, and the School of Information Technology secured the NSA designation as CAE – Cyber Defense Education in the first half of 2016.18 Where only fourteen schools nation-wide hold both NSA designations as CAEs for Cyber Operations and Cyber Defense Education, University of Cincinnati remains the only university in the nation to hold both NSA CAEs and have a resident ROTC CLDP.

In implementing CLDP at UC, the immediate focus was to secure cyber-related internships for CLDP participants. Fortunately, the computing sciences (CS), electrical engineering (EE), and information technology (IT) tracks in UC’s CEAS and CECH benefit from integrated, experience-based learning and career education programs (i.e., ‘co-operative’ internships), something that UC itself pioneered more than 100 years ago.19 In working to secure internships for the non-CS, -EE, or -IT CLDP participants, we relied at first on USACC centralized summer Cadet Professional Development and Training (CPDT) internship opportunities. In doing this, we quickly realized that rising third-year cadets were at a disadvantage in competing against the rising fourth-year cadets who attend Advanced Camp and then participate in follow-on training or internships at Army units and joint headquarters throughout the world. This led to developing relationships with the Ohio ARNG in spring 2015 and securing the first unpaid internship for a rising third-year CLDP cadet with the Columbus, Ohio-based Cyber Protection Team during the summer of 2015. In 2016, three rising fourth-year CLDP cadets were selected for the NSA’s ROTC Cyber Internship Program, while a number of others participated in co-operative internships organized by UC’s EE/CS, IS, and IT departments.

As the relationship between UC Army ROTC and the Ohio ARNG Cyber Protection Team matured, the opportunity presented itself to place three cadets with the Cyber Protection Team in an SMP status – a first in the nation. The Ohio ARNG Cyber Protection Team commander and state J-6 interviewed and vetted all three cadets before approving transfer from their existing Ohio ARNG units to the Cyber Protection Team. This relationship additionally led to professional training opportunities for two of the SMP cadets in the summer of 2016, and opened the door for stand-by selection of both cadets, along with a third CLDP cadet, to attend the U.S. Air Force Institute of Technology’s Advanced Cyber Education later the same summer. In addition to the “hands-on” experience the internships provide, UC CLDP cadets are also encouraged to pursue part-time employment (time permitting) with local IT or cyber-related companies. One non-scholarship CLDP cadet took a part-time job with the IT department at Kroger’s world headquarters in Cincinnati.

Collaborating with the ACI, all CLDP participants are added to a national distribution list overseen by ACI and ROTC CLDP mentors. Mentors routinely send out emails that highlight training opportunities or recent articles of interest. Cadets routinely ask questions of and seek advice from the mentors. ACI additionally sends out a monthly newsletter-type document that highlights recent activities in the cyber operations community, promulgates cybersecurity tips and tidbits, and promotes discussion between CLDP participants. ACI additionally facilitates quarterly video teleconferences hosted by the USMA Cyber Research Center’s SIGSAC, in which CLDP programs are able to connect, listen, watch, and participate in the discussion.20 Lastly, to satisfy the club participation requirement, UC CLDP cadets are encouraged to participate in UC’s Cyber Crime Cats student club, or to join a local chapter of the Association for Computing Machinery, National Cybersecurity Student Association, or the Military Cyber Professionals Association.21

As for the capstone project, all of UC’s colleges that host cyber-related majors and minors have fourth-year capstone classes that focus on synthesis of the student’s academic pursuits and serve as the culminating demonstration and validating event. UC’s Department of Political Science also partners with the School of IT and hosts a 5000-level Cyberattack Red Team Collaborative Seminar that crosses traditional computer science, IS/IT, and policy lines for a truly multidisciplinary approach to cybersecurity. The seminar culminates with student-teams developing and testing strategies for attack and defense scenarios in a “force-on-force” capstone to identify weaknesses and validate multidisciplinary theories. In addition to the university capstone options, other alternatives include local and national cyber defense exercises regularly advertised by ARCYBER, ACI, and NSA as part of the CLDP mentorship program, or through other local cyber-related organizations.

CLDP at UC Army ROTC today includes several cadets with non-cyber related majors or minors and is integrating UC Air Force ROTC cadets to grow the program further. These non-cyber and non-Army cadets, participating out of personal interest, are embarking down their individual path to cyber savviness. Growing to fifteen members in the fall of 2016, UC’s first four CLDP participants will graduate and commission in the spring of 2017. Of those four, one will branch active duty Infantry, two will branch active duty Signal Corps (with branch details to Field Artillery), and one is expected to branch Cyber with the Ohio ARNG. With the growth of UC Army ROTC’s CLDP to fifteen members during fall semester 2016, it is now the second largest CLDP in the nation behind USMA – modest for sure, but aggressively forging ahead in spite of the challenges faced.

 

Challenges to ROTC CLDP Sustainability

As much as was done at UC, CLDP faces two major sustainability challenges at the university ROTC detachment level. First and foremost is the issue of mentorship for the CLDP cadets by ROTC detachment cadre. Where USMA is able to provide each CLDP cadet with a specific mentor – some mentors cover two or three USMA CLDP cadets – the ROTC detachment cadre cannot in most cases mentor CLDP cadets unless the cadre member has cyber experience in their background, which most do not.

In those ROTC detachments that do have a cyber savvy cadre member – most times one officer – that officer will mentor five or ten, or possibly fifteen CLDP cadets in addition to his or her normal mentorship responsibilities as a Military Science and Leadership instructor for an entire year-group cohort of cadets. In the case where the mentor happens to be the PMS – whose purview includes the entire cadet battalion – the mentor-mentee ratio becomes even more lopsided. Further complicating this is that it is highly unlikely that Cyber Branch officers will be assigned as Assistant PMS or PMS in the foreseeable future due to the nascent nature of the branch and its modest size.

Reassignment of ROTC cadre who provide CLDP mentorship further complicates things, when those reassignments are unanticipated and come as a result of promotion, selection for professional schooling, or retirement. In many cases, the only requirement for selection for assignment to an ROTC detachment, other than university requirements on advanced education or specific military occupational skill designations, is combat experience. In ROTC detachments where no mentorship exists due to a total lack of cadre cyber experience, CLDP is unlikely to flourish. Similarly, ROTC cadre with experience in cyber operations who successfully stand up a CLDP program at their university may see it crumble after reassignment when their replacement has no cyber experience, education, or understanding.

The second challenge is funding – USACC provides no funding whatsoever for CLDP and securing funding falls in the lap of the ROTC detachment PMS or Assistant PMS serving as the CLDP mentor. At schools with large, well-developed ROTC alumni programs and funds, funding is far less of an issue than at those schools lacking well-developed alumni programs, or where foundational or alumni fund income is nothing more than a trickle. UC Army ROTC finds itself in this latter category, and finding alternative sources of income becomes tricky due to the amount of time needed to network and investigate funding sources. In light of this, continuing to develop and maintain relationships with the colleges and the university IT sections becomes a critical path to gaining equipment needed to facilitate CLDP club activities.

While visiting the UC CLDP in spring 2016, the U.S. Army Cyber School Commandant commented on the Cyber School’s inability to promote and support ROTC CLDP programs, and he recommended that CLDP cadets and mentors adhere to a ‘grass roots’ mentality in seeking and securing funding and equipment from the local communities. While this encourages an innovative and creative mindset, ROTC cadets are first and foremost pursuing a university degree in order to commission. Requirements to self-fund or self-build a CLDP program, on top of all of the cadet’s other ROTC and academic and professional development requirements can get to the point of overwhelming cadets in similar fashion as those cadets who overextend themselves with Ranger Challenge, Pershing Rifles, cadet battalion leadership and administration, or other extracurricular activities (e.g., fraternities/sororities, student government, club sports).

 

Concluding Thoughts 

The original intent of USMA CLDP was to be a pilot program that ultimately expanded to ROTC.22 In only a handful of cases did this happen, and then only when championed by an ROTC detachment cadre member with knowledge of CLDP and awareness of resources and requirements at the university level. After the ACI visit in the spring of 2015, we wrote an information paper detailing how to implement CLDP at university ROTC detachments and recommended how to make it sustainable. USACC convened a planning session at Fort Knox, Kentucky in late September 2015 to assess the concept, and a team composed of members of USACC G3, ACI, NSA, and UC Army ROTC made the same recommendations to the commanding general. That concept was later assigned to USACC’s 6th ROTC Brigade for further development, but as of the time of this article’s publication nothing else appears to have come of the effort.

It is worth commenting, as a final aside, that while every Army ROTC cadet is required to take an American military history course, no such requirement exists for them to take any sort of computer science course or cyber policy-related course (e.g., political science) – if they are even offered at the university.23 If we are truly trying to create “cyber savvy” leaders, priming them in the pre-commissioning phase is optimal. What better place to incorporate cyber operations awareness and basic understanding than through the BOLC-A pre-commissioning ROTC curriculum to ensure one hundred percent “touch and coverage” for all ROTC cadets? If nothing else, it is a step in the right direction in creating “cyber savvy” officers.

If CLDP is implemented, supported, and sustained in a more formal manner than just “grass-roots,” realizing the “cyber savvy” leader as a product of Army ROTC at the point of commissioning is a realistic goal. Unless ROTC cadre with the necessary cyber experience are assigned, and funding is provided by the university or USACC, CLDP at ROTC detachments will quickly become unsustainable. Here too, an opportunity exists for both Cyber Branch and USACC to institute a top-down mentor program at Cadet Command, or its subordinate brigades, similar to the already existing Nurse Counselor program where Army Nurses are assigned at the ROTC Brigades to mentor and track the progress of ROTC nursing cadets at the university levels.24 While opportunities exist, if CLDP is not formally supported and sustained, it will remain nothing more than an abstract concept or temporary local innovation.

Finally, where Cyber Branch seeks to create “competent professionals who… earn the trust of leaders from other operational branches,” the Army, and specifically USACC, need to focus on pre-commissioning requirements as the best place to create cyber-capable officers. Creating CLDP at ROTC detachments with robust cyber-related academic programs is the first step and is a “win-win” situation. Implementing CLDP needs to be quickly followed with adoption and integration of basic cyber education into all levels of the ROTC BOLC-A pre-commissioning curriculum and Cadet Summer Training, as USMA is already beginning to do.25 Given that the predominance of second lieutenant production over the past century belongs to USACC, this puts USACC and ROTC detachments in a unique position to greatly affect the foundational cyber knowledge of future generations of officers – especially those who branch other than Cyber – and thus influence the Army’s long-term institutional knowledge and intellectual culture for decades.

 

 

About the author: Lieutenant Colonel Jason M. Bender is the Head of the Department of Military Science and Professor of Military Science for the Army Reserve Officers’ Training Corps (ROTC) detachment at the University of Cincinnati. A Regular Army field artillery officer, Lt. Col. Bender served at all levels from tactical to strategic, and most recently served with U.S. Army Cyber Command (ARCYBER)/2nd Army as ARCYBER’s first Chief of Fires and U.S. Cyber Command J35 Offensive Cyber Operations Planner; and later as an ARCYBER/2nd Army G5 Strategy and Policy Planner. He holds a bachelor’s degree in mathematics from Oregon State University; master’s degrees from Troy University and the U.S. Army School of Advanced Military Studies; and is a graduate of the U.S. Army Command and General Staff College. He is also a recipient of the Armed Forces Communications and Electronics Association's Order of Saint Isidore and the U.S. Field Artillery Association’s Honorable Order of Saint Barbara.

 

Disclaimer: The views and opinions expressed here are expressly those of the author and do not reflect the official policy or position of any organization of the U.S. Department of Defense or University of Cincinnati.

 

 

End Notes

1. Jason Bender, “The Cyberspace Operations Planner,” Small Wars Journal, 05 November 2013, http://smallwarsjournal.com/jrnl/art/the-cyberspace-operations-planner. Coincidentally, I didn’t discover until drafting this article how many times my original article was cited since Small Wars Journal published it almost three years ago. The realization that others see value in what you’ve said and consider it worth repeating is humbling.

2. Martha S.H. VanDriel (Colonel, USA), “Bridging the Planning Gap: Incorporating Cyberspace into Operational Planning,” 04 May 2015, http://www.strategicstudiesinstitute.army.mil/index.cfm/articles/Bridging-the-planning-gap/2015/05/04; and Natalie Vanatta (Major, USA), “A Year of Cyber Professional Development,” 23 January 2015, http://www.cyberdefensereview.org/2015/01/23/professional-development/.

3. Justin Considine (Lt. Col., U.S. Army) and Blake Rhoades (Capt., U.S. Army), “How to Grow a Capable Cyber Officer,” Army, January 2017: 19-21; see also Scott R. Gourley, “Closing the Capabilities Gap: Seven Things the Army Needs for a Winning Future,” Army, February 2017: 36-41.

4. ACI facilitated the implementation of CLDP with the intent of providing cadets “who are interested in cyber security studies… [an opportunity to] enhance their education with a wide range of broadening opportunities… as well as mentorship to guide them in their development within the field of cyber security.” United States Military Academy, “Memorandum for Record: Cyber Leader Development Program in the Army Cyber Center, USMA.” West Point, NY: USMA. 09 October 2013.

5. Ibid.

6. USACC’s centralized, annual summer internships normally include opportunities at USCYBERCOM, National Security Agency (NSA), U.S. Army Intelligence and Security Command, and the Army’s 1st Information Operations Command and opportunities to attend the U.S. Air Force Institute of Technology’s (AFIT) Advanced Cyber Education (ACE).

7. Army pre-commissioning leader development programs (i.e., USMA and senior ROTC) are designated by U.S. Army Training and Doctrine Command as BOLC-A. See U.S. Army Training and Doctrine Command, TRADOC Regulation 350-36 Basic Officer Leader Training Policies and Administration, Fort Eustis, VA: TRADOC, 01 September 2015; http://www.tradoc.army.mil/tpubs/regs/TR350-36.pdf.

8. Considine and Rhoades, “How to Grow a Capable Cyber Officer”; and Bender, “The Cyberspace Operations Planner”.

9. Department of the Army, DA Pamphlet 600-3 Commissioned Officer Professional Development and Career Management, Washington, D.C.: Department of the Army, 01 February 2010: 2; http://www.apd.army.mil/Search/ePubsSearch/ePubsSearchForm.aspx?x=PAM.

10. Candice Frost (Lieutenant Colonel, USA), “Ignorance and Arrogance: Misunderstanding the Officer Personnel Management System,” Military Review (Spotlight Article), 05 January 2015; http://usacac.army.mil/CAC2/MilitaryReview/repository/spotlight/Frost-Jan-2015.pdf.

11. Cyber BOLC-B is thirty-seven weeks long, nearly twice the longest comparable basic branch BOLC-B. Length of follow-on post-BOLC training is dependent on the cyber officer’s first assignments (i.e., National Mission Forces, tactical unit Cyber and Electromagnetic Activities (CEMA) Element, etc.). Laura Levering, “Army Cyber School marks major milestone,” Army.mil, 17 August 2015; https://www.army.mil/article/154001/Army_Cyber_School_marks_major_milestone.

12. See DA Pamphlet 600-3, Part II, which includes branch descriptions and requirements for Infantry, Armor, Aviation, Field Artillery, Air Defense Artillery, Engineers, Military Police, Special Operations, Psychological Operations, and Civil Affairs branches and the Information Operations functional area.

13. C. Todd Lopez, “ROTC has minted over 1,000,000 new lieutenants during its 100 year history,” 05 June 2016; https://www.army.mil/article/169167/ROTC_has_minted_over_1_000_000_new_lieutenants_during_its_100_year_history/.

14. USACC oversees 275 Army Senior ROTC programs at more than 1100 universities and colleges across the United States and its territories, the majority of which have some type of cyber-related academic major or minor. “Army Reserve Officer Training Corps,” STAND-TO!, 02 December 2015; https://www.army.mil/standto/archive_2015-12-02.

15. Lt. Col. James Scrogin, PMS at Purdue University Army ROTC; ACI’s Lt. Col. David Raymond and Lt. Col. (then-Major) James Finocchario; and Lt. Col. Robert Johnson, Assistant Commandant at the U.S. Army Cyber School.

16. Jason Bender, James Scrogin, David Raymond, Robert Johnson, Tim Groves, and James Finocchario, “INFORMATION PAPER: Establishing a Cyber Leader Development Program (CLDP) in United States Army Cadet Command (USACC) Senior Reserve Officers’ Training Corps (SROTC) Programs”, 05 May 2015.

17. Bender et al., “INFO PAPER: Establishing CLDP at USACC SROTC Programs”; see also Department of the Army, Army Regulation 145-1 Senior Reserve Officers’ Training Corps Program: Organization, Administration, and Training, Washington, D.C.: Department of the Army, 22 July 1996: Chapter 3; Department of the Army, Army Regulation Regular Army and Reserve Components Enlistment Program, Washington, D.C.: Department of the Army, 31 August 2016: Chapter 6; and Department of the Army, National Guard Regulation 600-100 Commissioned Officers: Federal Recognition and Related Personnel Actions, Washington, D.C.: Department of the Army, 15 April 1994: Chapter 13.

18. See “National Center of Academic Excellence in Cyber Operations: Mission and Purpose,” http://ceas.uc.edu/cyberops/mission.html; and “UC Becomes Leader in Cybersecurity Education,” http://cech.uc.edu/headlines/2016/it-nsa-cae-designation.html.

19. “Experienced-Based Learning & Career Education,” https://www.uc.edu/careereducation.html. See also Mary Niehaus, “University of Cincinnati Co-op: 100 years of success,” December 2005, http://magazine.uc.edu/issues/1205/success1.html; and Troy Onink, “College Co-Op Pioneer is Still Leading the Charge after 100 Years,” Forbes, 27 February 2012; http://www.forbes.com/sites/troyonink/2012/02/27/college-co-op-pioneer-is-still-leading-the-charge-after-100-years/#29db89de5230.

20. See “SIGSAC – ‘Special Interest Group for Security, Audit and Control’”, http://www.usma.edu/crc/sitepages/sigsac.aspx. Sponsored by USMA’s Department of Electrical Engineering and Computer Science, SIGSAC is an academic club focused on developing leadership applicable to the cyber domain through knowledge sharing and cultivation of technical skill sets.

21. See Cyber Crime Cats, https://www.facebook.com/groups/cybercrimecats/ and https://twitter.com/cybercrimecats; Association for Computing Machinery, https://www.acm.org/; National Cybersecurity Student Association, http://www.cyberstudents.org/; and The Military Cyber Professionals Association, https://www.milcyber.org/.

22. USMA, “Memo: CLDP in the Army Cyber Center”.

23. U.S. Army Training and Doctrine Command, TRADOC Regulation 350-13 Instruction in Military History, Fort Eustis, VA: TRADOC, 05 March 2010: 14; see also U.S. Army Cadet Command (USACC), Cadet Command Regulation 145-3 Army Senior Reserve Officers’ Corps (SROTC) Basic Officer Leader Course – A (BOLC-A) – On-campus Training and Leader Development, Fort Knox, KY: USACC, 20 September 2011: 7. If the university or college does not have an American military history course, the ROTC detachment cadre is required to teach it to the cadets every semester themselves.

24. Bender et al., “INFO PAPER: Establishing CLDP at USACC SROTC Programs”.

25. Considine and Rhoades, “How to Grow a Capable Cyber Officer.” See also Matt Hutchison, Erick Waage, and Brent Chapman, “We Took West Point Cadets to (Cyber) War,” War on the Rocks, 21 June 2016; https://warontherocks.com/2016/06/we-took-west-point-cadets-to-cyber-war/


Photo credits (in order of appearance):  

U.S. Army ROTC

UC.edu

U.S. Army / Chuck Burden

U.S. Army / Bill Roche

Securing the Autonomous Revolution

posted Jan 25, 2017, 4:54 AM by Michael Lenart   [ updated Jan 25, 2017, 5:25 AM ]

By Paul L. Jordan

A self-driving car travelling through a two-lane tunnel has lost control of its brakes due to a mechanical failure. In the lane ahead, a road construction crew is making repairs. The software that drives the car faces a choice: continue straight ahead, almost certainly killing the construction workers, or change lanes causing a head-on collision and almost certainly killing the two drivers of the vehicles involved in the accident. This is an adaptation of the classic ethical thought experiment: the trolley problem [1]. This problem presents several ethical concerns with regard to autonomous vehicles, but how does cybersecurity affect this landscape? The answer? Nobody cares. 


As our military cyber community is acutely aware, neither industry nor society will slow down for security. In this case, industry is showing us that it is incapable of even slowing down for tough ethical dilemmas or drastic economic consequences, but for arguably good reasons. According to the CDC, in 2014, approximately 35 thousand people died in motor vehicle accidents in the United States.1 Further, according to a 2015 report from the National Highway Traffic Safety Administration, 94% of automobile accidents were caused by human error.2 In a May 2015 report, Google announced that it had logged over 1.8 million miles driven by their autonomous cars with only two minor incidents, both of which were caused by other vehicles with human drivers.3 Incidentally, if all automobiles were automated overnight, roughly 33 thousand lives could be saved each year!



Unfortunately, this progress has potentially massive economic impacts. According to a 2016 report by the Bureau of Labor and Statistics, transportation makes up roughly 5% of our labor force.4 Furthermore, the second- and third-order effects aren’t insignificant. According to the American Truckers Association, there are approximately 3.5 million truck drivers employed in the United States.5 Automating transportation won’t only affect those jobs, but also all of the hotels, restaurants, and convenience centers that these truckers use every day. Should these impacts slow down the potential benefits of automating vehicles? They don’t seem to be.


And there are serious cybersecurity concerns about automating transportation as well. In 2015, researchers were able to take control of a Jeep Cherokee through the internet.6 Just recently, a group of Chinese researchers were able to remotely control the brakes of a Tesla Model S.7 Hacks like this could have life-threatening consequences if not handled properly. But should these consequences slow the progression of technology that stands to save tens of thousands of lives each year? Fortunately, in recent years, it seems the sentiment is changing. Security is being talked about on major news outlets, and security is being considered in system design processes instead of after deployment. However, this is just a first step in the right direction. 


Autonomous travel is no longer a technical problem. Companies like Google and Tesla are racing toward an autonomous consumer vehicle, and a few commercial vehicles already exist. In recent years, it has become clear that computers will make better drivers than humans, and an enormous amount of money stands to be made by the company that does it first. As a result, there exist ethical and financial imperatives to automate transportation. To that end, many of the concerns that exist are being ignored. But the cybersecurity community cannot allow this to prevent us from working toward a secure autonomous vehicle. We all know the narrative: brand new shiny toy is introduced that makes everyone’s life easier; that shiny toy comes with security concerns; our recommendation is to hold off on implementing the new toy until we can secure it; our concerns are heard, but ignored; we throw our hands in the air and give up. That cannot be allowed to happen this time, especially in the realm of military hardware.


Now more than ever, we need to stay engaged in this effort. We must develop and innovate ways of securing this nascent autonomous revolution. Advances in automating military weapon systems are being pursued and made every day. Our role in securing those systems is more important than ever. We’re already seeing our military become increasingly dependent upon remotely piloted aircraft. Today, these systems are remotely piloted by humans and have limited autonomous capability, and they’re already the target of cyber-attack. From an operational perspective, these systems would ideally behave with complete autonomy. Unfortunately, this change would make them an even more valuable target for cyber-attack. Without the proper protection, these systems could be used against us.


But does this mean that complete autonomy should not be pursued? Again, the answer is that it does not matter. This technology will continue to be pursued because the end result is savings and efficiency in a period of time during which our senior leaders are looking for any such opportunity. 


Some critics of autonomy argue that some tasks are just too complex for computers to handle. They argue that a computer could never identify a target and deploy ordnance to neutralize that target because that task is too complex. (Before the industrial revolution, factory workers probably shared this same sentiment about many of the tasks they performed.) But at the cutting edge, some of the artificial neural networks are performing far better than expected.8 For instance, accurately identifying objects in images is rapidly becoming a trivial task for intelligent systems. Why couldn’t these same systems be used to identify and target known combatants? Eventually, these systems will be able to target and neutralize threats much better than we can today while reducing unnecessary or unintended casualties. As such, we have a moral obligation to pursue them and arguably more importantly, secure them.


Ultimately, given the importance and relative similarity of artificial intelligence (AI) to the cybersecurity profession, we must ensure we understand the technical capabilities and limitations of AI so that we can contribute in a meaningful way to discussions on it. People are looking to us to be experts in these types of systems, and more specifically, the security of these systems. Let’s focus on getting this right so we can be known as the community that was part of the solution, instead of the community that let Skynet happen because we thought it never would.



About the Author

Paul Jordan is the founder of the St. Louis chapter of the Military Cyber Professionals Association (MCPA), and the current chief of MCPA Chapter Operations. He holds an MS in Computer Science from the Air Force Institute of Technology (AFIT) and currently works as a cyberspace operations officer for the Air Force.








References

[1] J. Thomson, “Double effect, triple effect and the trolley problem: Squaring the circle in looping cases,” Yale Law Journal, vol. 94, no. 6, pp. 1395–1415, 1985.

End Notes


1. http://www.cdc.gov/nchs/data/hus/hus15.pdf

2. https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812115

3. https://www.documentcloud.org/documents/2094029-report-0515.html

4. http://www.bls.gov/cps/cpsaat18.htm

5. http://www.alltrucking.com/faq/truck-drivers-in-the-usa/

6. https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

7. https://www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-hack-remote-control-brakes

8. http://karpathy.github.io/2015/05/21/rnn-effectiveness/


Photo credits (in order of appearance): Google, dronewars.net



Winning the Public to Private Transition

posted Jan 22, 2017, 6:11 AM by Michael Lenart   [ updated Jan 23, 2017, 12:20 PM ]

By Adam Tyra, Contributing Editor

Many government and military cybersecurity professionals have felt the pull of the private sector in recent years. According to industry observers at Cybersecurity Ventures, the shortfall of available cybersecurity professionals compared to the number of available cybersecurity jobs worldwide is expected to reach 1.5 million by 2019.1 The cybersecurity labor market, as with other markets, responds to the law of supply and demand. This means professionals can expect strong salaries and low unemployment for the foreseeable future. Cybersecurity professionals working in the public space have never been faced with a greater variety of opportunities than they have right now, and many of this magazine’s readers are undoubtedly considering a career change in the near future.

 

While the opportunities are undeniable, your readiness to capitalize on them might not be. The military has been described as a “culture within a culture” in the ways that it simultaneously mirrors and diverges significantly from American civilian life. This will never be more apparent to you than while you’re searching for your first position after the military. While I have insights to share from my own experience making the transition and building my career, I have another set of experiences that I’d like to share: interviewing and evaluating candidates just like you. In the past three years, I have conducted in-person interviews for well over 100 cybersecurity professionals, mostly veterans, and I have also conducted resume reviews and phone screens for more than 500 additional professionals. I gained this experience while helping build the team at the world’s second largest cybersecurity consulting firm. This article will discuss a few of the things that I learned and hopefully prepare a few readers for success when they decide to make their own transition.

 


Get Noticed

 

Unless you are referred by an acquaintance or get spotted at a career fair, your first contact with a potential employer will likely occur online after submitting your resume. Gone are the days of snail mailing your resume on high quality paper directly to a hiring manager. Instead, you’ll need to attract a computer’s attention first. Indeed, a human will probably never see your resume unless it contains one or more keywords associated with an open position. Potential search terms include certification names, security tool names, skills such as “reverse engineering”, and previous job titles. If it was in the job description, it needs to be in your resume.

 

Once you get to the human review phase, brevity is key. You want all killer and no filler. Plan on one page per four years of experience and no more than two pages total. Why? How many eight-year-old technologies / skills are still relevant to you in your current job? If you think two pages isn’t enough space, carefully read what you wrote. Is it all killer with no filler? No? Slim it down. Reading other people’s resumes is neither interesting nor a treasure hunt. If a recruiter needs more than ten seconds to decide whether someone is worth a phone conversation, then the answer is probably no.  

 

So, what should you put in your two-page resume to make it all killer? First and foremost, you need to make it about the employer and not about you. There is only one reason to hire anyone ever: a belief that the person in question will help solve a problem. If you’re wondering what problems businesses need solved, just read the descriptions for the jobs that they have available. Most job seekers have heard that they should tailor their resume to the job they want, but service members have a terrible track record actioning this advice. For example, here are a few things that you should not include in your civilian resume: combat experience, training courses dealing with combat skills, words like “terrorism”, “war”, “deployment”, a listing of military awards earned (more on this in a moment), a listing of the dollar values of property owned in various roles, and military jargon of any type.

 

Keep in mind that, statistically speaking, the person reading your resume almost certainly has never served in the military. They will have great difficulty making the mental leap between “person who was successful in battle” and “person who will get the job done for me.” In some cases, you might even intimidate the person and you will definitely cause doubts about your cultural fit and maybe even your mental stability (really). Awards present a similar challenge. Your resume doesn’t include any information about what you did to get them, so a hiring manager doesn’t know how to value them.

 

Instead of using up valuable real estate talking about the counterinsurgency school you attended, list the college courses you took where you learned programming and network engineering. Don’t say that you’re an expert on “WIN-T”, say that you’re an expert on satellite communications. Instead of discussing “DIACAP”, explain that you have experience with cybersecurity compliance and governance. If you aren’t sure how to describe your skills, get help, because resume writing is a no-fail portion of the job hunt.

 

You need to civilianize job titles. This is easier said than done, though, because commonly used job titles mean different things in different companies. A director might be a senior leader in one place and a first line supervisor at another. Regardless of the exact titles you select as equivalents to your military job, you should convey progression, a steady increase in responsibilities over time, and rough equivalence. Here are a few examples. Mix them with functional areas as necessary (e.g. malware analysis shift supervisor, etc.).

· Security Analyst. You routinely put your hands on the keyboard and work with tools to get your job done. You might be a penetration tester or conduct security monitoring. 0-2 years of experience.

· Team Lead / Shift Supervisor. You have several analysts working for you to perform a specific function like incident response. Most of your day still consists of analyst work. 2-5 years of experience.

· Manager. The individuals who report to you have people who report to them as well. You’re involved with interviewing and hiring entry-level personnel. Managing consumes the majority of your workday, and your opportunities to use your technical skills are declining. 5-8 years of experience.

· Director. You’re responsible for an entire department, facility, or a sizable team. You are responsible for a budget that you spend according to an approved plan. You’re involved with interviewing and hiring supervisors and managers. Management consumes your entire workday, and you only deploy your technical skills to conceptualize solutions. 8-12 years of experience.

· Executive. Your decisions affect the entire organization, and you have the ability to set strategic direction for large parts of the enterprise. You have a budget that you spend on your own authority. You may hire and fire employees on your own authority. You make procurement decisions on your own authority. You rarely do anything now that your entry-level or junior management self would have recognized as work. Overseeing and approving the work of others now consumes your entire workday.

 

Be careful not to appropriate prestigious titles as equivalents unless you’re sure that they’re a good fit. I have seen multiple resumes of senior O3 and junior O4 officers who identified themselves as the “CISO” of their unit. Unless you were involved in hiring and firing employees, setting strategy, conducting procurement, budgeting, etc., you were not the equivalent of a C-level anything. This type of title inflation sounds as absurd to a civilian hiring manager as your friend who is a help desk manager would sound to you if he told you he was, “basically equivalent to a General.”

 


Get Hired

 

You’ve gotten an interview. Nice work. Remember that the labor market for cybersecurity skills is strong, and your skills are in demand. While the employer is learning about you, be sure you’re learning everything that you need to know about them as well. Think of job interviews like dates. You definitely don’t want to marry everyone that you date, so you need to quickly determine whether a position is worth pursuing to avoid wasting your time (and theirs). Here are a few other tidbits to help you make the right match.

 

Don’t be too agreeable. Playing the good Soldier by affirming your willingness to undergo any hardship is not the right play at this point. You need to get what you want, and not just be what the employer wants. In my current career, travel is a significant requirement. We typically inform candidates that they will be required to travel up to 80% of the time and verify that this won’t be a problem. For candidates that indicate that they can’t (or don’t want to) travel, the interview ends pretty much immediately. This is better for both sides. Remember, the company has to fit your culture just as you have to fit theirs. Talking your way into a position you’ll hate and eventually quit only means stress for you and significant disruption for the employer. So, if you think that something about the position isn’t right, say so and look elsewhere.  

 

Don’t talk about or around classified information. In fact, don’t mention or allude to it at all. I’ve interviewed multiple candidates who claimed that they were with the NSA, CIA, TAO, Delta, the Space Marines, etc. but couldn’t reveal any details about the work that would support my decision about them. If, at any point, you are forced to deflect a question about your background with the claim that, “It’s classified,” you will definitely irritate most interviewers. If you have relevant experiences that are sensitive, leverage your respective organization’s resume review process to make sure that you understand where the lines are. Then, figure out what you can say that’s both meaningful and acceptable. If you can’t do this, then don’t waste the space on your resume or the interviewer’s time.   

 

Be honest with the employer (and yourself) about the nature of your skills. Remember that your organization (unit, agency, etc.) wasn’t your role. Making coffee at CIA headquarters doesn’t make you a Clandestine Service member any more than making briefing slides at Cyber Command makes you an elite super hacker. Many service members lose sight of this, and some overestimate their own level of expertise because of it. I’ve seen former watch officers, shift supervisors, and staff members from various impressive-sounding organizations fail technical phone screens, because they equated talking the talk of cybersecurity with walking the walk. Think about the top three tools that you use in your daily work. Are they Word, PowerPoint, and Excel? If so, you probably aren’t suited for an engineering role. Similarly, if the list includes IDA Pro, gcc, and gdb, then you shouldn’t go after a sales manager position.


 

Get Paid

 

You’re getting a written offer. Congratulations! Compensation is one of the main reasons why cybersecurity professionals decide to make career changes, and it will probably be among your primary selection criteria when you evaluate opportunities. It’s true that there is usually a significant pay gap between what you’re currently getting as a government employee and what the civilian equivalent for your position can command in the job market. According to CIO magazine, the average salary earned by a cybersecurity worker in the United States in 2013 was $116,000.2 However, you need to calibrate your expectations before beginning your job search to ensure that you’re prepared to negotiate compensation effectively. The following are a few points you should consider.

 

You should have some idea what a job pays before applying. Research the average pay for a role before submitting your resume. My favorite source for this type of data is glassdoor.com. For large companies, you can find a wealth of information on the average salary and bonus structure for a range of positions offered by your employers of choice. You can also search by city to see, for example, what an average cybersecurity manager makes in Fresno, California if you’re evaluating an offer from a nearby company that isn’t well represented in glassdoor.

 

While you should expect a healthy bump in pay when you make the transition, don’t become overwhelmed by a feeling of entitlement. Remember that the single most important factor in salary determinations is time. More professional experience generally commands a higher salary, while other factors generally don’t. For example, if the role requires a bachelor’s degree, while you have a graduate degree, don’t expect this to automatically translate to a higher salary.

 

When comparing offers, mind the differences between jobs. Roles that pay significantly more than other similar opportunities usually require something unpleasant from you. This unpleasant thing could be relocation to an undesirable place (deployment, maybe?) or extensive travel in general. It could also include persistent required overtime. Requirements like these may or may not change your mind about whether these jobs are worthwhile opportunities. Even if they still seem worthwhile, remember that this effect on quality-of-life should be a consideration in compensation negotiations. Be sure you also consider the cost of living where the job is located: $100k in San Antonio, Texas goes a lot further than $100k in San Francisco, California. Also remember the importance of advancement opportunities, and training and education support.

 


Continuing Your Service

 

As you transition into the private sector, an important parallel consideration is how you can continue your service in the government/military cybersecurity community on a part-time basis. While many uniformed personnel will transition to one of the reserve components to continue their military service, there are also other opportunities to stay involved through organizations such as the Military Cyber Professionals Association (MCPA). Each has its advantages and disadvantages. As a reservist you can continue to advance your skills through the rapidly expanding catalog of military cyber training courses. Military service also exposes you to situations and experiences that you’ll never find in the private sector, and you get a paycheck of course.

 

Understand that the days of “one weekend a month and two weeks in the summer” were left behind at the end of the 20th century, however. Much more will likely be expected of you as the military works to expand both its active and reserve cyber forces in the coming years. If you aren’t sure whether or not this is for you, try it out for a few months. Even if you eventually discover that the part-time military life doesn’t work for your situation, your reserve unit will serve as a type of transition support group while you adjust. At the very least, you’ll have a captive audience with whom to share your great war stories long after your significant other has grown tired of hearing them.

 

If continued military service isn’t for you, you can also expand your involvement in volunteer organizations like the MCPA. Volunteers willing to work are always in short supply for every non-profit organization, and the MCPA is no different. There are always leadership positions available from the local to the national level, including national officer roles. If you’ve always wanted to increase your involvement in the MCPA but didn’t have time, consider this both a reminder and a renewed invitation.  

 

Final Thoughts

 

While this article focused on the transition itself, I have a few comments on preparation for those who might be a few years out from a transition. First, make sure that you have the right credentials for the jobs you want. Specifically, get certified and get educated. Many talented cybersecurity professionals feel that certifications and diplomas are mere “pieces of paper” that don’t actually prove that a person has skills. Maybe. But they’re also table stakes for most jobs. Think of these credentials as though they’re a driver’s license. Even if you’re a phenomenal driver, you’ll still be required to possess a license in order to drive legally. Get this out of the way, while the government is willing to pay for it on your behalf.

 

Finally, network as much as you can. I have been continuously surprised and dismayed by service members’ disinterest in or downright unwillingness to network with their civilian counterparts. In this respect, college students who have no professional experience vastly outclass veterans when it comes to job hunting. You won’t be working for the government forever, and it pays to have friends to call on when you’re ready to move. You never know who will be able to refer you or vouch for you or who will be in a position to hire you outright. And, even if your friends don’t refer you, you could still find yourself in a position to refer them. Every company that I’ve worked for since leaving active duty paid referral bonuses, and some roles carried bonuses as high as $10k.

 

Cybersecurity professionals today couldn’t hope for better career prospects than they’ll see for at least the next decade. Finding a position somewhere is almost a foregone conclusion for most cyber defenders leaving government service, but maximizing your outcomes after a transition takes a bit of work. By sharpening your resume, maximizing your interview skills, and ensuring you’re prepared to negotiate compensation, you’ll ensure that you’re prepared to capitalize on your skills when you decide to make the move.





About the Author

Contributing Editor Adam Tyra is a cybersecurity professional with expertise in security operations, security software development, and mobile device security. He is currently employed as a cybersecurity consultant. Adam served in the U.S. Army and continues to serve part-time as an Army reservist. He is an active member of the Military Cyber Professionals Association and is a former president of the San Antonio, Texas chapter.








End Notes


1. http://cybersecurityventures.com/jobs/

2. http://www.cio.com/article/2383451/careers-staffing/cybersecurity-pros-in-high-demand--highly-paid-and-highly-selective.html


Photo credits (in order of appearance): military.com, LinkedIn, Investopedia, ClipartBro.com, Breaking Defense





An Interview on Cyber Norms

posted Jan 17, 2017, 4:27 PM by Michael Lenart   [ updated Jan 19, 2017, 4:28 AM ]


Robert Morgus is a policy analyst and Dan Ward a cybersecurity fellow for New America’s Cybersecurity Initiative. They’re also the authors of the informative (and entertaining) Professor Cy Burr’s Graphic Guide to International Cyber Norms. They agreed to sit down with Cyber Editor-in-Chief Michael Lenart to discuss their graphic guide as well as the major issues associated with developing international cyber norms.  


 

Q: As you do in the International Cyber Norms graphic guide, let’s start with the basics: What do we mean when we talk about “international cyber norms,” and how are they developed?

 

Dan: Norms are the informal, unofficial standards of behavior that guide the way people and nations interact. They get formed in several different ways – sometimes they emerge organically, other times they are developed strategically and deliberately. There’s a whole adoption process that we outline in the comic.

 

Robert: Dan is spot on. In this case, norm is short for normative behavior. In the most basic sense, a norm is a description of existing behavior. However, in the international cybersecurity context we’ve seen the emergence of two different types of norms: actual norms—which are a description of actual behavior—and aspirational norms—which describe ideal behavior.

 

 

Q: Along with norms, the graphic guide identifies coercion and treaties as the other means by which states can limit destructive behavior. What is the relationship among norms, coercion, and treaties – especially in a cyber context?

 

Dan: They all intersect and overlap a bit. For example, using treaties instead of coercion (or vice versa) can be a norm. The types of coercion or retaliation a country chooses to engage in are largely determined by norms.

 

 

Q: Did treaties and/or coercion contribute to the development of the Obama-Xi pact, i.e., China’s acceptance of a norm against industrial espionage? Or is there a better real-world example of the linkage among norms, treaties, and coercion?

 

Robert: Coercion and international law (treaties) most certainly played a role in the development of the Obama-Xi pact. People close to the indictments of five People’s Liberation Army hackers in the Western District of Pennsylvania would suggest to you that those indictments, a form of coercion, were more or less responsible for bringing Xi to the table. The legal side of this particular case study is complicated. There are international institutions like the World Trade Organization and various trade pacts (like the Trans-Pacific Partnership and Transatlantic Trade and Investment Partnership) that could provide the victim of economic espionage with a legal platform to seek some form of remuneration. However, there is no universal international law that directly addresses the issue of economic espionage.

 

 

Q: With regard to how one defines “cybersecurity,” you discuss major philosophical differences between two camps, roughly divided between western liberal democracies in one camp and Russia, China, and various other non-western states in the other. Can you describe these philosophical differences about cybersecurity and, broadly speaking, the political efforts each camp has undertaken to advance their particular perspective?

 

Robert: For the last decade, the diplomatic policy of much of the west has been to treat cybersecurity and information security as two separate issues. This means that when the US engages other camps on cybersecurity norms, the discourse has been limited to discussions on norms for engagement around attacks on physical infrastructure and what the US calls computer network operations. However, in other parts of the world, like Russia and China, cybersecurity and information security are deeply interwoven. Thus, a codification of national sovereignty over a given state’s cyberspace—which refers to information and communications technology (ICT) infrastructure, but not the content on it—has been met with a call for national sovereignty over information space—a thinly veiled attempt to allow states to control the internet and communications content that flows over their ICT infrastructure. The U.S. and rest of the west have been hesitant to engage on these topics as part of their diplomatic strategy. However, given the attention paid to the alleged Russian information operation around the U.S. election, it may be time for the west to reconsider this staunch separation.

 

 

Q: In two of Robert’s recent articles, he refers to statements by NSA and Cyber Command Chief Admiral Mike Rogers about a "series of ongoing conversations" the U.S. is having with other states on developing cyber norms. What can you tell us about these conversations?

Robert: Admiral Rogers is right to point to ongoing conversations the U.S. is having with other states. We engage at the multilateral and bilateral level with the likes of our partners in Europe, as well as some nations that are seen as more adversarial in this space like Russia and China. However, in part due to disagreement over the content of these conversations, they have stalled. One of the forums that has been instrumental in illuminating areas of agreement has been the United Nations Group of Governmental Experts (GGE) in the Disarmament Committee. However, at the end of last year’s meeting in August, the representative to the GGE from Russia is said to have stated that he thought all the agreement that could be reached on the topic has been, and some states have backtracked a bit on commitments made during past meetings.

 

 

Q: In the graphic guide, “Professor Cy Burr” briefly introduces Chris Painter, the State Department’s Coordinator for Cyber Issues and a major player in the U.S.’s work on cyber norms. Do you have any recommendations for how the Defense Department can improve its collaboration with State and/or other federal agencies to advance the development of international cyber norms?

 

Dan: Norms are generally informal and unofficial, which means cooperation is the key to getting a norm adopted. That’s why I think the various federal agencies have to make collaboration on this issue a priority. No single agency has complete jurisdiction over cyberspace, no agency has complete autonomy, and norms are almost never adopted just because one stakeholder wants it to be. Precisely because cyberspace is a shared domain, precisely because we all have interests and priorities and opinions about what norms should be adopted, it is crucial that we talk and collaborate, both at the senior leadership level and the lower levels.

 

 

Q: Since a norm is essentially an agreement among stakeholders who must share at least a basic level of trust, how large a role can norms play in the interactions of states like the U.S. and Russia (or China), whose relations often lack that basic element of trust?

Dan: Norms present us with an opportunity to develop a virtuous cycle (as opposed to a vicious cycle), because while norms require a certain amount of trust, they also help foster trust. So if we can get the ball rolling a little, with a few basic, easily-agreed upon norms, they can serve as building blocks to greater levels of trust and cooperation.

Robert: Dan is right, of course, but at the same time, breaching a norm can cause increased tension and further disintegration of trust. In the case of cybersecurity norms, this is a particularly realistic concern because, while many norms have been clearly articulated in writing, some are simply assumed and sometimes not necessarily assumed universally. This can lead to confusion should one state violate the perceived norm of another and also give potential norm defectors cover to plead ignorance.  

 

 

Q: Can you give an example or two of the type of basic, easily agreed upon norm that could get the ball rolling, like you mention above?

Dan: The best place to start is with norms already in place in other areas of international activity, such as the law of armed conflict (LoAC). Nation-states already have general agreements on things such as distinguishing between civilian and military targets, ensuring proportionality of response, and avoiding unnecessary suffering. So while we don’t have universal agreement that current international agreements and laws of war translate in full to cyberspace activities, there are certainly pieces and components of existing agreements we can use as these initial building blocks.

Robert: I’m not so sure there is a ton of low hanging fruit here, and I’ll break a bit from Dan in my answer. For the last decade, the U.S. has focused their strategy on negotiating or translating norms mostly from the armed conflict space, like LoAC. Over the last year I’ve become increasingly skeptical that this is the right approach to negotiating international cybersecurity norms. When I look at the vast majority of state cyber operations, I do not see military operations that should therefore be governed by the laws of armed conflict. Instead, I see intelligence operations that are far more akin to traditional espionage practices. From my perspective, it is important for those developing our norms strategy to understand and tease out what this means with regard to what sorts of existing norms we should be pushing for application in cybersecurity and where the key pressure points are for the development of new norms.

 

 

Q: This is admittedly a complex question that doesn’t lend itself to simple answers, but roughly speaking, how would you assess the international community’s current progress on developing and implementing a set of workable cyber norms?

Dan: As we explain in the comic, we’re very much in the early stages of this activity, largely because we are still in the early stages of learning to live in cyberspace. We’re still exploring. We are still figuring out what questions to ask and how to find answers, so it’ll be a while before we have a robust, shared set of cyber norms. The other thing to understand is that norms are not static. They tend to emerge and evolve over time, so I don’t think we should expect to ever have a set of norms as a complete, finished product. Norms are always a work in progress.

Robert: Absolutely. I would also say that we’re still in the exploratory phase wherein the international community wrestles with what should be the content for norms (recall the cybersecurity vs. information security debate). Recent events could push this stage to a culmination as western countries are pushed to acknowledge the relevance of information security.

 

On behalf of Cyber and the Military Cyber Professionals Association, I’d like to thank Mr. Morgus and Mr. Ward for taking time out of their busy schedules to share their valuable knowledge and insights with us. Integrating an understanding of cyber norms with traditional military cyber competencies can lead to a more thoughtful, strategic, and ultimately more beneficial application of cyber capabilities and capacities.

I strongly encourage all readers to review the graphic guide that prompted this interview.

-M. Lenart, Editor-in-Chief




Photo credit: TR Service Learning Academy

Trump on Cyber Warfare

posted Dec 28, 2016, 7:49 AM by Shawna Bay   [ updated Dec 29, 2016, 1:55 PM ]

by J. L. Billingsley 

Preface: This article is not a political endorsement nor a piece of partisan propaganda. Neither I nor the nonprofit I founded has received any form of support from any political or Trump-related entity. This is an independently conceived, evidence-based analysis intended to illuminate a specific topic currently muddled in opinionated bickering and misunderstanding, the likes of which complicate thoughtful policy analysis and planning. It is incumbent upon fellow members of the American national security community to hasten progress from a mudslinging campaign mindset to more mature, rational discussions that will better poise our nation for success in the coming years.[i],[ii],[iii]


For a man who prides himself on being unpredictable, President-elect Donald J. Trump has been exceedingly clear that he will prioritize developing America’s cyber warfare capabilities during his administration.[iv] In various venues (including speeches, tweets, and publicized meetings), Trump has clearly indicated his intent to address our nation’s ability to both throw a punch and take a hit in cyberspace. Below is a review of some such indications.

His First Address

It has not gone unnoticed within national security circles that Trump chose to highlight the cyber threat in his first official public address as President-elect…


“On national security, I will ask the Department of Defense and the Chairman of the Joint Chiefs of Staff to develop a comprehensive plan to protect America’s vital infrastructure from cyber-attacks, and all other form of attacks.”[v]

As anybody familiar with the inner workings of government bureaucracy and resource allocation (sometimes referred to as sausage-making) will attest, words matter. Further, the order of words by national leadership matters and has a direct impact on which programs receive funding (the means that enable all operations) and which ones do not. With this insight in mind, the above statement is truly telling.

Although the address only briefly discusses national security among a short list of immediate priorities, cyber is not only included but leads the list. That is in stark contrast to how we typically hear cyber included in lists, after more established forms of military power (such as air and maritime capabilities).[vi] Including cyber in such lists has been sufficient to ensure a funding stream to steadily develop this capability. However, the prominence Trump bestows on cyber in this intentional and polished statement signals to us that cyber will be a true priority, both in funding and operationally.

National Security Speech

In October 2016, during a talk hosted by a veterans group, candidate Trump opened with a lengthy discussion about the importance of developing cyber capabilities. While I have included only a fraction of his relevant statements in this excerpt, they clearly support this article’s main conclusion and require no further elaboration.

“I’d like to address one of the most important aspects of America’s national security, and that’s cyber security. To truly make America safe, we must make cyber security a major priority... As president, improving cyber security will be an immediate and top priority for my administration... The scope of our cyber security problem is enormous. Our government, our businesses, our trade secrets and our citizens’ most sensitive information are all facing constant cyberattacks and reviews by the enemy… I will make certain that our military is the best in the world in both cyber offense and defense… I will also ask my secretary of Defense and Joint Chiefs to present recommendations for strengthening and augmenting our Cyber Command. As a deterrent against attacks on our critical resources, the United States must possess — and has to — the unquestioned capacity to launch crippling cyber counter attacks. And I mean crippling, crippling. This is the warfare of the future. America’s dominance in this arena must be unquestioned… Cybersecurity is not only a question of developing defensive technologies but offensive technologies, as well... We should turn cyber warfare into one of our greatest weapons”[vii]

Tweet History

Some of his statements to the veterans group go into detail about the role and cost of various notable hacks on American targets. Those 2016 statements appear consistent with his cyber related concerns expressed years ago, sometimes conveyed in tweets. See some of these comments below…




[viii]

Social Media


From being used to topple governments during the Arab Spring to enabling Trump to directly engage millions of followers, social media platforms like Twitter are powerful tools, and the President-elect clearly knows it.[ix] Among numerous other statements on the topic, he shared his views succinctly in a recent 60 Minutes interview…

“I have such power in terms of numbers with Facebook, Twitter, Instagram, et cetera, I think it helped me win all of these races where they’re spending much more money than I spent… I think that social media has more power than the money they spent, and I think maybe to a certain extent, I proved that.”[x]

As Trump acknowledges, backed up by the statements of numerous commentators, his ability to wield the power of social media allowed him to effectively shape the information environment in support of his primary objective…being elected President. Other statements of his indicate he plans to retain this critical capability in support of achieving other goals.[xi] Given the high value of these social media services to Trump, and since they are cyberspace based, both military planners and computer security experts can conclude that the incoming administration will likely pursue expenditure of significant resources on cyberspace related efforts.

Relationship Building

Time is one resource he has already begun to invest in strengthening existing relationships, and building new ones, with leaders who will help inform and enable his cyberspace related efforts. For example, as he promised to do on the campaign trail, Trump recently met with Bill Gates, top Silicon Valley executives, and the leader of U.S. Cyber Command.[xii],[xiii] Trump’s selection of General Mattis to lead the Defense Department is beneficial, as well, since the General understands the cyber threat. This was abundantly clear in my first interaction with the recently retired General as he was on the way to spend quality time at Stanford University (an essential Silicon Valley institution).[xiv]


Trump meeting with Silicon Valley leaders in December 2016. From left to right: Eric Trump, Brad Smith of Microsoft, Jeff Bezos of Amazon, Larry Page of Alphabet/Google, Sheryl Sandberg of Facebook, Mike Pence, Donald Trump, and Peter Thiel (founder of PayPal).[xv]

In addition to discussing immediate cybersecurity concerns with such leaders, the President-elect’s emphasis on increasing technology related jobs in America is likely to bolster our nation’s severely underperforming and unsustainable STEM (science, technology, engineering, and mathematics) talent development pipeline (which includes K-12 education).[xvi] Given the natural forces of supply and demand, the more Americans with STEM talent that can qualify for government security clearances, the more capability our nation will have to triumph in cyber warfare and in the economic activity that enables such operations.

The Threat from China and Russia

Due to the current prominence and importance of the topic, no discussion of Trump and cyber warfare today would be complete without briefly addressing his views on China and Russia. While his attitude towards Chinese cyber activities (and towards China generally) is clear and consistent (exemplified by the aforementioned tweets), his stance on Russia deserves some demystifying.

One underdiscussed but reasonable interpretation is that he intends to follow geopolitical common sense in a multipolar world by neutralizing threatening alliances that counter his nation’s influence. He recognizes this situation, as indicated in comments such as…

“You can't have everybody hating you. The whole world hates us. And one of the things that I heard for years and years, never drive Russia and China together. And Obama has done that.”[xvii]


In this case, he may be seeking to divide the powerful China-Russia bloc by aggressively courting Russia. This can be accomplished, in part, by building on shared vital interests (like countering the threat of Islamic extremism) and resolving peripheral differences (such as approach towards ending the conflict in Syria and Iraq).[xviii],[xix]

As of the writing of this article in late December 2016, a current point of contention between America and Russia is the leaking of politically sensitive American data by (potentially Russian) hackers. Trump has already developed a consistent narrative that categorizes (what some may refer to as) foreign state-directed cyber-attacks as a direct result of disrespect towards President Obama.[xx] Trump has repeatedly stated that Putin will respect him, which in this case includes a stop to such cyber related activity. Taking advantage of opportunities to affect foreign state decision-making through the power of personal diplomacy and negotiation, as opposed to the expenditure of more American blood and treasure, appears consistent with Trump’s overall emphasis on the American economy (which includes more efficient use of American power).

Conclusion

Upon reviewing this discussion about our new national strategist, any reasonable person can conclude that his administration will prioritize developing our nation’s cyber related capabilities. With such development, and their cost and ethical advantages over traditional military capabilities, we may even witness cyberpower becoming the tool of choice in upcoming conflicts.[xxi],[xxii] 


This anticipated evolution to a cyber-first footing in the national security community will have many implications yet to be conceived. It is obviously beneficial to those in cyber related industries, as well as citizens frustrated with increasingly frequent, high-profile, and costly hacking incidents. Without prioritizing cyber and addressing the nation’s current state of vulnerability, as the incoming administration is expected to do, the actions of potential adversaries risk antagonizing a nation fully capable of traveling “an alternate path.”[xxiii] With that in mind, this is a positive direction for all peoples.


About the author

Joe Billingsley is founder of the 501(c)(3) educational nonprofit Military Cyber Professionals Association (MCPA) and is pursuing a PhD in Information Sciences. He is an Iraq War veteran, served as a Strategist and Cyber Operations Officer in the U.S. Army, and is a graduate of programs at the Army War College, Naval War College, Military Intelligence School, and Army School of Information Technology. He holds an MS in Cyber Systems and Operations from the Naval Postgraduate School and a BA in History from the University of Connecticut. He serves as Advisor to the Cyber Security Forum Initiative, faculty at George Washington University, and Fellow of the Center for Network Innovation and Experimentation.











The Saga of the "Internet Kill Switch"

posted Dec 4, 2016, 6:33 AM by Michael Lenart   [ updated Dec 4, 2016, 6:56 AM ]

By Jessica “Zhanna” Malekos Smith

With thanks to the Thomas M. Cooley Homeland & National Security Law Review

It is often said that trust takes years to build and seconds to destroy – but what about the Internet? While the Internet infrastructure took years to build, would it similarly take seconds to destroy using a ‘kill switch?’ According to Dyn Research, because the United States has a robust Internet economy with over 40 Internet Service Providers (ISPs), it “is likely to be extremely resistant to Internet disconnection.”1 Despite this assessment, since 2010 Congress has considered bills granting the president “the power to order ISPs to disconnect certain websites, stop the flow of information from certain countries or even create an internet service blackout.”2


This article analyzes the congressional history of so-called "Internet kill switch" bills and two domestic cases of a denial-of-access to local Internet connections. The first involves the Federal Bureau of Investigation’s (FBI) actions in disconnecting a suspect’s Internet access because “Internet access isn’t an essential service.”3 The second case examines the California state-run Bay Area Rapid Transit (BART) company’s suspension of cell phone service signals to inhibit protesters’ communications.4



Historical Legislative Overview

In 2010, U.S. Senators Joseph Lieberman (Independent, Connecticut), Susan Collins (Republican, Maine), and Thomas Carper (Democrat, Delaware) proposed the Protecting Cyberspace as a National Asset Act (PCNAA).5 Under the PCNAA, the president would hold broad authority over privately owned computer systems during a national cyber emergency.6 The bill also would have enabled the Department of Homeland Security (DHS) to enact emergency protocols to safeguard the “nation’s critical infrastructure.”7 Critics denounced this provision, however, because it did not specifically identify the DHS’s emergency protocols and types of covered critical infrastructure.8 Opponents alleged the PCNAA impermissibly encroached on their right to free speech online.9 As such, the controversial legislation was dubbed the “Internet Kill Switch Bill” and failed in Congress.


In 2011, Renesys co-founder James Cowie posited that:

 

“[a] country’s legal framework, not its technical infrastructure, determines whether it is able to shut down its citizens’ access to the internet . . . “somebody has to have the legal authority to go to a company that runs a large part of the internet in the United States and say, ‘Turn off your connection to the outside world.’”11




That same year the PCNAA was revived, and now included a provision that prohibited private-sector service providers from seeking judicial review against the DHS’s emergency protocol regulations.12 The bill alienated many in the technological community by stipulating that the “federal government’s designation of vital Internet or other computer systems shall not be subjected to judicial review.”13 Essentially, the DHS would develop a critical infrastructure list (including but not limited to servers, websites, and routers) that would be subject to the president’s emergency declarations, if each of these three conditions applied:

First, the disruption of the system could cause “severe economic consequences” or worse. Second, that the system “is a component of the national information infrastructure.” Third, that the “national information infrastructure is essential to the reliable operation of the system.”14

If a private-sector company objected to these protocols by asserting a Fifth Amendment due process violation, then its only legal recourse would be an appeal to the Secretary of the DHS, who would offer a binding legal determination.15 For TechFreedom analyst Berin Szoka, this belies core democratic principles because “[b]locking judicial review of this key question essentially says that the rule of law goes out the window if and when a major crisis occurs.”16 Indeed, under this administrative schema, it appeared that the ominous adage silent leges inter arma (“in times of war, the laws fall silent”) would hold true.17

Although the 2011 bill failed, the 2012 Cybersecurity Act (CSA 2012) was then proposed to “alleviate the concerns about the 2010 Act by eliminating any provisions that could be interpreted as giving the president a ‘kill switch.’ The new legislation also define[d] critical infrastructure very narrowly to include only systems that could cause catastrophic damage, if compromised.”18 Despite these changes, CSA 2012 faced strong opposition from the U.S. Chamber of Commerce and civil advocacy groups like the Electronic Frontier Foundation.19,20 In the end, the bill failed to garner enough votes in Congress.21


Denial of Access to Local Internet in the United States

Case Study I: Las Vegas, Nevada

While Congress has not adopted a “kill switch bill,” there have been instances where a state entity attempted to cordon off a user’s access to the global Internet. The first case study involved the FBI, a Malaysian gambling ring, and the opulent Caesars Palace hotel in Las Vegas, Nevada.22

By 2014, the FBI had discovered an illegal World Cup gambling ring, estimated at $13 million, operating inside the Caesars Palace villas.23 FBI agents allied with a hotel WiFi24 contractor and devised a plan to disable the hotel-guest Internet connection in the targeted suites.25 Next, FBI agents “posed as repairmen and tricked the butler into letting them into the luxury suite – all without a warrant. The ruse enabled the FBI to gather evidence that led to the arrest of Malaysian gambler Wei Seng ‘Paul’ Phua.”26 As a result, Mr. Phua’s attorneys moved to suppress the incriminating evidence that was seized from the warrantless search of Mr. Phua’s suite.27

The government reasoned that the “trickery deployed in Mr. Phua’s case was permissible because Internet access isn’t an essential service.”28 Moreover, they explained that “had the FBI agents manufactured an emergency by shutting off the defendant’s water, heat or electricity,” then such acts of deception would be unconstitutional.29 Assuming that Internet access is a non-essential utility, does that justify the FBI’s actions in shutting down a user’s access? While U.S. District Judge Andrew P. Gordon of the District of Nevada did not directly confront this issue in his ruling, he still ruled in favor of Mr. Phua because the evidence constituted “fruits of an unconstitutional search” in contravention of Fourth Amendment rights.30


Case Study II: San Francisco, California

On August 11, 2011, the California state-run Bay Area Rapid Transit (BART) company “turned off” cell phone service inside select San Francisco stations to inhibit protest activity.31 The following day, BART issued a statement defending its actions: “BART temporarily interrupted service at select BART stations as one of many tactics to ensure the safety of everyone on the platform.”32


For historical context, on July 3, 2011, a deadly shooting involving BART police and a suspect occurred.33 In response, several hundred people assembled at BART stations to protest the shooting.34 Unfortunately, the demonstrations turned violent.35 According to The Washington Post, because protestors were planning to disrupt BART services again on August 11, 2011, which could cause platform overcrowding and unsafe conditions for BART employees and passengers, BART initiated a service outage based on safety concerns: “Organizers… stated that they would use mobile devices to coordinate their disruptive activities and communication about the location and number of BART police.”36

The Electronic Frontier Foundation likened BART’s actions in silencing protestors to those of former Egyptian President Hosni Mubarak, who “ordered the shutdown of cellphone service in Tahrir Square in response to peaceful protests….”37 In fact, the moniker “#MuBARTek” began gaining popularity on the social networking site Twitter.38 Here, the realization that a state-imposed cell phone service outage was just as possible in San Francisco, California, as it was in revolutionary Egypt is chilling.

The case also illustrates that a local state entity can restrict communication networks not only to mitigate immediate public safety risks, but also to indiscriminately prevent future protest activity. The First Amendment provides that “Congress shall make no law… abridging the freedom of speech, or… the right of the people peaceably to assemble….”39 Here, BART’s self-imposed outage encroached on the individual right to free speech because it restricted commuters’ ability to “dial 911, or surf the Web for three hours during the shutdown, and protestors were unable to coordinate their actions.”40


Generally, BART has taken the position that it “accommodates expressive activities that are constitutionally protected by the First Amendment to the United States Constitution and the Liberty of Speech Clause of the California Constitution (expressive activity), and has made available certain areas of its property for expressive activity.”41 However, BART’s ability to unilaterally apply a service outage to silence all protest demonstrations – even those that have not yet occurred – is a sobering thought for First Amendment scholars, activists, and citizens.42 Given the high potential for misuse of this power, one wonders how robustly the system of checks and balances can operate in a democracy when such forms of speech are so readily silenced.


Expanding National Security Communications via Executive Order

On July 6, 2012, President Obama issued Executive Order 13618, the Assignment of National Security and Emergency Preparedness Communications Functions.43 In order to communicate during a national security attack or other emergency, EO 13618 affirms the federal government’s authority to manage federal, state, local, and territorial government and private sector telecommunications systems under such circumstances.44 The list of assigned communication systems includes “landline, wireless, broadcast and cable television, radio, public safety systems, satellite communications, and the Internet.”45


This is not the first instance, however, when a president used an executive order to augment his war powers under the 1934 Communications Act.46 From President John F. Kennedy prescribing “federal telecommunications management functions” in 1962 under EO 10995, to President William J. Clinton regulating “national defense industry resource preparedness” in 1994 under EO 12919, presidents have bolstered their authority to manage National Security/Emergency Preparedness (NS/EP) communications.47 The first section of EO 13618 identifies its central purpose as the following:

The Federal Government must have the ability to communicate at all times and under all circumstances to carry out its most critical and time sensitive missions. Survivable, resilient, enduring, and effective communications, both domestic and international, are essential to enable the executive branch to communicate… Such communications must be possible under all circumstances to ensure national security, effectively manage emergencies, and improve national resilience.48

It is interesting to note that the phrase “under all circumstances” appears twice in the opening statement of EO 13618.49 One possible explanation is that the “2010 National Security Strategy, the primary federal government guidance on national security, reiterates the notion that reliable and secure telecommunications is necessary to effectively manage emergencies, and that the United States must prevent disruptions to critical communications.”50

EO 13618 also disbands the National Communications System and replaces it with “an executive committee to oversee federal NS/EP communications functions, [and] establish[es] a programs office within the [DHS] to assist the executive committee….”51 Critics were particularly disturbed by Section 5.2, which allocates broad oversight authority to the DHS.52 The relevant portion reads:

The Secretary of Homeland Security shall: (a) oversee the development, testing, implementation, and sustainment of NS/EP communications, including: communications that support Continuity of Government; Federal, State, local, territorial, and tribal emergency preparedness and response communications; non-military executive branch communications systems; critical infrastructure protection networks; and non-military communication networks….53

Opponents felt this provision of EO 13618 gave President Obama a “kill switch” by allowing him “‘control over the internet’ beyond the general ability to suspend communications in extreme cases….”54

Given the emergency powers vested in the Commander-in-Chief, could the president restrict American Internet connections during a national security emergency? Recall that under the 1934 Communications Act, the president already possesses the emergency power to “suspend or amend the rules and regulations applicable to any or all facilities or stations for wire communication within the jurisdiction of the United States as prescribed by the Commission[.]”55 As such, EO 13618 adds another medium (i.e., the Internet) to the list of NS/EP communication channels subject to the president’s control.56 And although no “kill switch” bill has been formally adopted in Congress, the language of EO 13618, coupled with the case studies discussed herein, indicates that restrictions on U.S. citizens’ access to the global Internet could become an unsettling reality.




About the Author

Jessica “Zhanna” Malekos Smith is a postdoctoral fellow with the Belfer Center's Cyber Security Project at the Harvard Kennedy School. Previously she was a fellow of the Madeleine Korbel Albright Institute for Global Affairs in 2013. Malekos Smith received her B.A. from Wellesley College and J.D. from the University of California, Davis School of Law. She is an M.A. candidate in International Relations and Contemporary War at King's College London, War Studies.







End Notes

 

1. Jim Cowie, Could It Happen in Your Country?, Dyn Res. (Nov. 30, 2012), http://research.dyn.com/2012/11/could-it-happen-in-your-countr/.

2. See Betsy Isaacson, How To Get Around The Internet Blackout In Syria—Or A Mass Communications Outage Anywhere, Huffington Post (Nov. 30, 2012, 2:39 PM), http://www.huffingtonpost.com/2012/11/30/internet-blackout-syria_n_2218656.html?1354304364.

3. See Jacob Gershman, Judge: FBI Ruse in Las Vegas Sports Betting Case was Unconstitutional, Wall St. J. (Apr. 20, 2015), http://blogs.wsj.com/law/2015/04/20/judge-fbi-ruse-in-las-vegas-sports-betting-case-was-unconstitutional/.

4. See Melissa Bell, BART San Francisco cut cell services to avert protest, Wash. Post (Aug. 12, 2011), https://www.washingtonpost.com/blogs/blogpost/post/bart-san-francisco-cut-cell-services-to-avert-protest/2011/08/12/gIQAfLCgBJ_blog.html.

5. S. 3480 (111th): Protecting Cyberspace as a National Asset Act of 2010, GOVTRACK.US, https://www.govtrack.us/congress/bills/111/s3480 (last visited June 26, 2016).

6. See John D. Sutter, Could the U.S. shutdown the internet?, CNN (Feb. 3, 2011, 10:23 AM), http://www.cnn.com/2011/TECH/web/02/03/internet.shut.down/.

7. Markus Rauschecker, Protecting U.S. “Cyberspace”: How the Notion of an Internet Kill Switch Sidetracked the National Asset Act, LAW PRAC. TODAY (Mar. 2012), http://www.americanbar.org/content/dam/aba/publications/law_practice_today/protecting-us-cyberspace-how-the-notion-of-an-internet-kill-switch-sidetracked-the-national-asset-act.authcheckdam.pdf.

8. See id.

9. See id.

10. See Isaacson, supra note 2.

11. See Sutter, supra note 6 (quoting Jim Cowie, co-founder of Renesys).

12. See Declan McCullagh, Internet ‘kill switch’ bill will return, CNET Blog (Jan. 24, 2011), http://www.cnet.com/news/internet-kill-switch-bill-will-return/.

13. Id. (quoting S. 3480, 111th Cong. (2010)).

14. Id. (emphasis added).

15. Id.

16. Id.

17. Marcus Tullius Cicero, GoodReads, http://www.goodreads.com/quotes/49233-in-times-of-war-the-law-falls-silent-silent-enim (last visited June 26, 2016); see also Inter Arma Enim Silent Leges Law & Legal Definition, USLegal, http://definitions.uslegal.com/i/inter-arma-enim-silent-leges/ (last visited June 26, 2016).

18. See Rauschecker, supra note 7.

19. About the Electronic Frontier Foundation, EFF, https://www.eff.org/about (last visited June 26, 2016) (“The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development.”); see also Rauschecker, supra note 7.

20. See Rauschecker, supra note 7.

21. See id.

22. See Gershman, supra note 3.

23. See id.

24. Wi-Fi, TechTerms, http://techterms.com/definition/wi-fi (last visited June 26, 2016) (“Wi-Fi is a wireless networking technology that allows computers and other devices to communicate over a wireless signal. It describes network components that are based on one of the 802.11 standards developed by the IEEE and adopted by the Wi-Fi Alliance.”).

25. See Gershman, supra note 3.

26. Id.

27. See id.

28. Id.

29. Id.

30. See id.

31. See Bell, supra note 4.

32. Id.

33. See id.

34. See id.

35. See id.

36. Id.

37. Daniel Ionescu, FCC Investigates BART over Cellphone Shutdown, PCWorld (Aug. 16, 2011, 8:00 AM), http://www.pcworld.com/article/238160/FCC_Investigates_BART_Over_Cellphone_Shutdown.html.

38. Bell, supra note 4.

39. U.S. Const. amend. I.

40. Ionescu, supra note 37.

41. Bell, supra note 4.

42. Eva Galperin, BART Pulls a Mubarak in San Francisco, Elec. Frontier Found. (Aug. 12, 2011), https://www.eff.org/deeplinks/2011/08/bart-pulls-mubarak-san-francisco (“[O]nce BART made the service available, cutting it off in order to prevent the organization of a protest constitutes a prior restraint on the free speech rights of every person in the station, whether they’re a protester or a commuter. Freedom of expression is a fundamental human right. Censorship is not okay in Tahrir Square or Trafalgar Square, and it’s still not okay in Powell Street Station.”).

43. See Dara Kerr, Obama signs order outlining emergency Internet control, CNET Blog (July 10, 2012), http://www.cnet.com/news/obama-signs-order-outlining-emergency-internet-control/.

44. See Shawn Reese, Cong. Research Serv., R42740, National Security and Emergency Preparedness Communications: A Summary of Executive Order 13618 2 (2012).

45. Id. (emphasis added).

46. See id.

47. See id.

48. See Exec. Order No. 13618, 77 Fed. Reg. 40,779 (July 6, 2012), https://www.gpo.gov/fdsys/pkg/FR-2012-07-11/pdf/2012-17022.pdf (emphasis added) [hereinafter E.O. 13618].

49. See id. § 1.

50. See Reese, supra note 44, at 1.

51. Id.

52. See Kerr, supra note 43.

53. E.O. 13618, supra note 48 (emphasis added).

54. See Adi Robertson, Obama clarifies plan to keep the internet running during emergencies in executive order, The Verge (July 10, 2012), http://www.theverge.com/2012/7/10/3149831/obama-national-security-emergency-preparedness-internet-order.

55. See 47 U.S.C.A. § 606(d) (West 1934) (emphasis added).

56. See Reese, supra note 44, at 2.


Photo credits (in order of appearance): Make:, Ars Technica, Franco Folini/Wikimedia Commons, FreedomWorks, d-infinity


















Cyber, Cyber Everywhere: Preparing for 2035

posted Nov 21, 2016, 3:11 AM by Michael Lenart   [ updated Dec 5, 2016, 4:29 AM ]

By Michael Lenart, Cyber Editor-in-Chief


Introduction


A crude but telling metric: “Cyber” and other forms of the word appear 118 times in Joint Operating Environment (JOE) 2035: The Joint Force in a Contested and Disordered World*. JOE 2035 is a Joint Staff force development document that lays out what the future environment and future conflicts may look like, and the missions the Joint Force may have to perform to be successful in them. Put another way, it provides ways to think about and prepare for the various “futures” that may arrive. Moreover, the prevalence of the word “cyber” within this futures document showcases the ever-increasing importance of proficiency in the youngest domain. This article will provide a very brief overview of JOE 2035 and discuss the cyber aspects within it.



Major Sections of JOE 2035


JOE 2035 has three major sections, briefly described below.


1. The Future Security Environment 2035. Providing an overall backdrop of the future environment, this section describes emerging trends that will lead to new and challenging conditions for the Joint Force.


2. Contexts of Future Conflict. No one can say exactly how the trends outlined in Section 1 will unfold and produce the future we will actually see in 2035. However, drawing on the trends from Section 1, Section 2 outlines six plausible “contexts” that forecast the general types of conflicts the Joint Force may face.


3. Implications for the Joint Force. To secure its interests in the six contexts outlined above, the U.S. will pursue four strategic goals ranging in aggressiveness from Adapt to changing conditions to Impose change and enforce outcomes. Each strategic goal comes with an associated “enduring military task” that describes the Joint Force’s role in achieving the strategic goal.



The Future Security Environment 2035


The first section of JOE 2035 describes major trends that will shape the future operational landscape. These trends are divided among three categories: World Order; Human Geography; and Science, Technology and Engineering.


The first part, “World Order,” states that regional powers aspiring to global influence will make “investments in more advanced cyber capabilities” that will enable them to, among other things, launch strategic attacks against U.S. financial and energy infrastructure. This mirrors the National Intelligence Council’s Global Trends 2030, which states, “A cyber arms race is likely to occur as states seek to defend both public and private infrastructures against state and nonstate actors.”1 This is not merely an abstract prediction based on imagination; we have indeed already seen attacks against U.S. banks by Iran.2 Moreover, JOE 2035 reminds us that such activity has been and will continue to be conducted by both state and state-sponsored actors.


We then read in the “Human Geography” sub-section that “Shifting ideological affiliations could lead to new and surprising fractures in societies.” These fractures would be partially formed and then reinforced by mass online communication, as “groups will build regional and global networks around sets of ideas, forged and disseminated within cyberspace, with a range of ‘online ideologies’ and identity networks displacing nationalism as a source of legitimacy for many.” An obvious example of this kind of online ideology would be Islamic extremism, but many other potential examples exist in a world of several billion people comprising myriad groups, communities, and interests.


As for science, technology, and engineering trends, it’s no surprise that “Proliferated Information Technologies” play a large role in the 2035 Future Security Environment. This starts with infrastructure: “More modern developing states will continue to construct comprehensive national information technology infrastructures consisting of fiber-optic and cellular networks that far exceed the current state of the art.” Also beyond the current state of the art will be a growing “digital inter-connectedness” that will create an Internet of Things (IoT), leading to an exponential increase in cyber targets and vectors of attack. (For a recent example of a real-world attack that leveraged the IoT, see Jenni Ryall’s “How your smart device caused the internet to crash and burn.”3 For a strategic, systematic approach to securing the IoT, see Scott Shackelford’s “When Toasters Attack: 5 Steps to Improve the Security of Things.”4)


Information technologies of more immediately obvious military significance will include those “that can damage, spoof, confuse, or disrupt integrated battle networks,” and that can do so quickly and dynamically. This will require U.S. and partner battle command networks with enhanced protection, greater redundancy, and automated defenses. (For an in-depth look at analytic capabilities that will enable such automated defenses, see Adam Tyra’s aptly named article, “The Robot Security Analysts are Coming, but not Today.”5)


Lastly, the JOE warns of electromagnetic pulse weapons that will enable “the discriminate and precise targeting of a range of electronics-based systems,” to include U.S. and allied network components. Indeed, this reflects recent increases in Russian use of electronic warfare capabilities in Ukraine and Syria6, and it underscores the need to harden U.S. network and cyber warfare capabilities, and to develop capabilities able to inflict the same damage on our adversaries.

 


Contexts of Future Conflict


Drawing upon trends from Section 1, JOE 2035 outlines six contexts that may characterize future conflict. These include:


· Violent Ideological Competition focused on the subversion or overthrow of established governments.

· Threatened U.S. Territory and Sovereignty as enemies attempt to coerce the U.S. and its citizens.

· Antagonistic Geopolitical Balancing by capable adversaries attempting to challenge the U.S. These adversaries will place difficult demands on the Joint Force over wide areas of the globe.

· Disrupted Global Commons resulting from intimidation, destabilization, and the use of force by state and non-state actors.

· A Contest for Cyberspace, in which conflict and/or war are likely to occur as states struggle to define and credibly protect cyber sovereignty, and non-state actors attack U.S. cyber interests.

· Shattered and Reordered Regions resulting from internal political fractures, environmental stressors, or deliberate external interference.


Importantly, the document notes that the actual future in 2035 is likely to contain elements of some or possibly all of these contexts.


In the “Violent Ideological Competition” of Context 1, competitors will use ideas to influence the thoughts, feelings, impressions, and behaviors of their intended targets, using propaganda, cyber attacks, kinetic attacks, and covert operations. These activities will not occur independently of each other; they will be conducted in concert and thus will reinforce one another.


In Context 3, “Antagonistic Geopolitical Balancing,” state adversaries may seize long-contested territory, and then defend it using a variety of means to include cyber assets, as well as air defense capabilities and “advanced manned and unmanned aircraft, long-range ballistic and cruise missiles, submarines, surface ships, electromagnetic jammers and spoofers.” If successful in consolidating their newfound control and developing long-range strike assets, combatants will exploit this increased strategic depth to “invest in the naval, air, cyber, and other capabilities necessary to build credible power projection capabilities and assert themselves farther from their borders.”


One of the cyber high points of JOE 2035 resides in Context 5, “A Contest for Cyberspace.” This context states that the usual assumption is that cyberspace is a “commons,” or space that is “owned by none, accessible to all.” However, not all of cyberspace fits this definition, so the challenge for the U.S. and other state actors is to ensure access to the “commons” of cyberspace (those parts that should be open to all) while denying access to those parts that must remain secure.


For those parts that must remain secure, “The vulnerability of cyber-enabled systems to exploitation presents an assailable flank which competitors are likely to probe, infiltrate, and potentially attack.” As always, states will exploit an advantage when they see one. Accordingly, many will “[attempt] to influence, disrupt, degrade, or perhaps even destroy” key cyber-enabled assets of their competitors. Specific examples of such operations include attacks that undermine “the trust and data integrity” of financial, legal, and technical infrastructure; strategic surveillance; industrial and scientific espionage; and attacks against industrial machinery.


Moreover, beyond the technical attacks described above, cyber operations may be used “to stress or fracture the social and political cohesion of competitors,” intending to affect the perceptions and decision making of those competitors. The document doesn’t elaborate much on this point, but one could imagine these activities might involve cyber-enabled strategic communications, such as when attackers hijack major websites or social media accounts in order to broadcast their messages.  


JOE 2035 also adds that some states may “integrate cyber warfare capabilities at the operational and tactical levels of war,” targeting the command networks the Joint Force so thoroughly depends upon. Moreover, this can be accomplished not only through pure cyber attacks, but also via “an array of destructive weapons, including high-power microwave munitions and laser systems which are increasingly effective against digitized, miniaturized, and integrated circuits.”


Section 2’s final context, “Shattered and Reordered Regions,” posits that global cyber activist networks will be among several types of organizations who exploit the failures of central governments. No specifics are given, but examples may include Islamic extremist activists encouraging citizens to blame their governments’ failures on allegedly un-Islamic forces; anti-globalization groups conducting online campaigns in economically depressed regions, etc.



Implications for the Joint Force


The final section of JOE 2035 recognizes that the amount of resources, blood, time, and political capital the U.S. is willing to invest in a situation will vary according to the importance of the interest at stake, and whether that interest is currently being met or must be achieved through more concerted effort. Accordingly, Section 3 outlines four strategic goals of increasing ambition and effort, along with associated military tasks.


| Strategic Goal | Enduring Military Tasks |
| --- | --- |
| Adapt to changing conditions – ensure the United States can adequately cope with emerging changes in the security environment. | Shape or contain to assist the United States with coping and adapting to changed international security conditions. |
| Manage antagonism and impose costs – discourage changes to the security environment that are unfavorable to the United States. | Deter or deny to manage the antagonistic behavior of competitors or to impose costs on competitors or adversaries taking aggressive action. |
| Punish aggression and rollback gains – block and undo changes to the security environment that are dangerous or disruptive to the United States. | Disrupt or degrade to punish aggressive action by an adversary or to force an adversary to retreat from previous gains. |
| Impose change and enforce outcomes – introduce desired changes to the security environment that are favorable to the United States. | Compel or destroy to impose desired changes on the international security environment and subsequently enforce those outcomes. |



With regard to cyber, JOE 2035 explicitly identifies four future cyber missions, and two broader missions to which cyberspace operations contribute.


Under the enduring military tasks Shape or contain, the Joint Force must provide Military Support to Cyber Resiliency. This entails minimizing “the consequences of threatened or successful cyberattacks against the United States, its allies, and partners.” This mission will require working with traditional partners like U.S. government and civilian organizations, and allied nations, as well as nontraditional partners such as private companies or even cyber activists.


As part of the enduring military tasks Deter or deny, Joint Forces must conduct national and allied Network Defense. This mission may include “the development of a Department of Defense cyber umbrella; the creation of a national ‘cyber border patrol’; more comprehensive intelligence sharing efforts; contributions to national level cyber exercises; the development of hardened networks; and reinforced coordination with domestic law enforcement.” Additionally, it will “require steady-state information operations” that communicate to attackers the resiliency of major U.S. systems, ostensibly to deter attacks in the first place.


Under Disrupt or degrade, cyber forces must support Global Counterterrorism through offensive operations that “erode [terrorists’] ability to coordinate activities,” especially when attempting attacks against the homeland.


Perhaps the most comprehensive treatment of cyber’s future role and related functions is outlined in the portion of JOE 2035 describing Cyberspace Disruption, which is worth quoting at length:


…to attack adversary assets and impede their ability to adversely affect the unrestricted use of cyberspace by the United States. Offensive cyber operations will impose costs on adversaries by identifying and exploiting their cyber vulnerabilities, and may include distributed denial of service attacks, targeted cyber denial measures, and actions to physically impair military systems through cyberspace. Additionally, the Joint Force may conduct proportional cross-domain operations to physically damage an adversary’s cyber infrastructure, using weapons operating in other domains to suppress enemy cyber defenses and specifically strike their critical cyber infrastructure. Furthermore, these operations should be coupled with defensive cyber efforts to block adversary responses, and might include the use of autonomous or semi-autonomous cyber defense systems or the activation of war reserve networks when peacetime networks are unavailable.




Shifting to Compel or destroy tasks, cyber contributes to multi-domain offensive operations that impose Global Commons Exclusion on adversaries who threaten the free use of the commons. Furthermore, though JOE 2035 doesn’t explicitly say so, this support to multi-domain operations could also contribute to what it calls Major Sustained Operations and other high-intensity fights.7


JOE 2035 ends on a high note in terms of cyber-relevant missions. The last is a very ambitious challenge called Cyberspace Control, and its purpose is to:


eliminate an adversary's ability to define and defend their interests in cyberspace and force them to recognize U.S. views on its use. Cyberspace control operations will frequently integrate cyber and non-cyber capabilities. In coordination with law enforcement agencies, offensive operations may be required to identify, target, and capture or kill adversary cyber operatives. Offensive operations will also be used to eradicate an adversary’s cyber infrastructure and capabilities, which might include an array of kinetic strikes combined with simultaneous electronic, cyber, and space warfare actions. Finally, the Joint Force may impose cyber-military governance, including the introduction of U.S. cyber rules and laws on captured adversary networks to include the control of domain names, access and registration, and administration of key systems.



Conclusion


In very practical, even bureaucratic terms, the purpose of force development documents like JOE 2035 is to start identifying changes in areas like doctrine, organization, training, and material capabilities that are necessary to ensure warfighters are prepared for future environments. Though JOE 2035 doesn’t attempt to predict the future, forecasting various scenarios that may arise based on what we know now is helpful, because themes or features that appear in several of these scenarios are fairly strong indicators that, no matter what specific future ends up occurring, these particular themes or features are likely to appear. In terms of cyber, a few such themes and features include continually increasing digital interconnectedness, continued disagreements over the boundaries and rules of cyberspace, cyber threats to the homeland, increased multi-domain and interagency cooperation, and probably increased reliance on autonomous cyber systems. The Department of Defense and the U.S. Government must therefore begin preparing for these and other likely occurrences sooner rather than later, since developing capabilities, changing large organizations, and budgeting for government procurement almost always take longer than one first anticipates, especially when one must do all three.


In less practical but equally important terms, the value of future-looking activities is intellectual. Deliberately moving oneself outside a current perspective improves one’s ability to think about what may happen, and to give serious consideration to plausible developments that would otherwise be overlooked. Moreover, if done repeatedly, this discipline even prepares one to deal with unforeseen surprises when they occur, since one has through practice overcome the mental handicap of only being comfortable dealing with the concrete and the predictable, the here-and-now.



About the Author



Michael Lenart is the Editor-in-Chief of Cyber magazine and an Army Strategist. His areas of interest include national security, cyberspace operations, and organizational change.











End Notes


*All JOE 2035 quotes and other citations retrieved from http://dtic.mil/doctrine/concepts/joe/joe_2035_july16.pdf


1. National Intelligence Council. Global Trends 2030. https://www.dni.gov/index.php/about/organization/global-trends-2030


2. Volz, D. & Finkle, J. U.S. indicts Iranians for hacking dozens of banks, New York dam. http://www.reuters.com/article/us-usa-iran-cyber-idUSKCN0WQ1JF


3. Ryall, J. How your smart device caused the internet to crash and burn. http://mashable.com/2016/10/21/dyn-attack-iot-device/#qIFPujAARiqO


4. Shackelford, S. When Toasters Attack: 5 Steps to Improve the Security of Things. http://magazine.milcyber.org/stories/whentoastersattack5stepstoimprovethesecurityofthings


5. Tyra, A. The Robot Security Analysts are Coming, but not Today. http://magazine.milcyber.org/stories/therobotsecurityanalystsarecomingbutnottoday


6. Patterson, C. Russia’s Surging Electronic Warfare Capabilities. http://www.thediplomat.com/2016/04/russias-surging-electronic-warfare-capabilities


7. Freedberg, S. Army’s Multi-Domain Battle To Be Tested In PACOM, EUCOM Wargames. http://breakingdefense.com/2016/11/armys-multi-domain-battle-tested-in-pacom-eucom-wargames/



Photo credits (in order of appearance)

1. Defense Technical Information Center

2. HD Wallpapers

3. Ng Han Guan

4. Army, iStock

















Q&A on the Joint Cyber Analysis Course with Cmdr. Christopher Eng

posted Nov 11, 2016, 9:48 PM by Michael Lenart   [ updated Nov 11, 2016, 9:49 PM ]

Cmdr. Christopher Eng is the commanding officer of Information Warfare Training Command (IWTC) Corry Station and a graduate of the Massachusetts Institute of Technology with a Bachelor of Science in computer science. He first served in the Navy as a submarine officer and then transferred to cryptology and information warfare (IW). He became the commanding officer of IWTC Corry Station in September 2015.

IWTC Corry Station is in Pensacola, Florida, and is one of four training schoolhouses for the Center for Information Warfare Training (CIWT), a learning center for Naval Education and Training Command. Eng’s staff of around 350 personnel trains 2,200 students every day, totaling 8,300 students annually.

In July 2016, the former Center for Information Dominance (CID) changed its name to CIWT to emphasize a shift in thinking of IW as a critical capability of the Navy’s mission sets. Accordingly, Eng’s command name changed from CID Unit Corry Station to IWTC Corry Station.

The command’s mission was also updated: to provide a continuum of IW training to Navy and joint service personnel that prepares them to conduct IW across the full spectrum of military operations.

While many within the IW community think of Corry Station as the “cradle of cryptology,” the schoolhouse also offers courses in the information technology field. 

Carla McCarthy, the CIWT public affairs officer, spoke with Cmdr. Eng about one of the 39 courses his staff teaches, the Joint Cyber Analysis Course.


Q: What is the Joint Cyber Analysis Course (JCAC)?

A: JCAC is the introductory “A” school for Navy Occupational Specialty (NOS) B525, for what were cryptologic technician networks (CTN) Sailors. It’s roughly 6 months long, and it takes a Sailor who may have minimal exposure to computers and how computers work and brings up their baseline knowledge in terms of how networks operate.  What I really like about it is that it teaches the fundamentals of networks and computer science. I think it’s important to teach the fundamentals because that allows Sailors to really branch out to different work roles from there. All things are cyber related, but our graduates will have different work roles. This course is really the introductory level and the feeder into more advanced follow-on courses specific to the job skills that they’ll hold for their first tour in the Navy.

 

Q: What kind of student is the Navy looking for to perform the job of cyber analysis?

A: Of course a technical background, a good strong background in STEM, which is science, technology, engineering, and math, always will be beneficial.  Someone who got good grades in high school math is beneficial. Some of the intangibles are strong critical thinking skills, a level of curiosity. What we really want is people we can teach how to self-learn, people who are enthusiastic about this topic.  That way they will want to do their own research, and they want to continue along with this education. While the JCAC course is 6 months and it’s long and it’s hard, it’s really only the beginning of a significant training pipeline to develop a strong Sailor who will be valued within the cyber field.  So, critical thinking, curiosity, strong STEM background and initiative are important.

 

Q: How difficult is the course and what kind of support do instructors provide to help students succeed?

A: The course is probably the most difficult technical “A” school course that we teach at Corry Station. Approximately 22 percent of our students will academically attrite, and that’s across all services, the Navy, the Air Force, the Army, the Marines and the Coast Guard, who all attend this course. What we also see is an increased rate of attrition from our new accession Sailors, those Sailors coming straight out of boot camp, and I’ll speak to that in a second.

The instructor’s whole role is to impart this training and to try and get the students to succeed. The instructors will look to find people who are having difficulties, and they will assign them mandatory hours.  During those mandatory hours of remedial training, they will get more individualized attention to catch up on materials they might not have picked up on the first time. We hold academic review boards for students who are having issues with their tests. They’ll meet with a set of military instructors to understand if there are any hurdles that are keeping these students from achieving their academic potential and succeeding in the course. It could be they’re distracted by other duties. They’re distracted by home. They may have some personal issues, and these are things that we will want to help to address to alleviate the concerns and distractions. That way the students can focus in on the class.

Speaking of which, I mentioned that the new accession Sailors have a higher attrition rate, and I attribute that to folks who are coming out of high school. To qualify for this school, you have to have a higher than average ASVAB rating. For some of these people, they may have done well in high school, and they might not have needed to study really hard.  If they try to apply their old study habits to JCAC, it’s less likely that they will be successful.

Additionally, if you join the Navy and the recruiter offers you this NOS and this school, the awareness of what this career field does is not necessarily out there. Potentially you come to this course, and it’s the first thing the Navy offers you, and you don’t realize what a tremendous opportunity this is.  So, you don’t put forth your best effort, because you think if you don’t pass, then you’ll get another opportunity that’s just as good. 

I think for our fleet returnees, they understand how valuable this training is, what a great opportunity this is and how relevant it is to job opportunities in the Navy and outside the Navy.  They just work harder, and they’re more receptive to understanding that they’re going to have to study hard.

 

Q: How does JCAC support the development of the Cyber Mission Force?

A: JCAC is a feeder course for all of the work roles that the Cyber Mission Force will perform.  You can go on DoD’s website, and it outlines the different roles for the Cyber Mission Force.  JCAC is the introductory-level training that will support all of those work roles.  A majority of the [service members] in the Cyber Mission Force will have gone through JCAC prior to their assignment to the force. Then after they get assigned to the CMF, they will probably do continued follow-on training for their specific role and specific mission that they’ve been assigned. From JCAC, having that strong foundational knowledge in networking, in computer skills is a key enabler to success in those follow-on courses.



Q: What kind of assignments do JCAC Sailors receive upon graduation?

A: The vast majority of them will go work at a Navy Information Operations Command, or NIOC. Some of them will be part of the Cyber Mission Force. They’ll get assigned one of those work roles, and they would be administratively controlled by a NIOC. A lot of the students will also go into the traditional signals intelligence (SIGINT) mission.


Q: As a leader within the Navy’s Information Warfare community, what words of wisdom do you have regarding cybersecurity?

A: Cybersecurity really needs to be viewed as everyone’s responsibility.  We all have to remain vigilant. We all receive training, and it’s important that we take on board that training. The cyber realm and the cyber threats are evolving each and every day, so just because you went through the training last year, just because you went through training at boot camp, doesn’t mean that you shouldn’t take this training seriously.  As the threats evolve, we have to remain on top of it. It’s each individual person’s responsibility to take this seriously and to report suspicious activity.





Photo credits (in order of appearance):

1. Students in the Joint Cyber Analysis Course (JCAC) at Information Warfare Training Command Corry Station take part in an independent study session. JCAC trains enlisted personnel from all services in the skills and knowledge to perform technical network analysis in cyberspace operations. (U.S. Navy photo by Petty Officer 3rd Class Taylor L. Jackson/Released)

2. Cmdr. Christopher Eng, Commanding Officer, IWTC Corry Station

3. Airman 1st Class Susanna Murrell (left) and Airman 1st Class Nathaniel Giles, students in the Joint Cyber Analysis Course (JCAC) at Information Warfare Training Command Corry Station, take part in an independent study session. JCAC trains enlisted personnel from all services in the skills and knowledge to perform technical network analysis in cyberspace operations. (U.S. Navy photo by Petty Officer 3rd Class Taylor L. Jackson/Released)


