By Jason M. Bender
The establishment of U.S. Cyber
Command (USCYBERCOM) and Army Cyber Command (ARCYBER) in late 2010 highlighted
the necessity of understanding cyberspace as an operational domain and how to
integrate it with traditional warfighting. Two of the most candid articles in
the past six years – both published in 2015 – cite an article Small Wars Journal published for me in
2013, an article that voiced frustration by offensive cyber operations planners
regarding a disconnect between the cyber and operational communities.1
In their articles, Martha VanDriel and Natalie Vanatta further emphasize that
operations in the physical domains are heavily reliant on cyberspace and can be
easily disrupted by ignorance of cyberspace operations basics. Further, operational
staffs at all levels still need professional military education and self-study to
better understand effects that can be brought to bear in the physical domains
A number of recent articles emphasize
the need to develop expert and capable cyber operators – officer and
non-commissioned officer alike – and discuss the necessity of where, which, and
how much training is needed to do this. A recent article in Army magazine posits that many of the
officers transferring into the cyber community from the operations branches do
not understand cyber or possess any sort of operational background that might
help the cyber community. The article further comments that “[g]iven the
carryover from their legacy branches and the necessarily strong emphasis on
technical versus tactical expertise, the vast majority of junior cyber officers
are not prepared to assume such a role” without substantial preparatory
professional education. This thus presents a transitional dilemma to both the
branch and the community as these officers pass through education and training
required to get them to the point of technical and operational proficiency.3
After publishing my original
article I left the cyber operations community to be the Professor of Military
Science at the University of Cincinnati, refocusing my professional efforts to recruit,
develop, and commission Army Second Lieutenants. It did not take long to
realize that, where the military services struggle to develop cyber
understanding in their existing enlisted and commissioned ranks, an opportunity
exists to develop some of that understanding at the pre-commissioning programs
(i.e., service academies and Reserve Officer Training Corps (ROTC) programs). Rather
than aiming solely to create officers whose formal branch is Cyber, the Army
can more generally create cyber-capable, or “cyber-savvy,” officers who accede
into a variety of branches. This realization led me to reach out to friends at
the Army Cyber Institute (ACI) located at the U.S. Military Academy (USMA) to
inquire about their creation of a Cyber Leader Development Program (CLDP).4
USMA’s CLDP design provides “800-plus
hours of cyber-related education, development, and experience outside of the
traditional classroom environment.”5 In other words, USMA’s CLDP
goes above and beyond the standard academic education that West Point cadets
receive to further broaden and develop these future Army officers, and this is
done pre-commissioning. ACI’s CLDP provides
USMA cadets with opportunities to participate in cyber-related internships, to
attend cybersecurity-related symposiums and conferences, and mandates
participation in a regularly meeting “student club” equivalent that reinforces
skills and concepts learned and promotes curiosity and enthusiasm for things
cyber. On top of all of this, each USMA CLDP cadet is the recipient of targeted
mentoring by USMA faculty and ACI personnel. At accessions (i.e., branch
assignment), USMA CLDP participants are considered for Cyber, Military
Intelligence (MI), and Signal branches if that is what the cadet wishes. Just
as many choose Infantry, Armor, or Aviation irrespective of their major. The
point, however, is that regardless of what the USMA CLDP cadet branches at
commissioning, they are generally “cyber savvy” and will likely remain that way
for the remainder of their military career, whether that includes remaining in
their branch, transferring to the Cyber branch at some point, or separating
from the service.
USMA’s CLDP is matched by U.S. Army
Cadet Command (USACC) at only a handful of senior ROTC programs. At best, a
small handful of ROTC cadets are accepted annually to national cyber-related
internships managed by USACC every summer, or they might participate in
university-sponsored co-operative internships if
their major program incorporates it.6 Mentorship while on campus
is at best hit-or-miss, and based entirely on whether ROTC detachment cadre
have relevant experience in the cyber operations community. Given the mismatch
of opportunities between USMA and ROTC, it makes sense to implement CLDP at
those universities with robust cyber-related majors and better develop and
prepare ROTC cadets to integrate cyberspace operations into the operational
environment they will experience after graduation. Whether those ROTC cadets choose
to branch Cyber, MI, or Signal, or are branched Infantry or Military Police,
they will have a better understanding of cyber-related concepts than their
non-CLDP counterparts who take nothing beyond their university core or major
requirements. Despite recognition by a handful of senior ROTC program
Professors of Military Science (PMS) who implemented CLDP at their respective
universities, U.S. Army Training and Doctrine Command has yet to adopt basic cyber
education in the Basic Officer Leader Course – A (BOLC-A) curriculum.
Additionally, USACC has not implemented CLDP more widely, despite the obvious benefits
to the Army in creating cyber savvy officers.7
Challenges faced with building cyber
Army leadership struggled with the
decision to create a new Cyber branch. However, after four years of fighting among
the Army’s signal, intelligence, and operations communities, the Secretary of
the Army established Cyber as a basic branch (Operations Career Field 17) on
August 21, 2015. The branch was headquartered at Fort Gordon, Georgia at the
U.S. Army Cyber Center of Excellence, where the Cyber School resided alongside
the Signal School.
Despite the step forward in
creating the Cyber branch, the Army continues to struggle with identifying and
assigning personnel capable of operating under two masters – the cyber and
operational communities. What’s more, this problem is compounded by cyber and
maneuver personnel’s mutual lack of understanding of each other’s areas.8
At the most basic level, Army branches
are designed to fulfill the needs of the Army from the point of accession to
the point of separation and provide a steady stream of educated, experienced,
and developed branch-specific specialists. These branch specialists are assigned
at the tactical to strategic levels, to the operational to institutional parts
of the Army, and even to enterprise, joint, interagency, and multi-national settings
to bring their expertise to bear for the benefit of others. Yet it remains
difficult to “[grow] competent, confident, self-aware leaders who are prepared
for the challenges of the future in combined arms joint, interagency,
intergovernmental and multinational (JIIM) operations.”9 Doing this
requires an awareness and understanding of cyber operations and effects – which
the basic branches rarely provide, as they remain focused on addressing
Personnel assignments at both ARCYBER
and USCYBERCOM continue to be top-heavy (i.e., senior company grade, field
grade, and warrant officers, and senior non-commissioned officers). This forces
recognition of a branch structure that represents a diamond standing upright on
its tip rather than a pyramid like most Army basic branches. Where some argue
that the existing branch structure and manning meets the Army’s readiness
needs, this argument is contingent on the pyramidal basic branch structure where
far fewer lieutenant colonels are needed than majors, far fewer majors are
needed than captains, and fewer captains are needed than lieutenants. Attrition
as officers progress up the basic branch pyramid is a result of self-selection,
non-selection for promotion, or deliberate administrative separation.10
Some of this attrition will result in basic branch officers transferring to the
cyber branch, but as already mentioned, some of them simply do not have the
education or bona fides to qualify
Beginning its growth, the Cyber
Branch accessed thirty cadets – fifteen each from USMA and ROTC – over the past
three accessions cycles (Fiscal Years 2015 – FY 2017). Unlike infantry, armor
or field artillery second lieutenants who face less than six months of Basic
Officer Leader Course (BOLC-B) training before reporting to their first
operational unit, the new cyber second lieutenants face a pipeline of training
that in some cases stretches out to two years before they are considered qualified
to perform their duties at their first assignment.11 Even with that,
they will still not be the subject matter experts in offensive or defensive
cyber operations at the operational levels for many years. This unavoidable
delay in providing cyber expertise to the overall force underscores the need to
improve the basic cyber savviness of non-cyber officers.
As mentioned previously, the Army
Cyber Branch’s current structure makes it so that more captains and majors are
needed than lieutenants. Given the minimal accessions as compared to the basic
maneuver branches, it will be some time before Cyber Branch is fully capable of
meeting the Army’s needs at the upper tactical and operational levels. It may
be up to five years or longer before the Army reaches a minimum number of fully
capable personnel (i.e., trained and experienced) who can effectively apply cyber
capabilities to support field commanders’ needs, intent, and guidance. This,
more than anything else, emphasizes the need for traditional maneuver and
operational support basic branch officers to educate themselves on cyber basics
and, once identified through assessment or self-identification, transfer the
best candidates into the Cyber Branch at the captain and major ranks. It also
speaks of a need for standardized professional military education at the basic
branch schools and the Command and General Staff College to build a general understanding
of cyber operations across the force, but especially in the operations career
As important as this is, however,
something even more beneficial can be done.
Building a ROTC CLDP
Army ROTC has produced nearly seventy
percent of the Total Army’s second lieutenants over the past 100 years.13
With only half of the Cyber branch accessions over the last three fiscal years,
though, ROTC is proportionally underrepresented. This indicates that USMA
cadets have benefited from CLDP in a way that ROTC cadets – having no such
program – have not.
of CLDP, a fellow PMS and I travelled to USMA to visit ACI in early 2015 to determine
the best way to replicate CLDP at our respective university ROTC programs.14
Working with peers from ACI and the U.S. Army Cyber School, we collaborated and
designed an ROTC CLDP concept easily reproduced at any ROTC program at which
there are ROTC cadets pursuing cyber-related majors, related academic minors,
or who have purely personal interest.15 Following USMA’s CLDP
requirements, we recommended the following requirements for Army ROTC CLDP:
• Major or minor in a cyber-related
discipline (e.g., computer science, information technology, computer or
electrical engineering, systems engineering with focus on cybersecurity), or
mathematical sciences (with a focus on cryptography and discrete math);
• Cyber-related internship of at least
three weeks (e.g., at the Department of Defense, Army, intelligence community,
private or public sector organization, or national laboratory);
• Participation in an extra-curricular
cyber club or study group for two cumulative academic years (e.g., Association
for Computing Machinery’s Special Interest Group for Security, Audit and
Control (SIGSAC); Cadet Cyber Competitive Team);
• Attendance at a cybersecurity training
opportunity or conference; and
• Participation in an ACI-approved
cybersecurity capstone project or competitive event.16
We also recommended that USACC add
a CLDP coordinator – an officer from Cyber Branch Proponent – in a similar
fashion to the ROTC brigade nurse coordinators, and we identified opportunities
for the Simultaneous Membership Program (SMP) employed by ROTC with the U.S.
Army Reserve and Army National Guard. SMP cadets are paired with U.S. Army
Reserve and Army National Guard (ARNG) units and are assigned a military occupational
specialty as they pursue their commission through ROTC. The intent behind this
is to leverage the professional military education and training opportunities
in nearby MI, Signal, and Cyber units.17
Concept to Reality – University of Cincinnati Army ROTC CLDP
Putting all of this into play,
University of Cincinnati (UC) Army ROTC instituted CLDP in the spring of 2015
with eight cadets pursuing cyber-related majors and minors. Partners in this
effort included UC’s Department of Electrical Engineering and Computing Systems
(College of Engineering and Applied Science (CEAS)); School of Information
Technology (College of Education, Criminal Justice and Health Sciences (CECH));
School of Information Systems (College of Business; Department of Operations,
Business Analytics and Information Systems); and Department of Political
Science (College of Arts and Sciences). As it was, the National Security Agency
(NSA) designated UC’s Department of Electrical Engineering and Computing
Sciences in late-2014 as a Center for Academic Excellence (CAE) – Cyber
Operations, and the School of Information Technology secured the NSA
designation as CAE – Cyber Defense Education in the first half of 2016.18
Where only fourteen schools nation-wide hold both NSA designations as CAEs for
Cyber Operations and Cyber Defense Education, University of Cincinnati remains
the only university in the nation to
hold both NSA CAEs and have a resident ROTC CLDP.
In implementing CLDP at UC, the immediate
focus was to secure cyber-related internships for CLDP participants.
Fortunately, the computing sciences (CS), electrical engineering (EE), and
information technology (IT) tracks in UC’s CEAS and CECH benefit from
integrated, experienced-based learning and career education programs (i.e.,
‘co-operative’ internships), something that UC itself pioneered more than 100
years ago.19 In working to secure internships for the non-CS, -EE,
or -IT CLDP participants, we relied at first on USACC centralized summer Cadet
Professional Development and Training (CPDT) internship opportunities. In doing
this, we quickly realized that rising third-year cadets were at a disadvantage
in competing against the rising fourth-year cadets who attend Advanced Camp and
then participate in follow-on training or internships at Army units and joint
headquarters throughout the world. This led to developing relationships with
the Ohio ARNG in spring 2015 and securing the first unpaid internship for a
rising third-year CLDP cadet with the Columbus, Ohio-based Cyber Protection
Team during the summer of 2015. In 2016, three rising fourth-year CLDP cadets
were selected for the NSA’s ROTC Cyber Internship Program, while a number of
others participated in co-operative internships organized by UC’s EE/CS, IS,
and IT departments.
As the relationship between UC Army
ROTC and the Ohio ARNG Cyber Protection Team matured, the opportunity presented
itself to place three cadets with the Cyber Protection Team in an SMP status –
a first in the nation. The Ohio ARNG Cyber Protection Team commander and state
J-6 interviewed and vetted all three cadets before approving transfer from
their existing Ohio ARNG units to the Cyber Protection Team. This relationship
additionally led to professional training opportunities for two of the SMP
cadets in the summer of 2016, and opened the door for stand-by selection of
both cadets, along with a third CLDP cadet, to attend the U.S. Air Force
Institute of Technology’s Advanced Cyber Education later the same summer. In
addition to the “hands-on” experience the internships provide, UC CLDP cadets
are also encouraged to pursue part-time employment (time permitting) with local
IT or cyber-related companies. One non-scholarship CLDP cadet took a part-time job
with the IT department at Kroger’s world headquarters in Cincinnati.
Collaborating with the ACI, all
CLDP participants are added to a national distribution list overseen by ACI and
ROTC CLDP mentors. Mentors routinely send out emails that highlight training
opportunities or recent articles of interest. Cadets routinely ask questions of
and seek advice from the mentors. ACI additionally sends out a monthly
newsletter-type document that highlights recent activities in the cyber
operations community, promulgates cybersecurity tips and tidbits, and promotes
discussion between CLDP participants. ACI additionally facilitates quarterly
video teleconferences hosted by the USMA Cyber Research Center’s SIGSAC, in
which CLDP programs are able to connect, listen, watch, and participate in the
discussion.20 Lastly, to satisfy the club participation requirement,
UC CLDP cadets are encouraged to participate in UC’s Cyber Crime Cats student
club, or to join a local chapter of the Association of Computing Machinery,
National Cybersecurity Student Association, or the Military Cyber Professionals
As for the capstone project, all of
UC’s colleges that host cyber-related majors and minors have fourth-year
capstone classes that focus on synthesis of the student’s academic pursuits and
serve as the culminating demonstration and validating event. UC’s Department of
Political Science also partners with the School of IT and hosts a 5000-level Cyberattack
Red Team Collaborative Seminar that crosses traditional computer science,
IS/IT, and policy lines for a truly multidisciplinary approach to
cybersecurity. The seminar culminates with student-teams developing and testing
strategies for attack and defense scenarios in a “force-on-force” capstone to
identify weaknesses and validate multidisciplinary theories. In addition to the
university capstone options, other alternatives include local and national cyber
defense exercises regularly advertised by ARCYBER, ACI, and NSA as part of the
CLDP mentorship program, or through other local cyber-related organizations.
CLDP at UC Army ROTC today includes
several cadets with non-cyber related majors or minors and is integrating UC
Air Force ROTC cadets to grow the program further. These non-cyber and non-Army
cadets, participating out of personal interest, are embarking down their
individual path to cyber savviness. Growing to fifteen members in the fall of
2016, UC’s first four CLDP participants will graduate and commission in the
spring of 2017. Of those four, one will branch active duty Infantry, two will
branch active duty Signal Corps (with branch details to Field Artillery), and
one is expected to branch Cyber with the Ohio ARNG. With the growth of UC Army
ROTC’s CLDP to fifteen members during fall semester 2016, it is now the second
largest CLDP in the nation behind USMA – modest for sure, but aggressively
forging ahead in spite of the challenges faced.
Challenges to ROTC CLDP Sustainability
As much as was done at UC, CLDP
faces two major sustainability challenges at the university ROTC detachment
level. First and foremost is the issue of mentorship for the CLDP cadets by
ROTC detachment cadre. Where USMA is able to provide each CLDP cadet with a
specific mentor – some mentors cover two or three USMA CLDP cadets – the ROTC
detachment cadre cannot in most cases mentor CLDP cadets unless the cadre
member has cyber experience in their background, and most do not.
In those ROTC detachments that do
have a cyber savvy cadre member – most times one officer – that officer will
mentor five or ten, or possibly fifteen CLDP cadets in addition to his or her normal
mentorship responsibilities as a Military Science and Leadership instructor for
an entire year-group cohort of cadets. In the case where the mentor happens to
be the PMS – whose purview includes the entire cadet battalion – the mentor-mentee
ratio becomes even more lopsided. Further complicating this is that it is
highly unlikely that Cyber Branch officers will be assigned as Assistant PMS or
PMS in the foreseeable future due to the nascent nature of the branch and its
Reassignment of ROTC cadre who
provide CLDP mentorship further complicates things, when those reassignments
are unanticipated and come as a result of promotion, selection for professional
schooling, or retirement. In many cases, the only requirement for selection for
assignment to an ROTC detachment, other than university requirements on
advanced education or specific military occupational skill designations, is
combat experience. In ROTC detachments where no mentorship exists due to a
total lack of cadre cyber experience, CLDP is unlikely to flourish. Similarly,
ROTC cadre with experience in cyber operations who successfully stand up a CLDP
program at their university may see it crumble after reassignment when their
replacement has no cyber experience, education, or understanding.
The second challenge is funding –
USACC provides no funding whatsoever for CLDP and securing funding falls in the
lap of the ROTC detachment PMS or Assistant PMS serving as the CLDP mentor. At
schools with large, well-developed ROTC alumni programs and funds, funding is
far less of an issue than at those schools lacking well-developed alumni
programs, or where foundational or alumni fund income is nothing more than a
trickle. UC Army ROTC finds itself in this latter category, and finding
alternative sources of income becomes tricky due to the amount of time needed
to network and investigate funding sources. In light of this, continuing to
develop and maintain relationships with the colleges and the university IT
sections becomes a critical path to gaining equipment needed to facilitate CLDP
While visiting the UC CLDP in
spring 2016, the U.S. Army Cyber School Commandant commented on the Cyber
School’s inability to promote and support ROTC CLDP programs, and he
recommended that CLDP cadets and mentors adhere to a ‘grass roots’ mentality in
seeking and securing funding and equipment from the local communities. While
this encourages an innovative and creative mindset, ROTC cadets are first and
foremost pursuing a university degree in order to commission. Requirements to
self-fund or self-build a CLDP program, on top of all of the cadet’s other ROTC,
academic, and professional development requirements, can overwhelm cadets in
much the same way as cadets who overextend
themselves with Ranger Challenge, Pershing Rifles, cadet battalion leadership
and administration, or other extracurricular activities (e.g.,
fraternities/sororities, student government, club sports).
The original intent of USMA CLDP
was to be a pilot program that ultimately expanded to ROTC.22 In
only a handful of cases did this happen, and then only when championed by an
ROTC detachment cadre member with knowledge of CLDP and awareness of resources
and requirements at the university level. After the ACI visit in the spring of
2015, we wrote an information paper detailing how to implement CLDP at
university ROTC detachments and recommended how to make it sustainable. USACC
convened a planning session at Fort Knox, Kentucky in late September 2015 to
assess the concept, and a team composed of members of USACC G3, ACI, NSA, and
UC Army ROTC made the same recommendations to the commanding general. That
concept was later assigned to USACC’s 6th ROTC Brigade for further
development, but as of the time of this article’s publication nothing else appears
to have come of the effort.
It is worth commenting, as a final
aside, that while every Army ROTC cadet is required to take an American
military history course, no such requirement exists for them to take any sort
of computer science course or cyber policy-related course (e.g., political
science) – if they are even offered at the university.23 If we are
truly trying to create “cyber savvy” leaders, priming them in the
pre-commissioning phase is optimal. What better place to incorporate cyber
operations awareness and basic understanding than through the BOLC-A
pre-commissioning ROTC curriculum to ensure one hundred percent “touch and
coverage” for all ROTC cadets? If nothing else, it is a step in the right
direction in creating “cyber savvy” officers.
If CLDP is implemented, supported,
and sustained in a more formal manner than just “grass-roots,” realizing the “cyber
savvy” leader as a product of Army ROTC at the point of commissioning is a
realistic goal. Unless ROTC cadre with the necessary cyber experience are
assigned, and funding is provided by the university or USACC, CLDP at ROTC
detachments will quickly become unsustainable. Here too, an opportunity exists
for both Cyber Branch and USACC to institute a top-down mentor program at Cadet
Command, or its subordinate brigades, similar to the already existing Nurse
Counselor program where Army Nurses are assigned at the ROTC Brigades to mentor
and track the progress of ROTC nursing cadets at the university levels.24
While opportunities exist, if CLDP is not formally supported and sustained, it
will remain nothing more than an abstract concept or temporary local
Cyber Branch seeks to create “competent professionals who… earn the trust of
leaders from other operational branches,” the Army, and specifically USACC,
need to focus on pre-commissioning requirements as the best place to create cyber-capable
officers. Creating CLDP at ROTC detachments with robust cyber-related academic
programs is the first step and is a “win-win” situation. Implementing CLDP needs
to be quickly followed with adoption and integration of basic cyber education into
all levels of the ROTC BOLC-A pre-commissioning curriculum and Cadet Summer
Training, as USMA is already beginning to do.25 Given that the
predominance of second lieutenant production over the past century belongs to
USACC, this puts USACC and ROTC
detachments in a unique position to greatly affect the foundational cyber
knowledge of future generations of officers – especially those who branch other
than Cyber – and thus influence the Army’s long-term institutional knowledge and
intellectual culture for decades.
About the author: Lieutenant
Colonel Jason M. Bender is the Head of the Department of Military Science and
Professor of Military Science for the Army Reserve Officers’ Training Corps
(ROTC) detachment at the University of Cincinnati. A Regular Army field
artillery officer, Lt. Col. Bender served at all levels from tactical to
strategic, and most recently served with U.S. Army Cyber Command (ARCYBER)/2nd
Army as ARCYBER’s first Chief of Fires and U.S. Cyber Command J35 Offensive
Cyber Operations Planner; and later as an ARCYBER/2nd Army G5
Strategy and Policy Planner. He holds a bachelor’s degree in mathematics from
Oregon State University; master’s degrees from Troy University and the U.S.
Army School of Advanced Military Studies; and is a graduate of the U.S. Army
Command and General Staff College. He is also a recipient of the Armed Forces Communications and Electronics Association's Order of Saint Isidore and the
U.S. Field Artillery Association’s Honorable Order of Saint Barbara.
Disclaimer: The views and
opinions expressed here are expressly those of the author and do not reflect
the official policy or position of any organization of the U.S. Department of
Defense or University of Cincinnati.
1. Jason Bender, “The Cyberspace Operations Planner,” Small Wars Journal, 05 November 2013, http://smallwarsjournal.com/jrnl/art/the-cyberspace-operations-planner. Coincidentally, I didn’t discover until drafting
this article how many times my original article was cited since Small Wars
Journal published it almost three years ago. The realization that others see
value in what you’ve said and consider it worth repeating is humbling.
2. Martha S.H. VanDriel (Colonel, USA), “Bridging the Planning Gap:
Incorporating Cyberspace into Operational Planning,” 04 May 2015,
http://www.strategicstudiesinstitute.army.mil/index.cfm/articles/Bridging-the-planning-gap/2015/05/04; and Natalie Vanatta (Major, USA), “A Year of Cyber
Professional Development,” 23 January 2015, http://www.cyberdefensereview.org/2015/01/23/professional-development/.
3. Justin Considine (Lt. Col., U.S. Army) and Blake Rhoades (Capt.,
U.S. Army), “How to Grow a Capable Cyber Officer,” Army, January 2017: 19-21; see also Scott R. Gourley, “Closing the
Capabilities Gap: Seven Things the Army Needs for a Winning Future,” Army, February 2017: 36-41.
4. ACI facilitated the
implementation of CLDP with the intent of providing cadets “who are interested
in cyber security studies… [an opportunity to] enhance their education with a
wide range of broadening opportunities… as well as mentorship to guide them in
their development within the field of cyber security.” United States Military
Academy, “Memorandum for Record: Cyber Leader Development Program in the Army
Cyber Center, USMA.” West Point, NY: USMA. 09 October 2013.
6. USACC’s centralized, annual summer internships normally include
opportunities at USCYBERCOM, National Security Agency (NSA), U.S. Army
Intelligence and Security Command, and the Army’s 1st Information Operations
Command and opportunities to attend the U.S. Air Force Institute of
Technology’s (AFIT) Advanced Cyber Education (ACE).
7. Army pre-commissioning leader development programs (i.e., USMA and
senior ROTC) are designated by U.S. Army Training and Doctrine Command as
BOLC-A. See U.S. Army Training and Doctrine Command, TRADOC Regulation 35-36 Basic Officer Leader Training Policies and
Administration, Fort Eustis, VA: TRADOC, 01 September 2015; http://www.tradoc.army.mil/tpubs/regs/TR350-36.pdf.
8. Considine and Rhoades, “How to Grow a Capable Cyber Officer”; and
Bender, “The Cyberspace Operations Planner”.
9. Department of the Army, DA
Pamphlet 600-3 Commissioned Officer Professional Development and Career
Management, Washington, D.C.: Department of the Army, 01 February 2010: 2; http://www.apd.army.mil/Search/ePubsSearch/ePubsSearchForm.aspx?x=PAM.
10. Candice Frost (Lieutenant Colonel, USA), “Ignorance and Arrogance:
Misunderstanding the Officer Personnel Management System,” Military Review (Spotlight Article), 05 January 2015;
11. Cyber BOLC-B is thirty-seven weeks long, nearly twice the longest
comparable basic branch BOLC-B. Length of follow-on post-BOLC training is
dependent on the cyber officer’s first assignments (i.e., National Mission
Forces, tactical unit Cyber and Electromagnetic Activities (CEMA) Element,
etc.). Laura Levering, “Army Cyber School marks major milestone,” Army.mil, 17 August 2015;
12. See DA Pamphlet 600-3, Part
II, which includes branch descriptions and requirements for Infantry, Armor,
Aviation, Field Artillery, Air Defense Artillery, Engineers, Military Police,
Special Operations, Psychological Operations, and Civil Affairs branches and
the Information Operations functional area.
13. C. Todd Lopez, “ROTC has minted over 1,000,000 new lieutenants
during its 100 year history,” 05 June 2016;
14. USACC oversees 275 Army Senior ROTC programs at more than 1100
universities and colleges across the United States and its territories, the
majority of which have some type of cyber-related academic major or minor.
“Army Reserve Officer Training Corps,” STAND-TO!,
02 December 2015; https://www.army.mil/standto/archive_2015-12-02.
15. Lt. Col. James Scrogin, PMS at Purdue University Army ROTC; ACI’s
Lt. Col. David Raymond and Lt. Col. (then-Major) James Finocchario; and Lt. Col.
Robert Johnson, Assistant Commandant at the U.S. Army Cyber School.
16. Jason Bender, James Scrogin, David Raymond, Robert Johnson, Tim
Groves, and James Finocchario, “INFORMATION PAPER: Establishing a Cyber Leader
Development Program (CLDP) in United States Army Cadet Command (USACC) Senior
Reserve Officers’ Training Corps (SROTC) Programs”, 05 May 2015.
17. Bender et al., “INFO PAPER: Establishing CLDP at USACC SROTC
Programs”; see also Department of the Army, Army
Regulation 145-1 Senior Reserve Officers’ Training Corps Program: Organization,
Administration, and Training, Washington, D.C.: Department of the Army, 22
July 1996: Chapter 3; Department of the Army, Army Regulation Regular Army
and Reserve Components Enlistment Program, Washington, D.C.: Department of the Army, 31 August
2016: Chapter 6; and Department of the Army, National Guard Regulation 600-100 Commissioned Officers: Federal
Recognition and Related Personnel Actions, Washington, D.C.: Department of
the Army, 15 April 1994: Chapter 13.
18. See “National Center of Academic Excellence in Cyber Operations:
Mission and Purpose,” http://ceas.uc.edu/cyberops/mission.html; and “UC Becomes Leader in Cybersecurity Education,” http://cech.uc.edu/headlines/2016/it-nsa-cae-designation.html.
19. “Experienced-Based Learning & Career Education,” https://www.uc.edu/careereducation.html. See also Mary Niehaus, “University of Cincinnati
Co-op: 100 years of success,” December 2005, http://magazine.uc.edu/issues/1205/success1.html; and Troy Onink, “College Co-Op Pioneer is Still
Leading the Charge after 100 Years,” Forbes,
27 February 2012;
20. See “SIGSAC – ‘Special Interest Group for Security, Audit and
http://www.usma.edu/crc/sitepages/sigsac.aspx. Sponsored by USMA’s Department of Electrical
Engineering and Computer Science, SIGSAC is an academic club focused on
developing leadership applicable to the cyber domain through knowledge sharing
and cultivation of technical skill sets.
21. See Cyber Crime Cats, https://www.facebook.com/groups/cybercrimecats/ and
https://twitter.com/cybercrimecats; Association for Computing Machinery, https://www.acm.org/; National Cybersecurity Student Association, http://www.cyberstudents.org/; and The Military Cyber Professionals Association, https://www.milcyber.org/.
22. USMA, “Memo: CLDP in the Army Cyber Center”.
23. U.S. Army Training and Doctrine Command, TRADOC Regulation 350-13 Instruction in Military History, Fort
Eustis, VA: TRADOC, 05 March 2010: 14; see also U.S. Army Cadet Command
(USACC), Cadet Command Regulation 145-3
Army Senior Reserve Officers’ Corps (SROTC) Basic Officer Leader Course – A
(BOLC-A) – On-campus Training and Leader Development, Fort Knox, KY: USACC,
20 September 2011: 7. If the university
or college does not have an American military history course, the ROTC
detachment cadre is required to teach it to the cadets every semester.
24. Bender et al.,
“INFO PAPER: Establishing CLDP at USACC SROTC Programs”.
25. Considine and Rhoades, “How to Grow a Capable Cyber Officer.” See
also Matt Hutchison, Erick Waage, and Brent Chapman, “We Took West Point Cadets
to (Cyber) War,” War on the Rocks, 21
June 2016; https://warontherocks.com/2016/06/we-took-west-point-cadets-to-cyber-war/.
Photo credits (in order of appearance):
U.S. Army ROTC
U.S. Army / Chuck Burden
U.S. Army / Bill Roche
By Paul L. Jordan
A car travelling through a two-lane tunnel has lost control of its brakes due to
a mechanical failure. In the lane ahead, a road construction crew is making
repairs. The software that drives the car faces a choice: continue straight
ahead, almost certainly killing the construction workers, or change lanes
causing a head-on collision and almost certainly killing the two drivers of the
vehicles involved in the accident. This is an adaptation of the classic ethical
thought experiment: the trolley problem. This
problem presents several ethical concerns with regard to autonomous vehicles,
but how does cybersecurity affect this landscape? The answer? Nobody cares.
As our military
cyber community is acutely aware, neither industry nor society will slow down
for security. In this case, industry is showing us that it is incapable of even
slowing down for tough ethical dilemmas or drastic economic consequences, but
for arguably good reasons. According to the CDC, in 2014, approximately 35
thousand people died in motor vehicle accidents in the United States.1
Further, according to a 2015 report from the National Highway Traffic Safety
Administration, 94% of automobile accidents were caused by human error.2
In a May 2015 report, Google announced that it had logged over 1.8 million miles driven by their autonomous cars with only
two minor incidents, both of which were caused by other vehicles with human
drivers.3 Incidentally, if all automobiles were automated overnight,
roughly 33 thousand lives could be saved each year!
This progress has potentially massive economic impacts. According to a 2016
report by the Bureau of Labor and Statistics, transportation makes up roughly
5% of our labor force.4 Furthermore,
the second- and third-order effects aren’t insignificant. According to the
American Truckers Association, there are approximately 3.5
million truck drivers employed in the United States.5 Automating
transportation won’t only affect those jobs, but also all of the hotels,
restaurants, and convenience centers that these truckers use every day. Should
these impacts slow down the potential benefits of automating vehicles? They
don’t seem to be.
And there are
serious cybersecurity concerns about automating transportation as well. In
2015, researchers were able to take control of a Jeep Cherokee through the
internet.6 Just recently, a group
of Chinese researchers were able to remotely control the brakes of a Tesla
Model S.7 Hacks like this could
have life-threatening consequences if not handled properly. But should these
consequences slow the progression of technology that stands to save tens of
thousands of lives each year? Fortunately, in recent years, it seems the
sentiment is changing. Security is being talked about on major news outlets,
and security is being considered in system design processes instead of after
deployment. However, this is just a first step in the right direction.
travel is no longer a technical problem. Companies like Google and Tesla are
racing toward an autonomous consumer vehicle, and a few commercial vehicles
already exist. In recent years, it has become clear that computers will make
better drivers than humans, and an enormous amount of money stands to be made
by the company that does it first. As a result, there exist ethical and
financial imperatives to automate transportation. To that end, many of the
concerns that exist are being ignored. But the cybersecurity community cannot
allow this to prevent us from working toward a secure autonomous vehicle. We
all know the narrative: brand new shiny toy is introduced that makes everyone’s
life easier; that shiny toy comes with security concerns; our recommendation is
to hold off on implementing the new toy until we can secure it; our concerns
are heard, but ignored; we throw our hands in the air and give up. That cannot be
allowed to happen this time, especially in the realm of military hardware.
Now more than
ever, we need to stay engaged in this effort. We must develop and innovate ways
of securing this nascent autonomous revolution. Advances in automating military
weapon systems are being pursued and made every day. Our role in securing those
systems is more important than ever. We’re already seeing our military become
increasingly dependent upon remotely piloted aircraft. Today, these systems are
remotely piloted by humans and have limited autonomous capability, and they’re
already the target of cyber-attack. From an operational perspective, these
systems would ideally behave with complete autonomy. Unfortunately, this change
would make them an even more valuable target for cyber-attack. Without the
proper protection, these systems could be used against us.
But does this
mean that complete autonomy should not be pursued? Again, the answer is that it
does not matter. This technology will continue to be pursued because the end
result is savings and efficiency in a period of time during which our senior
leaders are looking for any such opportunity.
Some critics of
autonomy argue that some tasks are just too complex for computers to handle. They argue that a computer could never
identify a target and deploy ordnance to neutralize that target because that
task is too complex. (Before the industrial revolution, factory workers
probably shared this same sentiment about many of the tasks they performed.)
But at the cutting edge, some of the artificial neural networks are performing
far better than expected.8 For instance, accurately identifying
objects in images is rapidly becoming a trivial task for intelligent systems.
Why couldn’t these same systems be used to identify and target known
combatants? Eventually, these systems will be able to target and neutralize
threats much better than we can today while reducing unnecessary or unintended
casualties. As such, we have a moral obligation to pursue them and, arguably
more importantly, secure them.
Ultimately, given the importance and
relative similarity of artificial intelligence (AI) to the cybersecurity
profession, we must ensure we understand the technical capabilities and
limitations of AI so that we can contribute in a meaningful way to discussions
on it. People are looking to us to be experts in these types of systems, and
more specifically, the security of these systems. Let’s focus on getting this
right so we can be known as the community that was part of the solution,
instead of the community that let Skynet happen because we thought it never
About the Author
Paul Jordan is the founder of the St. Louis chapter
of the Military Cyber Professionals Association (MCPA), and the current chief of
MCPA Chapter Operations. He holds an MS in Computer Science from the Air
Force Institute of Technology (AFIT) and currently works as a cyberspace
operations officer for the Air Force.
J. Thomson, “Double effect, triple
effect and the trolley problem: Squaring the circle in looping cases,” Yale Law Journal, vol. 94, no. 6,
pp. 1395–1415, 1985.
Photo credits (in order of appearance): Google, dronewars.net
By Adam Tyra, Contributing Editor
Government and military cybersecurity professionals have felt the pull of the
private sector in recent years. According to industry observers at
Cybersecurity Ventures, the shortfall of available cybersecurity professionals
compared to the number of available cybersecurity jobs worldwide is expected to
reach 1.5 million by 2019.1 The cybersecurity labor market, as with
other markets, responds to the law of supply and demand. This means
professionals can expect strong salaries and low unemployment for the
foreseeable future. Cybersecurity professionals working in the public space
have never been faced with a greater variety of opportunities than they have
right now, and many of this magazine’s readers are undoubtedly considering a
career change in the near future.
While the opportunities are undeniable, your readiness to capitalize on them might
not be. The military has been described as a “culture within a culture” in the
ways that it simultaneously mirrors and diverges significantly from American
civilian life. This will never be more apparent to you than while you’re
searching for your first position after the military. While I have insights to
share from my own experience making the transition and building my career, I
have another set of experiences that I’d like to share: interviewing and
evaluating candidates just like you. In the past three years, I have conducted
in-person interviews for well over 100 cybersecurity professionals, mostly
veterans, and I have also conducted resume reviews and phone screens for more
than 500 additional professionals. I gained this experience while helping build
the team at the world’s second largest cybersecurity consulting firm. This
article will discuss a few of the things that I learned and hopefully prepare a
few readers for success when they decide to make their own transition.
Unless you are referred by an acquaintance or get spotted at a career fair, your first
contact with a potential employer will likely occur online after submitting
your resume. Gone are the days of snail mailing your resume on high quality
paper directly to a hiring manager. Instead, you’ll need to attract a
computer’s attention first. Indeed, a human will probably never see your resume
unless it contains one or more keywords associated with an open position.
Potential search terms include certification names, security tool names, skills
such as “reverse engineering”, and previous job titles. If it was in the job
description, it needs to be in your resume.
Once you get to the human review phase, brevity is key. You want all killer and no
filler. Plan on one page per four years of experience and no more than two
pages total. Why? How many eight-year-old technologies / skills are still
relevant to you in your current job? If you think two pages isn’t enough space,
carefully read what you wrote. Is it all killer with no filler? No? Slim it
down. Reading other people’s resumes is neither interesting nor a treasure
hunt. If a recruiter needs more than ten seconds to decide whether someone is
worth a phone conversation, then the answer is probably no.
What should you put in your two-page resume to make it all killer? First and
foremost, you need to make it about the employer and not about you. There is only one reason to hire
anyone ever – a belief that the person in question will help solve a problem. If you’re wondering what
problems businesses need solved, just read the descriptions for the jobs that
they have available. Most job seekers have heard that they should tailor their
resume to the job they want, but service members have a terrible track record
actioning this advice. For example, here are a few things that you should not
include in your civilian resume: combat experience, training courses dealing
with combat skills, words like “terrorism”, “war”, “deployment”, a listing of
military awards earned (more on this in a moment), a listing of the dollar
values of property owned in various roles, and military jargon of any type.
Keep in mind that, statistically speaking, the person reading your resume almost
certainly has never served in the military. They will have great difficulty
making the mental leap between “person who was successful in battle” and
“person who will get the job done for me.” In some cases, you might even
intimidate the person and you will definitely cause doubts about your cultural
fit – and maybe even your mental
stability (really). Awards present a similar challenge. Your resume doesn’t
include any information about what you did to get them, so a hiring manager
doesn’t know how to value them.
Instead of using up valuable real estate talking about the counterinsurgency school you
attended, list the college courses you took where you learned programming and
network engineering. Don’t say that you’re an expert on “WIN-T”, say that
you’re an expert on satellite communications. Instead of discussing “DIACAP”,
explain that you have experience with cybersecurity compliance and governance.
If you aren’t sure how to describe your skills, get help, because resume
writing is a no-fail portion of the job hunt.
You need to civilianize job
titles. This is easier said than done, though, because commonly used job titles
mean different things in different companies. A director might be a senior
leader in one place and a first line supervisor at another. Regardless of the
exact titles you select as equivalents to your military job, you should convey
progression, a steady increase in responsibilities over time, and rough
equivalence. Here are a few examples. Mix them with functional areas as
necessary (e.g. malware analysis shift supervisor, etc.).
Security Analyst. You routinely put your hands
on the keyboard and work with tools to get your job done. You might be a
penetration tester or conduct security monitoring. 0-2 years of experience.
Team Lead / Shift Supervisor. You have several
analysts working for you to perform a specific function like incident response.
Most of your day still consists of analyst work. 2-5 years of experience.
Manager. The individuals who report to you have
people who report to them as well. You’re involved with interviewing and hiring
entry-level personnel. Managing consumes the majority of your workday, and your
opportunities to use your technical skills are declining. 5-8 years of
Director. You’re responsible for an entire
department, facility, or a sizable team. You are responsible for a budget that
you spend according to an approved plan. You’re involved with interviewing and
hiring supervisors and managers. Management consumes your entire workday, and
you only deploy your technical skills to conceptualize solutions. 8-12 years of
Executive. Your decisions affect the entire
organization, and you have the ability to set strategic direction for large
parts of the enterprise. You have a budget that you spend on your own
authority. You may hire and fire employees on your own authority. You make
procurement decisions on your own authority. You rarely do anything now that
your entry-level or junior management self would have recognized as work. Overseeing
and approving the work of others now consumes your entire workday.
Be careful not to appropriate prestigious titles as equivalents unless you’re sure
that they’re a good fit. I have seen multiple resumes of senior O3 and junior
O4 officers who identified themselves as the “CISO” of their unit. Unless you
were involved in hiring and firing employees, setting strategy, conducting
procurement, budgeting, etc., you were not the equivalent of a C-level
anything. This type of title inflation sounds as absurd to a civilian hiring
manager as your friend who is a help desk manager would sound to you if he told
you he was, “basically equivalent to a General.”
You’ve gotten an interview. Nice work. Remember that the labor market for
cybersecurity skills is strong, and your skills are in demand. While the
employer is learning about you, be sure you’re learning everything that you
need to know about them as well. Think of job interviews like dates. You
definitely don’t want to marry everyone that you date, so you need to quickly
determine whether a position is worth pursuing to avoid wasting your time (and
theirs). Here are a few other tidbits to help you make the right match.
Don’t be too agreeable. Playing the good Soldier by affirming your willingness to
undergo any hardship is not the right play at this point. You need to get what
you want, and not just be what the employer wants. In my current career, travel
is a significant requirement. We typically inform candidates that they will be
required to travel up to 80% of the time and verify that this won’t be a
problem. For candidates that indicate that they can’t (or don’t want to)
travel, the interview ends pretty much immediately. This is better for both
sides. Remember, the company has to fit your culture just as you have to fit
theirs. Talking your way into a position you’ll hate and eventually quit only
means stress for you and significant disruption for the employer. So, if you
think that something about the position isn’t right, say so and look elsewhere.
Don’t talk about or around classified information. In fact, don’t mention or allude
to it at all. I’ve interviewed multiple candidates who claimed that they were
with the NSA, CIA, TAO, Delta, the Space Marines, etc. but couldn’t reveal any
details about the work that would support my decision about them. If, at any
point, you are forced to deflect a question about your background with the
claim that, “It’s classified,” you will definitely irritate most interviewers.
If you have relevant experiences that are sensitive, leverage your respective
organization’s resume review process to make sure that you understand where the
lines are. Then, figure out what you can say that’s both meaningful and
acceptable. If you can’t do this, then don’t waste the space on your resume or
the interviewer’s time.
Be honest with the employer (and yourself) about the nature of your skills.
Remember that your organization (unit, agency, etc.) wasn’t your role. Making
coffee at CIA headquarters doesn’t make you a Clandestine Service member any
more than making briefing slides at Cyber Command makes you an elite super
hacker. Many service members lose sight of this, and some overestimate their
own level of expertise because of it. I’ve seen former watch officers, shift
supervisors, and staff members from various impressive-sounding organizations
fail technical phone screens, because they equated talking the talk of
cybersecurity with walking the walk. Think about the top three tools that you
use in your daily work. Are they Word, PowerPoint, and Excel? If so, you
probably aren’t suited for an engineering role. Similarly, if the list includes
IDA Pro, gcc, and gdb, then you shouldn’t go after a sales manager position.
getting a written offer. Congratulations! Compensation is one of the main
reasons why cybersecurity professionals decide to make career changes, and it
will probably be among your primary selection criteria when you evaluate
opportunities. It’s true that there is usually a significant pay gap between
what you’re currently getting as a government employee and what the civilian
equivalent for your position can command in the job market. According to CIO
magazine, the average salary earned by a cybersecurity worker in the United
States in 2013 was $116,000.2 However, you need to calibrate your
expectations before beginning your job search to ensure that you’re prepared to
negotiate compensation effectively. The following are a few points you should
You should have some idea what a job pays before applying. Research the average pay
for a role before submitting your resume. My favorite source for this type of
data is glassdoor.com. For large companies, you can find a wealth of
information on the average salary and bonus structure for a range of positions
offered by your employers of choice. You can also search by city to see, for
example, what an average cybersecurity manager makes in Fresno, California if
you’re evaluating an offer from a nearby company that isn’t well represented in
While you should expect a healthy bump in pay when you make the transition, don’t
become overwhelmed by a feeling of entitlement. Remember that the single most
important factor in salary determinations is time. More professional experience
generally commands a higher salary, while other factors generally don’t. For
example, if the role requires a bachelor’s degree, while you have a graduate
degree, don’t expect this to automatically translate to a higher salary.
When comparing offers, mind the differences between jobs. Roles that pay
significantly more than other similar opportunities usually require something
unpleasant from you. This unpleasant thing could be relocation to an
undesirable place (deployment, maybe?) or extensive travel in general. It could
also include persistent required overtime. Requirements like these may or may
not change your mind about whether these jobs are worthwhile opportunities. Even
if they still seem worthwhile, remember that this effect on quality-of-life should
be a consideration in compensation negotiations. Be sure you also consider the
cost of living where the job is located: $100k in San Antonio, Texas goes a lot
further than $100k in San Francisco, California. Also remember the importance
of advancement opportunities, and training and education support.
Continuing Your Service
As you transition into the private sector, an important parallel consideration is
how you can continue your service in the government/military cybersecurity
community on a part-time basis. While many uniformed personnel will transition
to one of the reserve components to continue their military service, there are
also other opportunities to stay involved through organizations such as the
Military Cyber Professionals Association (MCPA). Each has its advantages and
disadvantages. As a reservist you can continue to advance your skills through
the rapidly expanding catalog of military cyber training courses. Military
service also exposes you to situations and experiences that you’ll never find
in the private sector, and you get a paycheck of course.
Remember that the days of “one weekend a month and two weeks in the summer” were left
behind at the end of the 20th century, however. Much more will
likely be expected of you as the military works to expand both its active and
reserve cyber forces in the coming years. If you aren’t sure whether or not
this is for you, try it out for a few months. Even if you eventually discover
that the part-time military life doesn’t work for your situation, your reserve
unit will serve as a type of transition support group while you adjust. At the
very least, you’ll have a captive audience with whom to share your great war
stories long after your significant other has grown tired of hearing them.
If continued military service isn’t for you, you can also expand your involvement
in volunteer organizations like the MCPA. Volunteers willing to work are always
in short supply for every non-profit organization, and the MCPA is no
different. There are always leadership positions available from the local to
the national level, including national officer roles. If you’ve always wanted
to increase your involvement in the MCPA but didn’t have time, consider this
both a reminder and a renewed invitation.
While this article focused on the transition itself, I have a few comments on
preparation for those who might be a few years out from a transition. First,
make sure that you have the right credentials for the jobs you want.
Specifically, get certified and get educated. Many talented cybersecurity
professionals feel that certifications and diplomas are mere “pieces of paper”
that don’t actually prove that a person has skills. Maybe. But they’re also
table stakes for most jobs. Think of these credentials as though they’re a
driver’s license. Even if you’re a phenomenal driver, you’ll still be required
to possess a license in order to drive legally. Get this out of the way, while
the government is willing to pay for it on your behalf.
Network as much as you can. I have been continuously surprised and dismayed by
service members’ disinterest in or downright unwillingness to network with
their civilian counterparts. In this respect, college students who have no
professional experience vastly outclass veterans when it comes to job hunting.
You won’t be working for the government forever, and it pays to have friends to
call on when you’re ready to move. You never know who will be able to refer you
or vouch for you or who will be in a position to hire you outright. And, even
if your friends don’t refer you, you could still find yourself in a position to
refer them. Every company that I’ve worked for since leaving active duty paid
referral bonuses, and some roles carried bonuses as high as $10k.
Cybersecurity professionals today couldn’t hope for better career prospects than they’ll see
for at least the next decade. Finding a position somewhere is almost a foregone
conclusion for most cyber defenders leaving government service, but maximizing
your outcomes after a transition takes a bit of work. By sharpening your
resume, maximizing your interview skills, and ensuring you’re prepared to
negotiate compensation, you’ll ensure that you’re prepared to capitalize on
your skills when you decide to make the move.
About the Author
Contributing Editor Adam Tyra is a cybersecurity professional with expertise in security
operations, security software development, and mobile device security. He is
currently employed as a cybersecurity consultant. Adam served in the U.S. Army
and continues to serve part-time as an Army reservist. He is an active member
of the Military Cyber Professionals Association and is a former president of
the San Antonio, Texas chapter.
Photo credits (in order of appearance): military.com, LinkedIn, Investopedia, ClipartBro.com, Breaking Defense
Robert Morgus is a
policy analyst and Dan Ward a cybersecurity fellow for New
America’s Cybersecurity Initiative. They’re also the authors of the informative
(and entertaining) Professor Cy
Burr’s Graphic Guide to International Cyber Norms. They agreed to sit down with Cyber Editor-in-Chief Michael Lenart to
discuss their graphic guide as well as the major issues associated with
developing international cyber norms.
Q: As you do in the International Cyber Norms graphic guide, let’s start
with the basics: What do we mean when we talk about “international cyber norms,”
and how are they developed?
Dan: Norms are the informal,
unofficial standards of behavior that guide the way people and nations
interact. They get formed in several different ways – sometimes they emerge
organically, other times they are developed strategically and deliberately.
There’s a whole adoption process that we outline in the comic.
Robert: Dan is spot on. In this
case, norm is short for normative behavior. In the most basic sense, a norm is
a description of existing behavior. However, in the international cybersecurity
context we’ve seen the emergence of two different types of norms: actual
norms—which are a description of actual behavior—and aspirational norms—which
describe ideal behavior.
Q: Along with norms, the graphic guide identifies coercion and treaties
as the other means by which states can limit destructive behavior. What is the
relationship among norms, coercion, and treaties – especially in a cyber
Dan: They all intersect and
overlap a bit. For example, using treaties instead of coercion (or vice versa)
can be a norm. The types of coercion or retaliation a country chooses to engage
in are largely determined by norms.
Q: Did treaties and/or coercion contribute to the development of the
Obama-Xi pact, i.e., China’s acceptance of a norm against industrial espionage?
Or is there a better real-world example of the linkage among norms, treaties,
Robert: Coercion and international
law (treaties) most certainly played a role in the development of the Obama-Xi
pact. People close to the indictments of five People’s Liberation Army hackers
in the Western District of Pennsylvania would suggest to you that those
indictments, a form of coercion, were more or less responsible for bringing Xi
to the table. The legal side of this particular case study is complicated.
There are international institutions like the World Trade Organization and various trade pacts (like
the Trans-Pacific Partnership and Transatlantic Trade and Investment Partnership) that could provide the victim of economic espionage with a
legal platform to seek some form of remuneration. However, there is no
universal international law that directly addresses the issue of economic
Q: With regard to how one defines “cybersecurity,” you discuss major
philosophical differences between two camps, roughly divided between western
liberal democracies in one camp and Russia, China, and various other
non-western states in the other. Can you describe these philosophical
differences about cybersecurity and, broadly speaking, the political efforts
each camp has undertaken to advance their particular perspective?
Robert: For the last decade, the
diplomatic policy of much of the west has been to treat cybersecurity and
information security as two separate issues. This means that when the US
engages other camps on cybersecurity norms, the discourse has been limited to
discussions on norms for engagement around attacks on physical infrastructure
and what the US calls computer network operations. However, in other parts of
the world, like Russia and China, cybersecurity and information security are
deeply interwoven. Thus, a codification of national sovereignty over a given
state’s cyberspace—which refers to information and communications technology
(ICT) infrastructure, but not the content on it—has been met with a call for national
sovereignty over information space—a thinly veiled attempt to allow states to
control the internet and communications content that flows over their ICT
infrastructure. The U.S. and rest of the west have been hesitant to engage on
these topics as part of their diplomatic strategy. However, given the attention
paid to the alleged Russian information operation around the U.S. election, it
may be time for the west to reconsider this staunch separation.
Q: In two of Robert’s recent articles, he refers to statements by NSA and Cyber Command Chief Admiral Mike
Rogers about a "series of ongoing conversations" the U.S. is having
with other states on developing cyber norms. What can you tell us about these
Admiral Rogers is right to point to ongoing conversations the U.S. is having
with other states. We engage at the multilateral and bilateral level with the
likes of our partners in Europe, as well as some nations that are seen as more
adversarial in this space like Russia and China. However, in part due to
disagreement over the content of these conversations, they have stalled. One of
the forums that has been instrumental in illuminating areas of agreement has
been the United Nations Group of Governmental Experts (GGE) in the Disarmament
Committee. However, at the end of last year’s meeting in August, the
representative to the GGE from Russia is said to have stated that he thought
all the agreement that could be reached on the topic has been, and some states
have backtracked a bit on commitments made during past meetings.
Q: In the graphic guide, “Professor Cy Burr” briefly introduces Chris
Painter, the State Department’s Coordinator for Cyber Issues and a major player
in the U.S.’s work on cyber norms. Do you have any recommendations for how the
Defense Department can improve its collaboration with State and/or other
federal agencies to advance the development of international cyber norms?
Dan: Norms are generally informal
and unofficial, which means cooperation is the key to getting a norm adopted.
That’s why I think the various federal agencies have to make collaboration on
this issue a priority. No single agency has complete jurisdiction over
cyberspace, no agency has complete autonomy, and norms are almost never adopted
just because one stakeholder wants it to be. Precisely because cyberspace is a
shared domain, precisely because we all have interests and priorities and
opinions about what norms should be adopted, it is crucial that we talk and
collaborate, both at the senior leadership level and the lower levels.
Q: Since a
norm is essentially an agreement among stakeholders who must share at least a
basic level of trust, how large a role can norms play in the interactions of
states like the U.S. and Russia (or China), whose relations often lack that
basic element of trust?
Dan: Norms present us with an opportunity to develop a virtuous cycle (as
opposed to a vicious cycle), because while norms require a certain amount of
trust, they also help foster trust. So if we can get the ball rolling a little,
with a few basic, easily-agreed upon norms, they can serve as building blocks
to greater levels of trust and cooperation.
Robert: Dan is right, of course, but at the same time, breaching a norm can cause
increased tension and further disintegration of trust. In the case of
cybersecurity norms, this is a particularly realistic concern because, while
many norms have been clearly articulated in writing, some are simply assumed
and sometimes not necessarily assumed universally. This can lead to confusion
should one state violate the perceived norm of another and also give potential
norm defectors cover to plead ignorance.
Q: Can you
give an example or two of the type of basic, easily agreed upon norm that
could get the ball rolling, like you mention above?
Dan: The best place to start is with norms already in place in other
areas of international activity, such as the law of armed conflict (LoAC). Nation-states already have general agreements on things such as distinguishing between
civilian and military targets, ensuring proportionality of response, and
avoiding unnecessary suffering. So while we don’t have universal agreement that
current international agreements and laws of war translate in full to
cyberspace activities, there are certainly pieces and components of existing
agreements we can use as these initial building blocks.
Robert: I’m not so sure there is a ton of low hanging fruit here, and I’ll break a bit
from Dan in my answer. For the last decade, the U.S. has focused their strategy
on negotiating or translating norms mostly from the armed conflict space, like
LoAC. Over the last year I’ve become increasingly skeptical that this is the
right approach to negotiating international cybersecurity norms. When I look at
the vast majority of state cyber operations, I do not see military operations
that should therefore be governed by the laws of armed conflict. Instead, I see
intelligence operations that are far more akin to traditional espionage
practices. From my perspective, it is important for those developing our norms
strategy to understand and tease out what this means with regard to what sorts
of existing norms we should be pushing for application in cybersecurity and
where the key pressure points are for the development of new norms.
Q: This is
admittedly a complex question that doesn’t lend itself to simple answers, but
roughly speaking, how would you assess the international community’s current
progress on developing and implementing a set of workable cyber norms?
Dan: As we explain in the comic, we’re very much in the early stages of
this activity, largely because we are still in the early stages of learning to
live in cyberspace. We’re still exploring. We are still figuring out what
questions to ask and how to find answers, so it’ll be a while before we have a
robust, shared set of cyber norms. The other thing to understand is that norms
are not static. They tend to emerge and evolve over time, so I don’t think we
should expect to ever have a set of norms as a complete, finished product.
Norms are always a work in progress.
Robert: Absolutely. I would also say that we’re still in the exploratory
phase wherein the international community wrestles with what should be the
content for norms (recall the cybersecurity vs. information security debate). Recent
events could push this stage to a culmination as western countries are pushed
to acknowledge the relevance of information security.
of Cyber and the Military Cyber Professionals
Association, I’d like to thank Mr. Morgus and Mr. Ward for taking time out of
their busy schedules to share their valuable knowledge and insights with us. Integrating
an understanding of cyber norms with traditional military cyber competencies
can lead to a more thoughtful, strategic, and ultimately more beneficial
application of cyber capabilities and capacities.
I strongly encourage all readers to review the graphic guide that prompted this interview.
-M. Lenart, Editor-in-Chief
Preface: This article is neither a political endorsement nor a piece of partisan propaganda. Neither I nor the nonprofit I founded has received any form of support from any political or Trump-related entity. This is an independently conceived evidence-based analysis intended to illuminate a specific topic currently muddled in opinionated bickering and misunderstanding, the likes of which complicate thoughtful policy analysis and planning. It is incumbent upon fellow members of the American national security community to hasten progress from a mudslinging campaign mindset to more mature rational discussions that will better poise our nation for success in the coming years.[i],[ii],[iii]
For a man who prides himself on being unpredictable, President-elect Donald J. Trump has been exceedingly clear that he will prioritize developing America’s cyber warfare capabilities during his administration.[iv] In various venues (including speeches, tweets, and publicized meetings), Trump has clearly indicated his intent to address our nation’s ability to both throw a punch and take a hit in cyberspace. Below is a review of some such indications.
His First Address
It has not gone unnoticed within national security circles that Trump chose to highlight the cyber threat in his first official public address as President-elect…
“On national security, I will ask the Department of Defense and the Chairman of the Joint Chiefs of Staff to develop a comprehensive plan to protect America’s vital infrastructure from cyber-attacks, and all other form of attacks.”[v]
As anybody familiar with the inner workings of government bureaucracy and resource allocation (sometimes referred to as sausage-making) will attest, words matter. Further, the order of words by national leadership matters and has a direct impact on which programs receive funding (the means that enable all operations) and which ones do not. With this insight in mind, the above statement is truly telling.
While only briefly discussing national security among a short list of immediate priorities in the address, cyber is not only included but is leading. That is in stark contrast to how we typically hear cyber included in lists, after more established forms of military power (such as air and maritime capabilities).[vi] Including cyber in such lists has been sufficient to ensure a funding stream to steadily develop this capability. However, the prominence Trump bestows on cyber in this intentional and polished statement signals to us that cyber will be a true priority, both in funding and operationally.
National Security Speech
In October 2016, during a talk hosted by a veterans group, candidate Trump opened with a lengthy discussion about the importance of developing cyber capabilities. While I have included only a fraction of his relevant statements in this excerpt, they clearly support this article’s main conclusion and require no further elaboration.
“I’d like to address one of the most important aspects of America’s national security, and that’s cyber security. To truly make America safe, we must make cyber security a major priority... As president, improving cyber security will be an immediate and top priority for my administration... The scope of our cyber security problem is enormous. Our government, our businesses, our trade secrets and our citizens’ most sensitive information are all facing constant cyberattacks and reviews by the enemy… I will make certain that our military is the best in the world in both cyber offense and defense… I will also ask my secretary of Defense and Joint Chiefs to present recommendations for strengthening and augmenting our Cyber Command. As a deterrent against attacks on our critical resources, the United States must possess — and has to — the unquestioned capacity to launch crippling cyber counter attacks. And I mean crippling, crippling. This is the warfare of the future. America’s dominance in this arena must be unquestioned… Cybersecurity is not only a question of developing defensive technologies but offensive technologies, as well... We should turn cyber warfare into one of our greatest weapons”[vii]
Some of his statements to the veterans group go into detail about the role and cost of various notable hacks on American targets. Those 2016 statements appear consistent with his cyber related concerns expressed years ago, sometimes conveyed in tweets. See some of these comments below…
Social Media
From being used to topple governments during the Arab Spring to enabling Trump to directly engage millions of followers, social media platforms like Twitter are powerful tools, and the President-elect clearly knows it.[ix] Among numerous other statements on the topic, he shared his views succinctly in a recent 60 Minutes interview…
“I have such power in terms of numbers with Facebook, Twitter, Instagram, et cetera, I think it helped me win all of these races where they’re spending much more money than I spent… I think that social media has more power than the money they spent, and I think maybe to a certain extent, I proved that.”[x]
As Trump acknowledges, backed up by the statements of numerous commentators, his ability to wield the power of social media allowed him to effectively shape the information environment in support of his primary objective…being elected President. Other statements of his indicate he plans to retain this critical capability in support of achieving other goals.[xi] Given the high value of these social media services to Trump, and since they are cyberspace based, both military planners and computer security experts can conclude that the incoming administration will likely pursue expenditure of significant resources on cyberspace related efforts.
Relationship Building
Time is one resource he has already begun to invest into strengthening existing and building new relationships with leaders that will help inform and enable his cyberspace related efforts. For example, as he promised to do on the campaign trail, Trump recently met with Bill Gates, top Silicon Valley executives, and the leader of U.S. Cyber Command.[xii],[xiii] Trump’s selection of General Mattis to lead the Defense Department is beneficial, as well, since the General understands the cyber threat. This was abundantly clear in my first interaction with the recently retired General as he was on the way to spend quality time at Stanford University (an essential Silicon Valley institution).[xiv]
Trump meeting with Silicon Valley leaders in December 2016. From left to right: Eric Trump, Brad Smith of Microsoft, Jeff Bezos of Amazon, Larry Page of Alphabet/Google, Sheryl Sandberg of Facebook, Mike Pence, Donald Trump, and Peter Thiel (founder of PayPal).[xv]
In addition to discussing immediate cybersecurity concerns with such leaders, the President-elect’s emphasis on increasing technology related jobs in America is likely to bolster our nation’s severely underperforming and unsustainable STEM (science, technology, engineering, and mathematics) talent development pipeline (which includes K-12 education).[xvi] Given the natural forces of supply and demand, the more Americans with STEM talent that can qualify for government security clearances, the more capability our nation will have to triumph in cyber warfare and in the economic activity that enables such operations.
The Threat from China and Russia
Due to the current prominence and importance of the topic, no discussion of Trump and cyber warfare today would be complete without briefly addressing his views on China and Russia. While his attitude towards Chinese cyber activities (and generally) is clear and consistent (exemplified by the aforementioned tweets), his stance on Russia deserves some demystifying.
One underdiscussed but reasonable interpretation is that he intends to follow geopolitical common sense in a multipolar world by neutralizing threatening alliances that counter his nation’s influence. He recognizes this situation, as indicated in comments such as…
“You can't have everybody hating you. The whole world hates us. And one of the things that I heard for years and years, never drive Russia and China together. And Obama has done that.”[xvii]
In this case, he may be seeking to divide the powerful China-Russia bloc by aggressively courting Russia. This can be accomplished, in part, by building on shared vital interests (like countering the threat of Islamic extremism) and resolving peripheral differences (such as approach towards ending the conflict in Syria and Iraq).[xviii],[xix]
As of the writing of this article in late December 2016, a current point of contention between America and Russia is the leaks of politically sensitive American data by (potentially Russian) hackers. Trump has already developed a consistent narrative that categorizes (what some may refer to as) foreign state-directed cyber-attacks as a direct result of disrespect towards President Obama.[xx] Trump has repeatedly stated that Putin will respect him, which in this case includes a stop to such cyber related activity. Taking advantage of opportunities to affect foreign state decision-making through the power of personal diplomacy and negotiation, as opposed to the expenditure of more American blood and treasure, appears consistent with Trump’s overall emphasis on the American economy (which includes more efficient use of American power).
Conclusion
Upon reviewing this discussion about our new national strategist, any reasonable person can conclude that his administration will prioritize developing our nation’s cyber related capabilities. With such development, and their cost and ethical advantages over traditional military capabilities, we may even witness cyberpower becoming the tool of choice in upcoming conflicts.[xxi],[xxii]
This anticipated evolution to a cyber-first footing in the national security community will have many implications yet to be conceived. It is obviously beneficial to those in cyber related industries, as well as citizens frustrated with increasingly frequent, high-profile, and costly hacking incidents. Without prioritizing cyber and addressing the nation’s current state of vulnerability, as the incoming administration is expected to do, the actions of potential adversaries risk antagonizing a nation fully capable of traveling “an alternate path.”[xxiii] With that in mind, this is a positive direction for all peoples.
About the author
Joe Billingsley is founder of the 501(c)(3) educational nonprofit Military Cyber Professionals Association (MCPA) and is pursuing a PhD in Information Sciences. He is an Iraq War veteran, served as a Strategist and Cyber Operations Officer in the U.S. Army, and is a graduate of programs at the Army War College, Naval War College, Military Intelligence School, and Army School of Information Technology. He holds an MS in Cyber Systems and Operations from the Naval Postgraduate School and a BA in History from the University of Connecticut. He serves as Advisor to the Cyber Security Forum Initiative, faculty at George Washington University, and Fellow of the Center for Network Innovation and Experimentation.
Jessica “Zhanna” Malekos Smith
With thanks to the Thomas M. Cooley Homeland & National Security Law Review
It is often said that trust takes years to build and seconds to destroy – but what
about the Internet? While the Internet infrastructure took years to build,
would it similarly take seconds to destroy using a ‘kill switch?’ According to
Dyn Research, because the United States has a robust Internet economy with over
40 Internet Service Providers (ISPs), it “is likely to be extremely resistant
to Internet disconnection.”1 Despite this assessment, since 2010
Congress has considered bills granting the president “the power to order ISPs
to disconnect certain websites, stop the flow of information from certain
countries or even create an internet service blackout.”2
This article analyzes the congressional history of so-called "Internet kill switch" bills and two domestic cases of a denial-of-access to local Internet connections. The first involves the
Federal Bureau of Investigation’s (FBI) actions in disconnecting a suspect’s
Internet access because “Internet access isn’t an essential service.”3
The second case examines the California state-run Bay Area Rapid Transit (BART)
company’s suspension of cell phone service signals to inhibit protesters’
Historical Legislative Overview
In 2010, U.S. Senators Joseph Lieberman
(Independent, Connecticut), Susan Collins (Republican, Maine), and Thomas
Carper (Democrat, Delaware) proposed the Protecting Cyberspace as a National
Asset Act (PCNAA).5 Under the PCNAA, the president would hold broad authority over privately owned computer systems during a
national cyber emergency.6 The bill also would have enabled the
Department of Homeland Security (DHS) to enact emergency protocols to safeguard
the “nation’s critical infrastructure.”7 Critics denounced this
provision, however, because it did not specifically identify the DHS’s
emergency protocols and types of covered critical infrastructure.8 Opponents
alleged the PCNAA impermissibly encroached on their right to free speech
online.9 As such, the controversial legislation was dubbed the “Internet
Kill Switch Bill” and failed in Congress.
In 2011, Renesys co-founder James
Cowie posited that:
“[a] country’s legal framework, not its technical
infrastructure, determines whether it is able to shut down its citizens’ access
to the internet . . . “somebody has to have the legal authority to go to a
company that runs a large part of the internet in the United States and say,
‘Turn off your connection to the outside world.’”11
That same year the PCNAA was revived, and now included a provision that prohibited
private-sector service providers from seeking judicial review against the DHS’s
emergency protocol regulations.12 The bill alienated many in the
technological community by stipulating that the “federal government’s
designation of vital Internet or other computer systems shall not be subjected
to judicial review.”13 Essentially, the DHS would develop a critical
infrastructure list (including but not limited to servers, websites, and
routers) that would be subject to the president’s emergency declarations, if
each of these three conditions applied:
disruption of the system could cause “severe economic consequences” or worse.
Second, that the system “is a component of the national information infrastructure.”
Third, that the “national information infrastructure is essential to the reliable operation of the system.”14
If a private-sector company objected to these protocols by
asserting a Fifth Amendment due process violation, then its only legal recourse
would be an appeal to the Secretary of the DHS, who would offer a binding legal
determination.15 For TechFreedom
analyst Berin Szoka, this belies core democratic principles because “[b]locking
judicial review of this key question essentially says that the rule of law goes
out the window if and when a major crisis occurs.”16 Indeed, under
this administrative schema, it appeared that the ominous adage silent leges inter arma (“in times of
war, the laws fall silent”) would hold true.17
Although the 2011
bill failed, the 2012 Cybersecurity Act (CSA 2012) was then proposed to “alleviate
the concerns about the 2010 Act by eliminating any provisions that could be
interpreted as giving the president a ‘kill switch.’ The new legislation also
define[d] critical infrastructure very narrowly to include only systems that
could cause catastrophic damage, if compromised.”18 Despite these
changes, CSA 2012 faced strong opposition from the U.S. Chamber of Commerce and
civil advocacy groups like the Electronic Frontier Foundation.19,20
In the end, the bill failed to garner enough votes in Congress.21
Denial of Access to Local Internet in the United States
Case Study I: Las Vegas, Nevada
While Congress has not adopted a “kill switch bill,” there
have been instances where a state entity attempted to cordon off a user’s
access to the global Internet. The first case study involved the FBI, a
Malaysian gambling ring, and the opulent Caesars Palace hotel in Las Vegas,
By 2014, the FBI
discovered an illegal World Cup gambling ring, estimated at $13 million,
operating inside the Caesars Palace villas.23 FBI agents allied with
a hotel WiFi24 contractor and devised a plan to disable the
hotel-guest Internet connection in the targeted suites.25 Next, FBI
agents “posed as repairmen and tricked the butler into letting them into the luxury
suite – all without a warrant. The ruse enabled the FBI to gather evidence that
led to the arrest of Malaysian gambler Wei Seng ‘Paul’ Phua.”26 As a
result, Mr. Phua’s attorneys moved to suppress the incriminating evidence that
was seized from the warrantless search of Mr. Phua’s suite.27
reasoned that the “trickery deployed in Mr. Phua’s case was permissible because
Internet access isn’t an essential service.”28 Moreover, they
explained that “had the FBI agents manufactured an emergency by shutting off
the defendant’s water, heat or electricity,” then such acts of deception would
be unconstitutional.29 Assuming that Internet access is a
non-essential utility, does that justify the FBI’s actions in shutting down a
user’s access? While U.S. District Judge Andrew P. Gordon of the District of
Nevada did not directly confront this issue in his ruling, he still ruled in
favor of Mr. Phua because the evidence constituted “fruits of an unconstitutional
search” in contravention of Fourth Amendment rights.30
Case Study II: San Francisco, California
On August 11, 2011, the California
state-run Bay Area Rapid Transit (BART) company “turned off” cell phone service
inside select San Francisco stations to inhibit protest activity.31
The following day, BART issued a statement defending its actions: “BART
temporarily interrupted service at select BART stations as one of many tactics
to ensure the safety of everyone on the platform.”32
context, on July 3, 2011, a deadly shooting involving BART police and a suspect
occurred.33 In response, several hundred people assembled at BART
stations to protest the shooting.34 Unfortunately, the
demonstrations turned violent.35 According to The Washington Post, because protestors were planning to disrupt
BART services again on August 11, 2011, which could cause platform overcrowding
and unsafe conditions for BART employees and passengers, BART initiated a
service outage based on safety concerns: “Organizers… stated that they would
use mobile devices to coordinate their disruptive activities and communication
about the location and number of BART police.”36
The Electronic Frontier Foundation likened BART’s actions in silencing protestors to those of
former Egyptian President Hosni Mubarak, who “ordered the shutdown of cellphone
service in Tahrir Square in response to peaceful protests….”37 In
fact, the moniker “#MuBARTek” began gaining popularity on the social networking
site Twitter.38 Here, the realization that a state-imposed cell
phone service outage was just as possible in San Francisco, California, as it
was in revolutionary Egypt is chilling.
The case also
illustrates that not only can communication networks be restricted by a local
state entity to mitigate immediate public safety risks, but also to
indiscriminately prevent future
protest activity. The First Amendment provides that “Congress shall make no law…
abridging the freedom of speech, or… the right of the people peaceably to
assemble….”39 Here, BART’s self-imposed outage encroached on the
individual right to free speech because it restricted commuters’ ability to “dial
911, or surf the Web for three hours during the shutdown, and protestors were
unable to coordinate their actions.”40
Generally, BART has taken the position that it “accommodates expressive activities that are constitutionally protected by the First Amendment to the United States Constitution and the Liberty of Speech Clause of the California Constitution (expressive activity), and has made available certain areas of its property for expressive activity.”41 However, BART’s ability to unilaterally apply a service outage to silence all protest demonstrations – even those that have not yet occurred – is a sobering thought for First Amendment scholars, activists, and citizens.42 Given the high potential for misuse of this power, one wonders how robustly the system of checks and balances can operate in a democracy when such forms of speech are readily made silent.
Expanding National Security Communications via Executive Order
On July 6, 2012 President Obama issued Executive Order 13618, the
Assignment of National Security and Emergency Preparedness Communications Functions.43
In order to communicate during a national security attack or other emergency,
EO 13618 affirms the federal government’s authority to manage federal, state,
local, and territorial government and private sector telecommunications systems
under such circumstances.44 The list of assigned communication
systems includes “landline, wireless, broadcast and cable television, radio,
public safety systems, satellite communications, and the Internet.”45
This is not the first instance, however, when a president
used an executive order to augment his war powers under the 1934 Communications
Act.46 From President John F. Kennedy prescribing “federal
telecommunications management functions” in 1962 under EO 10995, to President William
J. Clinton regulating “national defense industry resource preparedness” in 1994
under EO 12919, presidents have bolstered their authority to manage National
Security/Emergency Preparedness (NS/EP) communications.47 The first
section of EO 13618 identifies its central purpose as the following:
The Federal Government must have the ability to communicate
at all times and under all circumstances
to carry out its most critical and time sensitive missions. Survivable,
resilient, enduring, and effective communications, both domestic and
international, are essential to enable the executive branch to communicate…
Such communications must be possible under
all circumstances to ensure national security, effectively manage
emergencies, and improve national resilience.48
It is interesting to note that the phrase “under all
circumstances” appears twice in the opening statement of EO 13618.49 One
possible explanation is that the “2010 National Security Strategy, the primary
federal government guidance on national security, reiterates the notion that
reliable and secure telecommunications is necessary to effectively manage
emergencies, and that the United States must prevent disruptions to critical
EO 13618 also disbands the National Communications System
and replaces it with “an executive committee to oversee federal NS/EP
communications functions, [and] establish[es] a programs office within the
[DHS] to assist the executive committee….”51 Critics were
particularly disturbed by Section 5.2, which allocates broad oversight
authority to the DHS.52 The relevant portion reads:
The Secretary of Homeland Security shall: (a) oversee the development, testing,
implementation, and sustainment of NS/EP communications, including:
communications that support Continuity of Government; Federal, State, local,
territorial, and tribal emergency preparedness and response communications;
non-military executive branch communications systems; critical infrastructure protection networks; and non-military
Opponents felt this provision of EO 13618 gave President
Obama a “kill switch” by allowing him “‘control over the internet’ beyond the
general ability to suspend communications in extreme cases….”54
Given the emergency powers vested in the
Commander-in-Chief, could the president restrict American Internet connections
during a national security emergency? Recall that under the 1934 Communications
Act, the president already possesses
the emergency power to “suspend or amend the rules and regulations applicable
to any or all facilities or stations
for wire communication within the jurisdiction of the United States as prescribed
by the Commission[.]”55 As such, EO 13618 adds another medium (i.e.,
the Internet) to the list of NS/EP communication channels subject to the
president’s control.56 And although no “kill switch” bill has been
formally adopted in Congress, the language of EO 13618, coupled with the case
studies discussed herein, indicates that restrictions on U.S. citizens’ access
to the global Internet could become an unsettling reality.
About the Author
Jessica “Zhanna” Malekos Smith is a
postdoctoral fellow with the Belfer Center's Cyber Security Project at the
Harvard Kennedy School. Previously she was a fellow of the Madeleine Korbel
Albright Institute for Global Affairs in 2013. Malekos Smith received her B.A.
from Wellesley College and J.D. from the University of California, Davis School
of Law. She is an M.A. candidate in International Relations and Contemporary War
at King's College London, War Studies.
Jim Cowie, Could It
Happen in Your Country?, Dyn Res. (Nov. 30, 2012),
2. See Betsy Isaacson, How To
Get Around The Internet Blackout In Syria—Or A Mass Communications Outage
Anywhere, Huffington Post (Nov.
30, 2012, 2:39 PM), http://www.huffingtonpost.com/2012/11/30/internet-blackout-syria_n_2218656.html?1354304364.
Gershman, Judge: FBI Ruse in Las Vegas
Sports Betting Case was Unconstitutional, Wall
St. J. (Apr. 20, 2015), http://blogs.wsj.com/law/2015/04/20/judge-fbi-ruse-in-las-vegas-sports-betting-case-was-unconstitutional/.
Bell, BART San Francisco cut cell
services to avert protest, Wash. Post
(Aug. 12, 2011),
5. S. 3480 (111th): Protecting Cyberspace as a National Asset Act of 2010, GOVTRACK.US, https://www.govtrack.us/congress/bills/111/s3480 (last
visited June 26, 2016).
John D. Sutter, Could the U.S. shutdown
the internet?, CNN (Feb. 3, 2011,
10:23 AM), http://www.cnn.com/2011/TECH/web/02/03/internet.shut.down/.
Markus Rauschecker, Protecting
U.S. “Cyberspace”: How the Notion of an Internet Kill Switch Sidetracked the
National Asset Act, LAW PRAC. TODAY (Mar. 2012),
supra note 2.
supra note 6 (quoting Jim Cowie,
co-founder of Renesys).
12. See Declan McCullagh, Internet
‘kill switch’ bill will return, CNET
Blog (Jan. 24, 2011),
13. Id. (quoting S. 3480, 111th Cong. (2010)).
14. Id. (emphasis added).
17. Marcus Tullius Cicero, GoodReads,
(last visited June 26, 2016); see also
Inter Arma Enim Silent Leges Law & Legal Definition, USLegal,
http://definitions.uslegal.com/i/inter-arma-enim-silent-leges/ (last visited
June 26, 2016).
18. See Rauschecker, supra note
the Electronic Frontier Foundation, EFF, https://www.eff.org/about (last visited June 26, 2016) (“The
Electronic Frontier Foundation is the leading nonprofit organization defending
civil liberties in the digital world. Founded in 1990, EFF champions user
privacy, free expression, and innovation through impact litigation, policy
analysis, grassroots activism, and technology development.”); See also Rauschecker, supra note 7.
Rauschecker, supra note
supra note 3.
(last visited June 26, 2016) (“Wi-Fi
is a wireless networking technology that allows computers and other devices to
communicate over a wireless signal. It describes network components that are
based on one of the 802.11 standards developed by the IEEE and adopted by the
supra note 3.
supra note 4.
Daniel Ionescu, FCC Investigates
BART over Cellphone Shutdown, PCWorld
(Aug 16, 2011, 8:00 AM) http://www.pcworld.com/article/238160/FCC_Investigates_BART_Over_Cellphone_Shutdown.html.
Bell, supra note
U.S. Const. amend.
Bell, supra note
Eva Galperin, BART
Pulls a Mubarak in San Francisco, Elec. Frontier Found. (Aug. 12, 2011), https://www.eff.org/deeplinks/2011/08/bart-pulls-mubarak-san-francisco (“[O]nce BART made the service
available, cutting it off in order to prevent the organization of a protest
constitutes a prior restraint on the free speech rights of every person in the
station, whether they’re a protester or a commuter. Freedom of expression is a
fundamental human right. Censorship is not okay in Tahrir Square or Trafalgar
Square, and it’s still not okay in Powell Street Station.”).
43. See Dara Kerr, Obama signs
order outlining emergency Internet control, CNET
Blog (July 10, 2012),
See Shawn Reese, Cong.
Research Serv., R42740, National Security and Emergency Preparedness
Communications: A Summary of Executive Order 13618 2 (2012).
Exec. Order No. 13618, 77 Fed. Reg. 40,779 (July 6, 2012),
https://www.gpo.gov/fdsys/pkg/FR-2012-07-11/pdf/2012-17022.pdf (emphasis added)
[hereinafter E.O. 13618].
See Reese, supra note 44, at 1.
supra note 43.
E.O. 13618, supra
note 48 (emphasis added).
Robertson, Obama clarifies plan to keep
the internet running during emergencies in executive order, The Verge (July 10, 2012), http://www.theverge.com/2012/7/10/3149831/obama-national-security-emergency-preparedness-internet-order.
U.S.C.A. § 606(d) (West 1934) (emphasis added).
See Reese, supra note 44, at 2.
Photo credits (in order of appearance): Make:, Ars Technica, Franco Folini/Wikimedia
Commons, FreedomWorks, d-infinity
Michael Lenart, Cyber Editor-in-Chief
but telling metric: “Cyber” and other forms of the word appear 118 times in Joint Operating Environment (JOE) 2035: The
Joint Force in a Contested and Disordered World*. JOE 2035 is a Joint Staff
force development document that lays out what the future environment and future
conflicts may look like, and the missions the Joint Force may have to perform
to be successful in them. Put another way, it provides ways to think about and
prepare for the various “futures” that may arrive. Moreover, the prevalence of
the word “cyber” within this futures document showcases the ever-increasing
importance of proficiency in the youngest domain. This article will provide a
very brief overview of JOE 2035 and discuss the cyber aspects within it.
Major Sections of JOE 2035
JOE 2035 has three major sections, briefly
1. The Future Security Environment
2035. Providing an overall backdrop of the future environment, this section
describes emerging trends that will lead to new and challenging conditions for
the Joint Force.
2. Contexts of Future Conflict. No
one can say exactly how the trends outlined in Section 1 will unfold and produce
the future we will actually see in 2035. However, drawing on the trends from
Section 1, Section 2 outlines six plausible “contexts” that forecast the
general types of conflicts the Joint Force may face.
3. Implications for the Joint Force. To secure its interests in the six contexts
outlined above, the U.S. will pursue four strategic goals ranging in
aggressiveness from Adapt to changing
conditions to Impose change and
enforce outcomes. Each strategic goal comes with an associated “enduring
military task” that describes the Joint Force’s role in achieving the strategic
The Future Security Environment 2035
The first section of JOE 2035
describes major trends that will shape the future operational landscape. These
trends are divided among three categories: World Order; Human Geography; and Science,
Technology and Engineering.
The first part, “World Order,” states that regional powers aspiring to global
influence will make “investments in more advanced cyber capabilities” that will
enable them to, among other things, launch strategic attacks against U.S.
financial and energy infrastructure. This mirrors the National Intelligence
Council’s Global Trends 2030, which states, “A cyber arms race is likely to occur as states seek to
defend both public and private infrastructures against state and nonstate
actors.”1 This is not merely an abstract prediction based on
imagination; we have indeed already seen attacks against U.S. banks by Iran.2
Moreover, JOE 2035 reminds us that such activity has been and will
continue to be conducted by both state and state-sponsored actors.
We then read in the “Human Geography” sub-section that “Shifting ideological
affiliations could lead to new and surprising fractures in societies.” These
fractures would be partially formed and then reinforced by mass online
communication, as “groups will build regional and global networks around sets
of ideas, forged and disseminated within cyberspace, with a range of ‘online
ideologies’ and identity networks displacing nationalism as a source of
legitimacy for many.” An obvious example of this kind of online ideology would
be Islamic extremism, but many other potential examples exist in a world of
several billion people comprising myriad groups, communities, and interests.
Among science, technology, and engineering trends, it’s no surprise that “Proliferated Information
Technologies” play a large role in the 2035 Future Security Environment. This
starts with infrastructure: “More modern
developing states will continue to construct comprehensive national information
technology infrastructures consisting of fiber-optic and cellular networks that
far exceed the current state of the art.” Also beyond the current state of the
art will be a growing “digital inter-connectedness” that will create an
Internet of Things (IoT), leading to an exponential increase in cyber
targets and vectors of attack. (For a recent example of a real-world attack
that leveraged the IoT, see Jenni Ryall’s “How
your smart device caused the internet to crash and burn.”3
For a strategic, systematic approach to securing the IoT, see Scott
Shackelford’s “When Toasters Attack: 5 Steps to Improve the Security of Things.”4)
Information technologies of more
immediately obvious military significance will include those “that can damage,
spoof, confuse, or disrupt integrated battle networks,” and that can do so
quickly and dynamically. This will require U.S. and partner battle command
networks with enhanced protection, greater redundancy, and automated defenses. (For
an in-depth look at analytic capabilities that will enable such automated defenses,
see Adam Tyra’s aptly named article, “The
Robot Security Analysts are Coming, but not Today.”5)
Lastly, the JOE warns of electromagnetic pulse weapons that will enable “the discriminate
and precise targeting of a range of electronics-based systems,” to include U.S.
and allied network components. Indeed, this reflects recent increases in
Russian use of electronic warfare capabilities in Ukraine and Syria6,
and it underscores the need to harden U.S. network and cyber warfare
capabilities, and to develop capabilities able to inflict the same damage on
Contexts of Future Conflict
Drawing upon trends from Section 1, JOE
2035 outlines six contexts that may characterize future conflict. These include:
· Violent Ideological Competition focused on the
subversion or overthrow of established governments.
· Threatened U.S. Territory and Sovereignty as
enemies attempt to coerce the U.S. and its citizens.
· Antagonistic Geopolitical Balancing by capable
adversaries attempting to challenge the U.S. These adversaries will place
difficult demands on the Joint Force over wide areas of the globe.
· Disrupted Global Commons resulting from
intimidation, destabilization, and the use of force by state and non-state
· A Contest for Cyberspace, in which conflict and/or
war are likely to occur as states struggle to define and credibly protect cyber
sovereignty, and non-state actors attack U.S. cyber interests.
· Shattered and Reordered Regions resulting from
internal political fractures, environmental stressors, or deliberate external
Importantly, the document notes
that the actual future in 2035 is likely to contain elements of some or
possibly all of these contexts.
In the “Violent Ideological
Competition” of Context 1, competitors will use ideas to influence the thoughts,
feelings, impressions, and behaviors of their intended targets, using
propaganda, cyber attacks, kinetic attacks, and covert operations. These
activities will not occur independently of each other; they will be conducted in concert and thus will
reinforce one another.
In Context 3, “Antagonistic Geopolitical Balancing,” state adversaries may seize
long-contested territory, and then defend it using a variety of means to
include cyber assets, as well as air defense capabilities and “advanced
manned and unmanned aircraft, long-range ballistic and cruise missiles,
submarines, surface ships, electromagnetic jammers and spoofers.” If successful
in consolidating their newfound control and developing long-range strike assets,
combatants will exploit this increased strategic depth to “invest in the naval,
air, cyber, and other capabilities necessary to build credible power projection
capabilities and assert themselves farther from their borders.”
One of the cyber high points of JOE
2035 resides in Context 5, “A Contest for Cyberspace.” This context states
that the usual assumption is that cyberspace is a “commons,” or space that is
“owned by none, accessible to all.” However, not all of cyberspace fits this
definition, so the challenge for the U.S. and other state actors is to ensure
access to the “commons” of cyberspace – those parts that should be open to all –
while denying access to those parts that must remain secure.
For those parts that must remain secure, “The vulnerability
of cyber-enabled systems to exploitation presents an assailable flank which
competitors are likely to probe, infiltrate, and potentially attack.” As always,
states will exploit an advantage when they see one. Accordingly, many will “[attempt]
to influence, disrupt, degrade, or perhaps even destroy” key cyber-enabled
assets of their competitors. Specific examples of such operations include
attacks that undermine “the trust and data integrity” of financial, legal, and
technical infrastructure; strategic surveillance; industrial and scientific
espionage; and attacks against industrial machinery.
Moreover, beyond the technical attacks described above, cyber
operations may be used “to stress or fracture the social and political cohesion
of competitors,” intending to affect the perceptions and decision making of
those competitors. The document doesn’t elaborate much on this point, but one
could imagine these activities might involve cyber-enabled strategic
communications, such as when attackers hijack major websites or social media
accounts in order to broadcast their messages.
JOE 2035 also adds that some states may “integrate cyber
warfare capabilities at the operational and tactical levels of war,” targeting
the command networks the Joint Force so thoroughly depends upon. Moreover, this
can be accomplished not only through pure cyber attacks, but also via “an array of destructive weapons,
including high-power microwave munitions and laser systems which are
increasingly effective against digitized, miniaturized, and integrated
Section 2’s final context, “Shattered
and Reordered Regions,” posits that global cyber activist networks will be
among several types of organizations who exploit the failures of central
governments. No specifics are given, but examples may include Islamic extremist
activists encouraging citizens to blame their governments’ failures on
allegedly un-Islamic forces; anti-globalization groups conducting online
campaigns in economically depressed regions, etc.
Implications for the Joint Force
The final section of JOE 2035 recognizes that the amount of resources, blood, time,
and political capital the U.S. is willing to invest in a situation will vary
according to the importance of the interest at stake, and whether that interest
is currently being met or must be achieved through more concerted effort.
Accordingly, Section 3 outlines four strategic goals of increasing ambition and
effort, along with associated military tasks.
Adapt to changing conditions –
ensure the United States can adequately cope with emerging changes in the
Shape or contain
to assist the United States with coping and adapting to changed international
Manage antagonism and impose
costs – discourage changes to the security environment that
are unfavorable to the United States.
Deter or deny to manage the antagonistic
behavior of competitors or to impose costs on competitors or adversaries
taking aggressive action.
Punish aggression and
rollback gains – block and undo changes to the security
environment that are dangerous or disruptive to the United States.
Disrupt or degrade to punish aggressive action
by an adversary or to force an adversary to retreat from previous gains.
Impose change and enforce
outcomes – introduce desired changes to the security environment
that are favorable to the United States.
Compel or destroy
to impose desired changes on the international security environment and
subsequently enforce those outcomes.
With regard to cyber, JOE 2035 explicitly identifies four future cyber missions, and
two broader missions to which cyberspace operations contribute.
Under the enduring military tasks Shape or contain,
the Joint Force must provide Military Support to Cyber Resiliency. This entails minimizing “the
consequences of threatened or successful cyberattacks against the United
States, its allies, and partners.” This mission will require working with
traditional partners like U.S. government and civilian organizations, and allied
nations, as well as nontraditional partners such as private companies or even cyber
As part of the enduring military tasks Deter
or deny, Joint Forces must conduct national and allied Network Defense. This mission may include “the development of a
Department of Defense cyber umbrella; the creation of a national ‘cyber border
patrol’; more comprehensive intelligence sharing efforts; contributions to
national level cyber exercises; the development of hardened networks; and
reinforced coordination with domestic law enforcement.” Additionally, it will “require
steady-state information operations” that communicate to attackers the
resiliency of major U.S. systems, ostensibly to deter attacks in the first
Under Disrupt or degrade, cyber forces must support Global Counterterrorism through offensive operations that “erode [terrorists’]
ability to coordinate activities,” especially when attempting attacks against
The most comprehensive treatment of cyber’s future role and related functions
is outlined in the portion of JOE 2035 describing Cyberspace Disruption, which is worth quoting at length:
…to attack adversary assets
and impede their ability to adversely affect the unrestricted use of cyberspace
by the United States. Offensive cyber operations will impose costs on
adversaries by identifying and exploiting their cyber vulnerabilities, and may
include distributed denial of service attacks, targeted cyber denial measures,
and actions to physically impair military systems through cyberspace.
Additionally, the Joint Force may conduct proportional cross-domain operations
to physically damage an adversary’s cyber infrastructure, using weapons
operating in other domains to suppress enemy cyber defenses and specifically
strike their critical cyber infrastructure. Furthermore, these operations
should be coupled with defensive cyber efforts to block adversary responses,
and might include the use of autonomous or semi-autonomous cyber defense
systems or the activation of war reserve networks when peacetime networks are
With regard to Compel or destroy tasks, cyber
contributes to multi-domain offensive operations that impose Global Commons Exclusion
on adversaries who threaten the
free use of the commons. Furthermore, though JOE 2035 doesn’t explicitly say
so, this support to multi-domain operations could also contribute to what it
calls Major Sustained Operations and other high-intensity fights.7
JOE 2035 ends on a
high note in terms of cyber-relevant missions. The
last is a very ambitious challenge called Cyberspace Control, and its purpose is to:
an adversary's ability to define and defend their interests in cyberspace and
force them to recognize U.S. views on its use. Cyberspace control operations
will frequently integrate cyber and non-cyber capabilities. In coordination
with law enforcement agencies, offensive operations may be required to
identify, target, and capture or kill adversary cyber operatives. Offensive
operations will also be used to eradicate an adversary’s cyber infrastructure and
capabilities, which might include an array of kinetic strikes combined with
simultaneous electronic, cyber, and space warfare actions. Finally, the Joint
Force may impose cyber-military governance, including the introduction of U.S.
cyber rules and laws on captured adversary networks to include the control of
domain names, access and registration, and administration of key systems.
In very practical, even bureaucratic terms, the purpose of force development
documents like JOE 2035 is to start identifying changes in areas like doctrine,
organization, training, and material capabilities that are
necessary to ensure warfighters are prepared for future environments. Though
JOE 2035 doesn’t attempt to predict
the future, forecasting various scenarios that may arise based on what we know now
is helpful, because themes or features that appear in several of these
scenarios are fairly strong indicators that, no matter what specific future
ends up occurring, these particular themes or features are likely to appear. In
terms of cyber, a few of such themes and features include continually increasing
digital interconnectedness, continued disagreements over the boundaries and
rules of cyberspace, cyber threats to the homeland, increased multi-domain and
interagency cooperation, and probably increased reliance on autonomous cyber
systems. The Department of Defense and the U.S. Government must therefore begin
preparing for these and other likely occurrences sooner rather than later,
since developing capabilities, changing large organizations, and budgeting for
government procurement almost always take longer than one first anticipates –
especially when one must do all three.
In less practical but equally important terms, the value of future-looking
activities is intellectual. Deliberately moving oneself outside a current
perspective improves one’s ability to think about what may happen, and to give serious consideration to plausible
developments that would otherwise be overlooked. Moreover, if done repeatedly,
this discipline even prepares one to deal with unforeseen surprises when they occur, since one has through
practice overcome the mental handicap of only being comfortable dealing with
the concrete and the predictable, the here-and-now.
About the Author
Michael Lenart is the Editor-in-Chief of Cyber magazine and an Army Strategist. His areas of interest include national security, cyberspace operations, and organizational change.
*All JOE 2035 quotes and other citations retrieved from http://dtic.mil/doctrine/concepts/joe/joe_2035_july16.pdf
1. National Intelligence Council. Global
Trends 2030. https://www.dni.gov/index.php/about/organization/global-trends-2030
2. D. & Finkle, J. U.S. indicts Iranians for hacking dozens of banks, New York
3. Ryall, J. How your smart device caused the
internet to crash and burn. http://mashable.com/2016/10/21/dyn-attack-iot-device/#qIFPujAARiqO
4. Shackelford, S. When Toasters Attack: 5
Steps to Improve the Security of Things. http://magazine.milcyber.org/stories/whentoastersattack5stepstoimprovethesecurityofthings
5. Tyra, A. The Robot Security Analysts are
Coming, but not Today. http://magazine.milcyber.org/stories/therobotsecurityanalystsarecomingbutnottoday
6. C. Russia’s Surging Electronic Warfare Capabilities. http://www.thediplomat.com/2016/04/russias-surging-electronic-warfare-capabilities
7. S. Army’s Multi-Domain Battle To Be Tested In PACOM, EUCOM Wargames.
Photo credits (in order of appearance)
1. Defense Technical Information Center
2. HD Wallpapers
3. Ng Han Guan
4. Army, iStock
Cmdr. Christopher Eng is the commanding officer of Information Warfare Training Command (IWTC) Corry Station and a graduate of the Massachusetts
Institute of Technology with a Bachelor of Science in computer science. He first
served in the Navy as a submarine officer and then transferred to cryptology
and information warfare (IW). He became the commanding officer of IWTC Corry Station in September 2015.
IWTC Corry Station is in Pensacola, Florida, and is one of
four training schoolhouses for the Center for
Information Warfare Training (CIWT), a learning center for
Naval Education and Training Command. Eng’s staff of around 350 personnel
trains 2,200 students every day, totaling 8,300 students annually.
In July 2016, the former Center for Information Dominance
(CID) changed its name to CIWT, to emphasize a shift in thinking of IW as a
critical capability of the Navy’s mission sets. Accordingly, Eng’s command name
changed from CID Unit Corry Station to IWTC Corry Station.
The command’s mission was also updated to providing a
continuum of IW training to Navy and joint service personnel that prepares them
to conduct IW across the full spectrum of military operations.
While many within the IW community think of Corry Station
as the “cradle of cryptology,” the schoolhouse also offers courses in the
information technology field.
Carla McCarthy, the CIWT public affairs officer, spoke with
Cmdr. Eng about one of the 39 courses his staff teaches, the Joint Cyber
What is the Joint Cyber Analysis Course (JCAC)?
A: JCAC is the introductory “A” school for Navy
Occupational Specialty (NOS) B525, for what were cryptologic technician
networks (CTN) Sailors. It’s roughly 6 months long, and it takes a Sailor who
may have minimal exposure to computers and how computers work and brings up
their baseline knowledge in terms of how networks operate. What I really like about it is that it
teaches the fundamentals of networks and computer science. I think it’s
important to teach the fundamentals because that allows Sailors to really branch
out to different work roles from there. All things are cyber related, but our
graduates will have different work roles. This course is really the
introductory level and the feeder into more advanced follow-on courses specific
to the job skills that they’ll hold for their first tour in the Navy.
What kind of student is the Navy looking for to perform the job of cyber
A: Of course a technical background, a good strong
background in STEM, which is science, technology, engineering, and math, always
will be beneficial. Someone who got good
grades in high school math is beneficial. Some of the intangibles are strong
critical thinking skills, a level of curiosity. What we really want is people
we can teach how to self-learn, people who are enthusiastic about this topic. That way they will want to do their own
research, and they want to continue along with this education. While the JCAC
course is 6 months and it’s long and it’s hard, it’s really only the beginning
of a significant training pipeline to develop a strong Sailor who will be
valued within the cyber field. So,
critical thinking, curiosity, strong STEM background and initiative are
How difficult is the course and what kind of support do instructors provide to help
A: The course is probably the most difficult technical “A”
school course that we teach at Corry Station. Approximately 22 percent of our
students will academically attrite, and that’s across all services, the Navy,
the Air Force, the Army, the Marines and the Coast Guard, who all attend this
course. What we also see is an increased rate of attrition from our new
accession Sailors, those Sailors coming straight out of boot camp, and I’ll
speak to that in a second.
The instructor’s whole role is to impart this training and
to try and get the students to succeed. The instructors will look to find
people who are having difficulties, and they will assign them mandatory hours. During those mandatory hours of remedial
training, they will get more individualized attention to catch up on materials
they might not have picked up on the first time. We hold academic review boards
for students who are having issues with their tests. They’ll meet with a set of
military instructors to understand if there are any hurdles that are keeping
these students from achieving their academic potential and succeeding in the
course. It could be they’re distracted by other duties. They’re distracted by
home. They may have some personal issues, and these are things that we will
want to help to address to alleviate the concerns and distractions. That way
the students can focus in on the class.
Speaking of which, I mentioned that the new accession
Sailors have a higher attrition rate, and I attribute that to folks who are
coming out of high school. To qualify for this school, you have to have a
higher than average ASVAB rating. For some of these people, they may have done
well in high school, and they might not have needed to study really hard. If they try to apply their old study habits
to JCAC, it’s less likely that they will be successful.
Additionally, if you join the Navy and the recruiter offers
you this NOS and this school, the awareness of what this career field does is
not necessarily out there. Potentially you come to this course, and it’s the
first thing the Navy offers you, and you don’t realize what a tremendous
opportunity this is. So, you don’t put
forth your best effort, because you think if you don’t pass, then you’ll get
another opportunity that’s just as good.
I think for our fleet returnees, they understand how
valuable this training is, what a great opportunity this is and how relevant it
is to job opportunities in the Navy and outside the Navy. They just work harder, and they’re more
receptive to understanding that they’re going to have to study hard.
How does JCAC support the development of the Cyber Mission Force?
A: JCAC is a feeder course for all of the work roles that
the Cyber Mission Force will perform.
You can go on DoD’s website, and it outlines the
different roles for the Cyber Mission Force. JCAC is the introductory-level training that
will support all of those work roles. A
majority of the [service members] in the Cyber Mission Force will have gone
through JCAC prior to their assignment to the force. Then after they get
assigned to the CMF, they will probably do continued follow-on training for
their specific role and specific mission that they’ve been assigned. From JCAC,
having that strong foundational knowledge in networking, in computer skills is
a key enabler to success in those follow-on courses.
What kind of assignments do JCAC Sailors receive upon graduation?
A: The vast majority of them will go work at a navy
information operations command, or NIOC. Some of them will be part of the Cyber
Mission Force. They’ll get assigned one of those work roles, and they would be
administratively controlled by a NIOC. A lot of the students will also go into
the traditional signals intelligence (SIGINT) mission.
As a leader within the Navy’s Information Warfare community, what words of wisdom
do you have regarding cybersecurity?
A: Cybersecurity really needs to be viewed as everyone’s
responsibility. We all have to remain
vigilant. We all receive training, and it’s important that we take on board
that training. The cyber realm and the cyber threats are evolving each and
every day, so just because you went through the training last year, just
because you went through training at boot camp, doesn’t mean that you shouldn’t
take this training seriously. As the
threats evolve, we have to remain on top of it. It’s each individual person’s
responsibility to take this seriously and to report suspicious activity.
Photo credits (in order of appearance):
1. Students in the Joint Cyber
Analysis Course (JCAC) at Information Warfare Training Command Corry Station
take part in an independent study session. JCAC trains enlisted personnel from
all services in the skills and knowledge to perform technical network analysis
in cyberspace operations. (U.S. Navy photo by Petty Officer 3rd Class Taylor L.
2. Cmdr. Christopher Eng,
Commanding Officer, IWTC Corry Station
3. Airman 1st Class Susanna
Murrell (left) and Airman 1st Class Nathaniel Giles, students in the Joint
Cyber Analysis Course (JCAC) at Information Warfare Training Command Corry
Station, take part in an independent study session. JCAC trains enlisted
personnel from all services in the skills and knowledge to perform technical
network analysis in cyberspace operations. (U.S. Navy photo by Petty Officer
3rd Class Taylor L. Jackson/Released)
By Adam Tyra, Contributing Editor
The massive distributed denial of service attack that occurred on 21 October 2016 dramatically realized the fears of security researchers regarding cyber risks due to insecure design in the “Internet of Things.” In the unlikely event that you missed it, Gizmodo has a comprehensive rollup of the effects of the attack. In an article titled “This is Why Half the Internet Shut Down Today,” Gizmodo staff writer William Turton wrote, “Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.”1 The same article lists over 80 major websites that appeared to have been affected, ranging from ActBlue to Zillow, to the websites of news outlets CNN, Fox News, and the Wall Street Journal. The network traffic that characterized the attack appears to have been generated by a massive botnet composed of Internet-connected devices such as routers, IP cameras, and digital video recorders. Researchers discovered in the days after the attack that these devices were infected by a strain of malware known as “Mirai.” Security blogger Brian Krebs noted that the Mirai malware contained more than 60 discrete vendor-default username and password combinations and that many of these credential pairs are shared by dozens of devices made by a single manufacturer.2
The fact that the word Mirai means “the future” in Japanese is, of course, no accident. This attack was the work of the cyber army of the future, an army of things, and it swears allegiance to no nation state, criminal group, or terrorist faction. It is an army built on connected devices ready to do the bidding of anyone who gains control of them. Security professionals have long known and understood that connected devices such as IP cameras, routers, smart TVs, and even insulin pumps contain numerous exploitable vulnerabilities. However, most of the discussion about this problem has centered on the implications of vulnerabilities in consumer products to the individual. For example, a connected insulin pump may be exploited to cause the death of its user, or a connected TV may be exploited to spy on viewers through its microphone and camera. The fact that a device as benign as a network-connected printer can be repurposed into a cyber weapon ominously foreshadows the possibilities of a future when any connected device might be repurposed to create chaos and real-world damage.
This idea has serious implications for cyber professionals. The idea that you can know your enemy, reliably attribute malicious activity to him, and develop countermeasures against his tactics, already difficult in the cyber domain, breaks down entirely when attacks originate from connected devices everywhere instead of known adversary-controlled networks and hosts. In addition, when every single device with a power supply becomes a potential point of origin for an attack, defenders effectively lose their ability to understand and control the attack surface of their organizations. Given the advancing complexity of malware, defenders can assume that future attacks from connected devices will likely be far more sophisticated than the packet-flooding denial of service perpetrated by the Mirai botnet. Increasingly capable connected devices will cause real-world physical damage. If this seems far-fetched, here are a few disruptive scenarios using today’s technology that I thought up in about five minutes:
- Many homes already have smart thermostats. In my local area, the electric company is actually offering to pay me to let them install one. An attacker who wishes to cause an electrical outage need only take control of a large number of smart thermostats in a geographical area and set them all to an extreme temperature while locking them from accepting any additional input from their owners. A few hundred thousand homes in one town trying to cool themselves down to 50 degrees Fahrenheit on a hot summer day ought to be enough to give the power company some problems. If running the air conditioners is not enough to suck up the available power, attackers can take control of lights, pool pumps, computers, game consoles, and connected TVs to add to the load.
- Most modern cars use computers to control braking and steering, and some even have automatic driving and parking features like Tesla’s Autopilot. Viable hacks on modern vehicle control systems from Chrysler were successfully demonstrated by researchers at the DEF CON and Blackhat hacking conferences in 2015 and 2016, respectively.3 Imagine if every late-model Jeep Cherokee in one city had its brakes lock up at 7:30 a.m. on a Monday morning. If that scenario seems like too much, consider the chaos that would be caused if this happened only with a handful of vehicles, resulting in a few dozen car accidents simultaneously occurring all around a large city. In the best case, the affected vehicles would simply block traffic on major thoroughfares during rush-hour. In the worst case, at least some would cause major multi-car pileups and fatalities.
- Amazon Prime Air, according to Amazon, is a “[F]uture delivery system…designed to safely get packages to customers in 30 minutes or less using small unmanned aerial vehicles, also called drones.”4 Amazon estimates that the drones themselves will weigh less than 55 pounds, of which up to five pounds will be cargo. This brings to mind the 2011 Iranian claim that they downed and captured an RQ-170 surveillance drone.5 Allegedly, this was the work of Iran’s cyber warfare unit, and it was accomplished via a combination of satellite jamming and GPS spoofing.6 Although the US government did not directly confirm the Iranian claims, the fact that a drone of this type was lost in Iran was acknowledged in December of that same year.7 We can assume that the means used to protect the RQ-170 from tampering were more sophisticated than those currently available to Amazon. Thus, it does not take much to envision that a future fleet of package-delivering Amazon drones might be repurposed by attackers into an air armada of 50-pound dive bombers to cause chaos or even destroy cars and damage buildings.
Military cyber professionals face additional challenges with connected devices. The cyber army of the future might not just contain benign consumer products but will likely include actual weapon systems as well. While technologists around the world debate whether or not we should build or possess autonomous weapons,8 the fact is that they’re already here. The US military has for decades possessed weapon systems that are almost exclusively computer controlled if not yet truly autonomous. So-called “fly by wire” systems, wherein the pilot of an aircraft does not directly manipulate control surfaces, originated in the mid-1960s, and there isn’t a single US warplane flying today where human muscles directly control flight. Instead, on-board computers interpret human inputs through the flight controls and move control surfaces via electric motors and hydraulics.
Ground forces also have computer-controlled weapons. The M1 Abrams tank and M2 Bradley Fighting Vehicle each have computers controlling their turrets. These computers allow the vehicle commanders and gunners to share control of turret movement, target acquisition, and weapon firing. The Army and Marine Corps have also, since 2004, widely deployed a computer-controlled crew-served weapons platform known as the Common Remote Operated Weapons Station. This system allows soldiers and Marines to remotely control a range of compatible weapons, including .50 caliber machine guns and Mark 19 automatic grenade launchers.
Modern warships, perhaps the most technologically sophisticated weapon systems in the American arsenal, are driven by computer-controlled propulsion and navigation systems and bristle with computer-controlled weaponry such as radar-guided cannons and cruise missiles. Automation is so prevalent across the systems of the US Navy’s newest guided-missile destroyer, the stealthy USS Zumwalt, that it is able to operate with a crew of just 130 sailors, less than half the number required to run comparably sized older ships.9
The operators of computer-based weapon systems have only the illusion of control. This becomes plainly evident when the computers fail. For instance, as a mechanized infantry platoon leader early in my military career, I routinely experienced “dead-lined” vehicles that couldn’t perform their mission due to malfunctioning turret computers. And as far back as 1998, the Navy experienced a similar loss of control when a “computer glitch” left the missile cruiser USS Yorktown dead in the water, requiring it to be towed back to port.10 However, our problem isn’t that computer-controlled weapon systems break down. Our problem is that their software, like the software of the devices involved in last week’s DDoS attack, could be co-opted to perform an adversary’s bidding.
While most of our computerized weapon systems aren’t yet sophisticated enough to truly operate on their own, our warplanes probably are. If every system on an F-22 or F-35 is computer-controlled, then it seems completely feasible that an adversary could exploit one or all of them just as the hackers behind last week’s attack appropriated devices around the world. A sophisticated piece of malware infecting an F-22 fighter jet could cause it to discharge weapons unexpectedly or to crash. Given the fact that computers already routinely fly and even land modern aircraft, it follows that a malicious program with sufficient sophistication could cause an infected fighter to target its own side’s forces for an entire combat mission.
The typical military unit’s concept of cyber defense doesn’t seriously consider the threat posed by a malicious takeover of our digitally-enabled weapon systems. Most military cyber professionals have never even considered conducting a vulnerability assessment or penetration test on a vehicle, and I was also unable to locate any public references to weapon system security assessments. However, I assume that someone, somewhere must be responsible for some level of assurance on the software packages that run these assets. Since it is not the units that own the weapons, such assessments necessarily cannot occur on an ongoing basis. Security checks likely occur only at the time when a weapon system is fielded or receives major updates and therefore cannot account for the expanding universe of cyber threats on a continuing basis. Indeed, most of the academic discussion about solutions to the risk from connected devices centers on secure engineering and design as the best option. This makes sense for devices that will be life-cycled within five years or less, but it won’t help us with assets like fighter jets that are expected to fly for decades before being replaced. Further, if we do not regularly inspect the computers in our weapon systems for malicious activity, then we have no means to discover if an adversary has already injected malicious code.
Just as the Wright Brothers couldn’t have imagined modern integrated air defense systems, we likely won’t soon grasp the meaning of the changes that are already upon us. Nevertheless, the shortfall apparent in our defensive planning will need a solution sooner than we think. We’re already surrounded by the Cyber Army of Things. As the preponderance of devices both civilian and military becomes connected to the Internet, attacks by corrupted devices against people and property will become increasingly prevalent and increasingly dangerous. Every connected device will be a potential weapon, cyber or kinetic. Just as network hosts can’t be trusted to be malware-free today, weapon systems won’t be trustworthy tomorrow. Instead, they will need to be constantly inspected and protected in order to prevent theft and misuse. Just as the term “information security” has given way to cybersecurity, cyber defenders will need to begin thinking about defending against threats from the entire connected ecosystem and not just the part frequented by humans.
About the Author
Contributing Editor Adam Tyra is a cybersecurity professional with expertise in security operations, security software development, and mobile device security. He is currently employed as a cybersecurity consultant. Adam served in the U.S. Army and continues to serve part-time as an Army reservist. He is an active member of the Military Cyber Professionals Association and is a former president of the San Antonio, Texas chapter.
1 Turton, William. "This Is Why Half the Internet Shut Down Today - Gizmodo.com." Gizmodo. October 21, 2016. Accessed October 25, 2016. http://gizmodo.com/this-is-probably-why-half-the-internet-shut-down-today-1788062835
2 Krebs, Brian. "Who Makes the IoT Things Under Attack? - Krebs on Security." Krebs on Security. October 2016. Accessed October 25, 2016.
3 Greenberg, Andy. "The Jeep Hackers Are Back to Prove Car Hacking Can Get ..." Wired.com. August 1, 2016. Accessed October 25, 2016. https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/
6 Peterson, Scott. "Exclusive: Iran Hijacked US Drone, Says Iranian Engineer ..." The Christian Science Monitor. December 15, 2011. Accessed October 25, 2016. http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer.
7 Miller, Greg. "After Drone Was Lost, CIA Tried a Head Fake - The ..." The Washington Post. December 6, 2011. Accessed October 25, 2016. https://www.washingtonpost.com/blogs/checkpoint-washington/post/after-drone-was-lost-cia-tried-a-head-fake/2011/12/06/gIQAJNrnZO_blog.html.
8 Gubrud, Mark. "Why Should We Ban Autonomous Weapons? To Survive." IEEE Spectrum. June 1, 2016. Accessed October 25, 2016. http://spectrum.ieee.org/automaton/robotics/military-robots/why-should-we-ban-autonomous-weapons-to-survive.
9 Patterson, Thom, and Brad Lendon. "Navy Stealth Destroyer USS Zumwalt Designed for ... - CNN." CNN.com. June 14, 2014. Accessed October 25, 2016. http://www.cnn.com/2014/06/14/tech/zumwalt-operations-center/index.html.
10 Slabodkin, Gregory. "Software Glitches Leave Navy Smart Ship Dead in the Water ..." GCN.com. July 13, 1998. Accessed October 25, 2016. https://gcn.com/articles/1998/07/13/software-glitches-leave-navy-smart-ship-dead-in-the-water.aspx.
By Major General Uzi Moscovici and Maj Oron Mincha
On a Thursday evening, several weeks after Operation “Protective Edge” took place, numerous officials from Israel’s military, National Security Council, and Shin-Bet internal security service, as well as various others involved with national security and especially cybersecurity, assembled at the Prime Minister's Office. The Prime Minister intended to summarize the national framework for coping with cybersecurity incidents. This came about as a result of a recent Iranian attack that occurred during the fighting in Operation "Protective Edge," an Israeli campaign in the Gaza Strip aimed at reducing rocket fire into Israeli territories.1
It is estimated that the attackers were coordinating their actions with Hamas during their activity in Gaza. The Israeli public was barely affected by this attack, but for many involved in cybersecurity, this attack "rang the alarm bells," so to speak.
The discussion continued for several hours, lasting late into the night. There were quite a few disagreements regarding who is responsible for the security of the strategic assets of the State of Israel: the National Security Council, or the Shin-Bet. Clearly, it is a matter of prestige, as well as a conflict over manpower.
The discussion concluded with the proposition and eventually the resolution to establish a body responsible solely for cybersecurity. The “Protective Edge” incident and the increasing frequency and significance of cyber threats to the country had made this resolution more or less unavoidable. On February 15, 2015, the State of Israel approved Decision 2444, which goes by the name of "the Promotion of National Preparation for Cybersecurity." The main conclusion of the agreement is that it is necessary to establish a governmental body within the Prime Minister’s Office that will be responsible for national cybersecurity.
The body will manage, operate, and execute all national-level cyber defense efforts, in order to provide a full and consistent response to cyber attacks in real time, as well as create situation reports, focus research and intelligence, and maintain contact with the special units. In addition, this new authority will operate a center that will provide support in dealing with cyber threats (effectively, a national CERT), and act as a central interaction point between the security groups and units in the economy. Its eventual goal will be to build and strengthen the immunity of the entire economy in the cyberspace through preparation and regulation, including guidance of the economy in cyber defense, improvement of sectors’ and bodies’ cyber defense capabilities, regulation of the cyber defense service industry, licensing, holding exercises and training, and providing incentives and other necessary tools.2
The Four Pillars That Stabilize the State's Defense
Fortunately, Israel did not wait until 2015 or until the Iranian attack in 2014 to create order in its cyber realm. From the dawn of the modern-technological age, Israel has been investing in technological progress, and wisely so. It was the first prime minister of Israel, David Ben Gurion, who consolidated Israel's approach to security. Ben Gurion designated that, as the Israel Defense Forces (IDF) are quantitatively small relative to their surrounding adversaries, they must aspire to hold superiority over them in terms of quality. This approach led to the development and improvement of the human qualities of the Israeli soldier, with emphasis on equipping him with advanced weaponry through both in-house development and foreign purchases. This advantage has strengthened throughout the years, and it is backed by the development of Israel in numerous other sectors, such as science, technology, and industry. This advantage has manifested itself in the development of Israel's aerial capability, and in its ability to accurately strike targets with far greater firepower.3
Following Israel's upheaval after The Yom Kippur War, in 1974 the IDF established a technological information security body, with its main goal being to encrypt communication systems. From that moment onward, the IDF acknowledged the need to use "in-house" tools to protect its systems, starting with communication systems and later on advancing to information security systems. It's worth mentioning that with us being a small country, despite the conflicts between various security bodies (IDF/Shin-Bet/Mossad/Police) for assets, prestige, and manpower, there is strong cohesion between these bodies in terms of systems defense.
The current reality works on the basis of 4 security circles: The National Cyber Council acts as a national regulator until it becomes an authority with its own taskforce and defensive capabilities. The Shin-Bet, which is trusted to defend strategic assets today and in the future, will be forced to pass some of its authorities and manpower to the new national body. There’s also the Ministry of Defense, which is responsible for defending its networks and regulating the defense of security industries in Israel. Finally, there’s the IDF, which is responsible for defending its own networks, its objectives, and its capabilities, whatever those may be.
Despite there being a separation between these bodies, the Israeli reality overpowers bureaucracy, as it is a high-quality society where people know each other personally, whether it is because they served together in the army, studied together, live in the same city, etc. The constant dialogue and support between people is unmatched anywhere in the world. As a result, no one is surprised to see military personnel, dressed in civilian clothing, aiding the national bodies during a national event. The conflict over prestige and resources has intensified, but the national cause is always the one leading the approach of the tactical echelon. We allow the leaders, the managers and generals to fight over resources, and allow the working grades to do what they do best – work.
Cyber in Regards to Israeli Society
Cyber, as a brand, entered our vocabulary at the start of the 21st century. The Y2K bug frightened everyone at the dawn of the new millennium and caused the public to understand the basics of the challenges that come with network and information security. With this, we must remember that we are discussing a workspace that is unique due to it being man's creation and being idea based, contrary to the air, land, maritime, or space domains.
Israel is seen as an advanced and high-tech country, capable of capitalizing on the potential of this manmade domain. For many years the Israeli high-tech sector has developed ideas and solutions to system and information security, reflecting the "Start-Up Nation" phenomenon showcased in Dan Senor and Saul Singer’s 2009 book of the same name. These technical and innovative skills in the cyber domain stem from education with a realistic orientation, combined with experience in IDF high-tech units, an active reserve service, and the leveraging of Israeli or international high-tech industry capabilities and resources.
A good example of this is Adam Singolda, a 34-year-old who founded the search company "Tabula" right after his military service in the technological "Matzov" unit of the C4I Directorate. In an interview in 2013 he said, "Matzov is no different from any civilian startup. I learned there that the most important thing is the people you work with. In Matzov, they took a group of smart and fresh nerds and transformed them into those responsible for Israel's encryption. There, a 19-year-old knows that if he makes the slightest mistake, the enemy could hurt soldiers."4
Thankfully, Israel has talented people like Singolda by the hundreds, if not the thousands. Some of them have already burst into the general public's view, while others have yet to do so, but they still provide the nation's defense. They are the ones building Israel's high-tech, affecting the global high-tech scene, and creating a healthy, relatively secure cyber ecosystem that provides for better and safer usage at the individual, organizational, and national levels.
About the Authors
Major General Uzi Moscovici is a 34-year veteran of the IDF and a graduate of the U.S. Army War College. He currently serves as Head of the IDF J6/C4I Directorate, to which the IDF Cyber Defense Division reports. An armor officer, he has commanded at the battalion, brigade, and division levels, and served as the IDF Central Command’s Operations Officer.
Major Oron Mincha is the Head of IDF C4I Foreign Military Cooperation. He has previously served as Company Commander, IDF Military Police Special Forces; Spokesman at IDF Central Command; Aide de Camp to Head of IDF Central Command; and assistant to IDF Defense Attaché, Israel Embassy, Washington, D.C.
1. Kronfeld, S., & Siboni, G. (2014). Iranian cyber-attacks during Operation “Protective Edge”. Retrieved from: http://heb.inss.org.il/index.aspx?id=4354&articleid=7583
2. Prime Minister Office. (2015). Promoting national preparations for Cyber Protection. Retrieved from: http://www.pmo.gov.il/Secretary/GovDecisions/2015/Pages/des2444.aspx
3. Ben-Israel, I. (2011). Israel's approach to national security. Tel Aviv - Broadcast University.
4. Orbach, M. (2013). 700 million Exits of Trusteer came out from MATZOV unit. Retrieved from:
Photo credits (in order of appearance):
1. The 4th Media
2. Times of Israel