Cyber Command getting closer to full deployment

The U.S. Cyber Command’s goal of setting up 133 cyber mission force teams to serve as a global force to conduct cyberspace operations in support of a three-pronged mission set is nearing its completion. The command’s deputy commander, Lt. Gen. James “Kevin” McLaughlin, told the House Armed Services Committee June 22 there are 46 teams at full operational capacity and 59 at initial operational capacity leaving, 28 still to go. The full complement of cyber teams are not expected to reach full operational capacity until 2018, although all teams are expected to hit initial operational capacity by the end of this year.

These forces will support missions in three critical areas: operate and defend DOD networks, be prepared to protect critical infrastructure and support combatant commander objectives. They are currently getting their first real test in the fight against ISIS in Iraq and Syria in support of the Central Command, which is the combatant command with the geographic area of responsibility responsible for the Middle East.

As the force continues to grow, officials described the need for a persistent training environment.  “The broader challenges we have is this team is still a young force. … The reason the persistent training environment is so important is to give teams like those that are supporting the war on ISIL more realistic opportunities to do their work and train in a realistic environments prior to actually doing it in combat,” McLaughlin said, using another acronym for ISIS. Witnesses before the committee lauded the annual Cyber Guard exercise as a great example of realistic training for cyber troops, but noted it is only once a year. The persistent training environment “is a focused effort in the Department of Defense to allow us to actually do that type of training routinely – every week, every day – so that the men and women that are on our teams have the ability to the level of training,” McLaughlin said.

Officials at the Cyber Guard exercise echoed his sentiment. “I need teams that can do this rapidly more than once a year, that can pull on partners, that have a distributed network, that have assessors, that have an adversary that is adaptable and is expandable to what we need to improve our readiness,” Maj. Gen. Paul Nakasone, Cyber Command Cyber National Mission Force commander, told reporters at a media day during the Cyber Guard exercise that Defense Systems participated in. “That’s the next step for us in cyber mission forces.”         

For these forces—the command and the government as a whole—clear definitions still plague cyber policy, however. “On what defines an act of war … that has not been defined – we’re still working toward that definition across the interagency,” Thomas Atkin, acting assistant secretary of Defense for Homeland Defense and Global Security, said in response to questions from committee members.

Atkin provided a set of criteria that the government uses to evaluate DOD response measures for an attack on the homeland, but conceded that these measures are evaluated on a case-by-case basis, refusing to elaborate on how the force would respond to hypotheticals posed by lawmakers. “As far as an attack of significant consequence, which DOD would respond to in the homeland, we don’t necessarily have a clear definition that says this will always meet it, but we do evaluate it based on loss of life, physical property, economic impact and [how it might impact] our foreign policy,” he said.    

Deterrence has been another keystone in the ongoing cyber policy debate. For many practitioners, deterrence in cyberspace is difficult due to its asymmetric aspect and the difficulty of attributing attacks to specific perpetrators. Atkin parroted a similar line used by several others that a cyber attack doesn’t always warrant a cyber response. There is a whole-of-government approach in which a response could involve a diplomatic response, a law enforcement response, an economic response such as sanctions, or a military response that could include cyber action. McLaughlin noted that cyber capabilities don’t just solve cyber problems.

Atkin outlined a three-pronged deterrence policy generally employed by the administration that involves denying adversaries the opportunities to achieve desired effects, followed by building resilient systems that can be recovered if attacked, and finally, imposing a cost on actors to deter the behavior. Atkin acknowledged that the attribution problem is the most difficult component in deterrence. “Attribution is key and that’s probably the greatest challenge in any cyber attack, is attributing it to either a state actor or a non-state actor,” he said.   

Attribution is a major factor of what we’re after, Phillip Celestini, senior executive FBI representative to the National Security Agency and Cyber Command for the FBI’s Cyber Division, told reporters at Cyber Guard, noting that they want “the hands behind the keyboard.”  Ultimately, he said, this type of malicious behavior can be deterred.

In that vein, the administration, in keeping with its whole-of-government approach, has turned to indicting hackers of both nation states and non-state groups. Recently, the Department of Justice has indicted members of the Chinese military, and hackers associated with ISIS, Iran and Syria. While some have seen these indictments of foreign nationals as toothless actions, others see real promise. David Hickton, U.S. Attorney in the Western District of Pennsylvania, has refuted common criticisms that the United States will never be able to get a hold of individuals abroad, noting that the same was said of Columbian drug lords 20 years ago. 

Celestini said exercises like Cyber Guard and similar real-world incidents could be used by the FBI to gather intelligence toward an indictment if criminal hacking activity occurred. A common conversation he said he has with interagency partners in the intelligence community is whether or not to unseal an indictment against a hacker, as it could reveal tactics, techniques and procedures for how intelligence agencies attributed the hack. Sometimes putting these folks in handcuffs is worth the tradeoff of exposing intelligence secrets, he said, but it’s a conversation conducted in concert with interagency partners. 

During a press conference following the indictment of the Iranian hackers, Attorney General Loretta Lynch noted that she did not want to give specifics on attribution because it would shed light on specifics into the investigative techniques. The idea is to let adversaries know the U.S. cn find them without letting them know how, FBI director James Comey said of attribution and the greater deterrent effect they could have on hacking U.S. entities.