Lt. Gen. Edward C. Cardon, Commanding General of U.S. Army Cyber Command, visits the Virginia National Guard’s Fairfax-based Data Processing Unit to learn more about the organization’s cyber capabilities. Photo by Cotton Puryear, Virginia National Guard Public Affairs.

US Still Doesn’t Know Who's In Charge of What If Massive Cyber Attack Strikes Nation

A cyber-physical attack on infrastructure may be unlikely as a sneak attack, but if one happens, the chain of command is far from clear.

The threat of a massive cyber attack on civilian infrastructure, leading to loss of life and perhaps billions in damages, has kept lawmakers on edge since before former Defense Secretary Leon Panetta warned of it back in 2012 (or the fourth Die Hard movie in 2007). Many experts believe that a sneak attack would be highly unlikely. The Department of Homeland Security has the lead in responding to most cyber attacks. But if one were to occur today, DHS and the Defense Department wouldn’t know all the details of who is in charge of what.

The Department of Defense Cyber Strategy, published in April, carves out a clear role for the military and Cyber Command in responding to any sort of cyber attack of “significant consequence,” supporting DHS.

Specifically, the strategy tasks the 13 different National Mission Force teams, cyber teams set up to defend the United States and its interests from attacks of significant consequence, with carrying out exercises with other agencies and setting up emergency procedures. It’s the third strategic goal in the strategy. It’s also “probably the one that’s the least developed at this – at this point,” Lt. Gen. James K. McLaughlin, the deputy commander of U.S. Cyber Command, said at a Center for Strategic and International Studies event last month.

He went on to describe the role that the military would play in such an event as “building the quick reaction forces and the capacity to defend the broader United States against an attack.” It’s something that the Defense Department, the Department of Homeland Security and the FBI and other agency partners all train for together in events like the Cyber Guard exercises, the most recent of which took place in July. The Defense Department, DHS and others worked through a series of scenarios related to a major attack on infrastructure.

McLaughlin described it as helpful in clarifying the difficult legal and policy issues that rear up when U.S. troops are brought in to perform some military operation on U.S. soil. But that doesn’t mean that all the kinks were ironed out.

“I think we feel comfortable that if one of those events happened today you’d see the right discussion about the sort of the political leadership, you know, has this reached that threshold? To be honest, it will never be black and white, have a perfect recipe ... we have a structure within the government to have that discussion, and the ability for a request to come forward where U.S. Cyber Command forces would go.”

A structure to have a discussion is a bit different than a clear sense of who is in charge of what when the power goes out.

Army Brig. Gen. Karen H. Gibson, deputy commanding general of Joint Force Headquarters-Cyber at United States Army Cyber Command, essentially reiterated that point when Defense One caught up with her at the AUSA conference last month. When asked if there existed a specific doctrine that spelled out the leadership roles for the Defense Department and for DHS in the event of an attack of significant consequence, she said, “There are a number of exercises to work through those very issues and how do we leverage the National Guard to help? It is a high priority and they are working it but I don’t think there’s a ‘Hey, here’s the solution,’ yet. It’s just a high priority.”

One of the various legal considerations muddying the prospect of a clear strategy could be laws related to posse comitatus, which forbid anyone to use “any part of the Army or the Air Force as a posse comitatus or otherwise to execute the laws,” except “under circumstances expressly authorized by the Constitution or Act of Congress.”

This kind of attack is a perennial boogeyman, but the actual likelihood of a digital sneak attack that rises to the level of “significant consequence” is harder to pin down. In his novel Ghost Fleet, a fictional account of World War III, strategist Peter Singer makes a convincing argument that a cyber-physical attack is most likely to occur as part of hostilities already underway, not as a first strike.

Keith Alexander, retired Cyber Command commander, struck a more Panetta-ish tone in testimony before the Senate Armed Services Committee Tuesday and painted an attack as imminent.

“We have to expand our outlook on what cyber can do to our country… Practically speaking, an adversary is going to go after our civilian infrastructure first,” he said. “When you talk about total war, taking the will of the people out to fight, we’re seeing some of the things going on today. Take down the power grid and financial sector and we are isolated… It’s a new way of thinking about warfare where our nation is at risk. In the past we could easily separate out the military to overseas… in this area you can’t do that because the first thing they’re going to go after is our civilian infrastructure… And it’s going to escalate orders of magnitude faster than anything we’ve ever seen.”

However unlikely, were such an attack to occur today, the question of who is in charge of what remains somewhat open.