The Obama administration is considering elevating the status of US Cyber Command and separating it from the NSA, as cyberattacks and defense become a more integral part of modern warfare.
A new front has emerged in modern warfare, and it is not on the battlefield. Cyberwar and the digital arms race continue to advance as a threat faced by countries around the world. In June, NATO officially recognized cyberspace as an "operational domain" where conflict could occur.
To face this growing risk, world leaders are evaluating and updating their approaches to cyberwarfare—preparing to do battle online as well as on the ground. To better posture the US against cyberattacks, the Obama administration is considering elevating the status of the Pentagon's Cyber Command and separating it from the National Security Agency (NSA), which would give the Cyber Command more authority regarding cyber initiatives.
According to a report, originally published by Reuters, elevating the status of Cyber Command would give it more power to develop cyber weapons to deter attacks and punish cybercriminals who attack the US, such as the Islamic State. John Pironti, president of IP Architects, LLC, said that a move to elevate Cyber Command and separate it from the NSA would send a strong message to the world that the US views cyber as a strategic initiative within the military.
"This would allow for specific training, recruiting, and operational competencies of staff whose role will be to use cyber-related weaponry and capabilities for defensive and offensive actions," Pironti said. "At the same time, this would also allow for independent funding, capability development and maintenance, and oversight of militarized cyber capabilities, which would in theory allow for greater oversight than what is perceived to exist within the activities of the NSA today."
Ewan Lawson, senior research fellow for military influence at the Royal United Services Institute for Defence and Security Studies (RUSI), said that a separation of the parties could be beneficial moving forward if they retained close links with one another.
"NSA (like GCHQ in the UK) is primarily a strategic intelligence gathering agency and, whilst that [inevitably] provides technical expertise and accesses that are essential for the sort of military functions that Cybercom will undertake, ultimately the latter is a war-fighting command and the two functions don't always mix well," Lawson said.
In addition to separating from the NSA, the plan currently being considered by the White House would make the US Cyber Command an authority structure known as a Unified Combatant Command (UCC). A UCC is a joint command that provides command and control of military forces, regardless of branch, based on their geography or specific functionality. Much like how the United States Pacific Command (USPACOM) is responsible for the Asia-Pacific region and the United States Transportation Command (USTRANSCOM) manages the global defense transportation system, Cyber Command could be the UCC responsible for cyberspace.
The move to elevate Cyber Command would make sense, as the Pentagon has recently been ramping up its cyberoffensives against US enemies like the Islamic State, but hasn't been able to fully disrupt their operations. Also, the report comes only a few months after another report by the Government Accountability Office (GAO) claimed that the Pentagon does "not clearly define its roles and responsibilities for cyber incidents."
The potential elevation of Cyber Command has implications beyond just decision-making in times of conflict. Bob Gourley, co-founder of the cyber security consultancy Cognitio and former CTO of the Defense Intelligence Agency, said that there are benefits and risks to the decision, but "making Cyber Command a unified command is a logical next step in DoD's evolution of cyber operations."
For starters, elevating Cyber Command could enhance the professionalism of cyber operations in the military, Gourley said. Cyber defenders typically don't have as clear of a career path set out in front of them as do Navy pilots, for example. By giving Cyber Command more authority, and more powerful leadership, the military could potentially lose fewer cyber operators to attrition, Gourley said. It could also help improve the quality of decision-making in leadership.
"Right now, the four-star cyber command leader is an experienced cyberwarfare professional," Gourley said. "And, he reports to someone who was a submarine captain. What value add can that submarine captain be? The submarine captain will probably be replaced by a B-52 pilot in a year. Why should the cyber war expert report to a B-52 pilot?"
Currently, many military services are able to push back on certain orders regarding network defense, Gourley said. However, Cyber Command as a UCC would have more authority to ensure that DoD networks are operated securely. It would also be able to make decisions more quickly, but that speed in decision-making brings additional risks in terms of escalation with hostile powers.
"Rules of engagement must be very clearly articulated, so the new unified command does not conduct attacks without SecDef and Presidential authorization, and this should only be given if we are ready to manage the escalation of attacks," Gourley said. "Right now the extra layer in the chain of command can act as a speed bump that gives more time to think. Removing the speed bump can be good, but we have to mitigate the risks of a unified command deciding to attack without enough analysis."
Another risk that could come with the escalation of the Cyber Command is that, with the new authority in place for security, other organizations like the DoD may pay less attention to their own security, assuming someone else will protect them, Gourley said. This is unless the Cyber Command has the authority to order system maintenance.
If Cyber Command is officially elevated, it sets an interesting bar for cyber operations in the US military. It could also be the first step toward Cyber Command, or something similar, emerging as the sixth branch of the US military.
"I don't know when it will happen, it could be 10 years from now," Gourley said. "But I do see it happening."
However, Lawson isn't as sure of cyber becoming its own branch of the military as the other, existing branches all still rely on the government's cyber efforts.
"Those existing branches will need to be able to defend their own networks and, at the tactical and operational level, take action against and through adversary networks," Lawson said. "Where perhaps there might be space for a further branch would be in the potential delivery of strategic effects."
Both the NSA and Cyber Command are both currently based in Fort Meade, Maryland, and are led by Navy Admiral Michael S. Rogers, who assumed his present duties in 2014.
The 3 big takeaways for TechRepublic readers
- The Obama administration is considering elevating the status of US Cyber Command and separating it from the NSA, which could give Cyber Command more power and authority in cyberwarfare, and more defined roles.
- Elevating Cyber Command makes sense relative to the Pentagon's increased investments in cyber, and its recent cyber offensives against US enemies like the Islamic State.
- US cyber efforts are increasing with the prevalence of global cyberwar, but it remains to be seen if cyber will be elevated to a sixth branch of the military in the US.
- Cyberwar: The smart person's guide (TechRepublic)
- US Marines ramp up cyber warfare support (ZDNet)
- Pentagon's 'cyber bombs' against the Islamic State aren't working (ZDNet)
- Network Security Policy Template (Tech Pro Research)
- Election Tech: It's time for US to hit its cyberwar enemies hard, says Ben Carson (TechRepublic)