Cyber Defense Review

The Increasing Necessity for a United States Cyber Service

By 1LT Michael Anderson | November 21, 2016

Conducting cyber warfare is cheap and easy.[1] It affords anyone from individual hackers to nation-state actors the ability to wage destructive acts against the United States.[2] In 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish a sub-unified command, U.S. Cyber Command (USCYBERCOM), to prepare the Department of Defense (DoD) for the integration of offensive and defensive cyberspace operations.[3] Due to the constant rate of change in cyberspace, USCYBERCOM has experienced challenges integrating joint force cyber components. A quick examination of the US cyber force organizational chart demonstrates how complex the relationships are between service components and outside agencies. These organizational intricacies have led Admiral Michael Rogers, National Security Agency (NSA) Director and Commander of USCYBERCOM, to ask “is cyber so different, so specialized, so unique, so not well understood that it requires a very centralized, focused, unique construct to how we generate capacity and knowledge?”[4] While still heavily debated, many US government officials believe the existing organizational structure best meets current DoD requirements. However, there is an increasing necessity to transform the joint cyber construct into a stand-alone military service branch or similar entity that is separate from, yet integrated into the other military service branches. This necessity is based on cyberspace operations occurring in a separate operational domain, requiring a different organizational composition than traditional service branches, and hampered by the current joint cyber construct.

The most compelling reason for creating a separate, standalone cyber service is its distinct “global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunication networks, computer systems, and embedded processors and controllers.”[5]  This DoD definition for ‘cyberspace’ establishes the specialization and uniqueness of the cyberspace domain.[6] While distinct from the other domains, cyber warfare often takes a supportive role to the other domains. USCYBERCOM defines three main focus areas in its mission: “Defending the DoD Information Networks, providing support to combatant commanders for execution of their missions around the world, and strengthening our nation’s ability to withstand and respond to cyber attack.”[7] Cyberspace operations align with the first two focus areas, and lend themselves to the current organizational structure. However, the third focus area, which involves responding to cyberattacks against our nation, describes a strategic capability that is outside the scope of the current service missions. Similarly, the Air Force, which separated from the Army in 1947 to become a distinct military service, has numerous supportive roles, which include “providing reconnaissance, transport, and direct attack against enemy forces.”[8] However, the Air Force also has other critical missions, such as strategic bombing, space, missile, and ISR roles, and “…it is in these realms that the Air Force provides indispensable capabilities that neither the Army nor the Navy can or will replicate, given their more limited core missions.”[9]

Just as the Air Force separated from the Army because of its unique strategic capabilities, cyber also needs to become a separate service. Conversely, some cyber professionals have stated that cyberspace must be viewed in a broader context than other operational domains and can be more effectively integrated into the existing service branches.[10] It is true that in some capacity all branches of the military operate in cyberspace to conduct missions, but the same interconnectedness applies to all military domains. For example, Marines navigate through the sea, supported by GPS from the space domain, and possess aviation assets supporting their land operations. This case demonstrates how all domains: air, land, maritime, space, and now cyberspace are all heavily interdependent in the operational environment. Cooperation is achieved through commanders effectively coordinating and de-conflicting the separate operational domains in their respective battlespace. While the degree of interconnectivity may vary from domain to domain, each is controlled by a centralized and distinct construct, except for cyberspace. Perhaps it is more interconnected than the other global domains, but as cyber warfare continue to increase in frequency, additional strategic cyber operations will fall outside existing service branches’ missions[11]

While cyberspace is widely considered its own operational , it is difficult to appreciate due to its increasingly complex and rapidly changing environment. Therefore, it requires a different organizational structure from the current matrixed organization used throughout all military services and nested organizations:[12] “The matrix organization contains a traditional vertical hierarchy but overlays an equally strong horizontal coordinating chain of command”.[13] While “matrix organizations do allow for greater flexibility and divided responsibilities,” information flow throughout the organization is still relatively slow and the vertical and horizontal vectors potentially present confusion when it comes to reporting.[14] It is impossible to accurately describe the DoD organizational model due to its complex nested organizations within which it deploys different organizational structures. In cyberspace, the speed of information flow and efficient communication is crucial to operational success. According to Pierluigi Paganini, Chief Information Security Officer at Bit4Id, “[t]he discovery of a zero-day vulnerability requires an urgent response…failure to follow the best practices in the process of patch management is the main cause of problems for private companies and governments. In some cases, patch management processes are extremely slow, and the window of exposure to cyber threats is extremely large.”[15]

While patch management is one element in network defense, it demonstrates the importance of speed for an organization operating in the cyberspace domain. For this reason, building up a cyber force within the existing military service branches is a fundamentally misguided approach; virtually all cyber operations require rapid actions or responses to be effective, and existing service organizational models have challenges related to the speed of information flow.  The operational requirement and authority to conduct offensive cyber operations currently has an extreme amount of overhead, and ultimately slows down the progress of operations. While there are still many variables that need to be considered, consolidating a cyber military service branch from current joint components would allow leaders to implement an organizational structure that makes sense for the cyber operational environment and increases the speed of information flow.

In addition to organizational inefficiencies, cyberspace operations in the joint cyber environment are inherently inefficient and limiting. Eric Bassel, director of the SANS Institute, believes there is a great deal of duplication regarding cyber funding between the different services and has advocated some form of future consolidation.[16] For example, each military service has their own cyber component with different methods of training and resourcing. The cost of funding separate training programs is potentially greater than the cost of a single, unified training program. Besides funding issues, unity of command problems are also inherent to the joint cyber structure. While each service component is subordinate to USCYBERCOM[17], this command structure creates a potential conflict of interest when respective service commanders have internal requirements that compete with USCYBERCOM operational priorities. The former NATO commander, Admiral (Ret) James Stavridis, and USCYBERCOM strategic planner, Mr. Weinstein, believe that “ stand-alone force would eliminate both the unity-of-command problem and the interservice rivalries … [and] prevent the inefficiencies associated with disparate personnel standards while allocating resources based on objectively adjudicated priorities”.[18]

Conclusion

Every minute wasted on organizational inefficiencies allows our adversaries the opportunity to widen the cyber capabilities gap. Now is the time for bold action from our US government—failure to create a separate cyber service allows our adversaries to further develop and increase their capabilities. Unfortunately, the idea of consolidating the different cyber service components into a single organization will remain a heavily discussed topic with advocates arguing both for and against the creation of a new military cyber service. Time will definitely play a factor as offensive and defensive cyber policies are still being developed and reviewed by national leaders. Until then, there will be an ever increasing necessity for the creation of an integrated military cyber service with the capacity to protect our nation. 

References

[1] “Global Information Assurance Certification Paper,” Sans Institute, (2004): 8 https://www.giac.org/paper/gsec/3873/information-warfare-cyber-warfare-future-warfare/106165.

[2] Ibid.

[3] “U.S. Cyber Command,” (2015), https://www.stratcom.mil/factsheets/2/Cyber_Command.

[4] Mark Pomerleau, “Rogers: Cyber Doesn’t Need Its Own Military Branch — Defense Systems,” Defense Systems, (2016), https://defensesystems.com/articles/2016/01/21/rogers-cyber-doesnt-need-to-be-separate-branch.aspx (accessed June 27, 2016).

[5] U.S. Joint Chiefs of Staff. “Cyberspace Operations,” Joint Publication 3-12, February 5, 2013: I-1.

[6] Pomerleau.

[7] “U.S. Cyber Command”, U.S. Strategic Command, (2015), http://www.stratcom.mil/f2 (accessed October 15, 2016).

[8] Michael Auslin, “Why America Needs The Air Force: Rebuttal to Prof. Farley”, (2013), http://breakingdefense.com/2013/08/why-america-needs-the-air-force-rebuttal-to-prof-farley/ (accessed October 15, 2016).

[9] Ibid.

[10] Pomerleau.

[11] Ty Cobb, “Cyber Warfare: Where the 21st Century Conflicts Will be Fought,” Harvard National Security Journal, (2012), http://harvardnsj.org/2012/03/cyber-warfare-where-the-21st-century-conflicts-will-be-fought (accessed July 19, 2016).

[12] Christopher Hicks, “Understanding and Designing Military Organizations For a Complex Dynamic Environment,” U.S. Army War College, (2008): 11-13

[13] Ibid.

[14] Ibid.

[15]  Pierluigi Paganini, “A World of Vulnerabilities,” Infosec Institute, http://resources.infosecinstitute.com/a-world-of-vulnerabilities/ (accessed July 19, 2016).

[16]  Andrew Tilghman, “Does Cyber corps merit its own service branch?” Military Times, (2015), http://www.militarytimes.com/story/military/pentagon/2015/04/09/cyber-corps-merit-own-service-branch/25530133/ (accessed July 19, 2016).

[17] James Stavridis and David Weinstein, “Time For a U.S. Cyber Force,” Proceedings Magazine 140 (2014), (accessed June 26, 2016).

[18] Ibid.