Cyber Defense Review

The Increasing Necessity for a United States Cyber Service

By 1LT Michael Anderson | November 21, 2016

Conducting cyber warfare is cheap and easy.[1] It affords anyone from individual hackers to nation-state actors the ability to wage destructive acts against the United States.[2] In 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish a sub-unified command, U.S. Cyber Command (USCYBERCOM), to prepare the Department of Defense (DoD) for the integration of offensive and defensive cyberspace operations.[3] Due to the constant rate of change in cyberspace, USCYBERCOM has experienced challenges integrating joint force cyber components. A quick examination of the US cyber force organizational chart demonstrates how complex the relationships are between service components and outside agencies. These organizational intricacies have led Admiral Michael Rogers, National Security Agency (NSA) Director and Commander of USCYBERCOM, to ask “is cyber so different, so specialized, so unique, so not well understood that it requires a very centralized, focused, unique construct to how we generate capacity and knowledge?”[4] While still heavily debated, many US government officials believe the existing organizational structure best meets current DoD requirements. However, there is an increasing necessity to transform the joint cyber construct into a stand-alone military service branch or similar entity that is separate from, yet integrated into, the other military service branches. This necessity rests on three points: cyberspace operations occur in a separate operational domain, require a different organizational composition than traditional service branches, and are hampered by the current joint cyber construct.

The most compelling reason for creating a separate, standalone cyber service is its distinct “global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunication networks, computer systems, and embedded processors and controllers.”[5]  This DoD definition for ‘cyberspace’ establishes the specialization and uniqueness of the cyberspace domain.[6] While distinct from the other domains, cyber warfare often takes a supportive role to the other domains. USCYBERCOM defines three main focus areas in its mission: “Defending the DoD Information Networks, providing support to combatant commanders for execution of their missions around the world, and strengthening our nation’s ability to withstand and respond to cyber attack.”[7] Cyberspace operations align with the first two focus areas, and lend themselves to the current organizational structure. However, the third focus area, which involves responding to cyberattacks against our nation, describes a strategic capability that is outside the scope of the current service missions. Similarly, the Air Force, which separated from the Army in 1947 to become a distinct military service, has numerous supportive roles, which include “providing reconnaissance, transport, and direct attack against enemy forces.”[8] However, the Air Force also has other critical missions, such as strategic bombing, space, missile, and ISR roles, and “…it is in these realms that the Air Force provides indispensable capabilities that neither the Army nor the Navy can or will replicate, given their more limited core missions.”[9]

Just as the Air Force separated from the Army because of its unique strategic capabilities, cyber also needs to become a separate service. Conversely, some cyber professionals have stated that cyberspace must be viewed in a broader context than other operational domains and can be more effectively integrated into the existing service branches.[10] It is true that in some capacity all branches of the military operate in cyberspace to conduct missions, but the same interconnectedness applies to all military domains. For example, Marines navigate through the sea, supported by GPS from the space domain, and possess aviation assets supporting their land operations. This case demonstrates how all domains (air, land, maritime, space, and now cyberspace) are heavily interdependent in the operational environment. Cooperation is achieved through commanders effectively coordinating and de-conflicting the separate operational domains in their respective battlespace. While the degree of interconnectivity may vary from domain to domain, each is controlled by a centralized and distinct construct, except for cyberspace. Perhaps it is more interconnected than the other global domains, but as cyber warfare continues to increase in frequency, additional strategic cyber operations will fall outside existing service branches’ missions.[11]

While cyberspace is widely considered its own operational domain, it is difficult to appreciate due to its increasingly complex and rapidly changing environment. Therefore, it requires a different organizational structure from the current matrixed organization used throughout all military services and nested organizations:[12] “The matrix organization contains a traditional vertical hierarchy but overlays an equally strong horizontal coordinating chain of command”.[13] While “matrix organizations do allow for greater flexibility and divided responsibilities,” information flow throughout the organization is still relatively slow and the vertical and horizontal vectors potentially present confusion when it comes to reporting.[14] It is impossible to accurately describe the DoD organizational model due to its complex nested organizations within which it deploys different organizational structures. In cyberspace, the speed of information flow and efficient communication is crucial to operational success. According to Pierluigi Paganini, Chief Information Security Officer at Bit4Id, “[t]he discovery of a zero-day vulnerability requires an urgent response…failure to follow the best practices in the process of patch management is the main cause of problems for private companies and governments. In some cases, patch management processes are extremely slow, and the window of exposure to cyber threats is extremely large.”[15]

While patch management is one element in network defense, it demonstrates the importance of speed for an organization operating in the cyberspace domain. For this reason, building up a cyber force within the existing military service branches is a fundamentally misguided approach; virtually all cyber operations require rapid actions or responses to be effective, and existing service organizational models have challenges related to the speed of information flow. The operational requirement and authority to conduct offensive cyber operations currently carry an extreme amount of overhead, which ultimately slows down the progress of operations. While there are still many variables that need to be considered, consolidating a cyber military service branch from current joint components would allow leaders to implement an organizational structure that makes sense for the cyber operational environment and increases the speed of information flow.

In addition to organizational inefficiencies, cyberspace operations in the joint cyber environment are inherently inefficient and limiting. Eric Bassel, director of the SANS Institute, believes there is a great deal of duplication regarding cyber funding between the different services and has advocated some form of future consolidation.[16] For example, each military service has its own cyber component with different methods of training and resourcing. The cost of funding separate training programs is potentially greater than the cost of a single, unified training program. Besides funding issues, unity of command problems are also inherent to the joint cyber structure. While each service component is subordinate to USCYBERCOM[17], this command structure creates a potential conflict of interest when respective service commanders have internal requirements that compete with USCYBERCOM operational priorities. The former NATO commander, Admiral (Ret) James Stavridis, and USCYBERCOM strategic planner, Mr. Weinstein, believe that a “stand-alone force would eliminate both the unity-of-command problem and the interservice rivalries … [and] prevent the inefficiencies associated with disparate personnel standards while allocating resources based on objectively adjudicated priorities”.[18]

Conclusion

Every minute wasted on organizational inefficiencies allows our adversaries the opportunity to widen the cyber capabilities gap. Now is the time for bold action from our US government—failure to create a separate cyber service allows our adversaries to further develop and increase their capabilities. Unfortunately, the idea of consolidating the different cyber service components into a single organization will remain a heavily discussed topic with advocates arguing both for and against the creation of a new military cyber service. Time will definitely play a factor as offensive and defensive cyber policies are still being developed and reviewed by national leaders. Until then, there will be an ever increasing necessity for the creation of an integrated military cyber service with the capacity to protect our nation. 

References

[1] “Global Information Assurance Certification Paper,” SANS Institute, (2004): 8, https://www.giac.org/paper/gsec/3873/information-warfare-cyber-warfare-future-warfare/106165.

[2] Ibid.

[3] “U.S. Cyber Command,” (2015), https://www.stratcom.mil/factsheets/2/Cyber_Command.

[4] Mark Pomerleau, “Rogers: Cyber Doesn’t Need Its Own Military Branch — Defense Systems,” Defense Systems, (2016), https://defensesystems.com/articles/2016/01/21/rogers-cyber-doesnt-need-to-be-separate-branch.aspx (accessed June 27, 2016).

[5] U.S. Joint Chiefs of Staff. “Cyberspace Operations,” Joint Publication 3-12, February 5, 2013: I-1.

[6] Pomerleau.

[7] “U.S. Cyber Command”, U.S. Strategic Command, (2015), http://www.stratcom.mil/f2 (accessed October 15, 2016).

[8] Michael Auslin, “Why America Needs The Air Force: Rebuttal to Prof. Farley”, (2013), http://breakingdefense.com/2013/08/why-america-needs-the-air-force-rebuttal-to-prof-farley/ (accessed October 15, 2016).

[9] Ibid.

[10] Pomerleau.

[11] Ty Cobb, “Cyber Warfare: Where the 21st Century Conflicts Will be Fought,” Harvard National Security Journal, (2012), http://harvardnsj.org/2012/03/cyber-warfare-where-the-21st-century-conflicts-will-be-fought (accessed July 19, 2016).

[12] Christopher Hicks, “Understanding and Designing Military Organizations For a Complex Dynamic Environment,” U.S. Army War College, (2008): 11-13.

[13] Ibid.

[14] Ibid.

[15] Pierluigi Paganini, “A World of Vulnerabilities,” Infosec Institute, http://resources.infosecinstitute.com/a-world-of-vulnerabilities/ (accessed July 19, 2016).

[16] Andrew Tilghman, “Does Cyber corps merit its own service branch?” Military Times, (2015), http://www.militarytimes.com/story/military/pentagon/2015/04/09/cyber-corps-merit-own-service-branch/25530133/ (accessed July 19, 2016).

[17] James Stavridis and David Weinstein, “Time For a U.S. Cyber Force,” Proceedings Magazine 140 (2014), (accessed June 26, 2016).

[18] Ibid.


