Just as details of the covert American/Israeli collaboration in the delivery of the famed Stuxnet bug surface, the U.S. Defense Department has created a formal structure for cyber operations that places increased capability in the hands of geographic combatant commanders.
The structure, based on an outline drafted by the Joint Chiefs of Staff in January, creates new cyber-focused structures within each command that will organize the implementation of intelligence and cyber tools, both defensive and offensive. The transitional structure will be evaluated and potentially improved within the year.
Previously, combatant commanders had limited access to cyber tools, relying on reaching back to U.S. Cyber Command (CYBERCOM). The delay and lack of capability limited cyber operations.
The new structure looks to change that, allowing for tightly integrated cyber effects. In a memorandum marked “For Official Use Only,” dated May 1, U.S. Defense Secretary Leon Panetta authorized the plan designed as a “first step” toward standardized cyber operations, according to documents obtained by Defense News.
Under the new structure, joint cyber centers (JCCs) will have chief responsibility for forward cyber operations, and serve as a link between combatant commanders and CYBERCOM cyber support elements (CSEs) that will provide intelligence information and operational know-how.
The May 1 memorandum authorized the implementation of a transitional framework, and directed officials to act with haste.
“It is imperative that we move quickly and put the transitional framework in place as soon as possible,” Panetta wrote.
To combat the problem and provide greater offensive capability, the new structure includes creating a JCC at each geographic combatant command by this month, designed to serve as the “nexus for combatant command cyberspace enterprise.”
The JCC will organize offensive operations and protect the networks employed by each combatant command, combining disparate responsibilities not previously concentrated locally. Each JCC is set to be composed of existing cyber personnel at each command, although experts expressed skepticism that this combination could result in sufficient staffing.
U.S. Northern Command announced May 22 that it had created its JCC without specifying the details of the larger plan.
A DoD spokeswoman, Lt. Col. April Cunningham, said information on the status of implementation, including standing up the JCCs, was not immediately available.
“Although cyberspace presents some very unique characteristics, this transitional model is designed to continue DoD’s efforts at normalizing cyber as an integrated function with other land, maritime, air and space functions,” Cunningham said. “While we are operating under constrained resources and this may not be perfect, the need to move quickly in getting better organized for increased effectiveness of command and control in cyberspace is vital as cyber threats continue to grow in scope, magnitude and sophistication.”
In practice, a combatant commander will task its JCC with the use of a cyber tool, either to defend the network or as part of an attack. The JCC will, in turn, talk with its local CSE to gather additional intelligence and discuss technique before the JCC acts on its mission.
The JCCs will be staffed by combatant command personnel, while the CSEs will be staffed by CYBERCOM. The CSEs will play a supporting role, not directly engaging in operations but providing intelligence and technical assistance to the JCCs.
The normalized use of cyber tools stands in stark contrast to recent news of covert operations surrounding the delivery of the Stuxnet bug, software designed to disrupt some of the control systems used in Iran’s nuclear program. According to media reports, the Stuxnet bug was developed as a special project by the intelligence community and with limited involvement of the combatant command structure.
Details of the Flame virus, a bug considered similar in scope to Stuxnet but focused on intelligence gathering rather than system disruption, have also come to light and have led to speculation of U.S. authorship.
The new operational plan likely would not result in these types of highly complex tools — which have global consequences — being placed in the hands of regional military commanders. But other more localized capabilities, designed to defend U.S. military systems and affect adversaries as part of larger operations, would be included.
Staffing, Responsibility Questions
Experts voiced concern at the implementation of the plan, citing staffing and budget issues and a general lack of specific mechanics.
“A bunch of intel dorks wrote this, not understanding how people interact or how things work,” a former intelligence officer said.
The document outlining the framework, also labeled for restricted circulation, attempts to strike a careful balance between the increase of capability and authority at the geographic combatant commands and the continued concentration of cyber capabilities at CYBERCOM.
The National Security Agency has been the home of most cyber operations, and only with the creation of CYBERCOM, which reached full operational capability in late 2010, have many of those capabilities begun to gain greater exposure outside of the U.S. intelligence community. Still, many capabilities remain beyond the reach of combatant commanders, an issue meant to be rectified by the new plan.
While CYBERCOM will assist the combatant commands by staffing cyber support elements, the creation of the JCCs adds a localized capability that combatant commanders don’t have. Experts said that finding suitable personnel would be an issue as talent is scarce, and the expanded need for capable personnel does not include funding.
Much of the military’s cyber talent resides at Fort George G. Meade, Md., and CYBERCOM, meaning that it would be better to carry out operations from a central location instead of at the combatant commands.
“Some cyberspace operations can be contained within an AOR [area of responsibility], and are of immediate interest to a specific GCC [geographic combatant command] and its components; however, most cyberspace operations have the potential to cause simultaneous effects at the global, theater and local levels that make them trans-regional in nature and of interest to a broader community,” the framework says. “Given this complex interrelationship, providing all cyber support forward in the GCCs is neither feasible nor desirable. Many cyber capabilities can be provided through, and in some cases only through, reachback.”
The document does, however, maintain the need for forward capability.
“At the same time, GCCs must be able to operate and defend tactical and constructed networks or be assured their critical networks are operated and defended, and synchronize cyber activities related to accomplishing their operational objectives,” it says.
Panetta, seemingly anticipating concerns about resources and staffing, emphasized the need for quick action regardless of resource limitations in his memorandum.
“Although I expect you may find that you need additional resources to implement a complete and enduring C2 [command and control] framework within your commands, speed is important,” he wrote.
Experts also voiced concern about the lack of specifics on how the new JCCs and CSEs would interact, and the fact that neither the State Department nor the Department of Homeland Security was included.
“Nowhere is State mentioned,” an industry source said. “At some point, you need to provide them with some optics.”
The transitional strategy does not specify when the CSEs are set to be stood up, although U.S. Central Command’s CYBERCOM CSE is already fully operational, and U.S. Pacific Command (PACOM) is in the process of standing up its own capability. The framework leaves the timeline for other CSEs open, depending on available resources.
The CSE at PACOM has been the subject of a good deal of bickering, a source said, as the CSE ultimately answers to CYBERCOM, which frustrates staff members at the combatant command.
But the fact that subject-matter experts from CYBERCOM and the combatant commands will be interacting in the new plan with a designated JCC, as opposed to interaction among commanders who may not have technical knowledge, could make the new structure better at producing results.
“What’s huge is that I’ve now got an operator telling other operators what to do, as opposed to relying on a bunch of intelligence guys,” another industry source said.
Although there have been efforts within the military command structure to reconsider operations in cyberspace, the fact that this new framework was authorized by the defense secretary means the issue is being taken seriously, the source said.
“It’s interesting in that this is coming from civilian leadership, not CYBERCOM,” the source said.
The development of the framework was mentioned by Madelyn Creedon, assistant defense secretary for global strategic affairs, in March testimony before the House Armed Services Committee, although she mentioned the framework along with the development of standing rules of engagement in the same breath.
“The [DoD] is currently conducting a thorough review of the existing rules of engagement for cyberspace,” she said. “We are working closely with the Joint Staff on the implementation of a transitional command and control model for cyberspace operations. This interim framework will standardize existing organizational structures and command relationships across the department for the application of the full spectrum of cyberspace capabilities.”
The framework does not address any of the questions surrounding the legality of a variety of cyber activities, and does not settle the fierce debate over rules of engagement. That debate centers on the division of responsibilities between combatant commands, the intelligence community and DHS, and has been brewing for years.
A final framework, based on lessons learned from the new transitional plan, is set to be mapped out within the year, the document said.