“I can assure you that, in appropriate circumstances and on order from the National Command Authority, we can back up the department’s assertion that any actor threatening a crippling cyber attack against the United States would be taking a grave risk,” wrote U.S. Army Gen. Keith Alexander, National Security Agency (NSA) and U.S. Cyber Command (CYBERCOM) chief. (File photo / U.S. Army)
Confronted with 10 million cyber attacks per day, the U.S. Defense Department is changing its tack.
The offensive cyber weapons that have long been wielded by centralized authorities, but whose existence was rarely acknowledged, are being distributed to regional combatant commanders as part of a new emphasis on deployment and deterrence.
“Our capabilities represent key components of deterrence,” Army Gen. Keith Alexander, National Security Agency (NSA) and U.S. Cyber Command (CYBERCOM) chief, wrote in prepared remarks delivered to the House Armed Services emerging threats and capabilities subcommittee as part of a routine budget hearing March 20. The new initiative did not come up during the hearing.
“I can assure you that, in appropriate circumstances and on order from the National Command Authority, we can back up the department’s assertion that any actor threatening a crippling cyber attack against the United States would be taking a grave risk,” he wrote.
Part of that aggressive posture comes in the form of arming combatant commanders, allowing for broader access to capabilities, more rapid action, and the pairing of traditional kinetic attacks with newly developed cyber capabilities.
While Alexander only alluded to the effort in his prepared remarks, it was confirmed by sources. CYBERCOM will establish Cyber Support Elements (CSEs) at all six combatant commands.
Thus far, U.S. Central Command in the Middle East is the only command with a fully operational element, while U.S. Pacific Command (PACOM) has a partial element, a CYBERCOM spokesman confirmed.
These support elements will provide technical capability and expertise, part of an effort to improve the integration of cyber attack capabilities, a source with knowledge of the efforts said.
“We are currently working closely with two of the geographic combatant commanders,” Alexander wrote. “Our goal is to ensure that a commander with a mission to execute has a full suite of cyber-assisted options from which to choose, and that he can understand what effects they will produce for him.”
A CYBERCOM spokesman confirmed that these options include offensive capabilities as well as defensive capabilities designed to protect systems, but said the details of the offensive capabilities are classified.
A source with knowledge of the effort at PACOM said the process is in its infancy there, as the infrastructure is still being developed and the integration of CYBERCOM personnel into mission planning is still being determined.
Alexander also wrote that CSEs are expected to be deployed at U.S. Africa Command and U.S. Southern Command within the next six months.
Problems With Deterrence
While deterrence has served as a crucial policy for national security in a variety of domains, most notably nuclear, some experts inside and outside of the military question the likelihood of success if the concept is applied to cyber.
“For deterrence to work, adversaries are expected to think and act rationally,” said Air Force Gen. William Shelton, commander of Air Force Space Command, speaking at the CyberFutures conference March 22. “There’s no guarantee that these players can be regarded as rational actors.”
Shelton said that because of the difficulties in attribution, the U.S. would have a hard time proving it could find and harm attackers, diminishing the impact of touting offensive capabilities.
“How do we put our own capabilities on display to show what could happen to our adversaries if they took unacceptable action against us in cyber space?” he said. “But without disclosure of a credible threat, our deterrent capacity is pretty weak.”
Showing capabilities is a problem, said Jeff Moulton, a researcher at the Georgia Tech Research Institute, because of the ability of adversaries to adjust.
“Once you use that arrow in that quiver, once you use that exploit, once you use that particular tactic, you’re showing your hand,” he said. “Cyber attacks, cyber exploits are disposable assets. You use them once and they’re pretty much gone, because once you do it people are very quick, they’ll figure it out, and they’ll learn how to block it for next time.”
Use of Cyber
As U.S. cyber strategy shifts, combat planning with the newly positioned weapons at the combatant commands is also changing. The new tools, now more readily accessible, are becoming a more integrated part of mission planning.
But there are reservations, Shelton told a group of reporters following his speech.
“When you develop a kinetic weapon, you do extensive testing to develop a probability of kill with that particular weapon,” Shelton said. “We don’t have that same assurance yet with cyber capabilities. There’s a little bit of a decision here on the part of combatant commanders as to how much he or she is willing to rely upon that particular objective being accomplished by a cyber capability.”
Providing cyber capabilities to combatant commanders notably differs from the traditional operational structure, in which most commands must coordinate with CYBERCOM, which in turn deploys cyber capabilities.
Before CYBERCOM was stood up in 2010, offensive capabilities resided with the NSA. But the transition away from reliance on the intelligence agency and toward local capability is a logical progression, said Chris Coleman, director of cybersecurity for the public sector at Cisco, as the NSA was never intended to engage in combat.
“The NSA is an intelligence agency, so the fact that they’re transitioning combat tools over to CYBERCOM and eventually the combatant commanders makes perfect sense,” he said. “It’s what they should be doing.”
Still, the murky legality of cyber warfare means the application of cyber tools is being hampered, experts said.
Alexander testified with Teresa Takai, the Pentagon’s chief information officer, and Madelyn Creedon, the assistant secretary of defense for global strategic affairs. All three said DoD is developing rules of engagement for cyber and should conclude the process soon.
“I think we’re making progress,” Alexander said at the hearing. “But we also note that the risks that face our country are growing faster than our progress.”