Before the establishment of U.S. Cyber Command in 2010, a combatant commander who wanted to take down an enemy’s surface-to-air missile sites or other defenses without blowing them up had only one option: Call the National Security Agency at Fort Meade, Md., and plead for assistance.
NSA jealously guarded its role as steward of the nation’s offensive cyber weapons, said one retired intelligence official, but that is changing. In May 2010, the Senate added “chief of Cyber Command” to the duties held by NSA’s director, Army Gen. Keith Alexander. Alexander subsequently directed NSA to begin turning over offensive cyber tools to Cyber Command.
Over the last few months, the dual-hatted general has set in motion an even bigger change. Cyber Command has begun arming combatant commanders with a selection of offensive tools and establishing teams of cyber warriors, called combat-support elements, at military sites beyond Fort Meade.
This is adding complexity to the legal questions being asked by members of Congress, retired defense officials and independent experts.
Alexander made a vague reference to the shift earlier this year in prepared testimony to Congress: “Our goal is to ensure that a commander with a mission to execute has a full suite of cyber-assisted options from which to choose, and that he can understand what effects they will produce for him,” he told the House Armed Services Committee.
These tools are at the moment focused on narrow, tactical goals — like taking a surface-to-air missile site offline — but observers wonder if the change amounts to opening the door to broader use of cyber weapons in military operations, or possibly outright normalization — meaning cyber weapons would be treated by the same rules governing the use of conventional weapons.
A U.S. Cyber Command spokesman said that the command would not comment on the deployment of cyber tools.
“As a matter of policy, we don’t discuss operational matters, perceived or otherwise,” said Army Col. Rivers Johnson.
Currently, each use of cyber weapons is approved by the government case by case.
“These are untested or untried things,” said a retired senior intelligence official. “Every time you use a cyber weapon, I know the discussion that they’re having: ‘Are we establishing a precedent that we are comfortable attaching the name of the United States to?’Ÿ”
During his confirmation hearings in 2010, Alexander acknowledged his concerns about the framework governing the use of cyber weapons, and little has changed since. Although Cyber Command was declared fully operational in October 2010, there are still no rules of engagement specific to cyber weapons and their use offensively.
Outside experts said it remains unclear who would be legally authorized to use cyber weapons, especially if they are applied beyond the battlefield, for example to cut power to a city. The roles of the intelligence community are covered by Title 50 of the U.S. Code, while the armed forces are covered by their Title 10 authority. The laws predate the emergence of cyberspace and weapons.
“There are those that ardently believe that there is no role [for] cyber in Title 10,” said retired Marine Corps Gen. James Cartwright, who stepped down as vice chairman of the Joint Chiefs of Staff in August.
Cartwright, who is now with the Center for Strategic and International Studies, said that while there is some ambiguity overall, existing laws leave certain areas very clear: the right to use cyber tools in traditional military environments and the right to self-defense.
“You have the right to self-defense. You have the right to proceed with hot pursuit,” he said.
But by moving cyber weapons into the hands of combatant commanders, Alexander is beginning to treat them like traditional weapons. In one view, cyber weapons that might generate massive power outages or other dramatic effects are so tied to intelligence and presidential approval that they could not be placed under the authority of combatant commanders. But targeting a SAM site seems to be covered by existing laws on warfare, said current and retired officials knowledgeable about the program.
In his March congressional testimony, Alexander acknowledged that small combat-support elements will be stood up at each command’s headquarters. Contingents of Cyber Command personnel will be placed at those sites, and software information technology would be added to handle the tools.
So far, only U.S. Central Command has a contingent that is fully operational, while the effort at U.S. Pacific Command is in the development stages and a time line has yet to be drawn up for the other geographic commands.
The creation of these support elements has not been without friction. Exactly who “pushes the button” remains unclear, said a person with knowledge of the program. The integration of outside personnel at the commands also has been difficult because commanders don’t always like it when cyber experts show up, this person said. Cyber Command has been sending a combination of offensive and defensive tools to the commands as infrastructure and personnel are rolled out. In theory, at least, that should provide easier access to the offensive tools once the operational kinks are ironed out.
That doesn’t mean, however, that combatant commands will have carte blanche to apply the tools. Alexander has said any major strike outside of an existing operational zone and against anything other than an obvious military target would require high level approval, likely from the president.
Still, creating greater familiarity would be beneficial, the retired official said. “I can understand moving some tools forward so that combatant commanders get used to them, they train with them, they exercise with them, they fold it into their operational thinking. That’s all good stuff.”
Before Cyber Command could move some tools out of its own headquarters at Fort Meade, it had to receive them from the NSA. The decision to let Cyber Command have the tools was based on a combination of needed attention in the area, and a longstanding debate over the application of the legal codes defining who in government is in charge of military actions, and who is in charge of intelligence activities, and the situations in which those actions are allowed.
The intelligence community’s Title 50 authority does not expressly cover the use of weapons, leading some to argue that cyber capabilities needed to be transferred to a new command. This thinking played prominently in the decision to create Cyber Command.
In the year and a half that Cyber Command has been in full operation, interest has grown among defense officials for distribution of offensive tools beyond Fort Meade.
“What you’re seeing is that the commands want to treat them like all the other weapons,” said the retired senior intelligence official.
Some experts, however, said that the ongoing debate about legal authority and cyber is not a top priority at the Defense Department.
“From my personal experience, the friction between Title 10 and Title 50 is more of a Washington, D.C., thing and less an area of operations thing,” said Dale Meyerrose, former associate director of national intelligence and founder of the Meyerrose Group.
Meyerrose said that while the discussion remains, the line between what intelligence agencies can and cannot do has shifted in part due to the use of drones by the intelligence community in recent years.
“There’s been an evolution brought about by what’s happened in the Middle East in the last decade,” he said. “It’s an evolution of warfare. Think about how instrumental remotely piloted vehicles have become in the prosecution of combat operations, and so you’re not hearing of F-16 strikes, you’re hearing of drone strikes. So the view that has been a traditional mindset that says that Title 50 and Title 10 are always in a friction-filled situation has been modified.”
Balance of Power
Cyberspace also exists in an unusual domain, making the traditionally debated division difficult to apply. Intelligence agencies are constantly using networks to gather information, monitoring activity and maintaining a field of view. The awareness and position on networks means that intelligence agencies are uniquely positioned to recognize vulnerability and have the tools to exploit them. While Cyber Command has the ability to push the button on an attack or ability previously held by the NSA, the command still needs essentially targeting information from the NSA in many cases.
“In the cyber world, the intel guys actually take the Title 10 guys to the point of attack,” said a person who works on the project. “The intel guys map the network. The intel guys take them to the point where they say, ‘Hit the return button and everything will be OK.’Ÿ”
That reliance on the intelligence community to lead the way so that weapons can be used means that the balance of cyber power is unlikely to shift even as tools themselves are moved.
“The IC [intelligence community] and DoD missions will not change because of transfers of tools,” said Bob Gourley, chief technology officer at Crucial Point LLC, who previously held the same position at the Defense Information Agency. “Missions change when authorities change. The IC mission has always been to achieve deep penetration of our adversaries by all means possible. The DoD mission has always been to deter or fight wars. The change in cyberspace-related missions has been the tight coupling between the two missions, and that will likely continue even if responsibility for tools change.”
Gourley pointed to the technical capability of the NSA as being critical.
“NSA has a great ability to provide focus to highly technical activities, so my hope is that they will always have insight into and oversight of all cyber tools,” he said.
But while the intelligence community continues to play a critical role in cyber operations, a senior Cyber Command official said that standing up the command has allowed action.
“What’s changed is: We’ve got a much closer relationship with those organizations that have the authorities and the capabilities to provide that picture in real time, so that we can do something about it rather than after the fact — that’s what’s changed,” the official said in a late 2011 interview. “We can’t bring the intelligence mission in, but we can be the beneficiary of that, and that’s why sitting next to the NSA gives us the ability to have that relationship and benefit from that relationship.”
Now that Cyber Command has been declared fully operational, and it is beginning to help the geographic combatant commanders get up to speed in cyber, the intelligence community’s control over all things cyber is starting to loosen, if only slightly. Just how far the shift goes could depend on who succeeds Alexander, who has led NSA since 2005.
“They’re going to be even more eager to distribute tools when Alexander leaves, to accelerate this trend,” said Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council. “An intelligence guy is going to be worried about control and intelligence gain/loss and all of these intelligence equities, whereas someone else — ”
Healey doesn’t fill in the blank, but he means, “Who knows?”