U.S. Defense Secretary Leon Panetta said in his memo that "it is imperative that we move quickly and put the transitional framework in place as soon as possible.” (U.S. Defense Department)
Secretary of Defense Leon Panetta has approved a new organizational framework, a plan designed as a “first step” towards standardized cyber operations, according to documents obtained by Defense News.
The framework outlines a command structure that places more authority for both offensive and defensive operations under the geographic combatant commanders and creates Joint Cyber Centers (JCC) to serve as a link between combatant commanders and U.S. Cyber Command (CYBERCOM) Combat Support Elements that will provide intelligence information and operational know-how.
In a memorandum marked “For Official Use Only” dated May 1, Panetta authorized the implementation of the transitional framework, called the Joint Staff Transitional Cyberspace Operations Command and Control Concept of Operations, and directed the secretaries of the military departments, chiefs of the military services, chairman of the joint chiefs of staff, CYBERCOM commander, and Department of Defense chief information officer among others, to act with haste.
“It is imperative that we move quickly and put the transitional framework in place as soon as possible,” he said.
The framework itself describes a present security situation in dire need of action. “The speed and intensity with which adversaries could exploit vulnerabilities in the DoD Global Information Grid jeopardizes the Department’s ability to execute successful military operations,” it says.
To combat the problem and provide greater offensive capability, the new organizational structure includes standing up a JCC at each geographic combatant command by June 2012, designed to serve as the “nexus for combatant command cyberspace enterprise.” The JCC will organize both offensive operations as well as protecting the networks employed by each combatant command, combining disparate responsibilities not previously concentrated locally. Each JCC is set to be composed of existing cyber personnel at each command, although experts expressed skepticism that this combination could result in sufficient staffing. U.S. Northern Command announced that it had stood up its own JCC May 22 without specifying the details of the larger plan, although a DoD spokesman said information on the implementation of the plan and the creation of other JCCs was not immediately available.
The framework also includes standing up a CYBERCOM staffed combat support element at each geographic command. The two would work together to complete cyber tasks, with the CSE providing a link back to CYBERCOM and its collection of talent and intelligence.
“The JCC and CSE, collocated at each Combatant Command, will work toward the common goal of effective and efficient planning, allocation, and synchronization of cyber effects in three cyberspace LOOs (Lines of Operation) with the Combatant Commander’s campaign plans and operations while maximizing unity effort,” it says.
Experts voiced concern at the implementation of the plan, citing staffing issues, budget issues, and a general lack of specific mechanics. “A bunch of intel dorks wrote this not understanding how people interact or how things work,” a former intelligence officer said.
The document outlining the framework, also labeled for restricted circulation, attempts to strike a careful balance between the increase of capability and authority at the geographic combatant commands, and the continued concentration of cyber capabilities at CYBERCOM. Historically, the National Security Agency (NSA) has been the home of most cyber operational capabilities, and only with the creation of CYBERCOM, which reached full operational capability in late 2010, have many of those capabilities begun to gain greater exposure outside of the intelligence community. Still, many capabilities remain beyond the reach of combatant commanders, an issue meant to be rectified by the new plan.
While CYBERCOM will be assisting the combatant commands by staffing combat support elements, the creation of the JCCs adds a localized capability not previously present. Experts said that finding suitable personnel would be an issue as talent is scarce and the expanded need for capable personnel does not include funding. Much of the military’s cyber talent resides at Ft. Meade and CYBERCOM, meaning that many operations might best be carried out from a centralized location instead of at the combatant commands.
“Some cyberspace operations can be contained within an AOR [Area of Responsibility] and are of immediate interest to a specific GCC [Geographic Combatant Command] and its components; however, most cyberspace operations have the potential to cause simultaneous effects at the global, theater, and local levels that make them transregional in nature and of interest to a broader community,” the framework says. “Given this complex interrelationship, providing all cyber support forward in the GCCs is neither feasible nor desirable. Many cyber capabilities can be provided through, and in some cases only through, reachback.”
The document does, however, maintain the need for forward capability. “At the same time, GCCs must be able to operate and defend tactical and constructed networks or be assured their critical networks are operated and defended, and synchronize cyber activities related to accomplishing their operational objectives.”
Panetta, seemingly anticipating concerns about resources and staffing, emphasized the need for quick action regardless of resource limitations in his memorandum.
“Although I expect you may find that you need additional resources to implement a complete and enduring C2 (command and control) framework within your commands, speed is important,” he said.
Experts also voiced concern about the lack of specifics on how the new JCCs and CSEs would interact and the fact that neither the Department of State nor Department of Homeland Security were included. “Nowhere is state mentioned,” an industry source said. “At some point you need to provide them with some optics.”
The transitional strategy, the outline of which was initially agreed upon in a January 30 Joint Chiefs of Staff Tank meeting, does not specify when the CSEs are set to be stood up, although U.S. Central Command’s CYBERCOM CSE is already fully operational and U.S. Pacific Command (PACOM) is in the process of standing up its own capability. The framework leaves the timeline for other CSEs open depending on available resources. The CSE at PACOM has been the subject of a good deal of bickering, a source said, as the CSE ultimately answers to CYBERCOM, frustrating staff at the combatant command.
But the fact that subject experts from CYBERCOM and the combatant commands will be interacting in the new plan with a designated JCC, as opposed to commanders interacting who may not have technical knowledge, could make the new structure better at producing results. “What’s huge is that I’ve now got an operator telling other operators what to do, as opposed to relying on a bunch of intelligence guys,” another industry source said.
Although there have been efforts within the military command structure to reconsider operations in cyberspace, the fact that this new framework was authorized by the Secretary of Defense means that the issue is being taken seriously, the source said. “It’s interesting in that this is coming from civilian leadership, not CYBERCOM,” the source said.
The development of the framework was mentioned by Assistant Secretary for Global Strategic Affairs Madelyn Creedon in March testimony before the House Armed Services Committee, although she mentioned the framework along with the development of standing rules of engagement in the same breath.
“The department is currently conducting a thorough review of the existing rules of engagement for cyberspace,” she said. “We are working closely with the joint staff on the implementation of a transitional command and control model for cyberspace operations. This interim framework will standardize existing organizational structures and command relationships across the department for the application of the full spectrum of cyberspace capabilities.”
The framework does not address any of the questions surrounding the legality of a variety of cyber activities, and does not settle the fierce debate over rules of engagement. That debate centers on the division of responsibilities between combatant commands, the intelligence community, and DHS, and has been brewing for years.
A final framework, based on lessons learned from the new transitional plan, is set to be mapped out within the year, the document said.