Offensive Capabilities: Vice Adm. Michael Rogers, nominated to head US Cyber Command, said offensive and defensive capabilities 'can serve to deter an adversary from cyber attack.' (JIM WATSON/ / AFP/Getty Images)
WASHINGTON — Arguments for boosting US cyber spending over the past couple of years have largely begun with the need to greatly improve the resilience of government networks and ended with a call to grow the cyber force.
But as a new cyber chief awaits confirmation, the discussion has shifted toward how cyber can be part of larger operational planning and how its capabilities might be used to deter aggressive acts.
Gen. Keith Alexander, current head of US Cyber Command (CYBERCOM) and the National Security Agency (NSA), made what will likely be his last pilgrimage to Capitol Hill last week before his retirement this month.
His testimony contained the usual warnings about the continued vulnerability of US networks despite enormous efforts to patch holes. But it also included his vision for the use of cyber as a cost-effective war-fighting tool.
“It is fair, and indeed essential, for you to ask how we are utilizing such resources while others are cutting back,” Alexander wrote in prepared testimony. “Our answer is that the trained and certified teams of our cyber Mission Force are already improving our defenses and expanding the operational options for national decision-makers, the department’s leadership and joint force commanders.”
His likely successor awaiting confirmation, Vice Adm. Michael Rogers, even included providing “options” as his top priority in his opening statement during his confirmation hearing March 11.
“If confirmed as the commander, US Cyber Command, my priority will be to generate the capabilities and capacities needed to operate in this dynamic environment and to provide senior decision-makers and my fellow operational commanders with a full range of options within the cyber arena,” he said.
The idea that cyber forces can expand options, at reasonable cost, is a step beyond the catastrophic danger rhetoric that has inundated most discussion of cyber. To a degree, it represents a move out of a defensive crouch toward broader integration of the cyber tools the US has been developing.
One of the lingering questions is whether commanders will take advantage of the technology. In the past, senior commanders have voiced a lack of faith in cyber tools largely because damage assessment is much more complicated than looking at satellite imagery for a crater, as one would with a successful bombing run.
Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, said the notion of greater integration has been around for years but has yet to come to fruition.
“We’ve been saying that since the ’90s, but I haven’t really seen it because we seem to treat cyber as barely usable,” he said. “We could be using it for a lot for stuff that we don’t know, which I’m sure is possible if we look at what we did in Iran.”
The use of a US weapon to slow Iran’s nuclear program was a turning point in government application of cyber, but what may be causing the new push is the existence of cyber forces in a position to take action.
In his testimony, Alexander pointed to the hundreds of people trained in recent years that have bolstered what was a tiny cadre of cyber professionals.
“We’ve trained almost 900 people,” he said. “We have 900 more, roughly, in training right now. By the end of this year, that means we’ll have 1,800 trained and ready personnel and teams that cover our Cyber Protection Teams all the way up to the National Mission Force.”
The three types of teams Alexander has been developing include a combat mission force designed to provide combatant commanders with capabilities.
Rogers would step into the job with a partially built force that might allow for some more assertive policy.
In recent years, Alexander has been careful not to be too bullish on the strategic advantage a capable cyber force could provide.
Deterrence is still a hotly debated concept in the cyber community because traditional nuclear deterrence relies on the idea that an adversary has knowledge of the destruction that will result from transgressions. That’s not possible in cyber because the secrecy of weapons is necessary to preserve their effectiveness. If the adversary knows what’s coming, they can prepare far greater defenses.
But in his written response to questions submitted as part of the confirmation process, Rogers was bullish. Asked whether deterrence could work, he was unequivocal.
“Yes, the development of both offensive and defensive capabilities can serve to deter an adversary from cyber attack,” he wrote. “Strong capabilities can deter an attack by preventing an adversary from achieving his objectives and demonstrating the ability to impose costs on the adversary.”