At 5 Years Old, US Cyber Command Faces Growth, Challenges
FORT MEADE, Md. — The site of an Army golf course named for US President Dwight Eisenhower, one long drive from the National Security Agency, is an active construction site, the future of US military cyber.
Where there were once bunkers, greens and tees is a large gray building due to become an NSA-run 600,000-square-foot, state-of-the-art server farm, a skeletal structure that will one day house US Cyber Command's joint operations center, with plots reserved for individual Marine Corps and Navy cyber facilities.
The plans reflect the growth in ambition, manpower and resources for the five-year-old US Cyber Command. One measure of this rapid expansion is the command's budget — $120 million at its inception in 2010 rising to $509 million for 2015.
Another measure is the $1.8 billion in construction at Fort Meade, much of it related to Cyber Command. Though Cyber Command's service components and tactical teams are spread across the country, the headquarters for Cyber Command, the NSA and Defense Information Systems Agency make Fort Meade a growing hub for military cyber.
Earlier this year, Defense Secretary Ash Carter announced a new cyber strategy that acknowledges in the strongest terms that the Pentagon may wage offensive cyber warfare. The strategy emphasizes deterrence and sets up a reliance on the commercial technology sector, hinging on a push to strengthen ties between Silicon Valley and the Pentagon.
For all the talk of cyber offense, it remains to be seen how the US, and its military, will respond to the massive data breach at the Office of Personnel Management (OPM), attributed to China. In April, the administration added sanctions to its menu of responses to a cyber attack, alongside indictments or diplomatic complaints, called "demarches."
Eric Rosenbach, the principal cyber adviser to the secretary of defense, told lawmakers in April, "The Department of Defense is not here to defend against all cyber attacks, only the top 2 percent, the most serious."
Cyber Command's deputy commander, Air Force Lt. Gen. James McLaughlin, told an industry audience in mid-June that the command's responsibility following the OPM hack has thus far been to notify its personnel about whose information had been compromised. Its core mission is defending all Department of Defense networks, collectively known as the DoDIN.
"Our job one is to make sure we are operating and securing our [Defense Department] network against all threats," McLaughlin said in response to an audience member's question. "That is our focus, our lane, and what we remain focused on from day to day."
Adm. Michael Rogers, who leads the US Cyber Command and the National Security Agency, said during a Senate Armed Services Committee hearing in March that the nation should move beyond its "reactive strategy," confined only to defending against foreign attacks and embrace its offensive capability.
But, Rogers said, President Obama had not given him the authority to deploy such cyber weapons, adding, "we need to have that same discussion now."
"We're at a tipping point," Rogers said. "We also need to think about how can we increase our capacity on the offensive side here, to get to that point of deterrence."
US Senate Armed Services Committee Chairman Sen. John McCain asked: "But right now, the level of deterrence is not deterring?"
"That is true," Rogers said.
In early June, OPM announced it was the target of a data breach that exposed the personal information of 4 million current and former federal employees, later said to include security clearance information.
Though China has denied its involvement, officials and analysts have said China has been compiling personal data, from US healthcare companies and insurers, to create a database on American citizens for espionage purposes: to recruit spies or to gain a competitive advantage.
Lawmakers have since voiced frustration with the lack of an effective US deterrent against foreign cyber espionage.
The US has established it will take a hard stance against state-sponsored spying on US companies for economic gain, evidenced by the indictment of five Chinese hackers and sanctions against North Korea in the hack against Sony. However, it has yet to set norms for cyber-enabled, state-on-state espionage.
"This is plain old spying, and a lot of people in the cybersecurity community in Washington are kind of greeting this with a collective shrug, like, 'OK, they got us this time,'" said Rob Knake, a former White House cybersecurity chief and a senior fellow at the Council on Foreign Relations. "It's not outside the bounds of what is acceptable for nations to do when spying."
With cyber espionage there are no agents to catch red-handed and arrest, and, "very few limitations on how much espionage you can conduct in the cyber age," Knake said, speaking on a panel at the New America Foundation in the days after the hack was made public.
"I don't think we have yet a way to grapple with that," he said.
The US and the current administration have shown a reluctance to respond to cyber attacks in an escalatory way in cyberspace. Brandon Valeriano, author of "Cyber War versus Cyber Realities," said the US is "willfully constraining ourselves," for fear of the collateral damage that would ensue.
"We are aware of how devastating this domain could be," Valeriano said. "If there really were massive cyber attacks, there could be a massive loss of life. They would be massive effects throughout the world."
In any case, offensive cyber is not an all-purpose deterrent. Michael Sulmeyer, a former Pentagon cyber policy official and now director of the Cyber Security Project at Harvard University, said it is better to use a "whole of government."
"Offensive cyber may not be a great tool to always trot out, why, because to deter an adversary or get inside their head, you want to target where they are vulnerable," Sulmeyer said. "To make them get it, they have to feel a little bit of pain. If they're not particularly vulnerable in cyber, why would we or any state use offensive cyber to deter them?"
Building an Organization
A hackneyed expression in the US military that nevertheless applies to Cyber Command is that it is an airplane being built in midflight.
The command is operating and adding personnel at the same time. It's nascent Cyber Mission Force, as of March, was at about half of its target of 6,187 personnel in 133 teams. These teams are divided among the nation mission force, the combat mission teams and cyber protection teams.
In his April testimony, Rosenbach said the command lacked a unified command-and-control platform for fast-moving and large-scale cyber operations, particularly for offensive operations. It also lacks a virtual range environment for its personnel to conduct training exercises and obtain certifications, while fighting live, adversary-mimicking "red teams."
Meanwhile, the command is going through basic but necessary steps to refine its internal processes, and how to operate with joint and interagency partners in a seamless way, where all parties are mutually supportive and communicating.
"You can pick almost any interaction and it's not as simple as saying, 'I want to do it,'" he said. "It's critical that you get to the second, third and fourth level of detail for how you do it day to day."
While the military will probably never compete with Silicon Valley salaries as it seeks to attract and retain talent, Rogers told lawmakers the command can appeal to recruits through its national service ethos and its proximity to the action. Still, sustaining the force beyond the initial cadre, Rogers acknowledged, will be a challenge.
Sequestration budget cuts still loom over the effort and would imperil DoD cybersecurity, Rogers said, because the young command has "no flexibility to absorb a sequestration cut." Such cuts, he said, would likely slow improvements to the network, the creation of those teams and the more forceful response to cyber attacks Rogers advocates.
The command is working to weave cyber operations into the battle plans of the military's geographic combatant commanders so that they are, "fleshed out, mature and available to our senior leadership."
The services are organized such that each service has a two- or three-star headquarters whose commander provides forces both to their service and Cyber Command when they are supporting other joint forces headquarters. Each has to be able to perform standard mission-essential tasks, defined by Cyber Command, though each retains its service's organizational stamp.
To meet the command's personnel goals and produce its cyber teams, the services have in some cases doubled and doubled again their training pipelines, and developed career paths for them to stay in the military.
"It's no small feat to go from a standing start in fiscal 2013 and work with the services to bring on 6,187 new people to 133 separate teams," McLaughlin said. "It's exciting work, and if you look at the threats, our young people are involved in dealing with and responding to those every single day. For the most part we haven't been having to beat the bushes, and the services are providing the people that we need."
As host of five of the military's top seven cyber-centric organizations, Fort Meade's growth has mirrored the rise in importance and resourcing for cyberspace activities. So says the installation's commander, Col. Brian Foley, essentially the landlord to these tenant organizations.
Only Army cyber, at Fort Gordon, Georgia, and Air Force cyber, at Lackland Air Force Base, Texas, are elsewhere.
Unlike naval battles on water, dogfights in the skies or tank warfare on land, cyber warfare can be waged without troops having to travel anywhere, even from somebody's basement, which is why Foley regards Fort Meade as an "operational platform for cyber defense." There is something to the argument.
Of the $1.8 billion in military construction, the majority is for joint facilities connected to the cyber mission on the base's East Campus. The most unique and cost intensive of these is the 600,000-square-foot High Performance Computing Center-2, which will reportedly be cooled daily with 5 million gallons of "grey water," or waste water, meant to save money over the use of potable water.
Though the staff of Cyber Command on post has hovered at about 1,100, projected growth, largely attributed to cyber organizations at Meade, is estimated at 2,000 over the next five years.
People and organizations on post have attracted business off post, namely large government contractors and commercial cybersecurity firms. The growth of cyber at Fort Meade has in the surrounding area fueled infrastructure improvements and residential and commercial construction, said Claire Louder, president of the West Anne Arundel County Chamber of Commerce in Odenton, just outside Fort Meade.
Tech firms KeyW, Secure Innovations, Enterprise & Portal Software Systems, CyberReliant and iNovex Information Systems have either built or expanded their presence around the post.
State and federal funds have been allocated to widen Route 175, the traffic-choked highway spur from the Washington-Baltimore corridor to the post.
"Where you would drive around and see empty lots or grassed-over or wooded lots, now you're seeing construction," Louder said. "So there's definitely been a switch."