“After months of delay, the Trump administration is finalizing plans to revamp the nation's military command for defensive and offensive cyber operations in hopes of intensifying America's ability to wage cyberwar against the Islamic State group and other foes, according to U.S. officials. Under the plans, U.S. Cyber Command would eventually be split off from the intelligence-focused NSA.
Details are still being worked out, but officials say they expect a decision and announcement in the coming weeks. The officials weren't authorized to speak publicly on the matter so requested anonymity.
The goal, they said, is to give U.S. Cyber Command more autonomy, freeing it from any constraints that stem from working alongside the NSA, which is responsible for monitoring and collecting telephone, internet and other intelligence data from around the world — a responsibility that can sometimes clash with military operations against enemy forces.
Making cyber an independent military command will put the fight in digital space on the same footing as more traditional realms of battle on land, in the air, at sea and in space. The move reflects the escalating threat of cyberattacks and intrusions from other nation states, terrorist groups and hackers, and comes as the U.S. faces ever-widening fears about Russian hacking following Moscow's efforts to meddle in the 2016 American election.” (AP News)
********************************
This is a change that has been talked about for years and put into motion at the end of the Obama administration. I pointed it out last November. It looks like it will definitely happen. I learned today that Congress had enshrined the break up in the FY 2017 National Defense Authorization Act (NDAA) signed into law by Obama on 23 Dec 2016. Most significant in the elevation of CYBERCOM into a unified combatant command is a number of new authorities granted that are similar to those exercised by Special Operations Command including an acquisition arm. In effect many of the functions now exercised by the Services will pass to CYBERCOM. Although the ending of the dual-hatted command relationship of NSA and CYBERCOM is still a point of contention in Congress, I do not see how that could continue.
Congress also empowered the Principal Cyber Advisor (PCA) to the SecDef “with the authority, direction and control over most of Cyber Command’s new activities.” This is a major enhancement of the PCA which was established in 2014, but filled on an ad hoc basis. The new PCA will be in a position similar to the Assistant Secretary for Special Operations and Low Intensity Conflict.
One thing that is not clear to me, and I gather is not clear to CYBERCOM or the USG, is if this new organization and new authorities will bring a new mission emphasis to the command. From the earliest days of Joint Task Force – Computer Network Defense (JTF-CND), the mission was to defend the GIG, the global information grid or DOD information network. It was never to defend the country’s information network. That fell to the FBI, later the DHS and mostly to those in private industry who built, control and defend the infrastructure of our information network. CYBERCOM is tasked to work through the geographical combatant commands. That’s clear for the overseas geographical commands. But does CYBERCOM work with NORTHCOM “to conduct Homeland Defense” and “to defend, protect, and secure the United States and its interests” as specified in the NORTHCOM mission? I’m certain our DOD would “fight them on the beaches” and in the streets, the fields and the hills if we were physically invaded. Will CYBERCOM fight them in the data centers, fight them in the networks and fight them in the home-based routers to defend our country from a serious cyber attack? If CYBERCOM is called upon to defend the homeland in our data centers and our networks, under what conditions and at what point does that defense kick in?
I’ve often railed against pervasive NSA and FBI electronic surveillance of US citizens. I still find this pervasive mass surveillance abhorrent and want to see it curtailed. I've provided links to a few of my pieces on this to show just how seriously I view the matter. In spite of this, I think CYBERCOM should be prepared to fight in the data centers and in the networks and not just against some once in a lifetime existential cyber attack. This will require clear policies and procedures to be enunciated at the NCA level and accepted by the American public. It will also require a new relationship, not only among CYBERCOM, FBI and DHS, but also with private industry. It’s a tall order.
TTG
https://www.apnews.com/08ddd54284554c4c8b4d5dc7a498c5bf
https://www.lawfareblog.com/decoding-2017-ndaas-provisions-dod-cyber-operations
http://turcopolier.typepad.com/sic_semper_tyrannis/2015/05/the-lives-of-others-revisited-ttg.html
http://turcopolier.typepad.com/sic_semper_tyrannis/2013/07/collect-it-all-ttg.html
http://turcopolier.typepad.com/sic_semper_tyrannis/2013/06/the-lives-of-others-ttg.html
FY 2017 National Defense Authorization Act (NDAA) signed into law by Trump on 23 Dec 2016.
???
doug,
Ha! Good catch. Changed it.
About time we woke up. The weaponizing of the internet has gone on too long to be defended against as a secondary side mission by other agencies.
Let’s hope their acquisition arm also has a mandate to specify electronics protection in all DoD systems, not just their own. But instead of trying to make every military system impregnable, they should concentrate on resilient systems with a capacity to quickly bounce back after cyber attacks. IMHO.
I also believe that this new Cyber Command should have some sort of a say-so or advisory role in protecting interests of American civilians and the public sector. Perhaps not direct, but in a supporting role at least. There will be pushback against that.
I’d like to be a fly on the wall when they discuss offensive cyber strategy.
Does defense within a country (largely) at peace require constant patrolling in the street?
Does (cyber-)defense within a country (largely) at peace require constant bugging of all systems?
My take is “No” and “No”. Prepare the tools and keep them ready but stay out of the streets and systems.
—
Another difficulty here will be the delineation of offense and defense. The cyberfolks tend to dislike defense and to play offense. “Let’s keep that ‘zero-day’ alive for our next attack on XYZ” means to do nothing to fix it in your own country’s systems. It is a very bad attitude but seems to be the standard position at NSA and CIA.
If Cybercom does not change that it will be pretty useless for real defense.
It will also -inevitably- duplicate functions that are already there elsewhere. But that is probably a typical U.S. issues. You have two (three?) armies (Army, Marines, SpecOps), two air-forces (Air-force, Navy), two navies (Navy, Coast guard)- so why not have multiple cyber-defense/cyber-attack organizations. Cisco etc will be very happy to supply another large customer.
I only see one glaring problem: posse commitatus. However, this never seems to have stopped the NSA which is also a DOD element. A country which fails to execute its own laws is doomed to lawlessness.
TTG,
I too dislike mass surveillance. But legislative “reforms” purporting to advance the public interest in encryption, ITC and the Internet have a funny way of getting watered down to irrelevance and legitimizing a more dangerous reality on the ground than what they were supposed to have rectified. So I think if left unchecked for a while, brazen government and corporate surveillance are more likely to result in a genuine mass migration to effective privacy technologies than piecemeal efforts to tame the beast as it were.
As my great uncle Akbar used to say, “Legislation enshrines the balance of power among contestants, not the other way around.” In this case, IMHO the balance of power is going to tip in favor of the public when on one hand privacy technologies become so cheap and easy to adopt as to make mass surveillance cost-ineffective, and on the other, the economic value of what is being passed off as private lives of individuals tumbles down to negative. The former needs a major shock to wake people up (more likely with mass surveillance as I said above); the latter is the next step in the evolution of the lives of 20 something iPhone wielding baristas devoid of skills and increasingly unable to earn a living: bots can replicate their lives as easily as they can automate their jobs out of existence.
I wonder if we really have any power over these organizations anymore. Sounds to me like corporate hit squad.
> CYBERCOM should be prepared to fight in the data centers and in the networks
…against FBI, CIA and other Clintons’ anti-American agents.
IMO, the more datas, the less informations/intelligence.
More and more people to spy, within more countries, with more spying agencies, though more electronic apps… the zillions of collected datas is impossible to process and interpret. The huge infrastructure and manpower, the robots and algorithms, to build up in order to process these datas are becoming as many vulnerabilities and targets to cyber- and kinetic attacks, leakers, public resentment, etc.
Strategy is dialectic, and paradox is omnipresent.
PhT
mike,
If the new CYBERCOM does eventually have a strong role in setting US cyber policies, I hope it is defense-centric much like what existed in the original JTF-CND. I’d like to be a real push for ubiquitous encryption (God, I love that phrase.) and resiliency.
I also want to see CYBERCOM develop a new relationship with the private sector drawing from some of the lessons learned by Russian and Chinese cyber operations and even ground operations in the R+6 in Syria. Companies like Equinix and Verizon should be viewed as local defense forces. They can handle the day to day system attacks on their own with their own and contracted resources. However, whenever large scale, widespread or critical attacks or events occur, CYBERCOM could assume leadership to lead the defense and possible counterattack. These large private companies that control massive swaths of our information infrastructure would be deputized to conduct the defense. One could also use the letter of marque as a model to facilitate these companies in defending the networks. I mention Syria as an example because the SAA is largely dependent on various militias as well as allies to defend Syria. Our government and private sector have to develop a much more effective way of working together than what we have now.
Lastly, I want to see the defensive mission take precedence over the current “collect it all” approach espoused by the IC. Defending the networks at home must take precedence over offensive missions overseas in both resources and mindset.
b,
When a country is under attack, constant patrolling is needed. Our IT infrastructure, information and even our psychological space are under near constant assault. I think we need to defend ourselves. Your point of our current emphasis on offense rather than defense is correct. As I told Mike, the defense needs to take precedence over the offense and the “collect it all” mentality. Encryption and privacy should be cornerstones of this new defensive attitude.
OMB,
That will depend on where the line between criminal activity and foreign attack is made. Even most terrorist attacks are handled as criminal acts rather than foreign attacks on the homeland. The same rational thought has to be applied in cyberspace.
This will end up as one more reason to insist on backdoors in encryption systems–not what you should want if you care about individual liberty and privacy.
TTG –
Letters of Marque? I like the concept but how would that work. Privateers were primarily an offensive against an enemies LOCs. How would you work that into a defense? Guess they could get paid for each foiled attack.
And some privateers later ended up as pirates, or cheats claiming illegitimate prizes. Not that Verizon or Equinix would stoop to that but there are plenty of fringe companies out there teetering on bankruptcy that could be tempted.
This looks to be more offensive rather than defensive in nature.
A real operation protecting our NW’s would mutually disarm both us and any countries we entered into agreements with. Putin hinted at this by saying that the Russians could provide access to their data centers to track criminals (or by extension state actors) and agreements could be worked out on what meta-data needed to be saved. Now of course the Russians would expect reciprocation and this would in effect shut down our cyber operations against them.
I suspect that we believe that we have an edge against the Russians in cyber warfare which is why we are not interested in pursuing a treaty on the matter.
I’m certain TTG understands the technical matters better than I do and he can tell me if I am way off the chart here. While I do work in software, I don’t work in security and I know what I don’t know :-).
One thing I’d love to see developed is a means to detect if stolen information has been altered. It’s bad enough that information is hacked, but forgery after hacking would be an order of magnitude worse.
egl,
You’re reading this wrong. A defensive mindset will insist on the elimination of backdoors, crippled encryption and hoarding of vulnerabilities (0-days) for use in intelligence gathering and offensive operations. There will always be this conflict between the two mindsets, but it’s time for defense and security to take precedence.
mike,
The talk of letters of Marque has been around for years in the community. A lot more thought has to go into it beyond legal protection and issuance of get out of jail free cards. But since so much expertise and capability exists outside of government, it’s a concept that should be explored.
“Our IT infrastructure, information and even our psychological space are under near constant assault. ”
Oh, come on. Those ain’t IT attacks. It is some white noise and probably some light pin pricks. No one so far set all U.S. bank accounts to zero or induced critical fluctuations in all your electricity network. A real attack would look much different that what you now perceive as attack.
The danger for the U.S. “psychological space” has always been from the U.S. itself (see the current “liberal” neo-McCarthy wave). Even more dangerous are the hyper-nationalistic and militaristic attitudes throughout your culture. The CIA and Pentagon have heavily influenced (if not written) 1,800 movies and TV shows in the last decade or so. All to promote war and torture and to suppress any criticism of those organizations. That is an assault in size and result no (other) enemy of the people could ever hope to achieve.
https://medium.com/insurge-intelligence/exclusive-documents-expose-direct-us-military-intelligence-influence-on-1-800-movies-and-tv-shows-36433107c307
TTG wrote:
“…I think CYBERCOM should be prepared to fight in the data centers and in the networks and not just against some once in a lifetime existential cyber attack. This will require clear policies and procedures to be enunciated at the NCA level and accepted by the American public…”
I’m in the ‘amen choir’ on this one.
But “…clear policies and procedures…” don’t tend to generate as many billable hours as layers of policy machicolations 8(
Here’s hoping that someone has the guts and vision to aim for ‘simple, doable, and cheap’.
ROTL,
“Here’s hoping that someone has the guts and vision to aim for ‘simple, doable, and cheap’.”
I got roped into the DIA task force addressing the Y2K problem. At the time I thought it was a PITA, but I look back on it now with fond memories. We worked with people from governments and private industry from around the world to solve a problem with a firmly fixed deadline. We came up with hundreds of solutions and work arounds and shared them with everybody. It was like the international cooperation in the film “Independence Day.” The solutions were mostly simple, doable and cheap. It ended up being a nothing event, but that was because of the two years of work that preceded Y2K. If we could get a mindset of security, privacy and defense going in the new CYBERCOM, I think we can do this again.
I read, I think a Sputnik article, that china has now linked some of their military with quantum communications. I take it this is short range through fibre optic cable (I think max range for fiber optic a little over 100k’s) but recently successfully tested sending via satellite.
Rather than just using quantum entanglement as an encryption key, full text communications are being sent.
“…hopes of intensifying America’s ability to wage cyberwar against the Islamic State group”
As soon as ISIS is evoked as a reason for anything, can safely assume it is bullshit.
If the US at any point in time were wanting to destroy ISIS, they would have taken out the oil convoys.
Seems most likely to be used to conduct ongoing cyber warfare against Russia and China, sabotage and so forth, but the way China is moving ahead with quantum computing and coms.. US cyber warfare may be just flailing around in the dark?
Richardstevenhack,
What you describe is a generally accurate view of the present state of play, not totally accurate, but close enough. This new CYBERCOM with new policy powers is a chance to change that and that’s worth fighting for.
Celine’s First Law Edit
National Security is the chief cause of national insecurity.
Sort of OT question, but only sort of. The rumors I have heard suggest that this CYBERCOM would be recruiting people who would not conventionally fit into the military. Is that true? I certainly have mixed feelings about that. I think there is some value in an organization have shared values, culture, etc. OTOH, from our work with kids at our high school, we have certainly worked with a few math/computer smart kids who would probably, I am guessing, work well with a true cuber unit who would never make it through boot camp.
Steve
steve,
The kind of people who are good at this cyber stuff are not the kind of people good at living in a government bureaucracy. There are NSA and CIA offices that have become safe havens capable of shielding these types from the every day bureaucratic abrasions. One of the proposals put forth for the new CYBERCOM is to allow for more short term assignments so there is more movement between private industry and CYBERCOM. Another point to remember is that CYBERCOM is not going to be very large, no more than a few hundred. DIA has well under a hundred personnel dedicated to this area, now probably exclusively on the analytical side. FireEye dwarfs DIA’s capabilities except for DIA’s access to classified information.
If CYBERCOM is going to be at all effective, they have to find a way to integrate themselves with the private industry side. And I don’t mean the contractors. I mean the big players like Verizon, Equinix, Cisco, Juniper, Microsoft and Apple. That’s where the manpower for network defense is located.
Cyber-Green-Zone $$$ and more 4 Star Commands is all I see…