U.S. cybersecurity must-do’s
A critical shortage of cyberspace-domain-trained and certified personnel affects the U.S.’s ability to defend itself against the spectrum of conflict in cyberspace. This shortfall is both quantitative and qualitative and goes beyond mere educational requirements.
There is potentially an even greater shortfall in the cyberspace work force in the event of a major national event in cyberspace. Cyberspace-domain assets and resources are not adequately trained or organized to meet the potential threats. The national educational system needs to be overhauled and reformed to produce an effective number of qualified personnel for both government and private-sector cyberspace-domain requirements. Our society must recognize and understand the comprehensive danger that exists in cyberspace and that threatens our security and economy.
A major-scale conflict in the cyberspace domain would initiate a tremendous competition for available cyberspace personnel resources with technology expertise — government and commercial entities already compete for limited cyberspace personnel and capability. Major cyber conflict will exponentially increase this requirement for federal capabilities (primarily in the military and Department of Homeland Security [DHS] but also in numerous other federal agencies, such as the Energy and Treasury Departments, because of their responsibilities and oversight of critical national cyberspace infrastructure).
At the tactical level, networks will need to be patched, servers rebuilt from original media and perimeter defenses strengthened — all requiring increased network management personnel and automated systems support. Additional tactical network personnel will need to build quarantined intranets to maintain communications for government and private-sector entities across critical nodes and boundaries that would need to be disconnected, or air-gapped, from the resulting Internet degradation. At the operational and strategic levels, experienced staff planners and leaders will be needed to make the difficult decisions required to prioritize, ration and enforce restricted and degraded bandwidth communications; develop and direct full-spectrum response to cyber aggression; increase network resilience; develop and select courses of action; and make decisions necessary to “fight through” the communications degradation of cyberwarfare while weathering potentially disastrous national infrastructure damage and collapse.
Personnel and organizations with offensive cyberspace capabilities will have to be deployed to conduct critical operations at the national, agency and theater levels. This scenario will require large numbers of personnel organized into units that have collectively trained and exercised together. These units will have displayed measurable cyberwarfare competence and be capable of fully utilizing advanced technology. These personnel must have an intuitive grasp of cyberspace operations supported by sound judgment developed through individual and unit collective experience. This experience must be gained through years of focused cyberspace exercises and operations, network technology understanding and full-spectrum information operations background.
One method of helping ensure the quality of the cyberspace work force is the use of commercial professional certifications. There are several conflicting aspects to this method. On the positive side, these certifications ensure that an individual has had recognizable and measurable cyberspace security training and exposure to information technologies and techniques common to cyberspace operations/missions. However, a drawback to this method is that it limits the available pool of immediate and potential candidates and can lead to difficulties hiring fully capable but uncertified personnel. An overreliance on certifications prevents many otherwise capable personnel from participating in critical federal cyberspace-domain operations. It also tends to favor personnel who are good at test-taking, as opposed to those who do not have that talent but are good at practical application of cyberspace skills and experience. These certifications do not judge the ability of the test-taker to apply critical and innovative thinking skills to cyberspace-domain security missions. So while the certification process can be useful, an effective system of evaluating, hiring and promoting cyberspace-domain personnel still requires personnel to be judged qualitatively.
TARGET AND RECRUIT THE YOUNG
There should be a greater emphasis on educating our youth so they understand the threat that cyberspace poses to the nation and its critical infrastructure. As high-tech consumer products with escalating and critical vulnerabilities reach an increasingly younger audience, these consumers need to be taught about cyberspace security at the national and individual levels.
Local and state educational authorities need to overhaul the way cyberspace technology topics are taught in the primary educational system and also ensure there is a cyberspace career path similar to other disciplines such as civil engineering or medicine.
Similarly, the military should overhaul its force development and management processes to create cyberspace-domain maneuver units. But in conjunction, a new approach is needed to develop recruiting, training, employment, promotion and retention mechanisms to maximize productivity of the limited number of personnel who are qualified to effectively conduct military operations in the cyberspace domain. Recruitment should focus on youths who have grown up with competence in cyberspace activities and have an innate sense of its fundamental technology. These recruits may not be attracted to traditional military benefits, and the military is competing with high-tech companies that are much more flexible in their recruiting and retention. Much of the military’s cyberspace-domain capability is found in the reserve components; the military should leverage the attractiveness of the reserve-component system to potential high-tech recruits and exploit its civilian-acquired skills. These cyberspace maneuver units (active and reserve component) need to be supported with meaningful career fields and opportunities for promotion for cyberspace operators, staff and commanders.
The military should develop these units with joint doctrine at the national and theater levels. The Defense Department’s Information Assurance range would be a good environment for these units to train and be tested in free-play scenarios similar to exercises at the National Training Center (NTC), Joint Readiness Training Center and Red Flag combat range. Free-play, full-spectrum cyberspace combat replication should be structured to provide individual and unit certification. It should also test and refine joint doctrine and provide a greater understanding of the impact of advanced innovative technology on cyberspace effects-based operations and targeting.
There is a diverse set of military documents that provides doctrine for cyberspace warfare; this should be consolidated into one overarching document and then be continually tested and refined in a free-play environment. This “NTC for cyberspace” should not be restricted to military use. Unlike the NTC, it should be open to use by DHS and other federal civilian agencies with an emphasis on joint interagency operations. A large number of federal agencies claim primacy in cyberspace, and they need to learn to operate together in cyberspace via simulated exercises. However, this NTC for cyberspace should not be strictly technology-focused. It should incorporate human factors represented by current full-spectrum information operations doctrine. At some point in technology-centric cyberspace, there is a human actor at the other end of the Internet, and the ultimate objective is to implement effects on that human actor and entire targeted populations.
CHANGE HOW WE BUY
The military’s acquisition process must provide these cyberspace-domain units with cutting-edge technology in a market-driven environment that evolves at an exponential pace. The current federal process for acquiring cyberspace technology is slow and cumbersome and is designed to acquire large-scale industrial products built to government specifications rather than to commercial market standards. Often by the time they are delivered, they are outdated compared with available commercial technology, and they are expensive to maintain.
The intergovernmental Data at Rest Tiger Team (DARTT), led by DoD and the General Services Administration, is an example of how rapid acquisition can be done. In six months, DARTT awarded multiple competitive blanket purchase agreements for encryption products for sensitive government data on mobile computing devices and removable storage media. This team was represented by 20 DoD components, 18 federal civilian agencies, NATO’s C3 agency, and state or local government agencies. This initiative was the first (and only) true effort to leverage the entire government to achieve huge product discounts, often 90 percent to 98 percent lower than previous GSA pricing, and negotiated favorable terms and conditions. It provided government customers with a set of acquisition vehicles containing interchangeable products. The per-user costs were so low (one encryption product was priced at $1.20 a user) that the products could be used for several years and discarded in favor of more advanced technology. It provides for after-award competition that maintains deep vendor discounts. It also includes an after-award process for technology refreshment that allows vendors on the five-year contract to upgrade their accepted products and offer vetted new technologies for government customers. This approach to cyberspace technology acquisition is rapid, flexible, inexpensive, interoperable, and it does not lock the government into a single homogeneous approach to network security. It also allows organizations to keep pace with the rapidly changing technology landscape via a formal technology refreshment process.
The Chinese government takes a radically different approach to education and training of its cyber work force. The Chinese approach to cyberspace conflict is strategic in nature and patient in its execution. They and the Russians often use their internal “patriotic hacker” community to conduct much of their cyberspace mission. According to SANS Institute research director Alan Paller, the training of computer experts is a top national priority for China. The Chinese government appears to be systematically building a cyber warrior force. “Every military district of the People’s Liberation Army runs a competition every spring, and they search for kids who might have gotten caught hacking,” Paller said. One of the Chinese youths who won that competition had earlier been caught hacking into a Japanese computer, Paller said, only to be rewarded with extra training. “Later that year, we found him hacking into the Pentagon,” Paller said. “So they find them, they train them, and they get them into operation very, very fast.”
The Chinese and Russian use of patriotic-hacker militia leverages an Internet trend toward the decentralization of cyberspace competition, conflict and warfare. The Internet was built to accommodate large numbers of decentralized collaborative users communicating and conducting business across an almost unlimited set of software tools, end points and nodes. Napoleonic France and World War II combatant nations (including America) were able to draw on their populations to participate in continental and worldwide conflict. In that same vein, the government should be prepared to mass mobilize and network large numbers of U.S. citizens with computer expertise to support national goals in the event of large-scale cyberspace domain conflict. The barriers to individual and cyber militia participation in cyber conflict are exceptionally low. The government might find a supportive patriotic cyber militia, a form of cyber corps civilian reserve, to be a valuable force. The Internet is the largest, most powerful and widespread tool for mass collaborative effort in history. There are several cyberspace-domain, militia-like organizations in the U.S., such as the Shadowserver Foundation and Hackers for Charity, that are primarily interested in fighting cyber crime, enhancing charity and protecting privacy rights and civil liberties. The government and its international defense partners should also be prepared to mobilize and synchronize cyberspace-domain citizens from across allied and coalition nations in support of mutually held goals and the defense of Western civilization.
A COMPREHENSIVE POLICY
National policy for the use and defense of the cyberspace domain must be closely coordinated and integrated across national, state and local government organizations and should include the national educational system. National policy also needs to be coordinated across the commercial sector because the greatest vulnerabilities — and most lucrative targets — lie within the private-sector commercial interest; the vast majority of the “terrain” that cyberwar will be fought on belongs to the commercial sector. The private sector is on the front lines of future cyber conflict — yet no government agency has the full legal authority or ability to protect this nation’s critical commercial networks from external attack. Commercial entities that coordinate with the government need to be protected from damaging information release, such as Freedom of Information Act searches by competitors searching for proprietary information, and from litigation, such as attempted Electronic Frontier Foundation and American Civil Liberties Union lawsuits against telecommunication companies that assisted the U.S. intelligence community. Most U.S. citizens have no idea how closely they are tied to national cyberspace vulnerabilities and the potential effect on the economic, social and cultural landscape that they increasingly take for granted.
The government must take additional steps to create a quality cyberspace-domain work force in adequate numbers to meet civilian, federal and military requirements. The government must create a certification body that develops standards for testing the cyber skills of federal employees, as well as contractors. DoD started this effort with the implementation of Directive 8570. This excellent DoD-wide effort, implementing certification standards for the information assurance/computer network defense work force, should be extended to the full-spectrum, offensive work force, as well. DoD must recognize and institute comprehensive changes in the way that the military personnel system treats cyberspace-domain personnel — requiring greater flexibility in the personnel system, providing for greater creativity and innovation, developing a more collaborative environment and allowing for wider latitude in lifestyle acceptance.
The military must develop cyberspace maneuver units with career tracks and promotion potential identical to those available to maneuver units in the other war-fighting domains (land, sea, air and space). Cyberspace should be accepted within DoD as just another war-fighting domain with combat units that fire/maneuver and perform command and control in ways that parallel combat units in the other war-fighting domains. DHS needs to develop cyberspace domain “combat” units in order to protect the dot-gov networks and provide assistance to state/local government and private-sector entities. The legal and political boundaries for a federal entity’s cyberspace-domain responsibilities need to be resolved via public debate and the interagency process. Doctrine for employment of cyberspace units generally needs to be developed, and what doctrine exists must be consolidated.
The government should examine more closely the Chinese and Russian methods of training, recruiting and employing the military cyberspace forces and their civilian hacker militia. It is likely that there are lessons and experiences that can be modified and adapted to our requirements. The U.S. has a tremendous number of civilian computer experts who are not part of the government or military — and who have no interest in participating in either. But their talents, skill and capabilities are necessary to the nation’s cyber defenses and to securing critical cyberspace infrastructure in the event of a national crisis. Steps must be taken to build these relationships, nurture this capability and plan for its employment. The concept and employment of national hacker militias fits into the basic foundational tenets of the Internet — decentralized and agile execution of operations.
It is probable that a major national cyberspace event will occur (and resolve for good or bad) far too quickly for these cyberspace-domain recommendations to remain unanswered, and there are fundamental issues that remain undecided. If we plan on the assumption that there will be another war, and that this future war will include open conflict or formal combat in cyberspace, these preliminary recommendations and proposed reforms need to be addressed. Operations in the cyberspace domain are precursors to success in the other war-fighting domains, and cyberspace is a major domain for combat operations in and of itself. For these reasons, the cyberspace domain deserves drastically increased visibility, thought and resourcing.
LT. COL. DAVID M. HOLLIS is the senior Army Reserve officer with U.S. Cyber Command and is a senior policy analyst/planner with the Office of the Undersecretary of Defense. KATHERINE HOLLIS is a cyberspace operations and security consultant and is a graduate of the National War College. The views expressed here are the authors’ own and do not necessarily reflect those of the Army or the Defense Department.