The Department of Defense Cyber Strategy is a model for clear writing and thinking on cybersecurity. Unlike earlier DoD strategies, it drops the tone-deaf language about “dominating” cyberspace. Instead, the strategy recognizes an important but limited role for the DoD in the security of cyberspace. The strategy divides that role into three missions: (1) defense of the DoD Information Network (DoDIN); (2) defense of the United States against nationally significant cyberattacks; and (3) conduct of cyber operations in support of conventional military operations.
How the DoD fulfills the first and third missions is clear based on what the strategy says (and does not say). Cyber Protection Forces will carry out the first mission; their role is pure network defense. In turn, the Combat Mission Forces will engage in cyber operations in support of military operations around the world. Their role is pure offense. In between the two is the second mission. Per the strategy, defending the United States in cyberspace is the job of the National Mission Forces. Yet, how the National Mission Forces will carry out their mission is left unanswered by the strategy. Many pundits assume that the answer will be a mixture of offense and defense—assisting private companies with network defense as well as conducting offensive operations to stop cyberattacks that overwhelm these defenses. While the DoD has a monopoly on offensive operations, the assumption that the DoD will also provide defensive support to the private sector is problematic. It could lead the DoD down a dangerous path, one that could upset long-standing traditions on the respective roles of civilian and military organizations in our democracy.
Teasing Out the Role of the National Mission Forces
The DoD’s intentions for how the National Mission Forces will carry out their mission are hard to divine from the strategy. The strategy makes clear that the role of the Cyber Protection Forces is what is traditionally considered network defense. In all, the strategy spends over four pages on defense of the DoDIN, delineating 15 tasks and 16 sub-tasks under this mission area. Cyber Protection Teams have a mission to “discover, detect, analyze, and mitigate threats and vulnerabilities to defend the DoD information network.” Their role is network defense, taking place on the DoDIN, not off it. When discussing the offensive mission, the strategy is noticeably and reasonably more circumspect and circumscribed, devoting only a couple of bullets to it. What the strategy does make clear is that the Combat Mission Forces are an offensive component, as their name implies, that takes the fight to adversary networks.
For the National Mission Forces, the strategy signals a hybrid mission—it is a hodgepodge of both offensive and defensive language. The National Mission Forces are meant to develop “capabilities to mitigate sophisticated, malicious cyberattacks before [emphasis added] they can impact U.S. interests.” This emphasis on preemption may indicate that the role of the National Mission Forces will be to conduct offensive operations in defense of U.S. networks; however, it could also imply a network defense mission to block attacks before they cause harm. The idea that the DoD should operate defenses for the private sector has proven to be unworkable, yet the strategy does not definitively rule out this role, leading many watchers of cyber policy to conclude that Cyber Command will only be a phone call away to assist with cleaning up intrusions and stopping follow-on attacks.
The assumption that the National Mission Forces will have a defensive role is based on two faulty premises: first, that the DoD has network defense capabilities that exceed those of the private sector; and second, that the government recognizes a responsibility to provide network defenses to private companies being targeted by national adversaries. Neither is true. The best network defense teams in the private sector are as good, if not better, than their DoD counterparts; moreover, while the DoD has strong capabilities, it does not have extensive capacity. Private sector capabilities are available for purchase and therefore subject to market forces rather than Congressional action in determining how quickly private sector capabilities grow.
Any attempt by the DoD to provide network defense capability to private companies will undermine the significant effort undertaken by the Obama administration to convince private companies that it is in their interest to address cyber threats on their own terms rather than by having government either dictate standards or directly intervene and provide network protection.
Attempting to scale the DoD’s network defense operations to cover vast swaths of the economy, even if it could be done effectively, would undermine private investment in cybersecurity. Bringing the military into the domestic realm would also raise significant privacy and civil liberties concerns and violate long-standing traditions in American civic life. Instead, the National Mission Forces should have a singular focus on developing the capability to deter and disrupt nationally significant attacks through the use of offensive operations when network defense and law enforcement action are ineffective.
The Pitfalls of a National Protection System
While the strategy provides little detail on how the National Mission Forces might provide defensive support to the private sector, the thinking behind the strategy has been made public. In a seminal 2010 piece in Foreign Affairs, then-Deputy Secretary of Defense Bill Lynn set out how the DoD would defend the nation in cyberspace. He began by describing how the DoD defends its networks. “The National Security Agency has pioneered systems that, using warnings provided by U.S. intelligence capabilities, automatically deploy defenses to counter intrusions in real time,” he wrote. “Part sensor, part sentry, part sharpshooter,” he continued, “these active defense systems represent a fundamental shift in the U.S. approach to network defense.” Lynn explained that this technology is placed at the points of presence where military networks connect with the Internet and blocks attacks before they get inside the DoDIN.
Lynn went on to raise the possibility that the protection system the Pentagon developed for its own network should be used to protect the rest of the United States in cyberspace. “Policymakers,” he wrote, “need to consider, among other things, applying the National Security Agency’s defense capabilities beyond the ‘.gov’ domain.” That was the idea behind the National Cybersecurity Protection System, the over-arching program under which the much maligned DHS Einstein program falls. While initially focused on providing protection to federal agencies, naming the program the National Cybersecurity Protection System implies that grander vision. Yet given the difficulties in deploying the system to federal agencies, well documented by the Government Accountability Office, the technical, legal, and policy hurdles to the government deploying the system to the private sector likely cannot be overcome even if the political environment created the appetite to do so.
Writing in 2010, Lynn could not have predicted the political environment that the Snowden revelations would create some three years later. In 2016, the FBI could not muster better than 50 percent public support for forcing Apple to assist in gaining access to the data on a phone owned by the employer of a deceased terrorist. Today, the idea of allowing the NSA to police domestic networks for cybersecurity purposes is almost laughable. Furthermore, the advantage that Lynn cites for the NSA’s technology over commercial solutions no longer holds true.
The use of “government intelligence capabilities to provide highly specialized active defenses” in 2010 could potentially give network defenders a chance against malware that was not known to the commercial world of signature writers. Today, stopping new malware does not require “using warnings provided by U.S. intelligence capabilities” but signatureless detection systems that identify anomalies in how files are executed and in network traffic patterns. Solutions are sold by companies like FireEye, Palo Alto Networks, Fidelis, and others.
In the summer of 2015, the DoD’s defense system went up against an alleged Russian adversary. It lost. In August of that year, the DoD disclosed that the unclassified email system of the Joint Chiefs of Staff had been hacked. The attack, attributed to Russia by a Pentagon spokesperson, was said to be “sophisticated.” Yet in one respect, it was fairly routine: the attack began with a spear-phishing email. In response, the Pentagon shut down the system for two weeks, leaving 4,000 staff members without access to unclassified email systems.
The Pentagon deserves credit for quick detection and isolation of the incident. Yet the incident is instructive for those who would hope that the Pentagon has all the answers this nation needs on cybersecurity. The Pentagon’s network defense sensors clearly failed to identify and stop both the spear-phishing email and the malware used to infect and take over the email system. Instead, the intrusion was detected only after the malware had been installed and was engaging in some form of anomalous activity that the Pentagon’s intrusion analysts were able to spot.
What this event suggests is that the capabilities the Pentagon can bring to network defense are no doubt very good, but also that they are not far and away above solutions developed by private companies. If the Pentagon has yet to crack the code of spear phishing, which would force adversaries like the Russians to identify and exploit remotely executed vulnerabilities, the Cyber Protection Teams are still wrestling with the same set of problems the rest of the community also has yet to solve. While it may be appealing to hope that the Pentagon could deploy its sensors on the networks of private companies or on the backbone of the Internet and filter out malicious traffic before it reaches its intended victim, there is nothing to suggest that these capabilities would be better than those that private companies can buy on their own.
If in fact these systems did provide capabilities that the private sector needed to defend against advanced adversaries, the civil liberties implications of the DoD operating them would be enormous. In order to stop malicious activity on the Internet, you first need to monitor for it. Any system, whether established nationally to cover all traffic or only for enclaves behind which companies would be protected, would need to be able to scan all traffic, thus requiring that the traffic be unencrypted at the location of the sensor. The growing ubiquity of encryption would render these systems useless unless the DoD were able to mandate that it be provided clear text so its systems could read every email that crosses the networks they protect for signs of spear phishing and examine every packet for malware.
Given these concerns, a better solution than having the DoD operate network defense for the private sector would be to commercialize the capability. That is in fact the approach that the DoD took in 2012, when, in a partnership with the Department of Homeland Security and managed security service providers, it allowed private companies to buy security services that incorporate classified signatures provided by intelligence agencies through a program called Enhanced Cybersecurity Services. Thus far, interest in the program is reported to be low. The strategy references Enhanced Cybersecurity Services but does not definitively and categorically rule out operating network defenses for the private sector itself.
Cyber Command as a Supporting Actor
The hacking of the Joint Chiefs email system is a reminder that effective cybersecurity cannot be done at the network perimeter, but instead requires the ability to identify and contain malicious activity inside the network. Lynn identified the ability to “hunt” within the Pentagon’s own networks as a critical capability for when perimeter approaches fail. In the commercial market today, hunting for threats is the latest craze. Companies are recognizing that every endpoint must become a sensor inside their network for detecting malicious activity; that they must monitor “east-west” flows of data within their networks; and that they must store and process log data to conduct forensics on intruder activity. All this activity takes dedicated time, resources, and knowledge of a company’s network. If operating perimeter network defenses is not a viable option for the National Mission Forces to fulfill their mission, can they at least provide support to help ferret out threats inside private networks?
The strategy certainly contemplates that part of the DoD’s mission is to assist the private sector in protecting itself as part of Defense Support to Civil Authorities (DSCA). The problem with relying on the DoD’s hunt teams to assist private companies is one of scale and incentives. While much has been made of Cyber Command’s plans to grow its personnel to 6,200, this is a relatively small number of people in a field that currently has 250,000 job openings. The number of job openings in the field is expected to grow four-fold in the next five years. Moreover, the National Mission Forces are expected to be a fraction of the total force size.
In a 2015 interview with Defense One, Lt. Col. Valerie Henderson, a spokesperson for Cyber Command, broke down how the 6,200 personnel would be deployed among the three force components. Nearly half (2,720) will go to the Cyber Protection Teams; 1,600 will be on the Combat Mission Teams; the remainder, only 780, are planned for the National Mission Teams. For perspective, the CEO of J.P. Morgan, Jamie Dimon, has committed to building his company’s cybersecurity staff to 1,000 people. With so few resources, the National Mission Teams will be forced to selectively choose which private companies receive free cybersecurity services from government; in so doing, they will compete with private companies that offer these same services on the open market and undermine the push to make the private sector absorb the costs of cybersecurity. As Mark Weatherford, former deputy undersecretary for cybersecurity at DHS, has put it, “The government is not going to come riding in on a white horse to rescue you when you have a security incident.” Ironically, the DoD’s positioning on the role of the National Mission Teams may undermine investments in cybersecurity by private companies, thereby leaving the nation less secure in cyberspace.
Offense in Support of Defense
If the DoD should not play a role in network defense, what then is Cyber Command’s role in defending the homeland? As in other areas of defense policy, the role of the military is to defend the homeland from foreign attacks by projecting power abroad, not by policing our cities or the networks of fiber and copper that connect them. Rather than operate firewalls and intrusion prevention systems for the private sector or provide advice on how to do so, Cyber Command should train, plan, and equip to use its offensive capabilities when defense is no longer tenable. Indeed, the strategy seems to recognize as much, noting that “[a]s a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation.” Building the capability to carry out this mission is no small matter and should be the primary focus of the National Mission Forces.
In order for Cyber Command to use its offensive capability in defense of U.S. targets, it will need the ability to communicate securely and in real time with companies suffering attacks. In the event of a large-scale attack on the Internet, Internet-routable communications could be down; moreover, if the attack involved the compromise of targeted systems, those systems might not be available and certainly could not be trusted to coordinate offensive action. Thus, in order for Cyber Command to play a role in defending the private sector, the government will need to extend a secure and classified communications network to Tier 1 Internet Service Providers, major information technology firms, and critical infrastructure companies. A model for such a network exists in the Defense Industrial Base Network (DIBnet), a Secret-level classified network that the DoD provisions for communicating with Defense Industrial Base companies. In line with the respective roles of the DoD and DHS, the role of provisioning the network should fall to DHS, with the DoD as one of many potential users.
The Digital Rubicon
The creation of DHS in 2002 after September 11 was an implicit recognition that even a catastrophic attack on American soil is not grounds for inviting the military into the domestic realm. In other areas parallel to cybersecurity, we can see why there is a role for a civilian agency in defending the homeland. Our borders are not patrolled by our military; that is the responsibility of the Border Patrol, a component of DHS. Likewise, the other civilian institutions that protect the American people within our borders are either contained within civilian federal agencies at DHS (the Coast Guard, the Transportation Security Administration, FEMA) or the Department of Justice (FBI) or vested at the state and local level. Cybersecurity should be no different.
When civilian capacity fails, as FEMA’s did during Hurricane Katrina, Defense Support to Civil Authorities may be an appropriate short-term response. As with that example, the appropriate long-term response is to build the necessary civilian capacity, not to make the military’s role permanent. In the decade since Hurricane Katrina, FEMA has gone from being the most maligned federal agency to being the most well respected. In the most recent polling by Gallup, 75 percent of Americans are satisfied with the federal response to disasters (note that in this same poll, homeland security efforts at 57 percent barely nudge out national defense at 56 percent). While DHS is not well regarded in cybersecurity, the appropriate response is to build the capacity there, not to turn a civilian mission over to the military.
As the DoD works to further refine its talking points on cyber warfare, it should strive to be clear that its role in defending the homeland in cyberspace is primarily in the use of offense to deter and disrupt malicious cyber activity. Network defense activity beyond the DoDIN is not and should not be the responsibility of the DoD. While DoD elements may provide support to private companies through DHS, this support should be limited, temporary, and no substitute for investments in cybersecurity by companies.
If the government judges that it must provide assistance to private companies, that assistance should be provided by DHS and its partner (civilian) Sector-Specific Agencies. The mindset that DHS should be a conduit whose authorities are used to channel DoD capability must end. The DoD has neither the scale to provide broad support to the private sector nor specialized capabilities that DHS could not acquire or that companies could not build or purchase on their own. If the next administration judges that government must intervene to provide protection to companies, it would be more effective and less cumbersome to simply subsidize cybersecurity for private companies rather than to attempt to provide security services.
Dating back to the Roman Republic, democracies have long held that the military’s involvement in civilian life should be strictly limited. When Julius Caesar crossed the Rubicon River in 49 B.C.E. and failed to turn over control of his legions to the ruling governor of the Italian province he entered, he violated that rule, setting into motion the events that would end the Republic. When President Obama issued a veto threat against the Cybersecurity Information Sharing Act in 2013 because it would allow direct sharing of information between the private sector and the NSA, it was in this vein of thinking.
“The Administration supports the longstanding tradition to treat the Internet and cyberspace as civilian spheres, while recognizing that the Nation’s cybersecurity requires shared responsibility from individual users, private sector network owners and operators, and the appropriate collaboration of civilian, law enforcement, and national security entities in government.” In short, the DoD must coordinate its role with the civilian agencies responsible for domestic security, not replace them. Its job is to conduct operations in cyberspace to blunt threats to the United States when network defenses are overwhelmed, not to operate those defenses. To do so would take our military service across the Digital Rubicon.
A version of this article appears in International Engagement on Cyber VI, forthcoming for Georgetown University Press in December 2016.