The nation's cyber warriors have been elevated to a unified combatant command to rank on the same plane of importance as U.S. Strategic Command, U.S. Special Operations Command, and U.S. Transportation Command.
By J.R. Wilson
Elevation of the U.S. Cyber Command (CYBERCOM) to the status of a unified combatant command (COCOM), on the same level as the existing six geographical and three functional unified COCOMs, marks yet another step in the realization of cyber warfare as the fifth domain of war, as declared by NATO last year.
The change also will lead to CYBERCOM's separation from the National Security Agency (NSA), which was complicated because the two were governed by separate parts of U.S. Code - Title 10, covering the roles of the armed forces, and Title 50, which includes espionage.
A U.S. Air Force cybersecurity expert keeps watch for unusual computer and network behavior that might indicate a cyber attack or other unauthorized use of Air Force cyber assets.
U.S. Navy Adm. Michael S. Rogers was appointed head of CYBERCOM/NSA in 2014, the second to hold both titles. In testimony before the Senate Armed Services Committee in May 2017, he described the structure, roles, and future of the Command to lawmakers, emphasizing the growing threat of cyber warfare and the need for the U.S. to lead the world in offensive and defensive cyber capabilities.
The basic structure is expected to remain unchanged in the conversion to a unified command: six operational-level headquarters elements, assisted by U.S. Coast Guard Cyber within the U.S. Department of Homeland Security and the Cyber Mission Force - 133 teams, totaling some 6,200 military and civilian personnel and expected to reach full operational capability (FOC) by October 2018. That also is true for the Command's three operational duties: providing mission assurance for U.S. Department of Defense (DOD) operations (including defending the military information environment), supporting joint force commander objectives worldwide, and deterring or defeating strategic threats to U.S. interests and critical infrastructure.
"We conduct full spectrum military cyberspace operations to enable actions in all domains, ensure U.S. and Allied freedom of action in cyberspace and deny the same to our adversaries," Rogers told lawmakers. "Defense of DOD information networks remains our top priority, of course, and [we] will move this beyond a network focus to one that includes weapon systems/platforms and data."
Cyber-crimes and cyber war
Rogers also addressed the blurring of lines between what is typically labeled cyber crimes and what constitutes an act of cyber war.
"The pace of international conflict and cyberspace threats has intensified over the past few years. We face a growing variety of advanced threats from actors who are operating with ever more sophistication and precision. We track state and non-state adversaries as they continue to expand their capabilities to advance their interests in and through cyberspace and try to undermine the United States' national interests and those of our allies," Rogers told the senators.
The 24th Air Force, designated Air Forces Cyber (AFCYBER) in December 2010, is one of the four service components of USCYBERCOM. The mission of the 5,600-member unit is to deliver global cyberspace capabilities and effects for USAF and the Joint Force. AFCYBER directs cybersecurity and cyber warfare operations around the world "across six Lines of Effort: Build, Operate, Secure, and Defend the Air Force Information Network (AFIN) and directed mission-critical cyber terrain, extend cyber capabilities to the tactical edge of the modern battlefield, and Engage the adversary in support of combatant and air component commanders."
Air Force Col. Eric DeLange, commander of the 688th Cyberspace Wing, says the constantly changing cyber landscape, heavily influenced by commercial developments, has raised a seemingly mundane task to one of daily, even hourly or more frequent, concern: "housekeeping - patching, knowing the latest evolution of whatever products we are employing, mostly defensive."
"The threat ranges from the 17-year-old hacker in his basement seeing if he can hack into a DOD database to our nation state adversaries. And we have to be responsive to all of those," he says. "It's a continuing evolution, from the standup of 24th AF in the last eight years to its pending elevation to address the increasing threat as cyber becomes a greater part of everything we do, inside and outside of the DOD.
"From an Air Force perspective, broadly speaking, as network technology has evolved and shown its value in efficiency, we've jumped on that bandwagon - and now you see the services trying to protect that and make security part of the process from the acquisition perspective. It's always harder to retrofit, in terms of cost and integration, than baking it into our processes and platforms from the start."
Securing the network
As AFCYBER has worked to address those issues, it has developed two capabilities DeLange believes are critical to securing the network.
"One thing the Air Force has used to great success is ARAD [Architected Rapid Application Development], a peer-to-peer capability that enables patching at a very rapid speed. To be able to get something out quickly to respond to a threat is something we have seen great results with, such as the WannaCry [ransomware] outbreak a few months ago," he says.
Because there are so many potential targets in today's militaries, it would be impossible - with current state-of-the-art or foreseeable future technologies - to provide the best possible security for all.
"The question we ask on the DOD side is this: Is the goal to defend everything or only what is critical to executing the mission?" the Air Force's DeLange says. "Cyberspace is not just the technology, but also the processes, the humans employing systems and capabilities, so a great deal of thought is going into whether we need to defend the entire expanse of the network or just those critical things to our missions.
"Hopefully, if it comes to a fight, we can say goodbye to [networked] toasters and such, but what we need to fight a war remains. It's a calculus of risk - is it worth putting resources into things that, in the greater scheme of things, won't really matter? To identify that critical cyber terrain and look at the right way to defend it is the key. Technology opens challenges, but also is there to help with the defense."
Teams of cyber protection experts undergo an exercise to validate their ability to locate, defend, and counter cyber attacks targeted toward critical infrastructure, systems, or platforms. Cyber Protection Teams travel to various locations to help protect an Air Force mission.
Part of that effort falls to the Air Force Center for Cyberspace Research (CCR), established within the Air Force Institute of Technology (AFIT) in March 2002 to conduct defense-focused cybersecurity research at the Master's and PhD levels. CCR is designated as a national Center of Academic Excellence in Cyber Defense Research by the Department of Homeland Security and NSA. In June 2008, AFIT was designated as the Air Force Cyberspace Technical Center of Excellence (AF CyTCoE) by the Secretary and Chief of Staff of the Air Force.
Under the AF CyTCoE charter, the CCR works with USAF leaders to develop and maintain the cyber workforce via cutting-edge graduate and continuing education. CCR-affiliated faculty teach and direct graduate research focused on understanding and developing advanced cybersecurity-related theories and technologies, including critical infrastructure protection, network intrusion detection and avoidance, insider threat mitigation, cyber situational awareness, malicious software detection and analysis, software protection, and anti-tamper technologies.
An Air Force cyber transport technician uses a punch down and tone generator to locate power for Ethernet cables during Vigilant Shield 16 at 5 Wing Goose Bay, Canada.
Cyber education
In 2018, Cyberspace Professional Continuing Education (CPCE) will increase its annual student throughput - ranging from captains, staff, and technical sergeants and GS-9-to-12 civilians to majors, lieutenant colonels, colonels, master and senior master sergeants, and GS-12-to-14 civilians - from 680 to 1000.
The first group takes a three-week course, to be held 10 times a year beginning in 2018, called Cyber 200, designed to take them from tactical to operations level thinking in cyber ops. The second group attends a two-week course (which will be held five times a year), taking them from an operations level to a strategic level of thinking.
"My school asks students to think about operations constructs that can be put around PLCs [Programmable Logic Controllers] and executed as needed, looking at what we use in day-to-day ops that need to be considered for a focused effort in cyber," Lt. Col. Reginald Smith, director-CPCE says. "The critical part is an overall increased awareness of cyber in what we do.
"The sourcing of an attack is a major problem. Identifying the source is one thing, pointed at certain parts of what you are trying to do. A lot of focus, internally, needs to be on how to defend, know your system and how and when it changes, and how to decrease response time to those changes. So, a lot of emphasis must be put on the day-to-day operational response that analyzes and monitors a network."
Dr. Scott Graham, an assistant professor of computer engineering at AFIT, says CCR's primary activity is researching cyber capabilities.
"We don't develop them, but do proofs of concept. Students might try to determine if something is possible, on either the offensive or defensive side, such as trying to gain access to a target or mitigate an attack against a broader number of threats," he says. "The goal is not to deploy, but to see if it is meaningful to use those technologies. The way in which you use a technology may result in different vulnerabilities. A tool used for one purpose can be used for another, so it truly is a continuum of intent between cyber crime, terrorism, and warfare.
"Response can mean maintaining your own capability and recovering from whatever happens. Another is whether you do a counter attack, where attribution is a problem because if you assume one party did it and you are wrong, you've done an injustice while failing to solve the original problem. A lot of effort is being put into that, but it is very situational."
Speed of cyber attack
The speed at which a cyber attack occurs puts cyber warfare in a far faster-paced category than other domains, as does the speed with which an attack must be detected, identified, the impact assessed, the damage repaired, the source of the attack pinpointed, and any counter-attack launched. Some of that already is automated, but much is still routed through human analysts and commanders. As with other aspects of modern warfare, a major issue is the role artificial intelligence (AI) may play in the future of cyber warfare.
"Some responses are and will be automatic - the simple things we know how to deal with - but those that are more challenging or harder to detect or attribute could be delayed for a long time, depending on a lot of factors," AFIT's Graham acknowledges. "AI could respond faster and, in some cases, considerably better - but in others, worse. It is important to recognize that in the case of cyber, it is conflict with an active and intelligent opponent who has a voice in how things proceed.
"AI may be very good at a class of problems, but if the adversary finds a way to change the game, AI might be well-suited to the change or it may not. And we may not know how to prepare for that in advance. I would never want to put all our faith in an AI approach and claim it will be perfectly capable of defending against all threats. That would be naive. But it could be useful - just bounded," Graham says.
The Communications-Electronics RD&E Center (CERDEC) is the primary center for cyber R&D for the Army, with much of that work done in two directorates: Intelligence & Information Warfare (IIWD) and Space & Terrestrial Communications (STCD).
"CERDEC supports TRADOC and ASA/ALT in developing concepts and capabilities that enable the CEMA (Cyber Electro-Magnetic Activity) cell in Corps, Division, and Brigade staffs to plan, integrate and synchronize cyberspace and EW effects to support the commander's scheme of maneuver," says Dr. Michael Brownfield, senior technical advisor-CERDEC CEMA operations.
"TRADOC's Cyber and Intelligence Centers of Excellence are defining the doctrine, organizational, training, materiel, and policy requirements to effectively fight in cyberspace and the electromagnetic spectrum," Brownfield adds. "CERDEC is partnering with TRADOC and the Cyberspace/EW warfighters to develop advanced S&T technologies that will provide the CEMA cell with the requisite suite of tools to support these emerging requirements."
Ability to hide
Dr. Richard Wittstruck, STCD associate director, field-based experimentation and integration, says the current level of cyber threat to the military "is the ubiquitous nature of its ability to hide; there are millions of vectors an enemy can take.
"Our cyber defense posture is one of vigilance and diligence. We constantly monitor and patrol the defense networks," Wittstruck says. "There is always the chance of an intrusion through the JRSS' [Joint Regional Security Stacks] DOD puts up around the world that connect the defense enterprise and the commercial enterprise. That gets us into big data analytics and, eventually, AI, to know what a day in the life looks like across a JRSS and look for anomalies that may indicate a cyber attack."
"The first thing a commander will ask about a cyber attack is what is the impact on my maneuver and effects plan. He may allow it to continue, under surveillance, putting up whatever measures are needed to contain but not repulse it. But if the cyber attack prevents getting to the maneuver and effects plan, he has to augment his original with a contingency plan and find a new vector of the enemy to reach his military objective."
The high speed and precision of the 21st-century battlespace have turned situational awareness from a desired capability into a necessity, one that becomes more critical with each new advance in technology, especially in cyber warfare.
"One of the key themes to understanding emerging threats or zero day is a situational understanding of not only your network but partner networks so you can understand what normal looks like. The Army has a very wide footprint, from strategic to tactical, so one of our imperatives is providing situational awareness of not only our cyberspace but the spectrum and fuse those into a common picture to identify anomalies and present those to a commander," says Matthew Picerno, program manager for STCD Cybersecurity Special Projects.
"[Tracking and identifying the source of a cyber attack] is not necessarily a technical problem. There is no tool that can magically solve this. It really is a forensic process. Depending on where the attack is coming from, how sophisticated it is, how many potential rerouting points, it requires coordination with nation state partners to determine the true source. That's one reason cyber is so attractive as an attack engagement medium," Picerno says.
Combat cyber operations
Effective cyber operations in combat also require focused advance knowledge of the enemy and the ability to update that intelligence on the fly, in real time.
The 24th Air Force (AFCYBER) opened a new facility for U.S. Air Force cyber warriors at Port San Antonio, the former location of Kelly Air Force Base in San Antonio, Texas, last spring. Pictured is one of the stations used by Air Force cyber warriors.
"Conducting defensive cyber operations requires additional intelligence collection and analysis to understand the enemy's capabilities to deny or disrupt the network, a cyber IPB (Intel Prep of the Battlefield)," CERDEC's Brownfield says. "When an organization does not have the resources or expertise to conduct DCO-IDM (defensive cyber operations/internal defense measures), the CEMA team requests external support from an Expeditionary Cyber Team (ECT)."
Two developments - NATO's declaration of cyber as the fifth domain of war and the rapid move toward unmanned air, ground, and underwater vehicles - have led to significant changes in the requirements documents industry gets with new programs. That is especially true for "data-at-rest" - data saved to a recorder for future analysis, which is when it is most vulnerable (e.g., on an aircraft that goes down in enemy space), or held on removable high-density storage for transport, says Paul Davis, director-product management, Data Solutions Group, Curtiss-Wright Defense Solutions.
"[Cyber] is a huge concern and has really escalated in the last two to three years," Davis says. "Now pretty much every program we see has some level of cyber requirement. With UAVs, UUVs, UGVs - any unmanned vehicle with a potential to be lost or captured - we're seeing an increased focus on data security. From a product aspect, [NATO's decision] means specs coming down to us would include more specific data protection requirements.
"We've seen a number of specs that have that and are participating in a number of programs where secure data-at-rest is critical, especially in the protection of top secret data," Davis continues. "We've seen the pace increasing over the years and I expect we will see that focus on protecting data-at-rest continue to increase. Unmanned vehicles create another set of problems and now they are talking about using swarms, which could increase the possibility of loss or capture."
The military tries to make defensive and offensive counter responses to enemy cyber warfare operations as automatic and real-time as possible, notes Giorgio Bairdiella, IIWD senior engineer, "especially within 'blue space', our own networks where automation is something we strive for, from identifying an intrusion to quarantining. It gets problematic when we decide to strike back, which is where near real-time decision-making is often difficult to achieve without getting it to work at cyber speed rather than relying on humans to make decisions."
Cyber adversaries
"We've come a long way in improving cyber defense, military and commercial, much better than it was even five years ago," Bairdiella says. "From a military perspective, one thing you have to change with cyber is the mindset of 'who is my adversary,' which may not be the same on the ground as in the cyber domain. So, you have to think of what is the worst possible scenario I have to deal with."
Air Force cyber warfare experts work with new systems at the 24th Air Force (AFCYBER) new facility in San Antonio, Texas.
CERDEC's Brownfield, noting the U.S. is moving from two decades of counter-insurgent battles against an enemy with limited cyber effects to facing peer and near-peer adversaries with advanced means to detect and destroy U.S. forces, quotes USCYBERCOM Chief of Staff Maj. Gen. Stephen Fogarty, who told the 2017 CEMA Conference "if you can be detected, you can be killed."
"Against regional peers, this reality is true for both sides of the battle. We need to see the enemy to target his key weapon systems - and we need to see ourselves as our enemy does in order to protect our forces," Brownfield says. "Electronic warfare is important at all echelons within Joint theaters of operations, for the close and deep fight.
"Not only are we competing with friendly, civilian, and enemy for use of the spectrum, but electronic attack allows us to temporarily deny spectrum-enabled capabilities to our enemy in order to gain a tactical advantage. Small units on the ground are especially vulnerable since they rely on wireless communication to maintain their mobility. Small units also have the ability to deliver localized effects against the enemy."
Cyber and information warfare
The rise of cyber to an official domain of war and USCYBERCOM as a full unified joint command may not be the end of the debate over what is actually involved in cyber warfare.
"The Secretary of Defense and Chairman of the Joint Chiefs are raising the posture of 'is information a domain?' We're now seeing some military and civilian leaders asking whether we shouldn't just be talking about cyber itself, but about information warfare, because information is really the target," STCD's Wittstruck says. "So, you're seeing an evolution of thought in this nation and others, looking at trying to protect defense information against enemies of the state and using your own information to exploit and possibly attack the enemy. There will be more dialogue coming out of the Pentagon on that."
Whether it is called the cyber domain or the information domain, cyber warfare, or infowar, the concerns and objectives will remain the same - and continue growing.
"It all goes back to the risk-based concept. It is important to understand, from a DOD and USAF perspective, what are the 'crown jewel' targets, so when push comes to shove, with the right capabilities, we can defend those," DeLange concludes. "It will always be a knife fight. Today cyber is the most contested and congested domain. To say we're at war may be strong words, but we are in a fight every day, protecting our networks from intruders. Cyber will continue to move perpetually forward and we will have to respond to every new threat that develops, looking for ways that work to our advantage - offensive and defensive.
"The nature of war hasn't changed and won't change in the next 20 or 30 years. It's not really cyber warfare, but 'cyber in war,' with cyber being the newest and most dynamic domain. The capabilities will change, but not the nature," DeLange says. "The cyber domain is constantly shifting, patches being applied, new equipment being added or taken away. And as more things become IT-enabled, that surface space will just grow and the morphing of connections will keep accelerating."