U.S. DoD Cyber Warfare Command and Cyber Warfare Policy Implementation

Written by AJ Powell

The Department of Defense has recently expressed increasing concerns over the growing use of cyber threats existing in today’s world. Threat assessments have come in all manner of possibilities, and one only needs to look at the threats made by the self-proclaimed Islamic State’s laughable “hacking division” when they released a copy-and-pasted “wanted” list of 100 military personnel, encouraging others to kill them in their homes[1], to see where senior leaders’ concerns are coming from. There is no doubt about it: the continued growth of communication technology has seen cyber crimes and cyber threats grow in parallel, and with it come new challenges and difficulties in developing ways to protect information, equipment, and personnel – along with the general public and other assets – while still allowing law-abiding individuals the complete freedoms rightfully required to roam free about the vastness of the internet.

Terry Halvorsen, Chief Information Officer for the U.S. Department of Defense, issued a DoD-wide memorandum less than two weeks after assuming the responsibilities of the office, warning of the growing threat of cyber-crime.[2] Highlighted within his warning were the usual suspects of phishing[3] and spear phishing[4]. His concerns were a beat on the familiar drum… be vigilant, be suspicious, know the warning signs, stay informed and educated, and report suspected breaches. However, his words were nothing new. For years the military has sought to educate, inform, and protect its personnel and its systems from potential cyber risks. The problem is that the Department sees cyber risks as more in line with cyber threats, and is starting to show signs of aligning its policy and control efforts accordingly.

A good case of this is the issue of service members’ private behavior while using social media, and the privacy and personal freedoms and rights therein, which has become a massive debate within the DoD.[5] Back in January, a U.S. Army First Sergeant felt personally offended by something she saw on social media, but instead of simply scrolling on, she noticed the content was being “liked” and “shared” by other soldiers – of course subordinate to her in rank – and she felt the need to correct the individuals and invade their private profiles to gather information about who they were. Afterwards, she decided to go far out of her way to send emails to those soldiers’ commands, and at the same time made sure to copy high-ranking officers on her email so she would be assured the credit for calling the other soldiers out.[6] What was the end result? Her command awarded her a medal, and the vast majority of the Army now sees her as a glory hound who is toxic for the Army.

However, more in line with the cyber threat are the data exploitation and information protection issues inherent within social media today, as social media companies do everything in their power to force your privately set profiles into the public so they can extort user information for sale behind the scenes to marketing companies – and who knows who else – for a hefty profit. The concern is that, well… everyone is on social media nowadays, even the bad guys, and this makes social media new territory for cyber-warfare use in the exploitation of everyone’s data and information for DoD gains. The Department is more worried than ever about the protection of its personnel – especially its Special Operations Forces personnel – as well as all its other assets, but feels it is now justified in exploiting cyberspace in an offensive manner to go after anyone who “might” be considered a possible threat.[7]

Finally, cyber warfare seems to have become the newest rage against the United States by many around the world. China, Russia, Iran, North Korea, and many, many other nations have turned to hacking, spamming, hijacking, trolling, and attempted spying on American business and government networks at such an alarming rate that many experts are only just now coming to the conclusion that the U.S. is far behind the power curve in both defending itself and destroying its aggressors’ attempts to cause it harm.[8] Clearly there is now a need for new defense policy to empower the nation to combat these threats, but at the same time, many caution that the new initiative might become just another NSA spying ring.

Defense Secretary Chuck Hagel addressed concerns just like those when he spoke about the U.S.’s Cyber Warfare policy last March, and outlined the growth of the Pentagon’s newest Cyber Warfare units under the U.S. Cyber Command that stood up back in 2009.[9] His remarks addressed the size and strength of the command, which will become the largest of its kind anywhere in the world, but were also meant to put tensions about the mission to rest. Hagel made sure to note that the Defense Department is not out to militarize cyberspace, but the U.S. policy is clear in its efforts to seek out and destroy cyber threats to the nation, as well as to provide for the defense of the nation and its interests against enemies determined to cause the United States harm by nearly any means.

To attempt to answer the need for new cyber-threat protections, the Department of Defense set up the U.S. Cyber Command. Within it, each military branch now maintains its very own cyber command as well. The U.S. Army launched a new cyber initiative last year in the hopes of increasing protection capabilities across the force. The Army’s First Cyber Protection Brigade activated on September 5th, 2014 with the mission of advancing the Army’s cyberspace capabilities Army-wide.[10] A new Army MOS[11] – 25D, Cyber Network Defender – was created, and aggressive recruiting and training efforts began shortly thereafter. Other branches were quick to follow suit, with the Navy opening its new U.S. Fleet Cyber Command and initiating recruiting efforts for its new Cyber Warfare Engineer Officer positions. The Air Force did the same with the launch of its very own Air Forces Cyber/24th Air Force Wing. Together, all commands work to accomplish the overarching three-fold mission: first, provide cyber support to combatant commanders across the globe; second, operate and defend the Department’s information networks; and third, aid in defending the nation’s critical infrastructures and key resources when called upon.[12]

Yet, like all new initiatives within the military, now that everything is set up, the new problem is carrying out the mission. It should be noted that the DoD’s new cyber warfare policies are just that, new, and implementation of them means the development of new SOPs.[13] “Standard operating procedures are important for organizations because they reduce the amount of time spent processing each new situation and developing a response” (Peters, 2013, p. 133).[14] For the Cyber Warfare Commands, that could quickly become a serious challenge for several reasons. To start, the world of cyberspace literally changes on a daily basis. Technology today moves at such a rapid pace that normal industries have found it harder and harder to simply keep up over the last decade. What is new today may be obsolete tomorrow. For the U.S. military, which is built as one of the largest bureaucratic institutions on the planet, that is a serious hurdle. “An organization is likely to persist in defining policies and problems in the standard manner, even when the old definition or procedure no longer helps it fulfill its mission” (Peters, 2013, p. 133). What this means is that the Defense Department is used to the idea of operations and procedures being standardized, and even when things change, the military typically has a difficult time letting go of old ways of thinking and adopting new perspectives with which to define those new operations and procedures.

Communication is a problem as well. As Peters (2013) also discusses, “Unfortunately, the more levels through which information has to be transmitted, the greater is the probability that it will be distorted when it is finally acted on” (p. 135). Bureaucratic institutions have hierarchical communication systems designed within their structure, so as to feed information from the bottom to the top, and then back down again before operations can commence. While this often serves to enhance the structure of the institution itself, it also overly complicates the communication process, effectively limiting capabilities and wasting a lot of time, effort, and resources. Furthermore, those who know the most about the actual requirements necessary to carry out the operations – the Subject Matter Experts and Technical Experts – are all too often left at the bottom. These individuals actually do the job, but are not the decision makers, and while they will be the best bet in developing effective, adaptable SOPs for this area, all too often they are excluded from the developmental process simply due to their rank, position, and status.

Finally, there is the unknown vastness of the internet, and the complexity of the potential encounters that are mathematically possible. It has been estimated that less than 15% of the internet is actually visible, searchable, and indexable. This is the surface web, and it is the internet we know of and use every day. The rest, 80% or more, is known as the deep web. The deep web is unindexed, anonymous, and often only accessible by using special software. Additionally, web browsers and internet access programs such as Tor make it impossible for cyber professionals and government agencies to track individuals on the internet through the use of massive network relays, effectively creating the world’s best onion network.[15][16]

All that being said, it seems as if there are mountains to climb. But at the end of the day, the Defense Department is slowly stepping up to set up and execute its broad-reaching new cyber policy in directives spanning the entire DoD. Accepting responsibility for defending the nation’s strategic information assets against the rest of the world’s nations hell-bent on exploiting, spying on, and destroying the nation’s information systems is not going to be an easy task. The DoD currently aims to employ more than 6,000 Soldiers, Sailors, Marines, Airmen, and Civilians to accomplish the mission, and while training has already begun and individual units are being set up, SOPs are still in development, and many challenges are at the doorstep. More interesting than the number of enemies, the rapid advancement of technology, and the uncertainty of the playing field, it seems, might just be finding out exactly how such a massive institution will adapt to this new environment. In the end, it might finally have to learn how to get out of its own way, and it might finally realize the importance of letting those who actually do the job make the important decisions.




References:

[1] Temple-Raston (2015). ISIS Posts ‘Wanted’ List of 100 U.S. Military Personnel. NPR News. Retrieved from: http://www.npr.org/2015/03/23/394789426/isis-posts-wanted-list-of-100-u-s-military-personnel

[2] Cronk, T. (2015). DoD Warns Troops, Families to be Cyber-Crime Smart. Retrieved from: http://www.army.mil/article/145060/DoD_warns_troops__families_to_be_cyber_crime_smart/

[3] Phishing usually comes in the form of fraudulent emails that look like they are from real businesses – such as banks – that try to get you to give the sender your personal information. They usually include a message to update your account information or change your password, and when the link is followed, they often take you to a website that looks exactly the same as the business mentioned, but the web address is slightly different.

[4] Spear Phishing is similar, except the targets are government computers, and instead of a followed link, malicious code and software programs are used to enter the system to gain access to information.

[5] Powell, A. (2015). UCMJ Overreach into Social Media… Just How Far is TOO Far? Military Media. Retrieved from: http://www.militarymedia.net/2015/01/28/ucmj-overreach-into-social-media-just-how-far-is-too-far/

[6] Jahner, K. (2015). First Sergeant earns ARCOM for calling out online antics. Retrieved from: http://www.armytimes.com/story/military/2014/12/31/moerk-commendation-award-trolling/21103073/

[7] Schehl, M. (2015). Special Forces face increased cyber risks, challenges. Retrieved from: http://www.armytimes.com/story/military/tech/2015/01/29/special-forces-cyber-conference/22527419/

[8] Sanger, D. (2015). Document Reveals Growth of Cyberwarfare Between U.S. and Iran. Retrieved from: http://www.nytimes.com/2015/02/23/us/document-reveals-growth-of-cyberwarfare-between-the-us-and-iran.html?_r=0

[9] Nakashima, E. (2014). U.S. cyberwarfare force to grow significantly, defense secretary says. Retrieved from: http://www.washingtonpost.com/world/national-security/us-cyberwarfare-force-to-grow-significantly-defense-secretary-says/2014/03/28/0a1fa074-b680-11e3-b84e-897d3d12b816_story.html

[10] Tan, M. (2014). Army Activates its First Cyber Protection Brigade. Retrieved from: http://www.armytimes.com/story/military/tech/2014/09/09/army-activates-its-first-cyber-protection-brigade-/15352367/

[11] MOS – Military Occupational Specialty.

[12] Department of Defense (n.d.). The Cyber Domain. Retrieved from: http://www.defense.gov/home/features/2013/0713_cyberdomain/

[13] SOP – Standard Operating Procedure.

[14] Peters, B. G. (2013). American Public Policy: Promise and Performance. Ninth Edition. Sage Publications.

[15] Wikipedia (2015). Tor. Retrieved from: http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

[16] The Week (2014). Dark net: what lurks beneath the surface of the internet? Retrieved from: http://www.theweek.co.uk/technology/59043/dark-net-what-lurks-beneath-the-surface-of-the-internet

About the author

AJ Powell

AJ is a retired U.S. Army NCO who served in both the U.S. Navy and U.S. Army. He is a combat veteran, and has participated in contingency operations around the world. AJ is a graduate of Pennsylvania State University with a focus on Sociology and a degree in Organizational Leadership, and is published in the field of sociology. AJ is an inductive analyst, writer of military and leadership articles, aviator, a certified advanced operational diver, professional mentor and adviser, snowboarder, motorcycle rider, world traveler, and enjoys long distance endurance events.
