Cybersecurity remains a priority for the U.S. Defense Department, with officials protecting resources for it in the face of overall budget constraints. Guidance from the National Defense Authorization Act for Fiscal Year 2014 directs a mission analysis of cybercapabilities not only in the active military, but also across partners, to help forces maintain their edge in protecting the nation.
The military is conducting the analysis of its cybermission with a requirement to report to congressional defense committees by July. The analysis is mandated to contain a concept of operations and concept of employment for cyber operations forces across the personnel spectrum. A senior defense official explains that although the evaluations will be thorough, cyber is a dynamic field that requires constant evaluation and adjustment. The summer report will reflect the best answers at the time, but “we’ll continue to conduct analysis as we learn more in the coming years to meet the demands of the evolving security environment ... there is no end to this process,” the senior official states.
In effect, the guidance in the National Defense Authorization Act (NDAA) simply requires the military to do what it already was doing, but with an accelerated time line. “As you know, because it’s a total force process, [it] takes a lot of time,” the senior official says. Further complicating the effort is the reduced resourcing faced by the services. However, various documents and statements from the Defense Department continue to emphasize the cybermission as a priority, so leaders will continue to protect the domain. The recent requirement will help personnel focus on details.
The senior defense official explains it is important for people to understand why cyber is “such a big deal.” The threat is evolving, becoming more persistent and pervasive in both the public and private sectors. Military officials are building the trained and qualified forces who can counter a large cyber attack against the United States that would harm national and economic security. Though priority one is to defend military networks, protection of other assets is also part of the mission.
Because the analysis includes the total force, personnel will include groups outside of the military such as the Department of Homeland Security and industry. “It does include contracts and the capabilities that might best be fulfilled by going to the private sector,” the official states. “Industry really leads the way in terms of developing new capabilities.”
A large part of that total force is the reserve component of the larger military, with particular mention of and emphasis on the National Guard. The unique military/civilian nature of the reserve force brings in not only defense expertise and training, but also critical skills resident in the private sector. According to the NDAA, after consultations with the secretaries of the military departments and the commander of U.S. Cyber Command, officials should evaluate cybermission requirements that members of the reserve components can undertake.
Furthermore, the analysis, in consultation with the Secretary of Homeland Security, should consider “ways to ensure that the governors of the several states, through the Council of Governors, as appropriate, have an opportunity to provide the Secretary of Defense and the Secretary of Homeland Security an independent evaluation of state cyber capabilities, and state cyber needs that cannot be fulfilled through the private sector.”
Additional requirements involve identifying existing capabilities, facilities and plans for cyber activities in reserve components; assessing National Guard authorities to support certain missions and requirements; and considering cost requirements of various facets of cyber operations. Also necessary in the analysis are various examinations of personnel in the reserve components, including restrictions on lowering their numbers. The act prohibits reductions in the personnel of a cyber unit of the Air National Guard before the submittal of the report. No reductions are permitted in the personnel or capacity of the Red Team of the Air National Guard, either, unless the report includes a certification that the personnel or capacity to be reduced directly relates to capabilities that are no longer necessary. Red Teams carry out cyber operations for the Guard.
In the past, decisions about how the National Guard contributes to the cybermission total force did not always take into account full input from the Guard itself. “We in the National Guard believe ... may have been a premature assumption or decision,” says Col. David L. Collins, ARNG, National Guard Bureau J-6 and chief information officer. A document produced by the Guard evaluating the NDAA clearly states concern about the Defense Department’s approach to incorporating non-active-duty resources, pointing out that while all the military services have Reserves, only the Army and Air Force have Guard contingents. As analysis progresses, and interim command and control and concepts of employment and operations are further resolved, more certainty should evolve about how the Guard will furnish capability. No later than 30 days after the mission analysis report is submitted, the Chief of the National Guard Bureau will deliver an assessment of the role of his organization in supporting the cyber operations mission of the Defense Department as described in the report.
Col. Collins emphasizes that confusion still surrounds who qualifies as Cyber National Mission Force personnel. Currently, 133 different teams are identified across the military that fall unambiguously under that designation, but other groups such as intelligence, surveillance and reconnaissance units or various signal units lack such clear-cut labeling. Decisions on how to incorporate them affect cyberwarfare. Even what constitutes such warfare is still unclear, yet the decisions have national security and defense ramifications. Col. Collins explains that in the case of battles in other domains, the provision of reserve component forces is fairly straightforward. Without such delineations in cyber, questions abound, including how requests for troops even move forward. “The devil is in the details of perception,” the colonel explains. Answering the questions surrounding the issues requires the proper caveats.
How to request or supply Guard troops remains under discussion; the mission analysis should help resolve some of those uncertainties. But as long as definitions remain loose, what qualifies as cyber to whom will remain contentious.
The Guard’s dual nature reflects the cyberdomain itself. Adversaries often want to harm not military forces deployed in an operational setting, but stateside civilian infrastructure. Though the .mil domain requires protection, the most severe attackers are likely to target the .gov and .com domains, the colonel asserts.
Leadership believes the Guard is uniquely positioned to contribute to the nation’s cybercapabilities because of what it calls the big three plus one. First, troops have proximity to vulnerable cyber infrastructure in the homeland as well as relationships with the owners and operators of it. Second, the Guard has a unique law-enforcement authority that varies by state. As long as units remain outside of federal control, they can perform activities prohibited to the active-duty military. Third, the Guard has robust civilian-acquired skills within its ranks, including those from the technology sector. The “plus one” denotes that the Guard offers a place for cyberwarriors who leave active duty but are willing to serve in certain circumstances. It keeps military-trained skills in the force while allowing personnel to move mainly in the civilian world.
Col. Collins emphasizes that without clear concepts of operations and employment, much of how these factors come into play remains unclear. States and their leadership can use Guard resources in certain ways, opening up additional options for cyberdefense. “What the NDAA means to us, is it attempts to illuminate some difficult questions about how the Guard will be resourced with federal mission units,” Col. Collins says. The document mentions gubernatorial use in limited circumstances, but how the federal versus state missions are balanced, or combined when necessary, needs further elucidation. In its position, the Guard can employ proper release authority, unavailable to the larger military, and shift from national to non-national status. However, the work depends on public comfort and other concerns.
“The most important thing we want to get out ... is the National Guard will provide cybercapabilities to the DOD [Defense Department] and the nation via the cyberforce structure that is designed, developed and allocated by one of our two parent services, which are the Department of the Air Force and the Department of the Army,” Col. Collins says. Several arrangements already are in place, such as the allocation of a traditional Guard cyberdetection team to be activated in fiscal year 2016, though the Army Guard is looking to provide capabilities sooner.