Convergence Dominates Army Cyber Activities
The broadening invisible threat requires a change in operational mindset.
The U.S. Army is converging many of its communications, electronics and intelligence disciplines to combat a cyberthreat that already has eroded much of the competitive advantage the U.S. military has possessed in recent years. Countering this threat virtually mandates that cyber operations move into the realm of fully integrated operations.
When Lt. Gen. Edward C. Cardon, USA, took command of Army cyber about two years ago, he admits that he was surprised at “the speed of the threat.” In addition, the operational and organizational concepts of cyber did not match other Army commands. Cyber issues had been approached from either a communications perspective or an intelligence perspective—not from an operational perspective, says the head of U.S. Army Cyber Command/2nd Army. But after the past two years, the Army now has a mission that can be task-organized within the service’s construct. The general adds that Army doctrine for elements such as fire maneuver and protection fits well with cyber.
The greatest problem with cyber is that many people do not realize what is going on all around them because they cannot see it, Gen. Cardon offers. Over time, their awareness is increasing as their own lives have been affected by events such as credit card hacks. These attacks have brought cyber issues more to the forefront, he points out. Paraphrasing Russian revolutionary Leon Trotsky, Gen. Cardon says, “You may not be interested in cyber, but cyber is interested in you.”
Commercial hacks are but one type of cyberthreat, and others apply in military terms. Gen. Cardon notes that Russia used cyber attacks in Estonia, Georgia, Crimea and Ukraine as an effective part of integrated military operations. Iran launched cyber attacks on commercial targets such as Saudi Aramco in Saudi Arabia and RasGas in Qatar, and both saw their data wiped clean and their databases reduced to “bricks.” North Korea undertook a similar attack on Sony, and it is a small leap to consider the effects of these kinds of attacks on U.S. command and control systems.
Then there is China, which has tapped U.S. government and commercial databases for vital information to aid its military-industrial buildup. “How come a lot of their systems look like ours?” Gen. Cardon asks. “Billions of dollars we have spent to develop a competitive advantage in our military capabilities are wiped out by cyber theft and cyber espionage. That comes directly back on the military.”
All military cyber elements must work as an integrated whole with operations, the general emphasizes: “It will be most effective when you converge it with physical operations, much as the Russians have shown in some ways in Ukraine. That’s the future; we have to do that, and it involves a lot of change because cyber does not come right to the forefront when you start to think about operations.”
Ultimately, the cyber problem will be resolved when the Defense Department, industry and academia come together better to address its challenges, Gen. Cardon offers. Many of the same threats the Defense Department faces already have struck industry, he points out, and that expertise can be applied to military vulnerabilities. Too many people think of cyber as a military problem, when it often is not. Defense cyber organizations can focus only on protecting defense information networks, but commercial cybersecurity may be key to defending against a range of cyberthreats.
The general observes that many commercial information technology firms each have science and technology budgets that run in the billions of dollars. In contrast, the Army’s science and technology budget is dwarfed by those corporate equivalents. The Army must work with them by keeping them informed; in turn, industry can build products and capabilities at speed. But forming closer relationships with private industry that allow for a freer exchange of ideas need not focus on cutting-edge technologies, he notes. He suggests taking an operational approach that would not affect patentworthy capabilities.
The cost-benefit ratio with cyber is strongly out of line, the general continues. According to some experts, for each cent it costs to launch an attack, it costs $1 to defend against it—a 100-to-1 ratio against defense. Fixing that will require some dynamic action, he says.
A convergence of defense, industry and academia is only one type of convergence needed for cybersecurity. The Army is undergoing its own merger of cyber activities, such as intelligence, electronic warfare and information operations.
“Convergence by its nature is disruptive, and whenever you have disruption, it involves change—and change is hard,” Gen. Cardon offers. “Exactly what this is going to look like in the future, I’m not sure … I think it is going to evolve over time.
“But you can see that the defense is informed by intelligence, and intelligence is informed by the defense,” he adds.
Throw electronic warfare into the mix, and the definitions become even more blurred, as electronic protect and electronic attack combine to interface with other facets. The same holds true for traditional labels such as offensive and defensive cyber operations.
“We don’t talk about defensive and offensive infantrymen,” the general analogizes. “We just talk about infantrymen. Over time, it will just be cyber.”
The Army has begun to bring full-spectrum cyber into its combat training center rotations, he adds. The service used to bring in a cyber opposing force, which would hammer blue forces extensively. Now, the opposing force is working against defensive cyberspace operations, and commanders can integrate lower-level offensive cyber capabilities. The result is a more realistic two-way cyber environment.
“If you don’t recognize [that] cyber is a form of maneuver, then it’s just another capability that may or may not be integrated based on the expertise of the staff,” Gen. Cardon declares.
The cyber realm is contested space 24 hours a day, seven days a week, he observes—“and it’s unforgiving.” The enemy needs only to succeed once. With a perfect defense being virtually unattainable, the Army aims for a defense in depth “with a proper articulation of risk,” the general says. “You cannot rely on just a firewall, [and] you can’t rely on just the latest patch. You have to rely on a constantly improving architecture, network hygiene and good user practices.” He decries people who continue to click on email links even when they are aware that spear phishing is probably the most visible attack vector.
Army cyber has had discussions with private industry on security, Gen. Cardon allows. The conclusion is that protecting against a nation-state actor is almost impossible because the attacker has the resources of a government to bear against a small target. The nation-state attacker can wait a long time for that single opportunity, perhaps born of a human mistake, to become available.
Some emerging technologies offer hope, he notes. Data analytics could aggregate information in ways never before achieved, for example. Some cyber companies already are releasing threat data that would have been top secret a few years ago, the general observes, but these companies simply are using available data aggregated in new ways. “If you take that aggregated data that has given you actionable pieces that you can act at speed, then you will have a defense in depth that can operate at the speed of the adversary,” he suggests.
Each of the U.S. services created its cyber forces differently, Gen. Cardon explains. The U.S. Navy’s cyber force grew out of its cryptologic cyber service, and U.S. Air Force cyber grew out of the service’s communications side. The Army did it the hardest way: It spent a significant amount of time determining how to do it and ultimately created an entirely new command to serve as its cyber force, the general states. Over the long term, this will prove an advantage, he adds.
Each service also tends to approach cyber from the perspective of its main operational domain—air for the Air Force and sea for the Navy. The Army has an inherent advantage in cyberspace, Gen. Cardon offers, because ultimately most cyber effects are against a person. That plays into the Army’s domain of land warfare with its focus on people. “We approach cyber through a land-doctrine view, which often is organized against people and often is the way cyber interacts. That is congruent with the way cyber works,” he says.
This does not mean the Army goes alone in cyber. “Cyber was born joint,” Gen. Cardon declares. The service will have 133 teams in the Cyber Mission Force by 2017, and they are being trained to the same joint standard, which improves interaction among the services in cyber. Gen. Cardon points out that he has substantial interaction with his counterparts in the other services. “The environment itself drives collaboration. If you don’t collaborate, you’re not going to be able to be defended,” he says.
While the U.S. Cyber Command (CYBERCOM) is the font of support for the services, each service also has networks that are radically changing as a result of the Joint Information Environment. The four individual service networks are becoming a single network, but the current construct still is service-related, Gen. Cardon says.
CYBERCOM will play an increasingly greater role, but the issue of centralization versus decentralization will continue to define its relationship with military cyber organizations. The general views Army cyber’s role as generating options for the national command authority. Along the same lines, many exercises have shown the value of a joint approach to cyber. For example, a Navy team offers a Navy perspective, and an Air Force team presents an Air Force perspective. When these different perspectives are put together, the result is a joint view that accounts for all the physical domains, which provides a greater competitive advantage for U.S. forces. “It’s really important to bring the power of the services into this space under an organizational construct led by CYBERCOM,” Gen. Cardon declares.
Competence and character really matter in cyberspace, the general adds. The Army must staff cyber personnel with top talent, which is in high demand throughout government, academia and the commercial sector. The Reserve components provide an option, but the Army must work to retain its skilled cyber professionals.
Gen. Cardon allows that he has spoken with the directors of the Army National Guard and the Army Reserve components on how to identify the right people within those two organizations to provide effective cyber expertise when needed. This is a good opportunity for the Army, given the size of the Guard and Reserve together. The goal would be to have people who work in cyber in the private sector “have their foot on both sides,” the general says.
One of his top worries is to continue to have “the innovative and adaptive culture that can keep up with the speed of change,” Gen. Cardon allows. “Staying static in this space is a losing proposition.” Army cyber training is adjusted for every course, which is a departure from standard Army practice. He believes the Army should completely re-examine the way it conducts cyber training.
Conventional Army forces deploy, return and experience a reset period before they go back to the field. Cyber forces have no reset period; they are deployed all the time. They must adapt while operational in an Army that is fairly hierarchical, with well-established rules built over a number of years. “The challenge for us is to take what we learn, be able to roll it right back into our force and have a much faster churn than we have today,” the general emphasizes.
He says the Army is not struggling to recruit the right people for cyber. Many people join the Army to receive this type of training, he points out. This year’s crop of cyber recruits had the highest scores of any career management field in the Army, and the service required no waivers to fulfill its targets for the six-year enlistment.
The problem is on the other end. After six years of training, the Army-minted cyber experts are hard to retain. Other branches of government as well as the private sector are attractive alternatives for a variety of reasons. Army cyber personnel retention is an issue for both uniformed and civilian experts, the general allows, and the solution likely will require another type of change. “The traditional way we manage people is not going to work in this space,” he states. “We have to be different.”
Budget resources are not an issue. Army cyber receives what it needs and is inside the Army’s programming mechanisms, the general adds. The problem is that the government shutdown and furloughs have wreaked havoc with consistent and predictable long-term funding, which in turn affects programs and training.