Crowdsourcing Confronts Cyber Challenges
The military can tap a wellspring of solutions from its own ranks.
An offshoot of social media, crowdsourcing could hold solutions to some of the biggest cybersecurity problems the U.S. Defense Department faces. The burgeoning field could find fixes for thorny legacy problems as well as emerging cyberthreats. This is exactly what is taking root at the Joint Forces Staff College in a course offered to service members and their Defense Department civilian equivalents learning cyber concepts in joint, interagency and multinational environments.
Understanding how to operate in and defend cyberspace are just two of the many challenges the department faces daily. It has focused on rapidly developing its Cyber Mission Force approach, launched in 2012 by military cyber leaders to meet these challenges, to provide cyber support to combatant commands and to operate and defend the Department of Defense Information Network (DODIN). Five years later comes the question: Is this approach working? The research of more than 120 students who have attended the Joint Command, Control, Communications, Computers and Intelligence/Cyber Staff and Operations Course (JC4ICSOC) suggests there is room for improvement.
The three-week Joint Staff-sponsored course, offered six times a year at the college, prepares intermediate-level staff officers, senior noncommissioned officers and their civilian counterparts for duty in command, control, communications, computers, intelligence/cyber (C4I/C) operations at a combatant command, a Joint Task Force or a headquarters. During the course’s second week, the class visits the national capital region to receive briefings from the National Security Agency, the U.S. Cyber Command (CYBERCOM), the CIA’s Center for Cyber Intelligence, the Department of Homeland Security’s (DHS’) National Cybersecurity and Communications Integration Center (NCCIC), the National Reconnaissance Office, the U.S. Secret Service cyber crimes division and the Defense Information Systems Agency. These visits expose students to each organization’s wide range of responsibilities and contributions to warfighters as well as the challenges each faces.
During the course’s final week, students must submit a five- to seven-page research paper on a relevant C4I/C-related topic. Nearly 70 percent of the topics over the past two and a half years have been directly related to cyberspace. Ideas that have emerged include elevating CYBERCOM to a functional combatant command and creating an entirely new cyber force on par with the other five military services. In a multitude of research papers on these subjects, students draw on their own experiences to arrive at solutions. Each student offers unique insights to complex cyber challenges and sheds light on some of the gaps that exist with current approaches.
Some of their ideas are now becoming realities. At least one research paper from each class has made the case that CYBERCOM should be elevated from a subunified command under the U.S. Strategic Command (STRATCOM) to a functional combatant command, a process now underway. Others have suggested the Defense Department not only elevate CYBERCOM to combatant command status but also model its acquisition processes after those of the Special Operations Command and authorize the new command with independent acquisition authority. Congress recently addressed this gap by providing the CYBERCOM commander limited authority for certain acquisition activities in the fiscal year 2016 National Defense Authorization Act, Section 807.
Another student idea is an entirely new military branch, as the modern-day Air Force was born from the U.S. Army Air Corps. This would be a natural progression for the cyber domain, which touches all the services.
In another example, students have offered ways for the DHS to safeguard the nation’s critical infrastructure better. The department’s NCCIC, which is charged with this task, lacks the authority to force any company within the 16 critical infrastructure sectors to comply with remedies to known vulnerabilities. This subject has spawned numerous research efforts to identify possible solutions. Some students have posited that private companies should be required to obtain a form of cyber insurance that would help influence compliance with National Institute of Standards and Technology cyber infrastructure standards. Any noncompliance could result in significant insurance premium increases. Others have suggested rolling up the nation’s critical infrastructure under the authority of the Defense Department. However, this proposal comes with its own set of obstacles because of Title 10 prohibitions on defense personnel mandating standards for the private sector. Some students have contended that the risk of not doing so is too great and that solutions can be found without government intervention. Every student understands the nation’s dependence on its critical infrastructure and seeks to offer unique solutions for safeguarding it.
Several students have researched the growing problem of retaining top cyber talent within the military’s ranks. The services always have been concerned about retention of highly trained and skilled professionals. That difficulty is exacerbated further by the unique skillset of cyber forces. Private industry also requires highly trained cyber personnel, and years of sequestration, pay caps and hiring freezes have left the military struggling to compete with commercial-sector pay.
Some students have suggested streamlining service-specific cyber training into joint training pipelines, which the Defense Department is beginning to do as it implements a new federated joint cyberspace training model. Each service and CYBERCOM have defined roles, and this should produce cost savings that could be applied toward retention bonuses or other incentives to retain valuable workers. Another suggestion to keep specialized talent: Apply Army Band or special forces methods, which base promotion on skillsets obtained rather than billets filled. Retaining cyber experts is crucial to the success of the Cyber Mission Force, and while steps are being taken to address this challenge, more can be done.
Courses such as JC4ICSOC can inspire original ideas to solve such complex problems. This is just the beginning of what crowdsourcing can offer to the joint force, and the information-gathering method has other applications. (For more on crowdsourcing, see Disruptive by Design.) Policy makers can crowdsource their challenges to students for possible solutions. Answers may come from a combination of ideas and sources, but in the end, the nation will be better prepared. The country always prepares for the war it last fought, but it also must prepare for the war at its doorstep.
Lt. Cmdr. Jon T. Wende, USN, is a JC4ICSOC instructor at the Joint Forces Staff College. The views expressed are his own.