U.S. Cyber Command Means To Magnify Cyber Intelligence
U.S. Cyber Command officials anticipate—and are prepared to counter—multiple arguments against the command’s proposal to create a dedicated cyber intelligence center to provide intelligence on international cyber forces.
The arguments presented by Air Force Brig. Gen. Matteo Martemucci, Cyber Command’s director of intelligence, include the fact that other organizations already provide elements of cyber intelligence, the possibility a new center could pull resources and talent from existing organizations and the idea that the cyber domain is not yet mature enough to warrant such a center.
Working with the Defense Intelligence Agency, Gen. Martemucci recently completed a 30-day mission analysis for a foundational cyber intelligence center. He discussed the proposal on the record November 8 with AFCEA’s Cyber Committee. With the mission analysis, officials determined what types and numbers of intelligence products the proposed center would provide. Gen. Martemucci estimated at the time that officials were 18 months into their initial assessment. He also reported that both Gen. Paul Nakasone, USA, who commands U.S. Cyber Command and the National Security Agency, and Lt. Gen. Scott Berrier, USA, commander of the Defense Intelligence Agency, “agree in principle on the need” for the center.
The next step, he indicated, is to define the requirements, such as the budget, number of personnel and the amount of office space needed. “We are in the stage of defining the actual requirement to allow for the resourcing discussions to happen. And we are now at the point where there is, I believe, a collective recognition for the need.”
Congress, he added, is “very much aware” and asking about needed resources.
During the presentation, Gen. Martemucci countered each of the anticipated arguments. He acknowledged, for example, that existing science, technology and intelligence centers—the Missile and Space Intelligence Center, National Air and Space Intelligence Center (NASIC), the Office of Naval Intelligence, the National Ground Intelligence Center and the newly created National Space Intelligence Center—already provide some elements of cyber intelligence. But they do not offer the intelligence on foreign cyber forces that Cyber Command and the 11 regional combatant commands need for daily operations.
Gen. Martemucci compared cyber weaponry to more traditional weapon systems, which include an operator, platform and munitions—a pilot, fighter jet and attached missiles, for example. NASIC, he noted, studies air weapon systems and produces assessments on, for instance, the latest Chinese fighter aircraft, the missiles, its pilots, capabilities, training, tactics, techniques and procedures, the system’s data link, command and control, and its integration with other systems.
NASIC also produces foundational order of battle: the basic organization of an adversary air force, its disposition, its location and its organizations, including individual units, their equipment and their capabilities, along with senior leader profiles. Additionally, the center generates tailored reports on how an adversary air force is learning and adapting in a current conflict, or on when an adversary changes or increases a particular capability, doctrine, tactic, technique or procedure.
He noted that NASIC produces intelligence on cyber threats to, and vulnerabilities of, U.S. aircraft and weapons. “But this is only a small part of the foundational intelligence necessary to enable global operations in the cyber domain. None of these service centers that I’ve mentioned are producing the sort of foundational adversary cyber order of battle, for example,” Gen. Martemucci said. “A large and capable cyber force—like China or Russia or the forces of violent extremist organizations—need to be assessed and cataloged and tracked in the way we assess, catalog, track and measure adversary armies, navies and air forces.”
Cyber Command sees the Missile and Space Intelligence Center within the Defense Intelligence Agency (DIA) as a model for the envisioned cyber intelligence center. Of the existing organizations, it is the only one not housed within a military service. “These are all service [science, technology and intelligence] centers organized, trained, equipped by the respective service for that domain. Missile and space intelligence is the outlier because that is not owned by a service, but … affects all the services and therefore, it is a direct reporting unit to DIA,” he said. “We happen to be the only domain without a dedicated center producing foundational intelligence.”
AFCEA Cyber Committee member Marc Sachs, deputy director for research, McCrary Institute for Cyber and Critical Infrastructure Security, Auburn University, applauded Cyber Command’s approach but predicted the command will see some resistance. “Until cyber becomes a branch, I think they’re going to get pushback,” Sachs said in an interview.
Gen. Martemucci contended that none of the other centers were needed until the United States saw its adversaries building up significant forces and capabilities in those domains. “Now we see our adversaries rapidly building tools, capabilities and expertise in the cyber domain. And we expect that they’re going to increasingly use cyber operations to advance their national interests, much in the same way that they might use their navies and their air forces,” he predicted. “By any reasonable measure, our adversaries are building cyber armies. And so, for all those reasons that I’ve just laid out, the time is now for a defense cyber intelligence center. It needs to exist.”
For the second argument—that a new center would draw talent from other organizations—the intelligence director suggested that, over time, the center itself might be part of the solution to the problem. It is true, he acknowledged, that the Defense Department faces stiff competition from industry, academia and other government organizations, but currently, cyber analysts have no clear career path within the Defense Department and little reason to sign up or to stick around when they do.
“There currently is no cyber analytic career field or even a career path for cyber analysts within the Department of Defense. And within the Department of Defense intelligence enterprise construct, I recognize that there is currently little incentive to stay or make a career. However, a defense cyber intelligence center could help fix that by creating a destination for foundational [science, technology and intelligence] cyber expertise. Over time, a center would be an attractor and an incubator of new analytic talent and a generator of tradecraft, training and professional development that would grow the force we need.”
Cyber Command officials are armed with an array of data points to counter the notion that the domain is not yet mature. “The data prove this argument false both in terms of bottom-up growth and top-down demand, and we’ve got the empirical data to prove it,” Gen. Martemucci said.
The data points include:
- U.S. cyber forces have been operating in enemy cyberspace for more than 20 years.
- The department’s 133 Cyber Mission Forces will grow to 147 in five years.
- Cyber Mission Forces conduct more than 400 discrete cyber operations in adversary cyberspace each month.
- U.S. Cyber Command has deployed more than 600 cyber warriors to 16 countries to conduct forward operations.
- Hundreds of cyber operators have spent tens of thousands of hours interacting with adversaries in cyberspace.
Cyber Command is not the only command in need of more cyber-related intelligence. “Functional geographic combatant commands are more frequently turning to cyber domain operations to achieve military objectives below the level of armed conflict, and those operations require increasingly tailored intelligence. That’s the area where, again, foundational intelligence is lacking to enable the kind of influence that we seek to have in competition.”
As a practical example, he added, the combatant commands have cyber intelligence requirements for their respective areas of responsibility. Collectively, they produce hundreds of target systems analyses, all of which may consider full-spectrum cyber effects, not just kinetic solutions.
Anticipating an explosion in requests for cyber intelligence, U.S. Cyber Command alone has submitted more than 600 unique requirements in DIA’s Community On-Line Intelligence System for End-Users and Managers (COLISEUM), an automated system for reporting intelligence production requirements. Only about 270 of those had been validated by the Defense Cyber Intelligence Committee at the time of the presentation, the general reported.
Sachs noted that Cyber Command could potentially turn to the private sector for the required intelligence. “Most of the intelligence they’re looking for, particularly what Cyber Command needs to really do their job, is first seen by the private sector. Right now, the private sector is running circles around the government. This initiative is great, but it can’t happen without the private sector.”
Sachs added that he was not talking specifically about defense contractors but about critical infrastructure asset owners and others. Without the private sector, “You just wind up with government intelligence for the sake of the government, and it doesn’t do anything to help the protection of our critical infrastructure, which should be the primary thing they’re after,” Sachs maintained.
Using Microsoft as an example, Sachs added that automatic updates and system performance reports potentially provide industry with an array of cyber intelligence. “Overwhelmingly, the vast majority of the planet uses Microsoft products. They’re getting intelligence from every country on the planet coming back to Redmond, Washington. They can detect the ground shaking,” Sachs stated.