CYBER MAVEN: Defense Science Board Details New Cyberattack Strategy

Current cyber strategy is stalled, self-limiting, and focused on tactical outcomes

Rustici Previously Served as a Technical Lead, Intrusion Analyst and East Asia Cyber Lead at the Department of Defense

Cyber as a Strategic Capability: How do we get there?

By Ross Rustici

The Defense Science Board released the executive summary of its findings regarding Cyber as a Strategic Capability. The five primary findings are:

  1. Current cyber strategy is stalled, self-limiting, and focused on tactical outcomes. The DoD must build and adopt a comprehensive cyber strategy.
  2. Defense is a necessary foundation for offense. Effective offensive cyber capability depends on defensive assurance and resilience of key military and homeland systems.
  3. Cyber forces, including leadership, require more experience and readiness. Sustained experience in operations is essential to readiness of U.S. cyber capability (USCC).
  4. The DoD must integrate cyber into a whole-of-government approach. Cyber capabilities developed by DoD must be integrated into a whole-of-government approach, and integrated with private sector and coalition efforts to most effectively defend our collective interests.
  5. Current policies often thwart cyber capability. Policy guidance is both essential and currently at odds with effective use of cyber capabilities.

These findings succinctly summarize the issues that prevent the United States from leveraging cyber in a strategic context.

However, the recommendations demonstrate a fundamental failure to address the structural failings that currently underpin the system. The deficiencies of DHS in helping defend Critical Infrastructure/Key Resources (CI/KR) have as much to do with statutes as they do with capacity. Adding an even more immature organization with less legal standing to the mix is only going to undermine what little progress has been made. Furthermore, the fundamental question of what constitutes the military cyber mission is skirted throughout the document. If the military is going to take on a defensive mission of systems that it does not own, that is akin to deploying the U.S. Army around civilian power plants or in railroad stock yards, which raises issues around the Posse Comitatus Act.

What constitutes an enemy military operation that merits a U.S. military response? Increasing USCC’s defensive commitments to include the broader mandate of protecting CI/KR only dilutes effectiveness and mires USCC in an unwinnable situation. Ultimately, this type of thinking will result in further findings that the DoD is not able to effectively defend CI/KR at the individual sites and so must do it at the perimeter. This is the thought process that leads to unmanageable projects like national missile defense.

The U.S. military has accepted fundamental dependencies and vulnerabilities by building the backbone of its operational capacity on civilian transportation and communication systems. Retrofitting a defensive capacity onto that system is not only likely to end in failure but would also expand the purview of the military domestically in ways that deserve serious consideration.

Finally, the offensive recommendations reinforce the structures and guidance that have led to the first finding. Letting loose the dogs of cyber war to enhance operational capacity only strengthens a tactical view of how to use operations. Furthermore, this continues to build foundational norms that the use of cyber capabilities outside of war is acceptable. This will increase the fire break between cyberspace and the conditions necessary for justified physical retaliation. Specifically, clearing the statutory restrictions on “continuous offensive actions” coupled with the expanded authority already granted to USCC under the new NDAA and the rescinding of PPD20 creates an environment that expands the scope of current U.S. operations and justifies adversary aggression and consolidation.

Cyber as a strategic capability is something that needs serious consideration and is an achievable goal. To get there, the DoD needs to understand that cyber capabilities fall largely into two categories:

  1. as a substitute for precise munition strikes; and
  2. as a way to carry out covert operations without inserting physical assets.

Viewing cyber as an expansion of the tool kit to carry out existing operational constructs will go a long way to better leveraging it in a strategic context. Additionally, the conversation about capacity needs to be divorced from doctrinal usage. Once the DoD figures out how it wants to leverage the tool of cyber, then USCC and others can build the capacity to fulfil the mission. Building capacity and then looking for a way to employ it always results in tactical, stunted planning.


Ross Rustici - A Warrior Maven Columnist and Senior Contributor -

He currently serves as Senior Director, Intelligence Services, Cybereason.

Ross previously served as Technical Lead - DoD, East Asia Cyber Lead - DoD, and Intrusion Analyst - DoD.
