CYBERCOM, the IC, and Cyberwarfare
In 2018, U.S. CYBERCOM published its command vision titled “Achieve and Maintain Cyberspace Superiority.”¹ This vision follows in a long line of U.S. military documents outlining the pursuit of dominance in all domains of warfare. Unfortunately for Cyber Command (CYBERCOM), the Intelligence Community (IC), and private sector cybersecurity actors, securing cyberspace is a fundamentally different and challenging project compared to the traditional domains of warfare. For decades, the U.S. has pursued, and largely maintained, military superiority in the land, air, and sea domains of warfare. For a new generation of both military personnel and cybersecurity practitioners, this historic dominance may be coming to an end. To face this growing challenge of cyber warfare, it is imperative for both public and private sector actors to reevaluate the current cyber strategies.
As a result of the anonymous and distributed nature of the cyber domain, the pursuit of cyberspace superiority is a challenging task for national security actors. Furthermore, the recent waves of cyber-attacks including the SolarWinds hack and the ransomware attacks of summer 2021 have shown U.S. weakness in cyber defense.²³ Without credible deterrence and forceful responses, adversarial nations will continue to threaten economic and security interests with impunity.
Cyberwarfare has offered adversaries the opportunity to both attack economic interests and compromise sensitive national security information without placing their service members in harm's way. Unlike traditional forms of espionage, cyber capabilities allow nations to gain access to information without putting intelligence officers and assets at risk of exposure. The most concerning aspect of these recent attacks is that while they were mostly designed for espionage or ransomware purposes, history shows that these same tools can be weaponized to cause significant damage to network devices.⁴
Cyber-enabled espionage and cyberwarfare pose a significant threat to U.S. interests and will require a remaking of U.S. strategy. It is critical for the U.S. defense community to begin building a “whole-of-government” response to adversarial cyber activities, with support from the IC, other national security actors, and the private sector. Unlike other domains of warfare, cyberwarfare inherently occurs in the shadows, which are traditionally occupied by the IC. As a result, the IC should continue to play a leading role in the response to malicious cyber activities, requiring an update to the stagnant strategy of the past decade.
First and foremost, the capabilities for defensive cyber-operations should be spread across a much wider set of national security actors, while the authority for standard setting should be consolidated within a single organization, likely the Critical Infrastructure Security Agency. The distinction between responsibility and standard setting is crucial as it forces each actor to improve their indigenous capabilities while holding them accountable to a single authority. Second, CYBERCOM should be formally separated from the NSA, allowing for a separation between intelligence gathering, network defense, and offensive cyber operations. While there are connections between these three areas, for legal and administrative purposes, separating CYBERCOM from its civilian counterparts would improve the flexibility in responding to cyber threats.⁵
By officially separating CYBERCOM from the NSA, its leadership will be empowered to focus on increasing the costs incurred by adversaries in the cyber domain while protecting the important Signals Intelligence (SIGINT) mission of the NSA.⁶ Like many forms of conflict, imposing costs on adversaries is critical to deterring malicious activities. Without the credible threat of response, Russia and China have utilized these capabilities with increasing consistency, threatening our economic, military, and political interests. While some have argued that norm-building, economic entanglement, and other forms of soft power may provide credible deterrence, the events of 2021 appear to counter this optimism.⁷
The federal government has taken many important steps toward mitigating the widespread threat of malicious cyber activities, including the designation of the National Cyber Director, the delegation of authorities to CISA, and the publishing of the National Cyber Strategy. Despite these changes, our adversaries continue to challenge our digital sovereignty with persistent and devastating attacks. As they continue to impose high costs through cyber-enabled means, it is critical that the U.S. responds in a similar manner.
Historically, allowing attacks on U.S. interests to go unchallenged would be seen as a critical weakness for adversaries to exploit, but in the cyber domain, that appears to be business as usual. In the face of forward-leaning responses, led by a standalone CYBERCOM, our adversaries would begin to reconsider their widespread use of cyber capabilities. The strategies of conflict must adapt to face this rapid and ever-growing threat, or the U.S. will remain weak and powerless in the cyber domain.