InfoSec News: What U.S. Cyber Command Must Do: http://www.ndu.edu/press/what-US-cyber-command-must-do.html
By Wesley R. Andrues
Joint Force Quarterly
Issue 59 - October 2010

Wesley R. Andrues is the Plans and Readiness Division Chief for the U.S.
Army Global Network Operations Center.

In June 2009, the Secretary of Defense announced the creation of U.S.
Cyber Command (USCYBERCOM), a new subunified command to be led by the
director of the National Security Agency (NSA). While the press colored
the announcement with Big Brother undertones and hints of civil
liberties surrendered, the real story lies in the intriguing legal
landscape of USCYBERCOM and what it could mean for the security,
efficiency, and economy of the military's networks. The Department of
Defense (DOD), the largest single consumer of Federal information
technology dollars, has struggled for decades to bring a singular voice
and management process to its communications infrastructure. Although
this is not the stated intent of the new command, USCYBERCOM must
ultimately reconcile its role in information technology "ownership" and
draw clear operational boundaries if it is to administer cyber security
through unified standards and procedures.

As USCYBERCOM now has its first commander and begins shaping its core
functions, fundamental changes in the legal landscape must occur in
parallel with the new organizational structure if the command hopes to
effect a "comprehensive approach to Cyberspace Operations."[1] In short,
it must go beyond cosmetic organizational change and set to work on a
campaign that genuinely reduces interdepartmental friction, repairs
ailing processes, and truly empowers it to meet its mission, both
specified and implied.

Step One: Establish Priorities

To compel its components to organize confidently and appropriately,
USCYBERCOM must provide solid, intuitive operational imperatives and
priorities. What tangible problem does the command seek to solve, and
how does the formation of this single entity contribute to the integrity
of DOD networks? One of the main impediments to answering this question
is the lack of any meaningful cyberspace doctrine, or at least a serious
consideration of how cyberspace operations differs from the closely
related computer network operations, which is itself a key component of
information operations. How does the emerging rubric of cyber now fit
against the broad operational backdrop of information operations as a
whole? This is an elemental question that demands top-down clarification
if USCYBERCOM expects to contain its mission space and lead decisively.
The question must be answered: Is it about securing the network itself,
or achieving military effects through the targeted application of
information in all its forms? To call it both takes a middle road that
complicates the identity of this new command and makes task organization

It is not that DOD has failed to invest intellectual capital toward
defining cyberspace. On the contrary, a good deal of self-examination is
under way across all the Services, yet precious little substance has
emerged signifying a strong, novel environmental foundation. To its
credit, the Joint Staff devoted significant effort toward articulating
broad cyberspace priorities in its National Military Strategy for
Cyberspace Operations (2006). The basic premise echoed the notion that
the United States must secure freedom of action in a "contested domain"
and deny the same to its adversaries, yet its ambitious goal of
achieving "military strategic superiority in cyberspace" glosses over
the vast complexity of such an all-consuming endstate.