As cyber issues permeate more of our society – from military operations and defense to the integrity of the financial sector to allegations of foreign nations interfering in elections – U.S. Cyber Command has a lot on its plate.
CYBERCOM Commander Adm. Michael Rogers, who is also director of the NSA, discussed the laundry list of activities his command is undertaking during a May 9 hearing before the Senate Armed Services Committee, many of which are aimed at maturing the organization, deterring foreign attacks on U.S. infrastructure and escalating the digital fight against terrorist groups.
Below are the six things topping CYBERCOM’s to-do list:
Committee Chairman Sen. John McCain, R-Ariz., has been adamant about the need for a cyber strategy and policy. He frequently lamented the lack thereof during hearings over the course of the Obama administration.
His frustration has continued, as he noted during his opening statement that the committee was hopefully, “after years without any serious effort to develop a cyber deterrence policy and strategy from the last administration,” going to get such a strategy, which the new administration promised within 90 days of inauguration.
“90 days have come and gone and no such policy or strategy have been provided,” he said.
When asked if there is a policy or a strategy, Rogers told McCain there currently is not but that the new team is working on it.
Similarly, Sen. Angus King, I-Maine, was sure to remind Rogers that the deadline is fast approaching for a report, required by last year’s National Defense Authorization Act, in which the administration is to outline military and non-military options available for deterring and responding to imminent threats.
The report is due 180 days after the law was signed, which puts the deadline at mid-June. Rogers told King that the Office of the Secretary of Defense is working on this and Cyber Command has provided some insights.
An OSD spokesperson recently told FifthDomain that the office’s Cyber Policy Office is the lead for this report.
Russia’s recent forays into the elections of western democracies, including the recent 2016 U.S. presidential election, have been the subject of intense scrutiny on the Hill. Lawmakers have held several hearings with the intent of better understanding how to combat these types of information operations that use disinformation, cyber operations and so-called social media bots to spread misinformation and leaked documents stolen through cyber means.
Rogers noted that such operations are not currently a defined set of Cyber Command’s responsibilities, per se, and the command has not been tasked with these types of operations.
Rogers was sure to clarify later that combating these types of threats is not wholly outside his lane, but explained information is just one aspect of the problem.
He pointed to the way the spectrum and network world are converging and the way the information dynamic is playing out. Rogers said he, as well as the department, is trying to conceptualize how to deal with the conflation of electronic warfare, cyber and the information dynamic.
“It is all blurring in this digital world we live in,” he said. “How do we do this in an integrated way? Right now we’re not there yet, we’re still trying to figure out the right way forward.”
He did concede there are some things they are doing in the fight against the Islamic State group in this regard, but declined to go into specifics in an open forum.
Many have indicated that the authorities in cyberspace from a military perspective are too slow and not deliberate enough.
Rogers explained that the authorities issue is one he has highlighted with Secretary of Defense James Mattis, adding this is an important area that needs to be reassessed.
He also explained that he is bound under Presidential Policy Directive 20, a White House policy directive signed by the previous administration that governs offensive and defensive cyber operations.
While the debate around authorities has focused on the policies set forth from the White House – especially during the Obama administration, which had a reputation for centralized decision making in the National Security Council as opposed to farther down the ladder within DoD, for example – some, including congressional aides, have noted this is a DoD problem and not something Congress can legislate. This starts to get into execute orders issued from the Pentagon, as opposed to national level policies from the White House.
Senators asked Rogers what suggestions he might have for Congress on this issue.
“I’m trying to have a dialogue with my immediate bosses on what might such a framework look like,” he said. “I think I owe them time to come to their own conclusions first.”
He said the department is broadly looking at cyber authorities, writ large, and he has provided his input to the secretary.
Operations against ISIS
Rogers, in written and oral testimony, provided some insights into what his organization is doing in the fight against ISIS.
“Joint Task Force (JTF)-Ares [was] established by me as the Commander of USCYBERCOM in the spring of 2016 to coordinate cyberspace operations against ISIS,” Rogers said in written testimony. “JTF-Ares’ mission is to provide unity of command and effort for USCYBERCOM and coalition forces working to counter ISIS in cyberspace. The JTF model has helped USCYBERCOM to direct operations in support of [Central Command] operations, and marks an evolution in the command-and-control structure in response to urgent operational needs.”
Related to the authorities front is the issue of virtual and physical infrastructure. The cyber domain is such that organizations or persons can reside in one area of the world and exact effects in another. The infrastructure that facilitates this resides in various third party nations, presenting potential conflicts for cyber operations.
Sometimes, “you have to use some other nation’s infrastructure in order to mount” a cyberattack, former Director of National Intelligence James Clapper told Congress on Jan. 5. “That gets into, as I’ve learned, complex legal issues involving international law,” leading to the judgement oftentimes to impose costs other than a direct cyber retaliation, such as sanctions. These types of decisions are typically undertaken at the National Security Council level rather than the operational level.
Rogers said he tries to stress to policy makers that the challenge in the cyber arena is that the infrastructure being used might not be where an actor is physically located. He used ISIS as an example, noting that while the group is located in Iraq and Syria, the infrastructure used to conduct remote operations or spread propaganda is not.
He said requirements and authorities are not as fast as he would like to meet combatant commander needs, using the ISIS example as reference. Declining to get into many specifics, he said this issue of authorities and third party infrastructure came to a head in some of the operations underway against the group. He noted they were able to work it out in the interagency process and were granted the authorities to execute some of the ongoing activities against ISIS beyond the immediate physical environment of Syria and Iraq.
The Washington Post reported details on May 9 of what appears to be Rogers’ anecdote.
“A secret global operation by the Pentagon late last year to sabotage the Islamic State’s online videos and propaganda sparked fierce debate inside the government over whether it was necessary to notify countries that are home to computer hosting services used by the extremist group, including U.S. allies in Europe,” the article read.
Elevation to full combatant command
As directed in last year’s NDAA, Cyber Command will become a full unified combatant command independent of Strategic Command, under which it presently sits.
Pentagon officials have said they are working on this issue and the elevation will happen “fairly quickly.”
Rogers provided, without getting into the specifics given that this is an ongoing issue, some of the criteria they are looking at to make this happen:
- Shift current responsibility from STRATCOM down to CYBERCOM.
- Make changes to the unified command plan, which is a document signed by the president defining what combatant commands exist, what their responsibilities are, if there is a geographic responsibility, etc.
- Investments in manpower.
Assistance during election
There is currently much debate about whether election systems should be deemed critical infrastructure, prompted by hacking attempts – successful and not – during the 2016 U.S. elections. Such a designation could trigger special authorities that might have assisted during the alleged Russian influence operation.
Rogers explained that he was aware of the Russian intrusions in the summer of 2015 in his role as the director of NSA, which defends the civilian government agency networks and conducts foreign signals intelligence. From a Cyber Command perspective, however, his job is to ensure that the DoD system is optimized to withstand potential attacks, and he noted that the Russians were coming after DoD at the same time.
Had the voting infrastructure been defined as critical infrastructure, he said, and had the president or the secretary of defense determined that DoD needed to insert itself in this, he would have been tasked to do that under the set of duties assigned to Cyber Command. He added that Cyber Command would have tried to disrupt these operations.