Under a new plan put in place late last year, the head of U.S. Cyber Command received expanded authorities, but Fifth Domain has learned Congress and the Department of Defense have considered further extending those powers.
The discussion, which included members of the Joint Staff, comes as Cyber Command is expected to become a full combatant command.
While Cyber Command is often thought of as replicating the constructs of Special Operations Command, the commander of USCYBERCOM — unlike the commander of SOCOM — did not possess the authority to move cyber forces around the globe.
Instead, the commander of SOCOM can move special operations forces around the world based on demands and particular theaters. With its global reach and small staff cells located at each geographic combatant command, SOCOM can be much more flexible to respond to threats around the world.
One of the advantages of these cells — theater special operations commands (TSOC) — is they are small and tend to have a strong understanding of what’s going on from a global and transregional level, Peter Haynes, senior fellow at the Center for Strategic and Budgetary Assessment, told Fifth Domain. With this understanding, they can act as a connective tissue between seams in geographic regions and anticipate which threats may need more resources.
Leaders in Congress and at the Pentagon have examined replicating this authority for Cyber Command.
“It’s definitely in the dialogue,” a House aide said. The aide added that there’s a conversation occurring within the Joint Staff as far as incorporating these authorities within the boundaries of the national defense strategy. It is not immediately clear if those authorities already have been approved.
Adm. Michael Rogers, commander of Cyber Command, in both written and oral testimony before the Senate Armed Services Committee Feb. 27, made reference to new authorities as part of the updated unified command plan. That plan, which was approved by the president in November, defines scopes and authorities of the geographic and functional combatant commands as well as investments in manpower.
This new plan “gave USCYBERCOM new duties in keeping with Congress’ intent to make it something of a hybrid Command along the general lines of U.S. Special Operations Command.”
It also made USCYBERCOM responsible for the planning and execution of global cyberspace operations.
“In supporting Joint Force commanders, USCYBERCOM is working to synchronize the planning and operations of cyber forces as ‘high-demand/low density’ assets. Two secretaries of defense have now endorsed this change in how our cyberspace assets are managed,” Rogers wrote in prepared testimony.
The construct provides USCYBERCOM authority to balance risk across the joint force and focusing resources where they are needed. It also enables the force to deter and preempt cyber threats, Rogers wrote, adding they are building these concepts in to USCYBERCOM’s operational and contingency plans.
A DoD spokeswoman wrote to Fifth Domain in an email that:
… the elevation of USCYBERCOM consolidates the mission to direct, synchronize and coordinate cyber planning and operations under a single commander, establishing a direct path between the command and secretary of defense for “inherently time-sensitive cyber operations.”
The House aide noted that while DoD has been looking at this, it’s a very complex dialogue with lots of dynamics. “You still have all the cyber mission force, all these different other capabilities that are being developed at the same time as those larger construct conversations are being had,” they said.
Cyber Command’s cyber forces are also assigned to the regional — as well as functional — combatant commands and thus once there, fall under the command of the geographic combatant commander.
“We put a new process in place … and was granted authority to re-allocate some of our capability against” threats and challenges, Rogers told the Senate Armed Services Committee. “That didn’t exist a year ago … it wasn’t envisioned. The thought was the cyber forces we created would be permanently aligned; I argue it’s not going to get us where we need to be.”
This approach is also something the Government Accountability Office is examining as it tries to help DoD work through command and control and authorities issues as Cyber Command matures.
“It’s related to a lot of the recommendations we made about clarifying command and control responsibilities,” Joseph Kirschbaum, the director of defense capabilities and management at GAO, told Fifth Domain. He pointed to GAO recommendations to Congress that DoD determine clear roles and responsibilities for who’s supposed to do what, command and control constructs, under what conditions cyber forces would be used and who would command them.
There’s a value of a command such as USCYBERCOM to prioritize how to use their forces against different threats, Katherine Charlet, who formerly served as the acting deputy assistant secretary of defense for cyber policy, told Fifth Domain.
On the other hand, she said, regional combatant commands are protective of their areas of responsibility and have a level of control over how they use their forces toward their priorities planning for the availability of these teams.
If a team is aligned to one combatant command and six months later is put somewhere else, this can be destabilizing from a planning perspective and may slow the initiative to integrate cyber in to regional efforts, she said.
The benefits of such an authority, according to a House aide, is there could be a need to move forces against a particular threat.
If a state sponsor is operating in multiple geographic combatant commands, a single informed, authorized combatant commander that can move forces across military, allied or private-sector networks as needed could create a significant advantage, the aide said.
Cyber Command recently begun standing up planning cells locally at the combatant commands around the world to help better coordinate offensive and defensive cyber effects. Some have equated this model to the TSOCs at the combatant commands, noting that they were stood up to help the combatant commands better integrate cyber into their plans.
The other argument against this approach is that there are also very robust regional combatant commander command and control constructs in place and these four-star commanders already know how to employ forces regardless of domain, the aide added, indicating that regional combatant commander should take the lead.
Congress will be using the upcoming posture hearings to examine these issues further, they added.
US Cyber Command gets unified military command status
August 23, 2017
Last week, US President Donald Trump announced that the United States Cyber Command, which is currently a division of the NSA, will be elevated to the status of a Unified Combatant Command focused on cyberspace operations.
“This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our Nation’s defense. The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries,” President Trump pointed out.
“United States Cyber Command’s elevation will also help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations. Elevation will also ensure that critical cyberspace operations are adequately funded.”
US Secretary of Defense James Mattis will be in charge of nominating a new Cyber Command leader and, apparently, the one who will have the final word on whether the US Cyber Command can be – now or at a later date – separated from the NSA altogether.
The move was not at all unexpected, as it has been obvious for quite a while that the US Cyber Command is growing too big to remain in a such a subordinate position. Also, that national cyber defense needs to become a priority – and this is one move that indicates that this realization has finally hit home.
As stated by the US Department of Defense, the US Cyber Command “plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”
If, initially, it was created with defense in mind, it gradually became considered and viewed as a (potentially) offensive force.
The question of self-defense
Perhaps President Trump’s decision was also a reaction to the recent breakdown of longstanding United Nations negotiations regarding the application of international law norms to cyberspace, over the issue of whether or not member states should have the right of self-defense in the face of cyber attacks.
As noted by The Guardian, the schism happened along old cold war lines: western countries on one side, Cuba, Russia and China on the other.
The Cuban representative noted that they could not accept the establishment of “equivalence between the malicious use of information and communications technologies and the concept of ‘armed attack’” so that self-defense actions can be taken.
He opined that this would lead to the legitimization of “unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs,” and that this situation would favor the interests of most powerful States to the detriment of the most vulnerable.
Russia and China did not offer a public explanation for their stance, but international law scholar Michael Schmitt and Cyber Law International CEO Liis Vihul suggested that these countries perhaps want to avoid the perception that “the West” gets to dictate the rules of the game for cyberspace.
“Or perhaps the answer is legal-operational in the sense that they want to deprive the West of a legal justification for responding to hostile cyber operations that they themselves launch. Although the deprivation would apply equally to them, the States concerned are less frequently the target of unlawful cyber operations mounted by other States and therefore the benefits thereof would arguably outweigh the costs,” they pointed out.
Finally, they admitted, it could also be a simple political reaction to the “current dismal state of relations outside the cyber realm.”