27 April 2017

** Cyber Warfare Beyond Domains

JACQUELYN G. SCHNEIDER

In 2010, then-Deputy Secretary of Defense William J. Lynn III made a pivotal decision for the future of cyberspace and the U.S. military: He saw to it that the U.S. Department of Defense declared cyberspace a “domain” of warfare.

This decision created the organizational impetus for the DoD to organize and equip forces to defend and attack from cyberspace. Lynn anticipated that the future of warfare would be determined by competitions for information and that without the ability to organize for missions in cyberspace, the DoD would be unable to ensure the digital freedom it needed to win modern wars. Since that time, the DoD has not only developed an overarching Cyber Strategy and stood up an entire Cyber Command with more than 6,000 personnel, and has also brought to initial operating capability 133 teams for its Cyber Mission Force. Under the auspices of the cyberspace domain, the DoD has made huge strides to defeat and deter adversaries in cyberspace.

But while labeling cyberspace an independent warfighting domain may have been administratively useful for the Pentagon, the arbitrary separation between “cyber” and the conventional domains has potentially deleterious effects for U.S. military effectiveness. The problem is that cyberspace does not operate within its own stovepipe. Instead, “cyber” is a general term that captures the role that digital information – the ones and zeros of modern warfighting – plays in creating conventional military power. These digital capabilities are embedded within tactical datalinks, smart weapons, unmanned and autonomous systems, in logistics platforms and mission planning software, and the millions of emails that direct military power. 

This digital terrain of modern warfare is increasingly contested by cross-domain threats. These threats could come from cyber attacks on networks, but also undersea cable-cutting, conventional bombing attacks of database farms, and anti-space attacks on the satellites that transmit digital navigation and targeting information. It is impossible to understand the significance of offense and defense in cyberspace without understanding the digital technologies that create the cyber terrain. Network-centric warfare and the digital capabilities it is dependent on have created a cyber terrain in which the U.S. is incredibly vulnerable to cross-domain threats to its cyber dependencies. You cannot separate these capabilities and vulnerabilities created in cyberspace from the ability to achieve victory in the air, land, sea, and space domains.

The administrative separation of cyberspace from the conventional domains with which it is linked leads to two significant problems for the modern American military.

First, the delineation of a cyberspace domain creates cyber stovepipes. Warfighters, particularly below the Combatant Command, are unaware of potential offensive cyber capabilities to support conventional domains of warfighting, nor are they authorized to execute any of these cyber capabilities. This problem is likely a combination of a legacy of secrecy passed down from the National Security Agency, coupled with the inherent technical difficulty of obtaining and maintaining cyber accesses. Without the ability to assure access, organizations that safeguard offensive cyber capabilities are necessarily wary of sharing information with conventional warfighters. Cyber capabilities remain confined to the special access and special technical operations world. 

The second problem was highlighted recently, when Army and Special Operations leaders pointed out that kinetic attacks were often easier to authorize than similar, or even less intense, cyber attacks. These officials were so concerned with the authorization problem that they staffed normally tactical-level exercises with Congressional representatives and members of the Office of the Secretary of Defense.

The reality is, separation of cyberspace from the other domains creates an incentive to centralize cyber defense. The consequence is that conventional warfighting units have limited capability or agency to protect and defend their own digital terrain. This problem is exacerbated because “cyber” warriors are increasingly distinct from the conventional mission set. While they are well-trained and equipped for identifying potential cyber vulnerabilities in military networks, these cyber warriors have limited knowledge of how various cyber vulnerabilities affect the conventional mission.

Indeed, the explosion of digital technologies within conventional missions means that vulnerabilities have expanded beyond network access points to vulnerabilities in software, datalinks, and even hardware. While the conventional warfighter may not have the cyber skills to mitigate these vulnerabilities, he does understand the impact that losing any of these components might have on air, land, sea, and space missions.

The conventional warfighter needs to be given the agency, some knowledge, and the ability to lean on cyberspace defenders in order to give priority to the defense of the crucial cyber terrain.

The solution to the cyberspace domain problem is not likely a change in nomenclature. Making cyberspace its own domain has provided useful incentives for organizing and – most importantly – funding key components of victory in the 21st Century world. Instead of renaming the cyberspace domain, we need to devote effort to better understanding the linkages between cyberspace and conventional capabilities, both in the offensive realm where authorities and access are the primary problems, and the defensive realm, where agency and knowledge are the primary issues.

Cyberspace is not solely Cyber Command’s problem nor is it solely Cyber Command’s tool. The state that will succeed at cyber warfare of the future is the one that understands the link between conventional operations and cyber capabilities and vulnerabilities.

No comments: