SAN DIEGO: Adm. Mike Rogers, who heads both NSA and Cyber Command, is looking past CYBERCOM’s elevation to an independent Unified Command towards a much wider reorganization of military cyber. Some reorganization is implicit in a Feb. 17 memo in which Defense Secretary Jim Mattis charges Deputy Secretary Bob Work to “develop an initial plan… for more optimized organizational structure and processes to support information management and cyber operations.” But speaking to the AFCEA-USNI West 2017 conference here, Rogers proposed an array of specific changes, from giving tactical units more authority to conduct cyber attacks to creating a new structure to oversee both cyber and electronic warfare.
Rogers was notably silent on one burning issue: splitting the two agencies he runs. Obama Defense Secretary Ash Carter and Director of National Intelligence James Clapper both pushed to separate NSA and CYBERCOM, but Rogers was publicly reluctant, as was Senate Armed Forces Chairman John McCain. The 2017 defense bill elevated CYBERCOM from a component of Strategic Command to an independent top-level Unified Command (Sec. 923), but it but forbade separating CYBERCOM from NSA until the Pentagon studied the split and certified it would not pose “unacceptable” risk (Sec. 1642). “We’re looking at the issue,” DoD spokesman Capt. Jeff Davis told The Hill. That study and other NDAA provisions are the impetus for Mattis’s memo.
“In the immediate near term, (we’ll) elevate CYBERCOM to Unified Command. I think that’s pretty easy, we’re getting no pushback,” Rogers said today, “(though) it’s not my decision.” The law doesn’t specify a date by which the change must happen, and the Pentagon hasn’t yet set one.
Cyber & Electronic Warfare
Rogers is already looking ahead to a future, far larger change: Whether the Defense Department should create an organization that oversees not only cyber warfare but the intimately intertwined fields of electronic warfare and spectrum management.
“For the first time in the last year, I’m starting to get sometimes in very public forums this question(:) As you see the spectrum and the network converging, as you see the integration of the spectrum, the network, information, and effects, does that argue then that you need to view cyber as an element of something broader?” Rogers said. “And would you…build around CYBERCOM or some another organizational construct the idea of bringing those functions together?”
“I would argue the most likely answer, over time, is yes,” Rogers said. In the near term, he added with rueful laughter, his agenda’s already overloaded with cyber by itself.
On the strategic level, where Cyber Command mostly operates today, it’s possible to treat cyber and electronic warfare separately. Strategic cyber war is fought with 1s and 0s that zip around the planet on fiber optic cables. Electronic warfare, by contrast, is waged with radio-frequency signals that have limited range and local effects. But there are few fiber optic lines on the battlefield, so tactical networks run over radio waves that electronic warfare can detect, jam, or spoof — and the best way to get a virus in the enemy’s system is to encode it in radio waves. As a result, the closer cyber warfare gets to the tactical level, to ships and planes and troops in trenches, the more it becomes mingled with electronic warfare.
“What I want to see happen in the five to 10-year timeframe is, can we integrate cyber, both offensively and defensively, down to the operational and tactical level?” Rogers continued. Today we have very different authorities and rules of engagement for offensive as opposed to defensive cyber operations. In fact, he said, “offensive cyber in some ways is treated almost like nuclear weapons, in the sense that their application outside an area of defined hostilities is controlled at the chief executive level (i.e. the President). It’s not delegated down.”
The cyber force needs to build trust and confidence among policymakers that authorities to use offensive cyber can be delegated, Rogers said. Instead of reserving authority to employ offensive cyber at the strategic level, like nuclear weapons, the admiral envisions it becoming part of the regular toolkit of tactical units, such as Carrier Strike Groups. This idea would fit well with the Navy’s Electromagnetic Maneuver Warfare concept or the Army’s experiments with cyber teams augmenting combat brigades.
In a sense, said the panel moderator, retired Adm. James Stavridis, Rogers is proposing cyber operations follow the path of special operations: Once little understood and tightly restricted, special ops are now part of the day to day activities of conventional commanders.
“I totally agree,” Rogers said. “I would create Cyber Command much in the image of SOCOM (Special Operations Command),” with a mix of responsibilities to both develop the force and to use it. Ultimately, much as there are Theater Special Operations Commands, there could be theater cyber commands within each geographical Combatant Command as well, Rogers said — but we’re not ready to do that yet. There just aren’t enough cyber forces to go around, Rogers said, so, for now, they have to be centrally managed. Further, he said, there’s no point in creating theater and tactical cyber forces until theatre and tactical commanders get the full authority required to use them.
Command & Control: Richardson & Neller
Command authorities for cyber are a complex challenge, emphasized two of Rogers’ fellow four-stars speaking later at the conference. “Where we are working hard is the command and control of all of that,” said the Chief of Naval Operations, Adm. John Richardson. From space and cyber to the “physical domains” of land, sea, and air, “all of that has to be orchestrated… just like the San Diego symphony,” he said. “(To figure out) the authorities that have to come with that, to be able to act with that synchronization, to achieve the effects, there’s a lot of wargaming that needs to be done to iron all that out.”
Using tactical cyber needs to become routine, like other technical arms of service, said the Commandant of the Marine Corps, Gen. Robert Neller: “When the artillery liaison officer or the naval gunfire liaison officer shows up, the cyber liaison officer’s going to show up.”
You need such technical specialists to advise commanders because, “as a commander, I’m not really interested in the 1s and 0s, I just want to get the effect on that target,” Neller continued. “We’re going to have to grow people — and we’re in the process of doing it — who understand how to achieve that effect.”
“That’s happening, but it’s not going to happen overnight,” the commandant continued. “Over time, as we attrit out of the force people like me who are digitally challenged, and the digital generation takes over, it’s going to become second nature.”
Perhaps the biggest change will in the geographic areas of responsibility that today define most military commands. “We used to look at certain plans for certain areas, they were just kind of regionally focused; now we realize any conflict isn’t going to be bounded by a certain part of the Pacific (for example), it’s going to be transregional,” Neller said.
That’s particularly true in cyber, where attacks can cross the planet at near light speed. “The one thing that makes cyber so difficult,” Neller said, “is it’s hard to geographically bound it, (unlike) dropping a bomb or shooting an artillery shell.”
Rogers sounded more optimistic. Yes, a cyber attack can have consequences far beyond the vicinity of the target — but so can an artillery barrage or airstrike that mistakenly kills civilians and inspires global backlash against the United States. We need training and processes, authorities and rules of engagement, to control the potential strategic backlash of tactical missteps in either case.
“In the world we’re living in now, the tactical application of kinetic force often has strong strategic implications beyond the immediate physical environment,” Rogers. “Just as we have come up with a series of processes, controls, and oversight that governs the application of force in traditional ways…I think we can do the exact same thing — over time — with cyber.”
“We have to,” he said.