Monday, April 18, 2016

Who is running Cyber Command?

Ever wonder about senior military leaders trying to make decisions about cyber operations?  Based on some of what we hear about in the press, I sure do.  And I think the picture below sums up the problem better than anything else can.

The commander of US Cyber Command graduated college in 1981 (Naval ROTC).  He was commissioned into the Navy and went to whatever schools the Navy uses to train its officers.  But what were Navy Officers learning about cyber operations that year?  I'm pretty sure that most Navy officer schools then didn't even use computers.  I say that because 1981 is the same year that Cosby was advertising this TI computer with a whopping 16KB of RAM.


Let that sink in for a minute - 16KB of RAM is only 25% of the capacity of the venerable (and oft mocked) Commodore 64.  But that was the top of the line when our current US Cyber Command commander (what a mouthful) graduated college and was commissioned.  Now, I'm honestly less worried about Adm. Rogers since he has been working in intelligence with an active interest in cyber for years.  But many transitioning from regular military intelligence to cyber lack the same experience that Rogers has.  

Even worse, senior combatant commanders are asked to comprehend cyber at some level.  Unfortunately, this is an attack surface that didn't exist when many of them were commissioned.  Try as they might, cyber will always be something that is newer and foreign to them than it is to their younger counterparts.

Has this happened before?
Definitely.  Military officers have had to adapt to new combat paradigms before.  The advent of long range, accurate artillery.  The advent of the tank over cavalry.  The advent of combat aircraft.  Most recently, we've seen ground commanders adapting to the reality that they have drones at their disposal for surveillance without committing troops to perform recon.  Just as concerning, lesser advanced and equipped adversaries have drones that equalize this advantage and give them time to react to preemptive attacks.

In every case, commanders have had to make changes - and cyber will be no different.  What is different is the speed at which they will be forced to make these changes.  Drones took time to catch on just like tanks and artillery before them.  They were also relatively expensive capabilities for forces to acquire.  Not true with cyber.  Today's military commanders must learn how cyber impacts traditional kinetic warfare at a rapid pace or be overtaken by it.

Closing thoughts
My point in talking about this isn't to say that old military officers can't make effective decisions about cyber operations.  But I do think that they are at a significant disadvantage when compared to those younger officers who grew up with the technology and are trained in cyber as a warfare discipline from the ground up.

I'll write some later points on the problems of cyber warfare attribution, escalation of cyber operations into kinetic operations, and suggestions for training combatant commanders in what they actually need to know to integrate cyber (mostly defense) into their current operations.

P.S. This photo has to be the most 80's thing ever between the really old computer and Cosby still being popular.

5 comments:

  1. There are good officers out there in the military today. The career pathing that is utilized to make rank is what kills the leadership potential in cyber. Come on dude you know this.

    ReplyDelete
  2. There are good officers out there in the military today. The career pathing that is utilized to make rank is what kills the leadership potential in cyber. Come on dude you know this.

    ReplyDelete
  3. I think that it requires a complete shift of what a cyber military force actually is. Even if the leadership is trained to "know" cyber, ultimately they are still commanding military members that retire into GS positions that they don't qualify for, and/or MOS trained soldiers that earned just high enough on the ASVAB to qualify as a cyber enlisted. What if being a cyber warrior (or a cyber warrior leader) didn't require you to know how to shoot a weapon? When exactly is drill and ceremony going to help someone with creating a log parser? Are the new cyber "warriors" expected to execute fire team movements during incident response?
    Some people will say that there are non-military avenues to being a cyber "warrior" via one of the numerous 3-letter agencies. However, post-Snowden most of those agencies have tightened their "security" processing down tighter than a wedding corset. "So you say you downloaded 'x' number of movies/music/software when you were in high school. In other words you've stolen over 'x' hundreds of thousands of dollars from those rights holders. How can we trust that you won't steal something from us?" And just don't even bother if you've ever 'h@x0r3d' anything EVER before, even outside of the 10 year investigation window. Something tells me that the nation states that we fight aren't nearly as worried about those sorts of things. I have a feeling it's probably more, "So you have an aptitude for computers... let's put that to use."

    ReplyDelete
  4. I think part of the major problem we face is that many senior leaders are only considering the visible computers and networks they rely on each day. The fact that most of the critical military systems (Missile Defense Systems, Aircraft, GPS, etc) short of the rifles in the hands of the infantry are controlled by computer systems. Basically the military has been running IoT before it was the buzz word it is today. In my experience, prior to getting out of the military, we add this "cyber" piece to exercises now, but run it on a separate network and treat it as, "oh you've been hacked, now what." We don't truly know how we could operate without the technologies we currently employ. It's like saying I've got a great disaster recovery plan, and I've had awesome table top exercises of it, so I know that if it actually needed to be used it would go off flawlessly. The problem there is, if you don't actually go through your disaster recovery plan in a real scenario, you may have things you never considered in the table top that could derail the whole process. Just my 2 cents.

    ReplyDelete
  5. Simple math. The effort to fix the issues outweigh the gain. Oh the beautiful little salmon which swim against the current with vigor and youth who think they can change the will of the current. The private industry will always appreciate the tributes to them from Cyber 6 and the circle. :)

    ReplyDelete

Note: Only a member of this blog may post a comment.