Computer Network Defense
“It was September of 1998 when the decision was made to move computer network defense to US Space Command. The efforts, up to that point, had been the starting up of the joint task force for computer network defense in Washington. … The other service chiefs and unified commanders decided that this particular mission area was so important that it should be placed in a warfighting Commander in Chief or unified command.
“So, we started working in September 1998 and we got the formal tasking later than that when the unified command plan came out and they formally gave it to us. But we started working all that and coordinated our implementation plan, our concept of operations. Basically, a joint task force for computer network defense fell under US Space Command on 1 October of 1999. We’ve been working the issue ever since.”
Computer Network Attack
“This coming October we are slated to get the computer network attack mission. Right now we are in the implementation planning phase of that. There will be a lot of work between now and 1 October to sort through all of that and try to bring focus to the particular mission area. This will be a lot more difficult than the defense piece of the computer network business.
“There are a lot of policy and legal ramifications for everything we do in that area. We haven’t even begun to organize for that particular mission yet. In computer network defense, the services organize themselves to some degree. There were network operation centers. There were computer emergency response teams set up. There was a framework out there that you could overlay the joint task force for computer network defense. That framework for computer network attacks doesn’t exist yet. …
“There is a sense [that] there are a lot of capabilities out there, but they are worked by small groups of people, sometimes highly classified. Trying to put all that together and figure out how we can provide a warfighting CINC … with the tool kit is going to have to be the thing we have to work the hardest.”
Computer Attacks During Allied Force
“After the mistaken bombing of the [Chinese] Embassy in Serbia, there was stepped-up activity. Exactly from where, I don’t think I can go into. There was some attack on NATO computers and other sites. Most of it was fairly innocuous and was thwarted fairly easily. I think we are a long way from saying any of it was state-sponsored. Some of it was just sympathizers. In fact, most of the attacks, we think, were from folks who were sympathetic to the Serbian cause and would get together in groups and then try to have some impact on our network. But as I said before, those were fairly easily dealt with and there was absolutely no mission impact by any of those attempts.”
Effect of Reliance on Commercial Systems
“Reliance on commercial systems and software … does not make us more vulnerable. We obviously are very reliant on commercial systems. We want to go more toward commercial systems and when I say we, I am talking about Space Command. We are already heavily outsourced. We have a large contractor force that supports us. …
“That is just not an issue with us. When we talk about commercial off-the-shelf software, I don’t think that in itself makes us any more vulnerable than it would if we had our own software. I think we have a lot of confidence in the software that is provided by our contractors, and it is all done under the appropriate security umbrella.”
Can Private Sector Provide Defenses
“We rely on the private sector to a large degree to help us with the intrusions, detecting devices that we set up in our firewall and so forth. Our relationship with the private sector will grow. It is one of the things we are looking at in computer network defense. We have a logical partnership here with the private sector, perhaps informal, perhaps formal, we haven’t decided on the mechanism or the venue or any of that yet, where they would be very much interested in what our take is on the threat and they would see some value in that, and we could have this continuous dialogue and they could also notify us of possible weaknesses in some of the software applications. We are working that very hard with industry.”
Legal Issues in Computer Network Attack
“Come this October, [the question of legal constraints] ought to be one of our primary issues. [We must] bring these issues to the forefront and work through the process. We’d like to get to the point with some of these capabilities that all the unified commanders know what they are, [that] they have been apportioned.
“The commander in theater, for instance, … would say, ‘I know I have these certain tools available. I know that on Day 1 of the conflict that they would be available for use.’And that is where we have to get. We are a long way from that today for good and sufficient reasons, I think. Those are the kinds of issues that I think we will help work through. Just like we’ve been doing on space. We are still in the process of operationalizing our space capabilities, integrating that down to the tactical level. …
“I think the legal concerns are absolutely real, and we’ve got to work through those and we’ve got to come up with a process by which we can do that. The legal community is going to have to be an ally here, and I think they will be and they have been in Kosovo. There was some work done and I don’t think anybody is going to point any fingers at the lawyers for not having done their job. Again, these are legitimate issues that we need to work through, and I expect the legal community inside DoD to help.”
The Emerging Threat
“In general, cyberattack is deemed useful by those countries that perhaps don’t have the conventional military capability the United States does. And so it’s a way of, asymmetrically perhaps, attacking adversaries, not just the United States but potentially other adversaries. So you can read in a lot of the military literature that people more and more, of most of the world, are looking at this as a potential area for some growth. …
“I think we are pretty well prepared. We have invested a lot of resources in defending our capabilities. And it’s not just the JTFCND [Joint Task Force-Computer Network Defense], and it’s not just the intrusion software and the firewalls and so forth. It’s also the training of our people. And we are working on all pieces of it. …
“I think we’re in reasonably good shape, but it will be like everything else we do: You know, we come up with the defense, somebody else comes up with a different offense, and back and forth. And so it’s not that we’re going to sit back and rest on our previous work; we’re going to continue to work it.”
Decentralized Operations
“We did not envision that US Space Command in Colorado Springs is going to be the focal point. … This is not something that’s going to be kept behind in Cheyenne Mountain and only be turned on by that level. These are tools that need to go to the operational and tactical level.
“So our first job is to figure out what our capabilities are out there. Every service has some capability in this area. We need to round those up, focus them, apportion them to the warfighters, and then ensure that they are tested and that we work through the policy and legal implications, which there will be and there are. That will be a very big part of what we do. …
“We see our job more as focusing what we currently have, giving confidence to the warfighter that these tools are available, that they have been tested, that they have some assurance that they will work, and that we have worked through the policy and legal implications of using them.”
The Computer Attack Tool Box
“It gets into the ability of denying, disrupting, degrading systems. It could be in the area of air defense, for instance. If you can degrade an air defense network of an adversary through manipulating ones and zeros, that might be a very elegant way to do it, as opposed to dropping 2,000-pound bombs on radars, for instance. So that’s–you know, the whole idea would be that we can do this, … perhaps with keystrokes, preventing casualties on our side and collateral damage on the adversary’s side.
“It’s an elegant solution in some cases, and as I said, there are going to be some policy and legal ramifications of all this that we have yet to work through.”
Where To Get Cyberwarriors
“We ‘Red Team’ essentially everything we do. In fact, we have a Space Aggressor Squadron that we are just standing up at Schriever AFB [Colo.] to do that for the exercises that we run traditionally, to bring a force in there that would try to disrupt our ability to take advantage of these space resources. So that’s another analogy. And we would do the same thing, of course, for computer network attack. And that is being done–it’s a very prudent thing to do. But it’s-a lot of the other issues are to be determined, as we work through our implementation plan this year. …
“People are what is going to make all this work. It’s not the software, it’s not the hardware; it always boils down to competent people. And that’s a real issue for us in US Space Command and for the Department of Defense as a whole. Now, the services are trying to attract the best and the brightest to come into this area. We think we can do that because we are going to be working on leading-edge technology, we’ll give them the right tools, and they’ll be doing something for their country. So we think all of that will make it appealing.”
Role of Cyberattack
“Well, I think it’s just going to be one more arrow in the quiver … in terms of the tools we can use. … I’ll use the air defense analogy again. If you want to take down an air defense system, we know how to do that kinetically. We know that we can drop bombs, we can send cruise missiles against it, we can use attack helicopters against that kind of system. As I suggested, there might be other ways to do that, and I don’t know–I mean this is premature-but there might be other ways to do that similar job. And I don’t think it’s going to fundamentally take us in too different a direction, although I would say that I think the ones and zeros part of this equation will be more important in the future than it is today-I mean dramatically more important. [It] will probably never supplant kinetic weapons.”
Unintended Consequences
“There may be unintended consequences, depending on how you work that. If you’re working on a communications network, for instance, it does more than just air defense. They use it for other things. Then there is the question of what are the consequences of perhaps taking down a communications system that may support other needs that may have no direct impact on the conflict, and then you’d have to study that.”
Special Cybercorps
“We want to build not a corps but a group of individuals that can work in this area. And you know, in the way it’s kind of grown up-this had been a sort of a pickup ball game. I mean, we don’t have specialties in the Air Force [for] information warrior. One of the things, I think, that we will bring to the table is: Should we create specialties that encourage a career path in this kind of work? Right now, for the most part, [we have] those that are most inclined or like to do it, and that’s fine for the time being, at least on the active duty side. Of course, on the contractor side, which we use heavily, we can get real specialists and real expertise.
“I guess my overall comment would be that creating a special corps would tend to put this in a stovepipe that would tend to revolve in its own world and … the product of their work would not necessarily get pushed down to the operational and tactical level like we’re trying to do for information operations.
Operations in Kosovo
“I would like to say–without giving you a lot of detail–that we worked through some policy and legal issues during Kosovo that will hopefully help us in the future, because we addressed some issues … and, I think, came up with a good resolution. And I think that portends well for our future capability in this area. But, as you know, the opposing forces in Serbia were not reliant, for instance, on space systems. They were not reliant on systems that were heavily involved with information technology; so, limited opportunities, there. …
“A lot of the existing capability is very immature, has not been tested. And we need to operationalize this like we do for everything else. It needs to be thought of like that. The planning for that needs to happen up front and early, so people like General Clark [Army Gen. Wesley K. Clark, Supreme Allied Commander Europe] can say, ‘I have got this arrow in my quiver, and I’d like to use it here.’ We are short of that capability, today.”
Decision-Making Issues
“Any time we prosecute war, … certain decisions have to migrate up to the national command authorities, and I think certain aspects of this would. I think our hope in the future is that we’ve thought through it, and for certain capabilities that we might want to use, that it would become understood what the effects are and that that would be something that would be very easily approved. Other capabilities might have to go all the way to the President for approval. That would not be unusual. We do that today in a conventional sense, as you know. …
“I think it’s fair to say that we have done this in the past on a case-by-case basis. And of course if you’re in the middle of a conflict, you’d prefer to not work this on a case-by-case basis. That usually takes longer. So, we would look to a process to be a little more robust in that area where we could have, like I said before, preapproval of some capabilities–I’m not talking-this is all very notional-of some capabilities. … There will still be–no doubt there will still be some case-by-case issues. … We have done certain things on a case-by-case basis, yes.”