U.S. Cyber Command is in talks with the Defense Information Systems Agency to give DISA more day-to-day responsibilities for defending DoD networks from cyber threats.
The precise division of labor between the two DoD organizations is a long way from being sorted out, but Adm. Michael Rogers, who took over as commander of U.S. Cyber Command two months ago, said his preferred approach would involve the creation of a Joint Force Headquarters at DISA. The organization would absorb a significant amount of DoD’s workload with regard to defensive cyber operations and would play a supporting role to U.S. CYBERCOM.
“As the new guy at U.S. Cyber Command, one of the things I’ve been asking is what we should be doing or not doing as a subunified command,” he said. “We can’t do everything, and one of the conclusions I’ve come to is that if CYBERCOM is going to be intimately focused on the tactical-level details of how we’re going to defend the network every day, we’re not going to get much else done. That’s when I said, ‘DISA can really help here.'”
Rogers, addressing a Washington cybersecurity summit organized by AFCEA’s Washington, D.C. chapter Wednesday, said he believes the cybersecurity construct would make sense given the greater responsibility for department-wide IT DISA has already signed up for under DoD’s still-evolving Joint Information Environment.
As JIE takes shape, DISA already has pivoted from its historical role of connecting military service-centric IT systems to one another, and instead, building and operating enterprise IT systems that each military service will share, such as core data centers, email and collaboration platforms and centrally- managed mobility services.
“We’ve got to give DISA the ability to create a command and control node that can coordinate with others to defend the DoD Information Network (DoDIN), and as we bring JIE online and start to operate a truly integrated, global network that’s not so oriented around the individual military services, DISA’s role gets to be even bigger,” he said. “The military services have had some role up until now in securing four different global backbones, and my attitude is that this is an important role for DISA, and the services need to optimize themselves so that they only operate the last tactical mile and plug into it.”
Exploring the idea of JIE
The idea of a joint force headquarters got a brief mention in the updated strategic plan DISA released earlier this month, but the agency has been actively exploring the idea since at least last fall, when it published a sources sought notice that attempted to identify vendors who could help develop operational concepts for the headquarters. In it, officials said they wanted to create an implementation plan that would align a theoretical DISA task force with cyber activities at CYBERCOM and U.S. Strategic Command.
Rogers said starting up the task force would require at least a slight realignment in the way DISA currently organizes itself and allocates its resources.
“DISA is largely an acquisition and engineering organization,” he said. “For DISA to do what it needs to do in order to help us operate and defend the networks, some portion of DISA needs to become an operational entity that’s focused on how we maneuver and defend the network.”
Rogers said delegating some level of “tactical” cyber defense to DISA would let CYBERCOM focus on what he views as the appropriate niche for his organization: the “strategic” level of cyber warfare.
To that end, DoD is attempting to build a cadre of 6,000 cyber operators between now and 2016, divided into three types of teams:
One focused on defending U.S. civilian critical infrastructure;
One devoted to defending Defense networks;
One that will handle offensive cyber operations when CYBERCOM or combatant commanders around the world decide they need to use cyber weapons against adversaries.
Taking ownership over standard-setting
CYBERCOM is overseeing the construction of the teams and has dictated that personnel from each military service should be trained to a single set of standards so that Army, Navy, Air Force, Marine Corps and Coast Guard personnel can interoperate seamlessly, Rogers said. At the same time, he seemed to walk away from the responsibility for creating those standards and did not specify who would perform the standard-setting function if CYBERCOM would not.
“I am the operational commander. I’m not the standards guy, I’m not the architecture guy,” he said.
Rogers did make clear that he believes the longer-term task of developing cyber warriors in a sustainable fashion is a job best left to the military services, and not one that should be subsumed into CYBERCOM.
“My view is we need to use the methodologies we’ve been using for decades and that people understand,” he said. “Our services know how to generate ready forces; they’ve been doing it for decades, and that’s where the roles of the services are critical for us. That’s their mission: to generate, man, train and equip a capability to deploy to an operational commander. Much of the time I’m going to be the operational commander, but I’m not the only one. So I’ve spent a lot of time figuring out how we’re going to generate a trained, ready force.”
The development of those forces is well underway, said Lt. Gen. Edward Cardon, the commander of Army Cyber Command. His service has been tasked with contributing 2,000 cyber soldiers to the joint force and said the Army’s will be halfway to that target by the end of this year.
Training those soldiers is one thing. Keeping them in the cyber positions, or in the Army, period, is another challenge altogether.
“Everybody’s competing for the same people. We need to grow more capacity, not poach people from each other,” Cardon said. “That’s also the challenge I’ve posed to our guard and reserve: If we’re recruiting people who are already working in (computer emergency response teams) in other government agencies to come work for Army Cyber Command, we’re just taking people from one government agency and putting them to work in another. That’s not helpful.”
At the same time, Cardon has taken steps to make sure his own uniformed workforce can’t be poached by other elements of his own service: If a soldier wants to move from Army Cyber Command to another job outside its immediate jurisdiction, the transfer can’t happen without Cardon’s personal approval.
To build and sustain the workforce, the Army also needs to make formal revisions to its personnel system so that soldiers can spend an entire career in the cyber field, Cardon said.
Without providing details, he said the Army will soon create a new branch dedicated to cyber.
“What this will allow us to do is to create a separate career field that will manage the leader development and talent management for this entire group,” he said. “We haven’t created a new branch since the early 1980s, so we’re going to be breaking a lot of china. But at the end of it, we’re going to be able to much better manage the cyber workforce.”