Some cyber forces created as part of the Defense Department’s cyber strategy released this spring are trained, ready and participating in operations.
Forces tasked with defending the United States and its interest against cyber attacks of “significant consequence” now are working in real-life scenarios, said Maj. Gen. Paul Nakasone, commander of the Cyber National Mission Force.
The Cyber Mission Force is made up of 133 teams commissioned by DoD’s cyber strategy.
“Our mission … is to ensure that we are prepared if there are disruptive and destructive attacks against the nation that we can operate,” said Nakasone during an Oct. 9 speech at the Center for Strategic and International Studies (CSIS).
The cyber mission forces have drawn particular attention due to their ability to operate in combat missions, possibly in an offensive capacity.
Nakasone declined to go into detail as to the nature of the operations in which the Cyber National Mission forces have acted.
DoD’s goal is to have all of its mission forces trained, ready and capable by 2018. Lt. Gen. Kevin McLaughlin, deputy commander of U.S. Cyber Command, said the forces are about halfway there.
Cyber National Mission Force makes up only part of the total cyber mission forces in protecting the homeland and DoD networks. Other mission forces will provide support to the combatant commands, and analytic and planning support to other cyber mission teams.
Nakasone said his forces are about 80 percent military and have an average age of 24 years old.
The force’s activity with cyber operations isn’t the first organization to take action across DoD.
The Defense Information Systems Agency’s Joint Force Headquarters – DoD Information Networks already has participated in seven named operations.
The Pentagon created JFHQ-DoDIN to take over operations and defensive work from U.S. Cyber Command. The headquarters reached initial operating capability in January and assumed 14 to 19 tasks from CYBERCOM.
Nakasone said he works closely with the joint force headquarters.
Pleading for Policy
As U.S. cyber forces become more of an operational reality to prevent and fight cyber attacks, lawmakers have called on the Defense Department to come up with a cohesive policy on U.S. action toward cyber incidents.
Lawmakers say a definitive policy would further define the authorities given to different government entities on when and how to respond to a cyber attack. Furthermore, a policy could act as a means of deterrence against an attack if adversaries know the consequences of breaching the U.S. cyber domain.
In an attack like the one on Sony Pictures Entertainment, for example, should cyber forces step in because it involved a foreign country, should the corporation deal with the hack itself, or should another government agency take the helm.
Senate Armed Services Committee Chairman John McCain (R-Ariz.) pressed Deputy Defense Secretary Bob Work for a clear policy during a Sept. 29 hearing.
“Suppose there is an attack like the one on [the Office of Personnel Management]. … Do you respond by counterattacking? Do you respond by trying to enact other measures? What do we do in case of a cyber attack?” McCain said.
Work told the committee DoD does have a cyber strategy, but not a policy per se.
“That does not mean if we had an attack tonight that we do not have the structure in place right now with the national security team to get together to try and understand who caused the attack, to understand what the implications of the attack were and what response we should take,” Work said. “Those are in place right now.”
Aaron Hughes, deputy assistant secretary of defense for cyber policy, reiterated Work’s point at the CSIS event, that a cyber strategy is something that will evolve over time and through military exercises.
“[Responses are] going to depend on the circumstances … has there been damage to property, has there been financial implications, and then our response is going to be a whole-of-government response,” Hughes said.
Still, with many overlapping authorities and multiple agencies, Harvey Rishikof, senior counsel at Crowell & Moring, LLP, said policy will truly determine how the law is used.
“Though the threshold question is a legal issue to give authority and legitimization and justification for force, it ultimately will be a policy determination. The threshold will be a political determination that allows us to use all the force that we have in our defense,” Rishikof said. “If we tell this general, ‘this is the hard line and if there is a violation you must respond,’ that puts us in a situation that historically most policy makers don’t like to be in.”
Some lawmakers, however, feel like other countries exploit that ambiguity and the only way to truly deter attacks is to have a clear policy on attacks.
“I think [deterrence] has got to be a high priority. Deterrence doesn’t work unless people know about it. … The cyber war has started,” Sen. Angus King (I-ME) said, during a Sept. 24 hearing. “We are in the cyber war with our hands tied behind our back. We would never build a destroyer without guns … you cannot defend, defend, defend, defend and never punch back.”