Defending U.S. critical infrastructure against cyber warfare has been one of the three primary missions of U.S. Cyber Command almost since its creation in 2009, yet various DoD policy documents are at odds with one another when it comes to which organization would lead the military response to an actual cyber attack.
Defense leaders said they’re beginning the process to formally iron out those discrepancies. In a meeting two weeks ago in Colorado Springs, Colorado, commanders from Cyber Command and U.S. Northern Command began to sketch out policies that would dictate the respective roles and responsibilities of NORTHCOM, which has handled threats against the U.S. homeland since its inception, and CYBERCOM, which controls the vast majority of the military’s defensive cyber expertise.
“We’re putting meat on the bones to determine what’s the framework for a national incident with cyber implications, whether that’s a natural disaster or an incident caused by an adversary in the homeland that demands the response of military forces,” said Lt. Gen. Kevin McLaughlin, CYBERCOM’s deputy director. “We, as a military, know how to provide support to civil authorities. What’s being added to that is the cyber element.”
The CYBERCOM-NORTHCOM discussions follow a Government Accountability Office report earlier this month that pointed to “uncertainty” about which of those commands would lead the effort to help state and local governments in the aftermath of a cyber incident. The report said that recent exercises had shown worrying gaps in coordination between various state National Guard forces and the dual-status commanders who are supposed to lead a combined military response that also involves full-time federal troops.
But McLaughlin, speaking on a panel at AFCEA’s defensive cyber operations symposium in Washington, said he was confident that his cyber teams would be able to mount an effective response if called upon, even if the written policies about command and control of his forces during a domestic incident aren’t entirely clear.
“While we haven’t done this before — we haven’t had to execute one of these missions yet — if it happened, our cyber forces would just fold in and support the commander, like we do in other domains,” he said. “We would support NORTHCOM or the Department of Homeland Security, depending on who was designated as the lead agency. There’s been a lot of discussion saying that we don’t know how to do this, but I don’t think that’s the case. I think we know how we would do it. We’re now making sure we know exactly how to execute that in the event that it happens.”
Rear Adm. Dwight Shepherd, the chief of cyberspace operations at Northern Command, agreed that Cyber Command and the Joint Force Headquarters-DoD Information Networks (JFHQ-DoDIN) would do most of the heavy lifting in case of a major cyber event, even though NORTHCOM does have cyber defensive capabilities of its own.
“We’re really good at hurricanes and tornadoes, but truthfully, we’re really not capable of tackling a significant cyber event,” he said. “The experts are at CYBERCOM and JFHQ-DoDIN, and our role would be coordinating and synchronizing their efforts with DHS and FEMA and the states. We’ll use our existing authorities, but we’ve got more work to do. We’re still catching up on defining our challenges around authorities and legislation.”
McLaughlin said anyone concerned that there would be confusion over roles and responsibilities in the event of an attack should take comfort in the fact that DoD, states and civilian agencies now routinely train for an attack against critical infrastructure via an annual exercise called Cyber Guard.
The first exercise in 2012 involved only U.S. Cyber Command, DHS, the FBI and the National Guard. By last year, it had grown to 100 organizations. Most were state, local and tribal governments, but Cyber Guard 15 also included representatives from Information Sharing and Analysis Centers representing the financial services and electric utility sectors.
“We run that exercise, but it’s usually a non-DoD scenario,” McLaughlin said. “We’re practicing and teeing up any areas where we, interagency or between the government and the private sector, need refined policies or procedures so that we can respond to a national emergency. I do think we know how to do this, and we’re plugged into the parts of DoD that do that kind of interagency response for a living.”
As for DoD’s own infrastructure, the department argues that recent policy changes have put it in a much better position to respond to an attack that might compromise its own networks and to ferret out potential vulnerabilities in advance.
Until recently, CYBERCOM had no official authority to order security fixes on military networks. That changed in a recent policy memo by the secretary of Defense, and from there, the authority was delegated to the director of the Defense Information Systems Agency in his dual-hatted role as the commander of JFHQ-DoDIN.
“I have the authorities I need to direct changes to the DoD information network in total,” said Lt. Gen. Alan Lynn, who has worn those hats since last July. “Before, we could never do that. My DISA hat makes me responsible for operating the networks that are the connective tissue between the services and the agencies. The DoDIN commander hat gives me the authority to direct security changes all the way down to the services, and when there’s a vulnerability on the network we can shoot that down to everybody at one time so they all know this is a change that needs to take place right now. Those are not suggestions, but at the same time, it’s collaborative. Everybody understands the importance of securing the networks, so we haven’t gotten much pushback. And when we give those directions, we also provide technical support when it’s necessary.”