Chapter 17

The Organization of the United States Government

A few years ago, the Central Intelligence Agency (CIA) working cooperatively with Saudi Arabia set up a honey pot website1 to attract jihadi sympathizers. By all reports, the website served as a useful intelligence gathering tool, giving the unseen CIA and Saudi observers insights into the activities and interests of the terrorists who frequented the site. By 2008, however, it had become apparent that some were using the website to make operational plans to infiltrate jihadists into Iraq where they would join the insurgency, potentially threatening the lives of American troops. The National Security Council (NSC) convened a group of representatives from the Department of Defense (DoD), CIA, Department of Justice (DOJ), the Office of the Director of National Intelligence (ODNI), and the NSA to consider the matter. Eventually, over the CIA's objections, a DoD team from Joint Functional Component Command—Network Warfare (JFCC-NW), the predecessor of U.S. Cyber Command, took down the website. Their actions caused collateral effects as far away as Germany, and disappointed our Saudi collaborators.2

The incident illuminates a host of definitional and policy issues and challenges in the cyber realm, many of which are considered in other chapters of this book. But, equally clear from this anecdote are the challenges we face from the lack of any effective, purpose-built, standing organizations or processes within the U.S. government for developing policy or making decisions about cyber attacks and cyber defense. Rather, as this particular event makes clear, critical decisions that may set a precedent are frequently made in an ad hoc manner often without the benefit of either the time or the inclination for a broader and comprehensive consideration of the policy implications of the decisions.

The organizational deficit is two-fold: It is, first and foremost, a lack of structures for the making of a comprehensive policy and a lack of organizational cohesiveness in driving solutions forward in a way that includes all relevant stakeholders. It is, secondarily, a lack of adequate structures for implementing the policy decisions that have been made and for auditing our success (or failure) in doing so. This organizational deficit is not for a lack of effort. For more than 10 years, various Executive boards, agencies, and working groups have struggled to create a cohesive framework for cyber decision-making.

Yet, today, most observers would agree that the United States has yet to develop a stable solution. As two well-regarded observers recently noted:

[W]e also developed on an ad hoc basis over the last two decades various organizational structures in response to the cyber threat. Yet those infrastructure protection boards and cyber commissions typically lacked leadership, had no real authority, and were often made up of individuals who did not have combined expertise in national security, cyber security, policy, and law.

Meanwhile, the private sector, owners of most of our critical cyber infrastructure, pursued an unstructured response to the threats, relying in the first instance on government systems for cyber security.3

A number of legitimate reasons explain why we have yet to develop these structures and processes. There are, first, several unique challenges inherent in deterring or preventing cyber attacks. These include the well-known attribution problem, the dependence of the civilian economy and military capability on information technology, and the difficulty in distinguishing between attack and exploitation. More prosaically, despite the proliferation of boards and commissions, we simply have not paid enough sustained attention to the problem: organizational structures for the U.S. government to support our cyber deterrence activities have developed organically, over the past 20 years, through episodic and often reactive attention, rather than the product of a concerted policy-making process.

Then, too, by virtue of the nature of the cyber intrusions we have experienced, our organizational efforts have focused systematically on defensive measures rather than on offensive ones. As a consequence, though our organizational structures for cyber defense are incomplete and lack coherence, with gaps and overlaps in responsibility and authority that have yet to be resolved, our structures for controlling attack/response mechanisms are even more immature and have yet to evolve to permit consideration of a “whole of government response” that would bring to bear all aspects of government power.

The lack of coherence is magnified because existing structures tend to conflate two distinct operational functions—those of policy decision-making and those of implementation. The function of setting cyber policy and deciding a course of action will typically rest with governmental authorities. However, in the cyber domain (unlike, say, the nuclear domain), aspects of the implementation of those decisions will affect private sector actors who deploy their own defensive mechanisms and whose networks may be used to deliver a cyber response. The complex interaction between civilian, governmental, and military organizational structures for both offensive and defensive operations requires simplification.

In this chapter, we review the history of existing American structures and processes within the Executive Branch and examine the role of nonexecutive structures in the Legislative and Judicial branches of government. From this background, the next chapter proceeds to a consideration of several particularly challenging questions relating to cyber policy and organization.

Some government structures (like those intended to foster cyber resilience) have a relatively long history (in cyber terms); others (like those relating to cyber attack) are almost nonexistent and just recently developed. Let's examine the existing federal structures and how they came to be.

CYBER DEFENSE AND RESILIENCE

Though conceptually distinct, the U.S. government has treated cyber defense and resilience functions as interrelated, and developed structures that seek to address both aspects of deterrence/denial through a single set of mechanisms.

Early Efforts

President Clinton made the first significant U.S. effort to address cyber defense and resilience issues with the issuance of Presidential Decision Directive (PDD)-63 in May 1998.4 The directive noted the potential vulnerability of American infrastructure (ranging from transportation to water systems) and set forth a process for the development of an infrastructure assurance plan to protect critical assets. Notably, the directive treated cyberspace as a mode by which threats to infrastructure would be propagated and did not identify cyberspace, itself, as a critical infrastructure asset. Each sector of the economy was to identify its vulnerabilities and propose remedies for them. The directive called for development of response plans to minimize the damage of attacks on infrastructure and reconstitution plans for restoring capabilities rapidly.5

PDD-63 also devised a coordination structure that has, in effect, become the model for all succeeding cyber defense and resilience activities. Within the federal government, each economic sector was associated with a lead agency that would have the principal responsibility for coordinating activities with the private sector and developing the federal plans. As one might expect, these designations followed the regulatory functions of then-existing federal agencies: Treasury was the lead for banking activities, HHS for public health, Energy for electric power, and so on.6 These agencies would appoint senior officials to serve as Sector Liaisons who would, in turn, be coordinated by a National Coordinator for Security, Infrastructure Protection and Counter Terrorism who would, himself, be a subordinate of the national security advisor (i.e., part of what today we would call the National Security Council). The work of this federal organization would be supplemented by the appointment of a board of prominent nonfederal leaders (infrastructure providers and state and local officials) who would provide advice under the auspices of the National Infrastructure Assurance Council (NIAC), a board that continues to exist today.7

ISACs

As a direct result of PDD-63, the U.S. government fostered the creation of sector-specific Information Sharing and Analysis Centers (ISACs). The purpose of the ISACs, as the name suggests, is to enable the sharing of information, within each sector, about threats and vulnerabilities to that sector. Since 1998, ISACs have been created in many of the critical infrastructure sectors (e.g., Financial Services; Real Estate; and Electricity). Most notably, an Information Technology ISAC was one of the first created. The current reach of the ISACs to the various critical infrastructures is extensive. When considered collectively, the individual private/public sector ISACs possess an outreach and connectivity network to approximately 85 percent of the U.S. critical infrastructure.

The ISAC structure is intended to: provide each sector with 24/7 information sharing/intelligence capabilities; allow the sector to collect and analyze threats based on its own subject matter analytical expertise; and coordinate with the government on sector-specific impacts. The efforts have been moderately successful in disseminating information, but complaints from the industry continue to arise that the government is not effectively using private sector expertise to leverage its capabilities,8 and does not (often for classification reasons) adequately share threat information in the cyber domain.9

Recent Developments

President Bush sought to advance the Clinton initiative, and gave voice to the first National Strategy to Secure Cyberspace.10 For the first time, the strategy recognized that cyberspace was a separate infrastructure in its own right, worthy of protection because of its inherent value (rather than, as before, because it provided a means by which attacks on other infrastructure could occur). The principal noteworthiness of the strategy, for purposes of this inquiry, lay in its call for the development of a public–private architecture for responding to national cyber incidents.11

This recognition of the uniqueness of cyberspace as an independent infrastructure was confirmed in Homeland Security Presidential Directive (HSPD)-7, which defined critical infrastructure as “both physical and cyber-based” assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on American interests.12 HSPD-7 sought to define the coordinating role of the DHS in protecting cyber assets, directing the DHS Secretary to “maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. To the extent permitted by law, Federal departments and agencies with cyber expertise, including but not limited to the Departments of Justice, Commerce, the Treasury, Defense, Energy, and State, and the Central Intelligence Agency, will collaborate with and support the organization in accomplishing its mission.”13

As the laundry list of involved agencies makes clear, the coordinative function on cybersecurity issues is a daunting task. The challenge is magnified when one considers the multivariate nature of the tasks that comprise a government-wide approach to cybersecurity. In January 2008, President Bush adopted a Comprehensive National Cybersecurity Initiative (CNCI), portions of which were declassified by President Obama in 2010. The CNCI identifies 12 broad cybersecurity initiatives, ranging from increased cyber education and cyber domain situational awareness to a call for the development of a comprehensive cyber deterrence strategy. All but three of these initiatives are fairly characterized as requiring efforts of cyber defense and/or cyber resilience.14

The complexity of the coordination task was highlighted by the principal recommendation of President Obama's Cyberspace Policy Review, a comprehensive review of American cyber policy undertaken at the start of the Obama Administration.15 Recognizing the difficulty of coordinating so many initiatives in so many agencies, the Review called for the appointment of a White House-level policy coordinator (colloquially known as a Cyber Czar) who would anchor leadership on cyber issues within the White House.16 Indeed, the need for leadership was so palpable that the Review's first chapter was entitled “Leading from the Top.” Responding to this call, in December 2009, President Obama appointed Howard Schmidt as the first Special Assistant to the President and Cybersecurity Coordinator.

The Cybersecurity Coordinator's powers remain, however, consultative and coordinative rather than directive and mandatory. As the Review made clear, the coordinator does not (and was not intended to) have any operational authority or responsibility, nor the authority to make policy unilaterally. Rather, the coordinator is intended to act through the normal interagency process to harmonize and coordinate policy across interagency boundaries.17 Here too, as the CNCI's task-list makes clear, the predominant effort for the coordinator has been in the realms of cyber defense and cyber resilience.

CYBER ATTACK AND NON-CYBER RESPONSE

The U.S. military has moved aggressively to establish doctrine and structures for the control of military operations in cyberspace. The Army, for example, has developed a concept of operations and a set of capabilities requirements for military action in cyberspace.18 Likewise, the Navy has created a Fleet Cyber Command and reactivated the 10th Fleet for cyber warfare.19 Similarly, the Air Force has designated its existing Space Command as the locus for its cyberspace mission and begun inculcating its Airmen with the need to be Cyber Wingmen.20

To coordinate these sometimes disparate efforts, on June 23, 2009, the Secretary of Defense issued a memorandum creating a new command, the U.S. Cyber Command, within the structure of our military forces. More particularly, the Secretary created Cyber Command as a sub-unified command subject to the authority of the commander of the U.S. Strategic Command.21 As detailed in section 18.d(3) of the DOD Unified Command Plan, the U.S. Cyber Command (USCC) is tasked with securing American freedom of action in cyberspace and mitigating the risks to national security that come from its dependence on cyberspace. It is, therefore, the home of both offensive and defensive military cyber missions of all sorts. A catalog of its missions includes:

In short, Cyber Command serves as a broad-based, comprehensive locus for U.S. military cyberspace operations, with significant impact on nonmilitary civilian operations. And, consistent with existing joint doctrine, the commander of Cyber Command will, generally, have the freedom to select and approve specific courses of action to achieve the mission objectives set by his superiors.23

It is, of course, difficult to develop a concrete sense of what USCC actually will do. The Command did not become operational until October 2010. It was only in May 2010 that its first nominated commander was confirmed by the Senate. Since then, the Command has been deeply engaged in developing its strategic vision—the result in 2011 was two documents: a broad-based strategy and a narrower statement of how and when offensive cyber operations can be undertaken.

The broad strategy (the Department of Defense Strategy for Operating in Cyberspace)24 is comprehensive in one sense—it takes a wide and holistic view of the problem. But, it is narrow in another sense—it focuses almost exclusively on defensive measures. Thus, the strategy began by explaining why the DoD had chosen to consider cyber a domain separate from the land, sea, and air. It then went on to develop new defensive operating concepts to protect DoD networks and systems, while touting partnerships between the DoD and other government agencies, the private sector and international partners. These are, indeed, worthwhile objectives. But, as General James Cartwright (retired Vice-Chairman of the Joint Chiefs of Staff) put it in an interview, the all-defense/no-offense perspective of the Strategy was incomplete: “We've got to step up the game; we've got to talk about our offensive capabilities and train to them; to make them credible so that people know there's a penalty to this…. You can't have something that's a secret be a deterrent.” And, as Cartwright added, the Strategy needs to make clear that there is a right of self-defense, “because otherwise everything is a free shot at us and there's no penalty for it.”25

Some of General Cartwright's concerns may, however, have been answered by the more recent and narrower DoD statement on its offensive cyber policy. In the Department of Defense Cyberspace Policy Report,26 the DoD made clear that the United States “reserves the right to respond using all necessary means to defend our Nation…from hostile acts in cyberspace [which] may include significant cyber attacks directed against the U.S. economy.”27

But, even this declaration leaves some ambiguity: what, after all, is a significant cyber attack? One assumes that the current spate of cyber espionage intrusions (mainly from China) is not an attack, so even this declaratory policy leaves an open question regarding a response to these less significant intrusions. Even more problematic, since cyber espionage looks just like a cyber attack coming in, distinguishing them based on the end result may be unduly passive. To that end, the United States needs a policy (likely broader than a military response) that engages all of the instruments of government power (diplomacy, law enforcement, economic sanctions, etc.) in responding to small-scale cyber espionage intrusions.

As these policies get developed, Cyber Command remains, ironically, a bit of a virtual command as of early 2012. The most that can be said is that it appears to be quite flexible in its scope. The authorizing documentation provides DoD with ample ability to develop within Cyber Command any number of cyber-related missions. With respect to cybersecurity matters, it is likely in the end that the limitations on the scope of activity in Cyber Command will be more in the nature of resources and external competition with other U.S. government agencies, rather than inherent limitations in its authorities. In short, we have a new Cyber Command, but the policy and doctrine that will define its objectives remain to be better defined. We can, however, expect a significant investment of effort and resources in the Command's development as it grows over the next few years.

The military is not, of course, the only U.S. governmental institution that would be responsible for a cyber response. The dynamics of the domain will necessarily involve other governmental agencies in any cyber action. After all, the Internet is a uniquely borderless domain.28 Thus, any effective strategy will necessarily require a governmental organization and process that enables international engagement. While one could, in theory, imagine a situation in which all of our cyber responses were enabled by military-to-military interactions, the prospects for such a scenario are dim. Rather, one can readily anticipate that international engagement will need to span the domains of diplomacy, law enforcement, and infrastructure protection, with a necessarily wide variety of international interlocutors.

Likewise, our government's cyber capabilities are not only useful as a cyber response measure. They may well play a role when kinetic military strikes would be viewed as too drastic or disproportionate, or even as a response to diplomatic disagreements, both overtly and covertly. And, of course, these capabilities can and will be used as a tool to supplement more traditional military operations to disable an enemy's command and control structures. We have only begun our efforts to build the structures necessary to direct these multiple missions.29