The Role of the US Military in Defending Essential Infrastructure in a High End Cyber Conflict

The following is an excerpt. See the full text here.

This paper analyzes cyber’s role in deterrence and defense—and specifically the military-civil nexus and the relationship between the Department of Defense (DoD), the civil agencies, and the key private operational cyber entities, in particular the Internet Service Providers (ISPs) and electric grid operators.

The focus of the paper is on high-end conflict, including actions by an advanced cyber adversary, whether state or non-state, and not on the “day-to-day” intrusions and attacks that regularly occur and are generally dealt with by governmental agencies and the private sector without military involvement. High-end conflict can be expected to include attacks within the United States homeland as well as in forward theaters.

Last year, the Barack Obama administration issued PPD-41, “Cyber Incident Protection,” setting forth cyber security incident roles and missions for federal agencies but with no explicit reference to the Department of Defense. By contrast, the DoD Cyber Strategy provides that DoD will be prepared to “defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence.” Certainly, in a conflict where an adversary will utilize cyber as part of an overall military attack, the DoD will necessarily play a major operational role. This paper discusses what that role should entail. In a high-end conflict, the military will rely heavily on the availability of the telecommunication and electric grid networks, and those networks—including those abroad—will likely need assistance from the military to remain operationally effective. Understanding cross-sectoral dependencies and potential cascading effects from attacks will be crucial. Accordingly, to achieve deterrence and/or successful defense with respect to such a conflict or potential conflict situation, particularly against high-end cyber adversaries, the military, civil authorities, the ISPs, and grid operators will need to work closely together both prior to and during the conflict. This will be true both inside the United States and in the forward theaters where conflict is likely to occur.

This paper is organized in two parts. The first, and more extensive, section focuses on requirements necessary inside the United States. The second discusses requirements for forward theaters, building on the analysis for the US territory and the authors’ previous paper “Cyber, Extended Deterrence, and NATO.” The broad conclusion of the paper is that effective planning and operations require two overlapping sets of requirements to be undertaken:

• The military needs to develop a concept of operations that allows it to determine the required support from the ISPs and the electric grid in a high-end contingency (such as defense of the Baltics) and to provide the basis for a prioritized approach to cyber protection, resilience, and recovery of those networks. To prioritize mission-essential networks and industrial control systems that are critical for responding to regional crises, coordination with civil authorities, the ISPs, and electric grid operators both prior to and during a crisis will be necessary.

• The civil authorities, the ISPs, and electric grid operators need to develop contingency planning to elucidate the type of assistance they are likely to need from the military to provide the protection, resilience, and recovery necessary to maintain adequate telecommunications and grid operations for the nation in the event of a high-end contingency. The grid and ISP operators have unique knowledge of their specific system architectures and restoration plans; therefore, they are the best experts to convey that information to the military so the military is ready to actively support their efforts both during an attack and for post-cyberattack restoration. Without this foreknowledge about the specific systems, DoD personnel who undertake to assist during a crisis would be ineffective and could in fact cause harm to the systems and contribute to other adverse consequences.

To accomplish these objectives in the United States, six steps need to be undertaken:

1. First, contingency plans for military, civil authority, ISP, and electric grid operator interactions must be established for a high-end contingency through the use of an effective planning process supported by regular exercises and detailed playbooks that are routine in other emergency scenarios such as storms, fires, and earthquakes.

2. Second, clear chains of command for a high-end contingency need to be established between the civil authorities and the DoD and within the DoD itself, and an operational mechanism needs to be created to include the ISPs and the electric grid to allow prompt and responsive actions. To remedy existing disconnects between the DoD and other departments and to allow for proper interaction with the ISPs and grid operators in the context of a high-end contingency, Congress should consider creating a requirement for “unified cyber actions” along the lines of what the Goldwater-Nichols Act established for the DoD, requiring joint actions among the four services for war-fighting purposes.

3. Third, it is important to undertake actions in advance of a high-end attack to establish the greatest likelihood of effective protection, resilience, and recovery, as numerous analyses have determined that to generate desired results defenders cannot wait for the actual attack. Among other important steps prior to conflict, intrusions need to be blocked as much as possible; malware needs to be removed; and capabilities for maintaining data integrity, confidentiality, and availability need to be built and exercised. Critical to this effort is the use of a variety of adaptive resilience techniques, ranging from diversity and redundancy to moving target defenses and deception. All these resiliency features require development and implementation prior to conflict. Not all attacks can be protected against, but their effects can be mitigated if steps are taken in advance. DoD can utilize the knowledge generated in the defense of its own networks to assist defenders, and undertake research and development through the Defense Advanced Research Projects Agency and other DoD applied research and development activities to provide advanced capabilities.

4. Fourth, the roles of the National Mission Teams (NMTs), and the associated National Guard–supported teams, currently being established by Cyber Command to respond to cyberattacks of significant consequence, must be developed and clarified. NMTs and National Guard missions during an attack should be developed, specifying how they will interact with ISPs and grid operators. NMTs and the National Guard will not have the degree of expertise that ISP and grid operators have in their respective domains, but a combined effort utilizing exercises and modeling can establish tactics, techniques, and procedures for operating in a degraded environment. Additionally, NMTs and the National Guard should operate not only once a high-end attack has begun, but should help support actions prior to such an attack that will enhance protection, resilience, and recovery of the ISPs and the electric grid if an attack occurs. In addition to substantive planning, operational legal authorities must be clarified before an attack occurs. Moreover, a determination should be made whether the capabilities of the active force and the National Guard are sufficient or whether they need to be supplemented by private sector cyber security expertise, working under government direction and control in connection with high-end contingencies or in direct support to the ISPs and grid operators. For both conflict and restoration operations, such private sector skilled personnel may be necessary, especially if the NMTs and National Guard are needed to give direct support to DoD in a time of crisis. Any private sector personnel will need to be familiar with the specific operational technology networks, software applications, and protocols of the specific critical infrastructure.

5. Fifth, DoD should establish programs and funding to support resilience and recovery. The US government should leverage the Defense Production Act to ensure that readiness reserves in hardware and systems exist for critical infrastructure providers as they reconstitute/recover. The DoD could provide a contractual program for the purchase of key infrastructure components. Companies who participate could be further incentivized through payments and limited liability protection to provide greater levels of security to their industry supply chain and vendor management processes and to adopt best-practice secure engineering and better-engineered products. DoD funding could also support the Department of Energy efforts contemplated under the Strategic Transformer Reserve of the Fixing America’s Surface Transportation Act (FAST Act).

6. Sixth, offense will be a key element of effective operations. Prior to conflict, it will be important to undertake expanded “fusion” efforts, largely by civil authorities, to bring to bear intelligence, cyber, financial, law enforcement, and other capabilities to disrupt adversarial cyber planning and operations. Campaign planning should include courses of action to respond to so-called hybrid warfare, including cyber-enabled “flexible deterrent (and response) options,” so that commanders will have a full spectrum of options to utilize if the president determines it appropriate. In the event of conflict, cyber capabilities can be used against an adversary, targeting not only adversary cyber but also military capabilities such as sensors, communications, logistics, and military supporting infrastructures.

In forward theaters, effective operations will require all of the foregoing to be undertaken including contingency planning; clear delineation of command chain; clarity on the role of cyber teams; identification of prior actions to enhance protection, resilience, and recovery; and use of offense. However, as the United States will be operating as part of an alliance or organized coalition, cyber requirements will have to be coordinated and undertaken with allies and coalition partners. Accordingly, in addition to the specifics noted above, three additional elements will be key: the United States should act as a “cyber framework nation” to help support national capabilities; operational partnerships should be created between and among the military, civil authorities, the ISPs, and grid operators in the host nation; and cyber tools should be part of the military war-fighting effort, to disrupt adversary cyber operations and military capabilities including sensors, communications, logistics, and war-supporting critical infrastructure.

Franklin D. Kramer is a distinguished fellow and on the board at the Atlantic Council and a former assistant secretary of defense. Robert J. Butler is an adjunct fellow at the Center for a New American Security and served as the first US deputy assistant secretary of defense for cyber policy. Catherine Lotrionte is the director of the CyberProject in the School of Foreign Service at Georgetown University, former counsel to the President’s Foreign Intelligence Advisory Board, and former assistant general counsel at the Central Intelligence Agency.

January 3, 2017