DoD’s cyber rules of engagement
How do you talk about something without talking about it? That is the trick for America’s new breed of cyber-troops and their commanders.
As we keep hearing, the world of cyber is so incredibly super-secret, and so densely complicated, there’s no way to actually discuss it in an open environment. But congressional lawmakers and defense leaders and reporters want to talk about it in the open, to make clear that they’re hep to the cyber-jive; they wink-wink know what’s happening, can you wink-wink dig it? So then we get this:
“We are working closely with the Joint Staff on the implementation of a transitional command-and-control model for cyberspace operations” while reviewing existing rules of engagement, Madelyn R. Creedon told the House Armed Services Committee’s subcommittee on emerging threats and capabilities.
Teresa M. Takai, DOD’s chief information officer, and Army Gen. Keith Alexander, commander of U.S. Cyber Command, joined Creedon at the hearing. “This interim framework,” Creedon told the panel, “will standardize existing organizational structures and command relationships across the department for the application of the full spectrum of cyberspace capabilities.”
That’s from DoD’s official account of a cyber-hearing Tuesday, at which cyber-leaders tried to describe to House members their progress in treating cyber just like another warfare area. And what they seemed to be saying is that cyber already needs a new org chart for the second or third slide in its deck, as well as codified rules of engagement to govern how cyber-troops actually wage cyber-combat. Do not expect much granularity about that to emerge in these open sessions.
There was some good news: Takai told lawmakers DoD was making good steps forward in a few key areas:
A pillar of that modernization is a move to a single, joint network architecture, Takai said, allowing DOD and Cyber Command better visibility into network activity and better defense against cyber attacks. Individually, she said, the services and agencies have taken action to better position the information enterprise and security posture.
The department has made significant progress in several areas, Takai said. One effort involved deploying a modular system called a host-based security system that enhances situational awareness of the network and improves the ability to detect, diagnose and react to cyber intrusions.
“We’ve also taken the lead in assessing the risk of the global supply chain to our critical information and communications technology,” Takai added, and has instituted a successful defense industrial base cyber security and information assurance program.
Meanwhile the manning, training and equipping of the cyber-corps goes on. Cyber Command boss Gen. Keith Alexander told lawmakers he is focusing on five areas in his new command, which is charged with defending DoD’s networks:
Building the enterprise and training the force; developing a defensible architecture; getting authorities needed to operate in cyberspace; setting the teamwork properly across U.S. government agencies; and creating a concept of operations for operating in cyberspace.
“I think we’re making progress,” Alexander said, “but … the risks that face our country are growing faster than our progress and we have to work hard on that.”
So we keep hearing. As ever, it’s impossible to know what to make of it. Alexander’s update could mean DoD is getting its ducks in a row and will be well-fixed if it gets hit by the Big One — though it’s also possible that kind of mentality is the wrong way to think about it. If DoD and the intelligence community and the rest of the federal government are bombarded each day by tens of thousands of attacks, the government could be wasting time ordering cubicle dividers and having team-building activities in its new offices. Bad guys and foreign governments could still be robbing us blind as the agency alphabet soup plays not-it on cyber responsibilities. When there’s no way to talk about this stuff, there’s no way to know.