Cybersecurity and Deterrence
To Defend Forward, the U.S. Must Strengthen the Cyber Mission Force
Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
The Cyber Mission Force is the locus of the Department of Defense’s efforts to counter, disrupt and impose costs for malicious adversary behavior in cyberspace. Three key changes enabled it, under Title 10 authorities, to conduct cyber effects operations more routinely outside of the Defense Department’s information network and outside of a defined area of hostilities in support of campaign plans. The first was the debut of the 2018 Department of Defense Cyber Strategy, which introduced the strategic concept of defend forward. The second was the 2019 National Defense Authorization Act (NDAA), which defined cyberspace operations as a traditional military activity. The third was National Security Presidential Memorandum-13 (NSPM-13), which, as described by the Pentagon’s General Counsel in March 2020, “allows for the delegation of well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace.” Together, these changes reflect a significant shift in strategic thinking from the 2015 Department of Defense Cyber Strategy, and from operational engagement limited to the kinetic battlefield, such as Joint Task Force ARES. However, while the Cyber Mission Force’s operational goals have grown in scope and scale commensurate with the threat environment, its force size and structure have remained constant. Therefore, one of the Cyberspace Solarium Commission’s key recommendations is to ensure the Cyber Mission Force achieves the appropriate resourcing, force size and capability mix.
Planning and conducting cyber operations and campaigns demands a significant investment in resources, human capital, access and tool development, and time. Yet, the core component of the cyber force across the joint services is essentially the size of one conventional army brigade. The Cyber Mission Force reached full operational capability in the spring of 2018; this includes 133 teams comprising a total of approximately 6,200 individuals. These teams are responsible for a plethora of diverse missions, including national mission teams that defend the nation by countering malicious adversary activity, combat mission teams that support the missions of the geographic combatant commands, cyber protection teams that defend the Defense Department’s information network, and cyber support teams that conduct analysis in support of the national mission teams and combat mission teams.
However, full operating capability requirements were determined in 2013, well before the U.S. experienced or observed key events that subsequently shaped our understanding of the urgency and salience of the threat posed by malicious adversary behavior. Examples of such activity include Russia conducting cyberattacks against Ukraine’s power grid in 2015, as well as Russian cyber-enabled interference in the 2016 U.S. presidential elections. The full operating capability requirements were also determined prior to the development of the Defense Department’s defend forward strategic concept, which broadened the scope of what it means for the Cyber Mission Force to defend the nation in cyberspace short of war.
This raises a number of critical questions. First, is the Cyber Mission Force appropriately sized and resourced given current and future mission requirements? The Cyber Mission Force is tasked with conducting a diverse set of missions, at scale, and must also have sufficient capacity to maintain steady-state operations while surging to respond to an emerging crisis.
Second, is the allocation of resources across teams within the Cyber Mission Force matched to the prioritization of threats? For example, if U.S. strategy identifies the most salient and significant threat to be malicious adversary behavior against the homeland below the threshold of armed attack, it follows that the national mission teams, which make up the Cyber Mission Force and are the operational arm of U.S. Cyber Command, should merit additional teams.
Finally, concurrent with an increase in the size of the Cyber Mission Force, how can the U.S. ensure that supporting entities, particularly the National Security Agency (NSA) in its combat support agency role, are also appropriately resourced? The NSA provides critical intelligence support to cyber operations conducted by Cyber Mission Force teams, particularly at the tactical and operational levels. As the Cyber Mission Force’s operations and needs grow, intelligence collection demands corresponding resourcing.
There has been some progress in assessing Defense Department cyber personnel, structure and organizations, particularly in Sections 1652, 1655, and 1656 of the recently passed FY2020 NDAA. However, Congress must also ensure that the Cyber Mission Force, in particular, conducts a force structure assessment and troop-to-task analysis that takes into account the increasing scope and scale of Cyber Mission Force missions compared to previous fiscal years and projected into the future, as well as an assessment of resource requirements for the NSA in support of this aspect of its mission. This is why the commission recommends that Congress should request in the next Cyber Posture Review, and quadrennially thereafter, that the Defense Department provide an assessment of the requirements to grow the Cyber Mission Force, including projected force size and mixture necessary to sustain all Defense Department missions in cyberspace. The results of this assessment should drive resource allocation, force size and mix, and continued congressional oversight of these efforts.
Further, the threat environment and rapid pace of technological change in cyberspace demand speed and agility. These realities drove additional recommendations from the commission. Here, we highlight three in particular that, taken together, would enhance the flexibility of acquisitions and decision-making to enable adaptability, and rapid response and maneuver.
First, Congress should establish a major force program funding category for U.S. Cyber Command. Congress requires the Defense Department, according to 10 U.S.C. § 221, as part of the Future Years Defense Program, to annually submit a budget that includes estimated expenditures and appropriations projected over a 5-year period. This program is currently organized into 12 different major force program funding categories that represent a total amount of dollars, manpower and forces appropriated for each category. A new major force program funding category for U.S. Cyber Command, similar to what currently exists for U.S. Special Operations Command, would provide U.S. Cyber Command with acquisition authorities over goods and services unique to the command’s needs. It should also provide a process to expeditiously resolve combatant command/service funding disputes.
Second, Congress should request that the Defense Department provide in the next Cyber Posture Review an analysis of, and recommendations for, the conditions under which further delegation of cyber-related authorities is appropriate to U.S. Cyber Command, as well as to other Defense Department components, such as the NSA. The pace of cyberspace operations may require delegated authorities under certain conditions to pursue and deliver effects against adversary targets. This would, when appropriate, remove friction and support rapid response and maneuver. Importantly, this recommendation does not call for new authorities within the scope of Title 10. Rather, it is focused on the cyber-related authorities that already exist within the Defense Department but may be fragmented across different elements (for example, functional combatant commands, geographic combatant commands and the various services). Examples of these authorities include those that support planning and implementing offensive cyber operations, such as information operations-related authorities that include creating, procuring and deploying personas. Relevant authorities to review for delegation to the NSA should include those authorities that enable the agency to rapidly tip relevant foreign intelligence collection to private entities within the Defense Industrial Base and their service providers to support the latter’s own defensive operations.
Finally, as part of the next Cyber Posture Review, the Defense Department should produce a study that assesses and provides recommendations for amendments as necessary to the Standing Rules of Engagement and Standing Rules for Use of Force for U.S. forces. These rules have not been updated in more than a decade, despite major changes in technology and the strategic environment. The commission, in particular, recommends assessing how these rules apply to activities in cyberspace below the level of war or armed conflict, and how unique aspects of cyberspace (for example, the absence of “high seas” and the definition of “territory”) affect their current application. Importantly, this recommendation should not be construed as necessarily calling for a loosening of the rules under all conditions. Rather, updating and clarifying how these apply in cyberspace where U.S. forces are already operating in day-to-day competition is as important for risk mitigation as for reducing operational friction.
Taken together, these recommendations will empower the Cyber Mission Force and U.S. Cyber Command to plan for cyber operations above the level of armed conflict as well as to rapidly maneuver against and engage adversaries below it.