There are some basic components that are needed by any military so that they can succeed. The military force is required to have the appropriate technology to create an advantage and the training to overcome any adversaries corresponding advantage. The key is asymmetry since equally opposed opponents will simply annihilate each other. Since an attacker can choose the place and time of a fight the defender must be aware constantly. Since cyber warfare is of a totally different kinetic and cognitive dimensions there are specific differences within the scope of similarities of conflict. The naval commander has much in common with the infantry command, but each is a specialist within his or her own domain. Why would you think to mix the two unless you were trying to make Marines? To do so would require twice as much training and a principle of generalized training through the entirety of the force. In some ways you could say every cyber warrior is a rifle man.
Cyber space is a dangerous place. For some reason people try to make cyber space into a version of the Internet. They try to keep cyber warfare related to personal computers and eBay. People try to equate and limit cyber warfare in ways they would instantly understand were wrong about other terrains like the sea or air. The consistent narrowing of the cyber focus is like a naval commander only looking at the surface for naval warfare. Submarines? Who cares about them they aren’t as cools as battleships! Narrowing the focus has detrimental effects on understanding the risks. Cyber warfare is a broad spectrum of capabilities, skills, targets, and strategies. The tactical picture of cyber warfare is a spectrum rather than a point.
Technology is a key concept. The type of technology though is especially important. A cyber warrior is going to use the technology of the adversary against them. As such the basics of scrounging off the land like some type of special operator or guerilla insurgent is going to be needed. In the land of cyber space the concept will be to harvest the configurations from computing systems, leave the metaphorical snares such as Trojans and root kits behind, and operate as an anonymous entity until needed. The technology needs include fast computing power, high speed data lines dropping into global networks in numerous (millions) of locations, high speed databases with rapid deployment tool sets, large amounts of background data on targets and support for collating that kind of data. These kind of support technologies need to be highly flexible and adaptive to the needs of the operator.
I have this concern. We create some special cyber force that operates in dark buildings and all of these cyber Ninjas read my blog and snicker at my obtuse and decrepit ways. Well they would laugh at me except the military and government information technology types have banned my website because I have the word BLOG on it. These cyber Ninjas operate in the dark dank foul encrusted halls of autocratic protectionist administrators who say “you might get hurt”. Turning cyber Marines into day care sycophants.
Training is important to success. NSA has some pretty good red team guys but they might not be the perfect cyber warriors. All right NSA put away the long knives and let me continue. The NSA is not a combatant command. They are basically intelligence and though that is sometimes combat what we are talking about his a consumer of NSA capabilities as a combatant commander or CIA operative in the field might consume information. The cyber militia would operate not as a gathering mechanism that is the NSA role, but they would use tools to operate under the notice of foreign (and domestic) system administrators. There are intelligence conundrums that occur when a capability might be degraded by the action on intelligence. That should not be an intelligence agencies decision, but should be a decision for the political entities for domestic and combatant commanders for military operations.
Much of the education a cyber warrior is going to need can be found in any information technology or computer science program of a university. Like anything though technical education has to be backed up with thinking and cognitive education. A sprinkling of networking, operating system, security, and programming will go a long way when mixed with social sciences. What won’t be found is the inherent mental twist to look at things sideways. Students will need to understand at a fundamental level how computers communicate externally and internally. A principle based fundamental (not low level education, but depth of the medium) understanding of computer systems is required. Here is one of the traps.
In a society of pervasive computing we have a tendency to make the personal computer and the operating systems of that technology primary rather than secondary. The Internet does not run on personal computers the personal computer is an edge device. For the sake of cyber warfare we want to know about all of the edge devices and all of the core devices. Suddenly the requirements for education jump forward. The good thing is that different categories of equipment, and in fact all equipment, have patterns or ways of doing things.
The purpose is to create an asymmetry in technology which is realized in battlefield wins. If they have a new tank, our new tank is bigger, and faster. If they have faster ships we make ours into hovercraft with lasers. The key is to maintain asymmetry within the technology space. It is also important to do so with training. Superior training, conditioning, and mental acuity can overcome adversarial advantage. Think of the Spartans taking on an army (go ahead and imagine the 300 from the movie the metaphor sticks). The Spartans had better tactics and training, but not the flexibility or technology. Though they fought bravely the volumetric asymmetry means they lost. Coincidentally there are now 300 million Americans. The population ratio is on the adversaries’ side and they have been building their technologies as well. Can America not repeat the Spartan defeat even if glorious?
A new domain and a new force structure do not necessarily mean a new combatant command. There are large and onerous legal issues with militarizing cyber space. Since the battle space for cyber encompasses so much the implications are huge when considering the American experience. Since cyber is so wide and inherently a domestic issue along with trans-national issue any force working within this domain will have to mirror the political realities. Those realities are constitutional and legislated restrictions. The force for this would be very flat with a high quality open minded managerial layer operating in geographic/mission teams. Within each team an offensive and defensive role would be set with mission objectives. The offensive team would take action while the defensive team covered those actions. In law enforcement there is a technique that officers use called contact and cover. This is necessary to insure that while the suspect is being dealt with they aren’t blind sided by a sideways attack. The combatant commander structure of the United States military could be layered into this organization. Thereby following the specific legislated rules of how combatant commanders wage war.
However, Northern Command would require special consideration and a larger constituency for their cyber efforts. The legal hurdles of domestic operation mean that several players need to be within the command. This would include private parties. When I say private I mean the telco carriers. Waging war is inherently a government activity and should not be outsourced at all to contracting companies. The terrain may be different but it is still war and should not be profitized. The National Guard and Coast Guard (and interesting enough the Marine Corps) are the only government entities that can truly operate currently in this domestic space legally and cover foreign and domestic issues equally. Since domestic incidents are a foregone conclusion the issues of attribution and consideration of proportional response need to be up front in a ladder of force hierarchy.
A few of my friends in the Air Force are going to notice I am not talking about a cyber command or a special unified command. StratCom is also off the table. I am not sure in my opinion that a military command can accomplish this mission. I am not sure that any government command can accomplish this mission. For all the skill at Fort Meade and Langley they get stomped on by 15 year olds too often. Remember we are no longer talking about just hardening systems or probing personal computers. The way to cyber warfare is creating kinetic results through use of command and control networks on either end of the OSI 7 layer model.