We need a cyber corps as a 5th service
At U.S. Cyber Command at Fort Meade last week, newly appointed Secretary of Defense Ashton Carter said that a new, independent branch is “one of the futures cyber might have.” He is right.
By Alexander McCoy
Best Defense guest columnist
At U.S. Cyber Command at Fort Meade last week, newly appointed Secretary of Defense Ashton Carter said that a new, independent branch is “one of the futures cyber might have.” He is right. We need a new branch of military service. We need a U.S. Cyber Corps.
In today’s increasingly connected world, critical infrastructure such as energy and communications utilities, as well as key corporations and the financial markets, are increasingly vulnerable to cyber-attack. In 2010, a targeted computer worm named Stuxnet destroyed at least one fifth of Iranian nuclear centrifuges, setting back Iran’s project to develop nuclear weapons significantly. In 2012, an Iranian cyber-attack struck Saudi Arabia’s national oil company, Aramco, destroying more than 30,000 computers and significantly impacting the oil production which forms the basis of Saudi Arabia’s economic strength. In 2012, then Secretary of Defense Leon Panetta warned that the United States faced the possibility of a “cyber-Pearl Harbor”. In the wake of the recent high-profile cyber-attack against Sony by North Korea, few would contest that the United States must take cyber-attacks seriously and move to shore up our defenses against this emerging threat. Yet despite the damage inflicted through cyber-attacks in the past, only a fraction of this technology’s destructive potential has ever been unleashed.
Secretary Panetta’s description of a “cyber-Pearl Harbor” paints a picture of an attack that would clearly constitute an act of war. “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” This kind of attack would be no less devastating if caused by a virus than it would be if caused by a bomb. It is certain that the capacity to unleash such destruction would be a critical piece of any war between two developed countries which rely on digital infrastructure.
Policymakers throughout the world seem to agree. At a NATO summit in September, 2014, participating heads of state released a joint statement saying that “cyberattacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack.” They went on to clarify that “cyber defense is part of NATO’s core task of collective defense,” and warned potential enemies that a sufficiently severe cyberattack would trigger NATO Article 5, the commitment to shared defense that states that “an armed attack against one or more of [the 28 NATO member states] shall be considered an attack against them all.” In 2011, the Pentagon released its first formal cyber strategy, which declared that a state-sponsored act of cyber sabotage can constitute an act of war and would be responded to no differently than traditional military force.
The United States has maintained a constant state of readiness to engage in warfare with another superpower, should it become necessary. The country’s massive investment in developing the next generation F-22 fighter demonstrates that this mission plays heavily into strategic decision-making. No American service member has been killed by hostile aircraft since the Vietnam War, and aircraft are currently used primarily to support ground troops against foes on the ground. Yet the F-22 is primarily designed to gain air superiority against cutting-edge enemy aircraft; the kind of fight the U.S. has not actually faced in decades. Similarly, cyber-warfare must be considered not only in the context in which it is currently utilized, but in how it could and would be utilized in wars in the future. We must anticipate and prepare for total cyber war.
Cyber-operations have long been portrayed as a law enforcement matter. Civilian law enforcement and intelligence agencies have been given the bulk of the responsibility to defend from cyber-attacks, and develop the capability to strike back if called upon to do so. But the nature of cyber-attacks has evolved as we become more interconnected and our society depends more heavily on digital infrastructure. While cyber-crime including data theft by individuals and groups hoping to profit economically is a real and growing problem, state-sponsored cyber-warfare is a distinct and separate phenomenon. One major challenge of combating cyber threats is attribution; determining who the attacker was. However, in the case of significant cyber-attacks of the level of severity that might plausibly trigger a NATO Article 5 response, only state actors possess the necessary means. According to Pentagon officials, the most sophisticated cyber-attacks, such as taking out a power grid, would require technological prowess only available to states. Additionally, this scale of attack would require not merely a lone hacker behind a computer, but the information-collection and access only available to a state intelligence service working in support. Cyber-warfare is a military act, distinct from cyber-crime, and as such it requires a military response. If the United States is not only to successfully adapt to the changing nature of warfare, but also maintain the democratic ideals the country was founded on, the role of conducting cyber operations must not be left to civilian law enforcement agencies.
If a cyber-attack can constitute an act of war, then the use of cyber-attacks must be governed by the constitutional limitations governing the use of military force. With civilian law enforcement and intelligence agencies holding the keys to our cyber power, Congressional oversight of Presidential war-making authority will be continuously degraded as the technology continues to advance. This makes as much sense as requiring Congressional authorization for the use of the Air Force, but not for the use of the Navy. If the role of creating the country’s offensive cyber capability is left to civilian intelligence agencies such as the NSA by default, they will either go under-developed, or the civilian agencies (which are designed to be primarily defensive and advisory in nature) will take on a disturbing new paramilitary character.
This system is not only undemocratic, it is ineffective. In the wake of the disclosures of Edward Snowden, agencies such as the NSA have struggled with a damaged reputation which has much to do with their increasingly dual role. In 2013, the hacker convention DefCon announced that federal agencies would no longer be welcome to recruit at the conference. Returning the intelligence agencies to their more passive intelligence-collection role, and placing offensive cyber operations in the hands of a military would aid the recruitment messages of both. The intelligence agencies would be able to legitimately cast themselves as defenders, not Big Brother, and the military cyber force would be able to take the ethical high ground of being bound by stronger constitutional limitations.
The U.S. military currently lacks the ability to take on this role, however. Cyber warfare represents a very different form of operations than anything else the current branches of the armed forces conduct. Each branch, by nature, will have a tendency to view cyber operations through the lens of how it impacts the basic function of their branch. The Marine Corps will naturally tend to approach cyber warfare from the perspective of how it can aid the basic Marine Corps infantry squad. The Navy will tend to view it in terms of how cyber warfare can contribute to or defeat efforts to project power from naval vessels, etc. Each of these functions are necessary for successful conduct of warfare, and should be explored and developed, but are only a limited piece of the range of ways cyber warfare can contribute and be deployed. By merely allowing each branch to organically develop a specialized cyber warfare capability, we risk both duplicating our efforts, competing for talent, and failing to exploit the full potential of cyber warfare.
The uniformed services have also struggled to attract sufficiently qualified candidates to serve in their nascent cyber occupations, either from outside or from within their present ranks. A large part of this challenge is the preexisting institutional culture of these branches, which often finds itself in opposition to the ideal characteristics of a cyber warfare organization. An expectation of a strict physical fitness regimen bares little relevance to a soldier whose entire contribution will take place within an office in front of a computer screen. Standard, mandatory training requirements such as swimming tests and rifle qualifications similarly are distractions from a cyber warfare specialist’s mission. Secretary Carter acknowledged this challenge in Friday remarks, describing how the skills and outlook necessary for a good cyber-warrior are out of sync with anything to be found in the traditional armed services. “For the institutions that you join, be they military services or field agencies or new commands, they are trying to figure out how to welcome this new breed of warrior to their ranks,” Carter told an audience of troops.
In a realm of warfare requiring creativity and innovative thinking, it is important to identify and quickly reward the best and brightest minds, yet the standard, rigid system of promotion and recognition in the current military branches and intelligence agencies singularly lacks the flexibility to allow this. The armed forces offer little more than patriotism to entice their most skilled cyber warriors to stay in service, when the booming private sector demand for cyber security specialists entices them away with the potential for high pay and rapid promotion. The limits of the force structure, promotion system, and pay scale have forced the services to fight to keep their newly trained cyber specialists. For example, the Marine Corps has had to invest more than 16 percent of its entire retention bonus budget for its tiny cadre of cyber specialists. This is a fundamental problem for the development of cyber warfare capability. A single excellent cyber warrior is significantly more valuable than one hundred mediocre ones, yet the standard force structure creates an incentive for quantity over quality and rapid turn-over rather than longevity. It is critical that we create an environment where talented, motivated individuals can serve in the armed forces and conduct cyber operations without feeling alienated by the culture in which they find themselves.
The Air Force serves as a useful model. The United States Air Force came about as a result of experimentation with the new technology of aviation on the part of the U.S. Army. The Navy and Marine Corps also pioneered fixed wing flight within the context of its usefulness to their own organizations. By the end of World War Two, however, it became apparent that aviation had become a realm of warfare in its own right. The air was no longer merely a vertical extension of the battleground on land, it was a battleground in its own right. As technology and tactics advanced, war in the air became increasingly disconnected from the war on the ground. Divorce from the Army in 1947 allowed the Air Force to develop in its own direction, gaining the freedom to innovate in how its force could be applied, and the space to develop its own unique culture. The same freedom is needed for cyber warfare. We need a new branch, a U.S. Cyber Corps.
The creation of a Cyber Corps would have a dramatic impact on the way we view defense. The mere existence of a Cyber Corps as an explicitly military branch will emphasize to policy makers the ramifications of its use, and draw a clear dividing line between offensive and defensive operations in this new realm of war. The development of an officer corps with expertise in this area will bring a new perspective to joint operations planning, and a member of the Joint Chiefs of Staff explicitly representing cyber warfare capability when advising the Secretary of Defense will result in our armed forces making greater advantage of this new technology. The independent Cyber Corps would have the freedom to innovate and develop a culture best suited to success in this new battleground. It is time to actively foster our evolution to the battlefield of the future, and ensure that the United States retains its military advantage as the world’s strongest superpower.
Alexander McCoy served in the United States Marine Corps for six years, and deployed as an embassy guard to Saudi Arabia, Honduras, and Germany. He left the Marines as a sergeant. He currently is studying political science at Columbia University in New York City.
Tom: Why are Marine sergeants the best writers in the military? What happened?