The military's current cyber capabilities remain limited and the Pentagon is mapping out a new strategy for boosting defenses and mounting offensive attacks, top cyber officials say.
"Today I think we are, we could be, an easy target," Air Force Lt. Gen. James McLaughlin, deputy commander of U.S. Cyber Command, told lawmakers on Capitol Hill on April 14.
The military services are about halfway through their effort to man, train and equip 133 operational teams and a total of about 6,200 cyber warriors by the end of 2016.
And Defense Secretary Ash Carter is finalizing an updated cyber warfare strategy document, the first major revision since 2011, said Eric Rosenbach, Carter's top adviser for cyber issues.
The updated strategy is likely to be unveiled in late April, Rosenbach said.
The Pentagon's top cyber official offered a stark assessment of the force's current limitations.
Eric Rosenbach, the Pentagon's principal adviser on cybersecurity, gives remarks Aug. 4 at the opening ceremony for Exercise Fortune Guard 2014 at the Asia-Pacific Center for Security Studies in Hawaii.
Photo Credit: MC1 Amanda Dunford/US Navy
Rosenbach faced questions from Sen. Bill Nelson, D-Fla., who asked whether Cyber Command "lacks robust joint computer network infrastructure to execute military cyber campaigns effectively."
"They currently do not have a robust capability," Rosenbach said at the April 14 hearing before the Senate Armed Services subcommittee on emerging threats.
Nelson also asked: "Do you agree that Cyber Command lacks a robust command and control platform and system to plan and execute fast-moving and large-scale cyber operations?"
"Yes sir, I agree with that," Rosenbach said.
The Defense Department has "pretty robust capabilities" for defending against cyber attacks, but less so for offensive operations, Rosenbach said.
To boost the military's cyber skills, the Pentagon plans to turn to civilians, both those from the military's National Guard and reserve components as well as those who choose not to serve in uniform at all.
"There is an important role for the National Guard and reserve. We want to capitalize on the expertise of folks who are in the private sector but still want to serve their county," Rosenbach said.
DoD also is drawing up plans to create new "centers of excellence" in places known for technological innovation, including California's Silicon Valley, the New York City area and others.
"We've been thinking a lot about ways we can get new pipelines or tunnels of talent into the department from nontraditional places," Rosenbach said.
"We would also like to find other ways into the department, where you don't have to go into one of the services, for example. So we are thinking a lot about that. Silicon Valley is a natural place. In and around New York City is another place. There are a couple of places like that, where we are looking at 'centers of excellence.' "
The Army, Navy, Air Force and Marine Corps all are assembling operational teams of cyber warriors, but it remains unclear whether the services will adopt specialties in the cyber realm. For example, one service might focus on defensive operations while another might take the lead on developing offensive tools and tactics.
That is just one of the unresolved issues facing CYBERCOM. Another is whether to transform the organization into something resembling the U.S. Special Operations Command, which would allow it to own more people and assets and depend less on support from the individual services.
"There is a big decision to be made about the model we want for CYBERCOM and essentially it comes down to this: Is CYBERCOM going to be more like [Special Operations Command] with those types of authorities and that type of model? Or is it going to be something closer to now that is much more reliant on service-generated man-train-and-equip [forces]" Rosenbach said.
"We are thinking very consciously about [that] but have not made a decision," he said.
First created in 2009, Cyber Command does not yet have the equivalent of a training range, McLaughlin said.
"We need to have a range environment, so there is virtual environment where these forces can do training. It needs to be interconnected throughout the United States. We need to have aggressor forces that replicate the adversary so there is someone to train against. We have to have people who are actually managing the training scenarios and preparing scripts," McLaughlin said.
CyberCom also faces the cultural challenge of breaking away from the signals community and data-driven professionals who first tackled the mission years ago.
"We have to operationalize this mission set," McLaughlin said.
"We have to focus on ... bringing an operational mentality to this space. This is not an [information technology] focused endeavor. This is an operational domain. … That is a critical transition, culturally and from a mindset perspective about how we operate in military cyberspace," he said
Military leaders are often fond of saying they never want to send U.S. troops into a fair fight — meaning they want those troops to have the capabilities to dominate any fight.
But McLaughlin said that despite the Defense Department's vast technological edge in virtually every other field, the military might have to face a "fair fight" in the cyber realm because troops could find themselves outgunned.
"So I think our goal, at least in the DoD side, is to make it where it's not fair. … so that our military forces don't have to go into conflicts in the future thinking 'this is going to be a fair fight." McLaughlin said.