Lawmakers pressed the Department of Defense's top cyber commanders Tuesday on the policy discussions needed to address authorities for carrying out offensive operations as their Cyber Mission Force (CMF) teams operationalize and peer adversaries continue to carry out threats in the domain.
Members of the Senate Armed Services cyber subcommittee heard from the commanders of the four military cyber commands on plans to sustain their CMF components, which have nearly all reached full operational capability, and the challenges in effectively utilizing their capabilities to deter future threats.
“Maturation of the Cyber Mission Force continues at an impressive pace. However, challenges remain as your focus now shifts from building a first-of-its-kind force to a sustaining one,” Sen. Mike Rounds (R-S.D.), the subcommittee chairman, said during his opening remarks. “When it comes to providing the cyber weapons that the force will need to deter and defend in cyberspace, there too is significant room for improvement. It is incumbent upon each of you to deliver those fundamental tools and capabilities as quickly as possible to make certain that the impressive gains you have made in training the force are not lost because of this lack of cyber weapons.”
The Army, Navy and Marine Corps’ CMF teams have all reached FOC, with the Air Force on track to meet the designation by June 2018, according to the witnesses at Tuesday’s hearing
The Department of Defense’s FY '19 budget request included $1.8 billion for manning, training and equipping the CMF across the services.
Both Rounds and Sen. Bill Nelson (D-Fla.), the ranking member on the subcommittee, pushed the cyber leadership on addressing the slow pace of progress in equipping their cyber units now that they’ve nearly all reached FOC.
“I still believe we have much room to grow. In particular, we need to continue to seek improvements in how we recruit, how we retain, how we train, how we reward, how we fight, all the while ensuring that our forces are equipped to compete and defeat the adversary,” Vice Adm. Mike Gilday, commander of Fleet Cyber Command, said.
Nelson wants to see the cyber components make use of Cyber Command’s new acquisition authorities to improve the capabilities needed for continued efforts to sustain the growing CMF.
“We’re looking forward to employing Cyber Command acquisition authority, when it makes sense,” Maj. Gen. Loretta Reynolds, commander of Marine Forces Cyberspace Command, said.
Sen. Ben Sasse (R-Neb.) pressed the witnesses on their view regarding a directive issued during the Obama administration requiring top DoD cyber leadership to receive specific authorities before carrying out cyber campaigns, including offensive operations.
“You can cite specific examples of times when the process has worked, but I assume if we were in a classified space there would also be specific operations that you’d tell us about that you were never able to carry out because of how slow it is,” Sasse said.
Lt. Gen. Paul Nakasone, commander of Army Cyber Command, cited successes for campaigns such as Joint Task Force AREA, to deter ISIS cyber campaigns but agreed that the current process may require policy discussion to address effectively countering future threats.
“It’s a work in progress, in terms of the way that we’ve approached getting approvals. Is the process perfect? No, it’s not. But this is a constant dialogue that goes on between ourselves, certainly Cyber Command and the Department of Defense and the National Security Council,” Nakasone said.
Rounds followed up to inquire which current policies are inhibiting cyber leadership from effectively operating in cyberspace.
Naksone responded that conversations need to take place on how DoD’s cyber components should address risk and the gains and losses associated with deciding whether to pursue operational or intelligence campaigns against an adversary.
“If we do want to compete, deter and win in cyberspace then we have to get to Lt. Gen. Nakasone’s point, more oriented on mission outcomes, risk models and threat-driven operations that allow us to become the challenger instead of the challenged,” Maj. Gen. Christopher Weggeman, commander of Air Force Cyber Command, said.
Nelson reiterated that there’s a conversation to be had on improving the organization of DoD cyber responsibilities as adversaries plan future information operations.
“Cyber Command doesn’t have the responsibility for information operations, which these days are largely conducted through cyberspace. Information operations and electronic warfare are the responsibility still of other parts of the department,” Nelson said. “We conduct information operations in support of commanders at the tactical level. Putin and other adversaries are coming at us at the strategic level. I am afraid we are ceding the playing field.”