New command does not signal a significant shift in cybersecurity strategy
Operational responsibilities for securing our information infrastructures have remained largely unchanged
The establishment of the Cyber Command, which Defense Secretary Robert Gates announced last month in a memo, has been heralded as evidence that the country is getting serious about defending its cyber turf — and the memo was greeted with some trepidation that it could represent a militarization of cyberspace.
But Cybercom, which will be a subordinate unified command of the Strategic Command, represents more of an organizational change than an operational change at the Defense Department. It does not appear to signal a significant shift in the nation’s cybersecurity stance.
DOD is still working on the details of Cybercom's organization. An implementation plan is due by Sept. 1, with initial operating capability expected by October and full operating capability within a year of that. The new command is expected to be located at Fort Meade, Md., which is home to the National Security Agency, and NSA's director likely will head Cybercom.
As part of the new command's creation, the undersecretary of Defense for policy will lead a review to develop a comprehensive approach to DOD cyberspace operations. However, the scope of those operations already is detailed in Stratcom’s Unified Command Plan, and authority for the operations will be delegated to Cybercom.
“This memorandum reinforces, but does not expand, Stratcom authorities and responsibilities for military cyberspace operations,” Gates said in the memo that introduces the new command.
Since cybersecurity emerged as a national security issue, operational responsibilities for securing our information infrastructures have remained largely unchanged, with NSA taking care of the dot-mil portion of the government’s cyber turf and the Homeland Security Department looking after dot-gov. Security for the dot-com and other nongovernmental domains rests primarily with the private sector. Officials at Fort Meade and the Pentagon have been consistent in saying that they will not alter that arrangement. NSA said it has its hands full with dot-mil and has no plans for the rest of the world’s networks. NSA and the new Cybercom will offer their offensive and defensive expertise to their counterparts at DHS and the U.S. Computer Emergency Readiness Team as requested, but they will not patrol the rest of the government’s, nation’s or world’s networks.
Of course, domain boundaries are somewhat arbitrary. Hackers do not respect them, and there is no reason to think that offensive and defensive activities in a cyber theater of war would be limited to military assets any more than they are in conventional land, air and naval operations. Critical civilian assets are likely to be targeted by both sides in a cyber exchange, and collateral damage is likely.
And who is to say what NSA is up to? Not that many years ago, NSA stood for “No Such Agency,” and as recently as the last administration, it was engaged in illegal monitoring of civilian communications. However, that is on the spook side of things.
On the military side, establishing Cybercom represents a less-than-dramatic shift in DOD’s approach to defending an emerging theater of operations. It is evolutionary rather than revolutionary, and although it offers the prospect of greater organizational efficiency and a path for new development, it probably does not represent a growing militarization of cyberspace.