Cyber Command creation leaves key details to be addressed

Defense Secretary Robert Gates' memo Tuesday creating a Cyber Command sets high-level policy goals, but leaves key budget and operational issues to be worked out in the coming months.

As expected, Gates announced the creation of Cyber Command under U.S. Strategic Command on Tuesday. It will be headed by Lt. Gen. Keith B. Alexander, director of the National Security Agency, who will pick up his fourth star in the new job.

"Cyberspace and its associated technologies offer unprecedented opportunities to the United States and are vital to our nation's security, and by extension, to all aspects of military operations," Gates said in his memo, sent to the Joint Chiefs of Staff and all the services.

But, Gates wrote, "Our increasing dependency on cyberspace, alongside growing threats and vulnerabilities, adds a new element of risk to our national security."

Deputy Defense Secretary William Lynn said at a cyber defense forum sponsored by the Center for Strategic and International Studies last week that the 15,000 networks operated by the Defense Department -- which host some 7 million computers -- make a "tempting target" for attackers. Lynn said, "Our defense networks are constantly under attack. They are probed thousands of times a day. They are scanned millions of times a day. And the frequency and sophistication of attacks are increasing exponentially."

Lynn said attackers range from teenage hackers to more than 100 foreign intelligence agencies.

Gates said in the memo he established Cyber Command because Defense needs an organization "that possesses the required technical capability and remains focused on cyberspace operations....this command must be capable of synchronizing warfighting effects across the global security environment, as well as providing support to civil authorities and international partners."

Gates said Undersecretary of Defense for Policy Michele Flournoy will lead a comprehensive review of the policy and strategy for the new command, which will begin operations in October. Its headquarters will be at Fort Meade, Md., home of the National Security Agency. Gates ordered Joint Chiefs Chairman Adm. Mike Mullen to develop a plan by September delineating the missions, roles and responsibilities for the Cyber Command and describing its relationships with the military services.

The House Armed Services Committee, in its report on the fiscal 2010 Defense authorization bill, said the Pentagon needs to conduct a thorough cost-benefit analysis for Cyber Command. The new organization, the committee said, should be compared to the units it will replace: Joint Task Force-Global Network Operations, which currently conducts defensive cyberspace operations, and Joint Functional Component Command-Network Warfare, which directs offensive operations. Those organizations were part of Strategic Command.

Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman, said the formation of Cyber Command would streamline Defense's ability to operate and defend military networks.

Dale Meyerrose, former chief information officer in the Office of the Director of National Intelligence who is now as vice president and general manager of cyber and information assurance for Harris Corp., said the new command will provide a "sharper focus" for cyber operations in Defense and the intelligence community.

Meyerrose added he hopes the new command will take a fresh approach to network defense that goes beyond today's emphasis on the use of intrusion detection systems. "Intrusion detection is not security," he said. "It means you have already been violated."

The Defense Information Systems Agency could play a key support role in Cyber Command, Meyerrose said. For years, it has not only operated global Defense networks, but also acquired the hardware and software the Joint Task Force-Global Network Operations uses to defend them. DISA has spent $530.7 million in the past two years on military network defense and requested a budget of $314 million for such activities in 2010.

Meyerrose said Cyber Command could tap DISA to extend its expertise to protecting networks managed by the services and other defense agencies.

But Philip Coyle, senior adviser with the Center for Defense Information, a security policy research organization in Washington, said under his reading of the Gates memo, "it looks like DISA is out of the mix now." Coyle, who served as assistant secretary of Defense and director of the department's operational test and evaluation directorate from 1994 to 2001, said the memo appears to transfer the work DISA did on network defense to Cyber Command.

Coyle said Gates' memo also lacks details on funding for the new command.

DISA officials declined to comment on what role the agency would have with Cyber Command, and referred all questions to the Pentagon. Butterbaugh said Defense will spend between now and September working out details for the new organization, including its budget and the role of DISA.