Cyber Command: So much still to know

Defense and cybersecurity experts have lots of questions about the scope and operations of the military's newest command.

After months of waiting and speculating, defense and cybersecurity experts now know what there is to know about the Defense Department’s new Cyber Command. They also know what they don’t know, and some worry about the unknown unknowns — the things they don’t know that they don’t know.

Here is what we do know: The new command, announced by Defense Secretary Robert Gates in a June 23 memo, will take the lead in protecting military networks and conducting offensive cyber operations against hostile forces. Although a subunit of the Strategic Command, the Cyber Command likely will be led by the director of the National Security Agency, Lt. Gen. Keith Alexander, and based at Fort Meade, Md.

We also know that whoever takes charge has a lot of work to do.

In a June 25 speech, as reported by Wyatt Kash, editor-in-chief of Government Computer News, Alexander said military personnel needed more training in securing networks and protecting civil liberties.

To accomplish that, he said, “we have to have a common block of training for all the [military] people [who] operate in cyberspace so that everyone understands the nature of the network.”

Alexander also noted the need to give network operations specialists the appropriate security clearances so they can understand the nature of the threats the military is dealing with on a daily basis.

The magnitude of those threats is best captured by three numbers bandied about by DOD leaders in the past two weeks: 15,000 networks and 7 million computers to protect, with 50,000 attacks occurring every day.

The size and importance of DOD’s military operations have caused some observers to wonder how big an effect the Cyber Command might have outside its own domain.

This is where the unknowns begin to creep in.

The Washington Post, among others, has quoted analysts who say Gates announced the command in a memo rather than a speech in an “effort to tamp down concerns that the Defense Department and the NSA will dominate efforts to protect the nation's computer networks.”

That certainly is not the policy of the Obama administration, which has already announced plans to name a cybersecurity coordinator to oversee the defense of civilian networks. But some observers are still wary, especially given the federal government’s track record.

"Is it going to be the dominant player by default because the Department of Homeland Security is weak and this new unit will be strong?" asked James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, in an interview with the Post. "That's a legitimate question, and I think DOD will resist having that happen. But there are issues of authorities that haven't been cleared up. What authorities does DOD have to do things outside the dot-mil space?"

Apparently, that is a known concern in the halls of the Pentagon. The Associated Press reported that DOD officials “have stressed in recent weeks that the Cyber Command will not infringe on the Department of Homeland Security, which is the lead agency for other federal digital systems.”

But quash one concern and, before you know it, another pops up.

Alan Paller, director of research at the SANS Institute, told GCN’s Bill Jackson that he considers the Cyber Command a spectacular idea. But he also said it is possible that the new command will so militarize the Information Assurance division of NSA that it could harm the public/private partnerships that are important for security.

Other observers are concerned about the diplomatic ramifications of taking military operations into cyberspace, according to the New York Times.

“I can’t reiterate enough that this is not about the militarization of [cyberspace],” said Bryan Whitman, a DOD spokesman, in discussing Gates’ order June 23. “This is an internal Department of Defense reorganization. It is focused only on military networks to better consolidate and streamline Department of Defense capabilities into a single command.”

But the Russians are not convinced, as reported later by the Times.

“The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyber war attacks that could wreak havoc on computer systems and the Internet,” wrote John Markoff and Andrew Kramer.

According to their report, Russia would like an international treaty to govern cyberspace, while the United States is looking for a less formal approach that focuses on better cooperation among international law enforcement groups.

But don’t get the wrong impression. Most observers are not criticizing DOD for creating the Cyber Command. It’s just that now that it’s here, there is so much more — known and unknown — that they want to know.
