When someone states that cyber warfare and cyber security are the ultimate team sport between the public and private sector, what sport comes to mind? Are the public and private sectors rowing in unison to outpace a rival crew team, potentially undone by the briefest moment of disharmony? Is the public sector the offensive line that defends the private sector as the private sector advances the ball up the field, or vice versa? Are the public and private sectors even on the same team? The answer is, it depends.
What are the enabling objectives and final objective? Are the problems and objectives tactical, operational, or strategic? What ways and means are available? Does the Department of Defense develop personnel capable of thinking through the intersection of the public and private cyber domains at all levels of war?
In Bill Watterson’s comic strip, Calvin and Hobbes play a nearly incomprehensible game called “Calvin Ball,” with shifting teams, rules, and objectives. The cyber thinkers who will understand, protect, and employ the capabilities of the public- and private-sector cyber team will not play static offense or defense, or always row in perfect harmony. They will move fluidly from interaction to interaction, adapting to change and adopting roles as required. DOD should prioritize developing the personnel who can understand the dynamic games of the cyber domain and play to win.
The current U.S. cyber posture is to protect network access and fidelity for friendly entities and assets while exploiting adversary networks. Yet this position also raises more complicated questions. Which private-sector networks, if compromised, affect national security? What network attacks generate effects at the tactical level that can be overcome at the operational or strategic level of war? What processes do those networks facilitate, and how many avenues of vulnerability do those processes have that may impede DOD’s objective?
Imagine you command a carrier air wing (CVW) preparing for deployment. Your CVW consists of squadrons on both coasts. The consolidation of your aircraft, personnel, and support equipment depends on a Herculean feat of logistics relying on both private- and public-sector networks. Can you deploy when the private-sector network contracted to ship your E-2 Hawkeye squadron’s tools from Norfolk to San Diego is compromised? Is the impact any less significant if the same malware infects a Navy network at the origin of the same process?
The pervasiveness of networks makes the problems of attack and defense, absent their relationship to objectives, ethereal and crushing. In this example, the process that facilitates the objective depends on preserving the applicable networks. In this process, DOD can dictate the terms of the interaction, demand sufficient network safeguards, or shift to another provider. We may row together in this example, but DOD is both an oar man and the coxswain.
The central problem of cyber warfare and security is one of imagination, as specific processes, objectives, and capabilities will quickly outpace any attempt to develop a universal playbook. As such, DOD should prioritize identifying and developing agile thinkers who view cyber as an integral domain to campaign planning and execution. DOD personnel should view cyber holistically throughout a campaign, recognizing it as unique in impact and integral to the whole.
DOD possesses pieces of framework that, once assembled, will further the development of agile, cyber-aware thinkers, planners, and commanders. Take the gloves off. Let commanders learn from the pain of a full-scale cyber-incorporating campaign. Crash networks, divert personnel and equipment, and let participants learn through failure. Leaders at the tactical level need to learn that even when their primary logistics flow through interior lines, the networks facilitating the same process may not. Further, provide planners and operators who identify and exploit adversary networks with realistic effects within the exercise or scenario.
Expanding corporate partnerships may prove crucial to the development of DOD personnel who view cyber security and warfare across the public and private spheres. Current and future commanders will not understand how easily a process can be corrupted by network attacks if they do not understand the process. Offer representatives from our corporate partners the opportunity to participate in exercises as planners or adversaries. Hopefully, the outside partners will challenge our cyber assumptions and provide answers to questions that have yet to occur to DOD.
Treat cyber warfare as a core competency for all combat arms designators across the U.S. military. There is no reason why an aviator charged with understanding the offensive and defensive capabilities of various ships of the line, or an infantry officer who can call for fire from an airborne asset cannot understand, protect, and exploit cyber capabilities. A core group of cyber professionals should remain as subject-matter experts and pioneers of future developments, but would find their skills used to a far greater degree if understood by their peers.