Since U.S. Cyber Command (CyberCom) was established in 2009, most of its effort has focused on building out structures to support strategic level operations. CyberCom’s elevation to a unified combatant command in May makes now a particularly good time to consider how it can better support tactical warfighters. Here are six recommendations:
1. Avoid spreading cyber FUD.
FUD—fear, uncertainty, and doubt—is an approach used across the computer security industry to generate sales. The pitch typically goes, “Your systems are highly vulnerable to advanced persistent threats, ransomware, denial-of-service attacks, point-of-sale machine compromises, and spearphishing—but all will be safe if you buy my company’s gadget!”
Fighters must see the battlefield as it is, not as they want it to be. A big challenge in supporting tactical forces is accurately characterizing cyber threats, opportunities, capabilities, and degradations in a useful, comprehensible manner. Cyber adversaries are not 10 feet tall—nor are they 3 feet tall—but they are hardworking, experienced, and intelligent and believe in their cause.
Cyber risk should be characterized properly. Inserting a malicious flash drive into a maintenance computer on a ship could cause a lot of damage—so could dumping metal shavings into a reduction gear system or damaging the lube-oil system. Many of the mistakes I have made throughout my career have resulted from misunderstanding what actually is important. Let’s not give the tactical warfighters bad advice or constrain their freedom of action because cyber is the “shiny object” currently getting all the attention.
2. Don’t oversell cyber capabilities.
Cyber has been an extremely effective platform for espionage; almost all countries conduct some form of cyber-spying.[1] Cyber’s effectiveness as a weapon system is much less clear and the subject of considerable FUD.
The effectiveness question is best framed in the context of Joint Publication (JP) 3-13, “Information Operations.”[2] (Think trolling rather than hacking.) The booklet advises identifying a target audience and then striving to change the audience’s behavior using information-related capabilities. Advice to tactical cyberwarriors: Be cautious! It is tempting but erroneous to substitute “target system” for “target audience” and immediately start picking physical targets (routers, cell towers, C2 systems, radars, etc.).
Conventional wisdom in 1940 held that German bombing attacks on London would terrify the population into submission. The attacks actually had the opposite effect: they galvanized Londoners. As author Malcolm Gladwell put it, “Bombing, it became clear, didn’t have the effect that everyone had thought it would.”[3]
Cyberattacks on Estonia in 2007 may have produced a similar outcome, according to a 2013 study by Jason Healey:
Though it has been portrayed as a cyber disaster, it was actually a tactical and strategic defeat for the ethnic Russian attackers: The Estonian government was not coerced, and the statue was still moved; the attacks did not result in long-term damage or a negative impact to the economy; and in the longer term, Estonia has become a rallying cry for cyber defenders and a stain on the Russian reputation.[4]
Stuxnet was probably the most complex cyberattack in history. Fred Kaplan’s Dark Territory notes, “U.S. intelligence analysts estimated a setback in Iran’s enrichment program of two to three years.”[5] The actual result may have been even less.[6]
Cyber weapons are not magic.
3. If you don’t practice during the week, don’t expect to play in the game.
The Greek poet Archilochus is credited with having said, “We don't rise to the level of our expectations, we fall to the level of our training.”
For tactical users to benefit from cyber capabilities, they need to practice with the capabilities they will employ so that they acquire intimate knowledge of their strengths and limitations. They need the confidence that is only obtained through realistic training and repetitions.
When the cyber threat was new, a simple buffer overflow often could be exploited to do damage.[7] Twenty years later, most cyberattacks now require multiple highly technical exploits strung together correctly to get root-level privileges on a target.[8]
Many cyber weapons have low reliability. A spearphishing campaign may take months against a savvy target—if it succeeds at all. One mistake can compromise years of hard work. Empowering tactical users with cyber capabilities will not involve dusting off a PC at H-Hour and effectively integrating it into a complex, chaotic combined-arms battle.
4. Avoid absolute faith in technology.
Department of Defense (DoD) culture promises that superior technology will lead the U.S. military to victory. Our cell phones, computers, networks, and email are phenomenally more reliable than they were 25 years ago and taken for granted in day-to-day life. At the same time, the most important part of the “Third Offset” strategy is not increased spending on innovative technologies but the acknowledgement that innovative operational concepts, tactics, techniques, and procedures are required or the technological investment will be for naught.[9]
Historians often attribute the success of Germany’s 1940 Blitzkrieg offensive through Belgium and France to the technical superiority of German tanks. A closer examination, however, shows that French tanks were very close in capabilities to German ones.[10] The Germans conquered France because they were innovative at all levels of war and utilized a combined-arms approach.
Unfortunately, the United States operates at close-to-parity with its cyber adversaries. The Navy hasn’t faced this situation since 1941. Technology is not going to save us, but as John Paul Jones put it, “Men mean more than guns in the rating of a ship.”
5. Don't rob Peter to pay Paul.
Malcolm Gladwell’s Outliers advances the theory that “prodigies” are often the result of thousands of hours of experience at a young age rather than innate talent.[11] Some extrapolate from this to advocate that cyberwarriors should spend the bulk of their careers tucked away at hubs such as Fort Meade. The thinking goes that cyberwarriors require so many hours of rigorous education and training to win—and the National Security Agency is equipped to deliver it.
This approach has drawbacks. The military as a whole has access to a more-or-less fixed amount of cyber talent coming up through the U.S. education system both eligible for and interested in military service. Standing up “Cyber Regiments” in 2016 tilted the distribution of talent away from tactical units and toward operational and strategic ones. CyberCom’s 6,000 new billets are heavily concentrated in a few locations far removed from tactical forces.
The entire concept for 133 “cyber platoons” seemed to be straight from a vintage Army infantry Military Table of Equipage without considering how this construct would siphon talented network defenders away from tactical forces. Our best defenders have been centralized in teams who are subsequently employed to perform “clean up on aisle five”–type missions to assist tactical forces who lacked the talent to manage their defenses properly in the first place. An “interchangeable parts” platoon approach may simplify training and certification, but it ignores the fact that most cyber missions are best accomplished by a small customized team of specialists. Specialists may lose proficiency if not called on regularly to perform missions requiring their particular skill set. The large number of teams may have been driven by a perceived need to provide command-slot opportunities. This ties up manpower in administrative overhead and command groups and support staff.
The talent pool is for all intents and purposes a zero-sum game. DoD should reexamine the cyber force structure and push talent down to tactical forces. It should reduce the number of mission teams and tailor their organization and manning to actual employment. The Navy should ensure sailors get a healthy rotation between deckplate tours and the NSA hubs. It may be true that “you get what you inspect,” but tactical forces need to be “inspection ready” day to day, rather than busy prepping for the upcoming cyber inspection or fixing the hit list from the last inspection.
6. Properly balance active duty, reserve, civilian, and contract personnel.
The Navy lost a tremendous training opportunity for its military and civilian work forces when it outsourced all ashore information technology (IT) operations through the Navy-Marine Corps Intranet (NMCI) and One Net contracts. While a contractor probably is cheaper than a sailor for supporting base infrastructure, significantly fewer sailors now are able to gain critical experience, and the Navy lacks uniformed-military expertise in a number of critical IT skill sets. This has also damaged sea/shore rotations, impacting morale. Challenges managing the contract also led to an embarrassing breach.[12]
Overreliance on contractors has not been limited to the Navy. DoD lacks sufficient uniformed capacity to meet wartime requirements, resulting in the not uncommon sight of recently separated E-4s earning six figures as IT contractors in Afghanistan or Iraq doing the same job the military had trained and paid them to do a few months earlier. NATO currently spends more than €41 million ($47 million) per year in a single-source contract to operate and maintain IT for approximately 1,000 eligible personnel in Afghanistan.[13] While contractors have provided quality support for both DoD and NATO, these staggering costs divert funds away from tactical units and exacerbate readiness issues.
All four personnel categories must support the tactical warfighters. Contractors should not be viewed as an all-purpose substitute for young men and women in uniform even in the face of recruiting challenges. IT contracts must be properly administered by cyber-savvy government personnel (civilian and military) to avoid foxes guarding the proverbial henhouse. Reservists offer a great cyber capability to fill gaps but historically often have been mismanaged and constrained by archaic rules.
Tactical forces need cyber. Cyber warriors need to help tactical forces integrate digital and information warfare capabilities fully into combined-arms operations and help them maintain their freedom of action in cyber.
[3] Malcolm Gladwell, David and Goliath: Underdogs, Misfits, and the Art of Battling Giants (Little, Brown and Company, 2013, Kindle Edition), 130–31.
[4] Jason Healey, A Fierce Domain: Conflict in Cyberspace 1986 to 2012 (Cyber Conflict Studies Association, 2013 Kindle Edition), Kindle Locations 1678–81.
[5] Fred Kaplan, Dark Territory: The Secret History of Cyber War (New York: Simon & Schuster Kindle Edition, 2016), Kindle Locations 2844–45.
[6] Joby Warrick, “Iran's Natanz nuclear facility recovered quickly from Stuxnet cyberattack,” Washington Post, 15 February 2001.
[7] Aleph One, “Smashing the Stack for Fun and Profit,” Phrack Magazine Issue 49, 1996.
[8] Lookout Security Whitepaper, “Technical Analysis of the Pegasus Exploits on iOS,” 2016.
[9] Center for Strategic and International Studies. Assessing the Third Offset Strategy. March 2017.
[10] John T. Greenwood, ed., The Blitzkrieg Legend. The 1940 Campaign in the West (Annapolis, MD: Naval Institute Press, 2005).
[11] Malcolm Gladwell, Outliers: The Story of Success (Boston: Back Bay Books, 2008 Kindle Edition), 46.
[13] NATO Communications and Information Agency, “Contracts Awarded by NCI Agency Valued at EUR 100,000 and above,” reporting period: 1–31 December 2016.
Commander Thaeler is a member of the Naval Institute serving on active duty.