On May 4, 2018, U.S. Cyber Command was elevated from a sub-unified command under U.S. Strategic Command, making it America’s 10th unified combatant command. At a ceremony marking this change, Deputy Secretary of Defense Patrick Shanahan described the command’s challenge as strengthening “our arsenal of cyber weapons, cyber shields and cyber warriors.”1
Shanahan’s words evoke the image of a traditional warrior, fighting with weapons and a shield. And yet, cyber “warfare” differs dramatically from traditional combat.2 In fact, many cyber warriors spend less time using virtual “weapons” than they do inventing or maintaining them. While joint doctrine treats use, invention, and maintenance as important components of cyber “operations,” i.e., warfighting, this paper shows that, in practice, the individuals who perform these activities do not all have equal “warrior” status.
Of course, it may seem strange that any cyber experts would have warrior status. After all, they typically work at desks, and without substantial physical risk. Furthermore, while missiles, drones, combat aircraft, and other high technology have all changed how militaries fight and what it means to be a warrior, the technologies with which cyber warriors work are not unique to the military.3 Every major civilian organization today also relies on complex computer networks and experts who defend them. While some cyber warriors attack adversary computer networks, many spend their time focused on defensive work that differs very little, if at all, from that of civilian computer security experts. Indeed, the U.S. Defense Department has leveraged the civilian U.S. National Initiative on Cybersecurity Education workforce framework to build its own cyber workforce.4 For that matter, the Department of Defense uses civilian contractors for both offensive and defensive cyber operations.
So, why are some kinds of cyber experts who work for the Defense Department considered “warfighters” but others are not? This paper examines the historical process by which some of these kinds of experts gained warfighter status while others did not. It shows how, throughout the 1990s and early 2000s, key leaders in intelligence, communications, and warfighting communities made the case that computer network operations should be treated as a kind of warfighting. While specific approaches varied across different services and professional specializations, all of these leaders struggled against a culture that has historically treated information-related work such as intelligence, computing, and communications as a warfighting support function, something lower in status than warfighting itself.
Elevating the status of cyber expertise entailed challenging organizational hierarchies that made cyber experts subordinate to traditional warfighters. For example, it meant empowering cyber experts and organizations to effectively issue commands to warfighting units, directing them to remediate vulnerabilities in their computer networks. It also involved reorganizing well-established military specializations, such as signals intelligence, electronic warfare, and communications, around cyber infrastructure and operations. Perhaps most importantly, it meant establishing new career paths through which cyber experts might advance to the highest levels of command.
Military leaders made their case for elevating cyber expertise in a variety of ways. For example, they developed concepts of cyber operations that were analogous to well-established concepts of kinetic operations. They also conducted exercises that revealed the potential impact of cyber operations on military warfighting and gathered data that highlighted a steady increase in intrusions that might have gone completely unnoticed if not for the work of cyber experts.
I argue that these and related activities succeeded in establishing cyber operations as a type of warfighting, but that some kinds of skills, knowledge, and ability were more readily seen as warfighting than others. In particular, threat-focused activities like offensive operations, intrusion detection, and incident response, which were first developed within signals intelligence units, were most easily viewed as warfighting. By contrast, vulnerability-focused activities such as password management, software patching, and other forms of technology maintenance, which were primarily the responsibility of communications units, were slow to be seen as a kind of warfighting.
Today, the distinction between threat-focused and vulnerability-focused activities can be found in joint doctrine, which outlines three primary missions for cyberspace operations. The first mission, offensive cyber operations, is unique to the military. U.S. law prohibits civilian organizations from conducting offensive cyber operations unless they are operating under military authority. The second mission, defensive cyber operations, responds to threats that have already breached Defense Department networks. Some of these activities, including incident response, intrusion detection, and network monitoring, are very similar to defensive work within major corporations, civilian government, and other non-military organizations.
The third mission, Department of Defense Information Network (DODIN) operations, focuses on mitigating vulnerabilities. It includes “actions taken to secure, configure, operate, extend, maintain, and sustain [Defense Department] cyberspace and to create and preserve the confidentiality, availability, and integrity of the DODIN.” Like defensive cyber operations, these activities are commonplace in non-military organizations. Furthermore, by virtue of their focus on mitigating vulnerabilities rather than attacking adversaries, they have struggled to gain the status of warfighting. In an effort to cast its work as warfighting, Joint Force Headquarters-DODIN describes its mission with the phrase “Fight the DODIN,” not “secure,” “maintain,” or “sustain” the DODIN.5 And joint doctrine seems to recognize the lower regard in which such operations might be held, noting that “although many DODIN operations activities are regularly scheduled events, they cannot be considered routine, since their aggregate effect establishes the framework on which most DOD [Department of Defense] missions ultimately depend.”6
Joint doctrine does not formally prioritize any one of these three missions over the others. Yet, as this paper shows, the personnel assigned to offensive or defensive cyber operations tend to have greater warfighting status, and thus greater prestige and opportunities, than do personnel assigned to DODIN operations. Offensive and defensive cyber operations, by virtue of their focus on confronting intelligent and changeable adversaries, tend to be less routine than DODIN operations and are therefore more readily construed as warfighting. By contrast, DODIN operations are focused on maintaining and sustaining technology. Such work can be carried out in innovative ways. However, it is also very often routine and mundane. Furthermore, although effective DODIN operations require an understanding of how threats operate, their focus is ultimately on infrastructure rather than adversaries, further reducing any claim to warfighting.
And yet, DODIN operations are also the first line of defense, without which defensive cyber operations would become impossible. Without a defense of computer networks, the modern military simply could not function with any level of confidence. While I do not take a position on whether DODIN operations and other forms of security maintenance should be considered “warfighting,” I do argue that such work has tended to be undervalued and that its lower status continues to impact military cybersecurity.
By analyzing historical efforts to make computer network attack and defense a kind of warfighting, this paper builds upon and extends existing histories of cyber operations. The earliest books and papers to describe the rise of military cyber operations treated them as the necessary response to a series of “wake-up calls” that came in the form of computer network intrusions, by both real adversaries and penetration testers, in the 1990s and 2000s.7 This narrative first emerged in the 1990s among Defense Department insiders who advocated putting greater emphasis on cyber operations.8 More recently, scholars have analyzed the rise of military cyber operations as a response to a broad set of technological changes that took place in the 1990s and early 2000s.9 In the most thorough account to date, Sarah White argues that the unique cultures and professional subcultures of the military services — including intelligence, signals intelligence, cryptology, communications, and electronic warfare — led to considerable variation in their cyber doctrines.10 White describes a two-stage process of innovation, wherein the services experimented with many different forms of cyber doctrine in the 1990s, but these doctrines became more similar after cyber operations became a major activity at the joint level.
This paper draws on the work of White and others, but its theoretical assumptions and contributions differ in three significant ways. First, I focus not only on innovation, but on what comes after innovation: maintenance and repair.11 To be sure, this is partly a story of innovation, as the establishment of military cyber capabilities entailed transforming the relationships between many distinctive professional communities and the computer networks that they continually created, operated, and maintained. These innovations were simultaneously organizational and technological — that is, they were sociotechnical. But, contrary to a substantial body of scholarship on the sources of military innovation, I argue that innovation is not always an unmitigated good.12 As discussed further below, as the Defense Department incorporated innovations in microcomputers and networking into its information systems in the 1980s, its vulnerability to computer network attack grew substantially.13 This vulnerability dramatically increased the need for new kinds of sociotechnical repair and maintenance that constitute the majority of cyber operations today. The history of military cyber operations is thus not just about innovation, but also about the importance of mundane maintenance work, such as training users, patching software, and strengthening passwords.
Second, whereas most historical accounts treat the rise of military cyber operations as a response to technological changes that were taking place external to the military, I examine these technological changes as internal to the military. The U.S. military did not simply respond to the rise of computer networking. It also actively drove the development of new technological capabilities as it pursued various functional advantages, such as increased efficiency in logistics systems or operational advantages in network-centric warfighting.14 The vulnerabilities associated with military computer networking were not simply a product of flawed commercial technology. They were also produced by practices internal to the Department of Defense. These include the decentralized pursuit of new networking technologies, a lack of strong security standards, and a lack of security training and a security culture among the communications and computing personnel charged with deploying computer systems.15
Third, I analyze cyber expertise as more than a set of knowledge, skills, and abilities that people and organizations possess. Rather, I draw on work that examines expertise as a set of dynamic relationships between people or groups claiming to possess specialized knowledge and skills and people or groups lacking such knowledge and skills.16 Experts must do more than simply possess knowledge, skills, and abilities. They must also persuade others of the veracity of their claims and the effectiveness of their actions.17 This process of persuasion may include, for example, gaining professional certification, demonstrating mastery over technologies, and other cultural practices that establish trust between experts and non-experts.18
This relational understanding of expertise is critical to understanding how organizations create and compete with cyber forces. Organizations must do much more than train, recruit, or contract for talented personnel: They must also establish effective relationships between cyber warriors and the many other military professionals with whom they work. A relational conception of expertise is also crucial for explaining how some skilled and knowledgeable individuals and groups are able to raise their status within an organization while others are not. Finally, international competition in cyberspace depends not only on acquiring and organizing skilled personnel, but also on persuading adversaries of the capability of a nation’s cyber warriors, that is, on establishing a relationship of superiority.
Expertise provides a unique basis for authority — not the formal authority of command structures or legal statutes, but the authority that comes from being able to effectively persuade. However, what counts as a persuasive argument, and therefore what counts as an authoritative expert, differs from one culture to the next. For example, while Ayurvedic doctors are respected as highly effective throughout much of India, they are likely to be considered quacks in Western cultures. Culture also shapes what counts as relevant and important knowledge and skills and what counts as a persuasive and effective expert.
The U.S. military is by no means a monolithic culture,19 but its primary mission is warfighting. Expertise generally gains in status the more essential it is to warfighting. All of the services’ career fields explicitly distinguish between warfighting and warfighting support. Moreover, traditional warfighting experience has often been a prerequisite for professional promotion. The most senior commanders lead warfighting rather than warfighting support units, and organizational hierarchies empower warfighting commands over warfighting support. In this context, raising the status of cyber expertise entails reframing it as a form of warfighting rather than warfighting support.
The remainder of this paper is organized in three parts. First, I briefly outline the origins of computer network operations in the Defense Department, highlighting both vulnerability-oriented and threat-oriented approaches. Second, I discuss the rise of “information warfare,” which provided a conceptual and organizational context for further developing computer network operations during the 1990s. Third, I discuss the growing challenge of defending networks and the associated rise of joint computer network operations in the mid- and late-1990s. Defending military operations from computer network intrusions demanded a level of coordination that no single service could provide. Fourth, I discuss how the services began to elevate computer network operations in the new millennium, partly in response to the growing prominence of joint cyber operations. I conclude with a discussion of current cyber operations, in particular the challenge of raising the status of work focused on mitigating vulnerabilities.
The Origins of U.S. Computer Network Operations
Technological, Organizational, and Professional Vulnerability
The origins of what came to be called computer network operations can be found in U.S. intelligence organizations, which tested the security of several state-of-the-art computer systems in the late 1960s and early 1970s by attempting to break in and take control of them.20 These “tiger teams” were always successful, demonstrating pervasive vulnerabilities in even the best-designed systems.21 It is reasonable to assume that intelligence agencies were also exploring ways of compromising adversaries’ computer systems, although the existence of any such operations remains highly classified.22
By contrast, the need for computer network defense became a subject for public discussion after a panel of computer scientists addressed it at a 1967 conference and, for the first time, publicly acknowledged the existence of the National Security Agency, previously described as “No Such Agency.”23 For computer scientists, the ease with which computers could be penetrated by outsiders was partly a technological problem: Hardware-software systems were so complex that they inevitably contained errors that could be exploited. With the sponsorship of the National Security Agency and the Air Force, computer scientists worked on developing techniques for reducing such errors and proving that computer systems actually enforced the security policies that they were programmed to enforce. These efforts failed to produce a provably secure computer, but succeeded in growing a community of government, industry, and academic computer security experts.24
This community recognized that security was also a market problem: Companies had no incentive to design secure systems in the 1970s and 1980s because there was little consumer demand for security. Although the 1974 Privacy Act mandated that federal agencies undertake information security measures, and although the U.S. federal government had substantial market power as a major consumer of computing hardware and services, the personnel responsible for buying systems usually lacked the understanding needed to specify the security requirements for new purchases.25 Similarly, computing managers got “mostly ‘arm waving’ from the vendor,” rather than an objective evaluation of the “secure-worthiness” of computer systems.26 Accordingly, computer scientists convened by the National Bureau of Standards in 1978 proposed to develop “a process for evaluating the security of computer systems, and for accrediting particular systems for particular applications.”27
These recommendations led to the creation of the Trusted Computer System Evaluation Criteria and the associated National Computer Security Center at the National Security Agency.28 The center helped coordinate the development of these criteria and then used them to evaluate the security of commercial computer systems. But rapid innovation and the rise of computer networking threatened to make the criteria obsolete and led to a long series of “interpretations” to guide evaluations of new kinds of products.29 Meanwhile, the slow process and high expense of evaluation deterred many organizations, including those in the Defense Department, from demanding high security ratings.30 That changed somewhat after 1987, when the National Telecommunications and Information Systems Security Committee directed that, by 1992, all federal agencies must use only operating systems evaluated at level “C2” or higher to process national security information.31 Evidence suggests that this mandate was indeed successful in improving security standards in the computer market.32
Nevertheless, C2 was still not a particularly high level of security, and communications and computing personnel did not typically demand more security than was required by the federal mandate.33 Furthermore, these personnel did not know how to use “trusted” systems to build secure networks.34 Computer network vulnerabilities were thus also a result of training and management problems, in addition to being technological and market problems. In 1990, the assistant secretary of defense for command, control, communications, and intelligence tasked the National Security Agency and Defense Communications Agency (soon to become the Defense Information Systems Agency) with developing means of better managing information security. This led to the creation of the Defense Information Systems Security Program, whose aim was to develop a comprehensive and integrated security architecture and policy for the Defense Department.35
However, the purchase, deployment, and management of computer networks remained highly decentralized across the military, and networks proliferated in the 1980s and early 1990s.36 This left the problem of configuring and maintaining such networks to disparate personnel in communications and computing fields throughout the services.37 As outlined briefly below, each of the services structured its computer and communications career fields a bit differently, but the personnel charged with deploying and managing computer networks generally received little or no training in computer security.38
In the late 1980s and early 1990s, the U.S. Army Information Systems Command was responsible for the Army’s global networking and communications.39 However, in late 1996, the Information Systems Command was made subordinate to the Army Forces Command, where it became Army Signal Command, reducing its independence and underscoring its support role.40 The community responsible for computer networking and communications, the Signal Corps, was a support field focused on making networks available to commanders, not securing networks from adversaries.41 Additionally, the Army’s cultural preference for officers who were generalists rather than technical specialists did not reward deep investment in technical skills in the early 1990s.42 None of this encouraged the development of technically deep, security-savvy computer network managers.
By contrast, the Air Force has historically rewarded technical depth, expecting its officers to develop substantial technical expertise prior to taking command.43 The Air Force was also an early leader in networked computing and communications. By December 1989, Air Force Communications Command was the most globally dispersed command in the Air Force, including more than 54,000 personnel working in 430 U.S. locations and 27 foreign locations.44 Yet, in the early 1990s, as part of post-Cold War streamlining and downsizing, the Air Force reduced the independence and strength of its communications command and associated personnel. In October 1990, communications personnel were put under the command of the operational units that they served, shrinking the command to less than 8,000 personnel. In July 1991, the Communications Command was further demoted from major command to field operating agency.45 Over the next several years, the number of distinct Air Force Specialty Codes for computing and communications officers was substantially reduced as very different areas of work were merged together, and officers were explicitly encouraged to be generalists rather than specialists.46 Taken together, these changes eroded any possibility of centralized control of computer network security in the Air Force, while discouraging communications officers from pursuing the technical depth that would be needed to ensure security.
The Navy’s communications and computing management was even more decentralized than the Air Force’s in the 1980s and 1990s. Throughout the 1990s, the Naval Computer and Telecommunications Command was responsible for ensuring interoperability of legacy and new communications-computing systems and for providing, operating, and maintaining shore-based and non-tactical communications systems.47 However, this left myriad other systems to be developed by other commands. By the turn of the millennium, the Navy had 28 different commands independently developing, operating, and maintaining their own computer systems.48 The Navy also lacked a centralized communications command or career field in the 1990s, despite having enlisted ratings such as “radioman” and “data processing technician.”49 Afloat, responsibilities for communications were often assigned to officers for a limited period, without any formal training.50 Ashore, much of the communications and computing work was performed by general unrestricted line officers, a non-combat, shore-based community that was 93 percent female in 1990.51 It became the fleet support officer community after laws barring women from combat roles were lifted in 1995, and continued to perform many of the same functions both ashore and afloat. Yet, there was no formal training required for performing these roles. People typically had to learn on the job.52
To summarize, vulnerabilities in Defense Department networks were not just a matter of external technological changes or insecurities in commercial products that the department could not control. The Department of Defense actively drove many innovations in computer networking and security but failed to ensure that its networks would be securely deployed or maintained. Although communications and computing personnel in the services comprised the first line of computer network defense — responsible for configuring networks, managing passwords, and much more — most lacked an understanding of how to secure networks. It was ultimately the Defense Department’s inability to centrally manage the security of computer networks, combined with a lack of security skills and knowledge among its disparate communications-computing personnel, that made its networks so vulnerable.
Threat-Oriented Approaches to Computer Network Defense
Computer scientists working with intelligence agencies recognized early on that even if they could create systems that would enforce security policies perfectly, an insider could wittingly or unwittingly compromise the system.53 This recognition led to the development of one of the first threat-oriented approaches to computer network defense — intrusion detection systems — that would monitor computers and networks for suspicious behavior and alert security officers about potentially unauthorized activity. The National Security Agency, the Navy, and the Air Force all sponsored research into intrusion detection systems in the 1980s, and by the early 1990s were using such systems to monitor select networks.54 They also developed new kinds of expertise associated with intrusion detection systems, as security officers learned how to evaluate alerts about suspicious activity and determine what actions, if any, should be taken.55
Another early threat-oriented approach to computer network defense came in the form of computer emergency response teams, also known as computer incident response teams. These teams were first created in response to the Internet worm of Nov. 2, 1988.56 The worm was the first to significantly disrupt the Internet, which was then primarily a research network sponsored by the Defense Department. The Computer Emergency Response Team Coordinating Center, a federally funded, nongovernmental organization based at Carnegie Mellon University, was established in January 1989 with the goals of preventing future incidents, providing a network of elite experts who could be called upon to diagnose future attacks, and facilitating the creation of a network of similar response teams.57
Defense Department units and the national nuclear laboratories were among the first organizations to form their own computer emergency response teams. In the early 1990s, the Defense Intelligence Agency formed an incident response team for its classified Intelligence Information Systems network, which, in late 1992, was renamed the Automated Systems Security Incident Support Team and moved to the Defense Information Systems Agency, where it was tasked with responding to incidents across the Defense Department.58 Each of the services also began to form incident response capabilities.59
In the early 1990s, response teams helped to identify and make visible intrusions that might otherwise have gone unnoticed. For example, the Department of Energy’s Computer Incident Advisory Capability helped discover that between April 1990 and May 1991, at least 34 of the Defense Department’s computers had been hacked.60 Further investigation eventually concluded that the hackers were teenagers in the Netherlands who called themselves “High Tech for Peace” and had gained access to a computerized logistics management system. During preparations for Operation Desert Storm in Iraq, the hackers offered to sell the capabilities gained through that system to Saddam Hussein for $1 million. Had the Iraqi government responded to the offer, which fortunately it did not, the hackers could have disrupted the flow of supplies to U.S. troops preparing for Desert Storm.61
Intrusion detection systems and incident response teams were important not only for identifying and stopping intruders, but also for making the argument that computer networks were increasingly under attack. Response teams tracked an exponential rise in incidents that paralleled the exponential rise in internet host sites in the 1990s.62 By presenting these statistics to policymakers both within and beyond the military, they could make an argument for devoting more resources to defending networks.
But intrusion detection and incident response did more than simply demonstrate the growth of threats and the need to confront them. Incident investigators also worked to identify the causes of the breaches and, in the process, repeatedly underscored the importance of a prior layer of defense: the systems administrators and personnel who were charged with deploying and maintaining secure networks. The 1989 Internet worm, the Dutch hacking incident, and many other breaches were enabled by a lack of security knowledge, skills, and practice among systems administrators.63 In 1999, an analysis by the Air Force Office of Special Investigations showed that a majority of root intrusions in the previous year had resulted from noncompliance with security policies or emergency response team advisories. Only 13 percent were definitively determined to be “unpreventable.”64
Thus, the Defense Department’s threat-oriented approaches to network defenses became critical in the mid-1990s in no small part because of failings in the first line of defense: the systems administrators and maintainers who were uniquely positioned to prevent and mitigate vulnerabilities. Although both threat-oriented and vulnerability-oriented forms of expertise would eventually be incorporated into a new conception of warfighting, that transition was slower and more difficult for vulnerability-oriented expertise, as discussed in more detail below.
The Rise of Information Warfare and Information Assurance
In the mid-1990s, computer network operations began to find an organizational and conceptual home in “information warfare.” To be clear, information warfare was not primarily about computer network operations. When military officers described Operation Desert Storm as the “first information war,” they were discussing much older traditions of work such as gathering intelligence through satellites and airborne reconnaissance systems, using such intelligence to bomb command-and-control facilities, and setting up an in-theater communications system.65
Similarly, when the Department of Defense issued a top secret directive on information warfare in December 1992, it devoted little, if any, attention to the opportunities and risks inherent to using computer networks in military and intelligence operations.66 The directive defined information warfare as the “competition of opposing information systems” through methods such as “signals intelligence and command and control countermeasures.”67 Such countermeasures, also known as command-and-control warfare, were defined as the “integrated use” of five elements — “operations security (OPSEC), military deception, psychological operations (PSYOP), electronic warfare (EW), and physical destruction” — all “mutually supported by intelligence.”68 Information warfare thus encompassed a very diverse range of military specializations, all of them long predating computers.69
Nonetheless, information warfare provided the primary conceptual and organizational context for efforts to raise the status of computer network defense and attack in the mid-1990s.70 As discussed further below, each of the services approached computer network operations somewhat differently, but they all built upon incident response and intrusion detection work that had begun in their signals intelligence organizations rather than their communications and computing units.
Air Force: Cyberspace as a New Warfighting Domain
Of the three services, the Air Force was the most willing to see computer network operations as a new area of warfighting. Nonetheless, its initial response to the 1992 information warfare directive was not to create a new warfighting unit. Instead, it merged the security functions of the Air Force Cryptologic Support Center with the Air Force’s Electronic Warfare Center, thereby creating the Air Force Information Warfare Center at Kelly Air Force Base in San Antonio, Texas.71 About half of the center’s personnel had backgrounds in signals intelligence, while the rest came from a variety of fields.72 At its founding in September 1993, the Information Warfare Center was within the Air Force Intelligence Command, but in October 1993 this command was demoted from a major command to a field operating agency, the Air Intelligence Agency. The Information Warfare Center was co-located with the Joint Electronic Warfare Center, which became the Joint Command and Control Warfare Center in September 1994.73 Despite the “warfare” moniker, both of these centers played supporting roles, helping integrate various information warfare methods into combat operations.
In the early 1990s, the Air Force also began to integrate some computer network operations into warfighting through the Special Technical Operations system. Air Force Col. Walter “Dusty” Rhoads, a fighter pilot who was assigned to the planning division of Tactical Air Command in 1991, recalls that he began to integrate an early version of computer network operations into war plans after helping set up a Special Technical Operations office for Tactical Air Command, which would soon become Air Combat Command.74 The Special Technical Operations system provided a means for regional commands to integrate highly classified capabilities — such as computer network attack — into military operations.75 When he briefed the general who was directing Tactical Air Command operations, the general told him, “You’re going to make this information warfare.”76 As a result, Rhoads became the director of a new information warfare branch at the Air Combat Command, with the Special Technical Operations office as a focus of the new branch.77
In 1994, the information warfare branch, under Rhoads’ direction, put together a plan to support Operation Uphold Democracy, which aimed to undo the 1991 coup against democratically elected Haitian President Jean-Bertrand Aristide. It worked with the Air Force Information Warfare Center, where a junior officer who had once been a “demon dialer” — someone who manipulates the phone system to make free long-distance calls — figured out how to tie up all the phone lines in Haiti. This in turn would shut down Haiti’s air defense system because the system communicated via phone lines, allowing the Air Force to fly over undetected.78
Although Operation Uphold Democracy was called off after a delegation led by Jimmy Carter persuaded the military leaders of Haiti to step down, the phone hacking plan impressed Maj. Gen. Kenneth Minihan, commander of the Air Intelligence Agency. In the fall of 1994, Minihan became the assistant chief of staff for intelligence at the Defense Department and began to advocate for creating an information warfare squadron — a warfighting unit that would have Title 10 authorities (military operations) rather than Title 50 authorities (intelligence).79 Rhoads also helped make the case for such a squadron, briefing the commander of Air Combat Command who, in turn, briefed the Air Force chief of staff.80
Meanwhile, the Air Force was developing doctrine that highlighted the uniqueness of computer network operations. In 1995, Air Force Maj. Andrew Weaver, who had a background as a weapons operator but was working in the doctrine division of the Air Staff, wrote a paper titled “Cornerstones of Information Warfare,” which was published with a preface signed by the Air Force chief of staff and the secretary of the Air Force.81 Weaver emphasized that the “revolution” associated with information technology was doing more than simply increasing the efficiency of traditional combat operations. Rather, he argued that “information age technology is turning a theoretical possibility into fact: directly manipulating the adversary’s information.”82
To the five elements of information warfare established in the 1992 directive, Weaver added “information attack” as a sixth element. He argued that, unlike other elements of information warfare, direct information attack bypassed the enemy’s observations. He contended that direct information attack could have the same result as one causing physical destruction, but with more certainty, less time, and less cost, suggesting a similarity between bombing a telephone switching station and destroying its software. And he argued that information should be understood as a new “realm” or “domain” for operations, akin to land, sea, and air, noting “strong conceptual parallels between conceiving of air and information as realms.”83
The arguments of Minihan, Rhoads, and Weaver proved persuasive to Air Force leadership.84 In August 1995, the Air Force ordered the formation of the 609th Information Warfare Squadron under the 9th Air Force at Shaw Air Force Base. The squadron was charged with conducting both defensive and offensive missions in support of the 9th Air Force and Central Command’s Air Operations Center. The squadron thus remained a kind of operations support, but unlike the Air Force Information Warfare Center, it operated under the authority of Title 10.85
Rhoads was selected as commander of the new unit and Weaver was chosen as the operations officer. Rhoads and Weaver handpicked eight additional individuals to serve as the first cadre. Rhoads recalls that since nobody “knew what a cyber warrior was,” they put together “a combination of past war fighters, J-3 [Operations] types, a lot of communications people and a smattering of intelligence and planning people.”86 Of the initial 10-person team, five had a background in computers or networking, but the leadership — Rhoads and Weaver — came from traditional operational backgrounds.87
Since many of the initial members of the squadron lacked an understanding of computer networking, they took a three-day course on computer networking in April 1996. This is described in the squadron’s official history as “a huge success,” but the squadron needed a more comprehensive training program, particularly as the initial 10-person team grew.88 It considered existing Defense Department courses, but concluded that none would work because the courses were geographically dispersed and only portions of the courses were relevant to what the squadron needed to know. So instead, the squadron arranged for a series of commercial courses to provide training in June and July of 1996.89
In keeping with an emphasis on warfighting, the squadron’s work appears to have been focused on threat-oriented activities, such as intrusion detection and response, rather than vulnerability mitigation, which would have included password management, configuration management, and training.90 Shortly after undergoing initial training, the squadron tested and selected a “defensive system,” a network-monitoring and intrusion-detection system.91 Over the next two years, this equipment allowed the squadron to demonstrate its defensive capabilities to hundreds of “distinguished visitors” in numerous exercises.92
While the squadron’s official history emphasizes the defensive mission, Rhoads recalls that the majority of its mission time was actually spent on offensive operations.93 The squadron also privileged offensive work by requiring individuals to do defensive duty before they were allowed to take the offensive.94 At Blue Flag 1998, one of the Air Force’s annual operational exercises, this approach led to an easy victory for the offense. The squadron’s official history recounts that the squadron’s red team “created a steep learning curve” for the defense.95 A National Research Council committee that witnessed the exercise offered a less varnished assessment: “The defensive cell … was overwhelmed by its red team counterpart. (For example, the red team was able to download the air tasking order before it was transmitted.)”96 The committee critiqued the squadron’s overall emphasis on offense:
With a culture that values the taking of the offensive in military operations, the military may well have difficulty in realizing that defense against information attack is a more critical function than being able to conduct similar operations against an adversary, and indeed is more difficult and requires greater skill and experience than offensive information operations.97
The National Research Council committee went on to note that “the National Security Agency requires code-breaking experience before an analyst can begin to develop encryption algorithms.”98 In other words, the agency required trainees to practice offense before graduating to the more difficult work of defense.
The squadron’s emphasis on offense, however, makes perfect sense from the perspective of a new unit eager to demonstrate its value to warfighters. Offensive operations could create dramatic military effects, at least in theory. By contrast, the effects of a successful defense are unremarkable: Military operations and networks would continue to function as planned.
While the 609th Squadron was widely regarded as successful, in June of 1998, senior Air Force leadership decided to change the organization of information operations in an effort to cut costs and personnel requirements. This led to the termination of the squadron. Most of its functional responsibilities were transferred to what soon became the 67th Information Operations Wing within the Air Intelligence Agency at Kelly Air Force Base, returning computer network operations to its intelligence roots.99
Navy: Net-centric Warfare
Like the Air Force, the Navy responded to the 1992 information warfare directive by reorganizing ongoing work within the Naval Security Group, the Navy’s cryptologic unit. Navy cryptologists perform functions similar to signals intelligence and electronic warfare personnel in other services but have held a special place in the Navy since their decisive role in the Battle of Midway and similar clashes during World War II.100 In the Navy, cryptology and intelligence are distinct career fields with a history of rivalry, despite the close connection between the two. In July 1994, the Naval Information Warfare Activity was formally launched within the Naval Security Group, building on earlier, highly classified work on command-and-control warfare.101 The activity was staffed by handpicked technical experts who developed new information warfare capabilities.102
The Navy also established the Fleet Information Warfare Center under Atlantic Command in October 1995 to help operationalize capabilities developed by the activity.103 The center had a defensive focus: The Navy’s director of command-and-control warfare explained that it would ensure “the battle groups are buttoned up against” information threats.104 He described the Fleet Information Warfare Center as the Navy’s “911” service for information warfare, which was likely a reference to the new Navy Computer Incident Response Team that was formalized within the Fleet Information Warfare Center at its founding.105 The center was a tiny organization composed of warfighters — its first director was a former fighter pilot — along with cryptologists, electronic warfare technicians, and intelligence officers.106
The Naval Information Warfare Activity and the Fleet Information Warfare Center played supporting roles similar to the Air Force’s Information Warfare Center, but the Navy did not create a warfighting unit focused on computer network operations, akin to the Air Force’s 609th Squadron. Instead, it sought to integrate the much broader field of information warfare into its composite warfare commander construct, wherein each battlegroup designates an officer to command a particular mission area. In 1989, well before the 1992 information warfare directive was issued, the Navy designated space and electronic warfare as a major warfare area, equal to surface, underwater, and air operations.107 Two years later, the Space, Command and Control Directorate was renamed the Space and Electronic Warfare Directorate, and a new billet was created within the composite warfare commander construct — the space and electronic warfare commander.108 By the late 1990s, this had become the “command and control warfare” commander, and by the early 2000s it was changed to the “information warfare commander.”109
Nonetheless, there was little consensus on what role information warfare should play in naval operations. Was it really a new area of warfare on par with surface, subsurface, and air, or was it a disparate set of tools to be used in support of more established warfighting areas? The Navy did not issue any formal doctrine on information warfare in the mid-1990s, and discussions in the Proceedings of the U.S. Naval Institute from this period indicate a wide range of views.
For example, one naval intelligence officer argued that the wide-ranging methods of information warfare could not be assigned to a single commander. Activities such as destruction belonged to all warfare commanders and operational security was everyone’s responsibility. He suggested that the only “unique” thing brought by an information warfare commander was “computer war,” which was coming to be seen as “the sixth element of information warfare.” However, he argued that “for the foreseeable future, such capabilities most likely will remain under theater-level and strategic planners” rather than at the battlegroup level.110
An officer specializing in electronic warfare similarly noted that many areas of information warfare were the domain of others, including computer network defense, which was managed by information system security personnel. Furthermore, because there was no focused career field for officers specializing in computing or communications in the 1990s, nor a corresponding warfare qualification, the officers assigned to be the information warfare commander typically did not have substantial expertise in computing or any other aspect of information warfare.111 However, rather than suggesting that the information warfare commander position should be abolished, this officer argued that the Navy should create a career specialization to provide adequate training.112
In general, naval officers were more skeptical than their Air Force counterparts about the notion that cyberspace constituted a new domain. Naval intelligence officer Robert Gourley objected to discussions of “‘fighting in cyberspace’ and of creating teams of ‘cyberwarriors’ to lead those fights.”113 Gourley insisted that “we cannot fight in cyberspace any more than we can walk inside a Picasso painting” and framed information warfare in terms of its intelligence impact, arguing that it “has the potential to do for today’s military what Ultra and Magic did for our forces during World War II—provide insight into enemy intentions and form the basis of our deception plans.”114 Another naval intelligence officer went further, arguing that while the “military has viewed information services (traditionally, intelligence and communications) as supporting inputs to the actual warfare functions of fire, maneuver, and strike,” information warfare “might not always be a supporting function; in some future campaigns, it might take a leading role.”115
The most influential articulation of the growing importance of computer networking came from Vice Adm. Arthur K. Cebrowski, a fighter pilot who had earned a master’s degree in Information Systems Management from the Naval Postgraduate School in 1973.116 In the early 1990s, Cebrowski became the Navy’s director for space, information warfare, and command and control.117 In 1994, he became the director of the Joint Staff’s Command, Control, Communications and Computers Directorate and established a new unit for defensive information warfare, described further below. In 1996, Cebrowski returned to his position as director for space, information warfare, and command and control, and in this role, he co-authored a Proceedings article outlining the concept of “network-centric warfare.”118 Cebrowski and his co-author, John Garstka, technical adviser to the Command, Control, Communications and Computers Directorate, argued that computer networks were revolutionizing military affairs, but not because they were part of a new domain. Rather, just as computer networks were transforming U.S. business operations and making them more profitable and productive, computer networking should transform naval operations. The article advocated shifting from platform-centric operations (i.e., focusing on ships, submarines, and aircraft) to network-centric operations.
Importantly, Cebrowski and Garstka argued that this shift entailed elevating the status of individuals with particular technical talents, noting that “the military fails to reward competence” in information-based processes:
“Operator” status frequently is denied to personnel with these critical talents, but the value of traditional operators with limited acumen in these processes is falling, and ultimately they will be marginalized … The services must both mainstream and merge those with technical skills and those with operational experience in these areas. These are the new operators.119
The Navy did make some changes to its information technology specializations in the late 1990s. In 1998, it merged the enlisted radioman and data processing technician ratings, and in 1999 this new rating was dubbed the information systems technician.120 In October 2001, the Navy created a new, restricted line specialization — information professional — to be filled by members of the fleet support officer community.121 However, individuals in these specializations continued to face limitations in career advancement. Since warfare qualifications were important milestones for promotion, individuals specializing in fields related to computer networking or other areas of information warfare often spent time pursuing those qualifications rather than developing technical depth in their own field.122
Army: The Global Information Environment
Like the Air Force and Navy, the Army responded to the 1992 information warfare directive by reorganizing its intelligence units. Since the mid-1980s, the Army’s Intelligence and Security Command had maintained a highly classified Studies and Analysis Activity, which worked with other intelligence groups to explore ways of getting inside enemy command-and-control systems. In 1995, the Studies and Analysis Activity was absorbed into a new Land Information Warfare Activity, also within the Intelligence and Security Command. This activity began with 55 personnel, including 11 enlisted and roughly a dozen government civilians, and grew to about 250 by October 1997. The majority of the personnel were field-grade or higher-level officers from signals or intelligence. In the late 1990s, the Land Information Warfare Activity sought to incorporate more traditional operators, and it often augmented its technical capabilities by hiring contractors, with one member recalling that it was half contractors at one point in its history.123
Although the Land Information Warfare Activity was administratively within the Army’s Intelligence and Security Command, it reported to the assistant chief of staff for operations and training rather than intelligence.124 This helped to move what had primarily been an operations support function — intelligence — toward warfighting. But the Land Information Warfare Activity was explicitly in a supporting role. Like the Air Force Information Warfare Center and the Fleet Information Warfare Center, it helped commands plan information operations but did not conduct them. It deployed two kinds of teams: Field support teams would help Army units plan and integrate information warfare into their operations, while vulnerability assessment teams would help identify weaknesses.125 In September 1996, the Land Information Warfare Activity also established the Army Computer Emergency Response Team, which engaged in defensive operations.126
Like the Air Force, in the mid-1990s, the Army began to explicitly discuss computer network operations in its publications. Army “Field Manual 100-6: Information Operations,” published in 1996, highlighted “database corruption” and “malicious software” as means of attacking information systems.127 It also featured discussion of the Internet worm and Rome Labs breaches, which was excerpted in the Joint Doctrine for Command and Control Warfare, issued in February 1996.128 The Army’s “Field Manual 100-6” did not suggest that information comprised a new domain akin to land, sea, and air, but focused on a “global information environment” that was undergoing rapid transformation due to “modern information technology” and the associated “explosive potential of rapid dissemination and use of information.”129
In 1998, the Army began creating a dedicated computer network operations force within Intelligence and Security Command’s signals intelligence group, as discussed further below. However, the Army struggled to grow a computer network operations capability in the late 1990s because its personnel management system did not reward technical depth. The Army trained its officers to be generalist-leaders, with the expectation that technical work would be conducted primarily by enlisted personnel.130 Because specialization was not typically a path to career advancement, the Army faced a shortage of technically deep personnel in the mid-1990s.131 This was one reason that the Army established a task force to redesign the officer personnel management system in 1996. The task force director, Gen. David Ohle, noted that with “information age technology, we see that officers have to be more specialized.”132 He explained that he had been given “the mission to broaden the definition of warfighting to include not only combat, but also stability and support operations” as a means of improving opportunities for individuals outside of traditional warfighting roles.133
In July 1997, the task force’s final report noted the “propensity of promotion boards to select officers with a warfighting background (commonly referred to as the ‘command track’) over those possessing functional area skills.”134 It recommended leaving intact the system for developing company-grade officers. But for the development of field-grade (major) or higher levels, it recommended creating four distinct career fields through which individuals could be promoted: operations, information operations, operations support, and institutional support.135
Operations consisted of the Army’s 16 branches, including the Signal Corps and Military Intelligence Corps, and two functional areas: psychological operations and civil affairs, and multifunctional logistics. The new information operations career field included two previously established functional areas — telecommunications engineering and information systems management — which were relevant to computer network operations. Information operations also included simulation, space operations, strategic intelligence, and public affairs — an eclectic mix. A new, seventh area was created for information operations generalists.136 Unfortunately, this last area gained a reputation for mediocrity. It suffered from a lack of adequate training — information operations was a very broad field and the training regimen established for it was too short — and it tended to attract officers who were not excelling in any other specialization.137
Although the revised Officer Personnel Management System formally provided a path to promotion for officers specializing in computer networking, this did not necessarily increase their cultural status. Senior officers continued to argue that people chose to specialize in a functional area simply because they couldn’t succeed in a warfighting branch.138 Then, in 2006, a new Officer Personnel Management System eliminated the information operations career field, establishing only three broad career areas: maneuver, fire, and effects (previously operations); operations support; and operations sustainment. Most of the functional areas previously in the information operations field, including telecommunications engineering and information systems management, were placed within operations support, reaffirming that even if individuals could advance professionally in these areas, they were playing a support role.139
The Problem of Defense
By the late 1990s, the services were exploring various forms of computer network operations, but their formal doctrine and tactics, organizational hierarchies, and career structures still framed these activities as warfighting support rather than warfighting in its own right. Nonetheless, computer network operations were increasingly seen as the only “new” aspect of information warfare.
Additionally, as discussed further below, the mid-1990s saw a growing concern about one sense in which computer network operations were crucially different from other methods for information warfare: They depended upon civilian assets that the U.S. military could not control. This reliance made the problem of defense both more urgent and more difficult. In February 1994, the Joint Security Commission, which had been established by the secretary of defense and the director of central intelligence, described “the security of information systems and networks” as “the major security challenge of this decade and possibly the next century,” arguing that “there is insufficient awareness of the grave risks we face in this arena.” The commission noted the challenge of “protecting systems that are connected and depend upon an infrastructure we neither own nor control.”140 A 1994 Defense Science Board task force echoed these concerns, noting that out of necessity “DoD [the Department of Defense] has tied its information systems to the private/commercial sector and routinely use [sic] INMARSAT, INTELSAT, EUROSAT, etc. Additionally, many DoD users are directly hooked to the INTERNET.”141 The task force was “persuaded that DoD is currently spending far too little on defensive IW [information warfare], and that the gravity and potential urgency of the problem deserves [sic] redress.”142
Articles in the trade press at the time also suggest that defense was not a major focus in the early 1990s. An August 1994 Defense Daily article noted that “[a]ll of the services’ information warfare tactics are currently focused more heavily on the offensive mission.”143 Reporting on an Information Warfare Conference in October 1995, one technology journalist described “Pentagon skeptics who joke that information warfare is just ‘computer security with money.’”144 As this suggests, computer security — a defensive activity — was seen as something that was different and less important than warfare.
Nonetheless, some military leaders worked to elevate the status of computer network defense.145 As noted earlier, when Cebrowski became the director of the Joint Staff’s Command, Control, Communications and Computers Directorate in 1994, he established an information warfare division. Cebrowski brought in William Gravell, a captain in the Naval Security Group, to set it up. Gravell was not a technologist — he had entered the Naval Security Group through language training — but he had developed some important concepts in command, control, and communications countermeasures while assigned to the Office of the Chief of Naval Operations in the mid-1980s. There, he had also demonstrated to Cebrowski and others his ability to reduce highly technical subjects into compelling briefings.146 A part of Gravell’s work, as head of the Joint Staff’s Information Warfare Division, was to persuade both military and private organizations to improve the security of computers and other information systems upon which military operations depended. The division soon commissioned a comprehensive review of laws, policies, and initiatives related to defensive information warfare and produced several educational publications targeted at both the private sector and portions of the defense establishment.147
As Gravell recalls, while he “was going to military commands and conferences, but also trade associations, conferences, [and] boards of directors,” trying “to drum up support” for defensive information warfare, he quickly concluded that “private sector organizations and their lawyers and stockholders did not want to hear that they were engaged in ‘warfare.’ Such associations threatened, and sometimes even stymied, the collaboration which was needed to secure military networks.”148 Roger Callahan, a colleague from the National Security Agency, suggested that Gravell instead adopt the term “information assurance.” This term was seeing growing use among computer scientists seeking to broaden conceptions of information security beyond privacy, and the National Security Agency had recently changed the name of its Information Security Directorate to the Information Assurance Directorate.149 By 1995, the Joint Staff’s Information Warfare Division had been officially renamed the Information Assurance Division.150
In the Defense Department, information assurance was sometimes treated as synonymous with defensive information warfare.151 However, “information assurance” could also connote something that went beyond the military, as it was concerned with the vulnerability of critical infrastructure that the military did not own or control.152 And even within the military, information assurance was sometimes seen as something focused more on technology management than warfighting, as noted below.
Despite the efforts of the Joint Staff’s Information Assurance Division, the decentralized procurement and management of information technology posed challenges to information assurance.153 Recognizing that “the complexity of managing DOD’s [the Department of Defense’s] information assurance efforts had increased due to the proliferation of networks across DOD and that its decentralized information assurance management could not deal with it adequately,” the Information Assurance Task Force, led by the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence and the Joint Staff’s Information Assurance Division, began developing a more comprehensive and integrated approach in 1997.154 This led to a Defense-Wide Information Assurance Program, which was launched by the assistant secretary of defense for command, control, communications and intelligence in his capacity as the Defense Department’s chief information officer in January 1998.155
The Defense-Wide Information Assurance Program aimed to combine “centralized oversight with decentralized execution” of information assurance activities.156 But it was not given the authority or resources needed to fulfill its charter. Although the program was initially approved for between 30 and 34 personnel, by 2001 the greatest number of positions that had ever been filled at one time was 16. The Joint Staff, services, and other defense agencies were all directed to provide staff to the program, but there was no mechanism to enforce these directives, and most of the staff were detailed from the National Security Agency and the Defense Information Systems Agency. In 2001, the Government Accountability Office found that while some Defense Department officials “expressed a need for products and activities” from the Defense-Wide Information Assurance Program, others “cited a lack of DOD [Department of Defense] leadership and support for DIAP [the Defense-Wide Information Assurance Program] and stated that individual components should continue to manage their own IA [Information Assurance] activities without DIAP involvement.”157
Ultimately, elevating the status of computer network defense required more than an information assurance program from the Defense Department’s chief information officer. The path to elevating computer network defense to the level of warfighting went through the Joint Staff’s Operations Directorate.
The Need for a Joint Operational Defense
In 1997, the Joint Staff’s annual no-notice interoperability exercise, known as Eligible Receiver, included a computer network intrusion for the first time. The intrusion was proposed by Minihan, who, as noted earlier, had become familiar with the potential impact of computer hacking on military operations as director of the Air Intelligence Agency. However, in subsequent positions as the Air Force’s assistant chief of staff for intelligence and then as the director of the Defense Intelligence Agency, he struggled to persuade others to take computer security seriously. When Minihan became director of the National Security Agency in February 1996, he finally had the chance to demonstrate the problem persuasively by including computer network attack in Eligible Receiver.158
In June 1997, as part of the exercise, a National Security Agency red team of about 25 personnel successfully broke into the computer systems of the U.S. Pacific Command, the National Military Command Center, and a number of other joint command facilities. Eligible Receiver was set to run for two weeks, with an additional two weeks set aside if necessary, but the National Security Agency red team was so successful that it ended after just four days.159
The Joint Staff had assigned a new Division for Information Operations to monitor the exercise around the clock and make recommendations. The division was spun off from the Joint Staff’s Operations and Plans Division and was headed by Brig. Gen. John “Soup” Campbell, an Air Force fighter pilot. Campbell recalls that, after a few weeks of gathering observations and recommendations, his group began to brief the Joint Staff’s director of operations, Gen. Peter Pace. It quickly became clear that the recommendations were directed to organizations that “were scattered all over the map” and that no single organization could be given primary responsibility for implementing them.160 Pace ended the meeting early and sent the briefers off to figure out who should lead the effort to remediate the problems identified by Eligible Receiver.
Representatives of three directorates in the Joint Staff (intelligence; operations; and command, control, communications, and computers) and the Defense Information Systems Agency joined the operations deputies of each of the services in exploring who should be in charge. By November 1997, the services’ operations deputies were considering several possible organizational structures, including augmenting the Information Operations Response Cell (a group led by the Joint Staff’s Division for Information Operations), or assigning the task to an existing military command or an agency such as the Defense Information Systems Agency or the National Security Agency.161 However, Campbell recalls “resistance from the Services who didn’t want any outside agency telling them how to run their networks, and having a Combat Support Agency (e.g. DISA [the Defense Information Systems Agency] or NSA [the National Security Agency]) do so was a non-starter.”162 Campbell and others eventually concluded that they should establish a new task force to direct computer network defense. They also recognized the importance of making sure that the task force would be “doctrinally correct,” so that it would have proper authorities.163
Efforts to establish the task force were made more urgent by the discovery of new intrusions. On Feb. 3, 1998, monitors at the Air Force’s Information Warfare Center noticed an intrusion at Andrews Air Force Base, just outside Washington, D.C. Within a few days, a task force that included members of the Joint Staff’s Information Operations Division, the FBI, the Defense Information Systems Agency, and the National Security Agency was investigating. After determining that the hackers had exploited a known vulnerability in the Sun Solaris 2.4 and 2.6 operating systems, investigators dubbed the incident “Solar Sunrise.”164 Further investigation determined that the hackers were a couple of teenagers in the suburbs of San Francisco who were getting help from an 18-year-old hacker in Israel. By the end of the month, all of them had been arrested by the authorities in their respective countries.165 Nonetheless, the breach demonstrated the ease with which the military’s information systems could be compromised.
Not long after the discovery of Solar Sunrise, Deputy Secretary of Defense John Hamre called a meeting of about 30 people in the Pentagon. He asked the same question that had been looming since Eligible Receiver: Who’s in charge? Recounting the meeting 14 years later, Campbell stated that he couldn’t recall “if I raised my hand or if somebody poked me and I jumped,” but as the director of the Joint Staff’s Information Operations Division (“the J-39 Bubba”), he became the answer to Hamre’s question.166 Eventually Campbell became the commander of the new Joint Task Force-Computer Network Defense that the Information Operations Division was helping to organize.
By May 1998, two different proposals for the new task force were under consideration: It could be located in San Antonio with the Joint Command and Control Warfare Center, or it could be located in the Defense Information Systems Agency’s facilities in Washington, D.C.167 At a meeting in May 1998, the services’ operations deputies endorsed the San Antonio option.168 But subsequently, Army Lt. Gen. David Kelley, the director of the Defense Information Systems Agency, made a strong case for locating the new unit at his agency. He offered the new task force use of the agency’s Global Network Operations and Security Center, a sophisticated facility with network monitoring capabilities. This was a “big piece” of why the Joint Task Force-Computer Network Defense was ultimately established there, where it could leverage the agency’s technical expertise.169
What Does an Operational Computer Network Defense Do?
But what exactly would the new task force do? The answer to this question was shaped not only by analysis of the results of Eligible Receiver, but also by distinctive conceptions of the kinds of expertise and work that might constitute “warfighting.”170
Eligible Receiver demonstrated the need for improvements in both mitigating vulnerabilities and responding to threats. Some of the vulnerabilities were about poor security awareness and training: Personnel at targeted units gave out their passwords over the phone or left them in the trash to be discovered by dumpster divers. Other vulnerabilities were well-known technological weaknesses that nonetheless remained unmitigated. Threat-oriented defenses had also failed. In an after-action report on Eligible Receiver, the National Security Agency red team targeting officer noted that intrusion detection systems had worked well, but reporting on intrusions came two weeks late: “They now know that the horse is out of the barn after it burned down and the ashes are cold.”171 He concluded, “We tend to fight everything by throwing technology and money at it and not spending the time it takes to get the people to learn how to use it effectively.”172
These weaknesses suggested that the new computer network defense task force needed to address both vulnerability mitigation and threat response. And indeed, representatives from the Defense Information Systems Agency and the Joint Staff’s Command, Control, Communications, and Computing Directorate argued that the task force should include vulnerability assessment, red teaming, and other kinds of work to prevent successful intrusions.173 However, according to an October 1998 background paper by Air Force Capt. Jay Healey, an intelligence officer in the Air Staff, efforts to prevent intrusions “are not part of the JTF’s [Joint Task Force’s] computer network warfighting role and have been strongly resisted by the Services.”174 In a later briefing, Healey described computer network defense as outward-focused, engaging enemies, active, and requiring operational expertise. By contrast, he depicted information assurance as inward-focused, not engaging enemies, passive, and requiring network management expertise.175 Consistent with the services’ preference for a warfighting focus, Healey noted that the task force would be “staffed mostly by traditional operators (pilots, combat arms, etc.), relying on DISA [the Defense Information Systems Agency] for technical comm-computer expertise.”176 Specifically, the task force was projected to consist of 19 billets, 10 of which were dedicated to operations, four to communications, and five to intelligence.177
This tiny task force functioned by leveraging technological expertise within the Defense Information Systems Agency and the services, as well as contractors. By 2000, it was composed of about one-third contractors, one-third military personnel, and one-third government civilian personnel.178 The services were each tasked with designating component forces and an associated commander that the Joint Task Force would have authority to coordinate and direct. Consistent with the emphasis on responding to threats, each of the services drew on its computer emergency response teams and information warfare units from its respective intelligence organizations.179 The Defense Department’s computer emergency response team was also placed under the Joint Task Force-Computer Network Defense.180
The operational focus was partly driven by the need to persuade war fighters of the value of this new activity. As Campbell recalls:
[I]f you’re going to have any credibility with the war fighters, you had to have operational people… . We thought the best approach was to start with people who had some credibility in the operational side of the house, and then provide them with training and additional help that they needed to be technically proficient.181
For example, some members of the task force took courses provided by James Madison University, which, in May 1999, was certified by the National Security Agency as one of seven initial Centers of Academic Excellence in Information Assurance.182
Although the Joint Task Force-Computer Network Defense was initially chartered as a defensive organization, by January 1999, the Joint Chiefs of Staff had agreed that it would become part of U.S. Space Command and that it would integrate both offensive and defensive operations.183 The task force remained physically co-located at the Defense Information Systems Agency, and the commander of the joint task force was made its vice director, allowing the task force to leverage the technical expertise at the agency. But members of the task force continued to distinguish their work from the technical support focus of the Defense Information Systems Agency. In October 1999, Army Col. Larry Frank, the chief of the task force’s operations division, asserted, “We bring an operational focus” to defense and “We don’t fix computers.”184
The joint task force’s charter in December 1998 made it “responsible for coordinating and directing the defense of the Department of Defense’s computer systems and computer networks,” a potentially enormous range of activities.185 However, many vulnerability mitigation activities were effectively delegated to the Defense Information Systems Agency or the services’ communications organizations. For example, the Defense Information Systems Agency developed the Information Assurance Vulnerability Alert process, wherein all of the Defense Department’s systems administrators were required to receive, acknowledge, and report on their compliance with vulnerability alerts.186
Nonetheless, in briefings before Congress, Campbell explicitly included red teaming and the Information Assurance Vulnerability Alert process within the category of “operations,” alongside the Joint Task Force-Computer Network Defense. As this suggests, the concept of computer network operations was beginning to broaden, despite the task force’s threat-oriented focus. And yet, this expanding concept of operations still excluded certain forms of vulnerability mitigation, such as training and certifying systems administrators and users.187
The Rising Status of Joint Cyber Operations and Service Responses
Computer network operations, both defensive and offensive, grew in influence, size, and authority in the 20 years following the establishment of the Joint Task Force-Computer Network Defense. That task force became the Joint Task Force-Computer Network Operations in 2000, when it assumed responsibility for both offensive and defensive operations.188 After the terrorist attacks of Sept. 11, 2001, operations in Afghanistan and Iraq underscored the importance of defense. Thus, in 2004, the joint task force was returned to its initial defensive focus, with the new name, the Joint Task Force-Global Network Operations.189 Offensive operations were moved to a new Joint Functional Component Command-Network Warfare within the National Security Agency. Both defensive and offensive components were commanded by Strategic Command, which had taken over several functions of Space Command when the latter dissolved in 2002.190
But the Joint Task Force-Global Network Operations did not discover the first known breach of classified U.S. military networks in October 2008. Instead, it was the National Security Agency’s Information Assurance Directorate that first detected the problem and within a day had devised a software solution to neutralize it (although implementing that solution across all of the Defense Department’s networks would take well over a year).191 The National Security Agency’s rapid response to the problem — code-named “Buckshot Yankee” — bolstered its case for unifying computer network attack and defense under the agency’s authority. In June 2009, Secretary of Defense Robert Gates announced the formation of U.S. Cyber Command, a unified command under Strategic Command that merged the Joint Task Force-Global Network Operations and the Joint Functional Component Command-Network Warfare. He also announced his intention to make the director of the National Security Agency dual-hatted as a four-star commander of U.S. Cyber Command.192 After decades of arguing for the importance of computer network operations, leaders in the intelligence community had finally gained the authority of a combatant command.
The services were all instructed to designate component commands, which were expected to be three-star commands. Additionally, in late 2012, U.S. Cyber Command began establishing standard training requirements to be used in building cyber mission forces — some 133 teams. These teams would comprise more than 6,200 personnel and would support Cyber Command’s three primary missions: defending Defense Department networks, supporting combat operations, and defending the United States from cyber attacks with national security implications.193
The following sections show how the elevation of joint computer network operations galvanized the services to elevate the professional and organizational status of computer network expertise. This process was slow and difficult because it entailed reorganizing existing organizations, career fields, and training programs — particularly those associated with signals intelligence and communications — to give them greater warfighting status. Ultimately, some kinds of expertise, particularly threat-oriented expertise that tended to reside within signals intelligence communities, were more readily promoted into an operational role than the technology-oriented expertise of communications and computing communities.
Air Force: Transforming Communications into “Operations”
Just as in the 1990s, the Air Force remained the most eager of the services to establish cyberspace as a warfighting domain. In November 2005, it revised its mission statement to include “to fly and fight in air, space and cyberspace.”194 In 2006, the Air Force also began to centralize its acquisition and management of computer networking, recognizing that many of its vulnerabilities resulted from decentralization and the associated lack of enforcement of strong security standards.195
However, the Air Force Communications Agency was not put in charge of centralizing computer networking. Instead, in July of 2006, the Air Force established a new Network Operations Command under the 8th Air Force — the previous home of the 609th Information Warfare Squadron — within Air Combat Command.196 At the same time, the 67th Information Operations Wing, which, as noted previously, inherited many of the tasks assigned to the 609th squadron, was renamed the 67th Network Warfare Wing. Its responsibilities were explicitly expanded to include attack, and its defensive role also increased as the wing took control of network operations and security centers that had previously been dispersed across 10 different locations, serving 17 different units.197
In November 2006, the Air Force announced plans to establish a major cyberspace command under the 8th Air Force “that stands alongside Air Force Space Command and Air Combat Command.”198 The Air Force also began planning for a new career field that would “ensure a full career with full opportunities for advancement to the highest ranks of the Air Force.”199 The new field would draw on specializations within four existing fields: communications, intelligence, electronic warfare, and space.200
However, these plans slowed significantly after 2007, when nuclear mismanagement led to the 8th Air Force being put in charge of all nuclear operations and nothing else, leaving the proposed command without a home.201 The Air Force nonetheless established the headquarters of Air Force Cyber Command (Provisional), which began planning for a more permanent home for the Air Force’s cyber command.202 In 2008, the provisional command proposed creating a three-star command consisting of a headquarters, a numbered Air Force, and four wings: the 67th Network Warfare Wing; 688th Information Operations Wing (which had evolved from Air Force Information Warfare Center); 689th Cyber Wing (a reactivated unit that had been retired when the Air Force Communications Command was demoted to a field operating agency); and a new 450th Electronic Warfare Wing.203 In 2009, the Air Force followed through on this proposal by activating the 24th Air Force/Air Forces Cyber as a three-star command under Space Command, which would also serve as the Air Force component to U.S. Cyber Command.204 Additionally, the Air Force Communications Agency was put under Space Command and renamed the Air Force Network Integration Center so that it could better support the 24th Air Force.205
Thus, the Air Force built its operational Cyber Command upon the earlier work of intelligence organizations — particularly the 67th Network Warfare Wing and the 688th Information Operations Wing — while keeping communications organizations in a support role. However, when the Air Force finally established a new cyber operations career field, it drew most heavily on the communications career field. This was not because such personnel were seen as the natural operators, but because Air Combat Command was unwilling to surrender its electronic warfare personnel to the new field and the Air Force Intelligence, Surveillance and Reconnaissance Agency (formerly the Air Intelligence Agency) was unwilling to lose personnel to a field that it would not control. By contrast, computing-communications personnel were eager to raise their status by becoming the core of a new career field in cyber operations.206
On April 30, 2010, the entire communications and information officer field, which included over 3,000 officers, was converted to a new cyberspace officer field.207 This marked an explicit shift from a support field to an operational field, but many legacy support functions remained.208 The new cyberspace officer field quickly became a very broad career field that included both vulnerability-reduction roles (e.g., Department of Defense Information Network, or DODIN, operations) and threat-oriented roles (e.g., offensive and defensive cyber operations).209 Personnel could also enter cyberspace operations through intelligence specializations.210
However, Air Force officers continue to view threat-oriented roles as preferable to vulnerability-oriented roles, by virtue of their greater warfighting status. For example, in 2013, 1st Lt. Robert Lee, a cyber team leader in the Air Force Intelligence, Surveillance, and Reconnaissance Agency, argued against categorizing the roles of establishing, maintaining, and overseeing networks as “operations,” i.e., warfighting. He recognized that these vulnerability-oriented roles were very important, and “maybe even more important than a defense operator’s role when done correctly.” But he insisted on differentiating them from operational defense: “Applying vendor-issued software patches is not defense; it is maintenance.”211 Lee argued that combining these different kinds of activities into a single career field, with a single training pipeline, undermined the Air Force’s ability to develop both kinds of expertise.
Similarly, in a recent survey of the Air Force’s cyberspace operations officers (17D), one officer asserted that “all 17Ds should be executing cyber operations, whether on the offensive line or defending a weapon system. Not supporting and maintaining.”212 Another criticized senior Air Force leadership for not understanding “that cyberspace operations = maintaining the network, i.e., email.”213 Yet another argued that they were “making ‘support’ and ‘maintenance’ dirty words by calling everything ‘operations,’ and the true operational community sees that a huge portion of what we do is support or maintenance, and our marketing campaign costs us credibility.” This officer argued for the need to both be honest with officers in this field about the kind of work they would probably be doing and to build “understanding and appreciation for how critical cyber support and maintenance are for EVERY other mission area.”214
Navy: Organizing an Information Warfare Community
The Navy began consolidating its computer networks even earlier than the Air Force, recognizing significant inefficiencies and vulnerabilities associated with decentralization. In October 2000, it awarded a contract for the development of the Navy Marine Corps Intranet, which would merge up to 200 different networks, many of which were not interoperable, into a single seamless network.215 By 2004, the Navy intranet had reduced the number of distinct applications from 90,000 to 10,000. The secretary of the Navy noted that the “most deficient aspect” of legacy information technology was insecurity, acknowledging that it “was insecure because we bought it and built it that way.”216 This was a management as well as an acquisition problem: “It wasn’t just that we weren’t following our own rules; in many cases we weren’t even aware of them.”217 The Navy also greatly underestimated the complexity of its networks, which slowed the deployment of the intranet considerably. Efforts to speed up the process alienated many of the system’s users and created problems. Nonetheless, by 2006, the Navy Marine Corps Intranet had consolidated over 1,000 legacy networks and had greatly improved security.218
The Navy also centralized security management by consolidating commands responsible for communications and computing. In 2001, it merged the Naval Computer and Telecommunications Command with the Task Force-Navy Marine Corps Intranet, forming a new Naval Network Operations Command. The following year, elements of that command and the Naval Space Command were incorporated into a new Naval Network and Space Operation Command.219 On May 1, 2002, the Naval Network Warfare Command was established as a three-star flag-rank command. Subordinate commands included the Naval Network and Space Operation Command, the Fleet Information Warfare Center, and the Navy Component Task Force-Computer Network Defense.220 The Navy’s Computer Incident Response Team was moved from Fleet Information Warfare Center to the Navy Component Task Force-Computer Network Defense in 2003 and became the Navy Cyber Defense Operations Command in January 2006.221
The establishment of the Naval Network Warfare Command expanded the authority and responsibilities of the Navy’s communications-computing personnel. While the Naval Network Warfare Command was a type command, meaning that it managed training for a particular kind of weapons system (cyber), it was also an operational command. For example, it included the Navy’s component of the Joint Task Force for Computer Network Operations, which conducted both defensive and offensive operations. Network Warfare Command was initially staffed primarily by information systems technicians (enlisted) and information professional officers.222
However, the commander of the Naval Security Group and other leading cryptologists saw an opportunity in the growing prominence of computer network operations.223 As a result, in 2005, the Naval Security Group was transformed into the new Information Operations Directorate within Network Warfare Command, and the Naval Security Group’s detachments and activities became Navy Information Operations Commands within the Information Operations Directorate.224 For example, the Naval Information Warfare Activity became the Naval Information Operations Command in Suitland, Maryland.225 Around the same time, the Navy restructured the cryptology career field to emphasize the growing importance of computer network operations. In 2004, the secretary of the Navy approved a new enlisted rating, cryptologic technician networks, and converted over 240 enlisted information technology specialists into the new specialization.226 The following year, naval cryptology officers were redesignated as information warfare officers, a move intended to acknowledge their “expanded skill sets and responsibilities” associated with information operations.227
The Navy considered making more dramatic changes to professionalize cyber operations as something distinct from both communications and cryptology. In 2008, the Strategic Studies Group XXVI, an elite group of naval officers commissioned by Chief of Naval Operations Adm. Michael Mullen in 2006 to study the impacts of cyberspace on naval operations, delivered a report concluding that in order to “fight and win,” the Navy should create “a Cyber Warfare Community comprised of warriors equal in every way to those who operate in traditional warfighting domains.”228 The report argued that cyberspace officers should be trained “to be warfighters, not administrators,” individuals who possessed not only technical skill but also the ability to command in a manner equal to commanders in the traditional areas of surface, subsurface, and air warfare.229
However, these recommendations were rejected. Both Mullen and the succeeding chief of naval operations, Adm. Gary Roughead, viewed cyberspace as just one component of a much broader problem in managing intelligence and information.230 This view was supported by the Navy’s cryptologic community, which saw cyber operations as part of cryptology.231
Nonetheless, with the establishment of U.S. Cyber Command and associated directives to supply component forces, the Navy did elevate cyber operations. In 2009, it reactivated the 10th Fleet, which had played a critical role in anti-submarine warfare during World War II, making it Fleet Cyber Command, the Navy component of U.S. Cyber Command. By reactivating the 10th Fleet, the Navy underscored that “victory will be predicated on intelligence and information rather than fire power.”232 The Navy moved all network organizations under Fleet Cyber Command/10th Fleet, including Network Warfare Command. But to emphasize the warfighting role of the new command, its first commander was Vice Adm. Barry McCullough, a seasoned surface warfare officer — not a cryptologist or communications-computing specialist.233
With growing demand for personnel with skills in computer network operations, the Navy also reorganized and elevated relevant career fields. In 2010, the Navy created the cyber warfare engineer specialization.234 Officers were directly commissioned into this new specialization based on records of excellence in academic computer science and engineering and were required to serve for a minimum of six years. After that, they would be encouraged to transfer to another community within the Information Dominance Corps, a new career field also established in 2010. The cyber warfare engineer became one of five specializations within the corps. The other four were meteorology and oceanography, information warfare, information professional, and intelligence.235 Perhaps most significantly, in 2010, the Navy made information dominance a warfare specialization with an associated qualification process and associated pin — something support fields typically lacked.236 In 2016, the Information Dominance Corps was renamed the Information Warfare Community to further “mainstream information warfare as one of four predominate warfare areas.”237
Despite this elevated status, Navy personnel specializing in cyber operations have yet to gain the full opportunities available to traditional warfighters. In general, officers within the Information Dominance Corps are restricted line officers, which means they are not eligible for command at sea.238 Some have called for an unrestricted line officer cyber warfare community that might “evolve from its historic support role to an operationally proactive and predictive role.”239 Cyber warfare engineers must change specializations after their six-year service term, which means they cannot advance above the rank of lieutenant.240 Arguably, the limitations have been most significant within the information professional community — the Navy’s network maintainers. Information professionals saw dwindling command billets in the new millennium, not only due to technology and mission changes but because of civilian outsourcing.241 The information warfare community, which conducts defensive and offensive cyber operations, does not seem to have seen a similar reduction in command billets.242 This suggests that individuals specializing in threat-oriented work continue to have more opportunities than those engaged in vulnerability reduction and maintenance work.
Army: Intelligence, Communications, and the Creation of Cyber Branch
Like the Navy, by the late 1990s, the Army recognized that security and efficiency both demanded a more centralized approach to computer network procurement and management. While the Army did not participate in Operation Eligible Receiver, it “got religion” after Solar Sunrise revealed that it had no effective means of monitoring its networks for intruders.243 In response, the U.S. Army Signal Command was tasked with developing intrusion detection systems. In 2002, Signal Command was absorbed by a new Network Enterprise Technology Command at Fort Huachuca, AZ, which was established to centralize the acquisition and management of the Army’s computer networks.
The new command was tasked with centralizing situational awareness and helping to defend networks, and it worked with U.S. Army Intelligence and Security Command to establish distinctive responsibilities for defense.244 The Army’s Network Operations and Security Center was part of the Network Enterprise Technology Command, but it was co-located with the Army’s Computer Emergency Response Team at Fort Belvoir, VA, so that the response team could provide the center “direction without command” and help to coordinate network defense.245 Communications and intelligence commands thus came to share some responsibility for threat-oriented approaches to defense.
However, intelligence units continued to play the leading role. In 2002, Land Information Warfare Activity became the 1st Information Operations Command, with two battalions. The first consisted of field support teams and vulnerability assessment teams, and the second focused on computer network operations. The second battalion developed considerable expertise, in no small part by relying heavily on contractors. By the mid-2000s, it consisted of only eight active-duty personnel, supplemented by about 190 contractors, 30 government civilians, and 60 reservists.246
Intelligence and Security Command’s signals intelligence group, the 704th Military Intelligence Brigade, had been tasked with developing a computer network operations capability even earlier, in 1998. B Company of the 742nd Military Intelligence Battalion took on this challenge. In June 2000, it became Detachment Meade.247 Initially, Detachment Meade had trouble filling positions. Of an initial group of about three dozen people, only about half were technically qualified.248 Nonetheless, in the early 2000s, Detachment Meade grew rapidly, both in response to growing demand for cyber effects in the “War on Terror” and with the encouragement of Keith Alexander, who as a major general served as director of Intelligence and Security Command from 2001 to 2003 and who then, as lieutenant general, became the Army’s Deputy Chief of Staff for Intelligence from 2003 to 2005.249 After Alexander became the director of the National Security Agency in 2005, and as cyber operations continued to grow in national importance, Detachment Meade went through several organizational changes that increased its prominence. In 2009, it became the 744th Military Intelligence Battalion (also known as the Army Network Warfare Battalion).250
The rise of joint cyber operations further elevated the status of these activities. In 2009, Secretary of Defense Gates directed the services to establish component support to U.S. Cyber Command.251 Both Intelligence and Security Command and Network Enterprise Technology Command lobbied for ownership of the new mission, recognizing that it would come with substantial resources and an increase from two- to three-star status. However, Network Enterprise Technology Command was seen as lacking the threat-focused orientation needed for an operational command.252 In fact, it was reportedly inconsistent in cooperating with the Army’s computer emergency response team to remediate vulnerabilities or otherwise respond to network incidents, likely because such actions could temporarily reduce network availability and otherwise inconvenience users — the primary focus of maintainers.253
Thus, Network Enterprise Technology Command was not given the cyber operations mission, but rather was put under the operational control of Army Cyber Command, a new unit established in October 2010 at Fort Belvoir, VA, home to both the Army’s Computer Emergency Response Team and the Army Network Operations and Security Center.254 While both of Intelligence and Security Command’s cyber-operational units — the 744th Military Intelligence Battalion and 1st Information Operations Command — were also put under the operational control of Army Cyber Command, they stayed under the administrative control of Intelligence and Security Command, which remained independent of Army Cyber Command.255 In 2011, the 744th Military Intelligence Battalion was reorganized as the 781st Battalion and placed under a new unit, the 780th Military Intelligence Brigade, within Intelligence and Security Command.256
As the scale of joint cyber operations grew, so did the need for trained personnel, spurring the Army to create new specializations.257 The Army’s signals branch created the information protection technician warrant officer in 2010, and the cyber network defender enlisted specialization in 2014. Similarly, the intelligence branch created the cryptologic cyberspace intelligence collector in 2012. In 2014, the Army finally created a new Cyber Branch, with three initial specializations: cyberspace officer, cyber operations technician (warrant officer), and cyber operations specialist (enlisted).258 That same year, the Army announced the new cyber branch as one “that will take its place alongside infantry, artillery and the other Army combat arms branches.”259
Consistent with the tendency to treat threat-oriented activities as more akin to combat than vulnerability-oriented activities, it was Cyber Branch that became “a maneuver branch with the mission to conduct defensive and offensive cyberspace operations (DCO and OCO).”260 By contrast, the Army’s information protection technician warrant officers, an operations support field, conduct DODIN operations — activities that tend to be oriented toward reducing vulnerabilities.261 Cyber network defenders, also a support field, conduct vulnerability assessments and other kinds of infrastructure support work, although they also conduct incident response, a threat-oriented activity.262 Thus, while Army cyber operations gained considerable status after the establishment of Cyber Command, threat-oriented roles continue to have greater warfighting status than vulnerability-oriented roles.
Developing military cyber expertise has entailed much more than simply developing a supply of personnel with specialized skills, knowledge, and abilities. It has also involved persuading traditional warfighters of the critical importance of cyber skills, knowledge, and abilities and elevating certain work roles within organizational hierarchies. In other words, the relationships between and among distinctive kinds of cyber experts, other military personnel, and the computer networks with which they all must work to achieve operational goals had to undergo a transformation.
Key leaders in military operational and intelligence communities achieved this transformation by framing cyber operations as a kind of warfighting in their own right, rather than as being merely operations support. The leaders developed concepts of cyberspace and cyber operations that were analogous to well-accepted concepts of kinetic operations. Leaders in the intelligence community grew particularly adept at using exercises to demonstrate the potential impact of cyber attacks on warfighting. Incident response teams made visible that these types of attacks were increasing. These efforts succeeded in formally raising the status of cyber offense and defense, culminating in the 2018 elevation of U.S. Cyber Command to become the nation’s 10th Unified Combatant Command.
Even as they highlighted the growing threats in cyberspace, leaders in the intelligence community recognized that such threats could not be successful unless there were vulnerabilities, which were partly of the Defense Department’s own making. While the Department of Defense succeeded in improving the security of commercial products, those products could be, and often were, deployed and managed in insecure ways. Many Defense Department intrusions were enabled by errors in network management and maintenance. But in the 1990s, most communications and computing personnel did not know how to configure and manage networks securely and had no immediate incentive to do so. The efficient mitigation of vulnerabilities was enhanced by some technological and organizational innovations, such as vulnerability scanning tools and the Information Assurance Vulnerability Alert process. But ultimately, these were innovations in the service of better management and maintenance. This history has thus highlighted the importance of maintenance as much as it has innovation.
By 2013, Joint Publication 3-12, “Cyberspace Operations,” explicitly included maintenance in its definition of DODIN operations. This was reiterated when the publication was reissued in 2018. Joint doctrine defines these operations in terms of mitigating a wide range of vulnerabilities, both technological and human. For example, DODIN operators are charged with training everyday users in good security practices as well as operating firewalls. However, as discussed above, these operations continue to be seen by many as lower in status than threat-focused activities, i.e., defensive and offensive cyber operations. This status difference is most visible in the Air Force, where DODIN operations have been placed in the same career field as defensive and offensive cyber operations. Yet it is also visible in subtler ways in the Navy and the Army, where vulnerability-oriented roles tend to have less warfighting status and fewer opportunities for command.
This paper does not take a position on whether vulnerability mitigation should or should not be considered a kind of warfighting. Rather, my aim has been to analyze the historical process by which such activities came to be officially included in the scope of operations and how the cultural status of varying forms of cyber expertise has evolved over time. I have also sought to highlight the importance of vulnerability mitigation, regardless of its “warfighting” status.
Evidence suggests that vulnerability mitigation continues to be less of a priority than it should. In September 2015, the chairman of the Joint Chiefs of Staff and the secretary of defense launched a Cybersecurity Culture and Compliance Initiative, noting that “roughly 80 percent of incidents in the cyber domain can be traced to three factors: poor user practices, poor network and data management practices, and poor implementation of network architecture.”263 The initiative directed Cyber Command and the Department of Defense chief information officer to complete 11 tasks, including developing leadership training materials for combatant commanders and other units, establishing training requirements for providers of equipment and services, and recommending specific changes to technological capabilities for patching vulnerable systems. The initiative also directed all combatant commanders to introduce certain security principles into training, thereby reducing human vulnerabilities.
One month later, the commander of Cyber Command and the Defense Department chief information officer went further by creating a Cybersecurity Discipline Implementation Plan, arguing that Defense Department networks were “not defendable.”264 They noted “an unacceptable number of unpatched vulnerabilities,” and gave commanders and supervisors responsibility for verifying that “all servers and network infrastructure devices” were compliant with the Information Assurance Vulnerability Alert process. This was just one of 17 tasks assigned to commanders and supervisors. Finally, consistent with Defense Department directives for information assurance training, the Defense Information Systems Agency in 2015 launched the Cyber Awareness Challenge training program to reinforce “best practices” among service members, civilians, and contractors.265
However, in 2020, the U.S. Government Accountability Office identified significant shortcomings in the implementation of each of these three programs. Seven of 11 tasks in the Cybersecurity Culture and Compliance Initiative were still not completed, despite 2016 deadlines. Four tasks in the Cybersecurity Discipline Implementation Plan were difficult to complete because of legacy equipment, and the status of another seven tasks was unknown because no one had been assigned responsibility for ensuring their completion. Similarly, units did not keep track of which computer users did or did not take the Cyber Awareness Challenge training.266 In 2019, the Defense Department’s inspector general concluded that the Defense Department had not consistently remediated vulnerabilities discovered by cyber red teams.267
By establishing DODIN operations as a kind of warfighting, along with offensive and defensive cyber operations, the Defense Department has sought to raise the status of vulnerability remediation and those who manage it. But ultimately, vulnerabilities cannot be completely eliminated by even the most expert of cyber forces. Rather, the complete elimination of vulnerabilities would require a transformation of everyday users — individuals who are not cyber experts but nonetheless can compromise systems by careless practices. Recognizing this problem, some officials have sought to frame everyday computer network users as warfighters.
In 2009, the Air Force began advocating the “Rise of the Cyber Wingman” philosophy, outlining 10 principles that all Air Force personnel should observe, and arguing that “every Airman is a defender in cyberspace.”268 By 2012, the Marines had come to consider “every Marine a cyber warrior” and instituted a cyber security training regimen analogous to its well-known mantra, “every Marine a rifleman.”269 A recent critical review of Navy cyber security, commissioned by the secretary of the Navy after multiple breaches, concluded that the “workforce is generally uneducated in cybersecurity, largely complacent,” and tends to see cyber security “as an ‘IT issue’ or ‘someone else’s problem.’”270 As a result, the review explained, “cybersecurity is undervalued, and often used as a bill-payer within programs of record.”271 It proposed that the Navy inculcate an “Every Sailor a Cyber Sentry” mindset.272 And a recent article entitled “Every Warrior a Cyber Warrior” argues for improving Army cyber security education because “every U.S. Army soldier must be ready to fight on the digital battlefield.”273 Whether these metaphors will ultimately be persuasive, however, remains to be seen.
Rebecca Slayton is associate professor at Cornell University and is jointly appointed in the Science & Technology Studies Department and the Judith Reppy Institute for Peace and Conflict Studies. Her first book, Arguments that Count: Physics, Computing, and Missile Defense, 1949–2012 (MIT Press, 2013) shows how the rise of computing as a new field of expertise reshaped public policies and perceptions about the risks of missile defense in the United States. She is currently working on Shadowing Cybersecurity, a book that examines the history of cyber security expertise through the interplay of innovation and repair.
Acknowledgements: Thanks go to Captain Jason Healey for very informative emails and contacts and for donating documents to the National Security Archive. I also thank Gen. John Campbell for email correspondence about the formation of the JTF-CND and Col. Walter Rhoads and Capt. William Gravell for granting me phone interviews and email correspondence that answered numerous questions about their work. I am also grateful to Herb Lin for sharing a copy of the partially declassified 1992 Directive on Information Warfare. I thank two anonymous reviewers and Doyle Hodges, the executive editor of Texas National Security Review for constructive criticism that improved this paper. Finally, I thank Megan Oprea, managing editor of Texas National Security Review, for carefully reviewing and improving the clarity and accessibility of the manuscript.