Deputy assistant secretary of defense for cyber policy Eric Rosenbach cited Defense Department progress in creating a concept for operating in the newest warfare domain, building and training a joint cyber force, and updating the standing rules of engagement for operating in cyberspace to align with Presidential Policy Directive 20, or PPD-20, on cyber operations, Defense-Update reports.
Without naming specific countries, Rosenbach also said that senior DOD officials have made a conscious decision to expand the traditional U.S. circle of allied engagement to “key regions” to defend common interests in cyberspace.
“Through an intense deliberative process, the [most senior] leadership in the department decided that we needed to make a significant investment in the people who would constitute the cyber force,” the deputy assistant secretary told American Forces Press Service. “The investment is going into a structure that is now more defined than it ever was in the past, and this has been helpful in having everyone in the department understand what the missions will be for the new influx of personnel.”
From now until at least fiscal year 2016, each service will contribute teams of fully trained cyber warriors to U.S. Cyber Command, which has three operational focus areas: defending the nation, supporting the combatant commands and defending the DOD information networks.
The service teams will become what Cybercom Commander Army Gen. Keith B. Alexander described June 12 in written testimony before the Senate Appropriations Committee as the command’s cyber mission forces, organized into national mission teams, combat mission teams and cyber protection teams.
“The idea of defending the nation in cyberspace is just like it is in other domains,” Rosenbach explained. “If there’s a very significant attack that’s launched against the United States, it’s the department’s mission to stop that attack.” The main role of the combat mission forces, he added, “is to support the Combatant Commands in their missions and to support contingency operations when directed by senior civilian leaders.”
A contingency operation is one in which members of the armed forces become involved in military actions, operations or hostilities against an enemy of the United States or against an opposing force, according to Title 10 of the U.S. Code. Rosenbach said the job of cyber protection teams will be to defend DOD’s information networks against all attacks. “A lot of credit should go to Cybercom leadership for figuring out a structure that would work,” the deputy assistant secretary noted.
Below the large team framework is a smaller team framework, and then specific positions that drive training, standards and exercise requirements for everything Cybercom will do within its mission areas, Rosenbach said. The teams are not completely in place, “but Cybercom has a very good plan within the next few years of getting everyone there trained to standard and operational,” he added.
“It’s going to take time to find and train the right people and get them out there, and also for us to become more confident with the doctrine and the way doctrine works compared to the way the threat is evolving,” Rosenbach said. “We’re doing all these things at once, which makes it very interesting on one hand and very complicated on the other.”
DOD also has made progress in updating the standing rules of engagement for cyber, which had more to do with information technology and network security than operating in cyberspace when they were put in place in 2005, the deputy assistant secretary said.
“It’s important to remember that standing rules of engagement are about defense and defending either your unit or the country or something in particular, like critical infrastructure,” Rosenbach said. “Very often, you’ll see in the press people confusing these standing rules of engagement with something that has to do with offensive cyber operations, but that’s not the case.” Rules of engagement always are classified to keep such knowledge from adversaries, he noted, “but the intellectual work and process work is complete now, and it’s very close to the official signature.”
The department’s process for establishing standing rules of engagement is closely intertwined with the process for creating a presidential policy directive on cyber operations, Rosenbach said, referring to the classified PPD-20 issued by the White House in October and then leaked to the media this month. But in an unclassified fact sheet released Oct. 16, the White House described PPD-20 as a classified policy that, among other things, does the following:
- Takes into account the evolution of the threat and growing experience with the threat;
- Establishes principles and processes for using cyber operations so cyber tools are integrated with the full array of national security tools; and
- Provides a whole-of-government approach consistent with values promoted domestically and internationally and articulated in the International Strategy for Cyberspace.
“It is our policy,” the fact sheet states, “that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as preferred courses of action.”
In Senate Appropriations Committee testimony June 12, Cybercom Commander Army Gen. Keith B. Alexander referred to the presidential policy directive. “Last fall, the departments negotiated and the president endorsed a broad clarification of the responsibilities of the various organizations and capabilities operating in cyberspace,” he said. The Cybercom commander added that the clarification revised “the procedures we employ for ensuring that, in the event of a cyber incident of national significance, we are prepared to act with all necessary speed in a coordinated and mutually supporting manner.”
Rosenbach called the policy an important step forward for the administration and the government.
“It was a very intense yearlong effort to sharpen the decision-making process for deciding when to use cyber operations,” he said. “That includes getting a better conceptual idea of what is offense and what is defense, and it’s the framework you would use to decide when those types of operations are appropriate.”
Rosenbach stressed that offensive operations in cyberspace would be extremely rare and would depend on specific situations. Such a decision is made by the president in very unique cases, he added, “and some of the criteria would be outlined in the presidential directive. “But a very small number of cases would ever be under consideration,” he said.