OMAHA, Neb. — As the military works feverishly to have the nascent Cyber Command fully operational by Oct. 1, U.S. cyberwarfare security experts met here last week and stared down a very long, sobering to-do list.
“Let’s get on with it,” said Gen. Kevin Chilton, chief of U.S. Strategic Command, which oversees the barely 2-week-old CYBERCOM, speaking to a packed ballroom at the two-day conference. “Spring training is over. The season started. We’re in the pennant race right now, and you know it’s not that long until October.”
Speaking later to reporters, Chilton hedged about whether the military would meet the Oct. 1 goal set by Defense Secretary Robert Gates.
“We’ve developed ... the metrics ... and then we’ll assess those along the way and make a recommendation to the secretary,” Chilton said.
That on-the-fly ethos is a common theme underlying CYBERCOM since Gates called for its creation one year ago this month. This year’s two-day STRATCOM Cyberspace Symposium was hosted by the Armed Forces Communications and Electronics Association near the command’s headquarters at Offutt Air Force Base. More than 1,000 people attended panels with heavy hitters such as security chiefs from Microsoft, IBM, Cisco and Verizon; cyber commanders from several U.S. combatant commands, NATO, Japan and the U.K.; university professors; and the Pentagon’s science and technology geek wing, the Defense Advance Research Projects Agency.
Panelists repeatedly said the U.S. was playing catch-up to its adversaries in building its cyber defenses. Yet critics in Congress have expressed concern that the Pentagon launched CYBERCOM before knowing what it wants or needs — from the right legal authorities to privacy concerns, organizational structure and personnel. A Senate panel delayed CYBERCOM commander Gen. Keith Alexander’s confirmation for months demanding fuller answers in a questionnaire posed to the nominee.
But the Pentagon’s message remains: Let us get started and we’ll figure it out.
On May 26, Chilton and Deputy Secretary of Defense William Lynn said the next step in the process would be to develop the rules of engagement of cyber warfare, including laws and regulations they need to pursue their mission.
That is a discussion happening across the federal government, they said, and includes the White House, National Security Council staff, and cyber elements of the departments of Homeland Security, Justice and State.
There is no specific interagency task force to coordinate those efforts, and much of the work remains classified.
“You’re only going to see pieces of the elephant,” said Lynn, as CYBERCOM pulls together what was a “loose confederation” of units across the Defense Department.
Chilton said his top concerns are developing training, better exercises and inspections. But as tens of thousands of servicemembers, civilians and contractors are given new assignments or relocated, the military has not yet settled on the size of its cyber work force.
A STRATCOM spokesman said CYBERCOM headquarters — staffed at Fort Meade, Md., where it shares space with the National Security Agency — will require more than 1,000 servicemembers, civilians and contractors, but the command still is determining the right mix.
The branches also are grappling over the manpower required to build a cyber force, with representatives of all four questioning who would qualify as a cyber operator.
“Is it a radio operator who operates a digital radio?” said panelist Col. Laura Little, commander of the Marine Corps Network Operations and Security Center at Quantico, Va., whose unit has expanded by more than 100 civilians in the past year.
The Air Force is devising two- to three-hour courses on “how to be a good cyber operator,” said Maj. Gen. Richard Webber, commander of the 24th Air Force, which has identified jobs, crews and units that would require special certifications.
Maj. Gen. Steven Smith, director of the Army’s Cyberspace Task Force, said the Army has devised midlevel training for warrant officers at Fort Benning, Ga., while the Navy has begun a career path to train “cyber warfare engineer” teachers, said Rear Adm. Peg Klein, director of global operations, Naval Network Warfare Command.
Little wasn’t worried about recruiting from a pool of young people who grew up online.
“They’re digital natives,” he said. “They come tech savvy.”
The military’s bigger concern is training mid-level commanders. Chilton was optimistic at the conference, declaring that a culture change over cyber responsibility had swept across the military since their first conference in February 2009.
“It has almost become trite to hear someone stand up and say cyberspace is essential to military operations. People get it,” he said.
Last year, he said, the feeling was that “cyberspace was not commanders’ business.”
Instead, cyberspace belonged to systems administrators, or “someone in your outer office when there’s a problem with machines.”
“I can tell you in a year that has changed,” Chilton said in his speech. “It’s changed dramatically.”
A nervous stir fell over the audience when a panel moderater, Noah Shachtman, editor of Wired magazine’s popular blog Danger Room, noted that a ship driver who runs aground is fired and demoted. How much blame will everyday commanders have to bear if a cyber attack thwarts their networks?
Add that question to the list.