December 21, 2024
In the United States, defense of the homeland is no easy task. In the physical realm, the different agencies that are charged with detecting, preventing, defeating and reacting to threats to the nation have different authorities and capabilities along with differing philosophies and tactics, techniques and procedures. The cyber realm is no different and often more complicated because of the intertwining of commercial, governmental and military spaces and vulnerabilities. WAR ROOM welcomes Jamel Neville as he examines what must be done to improve DoD's coordination with the public and private sectors and align efforts, actions and wills.

In today’s globalized world, asymmetric attacks against friendly supply chains and economic activity could have devastating effects on U.S. and coalition war efforts.

As war raged throughout the European and Asia-Pacific regions in 1942, America’s adversaries penetrated and maneuvered throughout key United States East Coast supply chain nodes resulting in the deaths of thousands of people over several months. In February 1942, adversary attacks against one Southern California oil refinery generated mass hysteria across the West Coast. Adversaries continued to operate undetected throughout the spring despite shared threat intelligence and lessons from United States’ allied partner in the weeks and months preceding the initial attacks. During the February attack, electricity and electromagnetic spectrum outages across Los Angeles and San Diego stemmed from the inability of the U.S. military and local authorities to coordinate responses. Due to the war overseas, the military committed the preponderance of its focus and effort to operations abroad, resulting in an inability to surge forces to counter adversarial attacks at home. The impact on the Northeast fuel supply chain forced nationwide gasoline rationing throughout the next two years.

This vignette on Germany’s Operation Drumbeat and Japanese actions against the Santa Barbara Bankline Company aviation fuel storage farm illustrates how the U.S. was unprepared to counter asymmetric attacks or handle their non-kinetic effects.

Could this happen again? One must assume that our adversaries would try. In today’s globalized world, asymmetric attacks against friendly supply chains and economic activity could have devastating effects on U.S. and coalition war efforts. Unified action across the federal government is how the U.S. overcame German and Japanese attacks and characterizes the type of response that the U.S. must prepare for in the next fight.

A complex catastrophe is an incident that “results in cascading failures of multiple, interdependent, critical, life-sustaining infrastructure sectors and causes extraordinary levels of mass casualties, damage or disruption severely affecting the population, environment, economy, public health, national morale, response efforts, and/or government function.” Complex catastrophes can be precipitated through natural or man-made incidents, including cyber-attacks, power grid failures, and terrorism. Of these, cyber-attacks are of greatest concern because of adversarial abilities to attack from a long distance at little risk to themselves.

Today, sophisticated cyber actors have the potential to exploit information and communication systems vulnerabilities to establish undetected access and control of these systems. Russia presents a credible example, as she can conduct cyber-attacks against critical infrastructure in the U.S. In March 2022, the Biden Administration warned that Russia is exploring options to conduct cyber-attacks on U.S. critical infrastructure in retaliation to the economic sanctions levied on Russia following its invasion of Ukraine.

While the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) collaborates with organizations to protect U.S. critical infrastructure, these efforts are more passive. The Department of Defense (DoD) is ultimately responsible for posturing cyber forces to counter, blunt, and actively defend the homeland against complex cyber-attacks by foreign adversaries. However, the myriad of federal cyber laws, regulations, and authorities; DoD inter- and intra-organizational relationships (e.g., interagency and intelligence community); and public and private sector stakeholder equities could hinder DoD’s ability to prepare and respond with speed and agility in cyberspace. As U.S. Army General Paul Nakasone stated, national cybersecurity is “a team sport,” yet players on the same team may use different playbooks or play by different rules.

Current strategic threat assessments highlight the need for unified action to protect and defend against complex cyber-attacks against the U.S. power grid and other critical infrastructure. DoD – specifically, USNORTHCOM and USCYBERCOM – must effectively team with CISA and other stakeholders to counter, thwart, or minimize the impacts of large-scale cyber-attacks. Though DoD cyber force and capability-positioning are important planning factors (e.g., liaison officers and cybersecurity infrastructure), they are not critical as geography does not constrain cyberspace operations. Paramount is the DoD and Joint Force’s ability to effectively orchestrate stakeholders’ cyber authorities, capabilities, and equities to protect, prevent, mitigate, respond, and recover from complex catastrophes. 

The U.S. intelligence community assesses that peer adversaries will employ cyber warfare capabilities to degrade DoD networks, hold national infrastructure at risk, and delay and disrupt the U.S.’ ability to project forces globally. The latter is both a critical capability and vulnerability as power-projection capability is highly reliant upon the private sector, which owns more than 80% of the Nation’s critical infrastructure. And given the open and interdependent nature of the Internet, the U.S. and other democratic nations are more susceptible to cyber-attacks against critical infrastructure than countries with restrictive Internet systems. Due to these vulnerabilities and the capability of adversaries, these threats could potentially result in considerable damage across the United States, severely impacting national security.

There is a potential for tension in that USNORTHCOM and USCYBERCOM’s mission sets are likely to overlap if cyber-attacks strike homeland critical infrastructure. Joint doctrine states that USNORTHCOM commands and controls DoD homeland defense cyberspace operations, specifically, “defending against, mitigating, and defeating cyberspace threats.”  However, only USCYBERCOM possesses the cyber expertise and intelligence apparatus to respond to such a crisis. Commanders and staff must share an understanding of these command relationships and plan cyber authorities and capabilities accordingly. USNORTHCOM must closely coordinate with CISA, the interagency, intelligence community, allies, and partners to enable DoD cyber forces to detect, target, attribute and respond to malicious cyber actors.

In 2012, the then-Commander of USNORTHCOM, General Charles Jacoby, Jr., aptly forecasted that USNORTHCOM’s role could be much broader than Defense Support of Civilian Authorities (DSCA) operations. During a complex catastrophe in CONUS, USNORTHCOM would likely activate one or more of its Joint Task Forces and execute DSCA operations following requests for assistance for cyberspace incident response, law enforcement support, or other domestic activities. Defense Support to Cyber Incident Response (DSCIR) – included within the DSCA framework – authorizes the DoD to support federal departments and agencies for asset and threat response to cyber incidents outside the DoD Information Network.

USNORTHCOM and supporting cyber forces, directly and indirectly, contribute to the intelligence community’s attribution processes, hence the need for sound information-sharing and knowledge management activities. USCYBERCOM’s operations following adversaries’ attacks against the Colonial Pipeline and JBS beef plants in 2021 noted this level of coordination. In short, USNORTHCOM and Joint Force cyberspace operations planners must clearly understand capabilities, requirements, operational limitations, liaison, and legal considerations to optimize intelligence coordination for offensive cyber operations.

International business relations can put U.S. companies in tricky situations, making decisions that may accommodate one entity but offend another.

USNORTHCOM and supporting cyber forces must also remain aware and sensitive to public and private sector stakeholders’ equities and interests and find common ground. These entities primarily tend to the prosperity and success of their companies, while the federal government focuses on the United States and national security. Additionally, private companies have global business partnerships and work with federal and non-federal entities. International business relations can put U.S. companies in tricky situations, making decisions that may accommodate one entity but offend another. In short, shared trust between the DoD, federal government, and public and private sector stakeholders is essential in protecting and defending U.S. critical infrastructure.

Rapid detection and attribution of malicious cyber activity efforts enable the federal government, allies, and partners to leverage appropriate authorities to expel adversaries from network infrastructure and impose costs. According to the U.S. Department of State, when allied and partner nations contribute, attribution becomes more impactful to deterrence and legitimizes responsive actions. Critical intelligence-sharing between the U.S. and Ukraine exposed Russia’s malign intentions before its 2022 invasion of Ukraine. Since Russian forces began deploying on Ukraine’s borders in late 2021, USCYBERCOM deployed a “hunt team” to collaborate with mission partners and “gain critical insights that have increased homeland defense for both the United States and Ukraine.” Overall, unified action enhances DoD’s ability to deter and respond to cyber threats and attacks with speed and agility.

Should DoD’s “defend forward” operations fail, adversaries penetrating America’s borders with a sophisticated cyber-attack against the U.S. power grid would impact energy, banking, finance, transportation, communication, and the defense industrial base. The DoD will respond to a catastrophe of this type as outlined in Presidential Policy Directive-41, “United States Cyber Incident Coordination.” Specifically, USCYBERCOM’s cyber national mission teams would detect, deter, and, if necessary, defeat adversaries in cyberspace. Cyber protection teams would also defend and hunt for adversaries in DoD networks and non-DoD mission partner or critical infrastructure networks.

In addition to developing a shared understanding of CISA and other federal cyber authorities, the Joint Force and federal and state governments should capitalize on the capabilities of the National Guard and Reserve cyber forces. According to Lieutenant General Jon Jensen, Director of the Army National Guard, his forces gain mission-relevant experience as they rotate through USCYBERCOM in a Title 10 status. USCYBERCOM also benefits from these rotations since most National Guard and Reserve members perform cybersecurity for their civilian jobs and bring great perspectives and knowledge. Their operational experience should be leveraged to build and strengthen ties between their home stations with local governments and public and private sector entities where they live and work, thereby building strategic depth, one of General Nakasone’s objectives.

Before, during, and after a complex catastrophe, the relationships built by cyber–National Guard and Reserve members are foundational for improving coordination and cooperation. They can function as primary DoD liaisons, improving shared understanding and building trust between organizations. National Guard cyber protection teams would conduct initial cyber incident response operations in a State Active Duty status under the direction of a state governor. Regardless of status, USNORTHCOM should routinely seek opportunities to leverage U.S. Code Title 10 and Title 32 authorities to activate cyber–National Guard and Reserve members for complex catastrophe cyber mission rehearsal exercises.

A DoD Complex Catastrophe Cyber Stakeholders, Communications, Authorities, and Narratives (C3 SCAN) framework could serve as an information and knowledge management tool, enabling the Secretary of Defense to facilitate DoD cyberspace operations communication and collaboration with CISA and other public and private sector stakeholders. Moreover, the framework could assist USNORTHCOM and supporting cyber forces in effectively orchestrating CISA Title 6 and other federal entities’ cyber authorities, capabilities, and equities in DSCIR operations. Finally, as a common operating picture, the DoD C3 SCAN captures the various information flows, means, and narratives, serving as a useful tool for guiding the Department’s strategic communications and key leader engagements with stakeholders, including partner nations.

Over time, USNORTHCOM and supporting cyber forces will improve their credibility with constituents and stakeholders. The communications mechanisms identified within the DoD C3 SCAN could be exercised and rehearsed in table-top and large-scale exercises such as CISA’s biennial Cyber Storm exercise, joint training, and other whole-of-nation response scenario exercises. After these events, USNORTHCOM should review and refine the C3 SCAN’s communications means, capabilities, and authorities. USNORTHCOM should also update all cyber-related orders, directives, and draft requests for additional forces. Finally, DoD’s interagency coordination activities should include reviewing and rehearsing DSCIR processes to ensure DoD cyber forces’ rapid and seamless activation following mission partners’ formal requests for Defense Support to Civil Authorities.

Complex catastrophes precipitated by cyber-attacks against the U.S. power grid and critical infrastructure could lead to multiple second and third-order effects across the Nation. Moreover, these attacks could significantly impact DoD mission-critical infrastructure and Joint Force power projection capabilities. In close coordination with USCYBERCOM, USNORTHCOM must effectively orchestrate stakeholders’ cyber authorities, capabilities, and equities to protect, prevent, mitigate, respond, and recover from complex cyber-attacks. Tools such as a DoD C3 SCAN could provide a framework to unify USNORTHCOM and USCYBERCOM’s coordination with public and private sector stakeholders and effectively posture DoD cyber forces to detect and thwart asymmetric attacks against the U.S. power grid and other critical infrastructure. In 1942, effective civil-military coordination enabled the U.S. military to partner with the newly-established Civil Air Patrol to deter future U-Boat attacks and thwart Germany’s Operation Drumbeat strategic objectives. The combined authorities, capabilities, and partnerships of the DoD, CISA, and the public and private sector can enable cyber forces to rapidly counter, thwart, and defeat asymmetric attacks against the homeland.

Jamel Neville is a U.S. Marine Corps cyberspace warfare officer and certified information systems security professional. He has had the privilege of leading U.S. cyber forces to conduct defensive and offensive cyber operations in support of national objectives, and coordinating kinetic and non-kinetic fires and effects during Operation FREEDOM’s SENTINEL. He graduated resident U.S. Army War College AY22 with distinction and has been selected to serve as the J3 of a U.S. Cyber Command joint task force.

The views expressed in this article are those of the author and do not necessarily reflect those of the U.S. Army War College, the U.S. Army, or the Department of Defense.

Photo Description: Marines with Marine Corps Forces Cyberspace Command pose for photos in the cyber operations center at Lasswell Hall aboard Fort Meade, Maryland, Feb. 5, 2020. MARFORCYBER Marines conduct offensive and defensive cyber operations in support of United States Cyber Command and operate, secure and defend the Marine Corps Enterprise Network. This image is a photo illustration.

Photo Credit: Staff Sgt. Jacob Osborne, USMC

1 thought on “ORCHESTRATING U.S. CYBER OPERATIONS TO DEFEND THE HOMELAND

Leave a Reply

Your email address will not be published. Required fields are marked *