The thin line between military and civilian cyber defense
U.S. Cyber Command's charge includes working with the Department of Homeland Security to defend critical infrastructure from a cyberattack, and that collaboration is very much a work in progress.
Lt. Gen. James "Kevin" McLaughlin, deputy commander of U.S. Cyber Command
How will military and civilian cyber response teams collaborate in the event of a cyberattack on U.S. critical infrastructure?
It's not clear yet, but the maturing U.S. Cyber Command does not currently entertain ideas of going it alone in defense of critical infrastructure.
"In every case that we currently imagine, we would do that in support of another government agency," said Lt. Gen. James "Kevin" McLaughlin, the command's deputy, at an Oct. 9 cybersecurity forum at the Center for Strategic and International Studies.
McLaughlin said there is a "broad framework" in place for determining the threshold at which his command will aid DHS in response to a cyberattack, adding that attacks that cause loss of life certainly qualify. The annual Cyber Guard exercise is an opportunity to tease out these legal and policy questions, he said.
McLaughlin's boss, Adm. Michael Rogers, has identified the industrial control systems that underpin the power grid as increasingly vulnerable targets. McLaughlin said CyberCom is training personnel to specialize in defending against attacks on industrial control systems. In terms of defending the Pentagon's own infrastructure, McLaughlin said defense officials were prioritizing critical components of platforms to make sure they are resilient in the face of a hack.
Harvey Rishikof, a senior counsel at the law firm Crowell & Moring, speaking at the same event, said the threshold at which the Defense Department feels compelled to respond to a cyberattack "ultimately will be a policy determination." Use of cyber force is not a straightforward legal issue, either: a raft of legal provisions governing the national guard, the armed forces and the intelligence community come into play, Rishikof said.
Holding military officers accountable
The Pentagon also is working to hold military officers more accountable for the cybersecurity of the programs under their watch, McLaughlin said. "Accountability -- to the individual level and really at the leader level -- is a key part of the cultural change that's occurring."
Deputy Defense Secretary Robert Work has called for that accountability by comparing negligence in the cyber and physical worlds. "Right now, if you discharge a weapon, you are held accountable for that…What we need to do is inculcate a culture where a 'cyber discharge' is considered just as bad," Work told a Sept. 29 hearing of the Senate Armed Services Committee.
In his Oct. 9 remarks, McLaughlin also reflected on the irony of assigning a separate command for cyberspace but also asking military officers from multiple domains to focus on the field.
"We have to operate in a way that's beyond what we typically have been comfortable doing with other parts of the military, other combatant commands," McLaughlin said. "Cyber warfare doesn't just live nicely within one either geographic area [or] one functional area."