The site of an Army golf course named for President Dwight Eisenhower, which is just one long drive from the National Security Agency (NSA), is an active construction site that will eventually be the home of U.S. military cyber.
Where there were once bunkers, greens and tees, there are now a large gray building that is due to become an NSA-run 600,000-square-foot, state-of-the-art server farm and a skeletal structure that will house U.S. CyberCommand’s joint operations center, with plots reserved for individual Marine Corps and Navy cyber facilities.
The plans reflect the growth in ambition, manpower and resources for the five-year-old CyberCommand. One measure of this rapid expansion is the command’s budget — $120 million at its inception in 2010, but rising to $509 million for 2015. Another measure is the $1.8 billion in construction at Fort Meade, much of it related to the CyberCommand. Though its service components and tactical teams are spread across the country, the headquarters for the CyberCommand, NSA and the Defense Information Systems Agency make Fort Meade a growing hub for military cyber.
Earlier this year, Defense Secretary Ash Carter announced a new cyber strategy that acknowledges, in the strongest terms, that the Pentagon may wage offensive cyber warfare. The strategy emphasizes deterrence and sets up a reliance on the commercial technology sector, hinging on a push to strengthen ties between Silicon Valley and the Pentagon.
For all the talk of cyberoffense, it remains to be seen how the U.S., and its military, will respond to the massive data breach at the Office of Personnel Management (OPM), attributed to China. In April, the administration added sanctions to its menu of responses to a cyberattack, alongside indictments or diplomatic complaints, called “demarches.”
Eric Rosenbach, the principal cyber adviser to the secretary of defense, told lawmakers in April, “The Department of Defense is not here to defend against all cyberattacks, only the top 2%, the most serious.”
Cyber Command’s deputy commander, Air Force Lt. Gen. James McLaughlin, told an industry audience in mid-June that the command’s responsibility following the OPM hack has thus far been to notify its personnel about whose information had been compromised. Its core mission is defending all Department of Defense networks, collectively known as the DoDIN.
“Our job one is to make sure we are operating and securing our [Defense Department] network against all threats,” McLaughlin said, in response to an audience member’s question. “That is our focus, our lane, and what we remain focused on from day to day.”
Adm. Michael Rogers, who leads the U.S. CyberCommand and NSA, said during a Senate Armed Services Committee hearing in March that the nation should move beyond its “reactive strategy,” confined only to defending against foreign attacks, and embrace its offensive capability.
But, Rogers said, President Obama had not given him the authority to deploy such cyberweapons, adding, “We need to have that same discussion now.
“We’re at a tipping point,” Rogers said. “We also need to think about, ‘How can we increase our capacity on the offensive side here, to get to that point of deterrence.’”
In turn, U.S. Senate Armed Services Committee Chairman Sen. John McCain queried, “But right now, the level of deterrence is not deterring?”
“That is true,” Rogers said.
In early June, the Office of Personnel Management announced it was the target of a data breach that exposed the personal information of 4 million current and former federal employees, later said to include security clearance information.
Though China has denied its involvement, officials and analysts have said China has been compiling personal data, from U.S. health care companies and insurers, to create a database on American citizens for espionage purposes: to recruit spies or to gain a competitive advantage.
Lawmakers have since voiced frustration with the lack of an effective U.S. deterrent against foreign cyberespionage.
The U.S. has established it will take a hard stance against state-sponsored spying on U.S. companies for economic gain, evidenced by the indictment of five Chinese hackers and sanctions against North Korea in the hack against Sony. However, it has yet to set norms for cyber-enabled, state-on-state espionage.
“This is plain old spying, and a lot of people in the cybersecurity community in Washington are kind of greeting this with a collective shrug, like, ‘OK, they got us this time,’” said Rob Knake, a former White House cybersecurity chief and a senior fellow at the Council on Foreign Relations. “It’s not outside the bounds of what is acceptable for nations to do when spying.”
With cyberespionage there are no agents to catch red-handed and arrest, and “very few limitations on how much espionage you can conduct in the cyber age,” Knake said, speaking on a panel at the New America Foundation in the days after the hack was made public.
“I don’t think we have yet a way to grapple with that,” he said.
The U.S. and the current administration have shown a reluctance to respond to cyber-attacks in an escalatory way in cyberspace. Brandon Valeriano, author of “Cyber War versus Cyber Realities,” said the U.S. is “willfully constraining ourselves,” for fear of the collateral damage that would ensue.
“We are aware of how devastating this domain could be,” Valeriano said. “If there really were massive cyberattacks, there could be a massive loss of life. [There] would be massive effects throughout the world.”
In any case, offensive cyber is not an all-purpose deterrent. Michael Sulmeyer, a former Pentagon cyber policy official and now director of the Cyber Security Project at Harvard University, said it is better to use a “whole of government.
“Offensive cyber may not be a great tool to always trot out. Why? Because to deter an adversary or get inside their head, you want to target where they are vulnerable,” Sulmeyer said. “To make them get it, they have to feel a little bit of pain. If they’re not particularly vulnerable in cyber, why would we or any state use offensive cyber to deter them?”
A hackneyed expression in the U.S. military that nevertheless applies to CyberCommand is that it is an airplane being built in mid-flight.
The Command is operating and adding personnel at the same time. Its nascent Cyber Mission Force, as of March, was at about half of its target of 6,187 personnel in 133 teams. These teams are divided among the national mission force, the combat mission teams and cyber protection teams.
In his April testimony, Rosenbach said the command lacked a unified command-and-control platform for fast-moving and large-scale cyber operations, particularly for offensive operations. It also lacks a virtual range environment for its personnel to conduct training exercises and obtain certifications, while fighting live, adversary-mimicking “red teams.”
Meanwhile, the Command is going through basic, but necessary, steps to refine its internal processes, and how to operate with joint and inter-agency partners in a seamless way, where all parties are mutually supportive.
“You can pick almost any interaction and it’s not as simple as saying, ‘I want to do it,’” he said. “It’s critical that you get to the second, third and fourth level of detail for how you do it day to day.”
While the military will probably never compete with Silicon Valley salaries as it seeks to attract and retain talent, Rogers told lawmakers the command can appeal to recruits through its national service ethos and its proximity to the action. Still, sustaining the force beyond the initial cadre, Rogers acknowledged, will be a challenge.
Sequestration budget cuts still loom over the effort and would imperil DoD cybersecurity, Rogers said, because the young command has “no flexibility to absorb a sequestration cut.” Such cuts, he said, would likely slow improvements to the network, the creation of those teams and the more forceful response to cyberattacks Rogers advocates.
The command is working to weave cyber operations into the battle plans of the military’s geographic combatant commanders so that they are “fleshed out, mature and available to our senior leadership.”
The services are organized such that each service has a two- or three-star headquarters whose commander provides forces both to their service and CyberCommand when they’re supporting other joint forces headquarters. Each has to be able to perform standard mission-essential tasks, defined by CyberCommand, though each retains its service’s organizational stamp.
To meet the command’s personnel goals and produce its cyber teams, the services have, in some cases, doubled and doubled again their training pipelines, and developed career paths for them to stay in the military.
“It’s no small feat to go from a standing start in fiscal 2013 and work with the services to bring on 6,187 new people to 133 separate teams,” McLaughlin said. “It’s exciting work and, if you look at the threats, our young people are involved in dealing with and responding to those every single day. For the most part, we haven’t been having to beat the bushes, and the services are providing the people that we need.”
As host of five of the military’s top seven cyber-centric organizations, Fort Meade’s growth has mirrored the rise in importance and resourcing for cyberspace activities, said the installation’s commander, Col. Brian Foley, who is essentially the landlord to the tenant organizations; only Army Cyber, at Fort Gordon, Ga., and Air Force Cyber, at Lackland Air Force Base, Texas, are elsewhere.
Unlike naval battles on water, dogfights in the skies or tank warfare on land, cyber warfare can be waged without troops having to travel anywhere, even from somebody’s basement — which is why Foley regards Fort Meade as an “operational platform for cyberdefense.”
There is something to the argument. Of the $1.8 billion in military construction, the majority is for joint facilities connected to the cybermission on the post’s East Campus. The most unique and cost intensive of these is the 600,000-square-foot High Performance Computing Center-2, which will reportedly be cooled daily with 5 million gallons of “grey (or waste) water,” which is slated to save money over the use of potable water.
Though the staff of CyberCommand on post has hovered at about 1,100, projected growth, largely attributed to cyber organizations at Fort Meade, is estimated at 2,000 during the next five years.
People and organizations on-post have attracted business off-post, namely large government contractors and commercial cybersecurity firms. The growth of cyber at Fort Meade has, in the surrounding area, fueled infrastructure improvements and residential and commercial construction, said Claire Louder, president of the West County Chamber of Commerce, in Odenton.
Tech firms KEYW, Secure Innovations, Enterprise & Portal Software Systems, CyberReliant and iNovex Information Systems have either built or expanded their presence around the post; and state and federal funds have been allocated to widen Route 175, which runs along the northern boundary of the post.
“Where you would drive around and see empty lots or grassed-over or wooded lots, now you’re seeing construction,” Louder said. “So, there’s definitely been a switch.”
Joe Gould is a reporter with Defense News. He can be contacted at 703-642-7343.