Weaponizing Cyberspace

Published: December 16, 2015

CybersecurityDEFENSEJoint Information Environment (JIE)National Defense Authorization Act

The Department of Defense is slowly converting information technology networks and capabilities into the next battlespace and it needs industry’s help to succeed.

Turning information technology networks into weapons of war has been a common theme at Department of Defense events in recent years. Faced with increasingly brazen cyberattacks and high-profile breaches, the DoD responded by developing a doctrinal basis for waging war in cyberspace, or the cyber “domain,” as it is often called. The DoD Cyber Strategy, released in April 2015, outlined three primary missions for department: first, to defend DoD networks, systems, and information; second, to defend the United States and its interests against cyberattacks of significant consequence; and, third, to provide integrated cyber capabilities to support military operations and contingency plans in the event the DoD is directed by the President or Secretary of Defense to conduct cyber combat operations.

In the event such operations are required, they will be conducted by United States Cyber Command (USCYBERCOM) utilizing the Cyber Mission Force (CMF), an organization of military and contractor personnel divided into 133 teams deployed across the DoD. Defense networks cannot be defended in their currently fragmented and stovepiped state, however, necessitating that they be converged into a new Joint Information Environment. The JIE is thus as much about providing a setting for enabling military operations in cyberspace, both defensive and offensive, as it is about gaining efficiencies and reducing costs.

The next step for DoD is to mature the capabilities required by the CMF to carry out its mission. Capabilities in this sense are akin to weapon systems in cyberspace and activities developing them are occurring on multiple levels, including R&D, modeling and simulation, building a command and control function, and creating what the DoD Cyber Strategy refers to as a “Unified Platform.” To quote the strategy concerning the UP: “DoD will develop detailed requirements for integrating disparate cyber platforms and building an interoperable and extendable network of cyber capabilities. This Unified Platform will enable the CMF to conduct full spectrum cyberspace operations.” Little information concerning the Unified Platform has been available publicly since the release of the DoD Cyber Strategy. That is until the signing of the National Defense Authorization Act for Fiscal Year 2016 in November 2015. It sets the stage for accelerated activities surrounding the development of the Unified Platform and other military cyber capabilities in the 2016 fiscal year.

Section 1645 of the NDAA directs the Secretary of Defense to designate an entity within each military department that will be responsible for acquiring critical cyber capabilities, including the Unified Platform, a persistent cyber training environment, and a cyber situational awareness and battle management system. The latter capability will enable the C2 function mentioned above. Section 1645 also provides some insight into the timeline for development of these capabilities. The first step is for the Secretary of Defense to provide a report within 90 days, basically by the beginning of March 2016, that a) identifies the military department responsible for the acquisition of each of the capabilities, b) estimates of the funding requirements and acquisition timelines for each capability, c) an explanation of whether these cyber capabilities could be acquired more quickly with changes to acquisition authorities, and d) whatever recommendations the SECDEF “may have for legislation or administrative action to improve the acquisition of, or to acquire more quickly, these critical cyber capabilities.”

A lot remains in flux with this timeline, but we do know a little more about what is coming. First, we know that each of the military departments is likely to be responsible for acquiring one of the three mentioned capabilities. This means a distribution of procurement and fielding efforts with business opportunities in multiple locations. Second, we can probably expect the first market research for these capabilities to surface in the second half of FY 2016 or early FY 2017. The DoD’s budget request for FY 2017 will undoubtedly contain information related to these capabilities and with the budget slated for release in February 2016, the timing will be perfect for tracking these new initiatives. In the meantime, it would be wise for vendors to begin assembling teams with capabilities in cyber C2, cybersecurity training, and capabilities integration solutions.