THE UNITED STATES ARMY
SIGNAL CORPS
OFFICER CANDIDATE SCHOOL ASSOCIATION

America Needs Real Cyberwarfare Capabilities 


The Signal Corps Should Provide Them

 

This is the continuation of a story begun on our August 2015 Home Page.

The problem of fighting a cyberwar is that there is no effective way of separating warfare involving civilian targets from warfare involving military ones… whether the fighting is being done by us towards a third party adversary, or by them towards us. Because of this, the U.S. military must be able to fight both a civilian cyberwar, and a military one, and in fact mix the two fluidly as the war (or battle) progresses. At this point in time, based on how America has structured its military, doing this would be an impossibility. That is, there is no way in hell that the U.S. military would be allowed to insert itself into, say, the civilian operations of an American company, to take over that company's defense of its cyber assets, to either defend the company from attack, or use it as a base from which to counter attack the enemy that started the cyber war.

Can you see the problem inherent in the U.S. military helping to fight cyber wars mounted against American civilian corporations? Yet the civilian sphere of influence is not the only area in which enemies of America can wage cyberwar. Two paragraphs up we listed America’s economy, political system, ability to govern and manage itself, privacy and security, system of beliefs, and very way of life as being under threat of cyberwarfare. What this means is that any enemy of America that wishes to can wage a cyber war against any of these seven key areas, and because of how the American military is organized within the hierarchy of our federal government, it would be all but impossible for our military to step forward to take the frontline position in fighting a cyber battle mounted against almost any of these seven key areas.

One can see the extent of this truth by looking at just one example: the case of America’s "way of life." How can the U.S. military step in to wage cyberwarfare against enemies trying to undermine America's way of life? By giving you the example below, we hope to make two points: first, that America's way of life is under attack from cyberwarfare, and second, that the U.S. military is needed to help formulate and implement a plan to stop these attacks from breaking the fabric that holds America's way of life together.

To keep things simple, we will use just one example of a part of America's "way of life" that is under threat. As our example we will use the case of how parents rear their children. Surely, all would agree that the American approach to raising a child is part and parcel of "the American way of life."

In using this example, let us take this position: on the issue of "parenting," America’s way of life is under threat via cyberwar activities. Again, our view is that the way by which American parents bring up their children is being threatened, and it is being threatened through the use of cyber activities being conducted by America's enemies. In particular, the cyber activities being used to undermine this part of America's way of life fabric are being enabled through cyber communications. One byproduct of this is that, as a result, today external sources are able to interfere with a parent’s efforts in rearing their adolescent child, by using cyber communication to redirect that child’s energies away from the traditional pursuits a parent would encourage towards things like terrorism.

In the past American parents could govern their children using age old techniques, from praise and limit-setting to discipline and more. Today those techniques may work for forcing compliance in homework studies, and dating, but they have no impact on the child when it comes to the ideas and values he or she might internalize through his or her interaction with the internet and social networks. One need only look at the ability of ISIS cyber-warriors to reach out to American youth… in their own home… in their own bedroom… without their parents’ knowledge… and indoctrinate them to the point that they will take terrorist actions against soft, local targets, to see the truth in this. If this is not an example of cyberwarfare threatening the very way of life of Americans, what is?[1]

How can the U.S. military fight this?

Clearly, if the U.S. military is going to stand up an organization to fight cyberwars, it must have a civilian component to it as well as a military one. Cyberwar as fought by America can’t be limited to simply military matters, because the damage the enemy does to us takes place in both the civilian and military realm, and that damage is inflicted by actions that take place in both civilian and military domains.

What are these domains? They are the domains that encompass data and the means by which it is propagated.

Yes, we understand that there is a difference between military data and means of communication, and that of civilians, as well as that used by civilian government agencies… but when it comes to all of these forms of data (and the forms of communication that propagate them), the line that separates them is not just grey but fuzzy in the extreme.

Is the data and communication that emanates from the White House civilian, or does it have a military component to it? What about the data and communication that comes from the Office of the Secretary of State? Did the private servers that Hillary Clinton maintained at her home in New York, on which she stored not just her eMails but the government information (read: data) contained within the text and attachments of those eMails... about the topics she worked on as Secretary of State... contain data that had a military component? Does anyone really believe that the Chinese didn’t hack those servers? Did her daughter, when visiting, use PCs within the house that connected her to the outside world through those servers? How does one separate the 1s and 0s that made up all of that data… their data streams… into data and communication that was civilian versus government versus military?

You see our point? In today’s world, all forms of government data and communication contain elements of military data and communication, and because of the way people use these systems both at home and at work, personal or civilian data and communication too. There is no way to separate the three. And that being the case, the U.S. military… if it is going to have the mission of protecting America by stopping cyberwarfare being waged against it… needs to set up a new paradigm that allows it to work within these three areas.

Setting up one agency to defend against (and counter) cyberwarfare aimed at American citizens, another to defend against (and counter) cyberwarfare aimed at our civilian and federal government systems, and a third to just handle military cyber issues won’t work. Data and communication, the primary weapons of cyberwarfare, are amorphous and cross all lines of society. The agency that is set up to counter the kind of warfare that can be fought via these means must be amorphous too.

In our view, the U.S. military needs to be the one that takes the lead when it comes to waging cyberwar… commercial cyberwar, civilian cyberwar, government cyberwar, and military cyberwar.

Further, we make the case that when it comes to cyberwarfare no longer should the U.S. military be relegated to defending against and fighting battles that are simply battlefield, state actor-to-state actor, or military-to-military related. Now, because of the ubiquity of government data being found inside of military data… military data being subsumed within government documents and data… and as important, the use by America’s enemies of cyber systems able to reach into the homes of American citizens and wage cyberwarfare directly against them, the U.S. military needs to take the lead in designing, integrating, building, managing and operating the systems required to stop such forms of warfare.[2]

If you add to this issue of government versus military and civilian forms of data and communication the matter of commercial versus government/military/civilian data, you can begin to see why America has, to date, developed little more than, at best, an inelegant and clumsy approach to stopping these activities. The reason is that there is no precedent for our federal government telling our military to build a new form of war fighting capability where the military has carte blanche to reach into… on a daily basis… the data and communication infrastructure of these four entities (government, military, civilian, commercial). Put another way, as of now there is no clear cut divide as to how the United States should respond to commercial vs. civilian vs. government vs. military espionage… or who within the U.S. should respond in each case.

A solution is needed. We believe that the Signal Corps should play a major role in creating, building, implementing and managing that solution. Before looking at how the Signal Corps can do this though, we should look more closely at exactly who is at risk from this new type of warfare. By doing so, we will gain a better understanding of what role the Signal Corps should play.

The Reality of Cyberwarfare

Peter W. Singer, a writer for a technology blog, tells the story of “a senior official in the Syrian government” who, in 2006, “brought his computer with him on a visit to London. One day, he stepped out of the hotel and left the laptop behind. While he was out, agents from Mossad, the Israeli intelligence agency, snuck into his room and installed a Trojan horse onto the machine, which allowed them to monitor any communications.

“For the Syrians, that would have been bad enough, but when the Israelis began to examine the official’s files, a photo caught their attention. It showed an Asian man in a blue tracksuit standing next to an Arab man in the middle of the desert. It could have been an innocuous meeting of friends, even a vacation photo. But Mossad identified the two men as Chon Chibu, a leader of North Korea’s nuclear program, and Ibrahim Othman, director of the Syrian Atomic Energy Commission. When they paired the image with other documents lifted from the hard drive, such as construction plans and photos of a type of pipe used for work on fissile material, the Israelis came to a disturbing conclusion: With aid from North Korea, the Syrians were secretly constructing a facility at al Kibar to process plutonium, a crucial step in assembling a nuclear bomb. An International Atomic Energy Agency investigation would later confirm their suspicions.

“Troubled by this revelation about their openly hostile neighbors, the Israelis mounted Operation Orchard. Just after midnight on September 6, 2007, seven Israeli F-15I fighter jets crossed into Syrian airspace. They flew hundreds of miles into enemy territory and dropped several bombs, leveling the Kibar complex. The Syrian air-defense network never fired a shot."

As Singer goes on to say, “The security failure wasn’t because all Syrian radar officers turned traitor that night. Rather, their technology did. If planting the Trojan horse into the Syrian official’s laptop was an act of cyberespionage—uncovering secret information by digital means—Operation Orchard was its armed cousin. Prior to the bombing, the Israelis had penetrated the Syrian military’s computer network in such a way that they could monitor their adversaries’ actions. More importantly, the Israelis were able to direct their own data streams into the air-defense network. Once inside, the Israelis introduced a false image of a radar screen, misleading Syrian radar operators into believing all was well—even as enemy jets flew deep into their airspace. By effectively turning off Syria’s air defenses for the night, the Israelis gave the world a chilling glimpse of the future of cyberwar.”

Our question: how do we know the Chinese didn’t do something similar to what the Israelis did to Syria (when the Israelis inserted malware into the Syrian government computer network) when last year they broke into the U.S.’ own Office of Personnel Management computer system and stole the private details of over 22.1 million government employees?

Why would they do that you ask? Who knows… perhaps such a route would enable them to gain copies of every eMail written or stored in the servers supporting every eMail account related to every U.S. government employee whose eMail address was in turn stored in the OPM computer system the Chinese hacked. All 22.1 million of them. Now, wouldn’t that be useful to the Chinese?

You see the problem? While what the Chinese did may seem low level and innocuous on the surface, one can easily see via the Israeli–Syria story the extent to which such innocent hacking, when done at the national level, can quickly lead to very real examples of nothing short of acts of war. This then is what we talk of when we call this kind of activity cyberwarfare, and call for it to come under the purview of the U.S. military… and for the Signal Corps to play a greater role in addressing it than it does now.

Cyberwarfare: A New Kind Of Warfare

But what exactly is cyberwarfare? The mainstream media uses the term cyberwarfare to describe everything from large-scale, Web-based crime to the latest online maneuverings ISIS uses to promote its cause. Yet few explain in what manner these activities hold a connection to actual military operations. For the most part, this is not a problem. However, when nation states… including rogue actors like ISIS that claim for themselves the aura of a nation state… or Boko Haram, for that matter… develop the ability to unleash their forces onto a digital battlefield, they carry the potential to reshape warfare as much as happened when a hundred years ago civilian airplanes were turned into military machines. The fact is, technology is amorphous. It will expand to fill any void that it finds. Develop a new technology that is good for society, and watch… soon it will seep into and expand to fill the void left behind by some old technology that is no longer useful in warfare. Cyber technology is doing just that.

At the moment, over 100 of the world’s militaries have in place an organization dedicated to fighting cyberwarfare. Of far greater concern, over 140 countries have organizations dedicated to developing cyber weapons! The U.S. is no exception. The Fort Meade complex in Maryland, home to the NSA and the U.S. Cyber Command (USCYBERCOM), contains more personnel than the Pentagon. China, who embarked on this kind of an exercise long before we did, houses its Fort Meade equivalent on Datong Road, in Shanghai. This author has seen the Datong Road facility, and while small, it is impressive in intensity… and might we say, security. Go to any street corner within the city, from which you can see and take a picture of the building, and you are likely as not to find a Chinese Communist Gong-An policeman standing there, taking a picture of you trying to take a picture of the building.  Unit 61398, the Chinese group that is most usually linked to hacks on everything from U.S. military communications to the New York Times’ internal eMail system, is located in the Datong Road facility.

Classified by the Chinese military as an Advanced Persistent Threat Unit, while the size, scale, training and budget of Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) may be different than that of our own NSA and Cyber Command, their goals are the same: to destroy, deny, degrade, disrupt, and deceive. And of course, added to this is the additional duty of defending the homeland—in this case China—against any enemy’s use of cyberspace, for the same purpose.

Within China, this paradigm is known as the “five D’s plus one.”

In addition to Unit 61398 the Chinese government has formed a federal level agency known as the Central Leading Group For Cyberspace Affairs. This group reports directly to the country's President, and works with him to set cyber policies on all matters from cyberwarfare to the internet. Adding to this, to assure that cyber policy is fully implemented, China recently formed a government agency called the Cyberspace Administration of China. At the highest level of government, it oversees all aspects of cyber policy and use, including directing military cyberwarfare and hacking efforts. To back up China's determination to excel in cyberwarfare, the Cyberspace Administration expanded the Third Department of the PLA's General Staff Department by over 100,000 cyberspies, hackers and digital linguists.

Where, we ask, is such a coordinated, dedicated, single minded, mission focused cyber affairs group in our government?

Our concern then is who within America’s government should be spearheading this kind of mission, and what roles it should be playing. It’s not that what those rare elements of our military's cyber activities are doing at present is so bad, it’s that there needs to be much more, and the work being done needs to be much better… significantly better… and much better organized across all societal elements… and more thorough if it is going to be effective. What we have now is good for a starter, but it is being built by the wrong people, to fight the wrong war.

For example, over the past few years the U.S. has moved aggressively against foreign governments accused of stealing corporate secrets from major U.S. firms, but less aggressively against the same kind of activity when the target is the government itself. In 2014 the Justice Department filed criminal charges against five Chinese military officers accused of involvement in hacks that targeted U.S. Steel, Westinghouse and other companies. But no action has been taken against China regarding the OPM hack.

One reason for this is the simple fact that the U.S. government is doing the same… hacking into China’s systems, and stealing their data. So does this mean that this kind of activity does not rise to the level of cyberwarfare? We can understand that economic espionage is different than government espionage done for military purposes, but as our earlier Israeli–Syrian story showed, the line becomes blurry when military activities result from civilian espionage and hacking. So, while U.S. spy agencies are supposed to not involve themselves in economic espionage, the simple fact is that if they are to combat, say, China’s attempts to hack Westinghouse, then they are going to be playing in an arena that requires them to be able to mount a forceful response when the adversary they face is a foreign, state sponsored adversary... especially if that adversary is seeking military secrets from commercial American companies.

If you ask us, it’s time that America redefine what constitutes espionage, as it relates to hacking, commercial espionage, government espionage, cyber security, and cyberwarfare. The simple fact is that while we may make a distinction between commercial and government espionage, most of America's adversaries do not. And considering that companies like Westinghouse house within their data systems both non-military and military secrets, of both commercial and non-commercial kinds, trying to hang onto an old 1950s definition of what constitutes commercial versus military espionage makes no sense.

It’s time we redefine these terms, and wherever the case can be made that the entity involved (whether a commercial U.S. company, a private citizen, or a government agency) has in their possession information of military utility, or is part of some activity that could have consequences for the U.S. military or government, then the hacking or cyber events surrounding that “entity” should come under the purview of the U.S. military. And just so that we are clear here, any adversary that tries to recruit through the cyber universe American citizens to fight for their cause is doing something that should fall within the purview of the U.S. military, because while the target in question might be an unknowing and innocent U.S. citizen/civilian, the activity being planned for them by the recruiting entity will impact the U.S. government and/or military.

This kind of activity is the essence of cyberwarfare; it constitutes a warring activity, not a civilian crime. It is therefore military in nature.

As of today though, the U.S. doesn't see it this way. While things may change, the Obama administration currently sees these kinds of activities as civilian crimes. If America is to become serious about thwarting cyberwarfare, it is going to have to change its view on what constitutes cyberwarfare, and who should be fighting it. The U.S. court system is not the ideal venue within which to challenge China's hacking of commercial American interests, never mind our central government.

The fact is, while the United States may be adhering to unwritten rules that separate these kinds of activities, other countries are not. ISIS is one example, but so is China. In the case of China, the U.S. taking action against China for its espionage with respect to Westinghouse, but not the Office of Personnel Management, makes no sense. By playing the game this way America risks sending a signal that it is willing to go further to defend the secrets of American industry than it is to protect either the employees of federal agencies, or our government as a whole.

It’s time that Washington redefine cyberwarfare, and put the military in full charge of it.

Cyberwarfare, A Definition

To make sure we are all talking about the same thing then, let’s start with a definition of cyberwarfare, and work on it until it fits our needs.

Cyberwarfare involves the actions of a nation-state, international organization, group or individual, in attacking or attempting to gain access to key elements of a nation's commercial, civilian or government infrastructure, including its people, for the purpose of diverting those assets to its own benefit, whether in a way that is detrimental to the commercial, civilian, government or personal entities involved or not, where such attempt to attack or gain access is done via computers, information systems, digital and/or analog networks, data bases, data warehouses, or any other “cyber” means. While not a precedent to the determination that an activity constitutes cyberwarfare, any such action that involves active real time hacking attempts, and/or the placement of computer command and control programs, systems, viruses, denial-of-service attacks or the like, should immediately be considered an act of cyberwarfare against the United States of America.

To see what we are talking about here, one need only imagine that China launches a cyber attack on America… tomorrow. In this example, the purpose of China’s attack is to confound America’s civilian banking and stock market processing system(s) in a way that could cripple America’s financial sector… perhaps as a means of lessening the economic impact of its own recent stock market crash, and/or to maintain social stability within its own country.

Does this kind of activity merit a military response? Our current government would say no. Our answer would be an unequivocal yes… after all, the activity involves a planned incursion by another country into America’s economic system, for the purpose of causing a degradation in America’s economic strength, in such a manner that it benefits the attacking country. As to why this should amount to cyberwarfare, it’s because such an activity would undermine America’s true power, as well as its world wide “quiet” power.

For starters then, we would say that the U.S. government should define cyberwar as being of a kind that is "as harmful to modern societies as a conventional attack," a definition we happen to have taken from a recently released NATO position paper.[3] Attacks of this nature should be assigned for a response to the U.S. military, no matter how innocuous the attack may seem, whether it succeeds or not, or whether the only people impacted are within America’s commercial or civilian sphere, or not. Cyberwarfare activities do not need to involve kinetics then to be considered an act of war… all they have to do is threaten another country’s well being. When that happens, a response is called for, and the American military should mount that response… whether kinetic, in kind, or both.

To see our reasoning behind this, and our definition above, one need only look at a recent incident involving Russia and Estonia. In our view, the actions that Russia took in response to an act taken by the Estonian government, wholly within its territorial boundaries, crossed over the threshold between civilian cyber mischief and cyberwarfare. While no kinetics were involved, Russia’s activities—fully underwritten and performed by the government of Russia—were equivalent to conventional warfare.

The incident was as follows: on April 27, 2007, Estonia, a NATO member, relocated a Soviet-era war memorial from its place of prominence in one of its city centers to another location less obvious. Within hours a large-scale denial of service attack (technically known as a DDoS) was mounted by Russia. The campaign targeted the websites of Estonian government departments, banks, telecoms, and news organizations. Many sites were completely shut down, while others were defaced with crude remarks, profanity and more. Worse, unlike a mischievous attempt on the part of some disgruntled hacker group to play pranks, these attacks continued for weeks, essentially shutting down the Estonian banking sector for over a month, as well as preventing the people from having access to their own government. Further, attacks on the country’s telephone infrastructure shut down the national telephone system (for both land lines and mobile communication), thus preventing Estonians from being able to make basic phone calls, or even call for help. And finally, to add insult to injury, attacks on the country’s news infrastructure prevented the country’s people from finding out what was going on.

This doesn’t rise to the level of a cyberwar, you say? Consider this then, what would the equivalent of this kind of activity be in kinetic warfare? Our answer: bombing of the country’s telephone infrastructure, invading the country and taking over its banks, locking their doors and looting their vaults. And in the case of the government, decapitating its leadership in such a way that the people no longer had access to their elected officials… perhaps by arresting them and confining them to their rooms until the “invasion” was over.

Clearly, while no dead bodies littered the streets of Estonia in this attack, the impact of Russia’s actions was no different than if it had rolled tanks down the streets of Tallinn or Tartu. In our view, this cyber crime rises to the level of cyberwarfare.

Is the Russia–Estonia incident any different than what China did when it broke into the cyber system that underlies America’s Office of Personnel Management? We think not.

How does one define cyberwarfare then? Earlier we offered our view, but what exactly are the limits to this definition? To answer that question, we propose that cyberwarfare be defined on the basis of four dimensions: the impact of a nation’s aggressive actions against another with regard to the matters of intent to harm (as measured by the country coming under attack), information and data confidentiality, the availability of data, and the nation’s integrity.

Again, examples will help us make our point.

As we mean it here, confidentiality refers to the principle that sensitive data should be kept out of the wrong hands. For ex-military Officers, we Signal Corps guys understand this. After all, we were the first to propose that confidential information be classified according to its level of confidential importance. In a cyber attack, breaches of confidentiality form the most common type of cyber attack. If we use the case of the claim that the Chinese hacked Lockheed’s systems and stole blueprints for the new F-35 aircraft, we can see this truth coming home to roost.

The simple fact is, if it weren’t for cyberwarfare, getting their hands on such information would have required kinetic military action… whether via drugs and prostitution (low level kinetics, but kinetics nevertheless), or an invasion. As to the importance of what the Chinese accomplished, without doubt this attack produced a massive, real strategic loss for the U.S. Already the Chinese have begun to use the information they stole to improve their aircraft weapon systems. But perhaps more importantly, they are using the information to build better defense capabilities into their air defense systems… to thwart those capabilities they now know the F-35 contains.

Is this not then an act of war, for one country to take such information by stealth and deceit from another? And if your answer is that it is nothing more than routine espionage, then doesn’t the level of confidentiality (from a military perspective) as defined with respect to how America classifies this information, not the Chinese, raise this action to the level of an act of war? And if you still continue to say that this form of espionage is nothing but routine and nowhere near an act of war, then doesn’t the fact that the Department of Defense was the intended victim make it, again, an act of war?

In our view, this is no different than what Bradley Manning did when he released confidential military secrets… and he’s sitting in jail for his actions… a military jail, because he performed a traitorous act… i.e., an act of war against his own country. Well, if you are a country and perform such an act, and, because you are a country instead of an individual, obviously not a member of the U.S. military, then instead of your act being traitorous, isn’t it an act of war?

Yes, it is... and even more to the point, the fact is, as the law stands today, confidentiality breaches are treated as crimes. This means that when they occur within the realm of military secrets they constitute an act of war.

The next criterion we would focus on that helps explain when cyber activities constitute an act of war deals with the concept that data must be allowed to be available to its users. In the case of the DDoS campaign by Russia against Estonia, we can see an example of an attack that compromised the availability of data... originally made available by the Estonian government for use by its citizens... to the citizens of Estonia.

Whether taking down the country’s phone system, disrupting the dissemination of news, or shutting down the country’s banking system, what Russia did was prevent the government of Estonia from making available to its citizens all of those services which they had previously authorized, and on which its people depended (on the availability of information and data) in order to conduct their lives. On this basis, Russia’s actions were an act of war, as it struck at the heart of the very services a government exists to provide to its people.

So why didn't the event in Estonia trigger a NATO response, considering that Estonia is part of NATO? The answer is that while they were egregious, NATO didn’t feel that Russia’s actions went so far as to affect the integrity of the country and its data. Integrity then becomes the third principle which we look to in our effort to define cyberwarfare. Specifically, two forms of integrity are needed, and when one or both of these two forms are violated via cyber activities, an act of war exists. They are the integrity of the nation, and the data the nation promotes the existence of... whether of a military, civilian, government, commercial, or personal nature.

As far as NATO was concerned, while the integrity of the data Russia messed with may have been compromised, the integrity of Estonia was not affected by Russia’s actions. The country went on to govern, and therefore all was fine.

We think this kind of thinking is wrong.

While we understand the concept that NATO’s threshold as regards impacting the integrity of a nation deals with those kinds of things that affect a state’s ability to govern—as regards the result of a conventional kinetic attack—in our view this is too myopic and restrictive a viewpoint to take in today’s world.

The ability of a nation to govern, as well as the integrity of its data, is critical to a nation’s ability to preside over, regulate and administer its people. So too is the government’s ability to ensure that the data its people depend on in order to run their lives continues to be made available as and where needed… again, whether it’s the kind of data that has to do with a citizen’s bank account, or the data that enables a power plant or other industrial control system to work. If another country steps in and attempts to govern where and when a country’s people can gain access to the data they need to live, then they are usurping the authority of the government of the nation being attacked. In other words, the attacking country is challenging the integrity of the country being attacked. It’s in this realm then where the concept of both national and data integrity becomes important, and should play a part in helping to define when cyber crime has elevated itself to the level of cyberwarfare.

Need we say more on this issue? In our view, data can be manipulated, and it is easier for one country wishing to enact war against another to attack the data of the target country, than to dispatch bombers to fly over its capital and rain terror from above. The integrity of a nation’s data impacts the country’s leaders’ ability to continue to govern. In this regard, it becomes the essence of the concept that defines when cyber activities become activities of war.

It matters not whether the actor that mounts a cyberwar against the U.S. is a nation state or an extremist group, when it comes to America, such acts should be addressed by the U.S. military, not some cobbled together group of government agencies or civilian businesses contracted for that purpose. As a capitalist, this author likes civilian businesses... but not so much that he would want them standing on the front line defending this country against cyberattacks. That's the U.S. military's job, and we think that when it comes to cyberwarfare, the Signal Corps should be running the show.

Why The Signal Corps?

O.k., you say… so America needs to redefine what constitutes cyberwarfare, and begin fighting it from within the realm of the military. But why promote the Signal Corps to lead this charge? Don’t we already have these capabilities inherent in the NSA and Cyber Command?

Our answer: to some extent yes… and to some extent no. More importantly however, to whatever extent it exists it is not enough to prevent the kind of cyberwarfare activities China is mounting against us, or for that matter ISIS, Russia, Iran, or any other actor out there that finds our way of life threatening to their own.

Worse, for the kind of cyberwarfare activities America needs to cultivate to work when put into practice, these activities will need to be integrated across all elements of our society, not just our military. This means we need cyberwarfighting capabilities able to be used in defensive and offensive capacities on cyber activities that deal with our military, as well as within government areas, civil society, and within America’s commercial sectors, with individual commercial players. The NSA is inappropriate for this kind of power play, as is Cyber Command.[4]

You can see the reasoning behind our saying this by considering the following.

In 2010, when the U.S. Cyber Command was established, its mission was only loosely defined. Since then it has cleverly promoted itself via the media, in order to gain visibility as well as authority over those areas it seeks to have control over.

On the surface, there is nothing wrong with a military group promoting itself… however, such activities hardly represent best case means for developing a mission that will address the strategic problems America faces, especially when it comes to cyberwarfare.

For example, leaving it up to the Marines to decide which battles it will fight is not the best way of assuring that America fields the best, fully integrated, unified fighting force to address any particular battle. That kind of decision is made at a higher level, not at the branch level. Similarly, leaving it up to the boys in Cyber Command to decide what their mission will be, and how they will fight it, falls far short of what America needs if it is going to take the concept of cyberwarfare seriously.

For the men of Cyber Command, the challenges they face go far beyond the complaints they now speak of when they talk of recruiting problems, and how they have little to offer new recruits when it comes to turning these people into career cyberwarriors. Rather, the real problem Cyber Command faces if it wants to be the lead player in conducting cyberwarfare for America has to do with how it will develop a fulsome, effective strategic cyberwarfare capability able to perform the tens-of-thousands of tactical missions that need to be implemented daily, if the mission is to be achieved.

The reason we say this is because for the strategy to be effective in achieving the mission, the tactical component being performed must carry across—as well as through—every military unit the U.S. has on hand (i.e., from the Coast Guard to the Army, Navy, Marines, Air Force, ROTC programs, and beyond), as well as every government agency (at federal, State and municipal levels), as well as the management organizations that operate every industrial control system of importance to America (i.e. from dams and electric grids, to civilian navigation aids, etc.), to the well over 5,000 commercial American companies whose disruption (by cyber means) has the potential to bring America to its knees, as well as... are you ready... the 17,985 state and local law enforcement agencies and the over 120,000 uniformed personnel they field.[5]

The existing Cyber Command does not have this capability, nor is its mission attuned to these needs.

Winning at Cyberwarfare then requires that America has an organization that is able to wage cyberwarfare in conjunction with and through all of these players… and while the Cyber Command that has been set up may be able to play a role in some of these areas, it certainly wasn't constituted to do the job we are outlining here, nor is it the right organization to be leading this kind of a military charge.

Who is the right military organization to take this role? The U.S. Army Signal Corps is. The simple fact is, the Signal Corps is the only organization that has, since its inception, worked through and with every element of America’s military, as well as its government infrastructure and civilian enterprises, not to mention America’s universities and research institutions, to achieve its mission. Upgrading America’s cyberwarfare capabilities to embrace all elements of our military, as well as both federal and State government agencies, and civilian enterprises, is a necessity. Protecting these groups in time of war (cyberwar) is a necessity. Waging war (cyberwar) through the infrastructures these elements maintain is also a necessity. And finally, having one U.S. military group able to do all of this as a unified force is an absolute necessity.

The future direction of America’s cyber force cannot be left to happenstance. Waging cyberwar is about much more than merely conducting cyber activities, social media campaigns or hacking into another country’s computers… it’s about integrating cyberwarfare activities across all four of the previously mentioned sectors, from America’s entire military to its federal, State and municipal government sectors, and our country’s key civilian and commercial enterprises (what we will call the “Four Critical Sectors”). It also involves everything from taking offensive action in each of, and in conjunction with, these Four Critical Sectors, to defense of them and more, as well as defense of every form of digital infrastructure in between.

For the Cyber Command to gain this kind of clout would take decades. The Signal Corps, on the other hand, having integrated its work and efforts with each of the Four Critical Sectors since its formation on June 21, 1860, knows how to do this, and has already proven its abilities in this regard. The Signal Corps knows what it’s like to integrate civilian and military efforts to achieve a national goal… especially during warfare. Taking responsibility for waging cyberwar—something that is little more than a natural extension of the Signal Corps' usual duty of overseeing wartime communications in the first place—would come naturally to... the Signal Corps.

We say again, Cyber Command cannot do the work needed to build an effective strategic and tactical response capability able to cover the Four Critical Sectors, and the NSA has no place in this form of military activity. As it stands today, the Cyber Command is little more than a nascent force of digital warriors. It has no national strategy to speak of, nor does it have inroads into the top level management groups that drive the Four Critical Sectors. While it fills an important role and provides a critical service, its activities fall far short of what is needed to put together a nationwide, fully integrated cyberwarfare capability… from defense to offense, across all Four Critical Sectors.

Looking back on the history of the Cyber Command, we can see this to be the case, as when they were a nascent organization they struggled to find an institutional champion that would give them cover. Eventually they found their champion, in the form of the U.S. Special Operations Command. That’s good, as regards helping America to develop a base level of cyber force capabilities… but again it falls far short of what is needed for our nation as a whole to be able to wage cyberwarfare, or protect itself against it.

As it stands today, both Cyber Command and its parent, Special Operations Command, are at their operating core small teams of highly skilled specialists. They do a great job at what they do… superb, in fact… but they are not up to the task of being the responsible party that is needed to build and manage for America a new 22nd century Cyberwarfare capability. At best what they are qualified to do is carry on with their goal of mounting irregular warfare within the cyber area.

Part of the reason for this is that Cyber Command was formed, like the early Special Forces teams, around the idea that they would eschew large force capabilities for small scale organizational cohesion centered on a unified operational strategy, based on specialized but limited capabilities drilled into their mindset via institutionalized training. This makes the people of Cyber Command specialists in the field of small scale, pinpoint warfare… but not at large scale battle scenarios. And while there is clearly a need within cyberwarfare for men who can target and hack into, say, the personal server of a country’s Secretary of State… there is also a need for people who can design and implement nationwide programs intended to prevent dams from self-emptying when a malware program is turned on, or military aircraft from having their internal guidance systems hijacked when they fly too close to an enemy ship.

The reader can gain some insight into the shortcomings of Cyber Command by looking at its structure, and its plans for growth:

On September 14, 2014, the first American Army Cyber Protection Brigade became active. The unit was created to provide a base level of competent personnel able to set up and maintain network defenses for the military. No mention was made in their mission of the need to support federal, state or municipal governments, America's commercial sector, or help protect civilians against cyber recruitment or attacks from foreign enemies. Nor was any mention made as to the need to protect America's industrial infrastructure (dams, telecom networks, electric grids) against attack. Instead, the goal was simply to recruit and staff a number of experienced personnel who could investigate and deal with military cyber intrusions.

Structurally, the unit was originally set up with a core brigade of twenty cyber protection teams. Each contained 39 military and civilian network security experts. Most of these were classified under MOS (Military Occupational Specialty) 25D, Cyber Network Defender. At the present, there seems to be about 700 troops with the 25D MOS. Supplementing this group are a few civilians.

By now the astute reader will see an obvious problem with this structure... in addition to the mission being lacking in scope, and the size of the unit being absurdly small if America is to be protected from cyber attacks, is the obvious fact that 25D troopers will leave the military at the first chance they get... since people with this kind of skill set could easily make 5 to 9 times more money in the civilian sector than they could ever make in the military.

That problem aside, the unit suffers from inadequacies in other ways. Like the Special Forces brigades that the group was patterned after, it is intended that Cyber Command be a small, highly skilled fighting unit. Where Special Forces brigades (called groups) usually contain only 1,500 troops, versus regular combat brigades having over 4,000 personnel, the new Cyber Protection Brigades will have in the order of 1,100 personnel. Because of this, the Cyber Protection Brigades will need to depend on the integration and inclusion of massive numbers of civilian contractors, if the job is to be done. In our view, while this may be a good way to provide food and housing for combat troops... hiring civilian contractors... it is not a useful means by which to fight a cyberwar. After all, does America really want Verizon trying to stop ISIS from recruiting its sons and daughters?

Finally, even if changes are made to try to address these, and the many other problems we see in the way in which the new U.S. Cyber Command is being constituted, there will always be the problem of the unit being intended to be little more than a blip on the screen of the overall military's TOE. After all, it is an Army unit, and as such is intended to serve little more than the Army's needs. At the moment there are only 40 cyber-teams operating. By 2016 plans are to have no more than three Cyber Protection Brigades, at max. This is nowhere near the force projection size required to allow America to fight the number and types of cyberwars it will face.

More important than all of this though is the fact that absolutely no one in our government is looking at the big picture. Instead of building a national cyberwarfare fighting capability that can handle the needs of the Four Critical Sectors, what our government... and the Pentagon... is doing is allowing individual military groups to develop their own capabilities. In other words, the path being followed will end up with each branch having its own cyberwarfare capability, with none being built to address the nation's needs as a whole.

One need only look at the U.S. Navy to see it trying desperately to get into the game.

In 2009 the U.S. Navy created what it called an "Information Domination Corps." Behind this new unit was a new headquarters (assigned to the 10th Fleet), with over 40,000 people re-assigned to staff it. Intended to be a cyberwar command, its purpose was to deal with intelligence and network security issues within the Navy environment. So, while this effort ended up giving the Navy a more powerful and secure position in cyberspace, it contributed absolutely nothing to the cause of fighting cyber attacks that might target America as a whole. Little more than internal, branch specific network security forces, while both the Army and the Navy may parade their new cyber commands as being part of a national, military cyberwarfare capability, they are not. America remains unprotected against cyberwarfare... no matter what the Army, Navy, or even the 800 men who work within the U.S. Marine Corps' Forces Cyberspace Command may tell you.

In terms of core capabilities, force accession, and tradition, the force projection capabilities needed by any military group America might stand up to provide the cyberwarfare capabilities we so desperately need does not exist. Such a capability could, however, be stood up by the Signal Corps, if our government ever got around to being serious about preparing for cyberwar. The Signal Corps has a long and glorious history in the realm of science, technology, data, information, communication, encryption, decryption, transmission, reception, system and network design, and much, much more. It has over 150 years of working with all elements of American society, from the military to government and civil society, and America’s commercial sector, and it could do the job if called on to do so.

America would do well to start today to build a fully formed, coherent cyberwarfare capability. It could do this best by assigning both the strategic and tactical missions outlined above to the U.S. Army Signal Corps. This would, of course, require that Congress grant non-traditional authorities to the Signal Corps, as well as non-traditional lines of reporting, but at least on this issue the precedent has already been set. During World War II Congress assigned to the Signal Corps simultaneous lines of reporting to the Secretary of War (as head of the then Department of War) as well as the Secretary of State. Any unit that can satisfy the needs of these two traditionally contending agencies, not to mention the Army itself, and the Joint Chiefs, and keep all sides happy, is qualified to head a new Department of Cyberwarfare (… or National Cybersecurity Force, if you like). 

Cyberwarfare Is Civilian Warfare

Finally, as to what one can expect such a new Department of Cyberwarfare to do, all that is required is to recognize that cyberwarfare is, for the most part, civilian warfare. The actions America’s cyber enemies take will, in most instances, be aimed at the United States’ civilian sector, not its military sector. One can see this in Russia’s actions when it attacked Estonia. For traditional military men, civilian targets are seen as “soft targets,” but don’t let that fool you. The goal will be to cripple America’s ability to fight back, militarily and otherwise.

Fight back against what, you ask? Fight back against any activity an American enemy may conceive of, as a means of bringing our country to its knees. Although it will happen, what we will find ourselves fighting against will rarely be attacks on our military infrastructure, but more normally our national infrastructure, grids, communication systems, finance systems, ability for American commercial enterprises to conduct business, and perhaps worst of all, the numerous spurious means that exist by which our enemies can mount propaganda efforts to sow doubt within and topple our society.

To wage this kind of cyberwar America’s new Department of Cyberwarfare will need to be at a Branch level within the Department of Defense, on an equal footing with the other 5 Branches, and develop means for both attacking the soft targets of America’s enemies and protecting our own. In terms of what we can expect this new Branch of the military to do, by now we all know that Clausewitz was right; for every tactic and strategy one side develops, the other side will try to counter it. This new Branch will be tasked with countering both the enemy’s initial efforts at cyberwarfare and their counter efforts.

Such an approach to fighting a war will require tens-of-thousands of programmers, with program development facilities and labs akin to that which companies like Microsoft maintain. While no specifics are available about Microsoft's staffing level, this author has been told that Microsoft has 43,680 software engineers and developers on staff at this time. They are further supported by over 390,000 additional developers who work under contract with Microsoft, from countries like India, China, the Philippines and more. It would not be out of the ordinary then to expect that a new Branch constituted as a Signal Corps Department of Cyberwarfare might need to employ in excess of 150,000 cyber-software experts, when fully formed.

Properly staffing a new Branch like this then is important, because unlike in traditional combat roles, where front line soldiers are only needed when the country goes to battle and there is a need for people to pull triggers, in cyberwarfare the development experts needed will have to be on hand and working from the get go... that is, long before a cyberwar or cyber-battle ever starts... just to make sure that what the enemy is developing as a cyber weapon America is fully able to counter, regardless of whether it is placed in the field by the enemy or not. This point should not be forgotten: waiting until the enemy has emptied every one of America’s dams before bringing on board software developers able to ferret out and counteract the kind of malware that can cause such incidents is not a viable means for a nation to fight a cyberwar.

In conclusion, we can say with certainty that dynamic cyberwarfare will take place in areas involving soft targets. To best fight this kind of war America will need a new Department of Cyberwarfare, constituted as a 6th Branch of the military. In doing its job, this Branch will need to interface with civilian networks and operators, as well as the other Branches of the military, since all of these and more will be the targets of America’s enemies.

As to why we think the Signal Corps should head this new Branch, again, the Signal Corps’ historic experience in working in the areas of communication, data, security, et al. will be of great advantage. Consider if you will the simple example of the Signal Corps’ Monmouth labs and how they have, down through the ages, worked with civilian companies to transition the research done at Fort Monmouth into production, so that useful, reliable, combat ready information technology products came to the field when they were needed, as they were needed, and in a cost effective manner. In the past, all manner of systems were developed in this manner by the Signal Corps, from radar to communication systems, targeting systems, and more. In the future, the software solutions needed to win a cyberwar can just as easily be developed this way too.

Continuing to press our case, the Signal Corps has experience working with private contractors, and they too will be needed to provide much of the development and logistical support required to place the Department of Cyberwarfare’s software tools in the field. So, whether it’s working across national boundaries, coordinating cyber defense and offense with the Four Critical Sectors, developing new cyber weapons, finding ways to get them into the enemy’s systems and networks, or mixing cyber technologies with other battlefield technologies to make them even more effective, America needs a Department of Cyberwarfare, and we believe the Signal Corps is not only well placed but the only military group able to take on this role.

Notwithstanding all of this, it does give one pause to think of the incredible irony that a Department of Defense DARPA project that first helped bring ubiquitous, high speed communication to the world—the internet—has now come full circle to the point that it requires that same Department of Defense to develop a means of combating the kind of abuse the system it gave to us makes possible: cyberwarfare.

 

 

 

Footnotes

[1] The following are quoted examples of ISIS' recruitment of children, right under the eyes of their own parents. The examples were taken from CNN online, March 11, 2015, Propaganda and military training, by Jethro Mullen:

“The decision of three British teenage girls to travel to Syria last month was a stark example of ISIS' ability to attract young Westerners.

“Another young British woman who left Scotland to join ISIS in 2013 now appears to write a blog about her life under the extremists' rule, describing perks and offering reassurances to those who might follow in her footsteps.

“Western officials, though, say that ISIS is pushing a false narrative of what things are really like in its territory.

“But officials also admit they're struggling to counter the relentless wave of propaganda churned out on social media by ISIS members and supporters.

“ ‘There's no question what we're combating with ISIL's propaganda machine is something we have not seen before,’ U.S. State Department spokeswoman Jen Psaki told CNN last month.”

[2] In this regard, organizations like the NSA, which have taken on a life of their own, should be made subservient to the U.S. military, as they were originally intended to be. In the process, the U.S. military can then take over oversight to assure that the NSA’s activities stay outwardly focused on America’s enemies, rather than internally in support of civilian espionage intended to support societal police activities and crime. Leave crime suppression via espionage up to civilian agencies and the courts, and get the NSA out of this area of influence. Unless it amounts to the equivalent of warfare against America—cyber or otherwise—the NSA does not belong in it.

[3] Quote taken from documents published by and in the summit meeting of NATO Heads of State and Government, held in Newport, Wales, United Kingdom, on 4 - 5 September, 2014.

[4] To integrate military cyberwar fighting capabilities with American commercial players, so that their activities are protected too, the U.S. military will need to form a new special branch unit to handle this military–to–civilian interfacing. Such a unit, while it should be established under the auspices of the U.S. Army Signal Corps, should constitute a new, 6th Branch of the military. While somewhat radical in design, there is a need to consolidate all of the cyberwarfare activities of the existing 5 Branches under one coherent, unified command effort. Thus, a new cyber command branch is needed, rather than a bunch of new commands, i.e. one per Branch. Further, a structure of this type would be far better for the government, civil and commercial sectors of American society than asking each of these areas of interest to trust the NSA with access to their sensitive data, information and communication protocols. Finally, the existing Cyber Command, being a combat arm of the Army, holds far too restricted a position within the overall U.S. Government, civil society, and commercial sectors to be appropriate as the agency to head such an undertaking.

[5] State and local law enforcement agencies are crucial to cyberwarfare, as the men in uniform that these agencies field are the first to hear of a cyber-related problem. They are the first to hear that little Johnny is talking about joining ISIS, and the first to hear that the local bank branch's eMail system was hacked, etc., etc.

Sources

What Constitutes Cyber Warfare, Popular Science, September 8, 2014.

Data Security; These 5 Facts Explain the Threat of Cyber Warfare, online blog, Ian Bremmer, June 19, 2015.

The Other Quiet Professionals; Lessons for Future Cyber Forces from the Evolution of Special Forces, Rand Corporation, Christopher Paul, Isaac R. Porche III, Elliot Axelband

US not accusing China in data theft, won't retaliate, Fort Wayne Journal Gazette, 22 July 2015.

 


This page originally posted 1 August 2015 



 

Original Site Design and Construction By John Hart, Class 07-66. Ongoing site design and maintenance courtesy Class 09-67.
Content and design Copyright 1998 - 2015 by ArmySignalOCS.com.