In 2012, then-Secretary of Defense Leon Panetta predicted that the United States faced the threat of a “Cyber Pearl Harbor,” a devastating digital attack on critical national infrastructure. That single pronouncement would help to shape the nation’s cyber strategy in the short term, and the ramifications of that warning continue to be reflected in Cyber Command’s evolving mission today.
Setting the scene
When Panetta warned of a cyber Pearl Harbor, Cyber Command was still just getting on its feet. In an interview with Fifth Domain, the former secretary said he was aiming, in part, to let the nascent cyber agency’s leaders know that the Department of Defense was in their corner.
The cyberwarriors needed to hear “that we were supporting financially the efforts there to stay on the cutting edge, and that we were developing the plans that needed to be developed to ensure the United States would remain one of the strongest players in the cyber arena,” Panetta said.
The long game, Panetta said, was to shake up ordinary citizens, to awaken them to the seriousness of the situation at a time when the nation’s cyber defenses were still in their formative stages.
Gen. Keith Alexander, then the head of Cyber Command, warned in 2012 that American readiness for a major cyberattack was “around a three [out of 10].” Panetta knew he needed to sound the alert about that situation.
“The American people needed to know that the potential for a paralyzing attack was there,” Panetta said. “We had known that cyberattacks could be used to interrupt business, to gain intellectual property. We knew about hacking. But the fact that a sophisticated virus could be used to virtually paralyze our country, to take down our electric grid, take down our financial systems … that potential was there and real.”
The arrow found its mark. “It was a clarion call, evoking the specter of a horrific national disaster as a way to galvanize public support,” said Edward Wittenstein, executive director of the Johnson Center for the Study of American Diplomacy at Yale. “It also communicated that urgency to members of Congress, whose support was needed for solidifying and resourcing Cyber Command.”
Given the hyperbole of the remark — something he describes as a form of “shock therapy” — Cyber Command’s response may appear muted.
In 2014, Panetta’s successor, Defense Secretary Chuck Hagel, established a deliberately low-key tone in describing the cyber mission. Speaking at Fort Meade, Maryland, which is home to both Cyber Command and the National Security Agency, he said the United States would “maintain an approach of restraint to any cyber operations outside of U.S. government networks. The United States does not seek to militarize cyberspace.”
He added that the United States wanted to leverage the internet as a “catalyst for freedom and prosperity” instead.
In hindsight, analysts today say the keyword “restraint” doesn’t suggest that the Defense Department wasn’t taking cyber seriously. Rather, Hagel may have been seeking a muted approach with Cyber Command’s mission as a way to cool down, rather than heat up, potential use of cyber as a combatant arena.
“There was a sentiment at the time that we should try to make cyberspace a peaceful place. We would reserve the right to use force there — but only as a last resort,” Herbert Lin, senior research scholar at the Center for International Security and Cooperation and Hank J. Holland fellow at the Hoover Institution, told Fifth Domain.
“Hagel was saying that we will exercise a policy of restraint, that we will not be very aggressive, that we will try to do everything diplomatically before resorting to force in cyberspace,” Lin said.
With cyberwarfare still a relatively new domain, some felt that any overly aggressive steps by the United States could lead to rapid escalation. Cyber Command at that time embodied “a wariness about wading into cyberwarfare,” said James Di Pane, a research assistant at the Heritage Center for National Defense. “We don’t want to be the ones moving the goalpost and creating global norms where it is okay for countries to do that kind of thing.”
Today, Panetta explains what that “restraint” means in a military sense: to be prepared, but also to be circumspect. “The idea of restraint was that we have to be serious about the potential for this weapon, but that we can’t panic. Rather, we have to be restrained in terms of our emotions.”
Today’s cyber policy appears to be driving Cyber Command in a more proactive direction.
The new ethos
The national cyber strategy, rolled out in September 2018, makes the case that the best defense is a good offense. Rather than merely fend off attacks, the United States would let our enemies know that the U.S. is not afraid to use cyber as a weapon. The United States will “ensure adversaries understand the consequences of their malicious cyber behavior,” according to the plan.
The nation has since witnessed offensive cyber operations in action. In 2017 a Defense official confirmed the United States had been dropping “cyber bombs” on ISIS in a program dubbed Joint Task Force-Ares, led by Adm. Michael Rogers, then the head of Cyber Command.
That program aimed “to coordinate cyberspace operations against ISIS,” Rogers said in written testimony to Congress. “JTF-Ares’ mission is to provide unity of command and effort for [Cyber Command] and coalition forces working to counter ISIS in cyberspace. The JTF model has helped USCYBERCOM to direct operations in support of USCENTCOM operations, and marks an evolution in the command-and-control structure in response to urgent operational needs.”
The JTF “brought cyber out of the shadows and successfully demonstrated the value and capabilities of cyberspace operations to the Joint Force when integrated as part of [a] broader coordinated military effort,” then Lt. Gen. Paul Nakasone, commander of Army Cyber Command and JTF-Ares, wrote in congressional testimony.
This kind of operation marks a new direction for Cyber Command and was reflected in an August 2017 move by the Defense Department, recommended by then-Secretary Jim Mattis, to elevate the agency to a standalone combatant command. Until then, it had been a sub-unified command under U.S. Strategic Command.
“They now have the full operating capacity to conduct cyberwarfare. They have the people and the tools they need,” Di Pane said.
Experts say the new status, and the new approach, reflect the realities of the changed cyber landscape. There may not be an imminent Pearl Harbor: Most experts agree a single cataclysmic attack on national infrastructure seems unlikely, given the present posture of likely threat actors. But even smaller-scale attacks pose a hazard. The repeated cyber incursions unfolding daily could have a devastating cumulative effect on American infrastructure.
“In the last five years the policy of restraint hasn’t worked. People continue to break into our networks,” Lin said. “And Cyber Command doesn’t want to just sit around and wait. No military guy wants to play defense all the time. They want to go on the offensive, and the new strategy calls for a much more aggressive posture.”
To effectively execute on that new strategy, Cyber Command may have to overcome new institutional or organizational hurdles.
“They want to be like Special Operations Command, but right now Cyber Command is not postured to have that same level of success,” said Jacquelyn Schneider, an assistant professor at the Naval War College. She noted she wasn’t speaking for the Defense Department.
“They need to set up processes to acquire technology and to execute on contracts. This is about the acquisition of software, and that’s something DoD struggles with,” she said. “There is no good model, so they will need to create all these institutional processes, while they are already dealing with major threats.”
Despite the hurdles, Panetta lauds the new alignment as appropriate to the current threat.
“You’ve got to fight fire with fire. The Russians would be thinking twice about doing what they are doing in our election process if they knew they were going to be paying a price for it,” he said. “They have to know that it is not a free pass.”
To learn more about the ways Cyber Command has evolved over the last decade, download our series of essays that reflect on the origins and future of defend forward and hybrid warfare.