Transcom is a case in point for whole-of-nation cyber posture
- By Mark Pomerleau
- Mar 16, 2016
Administration and Defense Department officials have been promoting the idea of a “whole of nation” approach to cybersecurity, because the interconnected nature of the Internet means that it traverses multiple sectors, making defense a multiple-sector responsibility. Gen. Darren McDew, commander of the U.S. Transportation Command, knows what they mean.
“I am concerned about our ability to operate in increasingly contested environments, including the cyber domain, where nearly 90 percent of our traffic flows on unclassified networks to and from our commercial providers,” McDew told lawmakers on March 15.
Transcom provides capabilities and support for the eight global combatant commands, which makes it a global organization with a unique posture adjacent to both commercial companies and combatant commands.
Noting that the nation is in its infancy in dealing with the cyber threat at large, McDew asserted that, while Transcom has extremely hardened defenses on its own networks, adversaries can circumvent them through unclassified commercial networks. “We have some great cyber professionals who won awards in how well we defend our network,” he said. “On the periphery of that defense, though, lies 90 percent of what we do, which is on the unclassified commercial networks and, outside of that, we have commercial providers that are under attack every single day. So you might not necessarily have to attack my strong position inside U.S. Transcom, but go after someone who provides us a service.”
There is a lack of clarity conveyed by military and government officials regarding who responds to domestic cyber attacks – the Defense Department, the Homeland Security Department or some other agency. Those debates over what constitutes cyber attacks on commercial providers put Transcom in position to work with agencies such as Homeland Security toward “bridging the gap between military capabilities and commercial capabilities,” McDew said. “And that’s where [the U.S.] Cyber Command squarely fits.” He said that he and Adm. Michael Rogers, commander of the Cyber Command and the National Security Agency, “are tied at the hip – he fully understands our dilemma. His team is completely linked with ours and they are great supporters.”
McDew’s comments harkened back to the Obama administration’s “whole of nation” approach to the cyber challenge: the idea that the public and private sectors need to cooperate in order to protect networks, data and infrastructure.
In addition to the roles played by DOD and DHS, this approach also involves law enforcement, as evidenced by the indictment of Chinese hackers, the indictment of a Kosovar man alleged to have sold stolen data on military personnel to ISIS and the forthcoming indictment of Iranian hackers that gained access to a dam in New York state.
Those arrests illustrate one tenet of the United States’ evolving cyber policy: that responses to cyber incidents do not have to take place in cyberspace. “Cyberspace is one domain,” Rand Corp. researcher Isaac Porche told a panel of lawmakers in early March. “The United States military operates in many other domains and so we’ve heard press articles talk about potential Iranian hacktivists attacking a U.S. dam – I don’t have any information that says it’s there. But what prevents nation states from taking action [is] the fact that they would have to deal with the United States in other domains. And so it always has to include all domains, not just cyber. Our response to a cyber attack may not be in cyber.”
A third pillar includes sanctioning cyber actors, under an April 2015 Executive Order, for malicious cyber activity that threatens U.S. national security, foreign policy or economic stability.
Some, however, are critical of the administration’s cyber deterrence approach. “I feel we have not articulated and haven’t demonstrated a deterrence strategy,” Frank Cilluffo, associate vice president and director of the Center for Cyber and Homeland Security at George Washington University, told members of Congress. He also noted that there have been several litmus tests, from the hack of Office of Personnel Management databases to other breaches, that require responses and clearer policies.
Paul Rosenzweig, founder of Red Branch Consulting PLLC and a senior advisor to The Chertoff Group, questions if the cyber sanctions Executive Order was just a bluff, an idle threat that cyber bullies can ignore given that the administration has not sanctioned a single person as a result of the order.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.