March 22, 2017
On the Economics of Cyber Weapons, Part 2
Some industrial organization in cyber, and the organization of cyber forces
By James Hasik
What was “far scarier,” as Weaver wrote on the Lawfare blog, was that “somebody managed to steal 301 MB of data from a TS/SCI system at some point” over the preceding three years. As Ellen Nakashima of the Washington Post quoted a former NSA hacker, these may have been the “keys to the kingdom.” As previously described in documents stolen by Edward Snowden, this was the real stuff, from the probably American crew that Moscow-based Kaspersky Lab has dubbed the Equation Group. Responsible for at least 500 computer infections in at least 42 countries, that outfit has been deemed "The Crown Creator of Cyber-Espionage.” And last August, it got pwnded.
All this has become so important because, as Byron Callan recently put it, the world has become “overdependent on undependable things”—perhaps even our highly digitized weapon systems. If the NSA, OPM, Target, and the rest cannot keep their data safe, things will continue to be grim. Since that time, we’ve lived through tales of Hillary’s e-mail, Ambassador Kislyak’s wireless phone, the Democratic Party getting Guccifered, and something I still don’t understand about Trump Tower. I keep looking at my smart phone like it’s looking back at me.
Damian Paletta, Danny Yadron, and Jennifer Valentino-Devries once wrote of how nuclear weapons may require huge investments, but “getting into the cyberweapon club is easier, cheaper, and available to almost anyone with cash and a computer.” As Max Smeets of Oxford and Herb Lin of Stanford have each written for the Council on Foreign Relations, perhaps we’re not really sure how much all this costs. But in a pair of recent studies—“The Life Cycles of Cyber Threats” and “How States Drive the Diffusion of Cyber Capabilities”—Ben Buchanan of the Wilson Center has outlined how cyber tools diffuse more rapidly than other offensive capabilities, basically just because “computer code is easy to copy.”
Who’s not helping against this onslaught? Big defense contractors. They're continuing their relative exit, at least from commercial cyber defense. As Washington Business Journal has been observing, Northrop Grumman sold its business, BluVector, to private equity firm LLR Partners in January. General Dynamics sold its unit, Fidelis Cybersecurity, to another PE outfit last June. Boeing sold Narus to Symantec that year too. Lockheed Martin spun its work into Leidos in that transaction. BAE Systems and Airbus aren’t in the business either. Forcepoint remains “powered by Raytheon,” but in joint venture with Vista Equity Partners.
Perhaps these big companies have serially exited the business because the economics of cyber software development are foreign to their business models. Big defense contractors do write lots of software. They just spend years on it, baking it into tangible products. Lockheed Martin is still finishing ALIS, the Joint Strike Fighter’s Autonomic Logistics Information System, some 19 years after starting work on the application. Getting cyber right was even in Better Buying Power 3, but that was mostly about baking in robustness and resilience. Responsive cyber is simply on a different clock cycle of development. Perhaps, then, we should not blame the big guys. This is a whole other realm of conflict, and we don’t expect the shipbuilders to build tanks, or vice versa.
This issue of who should build cyber weapons and defenses parallels the unsettled question of who should employ them. The Pentagon, after all, has big hopes for Big Cyber—perhaps to create a weapon that can inflict widespread “blunt force trauma” on the command networks of enemies. If that’s another bombing-to-win enthusiasm, perhaps the military would want another branch, just as air forces have evolved. Last October, the semi-independent US Cyber Command reached its initial operating capability, with approximately 5,000 troops in 133 mission teams. NSA Director and Cyber Commander Admiral Mike Rogers was very complimentary of them, even if he never says much else at Congressional hearings. Naturally, that spooky reticence is part of what complicates the organizational analysis. This is all very new, and no one who knows much will talk.
The military services do agree that an actually separate cyber service isn’t a good idea—but of course they would. More fairly, as Robert Ackerman reported from the 2014 AFCEA International Cyber Symposium, the Navy and the Coast Guard particularly think that cyber is part of electronic warfare, and thus a local responsibility for every unit. Unfortunately, as Jen Judson wrote for Federal Times last November, the Army admits that it has too few people to cover the cyber defenses for the big data that it already can’t manage. Today, as Sydney Freedberg recently wrote for Breaking Defense, the Army has about 15 cyber-troopers in each brigade. That’s likely not enough, so as he wrote just this past December, the Army is working fast to build a real cyber corps, graduating as many lieutenants in the speciality as its units can absorb. On Task & Purpose, Brad Hardy opined that the Army should bring back its senior enlisted specialist ranks to fill its units. However they’re doing it, they’re not finding enough people.
Perhaps part-time is part of the answer. As Inside Defense reported in September 2014, then-Defense Secretary Chuck Hagel had received advice from a formal panel to “lean strongly on [the] reserves in crafting [his] cyber force.” As Freedberg wrote that year, the National Guard is keen for a role here too. In February 2015, the Army Reserve entered into a “Cyber Public-Private Partnership” with eight universities and eight companies to produce citizen-scholar-soldiers for digital duty. As Alicia Sternstein wrote for Defense One back then, they’re aiming to produce as many as 5,000 reservists this way.
But as of late 2015, the military services had filled only 43 to 64 percent of the cyber billets they believed they needed to operate effectively under attack. As Justin Doubleday wrote last November for Inside Defense, the Marine Corps has been zero-baselining its cyber operating concept, “literally counting butts in seats” to figure out what it has and what it needs. Maybe they just need a few good mercenaries. Note that the University of Central Florida has won the National Collegiate Cyber Defense Challenge for the past three years. Joe Davidson wrote for the Washington Post in August 2015 of how the second championship team came to DC as part of its victory tour, but couldn’t much respond to offers of federal employment. Following the OPM breach, the feds were getting serious about recruiting, but most of the team had already committed to private industry. If you can’t recruit, maybe just hire out.
Perhaps the scariest part, though, and to beg Nicolas Weaver’s indulgence, is that the military has such inadequate systems for recruiting, retaining, and managing its cyber-troopers. As the Bipartisan Policy Center’s Task Force on Defense Personnel just reported, none of the services can effectively build cyber teams the way they have built infantry battalions, ship crews, and flying squadrons. We’re still not sure of how to organize cyber battalions, but until they get the human resources issues right, all the services should be scared that the Russians will pwn them far worse than the Shadow Brokers got the Equation Group.
James Hasik is a senior fellow at the Brent Scowcroft Center on International Security. He last wrote on the economics of cyber weapons in August 2012.