Even though major conflicts have occurred in cyberspace since the mid-1980s, these are largely unknown and untaught, making it far more likely that the United States will have to continually relearn the same lessons.
A recent event at the Atlantic Council, in partnership with the Cyber Conflict Studies Association, is helping to kickstart the study of cyber conflict history to break this cycle. “Lessons from our Cyber Past: The First Cyber Military Units,” featured three of the earliest cyber commanders.
- Colonel Walter “Dusty” Rhoads USAF (Ret.), the founding commander of the 609th Information Warfare Squadron, activated in September 1995
- Lieutenant General John H. “Soup” Campbell USAF (Ret.), the founding commander of the Joint Task Force – Computer Network Defense, which became operational in 1998
- Major General James D. Bryan USA (Ret.), who commanded JTF-CND from 2000 to 2001 and transformed it into Joint Task Force – Computer Network Operations, assuming both the defensive and offensive cyber missions from 2001 to 2004
As discussed at the event, though US Cyber Command is the newest and best-known cyber command, it is not the first. By understanding the history of these units, we are more likely to be able to understand our cyber past and identify lessons for our future.
Prior to the mid-1980s, while there were elements of cyberspace and conflict within it, the components were not mature or interconnected enough for these concepts to have real meaning. By the 1980s the computers and interconnecting networks needed for cyberspace – and cyber conflict – were largely in place. After early incidents in the late 1980s and the revelation of the military power of information from the 1991 Gulf War, the US military responded, experimenting with new doctrines and organizations for information warfare. The first known cyber unit was the 609th Information Warfare Squadron, established in 1995.
The mission of this unit was split between offense and defense, supporting the Air Force component of US Central Command. The offensive component had perhaps only 30% of the unit’s personnel, but quickly came to represent 70% of their effort. While the 609th inherited offensive missions, their defensive work was mostly original and had to be invented on the fly.
At the time, Rhoads, the commander of the 609th, compared his mission in a way that will still seem familiar: “I liken it to the very first aero squadron when they started with biplanes … We are not exactly sure how combat in this new dimension of cyberspace will unfold. We only know that we are the beginning.” Much of what his unit invented is still in place. For example, they invented the first INFOCON, or “Information Condition,” to simply describe readiness levels, an innovation that has remained a staple of defensive cyber techniques ever since.
The Defense Department as a whole began to get serious about cyber commands in 1998, with the creation of the Joint Task Force – Computer Network Defense. In the words of Campbell, the Task Force’s founding commander, “really the whole reason that JTF-CND existed was ELIGIBLE RECEIVER … frankly, it scared the hell out of a lot of folks.” In this 1997 military exercise, a National Security Agency Red Team successfully, and apparently effortlessly, intruded into Pentagon networks.
Even as the Pentagon and White House were absorbing these lessons, another shock quickly followed. SOLAR SUNRISE, a large-scale set of intrusions in February 1998 which appeared to originate in the Middle East and coincided with heightened tensions with Iraq, appeared to be the start of cyberwar. Deputy Secretary of Defense John Hamre called together his senior cyber team and asked, “Who is in charge?” No one responded until, as Campbell (then the J-39, the Pentagon official responsible for information operations) tells it, someone “elbowed me in the side” and he raised his hand.
Within ten months, the Pentagon had rushed completion of a new command, the JTF-CND, with 23 authorized billets so the US military would have a single unit to command the response to future incidents. Campbell went on to keep his leading role, now as the JTF-CND’s founding commander, reporting to the Secretary of Defense himself. Like the 609th Information Warfare Squadron, this unit was meant to be a warfighting unit: the view was that the unit needed to fight adversaries that chose cyberspace as a battlefield. Accordingly, the unit was staffed heavily with traditional warfighters (such as fighter pilots, a Marine armor officer and a Ranger) in addition to technologists.
JTF-CND matured under Campbell, before picking up an offensive cyber mission and a new name, JTF-CNO, under Bryan, who took command in 2000. At his assumption of command of the JTF, Bryan remarked “I thought you were bigger,” because of their outsized efforts to professionalize this new military mission area. JTF-CNO’s defensive mission was the most important in Bryan’s opinion, but the amount of bureaucracy and process surrounding the offensive mission often dominated his attention, much as it did for Rhoads with the 609th.
Concurrent with Bryan’s departure in 2004, JTF-CNO changed to Joint Task Force – Global Network Operations, gaining the mission to not just defend but manage DoD’s networks. At that point, Air Force Lt. Gen. Harry Raduege took command, adding that authority to his primary role as the director of the Defense Information Systems Agency. The offensive mission shifted to a new unit, the Joint Forces Component Command – Network Warfare, located at Fort Meade, Maryland. However, the need to have an integrated command for offense and defense reasserted itself, and both the JTF-GNO and JFCC-NW were folded into the new Cyber Command in 2010.
One of the most important lessons these commanders agreed upon was the essential continuity in the skill set for the cyber workforce, in the needed DoD policies, and in the kinds of cyber conflicts. Regardless of whether the DoD uses the terms information warfare, information assurance, GIG operations, or cyber operations, commanders still rely on the system administrators, networking specialists, developers, planners and operators.
The commanders also found it humorous, if a bit frustrating, that so few controversies from their days have been resolved. These issues – such as the definitions of “active defense” or “cyberspace” but also command and control issues – are an exasperating reminder of how little progress the DoD has made over fifteen years. For example, to some degree, the DoD is still stuck with the same “great getalong” described by Bryan, where informal cooperation forged of operational necessity and the goodwill of individual commanders replaces more doctrinal command and control authorities.
Likewise, though cyber conflicts have become more frequent and dangerous, they are not qualitatively different today than ten years ago. There has been state-sponsored cyber espionage since the 1980s, “wake up” hacker attacks occurred in 1991 and 1994, a major cyber-enabled bank heist took place in 1995, and hacktivist attacks on DoD were first launched in 1999.
Just as today’s military officers learn the lessons of Cannae, Trafalgar, the Chosin Reservoir, and MIG Alley, so must DoD’s new cyber cadre study yesterday’s cyber operations to understand those of tomorrow.
This is the goal of the partnership between the Atlantic Council and Cyber Conflict Studies Association. Together, these organizations will feature a series of events and publications to understand the lessons from the history of cyber conflict, so that the newest cyber warriors can learn from key events and organizations of the past.
Jason Healey is the director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. He is the principal investigator for the cyber conflict history project with the Cyber Conflict Studies Association. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.
Karl Grindal is the project manager for the cyber conflict history project with the Cyber Conflict Studies Association.