Full transcript from the March 5, 2012 Cyber Statecraft Initiative event “Lessons From Our Cyber Past: The First Military Cyber Units.”
Director of the Cyber Statecraft Initiative,
Lieutenant General John H. “Soup” Campbell, USAF (Ret.), Joint Task Force-Computer Network Defense
Major General James D. Bryan, USA (Ret.), Joint Task Force-Computer Network Operations
Colonel Walter “Dusty” Rhoads, USAF (Ret.), 609 Information Warfare Squadron
Location: Atlantic Council, Washington, D.C.
Date: Monday, March 5, 2012
Transcript by Federal News Service, Washington, D.C.
JASON HEALEY: Ladies and gentlemen, thank you for coming to the Atlantic Council. This is our lunch event – hopefully y’all got your sandwich and chips – on the first cyber commanders, “Lessons From Our Cyber Past.” Thank you very much for coming. If you’re not familiar with the Atlantic Council, we’re just celebrating our 50th anniversary as a national security think tank that particularly specializes in trans-Atlantic issues. I know many of you are from the cyber community; you might not have heard of us. But hopefully you’ll be hearing more of us soon.
For today’s event, we’ve got three distinguished gentlemen here. We’ll – I’ll introduce them in a second. But I wanted to kick off by saying, this is part of a project that Atlantic Council is doing with the Cyber Conflict Studies Association to produce the first cyber conflict history book. And as far as we know, it’s – there has never really been an event like this.
And there’s never been a book about the conflicts that have been happening in cyberspace. There have been some essays and some articles, including by a lot of distinguished people here in the room. But it’s probably not a surprise that we seem to be repeating the same lessons and making the same mistakes in cyberspace and cyber conflict – and no wonder, because we don’t have a history that we’re teaching to the new people coming into the field.
So today’s event is on the record. It’s public. And we’ll be recording it, and it will become part of the archive of cyber conflict history. Quick, if you can just wave – Karl Grindal here is my project manager for our cyber conflict history. We’re doing a case study competition, teaming up with AFCEA, with $3,000 prizes for the best essays in cyber conflict history.
You each got a quiz, which was on your – in your packet when you came in, with some of the key events in cyber conflict history. I’d be curious how many people – how you can do. My students at Georgetown – all except one person got every one of them correct. Also, we have a short draft – very draft, not for publication or reference – history of cyber conflict history, just to bring everyone up to speed. And since there are so many people in the room that participated in that history, we’d love to get any suggestions and corrections and improvement to that history.
So then, without any further introductions, let me start by introducing – (chuckles) – the next three – the three panelists here. To my right, Lieutenant General Air Force Retired, “Soup” Campbell. He was the – he came to cyber from the F-15 community and joined staff J-39. And he was the first commander of the Joint Task Force-Computer Network Defense.
To his right, Major General Army Retired, Dave Bryan, who came from Army special forces, communicator. He was the second commander of the Joint Task Force-Computer Network Defense and the first commander of Joint Task Force-Computer Network Operations.
And to his right, Colonel Air Force Retired, Dusty Rhoads, also an Air Force pilot from F-117 stealth fighters. Went from that into information warfare and was the first commanding officer of a cyber unit that we know of, the 609th Information Warfare Squadron in South Carolina, and also went on to JTF-CND.
We are going to run this as a – as a relatively informal discussion, and we’ll pause to take questions as we go along. But first I wanted to start out with you, Dusty, in – then we’ll ask all the panelists – in, what was the creation of your unit? Bureaucracies only create something like a new unit and authorize a first commander if they – if they’re trying to solve a particular problem. So for each of you three gentlemen in turn, what led the military to say, we need the kind of organization that they set you to command? What problem were they trying to solve?
COLONEL WALTER “DUSTY” RHOADS (RET.): Well, back in the ancient days of horse and buggies when we started all this stuff, the problem they were trying to solve was understanding what at the time was information warfare. We really didn’t have anybody dedicated to do that type of a mission; didn’t have anybody that really defined what that mission was. And the then-commander, Air Combat Command, took the proposal up to the Air Staff, and –
MR. HEALEY: And when was this?
COL. RHOADS: That was in ’94, is when we first started doing that.
MR. HEALEY: Wow.
COL. RHOADS: We took the proposal up to the chief of staff of the Air Force. He said, yeah, it’s probably a good idea to put a unit to see what kind of capability we have and how we would play in the information warfare game. Fortunately we got a very good sponsor, General John Jumper, 9th Air Force – rose his hand and said, OK, I’ll take on that mission as a – as a trial – because he was supporting CENTCOM at the time, which was always engaging in conflicts, unfortunately, about that timeframe. And they said, OK, let’s give it a shot.
And the concept behind the unit was both sides of the cyber mission: the defensive side, which was just barely getting started at the moment. We had been in discussions with the Air Staff of how to solve this information warfare question. A couple panels, papers were put out about treating it like air defense and those type of things. And they said, let’s go for it, down at Shaw Air Force Base.
Now one of the biggest problems we had with that unit was, nobody really understood what information warfare was. A lot of – there was a few commanders; there was a few places that discussed those type of things. But the hardest part was getting everybody familiar with what the mission was.
Let’s go a little bit more about the unit and some of the complexities in starting it – was not just the logistics things, because back then there wasn’t anybody that knew what a cyberwarrior was, what the definition was. It was a combination of past war fighters, J-3 types, a lot of communications people and a smattering of intelligence and planning people. We threw it all together to make this one particular unit.
The unfortunate part for the 609th was that the offensive piece was still classified. You couldn’t even discuss it in an open forum. You had to be inside a SCIF to even talk about information warfare. So the development of the unit was based on – I wouldn’t call it a cover story, because we didn’t do defensive missions.
But behind the scenes was the offensive piece of it, getting it integrated into the war fighters’ mentality, understanding into – at the time – the air tasking orders, because it was Air Force – it was an Air Force unit; how to get cyber introduced into the thinking of the commanders. So that was fairly – we couldn’t even talk about it. A lot of the publicity that went out about the 609th was on the defensive side, where we were first starting taking a look at IPS systems, not even – we didn’t even start with IDS; we started with IPS at the 609th.
MR. HEALEY: Right. There’s a lot of talk now about whether cyber is a domain or not. And the Department of Defense has recently come out and said, we’ll treat it as if it were a domain. What was the thinking about it back then? Did you – did that matter? Did you see it as a domain?
COL. RHOADS: There were discussions in the Air Staff to talk about it as a domain. A lot of the issues that are being brought up right now in discussions were discussed way back then, back in the – (off mic.) – timeframe. I think my mic just went dead.
MR. HEALEY: Yeah.
COL. RHOADS: Domain itself, no. Conceptually, yeah. We were thinking way out there. But, you know, if we – if we made this a domain where we could play in it back and forth and things – but it was fledgling at the point, so we knew that was just a vision. And it wasn’t drug-induced vision; it was just a – (chuckles) – vision. (Laughter.)
MR. HEALEY: There’s a great quote that I read of yours in the – in your unit history that talked about how you felt like we were at the first aero squadrons. And you didn’t really know how warfare was going to develop – especially because right around the time I read that quote, I read a very similar quote from General Webber in the Air Force, and thought: Boy, your quote was probably ’96. His was 2008, and here we are 12 years, and we still feel like we’re at the branch of a new – a new brand of warfare.
COL. RHOADS: Well, sitting down in South Carolina, we caught – we caught a lot of flak for stepping on a lot of people’s toes, just like Billy Mitchell did. And we did feel like we were plowing a path. And sometimes your nose gets really beat up when you’re plowing a path.
MR. HEALEY: (Laughs.) Yeah. So how does that compare, General Campbell, with the – with the creation of the JTF-CND? What were you doing at the time, and how did that compare?
LIEUTENANT GENERAL JOHN H. “SOUP” CAMPBELL (RET.): Well, I came to the Pentagon in the summer of ’97. As you said, I had been a – an aviator almost all of my career, and so this whole cyberworld was fairly new. But I was the – I was the joint staff J-38, which is sort of the cats-and-dogs directorate of the – of the joint staff. And one of the things we had was the STO Division – Special Technical Ops Division. And when I got there, that – plans were already in motion to spin that off into a separate directorate, which became the J-39 which still exists today. So that was – that was sort of in play. And I owned that.
But the other thing which was in play when I got there, which really became the whole – the whole reason the JTF-CND existed, was something called Eligible Receiver ’97. I don’t know if – how many of you all are familiar with the Eligible Receiver exercises, but they’re a series – I think they’re semi-annual exercises for – that the chairman, really, the JCS owns. And ’97, the subject was cyberdefense.
And so in preparation for that, for about six months NSA had chartered a red team to go in with the permission of the DepSecDef, John Hamre – to go in and do a reconnaissance of DOD’s networks, unclassified and some classified networks, and to penetrate them if they could – not to do any damage, but each place that they penetrated, they left what they called a marker file – which basically was, you know, “Kilroy was here,” just a note to prove that they had had access.
And by the way, the red teams were restricted. They were not – as much as you can restrict NSA smart folks – (laughter) – from using insider information or special knowledge. They tried to make them representative, like we usually do on these red teams, of the threat. So that’s how they were structured to – what they were structured to replicate.
So then they took the access that they had with the systems that they thought they could logically influence and control, and then built a series of events around the world. I think it was PACOM-oriented. In fact, I think PACOM had specifically one of the few commands that would – wanted to participate. So they were into PACOM networks and built a series of world events which involved social engineering and rolling blackouts and, you know, social unrest.
One of the interesting parts of the exercise was, every evening in the afternoon session there was a very professionally produced news summary – like the evening news, except it was the ER ’97 events of the day. And it was really pretty attention-getting. And so anyway, this whole thing took place in – over this period of about – period of about 10 days. And frankly it scared the hell out of – out of a lot of folks, because the implications of what this team had been able to do were pretty – were pretty far-reaching.
So there were lots and lots of lessons learned. You can figure out all the obvious ones. The one that got the ball rolling for what became JTF-CND was the observation that, in all of this – in all of this play, there was no – really no one in charge; no one in charge of the DOD response for recognition, assessment, attribution and reaction. And it’s interesting because, over the – over the period of the last decade, there had been a series of meetings; they all kind of had the same theme. Somebody at the meeting looks around and says, who’s in charge?
Well, the one that got me involved was the one that took place in the secretary of defense’s conference room, third floor. Hamre’s at the end of the table, looks around the table, and it’s – we’ve got probably 30 people in the room – and looks around the table and said, who’s in charge? Well, I was the joint staff, you know, J-39 STO bubba and so – I couldn’t recall if I raised my hand or if somebody poked me and I jumped and – (laughter).
But anyway, that – we sort of got – the J-39 bubba sort of got the action to do the after-action piece of this. And again, one of the things as we worked through this was the – just the obvious observation that somebody really needed to be in charge. There needed to be an operational commander with the mandate to direct action and direct response.
I can go into it now or later if you want some of the machinations. But I’ll just suffice to say at this point, it took a lot of – a lot of work, a lot of – a lot of work in the tank with the service-op steps. If it had not been for the top cover that John Hamre provided as the DepSecDef and – Denny Blair I think was the – was the director of the joint staff who had a big piece of this – we probably wouldn’t have made it. And there was a lot of care taken to make what we put together be doctrinally correct, so you couldn’t argue with it on the basis of doctrine.
So you had to have commanders working for commanders; you had to have a joint organization; and we finally got the skeleton of that put together. There were questions about where it was going to live. That’s another story in itself. It finally ended up at DISA, which I think most folks thought was the right place, although the Air Force made a heck of a play for it because they really were the – by far the furthest – had thought most about this whole issue, I think because of the experience that Dusty related. So we went through that process, kicked it off – I think we got the charter done the summer of ’98 – then started up at the – at the end of ’98. And that’s how we got started.
MR. HEALEY: Great. So something that –
MR. : (Off mic) – it was the second of November in – (inaudible). I have a copy of it. (Chuckles.)
MR. HEALEY: (Chuckles.) And something that Dusty had mentioned was, how do you staff this unit? You use war fighters, do you use comms, do you use – how did – how did they do the JTF?
GEN. CAMPBELL: Well, the philosophy was that if you’re going to have any credibility with the war fighters, you had to have operational people in the – in the JTF. And the question is, do you take – do you take computer guys and gals and make them – you know, kind of put them in an operational perspective, or go the other way? And we thought the best approach was to start with people who had some credibility in the operational side of the house, and then provide them with training and additional help that they needed to be technically proficient.
And I’ll say, by the way, the whole time I’m working this, I had no designs on being the first commander. In fact, the Air Force General Officer Management office had assured me I was going to be in the Pentagon for 18 months and then go back out in the field. So I was looking forward to my next flying assignment. But as we worked through this, the timing was either good or bad, depending on your point of view.
And as the – as the mission got bedded down at DISA, we decided, in what I think was a very good construct the service – (inaudible) – for several years, to dual-hat the commander of the JTF with the vice director of DISA. And that’s got some other implications from support and cooperation perspective that you can – you can figure out. But I was in the – at the right or wrong spot and ended up with that job. And so I ended up as the first commander of the JTF.
So it really had kind of an operational perspective from top to bottom. We quickly realized that that wasn’t going to be enough, and so we took care to fill it out with people who really knew what they were doing technically. And we also went back and tried to get the right kinds of training. And I think it was through George Mason – somebody remind me of that –
MR. : James Madison.
GEN. CAMPBELL: – James Madison – to go back and – go back and make sure that those people had the technical training they needed to at least be conversant in the – in the threat and the reaction.
MR. HEALEY: So we had this joint task force that was the first real joint war fighting organization in the cyber domain. And the leadership decided that we needed more. We had to do – we needed to – need more than the JTF-CND.
MAJOR GENERAL JAMES D. BRYAN (RET.): Well, thanks, Jay. And if I may say, it’s great to see so many alumni of the joint task force here today. The story could best be told if you lined all them up out there. By the way, PT’s at 6:15 in the morning – (inaudible). (Laughter.) You know –
MR. HEALEY: By the way, just show of hands, how many – how many JTF-ers do we have in the room here? Not bad.
GEN. BRYAN: So you know, it’s amazing how quickly the world and how tightly the world sometimes spins – tie a couple of things together that General Campbell just talked about. I was a brand-new brigadier general. I mean, my first – you know, my one star was – I didn’t even have both pins connected to it yet. (Laughter.) And I was told that, hey, you’re now the deputy G-6 on the Army staff. I had been the XO.
And by the way, your first meeting is, you got to go up there to the SecDef’s conference room. Don’t know what it is, but take notes. (Laughter.) I was present when DepSecDef Hamre looked across that table and said, who’s in charge? And I don’t think you raised your hand voluntarily; I do think somebody kicked your chair, Soup. (Laughter, chuckles.)
GEN. CAMPBELL: That’s the way over the – over the course of time. I think Dick Myers will tell us some story about the – (inaudible).
GEN. BRYAN: Yeah, how the – (inaudible) – yeah. That’s another story.
But about a month later – so I went back and reported out to the Army, we got to get serious about this. And the closest thing the Army had at that time was the first IO command, which was not really concerned very much about cyber warfare per se, although they had created a version of what today we would call a CERT function. But there was little or no coordination in the Army between staff agencies at G-6, G-2, G-3. There was little coordination between the Army’s network command that actually ran the Army networks in this – in this thing out at Fort Belvoir called the first IO command.
So anyway, I reported out. And then promptly about a month later – you know, just before they were about to say, you go solve this problem, I went out to be the Pacific Command J-6, who had just gotten hammered in Eligible Receiver. And Admiral Prueher was – you know, in my walking-in-the-door guidance, he was the commander of the U.S. Pacific Command; said, I don’t know anything about this. Say, you know, I’m a – I’m a carrier guy. But – (chuckles) – this seems pretty important, and we’ve got some – we live in a tough neighborhood out here, so figure this out and see what we need to do with it.
The interesting thing about that is that, falling back just on my natural instincts as a – as a tactical communicator that had spent about 16 years of my career in special operations and contingency units, the first thing I knew I had to have somehow was situation awareness. I had no – believe it or not, as the J-6 I had no – I couldn’t see the networks.
I had no idea what the loading on the satellites over the Pacific theater were. I did not know who our friends were or not. I did not know what the status of our networks through – I mean, at any level of detail, other than if something – somebody’s call didn’t go through, I’d get called in the middle of the night and get hammered.
So my instincts told me, I’ve got to stand up some kind of operations center function to look at this. And by the way, at that time the Pacific Command J-3 was completely disinterested. So I stood it up over in the J-6 shop, and put a direct line into the DISA theater coordination center, which was in the middle of the island of Oahu. And we were down, of course, at Camp Smith.
And we immediately began to look and act like a military unit that was getting its hands around a mission. Within a few weeks, I knew what the status of the networks were. We were actually tracking. We actually wrote a nine-page paper and sent it in to the joint staff, J-6 and the director of DISA, saying, you know, we’ve got some ideas about something we’re calling global network operations that we’re actually employing here in this theater that we’d like to share with others.
I would say that, by that time General Campbell and Dusty and many of the folks in the room here, the JTF was up and functioning. Now, I did not know what the JTF – I didn’t know anybody in the JTF per se, but in VTCs I began to see General Campbell talking about trying to come up with priorities and basically going – really, breaking – the tough job of breaking the ground early on a whole new mission area. And thank goodness Admiral Blair was there to bring the weight of the tank to bear – the op’s depth of services to bear on this problem.
And so our theater network operations security center began interacting directly with the JTF. And I’ll never forget that one of the big accomplishments from our perspective in a combatant theater was – and I don’t know how long it took, but it seems to me it was only a few months – the JTF actually published a taxonomy. And we all began to talk about these cyber issues in the same way.
It’s hard to believe now perhaps, but in 1998 it was the first time that we could all agree that this is what a root-level attempt is – you know, a category-one, root-level attempt means this. So when you say that, everybody knows what that is now. And that taxonomy clarified the language of the day, which allowed us to really begin to make tremendous progress.
Well, after about a year in that job, guess who came to be the commander of the U.S. Pacific Command: Admiral Blair. And so he walked in there and said, hey, I’ve been wanting to meet you. You’ve been making noises out here in the Pacific theater, and by the way, I am a huge fan of this mission area. So he began to pump money and talent into our organization in the Pacific. A year later, I got the call from General Raduege and – who had just been selected to be the next director of DISA – and said, by the way, you’re going to be my deputy.
And I believe it was June 8th – wasn’t it, General Raduege, that you took command? And on June 9th General Campbell and I had a change of command for JTF-CND. And I’ll never forget that day. Larry, you’ll – you – my favorite story with Larry Frank is – Larry, I think you were sort of commander of troops that day, weren’t you, or something. And we stood out on the parking lot behind the DISA building. (Laughter.)
And I looked out there, and there was this – you know, a few folks in uniforms, and some of them had on flight jackets, and some of them had on BDUs, and bunch of civilians with no ties. And I – and there are only about 30 of them standing there. And I looked over and I said, is this it? (Chuckles, laughter.) I thought – I thought you were bigger – (laughter) – because the JTF had already begun to have an impact on professionalizing this mission area.
Now to jump forward in the story a little bit, I believe that the biggest challenges that we faced from 2000 to 2001, my first year in command, was that we had to take advantage of the momentum that the JTF had managed to establish. And there was momentum. But there was so much work to be done, because what they had done was, they had rattled everybody’s cage. And everybody – they either loved it or they hated it, but they could see it coming.
So we had to deal with massive policy issues. Do you know that in the year 2000 there wasn’t even a law that said that cybertheft was a crime? It’s hard to believe. We quickly moved to address policy issues, which led us to actually interacting a lot with congressional staffers. There was no shortage of Congress – elected officials, I’ll say – who wanted to be the champion for this new thing. Unfortunately none of them knew anything about it, or they just wanted to be in charge, be the expert.
But they had some really smart young men and women who were willing to come over and listen to us, because now you’re – the JTF had a couple of years under its belt. And we had pretty much standardized on a really good mix which stood us – stood the test of time. We had one-third military, one-third government civilian and one-third contractor. And we were able – that mix allowed us to really begin to go deep in the technical skill arena.
And once we were able to – particularly on the civilian side and contractor side – and once we did that, then the services began to send us technically deep military officers because we were real. The Army had gone so far as to create a functional area for information operations. And we began to get folks like Michele and Mike in, who had graduate degrees in – from the Army in computer science, and understood all of this.
But we also had to work with doctrine. You know, my – as a good policy with a new commander – and I say, well, I’d like to have a meeting with my subordinate commanders. I didn’t have any. (Laughter.) But there were military officers in charge of critical functions in the services. And so we said, well then, invite them all.
So, you know, two Air Force guys showed up, one from San Antonio and one from somewhere else. Three Army guys showed up, one from NETCOM, one from first IO command and one off the Army staff. We had to talk the Navy into sending somebody. They didn’t have anybody really in command of their mission. The Marines had – because they had centralized their network, by default they had a single commander who reported.
But I had no authority over any of them. And basically we got together in the conference room. And so when we left, though, we actually had a little huddle. And we went, hey, hut – because all we had was what I call the great get-along. They all understood how important this mission was and how important it was that we all cooperate together – and that there were times that, even though I did not have official command and control authority over them, that we were going to have to issue directives – because we were already operating in hours, and we knew we had to get to minutes and to seconds.
And we couldn’t go through this inexorably difficult staffing process in the Pentagon to try to get permission to – so we really – and I must give all of them – and somehow we got to write them all into the history, Jay, because we – they all agreed to kind of get along. That was critically important.
MR. HEALEY: So, the jump from CND to CNO?
MAJ. GEN. BRYAN: Yeah, so along that journey we had really begun to professionalize. Now we had a command change at U.S. Space Command; General Eberhart had taken over. And he was really, I think, fond of us and impressed that the JTF was a very – we were a very professional organization, even in our really early part of our third year of existence by then. And he had retained responsibility for the offense mission at U.S. Space Command. And I think it’s fair to say that it wasn’t going as well as he would have liked.
And so he decided that it – unified combatant commanders do best when they hand their combatant missions off to sub-unified commands or JTFs. And so in March of 2001, he called me up one afternoon and said, I want to have lunch with you tomorrow. (Chuckles) – and I thought he was coming to the Pentagon. It wasn’t; I had to get on a plane and fly to Colorado that night. And at lunch the next day – I’ll never forget, it was a tuna sandwich –
MR. HEALEY: (Chuckles) – which you can get outside – (inaudible).
MAJ. GEN. BRYAN: And so – that’s right. So he said, you know, I want you to take on the offense mission too. And so I said, well, what’s my E-date for assuming that mission? He said, well, how much time do you need? And literally two weeks later, we worked all – I called back, and we worked all around the clock for two weeks to get ready for this mission. And on April 2nd, 2001, we were redesignated Joint Task Force-Computer Network Operations, to recognize that we now had both the defense and the offense mission.
MR. HEALEY: And so – thank you very much. So we’ve got three different cyber commands from 1995 – was IOC for – up through early 2000s. So what is it about what you’ve done that you think is most important for today – you know, whether that was, you know, major operations or incidents, or – I mean, I’ve got a few other specific questions that I’ll – that I’ll jump in. And maybe we will keep the same order and – Colonel, you want to go first?
COL. RHOADS: Well, I think probably the best thing we did at that time was to kick-start a lot of stuff. Earlier General Keys – we were talking about blue flag exercises. 609th played in two of them down there, and the second one – I believe it was in ’96, February of ’96, where we actually put an IO cell together and got all the commanders in a little group talking about how to use cyber effects on the offensive piece, and played the defensive piece in the exercise for the first time. And I want to throw a little credit out here to Mr. Doug Harlow who is sitting back in the back of the room. That was the first time INFOCON was ever used. It was in February of –
MR. HEALEY: Of ’96?
COL. RHOADS: – ’96. It was an exercise of the 609th. Of course we got the dragnet along with us when we went up to the joint staff. And we got that one pushed through. But we got people thinking about it. We got people talking about it –
MR. HEALEY: Yeah, that was a –
COL. RHOADS: – realizing that what is – it actually was a viable capability. And you needed to be on the defensive of it, because we had the ATO long before they ever had it when we were doing our offensive – (inaudible).
MR. HEALEY: Oh, really? So if you were in an exercise, you were able to get the –
COL. RHOADS: We had it.
MR. HEALEY: – blue forces air tasking order.
COL. RHOADS: We had control of the blue force air tasking order. They gave us a two-hour window to play in, and we got it.
MR. HEALEY: Within two hours.
COL. RHOADS: Within two hours. And that was not an insider job, by the way. (Chuckles.)
MR. HEALEY: Yeah. So did that – did that have an impact on how –
COL. RHOADS: Well, I think it did, because a lot of – (inaudible) – Eligible Receiver stomped things home. And then Solar Sunrise stomped things home. And you know, it (kept ?) a lot of people thinking about things. And I would like to think that we set the foundation down there to get started.
MR. HEALEY: (Wow, that makes sense ?).
COL. RHOADS: And initially the concept of combining the two units, the offense and the defense, was cranked up down at Shaw. And then in – was it ’01? I thought it was ’02 – it may have been ’01, I don’t know. It all blends together – when we took –
MR. : It was April of ’01, I think.
COL. RHOADS: Was it?
MR. : Yeah.
COL. RHOADS: When we took those two missions and threw them back together, and I got thrown in the jumble again.
MR. HEALEY: And then the INFOCON and some of those –
COL. RHOADS: The INFOCONS, right.
MR. HEALEY: – that got picked up for JTF-CND also, right? General?
LT. GEN. CAMPBELL: Yeah. No – I mean, I think clearly that the initial – the hard part, and probably the – you know, the biggest accomplishment of the JTF-CND was just to get things started – just to break the ice on the idea that, in this huge thing we call, you know, the DOD-IT enterprise, there had to be somebody with some organization, with directive authority – or somebody that – some focal point that was recognized and they understood was going to – was going to be responsible for assessment and then directive action.
You know, I – frankly I never thought the JTF construct would last. I think we all – we all thought it was going to be a – it was – it was a joint mission, clearly. We thought the JTF would probably last for two or three years tops and then be rolled into some kind of a – some kind of a – of a – of a joint structure, sub-unified command or something like that. And in fact that’s what happened, but, you know, a decade later.
So the fact we got that part right and it lasted for 10 years was pretty good. And again, it wouldn’t have happened without the – that top cover of some pretty visionary people who were willing to, you know, buck the headwind that developed. None of the services were fond of the idea that they were going to give up any visibility or direction of their – of their networks. So that was a huge – a huge hurdle to get over. But once we got past that I think, as Dave said, the cooperation of those – of those tasked units was really pretty good.
And by the way, we talked about what that specific – you know, as we talked a lot about doctrine and what the specific relationship was going to be. We talked about OPCON as the proper relationship – that was not going to float. We end up with TACON, which is a much lower level of directive authority. And again, it depends on – sort of upon the consent of the governed, if you will, to make it – to make it all work.
We did have – and Dusty reminded me – we had something called Solar Sunrise. It was actually between the initial start of the staff with the – for the JTF and the stand-up of JTF-CND. And that was a – it was a series of intrusions that we thought at the time was going to be attributed back to some nation-state. It turned out to be a couple of hackers in California that were – they were screwing around with the networks. But it really did get people’s attention coming right on the heels of ER ’97, and sort of reinforced the idea that we were on the right track and really ought to do this.
Something else that Dave said that sparked a memory – that day we stood out in the parking lot with Herb Brown (sp) doing the – doing the change in command, and you were wondering where all your troops are – (laughter) – we’ve – the initial authorization for the JTF was 23 people plus me. I was the dual-hat, and I didn’t count. I was the vice director of DISA.
We actually had, I think, when we turned it over to you, about 40 because, as we got together, people began to see this was probably a pretty good – a pretty good organization and something we wanted to attach people to. So we got – I think we got a lawyer as a – as extra. We got a law enforcement counter-intel cell, which turned out to be a real stroke of genius. I wish – I’m not sure who was responsible for that, probably –
MR. HEALEY: Those were both Air Force. So Air Force came in and said, if we do this – so that was me (chuckles).
LT. GEN. CAMPBELL: Yeah. And that turned out to be great – OK, well, you can take responsibility for that.
LT. GEN. CAMPBELL: It turned out to be great, because it turns out that, at least back then, almost all these things initially take on a law enforcement perspective. You kind of got to start from the perspective that this is a law enforcement issue. And only after you get a certain level of attribution and characterization can you graduate to other things. I also – and that – and that of course slowed the process down. But having those law enforcement folks who knew how to handle that and make sure we didn’t get out of our lane was really pretty important.
So again, I think in terms of what was right and what were the accomplishments – I think for JTF-CND it was just getting critical mass, getting started and providing a nucleus to build on as the mission – as the mission grew.
MAJ. GEN. BRYAN: And you know, Jay, I think in JTF-CNO we very quickly – some really interesting things happened in 2001. First of all, the first of the really sophisticated viruses began to really hammer networks worldwide. And I’ll just mention one, and everybody’s eyes will roll: Code Red was really an eye-opener. It had a huge effect. But we were able to contain it in a couple of hours in terms of its impact on DOD. The JTF hadn’t have been in place with its relationship with DISA to do that, it would have had a devastating effect on DOD’s networks.
And then of course, just two months later, September 11th occurred. And I think that, you know, and within – you know, shortly thereafter the nation was at war. So our support of combatant commands – it went from spending most of our time talking to the services or wrestling with the services over networks, to actually getting geared up with the combatant commands for a nation at war. And that really changed the dynamics for us.
MR. HEALEY: That’s really interesting. I hadn’t heard that before. How much – since you had both offense and defense mission, maybe for both gentlemen that have both offense and defense, how much did you split your unit? How much was focused on defensive and how much on offensive if you can say?
COL. RHOADS: Well, initially with the 609th, personnel was probably 70/30, offensive being 30 percent. Mission time – it was probably reversed. It was fledgling, operations that were all classified. Those few that were actually doing things were hopping all over the place.
COL. RHOADS: — we would do this thing called a shun – and Doug can give you all the details – it’s basically blocking IPs and things of that sort. So there was a lot of scope time, watching the new systems and developing –
COL. RHOADS: — processes to handle those and start talking taxonomy, at least with the Air Force and U.S. CENTCOM, which General Raduege was down at CENTCOM at the time. So we had a lot of discussions with you, sir. I remember those.
COL. RHOADS: But so that was probably split.
MR. HEALEY: That’s interesting.
MAJ. GEN. BRYAN: I think – I think that – you know, what’s interesting? I would have used the same formula. We were about 70 –
COL. RHOADS: Sir, you have same guy doing it. (Laughter.)
MAJ. GEN. BRYAN: I know. The guy in charge was the same guy. And it was – but it was about – the interesting thing was though, as the commander, and whosever brilliant idea – the JTF could not have done what it was doing, offensive or defensive, if it hadn’t been for its close relation – close, close relationship with DISA and its close relationship with NSA. And so having the – being integrated – getting integrated support from both of those great agencies really enabled us.
But what I realized by about 2003 was that the mission – the offensive mission – by then, you may recall, folks, that we had – we’d done a pretty good job. We’d actually treated cyber offensive missions as a – for lack of a better doctrine, we actually treated it as a kinetic effect generating thing in terms of process. We actually went out into the combatant commands and asked them for their target list. And we actually went through the drill of weighting them and analyzing them and prioritizing them on a global scale.
But the fact of the matter is that I had realized that it was taking probably – you know, it was 30 percent of my mission, and it was taking up 70 percent of my time, because it was so sensitive and so classified. And every time I turned around somebody wanted to give me another polygraph to read me onto a program and it was really so intense. And I had begun to realize, you know, because – and I – you know, we can’t talk about the actual missions in here because they’re still extraordinarily sensitive – the fact is we’d actually been conducting the missions.
And I often had begun – even when the missions were wildly successful from a cyber perspective, we were still in our infancy in terms of fully appreciating the effects we could achieve, but even then, you know, I began to think, you know, if we – if we achieve the desired effect or don’t on the offensive side, you know, it may be embarrassing or it may be great, but the nation’s not at risk. If we fail on the defensive side, the nation is at risk.
MR. HEALEY: It reminds me, the – if I remember right, DepSecDef Hamre made that very clear, you know, coming out and saying defense first. Is that true, General Campbell?
LT. GEN. CAMPBELL: Well, I think so. I mean, I – when I – that was one of the things that I usually said and in the presentations I gave particularly near the end as I had time to sort of absorb what we were doing.
You know, the offensive stuff is neat. I mean, we got some really good capabilities. We got some really smart folks working on it. But it’s typically they support the kinetic part of what you’re doing. In the best case, they may prevent a need for kinetic activity, but in most cases they support the kinetic part. And if you don’t do them, it’s probably going to work just fine. It may take a little longer. It may – it may take more resources. But you’re probably not going to lose the – not going to lose the war. If you don’t do the defense right, you can be in big trouble. If you can’t organize your forces, deploy them, support them, employ them, communicate, navigate, you got some big problems.
So in a sense, we have a very asymmetric situation, where we have tremendous capability, but we also have tremendous vulnerability in all of that infrastructure that we built up. And on the offensive side, you know, there’s not that much difference in capabilities between what we have and what our opponents might have. So I think the risk is much greater for us on defense.
MR. HEALEY: Do you get the feeling that that defense first is still part of the doctrine of the strategy? Or has that kind of been lost in the push for offense?
LT. GEN. CAMPBELL (?): Well, I –
MR. HEALEY: And that’s going to lead into a question about active defense, because I know –
LT. GEN. CAMPBELL (?): Well, my take – personal take is I – you know, I don’t know because I don’t want the – as (Dave ?) would imply and as we see, in a lot of the cases where you use – you have very classified capabilities, you never see the successes. You sometimes see the failures. You rarely see the successes. So it’s hard to judge from the uninformed perspective what the balance is. I would hope that we still prioritize the defense or something. You got to – it’s sort of the basics. You got to do that right. And once you got that done, protect your base, then you can build up and do other things.
MR. HEALEY: Now, as military commanders, under normal rules of engagement, you get to shoot back and – if you’re being shot at – and you also can use your forces to explore over the other hill even if that might be enemy territory, and you get – you get to look over the next hill. How did that fit in with what you could do here? Did you have the opportunity for not just offensive but active defense? And what does that mean?
And the context of the question is this is one of the big issues right now that Department of Defense is struggling about. I see Ellen Nakashima here – she just wrote a great article and blog on this last week about active defense. But I was looking at the JTF CONOP early on – a draft – and it said that JTF would do active defense back in 1998. And the Air Force comment was, you can’t – you shouldn’t include active defense in the CONOP for this thing unless you actually define it. So here we are, you know, 14 years and we’re still there – how did you experience that as commanders? And that’s an open question to whomever.
COL. RHOADS: Well, let me take it real quickly. The way we attacked that particular problem – no pun intended –
MR. HEALEY: At the 609?
COL. RHOADS: — at the 609th was we were focused just on one theater, one small area. And we could see the enemy coming. And we could – we had capabilities where we could just kind of play back with them. And it was very limited. It wasn’t a strategic event or anything of that sort. And that’s how we blended the active defense role. That was one of the rationales behind having the two units together –
MR. HEALEY: Yeah.
COL. RHOADS: — because the defenders would see that type of thing, gather the information. You would actually be doing the reconnaissance because you’re getting hammered. It’s the unfortunate way to get some, but – and then you know where to go back. Of course the attribution question is always out there no matter what you are, whether it’s tactical or strategic.
And Jay, you do recall the discussions of the CONOPS for the JTF where active defense was actually in there –
MR. HEALEY: Mmm hmm.
COL. RHOADS: — and there was a classified annex for it.
MR. HEALEY: Oh, I remember that.
COL. RHOADS: You do remember that?
MR. HEALEY: I (know ?). I’m older than I look, so –
COL. RHOADS: You’re the one that commented on it, I believe. And it was pulled out of the concept of operations so –
COL. RHOADS: — for those precisely things that General Campbell mentioned about the politics and defense first.
MAJ. GEN. BRYAN: I remember the meeting that we had with the Department of Defense General Counsel on this issue. And we basically got posse comitatus handed to us –
MR. : Mmm hmm. (Chuckles.)
MAJ. GEN. BRYAN: — and you know – you know, when an – somebody who is, I guess, equivalent to an assistant secretary of defense points his finger in your face and says, “Listen, Bryan, the dot-mil boundary is your boundary” –
MAJ. GEN. BRYAN: — because we were advancing aggressively. (Laughter.) And I must say but, you know, another historical event – (chuckles) – that was kind of pushing us along was U.S. Space Command had been inactivated and we had a new boss, U.S. Strategic Command Admiral Ellis. And you know, this guy wanted to go out and kill the enemy, and on behalf of the nation. (Laughter.) And so – he was a great warrior – I don’t know if any of you have ever had the pleasure of knowing him – just a great warrior and a brilliant strategist, a true national resource, in Dave’s opinion.
But what really allowed us to move forward was that by that time, again, the early work that General Campbell and his team had done to get law enforcement connections into – had gone to the next level. We had not only law enforcement connections within DOD, we had law enforcement connections across the federal government. And we had a great working relationship with them. And so when we were able to track an adversary in an active defense role with a reasonable degree of attribution to the dot-mil boundary, we had someone now to turn to and hand it to – (laughter) – no, but we had someone to turn to –
MR. : General Alexander.
MAJ. GEN. BRYAN: — we did have someone who we could turn to and hand – and we had full authorization to exchange information so that they had the legal jurisdiction to go and you actually interact with their international partners and Interpol and the justice officials of other nations. And we had some remarkable successes in that regard. You know, within relatively a short time, the bad actor in London got arrested and then the bad actor in the Netherlands got arrested. And these were all handoffs that – so it got better.
We weren’t able to actually, you know, pursue the bandits across the border ourselves because of – frankly, the general counsel said don’t do that. We were – we had someone to hand it off to. And at the same time, we were feeding – for exploitation purposes, the – we had – by that time had real good processes in place of how we exchanged, for intelligence purposes, information that we were gleaning from the defensive side. So that – all of those things had really matured rapidly, I think, in the 2003 timeframe.
MR. HEALEY: So I’d like to take a few more minutes, maybe 10 more minutes, to just talk about some of the – how cyber conflict has changed or stayed the same since then – also maybe the cyber workforce involved – and use that to get more into what do you see as the lessons for today’s cyber commanders.
So let me start – it’s just an open question – the cyber conflicts that we’re facing now – we still have some very active non-state groups, whether that’s Anonymous or Lulz, which get the headlines – but what seems to be worrying people more are the espionage that seems to be tied to some of the states, particularly Russia or China for example. How have you seen that change over the years from the incidents that you did, whether it was at the 609th or the – or at JTF? How has that changed over the past 10 or 15 years? Open question.
MR. : (Off mic) – I’ll comment – (inaudible) – I remember when we began to see the (pattern ?) of intrusions we call the Moonlight Maze, which – and I frankly checked out of the – out of that program some time ago, so I don’t know how it came out, but I can kind of guess.
And it really disturbs me today – I noticed a statement, I think, by General Alexander some time ago who said – talking about the surprise that the big companies, the Northrop Grummans and Booz Allens – those companies have been – have been hacked pretty badly. And his comment was not – he said those guys were the gold standard for cybersecurity; they’re just the ones that know that they’ve been hacked.
And so it seems like to me we’ve kind of ceded that battleground to the guys who would – the nation-states who would like to exploit our intellectual property. I mean, it’s – you know, it’s almost – today if you haven’t been intruded upon, if you don’t have an advanced persistent threat, then you haven’t – you’re really not in the – in the big leagues in the world of defense contractors. (Laughter.) And that – and that’s kind of a – that’s kind of a disturbing perspective.
So I’m not sure how – if you took a balance of security versus capability back in – snapshot in 2000, took that same snapshot today, if the trends would be in the right direction. So that’s – as a taxpayer and citizen – that’s kind of what worries me.
MAJ. GEN. BRYAN: Well, you know, we had a chart – and we didn’t create it while I was there; I think it was your chart, Soup – but we continued to use it. It was – came up – used in every briefing, public or private, and it was that hierarchy of the threat. And it started with the – you know, the kid, the teenager, the garage, but it – but it went all the way up to the nation-state threat. And it was along the same thing – what’s most likely, but what’s – could have the most serious effect. And that chart served us well over time. They’re still using a very similar chart, because the hierarchy of the threat, we’ve known now all along what that is. If you apply a volumetric measure to it, the volume of activity has shifted somewhat. We have a tremendous amount of criminal activity now that – and we have – but we – but the hacktivists have been there all along. You may recall that group, the Silver Lord(s), which we tracked all over the world. Well, now we have Anonymous, you know, that’s very much active. But the top threat, at the top, the nation-state threat has always been the – been the same.
And so it’s interesting that – again, that was something that we got right early on and it continues to be – to your question, Jay, about – to some degree, it’s almost like – I don’t know – back to the future to some degree. I – let me say publicly that I’m – when we created U.S. Cyber Command, it actually came out of JTF-GNO, which was the follow-on to JTF-CNO. And I don’t know that there’s a better officer who could have done a better job than General Keith Alexander in that job. But it – but it clearly is the impossible job to some degree. Even with the thousands of people he has now from the dozens you had and the hundreds I had, he has the tens of thousands and the hundreds of millions, and it’s still a very, very difficult job, because the command and control issues have not been formally and finally resolved.
The threat is constantly changing. The technology is changing so fast that it’s difficult to even have a current threat assessment based on the technical threat that you’re facing, so you have to be tremendously agile. And big organizations have a difficult time, just like big companies have a big – have a very difficult time being as agile as they – as they need to be.
So you know, I recently saw a chart that General Alexander used, and it was – I think it was his top 10 priorities. And gosh, I thought it was a slide that you’d prepared for me, Jay. The challenge is still there. It’s – in many ways, it’s back to the future. It’s the same kinds of challenges.
MR. HEALEY: And as we get –
MR. : Keep it rolling – (laughter) – another 10 years before that same –
MR. : Yeah. Same kind of things.
MR. : OK.
MR. : I heard a speech from a senior flag officer a few months ago, and the 90 percent of it could have been taken from the notes that we used a decade ago. So it’s the same issues – attribution, detection, reaction, speed of response, legal issues – that still seem to –
MR. : Yeah.
MR. : — be the tough parts.
MR. HEALEY: So I’m going to ask one last interim question, and then I’d like to finish on that. You know, of that – so we haven’t seemed to be learning the lesson. So from your experience, what are the things that you’d really like to emphasize that’s maybe going to break us out of this loop?
But one last question in front of that is about workforce, because cyber workforce – how do we build the cyberwarriors and whatever we want to call them – how much do you see that the skill set – now the technical skills have changed because now we have mobile and cloud – could you still take, you know, the same skill sets that you used in ’95 or ’98 or 2000 and the same rough skill set? Or are the skill sets needed to do offense and defense radically changed?
COL. RHOADS: I think the same still skill set works – same mixture of skill set. The very fortunate piece is there’s a lot more to choose from.
MR. HEALEY: How so? What do you mean?
COL. RHOADS: Back in ’95 there were like maybe 50 people that knew how to do it. Now there’s probably 50,000.
MR. HEALEY: Huh. Interesting. Yeah. Would you – would you –
MR. : Well, yeah, I mean, I think it’s – I think it is – it is the same skill set. I think that the scale has – the scale has grown. Obviously, the – you know, the adversaries are adapting probably faster than we are. There’s also – there’s also a – there’s also a motivational issue, you know. If cybercrime is a very low risk, high reward activity, how do you provide the compensation that brings those same capabilities – not the same people necessarily – but the same capabilities, motivation into the government – the government service or the – or the private sector? And – but I do think that it is really important to have an operational perspective though as you do this, because otherwise you’ll never break through all those issues you got to get past – you know, again, the legal issues, the mindset that you’re supporting – you’re supporting national objectives and the war fighters. It’s not a technical exercise. It’s a – it’s an exercise of national power, and you got to do it from an operational perspective.
MR. HEALEY: It’s one of the things that struck me as we were putting together our history, whether we were thinking about conflict or workforce, and that there seems to be a lot of continuity that – from the early days on. You know, the same workforce mix seems to be about right, that the nature of cyber conflict has shifted, but it hasn’t changed dramatically.
I mean, if you took the JTF or the – or the 609th facing the challenges of today, the nature of cyber conflict doesn’t seem like it’s that different. Yes, it’s faster. There’s more of it. There’s – but it’s not like there’s been too many significant incidents. I mean, we’ve had Estonia, we’ve had Georgia, but we had large DDoSs before that also. Would you – would you think that was the –
MR. : Yeah, I think – I think the cyberforce has gotten a lot stronger – but that’s not the weakest link and it never has been.
The weakest link is the user in our network. I’ve always found it interesting – and I used to use this example, and I think it’s still true – that we would – in the Army, today’s modern generators, all you got to do is, you know, check the oil, put some fuel in it and push the start button. And yet, in order to – for a soldier to be authorized to do that, that soldier’s going to go through about eight hours of training with a sergeant at the end of which he will be tested and personally certified by the motor pool sergeant that this soldier is authorized to do this fairly simple task, and yet we’ll take anybody by assignment and put them down at a computer terminal and give them access to the SIPRNET after a very short online thing to get their password.
And that’s – you know, whether it’s Anonymous or whether it’s the Chinese or whether it’s anywhere else, generally the attack vector that’s most successful is to go pop somebody inside and then take their privileges. And so I really think that the number-one priority, if I were running U.S. Cyber Command today, it would be to do a better job of professionalizing the users on the networks.
Everybody – just about – in America has access to the Internet in their own home computers. Unfortunately, they bring a lot of sloppy skills to that environment, and then will sit down in front of a Department of Defense or government network and that’s their framework. And so they have to bring – somehow we’ve got to train them and instill in them and discipline them to a very much more strict environment and understanding of their role as the user in the network.
MR. HEALEY: Colonel? General?
MR. : Well, I – I’d take a little different look at the question that you – and the skillset I – no question about that. I mean, I think it was two years ago I did an interview with Washington Post or something, one of the things I said, the biggest way to fix the cyber problem is the person sitting behind or in front of the keyboard, whichever way they’ve termed it. I get – (audio break) – a lot of – a lot of issues taken care.
But to answer your other question, I think the nature of – right now we’ve been talking in the context of the military, DOD’s change in cyberwarfare. But I think our country and any major developed country is at a much larger risk because of the capability of cyberwarfare against us. And I think that’s gotten some attention. I’m glad that’s gotten some attention, because we could be in hurt city if somebody really decided to come after this country.
MR. HEALEY: One of my favorite quotes from Greg Rattray is, when we talk about cyberdeterrence, why do we think we’re the ones that are going to be doing the deterring? You know, it’s much more likely that we’ll be the ones getting deterred –
MR. HEALEY: — considering our vulnerability. Any concluding remarks? And then we’ll open it up for questions.
MAJ. GEN. BRYAN: Mike – you know, Mike Hayden, who’s one of the smartest guys around, used to say that when you talked about the taxonomy of a computer network, defense attack and exploitation is – his contention was that attack is a lesser included form of or case of exploitation, because if you’re in the networks, you have the access to exploit; you also have the capability to use those – that same access for attack.
And so as we watch – we’ve kind of gotten blasé, in my view, about the level of – the level of exploitation of access that we – that our adversaries have gotten. And frankly, their motive right now is just to – just to extract information. But if you take a worse case and with the right conditions, you can also use that access for other things, and that’s what frankly worries me.
MR. HEALEY: Mmm hmm. Right. Thank you. And let’s start with the questions. And right here in front, Randy Fort. And then I – and then I see Robert Tomes in the back.
Q: Yeah, hi. I’m Randy Fort with Raytheon. I guess I’ve been struck throughout your comments by a name that I – we heard only once and barely in passing, from General Bryan, and that’s the National Security Agency. So I’d be interested to know your thoughts, a little bit more about what was the role of NSA as your organizations were working, and what sort of Title 50 versus Title 10-type dynamics did you have to work through for this very point that General Campbell just made, that CNE and CNA were a few strokes away and NSA is responsible for doing CNE? So I’d just be a little more interested in your thoughts about what that dynamic was like.
MR. : So who’s the question directed to?
MR. : Well, I think – I’ll – I mean, I’ll take a stab. I think NSA is exactly the right place. I think the missions are so closely tied together that that’s where – that’s where it ought to be. I think you – we – you have to depend on the structure. I mean, the NSA knows – they’ve been doing their business for a long, long time and understand the ground rules and the lanes of the road. And you’ve got to depend on that structure and the oversight that they have to make sure that the missions are kept in their appropriate lane. But I fully support that as the right place for – you know, for the cybermission.
MR. : Well, we couldn’t have done our job without both agencies. I don’t think you can talk about cyberdefense – I think it is the greater of the two missions with respect to importance – and you can’t do that without the Defense Information Systems Agency and truly (affect/effect ?) and protect the Department of Defense’s networks. But you also can’t exploit nor attack your enemy without the support of National Security Agency.
And I think that the reason that it’s sometimes difficult to talk about that is because the specifics associated with that role are – have always been extraordinarily sensitive and, frankly, complicated from – as you picked up on it – from a Title 10, Title 50. You always had the natural stresses of people who had access for exploitation in a Title 50 role who said: Look, we’re in the natural position to execute Title 10. Well, you know what? There are a lot of people in the nation who are our political leadership who didn’t agree with that. They did not want – they said: We have Title 10 for a reason.
So the constant question that was wrestled with all the time in the tank, in conference rooms, in discussions was striking the balance between the provisions of Title 10 and Title 50. And I might add, I guess I could throw – I think it’s Title 18 – throw the law enforcement side into that as well. Those were all three – always up on the table together and finding the right mix.
But I think that certainly the role of the National Security Agency as a world-class, best organization in cyberarena is unquestionable. It’s just difficult sometimes to talk about how we interacted with them beyond generalities, without getting into the extraordinary sensitivities that went with that. And that’s not a cop-out; I think it’s just true.
MR. HEALEY: And – (inaudible) – Robert Tomes.
LT. GEN. CAMPBELL: Let me – before you do – let me tackle that a bit, because the other – the other agency we’ve only mentioned passing is DISA, of course. And they’re the other – the other, you know, agency that contributed immensely to the growth of what we got. We, frankly, were ready to send the mission, the JTF-CND, to San Antonio, because the Air Force wanted that mission very badly. And I’m convinced we’ve done a good job with it.
DISA – and Dave Kelly was the director that preceded Harry – at really the 11th hour stood up and said, hey, we think this is important enough to – because it leverages the core capabilities and experience and mission that we do, that we need to have that mission collocated with DISA. And so that was the beginning of that partnership, which I think really has been – was very successful throughout the life of the JTF structure. And Dave Kelly basically said, I’ll – we’ll give you the Global Network Operations and Security Center as an element take on to the JTF-CND. So that was a big piece of that. We didn’t really talk much about the DISA role, but that was – they were a big contributor.
COL. RHOADS: I was just going to tag onto that comment. In the earlier days, playing with NSA was very, very vital. But it wasn’t just NSA: The intelligence community as a whole played in that area quite a lot. And as a combatant person, I was always at odds with the intelligence community for intel gain/loss. But they were a necessary and very vital piece of both missions, both defense and the offense.
MR. HEALEY: When you say you’re a combatant, you mean you had come from the combat arms, or just – you’re just generally surly?
COL. RHOADS: I grew up as a fighter – well, that too. (Laughter.) I grew up as a fighter pilot. My job was to blow things up, make smoking holes and things of that sort. So I always took at it in that direction. But yeah, the other part’s very true.
MR. HEALEY: OK, and next is Robert Tomes. And while the mic is going there, I also have Kristian in the back was next, and then Dan here, and then I’ll try and get – and then I’ll do Michael after that.
Also, sorry to do this. Larry, your anecdote about on the phone and the missile defense warning conference, would you be willing to talk – (would you throw that in ?)? You always called me out, so I’m going to call you out here. So we’re going to try and find time for that.
OK. Also, since we have time, I just want to call out something very important to those of us that were in the alumni. I wanted to just call – Scott Williams is here, who was one of the founders of Cap City Brewery Company – so where more CND policy has gotten done at Cap City Brewery Companies than any other location.
OK, Robert Tomes, BAE Systems.
Q: Good afternoon. Robert Tomes from BAE Systems. My question is, if we look at the timeline we’ve covered here from I guess the mid-90s through today, and from that time we’ve seen a lot of shifts in U.S. doctrine and everything from security and stability operations being a co-equal mission for DOD. We’ve seen a lot of changes obviously from the COIN, you know, doctrine coming back in.
But my question is, as the DOD has looked at Cyber and IO, preparing the force, looking at readiness, looking at the dot-mil, dot-com, dot-gov problem, how would you compare that with our adversaries and with others? And how would you rate our ability to respond to those changes and conflict and warfare – both from kind of a policy and a doctrine perspective – but from the perspective of what our adversaries may be thinking about?
MR. : I think our adversaries may have a much more streamlined process for working through some of the issues than we do. I mean, I’m again struck by the fact we still after a decade are still working through some basic – some basic questions. Again, I think that we have – we kind of have an asymmetric situation here in that our ability to leverage information technology to our advantage also creates a huge target set for our adversaries. So the – it may be that our ability to defend that infrastructure has not grown proportional to the value – the value we place in it as a war-fighting tool. Does that kind of get where you’re going?
Q: It does. But I guess where I was thinking about is how the services – we talked about workforce and skill development and the – pressing the generator. And you read, you know, stories of infantry units, for example, in China, where they’ll go do their infantry training and then they’ll come home at night and do a cyber mission. And from the perspective of seeing that and recognizing that, but then as the services make recommendations, and the GC putting – you know, pointing, saying you end at the dot-mil boundary – it seems that those things haven’t changed over the last 15 years as much as they could. And they’re not changing in proportion to how much we’ve changed COIN doctrine in response to the (war ?) security and stability operations, in response to the pressures of the last 10 years. So there’s – it seems like there’s lot of things that have been innovative and transformational in the last 10 years, but this seems to be the one area of war fighting doctrine and skill development that is either staying compartmentalized and not making it to the rest of the force, or isn’t getting the attention.
COL. RHOADS: I would think the Department of Defense has done an excellent job in the skillset and the training and the pieces. I hate going back to the horse and buggy ages, but anybody that was in charge of running a network was somebody that knew how to turn a computer on. Now you have to have certifications. You have to go through specific training and stuff – at least in the military pieces of it – in order to get certain ratings to even touch it. You know, I will harp again on, you got to teach the people behind the keyboards what they’ve really got in their hands, which would go a long way in stopping a lot of things.
MAJ. GEN. BRYAN: I think there’s a real trend coming, Dusty, too. You know, I realized the other day, you know, the digital natives are now field grade officers. Ten years ago, you know, we were all – all of this was being run, but we were all digital immigrants, right? I mean, we grew up in an analog world, and we learned how to – how to think in terms of networks along the way.
MR. HEALEY: I had Pong. (Laughter.)
MAJ. GEN. BRYAN: But now – but now – (chuckles) – but now there are field grade officers who are influencing policy and going to be commanding units soon, who have grown up in this environment. And I think that the skill set issue is going to take another leap forward just because of that.
MR. HEALEY: And I think we are limited, though, in how much – how much classification sensitivity we have – we have around far too much of this stuff. You know, I mean, if we wanted to talk about the lessons learned from a 12-year-old cyber event – you know, one of the – one of the early espionage cases – can’t do it.
If – you know, if I’m – if I’m teaching, and I want to teach my students about a modern operation, about how a cyber-operation works, I’ve got to point to Google or something that Dmitri Alperovitch has done. The best that my government has equipped me with is, you know, a paragraph in an NCIX report. And that’s just – that’s just not enough for us to really be getting this – getting this across.
All right, let’s – OK, in the back there was next. And then Larry for just a minute – a minute. The gentleman here with the red lanyard – sorry.
Q: Timothy Walton with Delex Consulting, Studies and Analysis. Thank you very much for your remarks. You spoke about sort of a sense of blasé within the government maybe regarding the level of exploitation. And we hear for example how transportation commands on NIPR and – might not work if a war actually happens, et cetera. Did you have unbelievers or very strong organizations that resisted your efforts during your era? And do you think there are similar organizations today? Why? Thank you.
MAJ. GEN. BRYAN: I think one of the great accomplishments that General Campbell and his team in the early JTF was hammering home the realization that, when you drop a pebble in the pond, in a network, the world, eventually the ripple gets everywhere. Now maybe he didn’t say that, but that was always the way I looked at it. And the fact that they drove home the need for, when you issue IAVA – maybe we didn’t do it very well for a while, but everybody understood, as we continued to hone the process of causing change to occur to protect the networks faster and faster and faster – as the process got better, as the doctrine got better, the TTP got better – that whole mission got better.
I – initially people just didn’t understand what was at risk. They didn’t understand how much we depended on the networks and how at-risk our networks were if we didn’t do something about it. But I think you overcame that pretty quickly with your first team, Soup. And if we characterized the leadership as being blasé, I don’t – I don’t think that’s a fair characterization. It’s just that it took some time – it was a whole new mission area – took some time to – for people to understand.
MR. : Yeah, I don’t – I don’t – I don’t think the – I don’t think the government – I don’t think the Department of Defense is blasé about it. I’m talking about a larger view outside that, in business for instance. It’s – you know, for business that’s – that has that problem, the advanced persistent threat, it’s a – it’s a business decision and calculation of how you react to it. I mean, you can try to make yourself bulletproof if you want. That’s going to be really expensive and really hard and really inconvenient. Or you can just accept it as a fact of life.
And it seems to me, again, just reading the paper, that we’re sort of gravitating to the idea of, well, this is almost inevitable – you know, it’s just a – it’s just a cost of doing business. Recent stories about the costs associated with the additional features for the Joint Strike Fighter because of what had been compromised just through exploitation of intellectual property – I mean, that’s – to me that’s really kind of a disturbing mindset, I guess, is that this is something we just got to deal with, just got to live with. But maybe it – maybe it’s a fact of life. I don’t – I don’t think the department, though, takes that attitude.
MR. HEALEY: Something that has surprised me over time, though, is – I’m monitoring the halls of the – of the Pentagon now, and how often I meet people that say, well, this stuff started in 2005 and we finally get a DepSecDef that gets it. And we didn’t really realize prior to 2005 about how dependent we were on these networks. And you go back to Defense Science Board reports from ’95, not 2005.
And I’ve had people in the Pentagon say, oh, if someone says they were doing cyber before 2005 they’re full of it. And so I think, even though the – we’ve just heard the DOD does get it, they’re getting it fresh and they’ve gotten it in the past. And I hope that the getting-it now is going to mean that we don’t have more wake-up calls, because we’ve had a lot of wake-up calls now. And I hope the wake-up calls stop because we’re awake. We’ll see.
OK. Larry, the – I’m sorry to call – but I just loved this anecdote, if you know the one that I’m going to ask. And then we’re going to go Kristian in the front here, and Dan Kuehl over here.
MR. HEALEY: (Inaudible) – this is Larry Frank, who’s the director of operations – (inaudible) – JTF-CND.
Q: So I was General Campbell’s J-3. And the really funny part of that is, he really didn’t want me, but the Army forced me on him. And I think we did a good job, sir. I hope we – you think so too. Anyway. (Chuckles.) Anyway, so we had our first real big incident in the JTF-CND in about April, May of 1999. And it was Melissa, which was a macrovirus, Word – you know, document stuff. We generated a lot of work and scrambled around, and it took 48 hours for us to get warning out to the combatant commands, then called CINCs, and services and agencies. We recognized that was horrible. But it was the first time anybody’d done it at all, so I guess that wasn’t too bad.
In a – in the – then we stood up under Space Command in October. And the J-3 colonel at Space Command used to just beat me unmercifully about response time. And I kept telling him – you know, he kept trying to force the missile response model on us, and I kept pushing back, saying we weren’t really reacting to inbound nuclear missiles. I think this might be a little different.
But anyway, in April of 2000 we had I Love You, which very – you know, which seemed like déjà vu all over again. But by that point we had put together a red switch network, conference call capability, and had got our TTPs and all those things put together. Eighteen minutes from the time the watch got some notification that something was going on – we had enough understanding of what I Love You was about to be able to convene a conference call and tell the service agencies and combatant commanders, this is coming. You got to watch it; it’s – works like this.
And I can’t tell you that it protected a lot of people, because there is anecdotes about guys saying, gee, this is probably one of them virus things, and infecting their network. And, you know, the deputy commander of CENTCOM I think was the one that I heard, but that’s, you know, anecdotal. I don’t have any proof of that fact.
Anyway, I got a call from this colonel at Space Command saying, not fast enough. And my response was, fine, I give up. What’s the missile warning standard? We’ll go with that. And he said, 30 minutes. And I said, wait a minute. Inbound computer virus, 18 minutes is not fast enough; inbound nuclear missile, 30 minutes is. I think we – and he never said another word to me about response time after we had that discussion. But – so it’s – I guess it depends on your perspective and where you’re sitting at the time. But, you know.
MR. HEALEY: I always liked that anecdote. You always hear cyber is speed of light. But, you know, yes and no. Harry – did you have a two-finger on that one, Harry?
MR. HARRY RADUEGE: (Inaudible) – Soup will remember this. Is – let me tell you why you got that call – because Soup will remember this. General Eberhart was the commander of U.S. Space Command. And I was – we were out at a missile launch competition out at – in Vandenberg. And I was getting ready to go out to jog that morning before, and somebody told me, come on over to the NOSC. I think there’s this big event that’s happening.
And so I went over to the NOSC and it was the I Love You thing that was started in Germany and was moving across and had hit the East shore. And I gave Soup a call because General Eberhart didn’t know about it. And that was one of the things in our little procedures and processes that we didn’t have, you know – the combatant commander, the CINC at that time, didn’t know all this was going on. And I think that was where the breakdown – and that’s why you got the call from the J-3 saying that wasn’t fast enough.
MR. HEALEY: (Off mic) – have a two-finger back there, Jeff. And then we’re going to go to Kristian, because we can’t spend too much on this. We’re running out.
Q: (Off mic) – warning. SM20 was 20 seconds after the rise of – (inaudible). It was a missile alert –
MR. HEALEY: (Chuckles.) Mic, Jeff.
Q: SM30 message was, this is a missile warning message; and SM50, this is now a confirmed missile attack. Those were seconds, not minutes, counting above atmosphere. So 30 minutes from launch is, you know, not even close. You have 26 minutes of arrival time from most of Soviet Russia for an ICBM flying nominal trajectories.
MR. HEALEY: One of the things that struck me about when we – when – from the J3 was that they were using a same or similar call to warn about cyberviruses as they did for nuclear – for nuclear missile launches. And so the – I believe it was the exact same. So when the phone rang, you didn’t know if it was nuclear death coming or a – or a new virus.
OK. We’re going to go Kristian and then Dan and then Michael. And I think that’s it for the – for the questions, because we only have about five minutes left.
MR. : (Inaudible) – one quick 30-second color commentary to that. By the time the mission was at STRATCOM, Admiral – because the volume of activity was so high, Admiral Ellis basically said: Look, you’re the first commander in the chain who knows about it. You – I give you complete authority on my behalf to make decisions, because you just could not have to go up the chain – any time took too long. So the JTF commander, Admiral Ellis, was the one who said: It’s your mission, you do it.
MR. HEALEY: Right. Thank you. Thank you, sir.
Kristian Prikk, embassy of Estonia.
Q: Yeah. Thanks, Jay. I’m from the embassy of Estonia. And I think the only time the international partnerships were really mentioned was when General Bryan referred to the data sharing with the law enforcement agencies to catch the criminals. But could you sort of describe the attitude back at that time regarding international partnerships? Was the perception so that the area was so sensitive, and the allies or the partners were too, sort of, not developed? Or did anyone see any value in actually sharing information more with us?
MR. HEALEY: And let’s expand that even into NATO and things like that. Colonel?
COL. RHOADS (?): I can start – in fact, that was – I’m glad you mentioned that, because that reminded me of a – of a trip we took with Secretary Hamre. This was probably in fall of ’97, early ’98 maybe, once we had sort of worked through the – worked through the ER97 events, and has pulled out the lessons and had sort of extracted the implications. We took a trip – we went through – went to NATO and to several of the – of the partner countries in Europe at very high levels and walked through this whole thing and sort of laid out the way we saw the threat and the opportunities for partnerships going forward, because we clearly saw this as a – particularly where you have coalition operations.
As he used to say, you know, a vulnerability accepted by one is a risk – or risk accepted by all. So we’re clearly – clearly the need for partnership. And so I left before those took – you know, took root, but I think – and early on at least the (Hamre level ?), there was clearly a realization that this was – this was a coalition activity.
MR. HEALEY: And we had a – I mean, from the very, very early days, we had a Canadian officer fully integrated into the unit –
MR. : That’s a very good point.
MR. HEALEY: — from the very, very earliest days.
MR. : Yeah.
MR. : And it’s – and the other liaison officers that were at NSA and particularly at DISA were also sort of, you know, filling in that role as well in the JTFs. So –
MR. : There was international –
MR. HEALEY: Yeah. Yeah. Go ahead.
MR. : — there was international cooperation even back in horse and buggy days. I had Australia come out and spend two weeks with me talking about how to set up one of these particular type of units, and the U.K. – I was down talking all the time. Multiple times when working with the – General Campbell and the J-3, we had international partnerships going. Both sides of the mission also, we worked very closely with the allies. And after I had the urge of retiring from the government – from the military, I went over to the State Department. And I spent a whole year coordinating with all U.S. allies and –
MR. HEALEY: What year was that?
MR. : — conferences and things of sort – both critical infrastructure.
MR. HEALEY: Yeah. What year?
MR. : 2003 to (200)4.
MR. HEALEY: Mmm hmm. Yeah. Yeah. So we had two out of the original, you know, 30 or so that went on to State Department.
MR. : That was just a short time.
MR. HEALEY: OK. Dan Kuehl, National Defense University.
Q: Thanks. I’m going to make an assertion and – by way of analogy and ask you all to respond to it. And notwithstanding your comments about the importance of the user and the work force, which I think are spot-on, I’m going to argue that we’re really, really good right now at the cyberwarrior, at the tactical level, doing stuff with cyber. We’re getting, as you’ve all alluded to, really much better than we used to be at the cyberoperator, at putting this into, for example, military operations and plans, et cetera.
I’m going to say – argue that where we’re the weakest is at the strategy level. We don’t have a cyber-Mahan – all the Navy guys understand who Mahan is. We don’t have a cyber-Mitchell or Douhet – all the Air Force guys know who that is. And I’m going to suggest that until someone does that level of theoretical analysis, we’re not going to really come to grips with what cyber means at a strategic level to national security and national power. I ask you to respond to that.
MR. HEALEY: What an (into you ?) question. (Laughter.) Gentlemen?
MR. : — I think you’re right. I agree. I think part of the problem is that we – early on, we thought this was going to be the huge – a huge tool for us, a huge war fighting advantage. And it never really played out. And I think people just kind of got disillusioned with the idea that cyber was going to be the war-winning thing, that we then wouldn’t need other parts of the – of the machine.
I do think – I suspect we’ve gotten very good at integrating IO into – and cyber capabilities – into our – into our plans. And that’s great. But I think – I just don’t think we’ve got that center of gravity yet that says, hey, there’s going to be a cyber – just a cyberwar and we won’t need anything else.
MR. HEALEY: OK. And final question. I’m sorry we don’t have time for more. Go ahead, Michael.
Q: Hi. Michael Warner. I’m with U.S. Cyber Command. I’m the command historian there. In 2004, we took the offense and defense that had been put together under CNO, and we split them off under strategic command. Was that a step forward or a step backward or a step sideways? Or how would you view that? And why did that happen?
MAJ. GEN. BRYAN: (Off mic.) I was – I was the JTF commander who went to Admiral Ellis and said, look – he was – he was being very complimentary to us – how far we had come. He was in very close contact, I might add also, with General Eberhart, who had continued even after his retirement to stay very closely in touch with this mission through Admiral Ellis. And so Admiral Ellis was very complimentary of the fact that we had, I think, done a good job of professionalizing our support of theater combatant commanders, as well as the national leadership, in this area of offense. But it was taking an extraordinary toll on my personal time as a commander, and it was taking a toll on my staff, which was still measured in – literally I think we were up to, like, 150 or so people by that time from the 42 that JTF-CND had originally had. And because I had realized that when we had success in CNA, nobody – we couldn’t talk about it and nobody would know. Those who needed to know knew, but it wasn’t anything that was going to make the headlines. But if we failed in CND, I don’t think I was overstating when I said – would say, as Soup had said, the nation’s at risk. And I believed that to be true.
And so I had gone to Admiral Ellis and said, here’s what I’ve learned about having done this now for three years; I really need to spend my time as a JTF on the most important mission, which is the defense of the department’s networks, and therefore – and the very broad and important role we had with the infrastructure providers for our nation. That was a very important mission that we haven’t even talked about today, but that had taken on enormous impact.
And so I said, I think we need a separate attack organization and – at NSA, and oh, by the way, they want it so bad they can taste it. And the only thing that’s kept them at bay on this – because they were always after that mission – for the – (audio break) – I might add, because they had the exploit mission, they had accesses – was that they didn’t have the Title 10 authority. And so U.S. STRATCOM wrestled with who that Title 10 commander ought to be, and they looked at lots of alternatives. And eventually they settled on the director of NSA as the commander of their sub-unified command, known as Joint Task Force Net Attack, as that.
Well, when they decided that, then I said, well, the JTF commander who’s going to run the CND mission needs to have rank equivalency, and it needs to not be the vice director of DISA, but be the director of DISA. This is going to become a three-star-level mission. The defense commander can’t be outranked, frankly, at the end of the day, by the attack commander. And so that, and for lots of other good reasons, but that was one of the more important reasons.
So actually, on the date of my retirement from active duty, we actually inactivated JTF-CNO, activated JTF-GNO, had a change of command ceremony between General Raduege and me. So I guess I was commander for about 92 seconds of JTF-GNO. (Laughter.) Whatever time it took the sergeant major to exchange the flags on the podium. And then I retired.
But we actually had gone to the tank and gotten the approval to do that, because Admiral Ellis, being a very, very smart guy, knew this is not a – I can make this decision, but I think it’s a decision that I want the service chiefs involved in. And so it was actually a tank briefing to get the decision to make these changes within his combatant command.
And I think that that – I think that was the right decision. I’ll ask General Raduege to respond to that. I think it was the right decision for the time and the fact that JTF-GNO has now become U.S. – JTF-GNO and JTF-Net Attack has become U.S. Cyber Command, you know, is a waypoint on a journey that’s been under way now since 1995, really.
MR. HEALEY: I’m going to have to apologize to General Raduege. We’ll have to have this as a side conversation afterwards, because I’ve always kept you 10 minutes over. So my apologies, General Raduege, and apologies to everyone for going 10 minutes over.
So today we’ve heard about the first cyber commands. Everybody now knows about U.S. Cyber Command, but we learned today that actually that history goes back to 1998 for the first joint cyber war fighting command, the JTF-CND, and its follow-on, JTF-CNO, which brought in offense responsibilities. And that wasn’t even the first cyber commanders that it went back to 1995 for the 609th Information Warfare Squadron. And we heard essential continuity between a lot of the kinds of conflicts and workforce issues since then. And this is all — we’re all going to capture this as part of our archive and go into the book that we’re putting together. That will be out in 2013.
As a reminder, if you’re a student of this or a teacher or just interested, we will have $3,000 first prizes for the best case study that’s written on this. And you can talk to me or any of the Cyber Conflict Studies Association people.
The video from this, and transcript, will be posted online within the next day or two.
And with that, I just wanted to thank you for your questions, and please join me in thanking the panelists.