WHAT IS A CYBER WARRIOR? THE EMERGENCE OF U.S. MILITARY CYBER EXPERTISE, 1967-2018 (Continued)

Part 1: Going here

What Does an Operational Computer Network Defense Do?

But what exactly would the new task force do? The answer to this question was shaped not only by analysis of the results of Eligible Receiver, but also by distinctive conceptions of the kinds of expertise and work that might constitute “warfighting.” 170

Eligible Receiver demonstrated the need for improvements in both mitigating vulnerabilities and responding to threats. Some of the vulnerabilities were about poor security awareness and training: Personnel at targeted units gave out their passwords over the phone or left them in the trash to be discovered by dumpster divers. Other vulnerabilities were well-known technological weaknesses that nonetheless remained unmitigated. Threat-oriented defenses had also failed. In an after-action report on Eligible Receiver, the National Security Agency red team targeting officer noted that intrusion detection systems had worked well, but reporting on intrusions came two weeks late: “They now know that the horse is out of the barn after it burned down and the ashes are cold.” 171 He concluded, “We tend to fight everything by throwing technology and money at it and not spending the time it takes to get the people to learn how to use it effectively.” 172

These weaknesses suggested that the new computer network defense task force needed to address both vulnerability mitigation and threat response. And indeed, representatives from the Defense Information Systems Agency and the Joint Staff’s Command, Control, Communications, and Computing Directorate argued that the task force should include vulnerability assessment, red teaming, and other kinds of work to prevent successful intrusions. 173 However, according to an October 1998 background paper by Air Force Capt. Jay Healey, an intelligence officer in the Air Staff, efforts to prevent intrusions “are not part of the JTF’s [Joint Task Force’s] computer network warfighting role and have been strongly resisted by the Services.” 174 In a later briefing, Healey described computer network defense as outward-focused, engaging enemies, active, and requiring operational expertise. By contrast, he depicted information assurance as inward-focused, not engaging enemies, passive, and requiring network management expertise. 175 Consistent with the services’ preference for a warfighting focus, Healey noted that the task force would be “staffed mostly by traditional operators (pilots, combat arms, etc.), relying on DISA [the Defense Information Systems Agency] for technical comm-computer expertise.” 176 Specifically, the task force was projected to consist of 19 billets, 10 of which were dedicated to operations, four to communications, and five to intelligence. 177

Eligible Receiver demonstrated the need for improvements in both mitigating vulnerabilities and responding to threats. Some of the vulnerabilities were about poor security awareness and training: Personnel at targeted units gave out their passwords over the phone or left them in the trash to be discovered by dumpster divers.

This tiny task force functioned by leveraging technological expertise within the Defense Information Systems Agency and the services, as well as contractors. By 2000, it was composed of about one-third contractors, one-third military personnel, and one-third government civilian personnel.178 The services were each tasked with designating component forces and an associated commander that the Joint Task Force would have authority to coordinate and direct. Consistent with the emphasis on responding to threats, each of the services drew on its computer emergency response teams and information warfare units from its respective intelligence organizations.179 The Defense Department’s computer emergency response team was also placed under the Joint Task Force-Computer Network Defense.180

The operational focus was partly driven by the need to persuade war fighters of the value of this new activity. As Campbell recalls:

[I]f you’re going to have any credibility with the war fighters, you had to have operational people… . We thought the best approach was to start with people who had some credibility in the operational side of the house, and then provide them with training and additional help that they needed to be technically proficient. 181

For example, some members of the task force took courses provided by James Madison University, which, in May 1999, was certified by the National Security Agency as one of seven initial Centers of Academic Excellence in Information Assurance. 182

Although the Joint Task Force-Computer Network Defense was initially chartered as a defensive organization, by January 1999, the Joint Chiefs of Staff had agreed that it would become part of U.S. Space Command and that it would integrate both offensive and defensive operations. 183 The task force remained physically co-located at the Defense Information Systems Agency, and the commander of the joint task force was made its vice director, allowing the task force to leverage the technical expertise at the agency. But members of the task force continued to distinguish their work from the technical support focus of the Defense Information Systems Agency. In October 1999, Army Col. Larry Frank, the chief of the task force’s operations division, asserted, “We bring an operational focus” to defense and “We don’t fix computers.” 184

The joint task force’s charter in December 1998 made it “responsible for coordinating and directing the defense of the Department of Defense’s computer systems and computer networks,” a potentially enormous range of activities. 185 However, many vulnerability mitigation activities were effectively delegated to the Defense Information Systems Agency or the services’ communications organizations. For example, the Defense Information Systems Agency developed the Information Assurance Vulnerability Alert process, wherein all of the Defense Department’s systems administrators were required to receive, acknowledge, and report on their compliance with vulnerability alerts. 186

Nonetheless, in briefings before Congress, Campbell explicitly included red teaming and the Information Assurance Vulnerability Alert process within the category of “operations,” alongside the Joint Task Force-Computer Network Defense. As this suggests, the concept of computer network operations was beginning to broaden, despite the task force’s threat-oriented focus. And yet, this expanding concept of operations still excluded certain forms of vulnerability mitigation, such as training and certifying systems administrators and users. 187

The Rising Status of Joint Cyber Operations and Service Responses

Computer network operations, both defensive and offensive, grew in influence, size, and authority in the 20 years following the establishment of the Joint Task Force-Computer Network Defense. That task force became the Joint Task Force-Computer Network Operations in 2000, when it assumed responsibility for both offensive and defensive operations. 188 After the terrorist attacks of Sept. 11, 2001, operations in Afghanistan and Iraq underscored the importance of defense. Thus, in 2004, the joint task force was returned to its initial defensive focus, with the new name, the Joint Task Force-Global Network Operations. 189 Offensive operations were moved to a new Joint Functional Component Command-Network Warfare within the National Security Agency. Both defensive and offensive components were commanded by Strategic Command, which had taken over several functions of Space Command when the latter dissolved in 2002. 190

But the Joint Task Force-Global Network Operations did not discover the first known breach of classified U.S. military networks in October 2008. Instead, it was the National Security Agency’s Information Assurance Directorate that first detected the problem and within a day had devised a software solution to neutralize it (although implementing that solution across all of the Defense Department’s networks would take well over a year). 191 The National Security Agency’s rapid response to the problem — code-named “Buckshot Yankee” — bolstered its case for unifying computer network attack and defense under the agency’s authority. In June 2009, Secretary of Defense Robert Gates announced the formation of U.S. Cyber Command, a unified command under Strategic Command that merged the Joint Task Force-Global Network Operations and the Joint Functional Component Command-Network Warfare. He also announced his intention to make the director of the National Security Agency dual-hatted as a four-star commander of U.S. Cyber Command. 192 After decades of arguing for the importance of computer network operations, leaders in the intelligence community had finally gained the authority of a combatant command.

The services were all instructed to designate component commands, which were expected to be three-star commands. Additionally, in late 2012, U.S. Cyber Command began establishing standard training requirements to be used in building cyber mission forces — some 133 teams. These teams would be comprised of more than 6,200 personnel and would support Cyber Command’s three primary missions: defending Defense Department networks, supporting combat operations, and defending the United States from cyber attacks with national security implications. 193

The following sections show how the elevation of joint computer network operations galvanized the services to elevate the professional and organizational status of computer network expertise. This process was slow and difficult because it entailed reorganizing existing organizations, career fields, and training programs — particularly those associated with signals intelligence and communications — to give them greater warfighting status. Ultimately, some kinds of expertise, particularly threat-oriented expertise that tended to reside within signals intelligence communities, were more readily promoted into an operational role than the technology-oriented expertise of communications and computing communities.

Air Force: Transforming Communications into “Operations”

Just as in the 1990s, the Air Force remained the most eager of the services to establish cyberspace as a warfighting domain. In November 2005, it revised its mission statement to include “to fly and fight in air, space and cyberspace.” 194 In 2006, the Air Force also began to centralize its acquisition and management of computer networking, recognizing that many of its vulnerabilities resulted from decentralization and the associated lack of enforcement of strong security standards. 195

However, the Air Force Communications Agency was not put in charge of centralizing computer networking. Instead, in July of 2006, the Air Force established a new Network Operations Command under the 8th Air Force — the previous home of the 609th Information Warfare Squadron — within Air Combat Command. 196 At the same time, the 67th Information Operations Wing, which, as noted previously, inherited many of the tasks assigned to the 609th squadron, was renamed the 67th Network Warfare Wing. Its responsibilities were explicitly expanded to include attack, and its defensive role also increased as the wing took control of network operations and security centers that had previously been dispersed across 10 different locations, serving 17 different units. 197

In November 2006, the Air Force announced plans to establish a major cyberspace command under the 8th Air Force “that stands alongside Air Force Space Command and Air Combat Command.” 198 The Air Force also began planning for a new career field that would “ensure a full career with full opportunities for advancement to the highest ranks of the Air Force.” 199 The new field would draw on specializations within four existing fields: communications, intelligence, electronic warfare, and space. 200

However, these plans slowed significantly after 2007, when nuclear mismanagement led to the 8th Air Force being put in charge of all nuclear operations and nothing else, leaving the proposed command without a home. 201 The Air Force nonetheless established the headquarters of Air Force Cyber Command (Provisional), which began planning for a more permanent home for the Air Force’s cyber command. 202 In 2008, the provisional command proposed creating a three-star command consisting of a headquarters, a numbered Air Force, and four wings: the 67th Network Warfare Wing; 688th Information Operations Wing (which had evolved from Air Force Information Warfare Center); 689th Cyber Wing (a reactivated unit that had been retired when the Air Force Communications Command was demoted to a field operating agency); and a new 450th Electronic Warfare Wing. 203 In 2009, the Air Force followed through on this proposal by activating the 24th Air Force/Air Forces Cyber as a three-star command under Space Command, which would also serve as the Air Force component to U.S. Cyber Command. 204 Additionally, the Air Force Communications Agency was put under Space Command and renamed the Air Force Network Integration Center so that it could better support the 24th Air Force. 205

On April 30, 2010, the entire communications and information officer field, which included over 3,000 officers, changed to a new cyberspace officer field. This marked an explicit shift from a support field to an operational field, but many legacy support functions remained.

Thus, the Air Force built its operational Cyber Command upon the earlier work of intelligence organizations — particularly the 67th Network Warfare Wing and the 688th Information Operations Wing — while keeping communications organizations in a support role. However, when the Air Force finally established a new cyber operations career field, it drew most heavily on the communications career field. This was not because such personnel were seen as the natural operators, but because Air Force Combat Command was unwilling to surrender its electronic warfare personnel to the new field and the Air Force Intelligence, Surveillance and Reconnaissance Agency (formerly the Air Intelligence Agency) was unwilling to lose personnel to a field that it would not control. By contrast, computing-communications personnel were eager to raise their status by becoming the core of a new career field in cyber operations. 206

On April 30, 2010, the entire communications and information officer field, which included over 3,000 officers, changed to a new cyberspace officer field. 207 This marked an explicit shift from a support field to an operational field, but many legacy support functions remained. 208 The cyberspace and information officer field quickly became a very broad career field that included both vulnerability reduction roles (e.g., DODIN operations) and threat-oriented roles (e.g., offensive and defensive cyber operations). 209 Personnel could also enter cyberspace operations through intelligence specializations. 210

However, Air Force officers continue to view threat-oriented roles as preferable to vulnerability-oriented roles, by virtue of their greater warfighting status. For example, in 2013, 1st Lt. Robert Lee, a cyber team leader in the Air Force Intelligence, Surveillance, and Reconnaissance Agency, argued against categorizing the roles of establishing, maintaining, and overseeing networks as “operations,” i.e., warfighting. He recognized that these vulnerability-oriented roles were very important, and “maybe even more important than a defense operator’s role when done correctly.” But he insisted on differentiating them from operational defense: “Applying vendor-issued software patches is not defense; it is maintenance.” 211 Lee argued that combining these different kinds of activities into a single career field, with a single training pipeline, undermined the Air Force’s ability to develop both kinds of expertise.

Similarly, in a recent survey of the Air Force’s cyberspace operations officers (17D), one officer asserted that “all 17Ds should be executing cyber operations, whether on the offensive line or defending a weapon system. Not supporting and maintaining.” 212 Another criticized senior Air Force leadership for not understanding “that cyberspace operations = maintaining the network, i.e., email.” 213 Yet another argued that they were “making ‘support’ and ‘maintenance’ dirty words by calling everything ‘operations,’ and the true operational community sees that a huge portion of what we do is support or maintenance, and our marketing campaign costs us credibility.” This officer argued for the need to both be honest with officers in this field about the kind of work they would probably be doing and to build “understanding and appreciation for how critical cyber support and maintenance are for EVERY other mission area.” 214

Navy: Organizing an Information Warfare Community

The Navy began consolidating its computer networks even earlier than the Air Force, recognizing significant inefficiencies and vulnerabilities associated with decentralization. In October 2000, it awarded a contract for the development of the Navy Marine Corps Intranet, which would merge up to 200 different networks, many of which were not interoperable, into a single seamless network. 215 By 2004, the Navy intranet had reduced the number of distinct applications from 90,000 to 10,000. The secretary of the Navy noted that the “most deficient aspect” of legacy information technology was insecurity, acknowledging that it “was insecure because we bought it and built it that way.” 216 This was a management as well as an acquisition problem: “It wasn’t just that we weren’t following our own rules; in many cases we weren’t even aware of them.”217 The Navy also greatly underestimated the complexity of its networks, which slowed the deployment of the intranet considerably. Efforts to speed up the process alienated many of the system’s users and created problems. Nonetheless, by 2006, the Navy Marine Corps Intranet had consolidated over 1,000 legacy networks and had greatly improved security. 218

The Navy also centralized security management by consolidating commands responsible for communications and computing. In 2001, it merged the Naval Computer and Telecommunications Command with the Task Force-Navy Marine Corps Intranet, forming a new Naval Network Operations Command. The following year, elements of that command and the Naval Space Command were incorporated into a new Naval Network and Space Operation Command. 219 On May 1, 2002, the Naval Network Warfare Command was established as a three-star flag-rank command. Subordinate commands included the Naval Network and Space Operation Command, the Fleet Information Warfare Center, and the Navy Component Task Force-Computer Network Defense. 220 The Navy’s Computer Incident Response Team was moved from Fleet Information Warfare Center to the Navy Component Task Force-Computer Network Defense in 2003 and became the Navy Cyber Defense Operations Command in January 2006. 221

The establishment of the Naval Network Warfare Command expanded the authority and responsibilities of the Navy’s communications-computing personnel. While the Naval Network Warfare Command was a type command, meaning that it managed training for a particular kind of weapons system (cyber), it was also an operational command. For example, it included the Navy’s component of the Joint Task Force for Computer Network Operations, which conducted both defensive and offensive operations. Network Warfare Command was initially staffed primarily by information systems technicians (enlisted) and information professional officers. 222

However, the commander of the Naval Security Group and other leading cryptologists saw an opportunity in the growing prominence of computer network operations. 223 As a result, in 2005, the Naval Security Group was transformed into the new Information Operations Directorate within Network Warfare Command, and the Naval Security Group’s detachments and activities became Navy Information Operations Commands within the Information Operations Directorate. 224 For example, the Naval Information Warfare Activity became the Naval Information Operations Command in Suitland, Maryland. 225 Around the same time, the Navy restructured the cryptology career field to emphasize the growing importance of computer network operations. In 2004, the secretary of the Navy approved a new enlisted rating, cryptologic technician networks, and converted over 240 enlisted information technology specialists into the new specialization. 226 The following year, naval cryptology officers were redesignated as information warfare officers, a move intended to acknowledge their “expanded skill sets and responsibilities” associated with information operations. 227

The Navy considered making more dramatic changes to professionalize cyber operations as something distinct from both communications and cryptology. In 2008, the Strategic Studies Group XXVI, an elite group of naval officers commissioned by Chief of Naval Operations Adm. Michael Mullen in 2006 to study the impacts of cyberspace on naval operations, delivered a report concluding that in order to “fight and win,” the Navy should create “a Cyber Warfare Community comprised of warriors equal in every way to those who operate in traditional warfighting domains.” 228 The report, which had been commissioned by Mullen two years earlier, argued that cyberspace officers should be trained “to be warfighters, not administrators” —individuals who possessed not only technical skill, but also the ability to command in a manner equal to commanders in the traditional areas of surface, subsurface, and air warfare. 229

However, these recommendations were rejected. Both Mullen and the succeeding chief of naval operations, Adm. Gary Roughead, viewed cyberspace as just one component of a much broader problem in managing intelligence and information. 230 This view was supported by the Navy’s cryptologic community, which saw cyber operations as part of cryptology. 231

Nonetheless, with the establishment of U.S. Cyber Command and associated directives to supply component forces, the Navy did elevate cyber operations. In 2009, it reactivated the 10th Fleet, which had played a critical role in anti-submarine warfare during World War II, making it Fleet Cyber Command, the Navy component of U.S. Cyber Command. By reactivating the 10th Fleet, the Navy underscored that “victory will be predicated on intelligence and information rather than fire power.” 232 The Navy moved all network organizations under Fleet Cyber Command/10th Fleet, including Network Warfare Command. But to emphasize the warfighting role of the new command, its first commander was Vice Adm. Barry McCullough, a seasoned surface warfare officer — not a cryptologist or communications-computing specialist. 233

Despite this elevated status, Navy personnel specializing in cyber operations have yet to gain the full opportunities available to traditional warfighters.

With growing demand for personnel with skills in computer network operations, the Navy also reorganized and elevated relevant career fields. In 2010, the Navy created the cyber warfare engineer specialization. 234 Officers were directly commissioned into this new specialization based on records of excellence in academic computer science and engineering and were required to serve for a minimum of six years. After that, they would be encouraged to transfer to another community within the Information Dominance Corps, a new career field also established in 2010. The cyber warfare engineer became one of five specializations within the corps. The other four were meteorology and oceanography, information warfare, information professional, and intelligence. 235 Perhaps most significantly, in 2010, the Navy made information dominance a warfare specialization with an associated qualification process and associated pin — something support fields typically lacked. 236 In 2016, the Information Dominance Corps was renamed the Information Warfare Community to further “mainstream information warfare as one of four predominate warfare areas.” 237

Despite this elevated status, Navy personnel specializing in cyber operations have yet to gain the full opportunities available to traditional warfighters. In general, officers within the Information Dominance Corps are restricted line officers, which means they are not eligible for command at sea. 238 Some have called for an unrestricted line officer cyber warfare community that might “evolve from its historic support role to an operationally proactive and predictive role.” 239 Cyber warfare engineers must change specializations after their six-year service term, which means they cannot advance above the rank of lieutenant. 240 Arguably, the limitations have been most significant within the information professional community — the Navy’s network maintainers. Information professionals saw dwindling command billets in the new millennium, not only due to technology and mission changes but because of civilian outsourcing. 241 The information warfare community, which conducts defensive and offensive cyber operations, does not seem to have seen a similar reduction in command billets. 242 This suggests that individuals specializing in threat-oriented work continue to have more opportunities than those engaged in vulnerability reduction and maintenance work.

Army: Intelligence, Communications, and the Creation of Cyber Branch.

Like the Navy, by the late 1990s, the Army recognized that security and efficiency both demanded a more centralized approach to computer network procurement and management. While the Army did not participate in Operation Eligible Receiver, it “got religion” after Solar Sunrise revealed that it had no effective means of monitoring its networks for intruders. 243 In response, U.S. Army Signal Command was tasked with developing intrusion detection systems. In 2002, Signal Command was absorbed by a new Network Enterprise Technology Command at Fort Huachuca, AZ, which was established to centralize the acquisition and management of the Army’s computer networks.

The new command was tasked with centralizing situational awareness and helping to defend networks, and it worked with U.S. Army Intelligence and Security Command to establish distinctive responsibilities for defense. 244 The Army’s Network Operations and Security Center was part of the Network Enterprise Technology Command, but the former was co-located with the Army’s Computer Emergency Response Team at Fort Belvoir, VA so that the response team could provide the center “direction without command” and help to coordinate network defense. 245 Communications and intelligence commands thus came to share some responsibility for threat-oriented approaches to defense.

However, intelligence units continued to play the leading role. In 2002, Land Information Warfare Activity became the 1st Information Operations Command, with two battalions. The first consisted of field support teams and vulnerability assessment teams, and the second focused on computer network operations. The second battalion developed considerable expertise, in no small part by relying heavily on contractors. By the mid-2000s, it consisted of only eight active-duty personnel, supplemented by about 190 contractors, 30 government civilians, and 60 reservists. 246

Intelligence and Security Command’s signals intelligence group, the 704th Military Intelligence Brigade, had been tasked with developing a computer network operations capability even earlier, in 1998. B company from the 742nd Military Intelligence Battalion took on this challenge. In June 2000, it became Detachment Meade. 247 Initially, Detachment Meade had trouble filling positions. Of an initial group of about three dozen people, only about half were technically qualified. 248 Nonetheless, in the early 2000s, Detachment Meade grew rapidly, both in response to growing demand for cyber effects in the “War on Terror” and with the encouragement of Keith Alexander, who as a major general served as director of Intelligence and Security Command from 2001 to 2003 and who then as lieutenant general became the Army’s Deputy Chief of Staff for Intelligence from 2003 to 2005. 249 After Alexander became the director of the National Security Agency in 2005, and as cyber operations continued to grow in national importance, Detachment Meade went through several organizational changes that increased its prominence. In 2009, it became the 744th Military Intelligence Battalion (also known as the Army Network Warfare Battalion). 250

The rise of joint cyber operations further elevated the status of these activities. In 2009, Secretary of Defense Gates directed the services to establish component support to U.S. Cyber Command. 251 Both Intelligence and Security Command and Network Enterprise Technology Command lobbied for ownership of the new mission, recognizing that it would come with substantial resources and an increase from two- to three-star status. However, Network Enterprise Technology Command was seen as lacking the threat-focused orientation needed for an operational command. 252 In fact, it was reportedly inconsistent in cooperating with the Army’s computer emergency response team to remediate vulnerabilities or otherwise respond to network incidents, likely because such actions could temporarily reduce network availability and otherwise inconvenience users — the primary focus of maintainers. 253

Thus, Network Enterprise Technology Command was not given the cyber operations mission, but rather was put under the operational control of Army Cyber Command, a new unit established in October 2010 at Fort Belvoir, VA, home to both the Army’s Computer Emergency Response Team and the Army Network Operations and Security Center. 254 While both of Intelligence and Security Command’s cyber-operational units — the 744th Military Intelligence Battalion and 1st Information Operations Command — were also put under the operational control of Army Cyber Command, they stayed under the administrative control of Intelligence and Security Command, which remained independent of Army Cyber Command. 255 In 2011, the 744th Military Intelligence Battalion was reorganized as the 781st Battalion and placed under a new unit, the 780th Military Intelligence Brigade, within Intelligence and Security Command. 256

As the scale of joint cyber operations grew, so did the need for trained personnel, spurring the Army to create new specializations. 257 The Army’s signals branch created the information protection technician warrant officer in 2010, and the cyber network defender enlisted specialization in 2014. Similarly, the intelligence branch created the cryptologic cyberspace intelligence collector in 2012. In 2014, the Army finally created a new Cyber Branch, with three initial specializations: cyberspace officer, cyber operations technician (warrant officer), and cyber operations specialist (enlisted). 258 In 2014, the Army announced the new cyber branch as one “that will take its place alongside infantry, artillery and the other Army combat arms branches.” 259

Thus, while Army cyber operations gained considerable status after the establishment of Cyber Command, threat-oriented roles continue to have greater warfighting status than vulnerability-oriented roles.

Consistent with the tendency to treat threat-oriented activities as more akin to combat than vulnerability-oriented activities, it was Cyber Branch that became “a maneuver branch with the mission to conduct defensive and offensive cyberspace operations (DCO and OCO).” 260 By contrast, the Army’s information protection technician warrant officers, an operations support field, conduct DODIN operations — activities that tend to be oriented toward reducing vulnerabilities. 261 Cyber network defenders, also a support field, conduct vulnerability assessments and other kinds of infrastructure support work, although they also conduct incident response, a threat-oriented activity. 262 Thus, while Army cyber operations gained considerable status after the establishment of Cyber Command, threat-oriented roles continue to have greater warfighting status than vulnerability-oriented roles.

Conclusion

Developing military cyber expertise has entailed much more than simply developing a supply of personnel with specialized skills, knowledge, and abilities. It has also involved persuading traditional warfighters of the critical importance of cyber skills, knowledge, and abilities and elevating certain work roles within organizational hierarchies. In other words, the relationships between and among distinctive kinds of cyber experts, other military personnel, and the computer networks with which they all must work to achieve operational goals had to undergo a transformation.

Key leaders in military operational and intelligence communities achieved this transformation by framing cyber operations as a kind of warfighting in their own right, rather than as being merely operations support. The leaders developed concepts of cyberspace and cyber operations that were analogous to well-accepted concepts of kinetic operations. Leaders in the intelligence community grew particularly adept at using exercises to demonstrate the potential impact of cyber attacks on warfighting. Incident response teams made visible that these types of attacks were increasing. These efforts succeeded in formally raising the status of cyber offense and defense, culminating in the 2018 elevation of U.S. Cyber Command to become the nation’s 10th Unified Combatant Command.

Even as they highlighted the growing threats in cyberspace, leaders in the intelligence community recognized that such threats could not be successful unless there were vulnerabilities, which were partly of the Defense Department’s own making. While the Department of Defense succeeded in improving the security of commercial products, those products could be, and often were, deployed and managed in insecure ways. Many Defense Department intrusions were enabled by errors in network management and maintenance. But in the 1990s, most communications and computing personnel did not know how to configure and manage networks securely and had no immediate incentive to do so. The efficient mitigation of vulnerabilities was enhanced by some technological and organizational innovations, such as vulnerability scanning tools and the Information Assurance Vulnerability Alert process. But ultimately, these were innovations in the service of better management and maintenance. This history has thus highlighted the importance of maintenance as much as it has innovation.

By 2013, Joint Publication 3-12, “Cyberspace Operations,” explicitly included maintenance in its definition of DODIN operations. This was reiterated when the publication was reissued in 2018. Joint doctrine defines these operations in terms of mitigating a wide range of vulnerabilities, both technological and human. For example, DODIN operators are charged with training everyday users in good security practices as well as operating firewalls. However, as discussed above, these operations continue to be seen by many as lower in status than threat-focused activities, i.e., defensive and offensive cyber operations. This status difference is most visible in the Air Force, due to DODIN operations being placed in the same career field with defensive and offensive cyber operations. Yet it is also visible in subtler ways in the Navy and the Army, where vulnerability-oriented roles tend to have less warfighting status and fewer opportunities for command.

This paper does not take a position on whether vulnerability mitigation should or should not be considered a kind of warfighting. Rather, my aim has been to analyze the historical process by which such activities came to be officially included in the scope of operations and how the cultural status of varying forms of cyber expertise has evolved over time. I have also sought to highlight the importance of vulnerability mitigation, regardless of its “warfighting” status.

Evidence suggests that vulnerability mitigation continues to be less of a priority than it should. In September 2015, the chairman of the Joint Chiefs of Staff and the secretary of defense launched a Cybersecurity Culture and Compliance Initiative, noting that “roughly 80 percent of incidents in the cyber domain can be traced to three factors: poor user practices, poor network and data management practices, and poor implementation of network architecture.”263 The initiative directed Cyber Command and the Department of Defense chief information officer to complete 11 tasks, including developing leadership training materials for combatant commanders and other units, establishing training requirements for providers of equipment and services, and recommending specific changes to technological capabilities for patching vulnerable systems. The initiative also directed all combatant commanders to introduce certain security principles into training, thereby reducing human vulnerabilities.

One month later, the commander of Cyber Command and the Defense Department chief information officer went further by creating a Cybersecurity Discipline Implementation Plan, arguing that Defense Department networks were “not defendable.” 264 They noted “an unacceptable number of unpatched vulnerabilities,” and gave commanders and supervisors responsibility for verifying that “all servers and network infrastructure devices” were compliant with the Information Assurance Vulnerability Alert process. This was just one of 17 tasks assigned to commanders and supervisors. Finally, consistent with Defense Department directives for information assurance training, the Defense Information Systems Agency in 2015 launched the Cyber Awareness Challenge training program to reinforce “best practices” among service members, civilians, and contractors. 265

However, in 2020, the U.S. Government Accountability Office identified significant shortcomings in the implementation of each of these three programs. Seven of 11 tasks in the Cybersecurity Culture and Compliance Initiative were still not completed, despite 2016 deadlines. Four tasks in the Cybersecurity Discipline Implementation Plan were difficult to complete because of legacy equipment, and the status of another seven tasks was unknown because no one had been assigned responsibility for ensuring their completion. Similarly, units did not keep track of which computer users did or did not take the Cyber Awareness Challenge training. 266 In 2019, the Defense Department’s inspector general concluded that the Defense Department had not consistently remediated vulnerabilities discovered by cyber red teams. 267

By establishing DODIN operations as a kind of warfighting, along with offensive and defensive cyber operations, the Defense Department has sought to raise the status of vulnerability remediation and those who manage it. But ultimately, vulnerabilities cannot be completely eliminated by even the most expert of cyber forces. Rather, the complete elimination of vulnerabilities would require a transformation of everyday users — individuals who are not cyber experts but nonetheless can compromise systems by careless practices. Recognizing this problem, some officials have sought to frame everyday computer network users as warfighters.

In 2009, the Air Force began advocating the “Rise of the Cyber Wingman” philosophy, outlining 10 principles that all Air Force personnel should observe, and arguing that “every Airman is a defender in cyberspace.” 268 By 2012, the Marines had come to consider “every Marine a cyber warrior” and instituted a cyber security training regimen analogous to its well-known mantra, “every Marine a rifleman.” 269 A recent critical review of Navy cyber security, commissioned by the secretary of the Navy after multiple breaches, concluded that the “workforce is generally uneducated in cybersecurity, largely complacent,” and tends to see cyber security “as an ‘IT issue’ or ‘someone else’s problem.’” 270 As a result, the review explained, “cybersecurity is undervalued, and often used as a bill-payer within programs of record.” 271 It proposed that the Navy inculcate an “Every Sailor a Cyber Sentry” mindset. 272 And a recent article entitled “Every Warrior a Cyber Warrior” argues for improving Army cyber security education because “every U.S. Army soldier must be ready to fight on the digital battlefield.” 273 Whether these metaphors will ultimately be persuasive, however, remains to be seen.

Rebecca Slayton is associate professor at Cornell University and is jointly appointed in the Science & Technology Studies Department and the Judith Reppy Institute for Peace and Conflict Studies. Her first book, Arguments that Count: Physics, Computing, and Missile Defense, 1949–2012 (MIT Press, 2013) shows how the rise of computing as a new field of expertise reshaped public policies and perceptions about the risks of missile defense in the United States. She is currently working on Shadowing Cybersecurity, a book that examines the history of cyber security expertise through the interplay of innovation and repair.

Acknowledgements: Thanks go to Captain Jason Healey for very informative emails and contacts and for donating documents to the National Security Archive. I also thank Gen. John Campbell for email correspondence about the formation of the JTF-CND and Col. Walter Rhoads and Capt. William Gravell for granting me phone interviews and email correspondence that answered numerous questions about their work. I am also grateful to Herb Lin for sharing a copy of the partially declassified 1992 Directive on Information Warfare. I thank two anonymous reviewers and Doyle Hodges, the executive editor of Texas National Security Review for constructive criticism that improved this paper. Finally, I thank Megan Oprea, managing editor of Texas National Security Review, for carefully reviewing and improving the clarity and accessibility of the manuscript.

ENDNOTES:

1. Jim Garamone, “Cybercom Now a Combatant Command, Nakasone Replaces Rogers,” DOD News, May 4, 2018, https://www.defense.gov/Explore/News/Article/Article/1512994/cybercom-now-a-combatant-command-nakasone-replaces-rogers/.

2. I am using terms such as “cyber warfare” and “cyber warrior” colloquially. I do not mean to imply that what they do qualifies as “war” as war is understood in international law. The term “cyber warrior” has been used broadly to refer to a wide range of career specializations within the military.

3. For discussion of the warfighting identity of missileers, see George L. Chapman, "Missileer: The Dawn, Decline, and Reinvigoration of America's Intercontinental Ballistic Missile Operators," Master's Thesis, Air University, 2017, https://apps.dtic.mil/dtic/tr/fulltext/u2/1045804.pdf. On drones and warfighting, see P. W. Singer, Wired for War: The Robotics Revolution and Conflict in the 21st Century (New York: Penguin Press, 2009) and Hugh Gusterson, Drone: Remote Control Warfare (Cambridge, MA: MIT Press, 2016). Air Force pilots continue to be the butt of jokes implying that they are not tough enough, as compared to marines. For example, see Mark Thompson, "Petraeus Zinger Wounds Air Force Egos," Time, Aug. 21 2009, http://content.time.com/time/nation/article/0,8599,1917841,00.html.

4. William Newhouse et al., National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, National Institute of Standards and Technology, Publication 800-181, August 2017, https://doi.org/10.6028/NIST.SP.800-181. The framework consists of seven broad functions, 33 areas of work, and 52 work roles. Each of the work roles consists of specific tasks and requires specialized knowledge, skills, and abilities. Altogether, the framework lists 1,007 tasks, 630 kinds of knowledge, 374 kinds of skills, and 176 abilities.

5. Jeffrey R. Jones, “Defense Department Cyber Requires Speed, Precision and Agility,” Signal, May 1, 2019, https://www.afcea.org/content/defense-department-cyber-requires-speed-precision-and-agility.

6. “Joint Publication 3-12: Cyberspace Operations,” Joint Chiefs of Staff, June 8, 2018, II-2–II-3. The definition does exclude “actions taken under statutory authority of a chief information officer (CIO) to provision cyberspace for operations, including IT architecture development; establishing standards; or designing, building, or otherwise operationalizing DODIN IT for use by a commander.” See page II-2.

7. Jason Healey, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, Kindle ed. (Vienna, VA: Cyber Conflict Studies Association, 2013) and Gregory J. Rattray, Strategic Warfare in Cyberspace (Cambridge, MA: MIT Press, 2001).

8. See, for example, “Security in Cyberspace,” Hearings Before the Committee on Governmental Affairs, U.S. Senate, 104th Congress, 2nd Session, 1996 and “Department of Defense Authorization for Appropriations for Fiscal Year 2001 and the Future Years Defense Program, Part 5: Emerging Theats and Capabilities,” Senate Armed Services Committee, 106th Congress, 2nd Session, 2000.

9. Fred Kaplan, Dark Territory: The Secret History of Cyberwar (New York: Simon & Schuster, 2016); Thomas Rid, Rise of the Machines: A Cybernetic History (New York: W.W. Norton & Company, 2016); Myriam Dunn Cavelty, Cyber-security and Threat Politics: US Efforts to Secure the Information Age (New York: Routledge, 2007); Michael Warner, "Cybersecurity: A Pre-history," Intelligence and National Security 27, no. 5 (2012), https://cyberdefensereview.army.mil/CDR-Content/Articles/Article-View/Article/1136012/notes-on-military-doctrine-for-cyberspace-operations-in-the-united-states-1992/; and "Notes on Military Doctrine for Cyberspace Operations in the United States, 1992-2014," updated Aug. 27, 2015.

10. Sarah P. White, “Subcultural Influence on Military Innovation: The Development of U.S. Military Cyber Doctrine,” Harvard University, 2019, http://nrs.harvard.edu/urn-3:HUL.InstRepos:42013038. White defines doctrine broadly to include “personnel management processes, organizational reform, and conceptual development.” See page 5.

11. David Edgerton, The Shock of the Old: Technology and Global History Since 1900 (London: Profile Books, 2007); Andrew L. Russell and Lee Vinsel, "After Innovation, Turn to Maintenance," Technology and Culture 59, no. 1 (January 2018): 1–25, https://doi.org/10.1353/tech.2018.0004; and Rebecca Slayton and Brian Clarke, "Trusting Infrastructure: The Emergence of Computer Security Incident Response, 1989-2005," Technology and Culture 61, no. 1 (January 2020): 173–206, https://doi.org/10.1353/tech.2020.0036.

12. The literature on military innovation is vast. Some key works include the following: Barry R. Posen, The Sources of Military Doctrine: France, Britain, and Germany Between the World Wars (Ithaca, NY: Cornell University Press, 1984); Stephen Peter Rosen, Winning the Next War: Innovation and the Modern Military (Ithaca, NY: Cornell University Press, 1991); Kimberly Martin Zisk, Engaging the Enemy: Organization Theory and Soviet Military Innovation, 1955–1991 (Princeton, NJ: Princeton University Press, 1993); Carl H. Builder, The Masks of War: American Military Styles in Strategy and Analysis (Baltimore, MD: Johns Hopkins University Press, 1989); Dima Adamsky, The Culture of Military Innovation: The Impact of Cultural Factors on the Revolution in Military Affairs in Russia, the US, and Israel (Stanford, CA: Stanford University Press, 2010); Williamson Murray and Allan R. Millett, eds., Military Innovation in the Interwar Period (New York: Cambridge University Press, 1998); and Terry C. Pierce, Warfighting and Disruptive Technologies: Disguising Innovation (New York: Frank Cass, 2004).

13. For example, the number of Defense Department microcomputers expanded from roughly 500 in 1980 to more than 36,000 in 1985. Terminals to use those computers expanded from roughly 9,000 to nearly 68,000. Federal Government Information Technology: Management, Security, and Congressional Oversight, Office of Technology Assessment, 1986. Most of these computers did not have security features built into them. Additionally, the rise of microcomputers and networking expanded the number of users radically and further decentralized control over networks, which itself increased the problems of security management and contributed to vulnerability.

14. The development of the internet through the Defense Advanced Research Projects Agency is the most obvious example of military-driven innovation, but it is by no means an isolated example. The U.S. military’s influence on the computer industry waned in the 1980s as other significant market segments emerged, but it remained the largest U.S. government computer consumer.

15. This conclusion has been reiterated in numerous reports on military cybersecurity. See, for example, Task Force Report: Resilient Military Systems and the Advanced Cyber Threat, Department of Defense Science Board, 2013, 65, https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-081.pdf; Department of Defense Cybersecurity Culture and Compliance Initiative, Department of Defense, (September 2015), 1, https://dod.defense.gov/Portals/1/Documents/pubs/OSD011517-15-RES-Final.pdf; and A Review and Assessment of the Department of Defense Budget, Strategy, Policy, and Programs for Cyber Operations and U.S. Cyber Command for Fiscal Year 2019, Committee on Armed Services, House of Representatives, 115th Congress, 2nd Session, (2018), 7.

16. See, for example, E. Summerson Carr, “Enactments of Expertise,” Annual Review of Anthropology 39 (October 2010): 17–32, https://doi.org/10.1146/annurev.anthro.012809.104948; Trine Villumsen Berling and Christian Bueger, eds., Security Expertise: Practice, Power, Responsibility (New York: Routledge, 2015); Brian Wynne, “Sheep Farming After Chernobyl: A Case Study in Communicating Scientific Information,” Environment Magazine 31, no. 2 (1989): 10–39, https://doi.org/10.1080/00139157.1989.9928930; and Steven Epstein, “The Construction of Lay Expertise: AIDS Activism and the Forging of Credibility in the Reform of Clinical Trials,” Science, Technology, & Human Values 20, no. 4 (Autumn 1995): 408–37, http://www.jstor.org/stable/689868.

17. Stephen Hilgartner, Science on Stage: Expert Advice as Public Drama (Stanford, CA: Stanford University Press, 2000); Epstein, “The Construction of Lay Expertise”; Sheila Jasanoff, Science at the Bar: Law, Science, and Technology in America (Cambridge, MA: Harvard University Press, 1995); Gwen Ottinger, Refining Expertise: How Responsible Engineers Subvert Environmental Justice Challenges (New York: New York University Press, 2013); and Rebecca Slayton, Arguments that Count: Physics, Computing, and Missile Defense, 1949-2012 (Cambridge, MA: MIT Press, 2013).

18. Carr, “Enactments of Expertise.”

20. James P. Anderson, Computer Security Technology Planning Study, Vol 1, Electronic Systems Division of the Air Force Systems Command, October 1972, https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande72a.pdf; James P. Anderson, Computer Security Technology Planning Study, Vol 2, Electronic Systems Division of the Air Force Systems Command, October 1972, https://apps.dtic.mil/dtic/tr/fulltext/u2/772806.pdf.

21. For examples of early tests, see discussion in Jeffrey Yost, "Oral History Interview with Roger R. Schell," Charles Babbage Institute, May 1, 2012, http://hdl.handle.net/11299/133439 and Warner, "Cybersecurity: A Pre-history," 786.

22. Asked in 2012 whether penetration tests of U.S. systems led to offensive work within the intelligence community, Roger Schell, an Air Force officer who played a leading role in developing more secure computer systems, responded that “we recognize that it would not be unexpected if an adversary were to take an offensive thing, and we didn’t consider ourselves stupider than the adversary, you know, you can pretty well connect those dots.” Yost, "Oral History Interview with Roger R. Schell.”

23. For the introductory talk in this session, see Willis H. Ware, "Security and Privacy in Computer Systems," paper presented at the spring Joint Computer Conference, New York, April 18–20, 1967.

24. For an excellent summary of the research agendas begun to solve this problem, see Donald MacKenzie, Mechanizing Proof: Computing, Risk, and Trust (Cambridge, MA: MIT Press, 2001).

25. For more on the Privacy Act and associated requirements, see Rebecca Slayton, "Measuring Risk: Computer Security Metrics, Automation, and Learning," IEEE Annals of the History of Computing 37, no. 2 (April–June 2015): 32–45, https://doi.org/10.1109/MAHC.2015.30.

26. Clark Weissman, “Access Controls Working Group Report,” in Susan K. Reed and Dennis K. Branstad, "Controlled Accessibility Workshop Report: A Report of the NBS/ACM Workshop on Controlled Accessibility," Dec. 10–13, 1972, Santa Fe, CA, 19.

27. Theodore M.P. Lee, “Processors, Operating Systems and Nearby Peripherals: A Consensus Report,” in Ruthberg, "Audit and Evaluation of Computer Security II: System Vulnerabilities and Controls," Proceedings of the National Bureau of Standards Invitational Workshop Held at Miami Beach, FL, Nov. 28-30, 1978, 8–13.

28. Slayton, "Measuring Risk."

29. These became known as the “rainbow series.” See discussion in M. Schaefer, "If A1 Is the Answer, What Was the Question? An Edgy Naïf's Retrospective on Promulgating the Trusted Computer Systems Evaluation Criteria," paper presented at the Annual Computer Security Applications Conference, Tucson, AZ, December 6–10, 1984.

30. Schaefer, "If A1 is the Answer"; Steven B. Lipner, "The Birth and Death of the Orange Book," IEEE Annals of the History of Computing 37, no. 2 (April–June 2015): 19–31, https://doi.org/10.1109/MAHC.2015.27.

31. The National Security Telecommunications and Information Systems Security Committee (NTISSC) was first established as the U.S. Communications Security Board in 1953 by NSC-168. “CNSS History,” Committee on National Security Systems, accessed Dec. 20, 2020, https://www.cnss.gov/CNSS/about/history.cfm. In 1984, President Ronald Reagan’s national security decision directive (NSDD-145) gave the Committee responsibility for safeguarding “national security information” — something that could include sensitive, but non-classified, information. The directive also appointed the director of the National Security Agency as the national manager for telecommunications and information systems security, a role that made the director of the agency the executive secretary for a steering group that oversaw the NTISSC. The NTISSC was chaired by the assistant secretary of defense for command, control, communications, and intelligence and included representatives from the military services and intelligence agencies. National Security Decision Directive Number 145, The White House, Sept. 17, 1984, https://fas.org/irp/offdocs/nsdd145.htm.

32. Lipner, "The Birth and Death of the Orange Book."

33. The Trusted Computer System Evaluation Criteria outlined seven levels of security (D, C1, C2, B1, B2, A1, A2), which were defined by the extent to which they fulfilled four kinds of criteria: security policy, accountability mechanisms, assurance mechanisms, and documentation. The levels were ordered hierarchically, with increasingly stringent security requirements. For example, the second lowest level (C1) enforced a discretionary security policy while C2 added better accountability to level C1.

34. John C. Nagengast, "Defining a Security Architecture for the Next Century," Journal of Electronic Defense 15, no. 1 (January 1992): 51–53.

35. Nagengast, "Defining a Security Architecture for the Next Century." The Defense Information Systems Security Program would be managed by a new Center for Information Systems Security and jointly staffed by personnel from the Defense Information Systems Agency and the National Security Agency. It is not clear from published records whether the Defense Information Systems Security Program ever produced the unified security architecture and policy. "Budget Plan Leaves Military Computers Vulnerable to Intrusion," Defense Daily 184, no. 54 (1994).

36. In the early 1990s, efforts to give the Defense Information Systems Agency centralized control over the services’ information technology purchasing and management largely failed. See, e.g., "Services Retain Information Technology Design, Acquisition powers," Defense Daily 180, no. 57, Sept. 21, 1993. On the proliferation of networks, see Allen Li, "DOD's Information Assurance Efforts," Letter to the Chariman of the House Subcommittee on Military Research and Development, June 11, 1998, 4, https://www.gao.gov/assets/90/87860.pdf.

37. Although National Telecommunications and Information Systems Security Directive No. 500, “Telecommunications and Automated Information Systems Security Education, Training, and Awareness,” issued in June 1987, officially required agencies to implement security education and training programs, its effectiveness seems to have been limited. This directive is mentioned in the one that superseded it: “NSTISS Directive 500: Information Systems Security (INFOSEC) Education, Training, and Awareness," National Security Telecommunications and Information Systems Security Committee, Feb 25, 1993, https://apps.dtic.mil/sti/pdfs/ADA362604.pdf.

38. The lack of skills and training among systems administrators throughout the military was repeatedly identified as a principal reason for breaches in Defense Department networks. See, for example, Virus Highlights Need for Improved Internet Management, General Accounting Office, June 12, 1989, 20–21, https://www.gao.gov/products/IMTEC-89-57; Jack L. Brock, "Hackers Penetrate DOD Computer Systems," Testimony Before the Subcommittee on Government Information and Regulation, Committee on Governmental Affairs, U.S. Senate, (November 1991), 1, https://www.gao.gov/assets/110/104234.pdf; and Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Government Accountability Office, May 22, 1996, 6.

39. See, e.g., Maura Harrington, "Army's IS Ready for the Worst," Computerworld XXV, no. 2 (1991).

40. "Army Streamlines Information Services for Force XXI," Army Logistician, no. Jan/Feb (1997). This change was ostensibly made in support of efforts to create a digitized force for the 21st century, Force XXI.

41. White, "Subcultural Influence on Military Innovation," 108–09.

42. See White, "Subcultural Influence on Military Innovation," chap. 3.

43. Sarah White discusses this cultural preference in "Subcultural Influence on Military Innovation," chap. 4.

44. Thomas S. Snyder, ed., Air Force Communications Command, 1938-1991: An Illustrated History (Scott Air Force Base, Illinois: Air Force Communications Command Office of History, 1991), 259. For more about the Air Force’s early contributions to computing, see discussions of air defense in Slayton, Arguments that Count and in Paul N. Edwards, The Closed World: Computers and the Politics of Discourse in Cold War America (Cambridge, MA: MIT Press, 1996).

45. Snyder, Air Force Communications Command, 1938-1991, 261.

46. A much more detailed account of these changes can be found in Joseph R. Golembiewski, "From Signals to Cyber: The Rise, Fall, and Resurrection of the Air Force Communications Officer," Master's Thesis, School of Advanced Air and Space Studies, Air University, 2010.

47. Michael R. “Mo” Morris, “History of NAVNETWARCOM,” Navy CT History, July 13, 2008, https://www.navycthistory.com/COMNAVTELCOMtoNETWARCOMHistory.txt.

48. Sharon Anderson, "Why We Need the Navy Marine Corps Intranet," CHIPS, July–September 2004, https://www.doncio.navy.mil/Chips/ArticleDetails.aspx?ID=3296.

49. Danelle Barrett, "Developing a Community of C4IW Professionals," Proceedings 126, no. 6 (June 2000), https://www.usni.org/magazines/proceedings/2000/june/developing-community-c4iw-professionals.

50. Robert L. Buchanan and Sean Donohoe, "Is Navy 'Information Management' Becoming an Oxymoron?" Proceedings 125, no. 6 (June 1999), https://www.usni.org/magazines/proceedings/1999/june/navy-information-management-becoming-oxymoron.

51. Lori Turley, "The Feasibiltiy of Specialized Subcommunities within the General Unrestricted Line Officer Community," Master’s Thesis, Naval Postgraduate School, 1990; Barrett, "Developing a Community of C4I Professionals."

52. Barrett, "Developing a Community of C4I Professionals."

53. James P. Anderson, Computer Security Threat Monitoring and Surveillance, Fort Washington, PA, Feb. 26, 1980, revised April 15, 1980, https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande80.pdf. This is the earliest known study of threat monitoring. Anderson was an independent computer security expert who worked as a contractor primarily for military and intelligence agencies. While it is unclear what agency commissioned this report, it was very possibly the National Security Agency. And despite its opaque origins, the report was widely circulated and became very influential.

54. The early history of this work is described well in Jeffery R. Yost, "The March of IDES: Early History of Intrusion-Detection Expert Systems," IEEE Annals of the History of Computing 38, no. 4 (October–December 2016): 42–54, https://doi.org/10.1109/MAHC.2015.41. Systems were deployed by the Navy’s Space and Naval Warfare Systems Command, the Air Force Cryptologic Support Center, and the National Computer Security Center.

56. “Internet” is capitalized here to highlight that it refers to a specific network developed under contract to the U.S. Department of Defense. This was an important predecessor to the much larger and more public network that is known as the “internet.” Internet is also capitalized throughout this paper in references to this specific worm.

57. For a more detailed history, see Slayton and Clarke, "Trusting Infrastructure."

58. Author interview with Kenneth van Wyk, Feb. 20, 2018, Alexandria, VA.

59. The exact date on which each service formed an incident response team is unclear from the historical record. The Computer Emergency Response Team (CERT) Coordinating Center held invitational workshops each year immediately following the worm and by 1990, presentations discussing a preliminary “CERT System” indicated the involvement of all three services. Mention of the Air Force Computer Emergency Response Team can be found at the 15th National Computer Security Conference, sponsored by the National Institute of Standards and Technology and the National Computer Security Center in October 1992. However, White’s thesis dates the formation of the Navy’s Computer Incident Response Team to 1995 and the Army’s Computer Emergency Response Team to September 1996. See White, "Subcultural Influence on Military Innovation," 67, 307. Most likely, all services had nascent incident response capabilities by 1990 but subsequently strengthened those capabilities.

60. John Markoff, "Dutch Computer Rogues Infiltrate American Systems with Impunity," New York Times, April 21, 1991, https://www.nytimes.com/1991/04/21/us/dutch-computer-rogues-infiltrate-american-systems-with-impunity.html. The attackers had broken into computers at national laboratories that served as hosts for the MILNET, a non-classified military network.

61. John J. Fialka, "Pentagon Studies Art of 'Information Warfare' To Reduce Its Systems' Vulnerability to Hackers," Wall Street Journal, July 3, 1995; Brock, Hackers Penetrate DOD Computer Systems; author phone interview with William Gravell, May 22, 2020.

62. See, for example, the testimony of Computer Emergency Response Team Coordination Center Director Richard Pethia in the hearing, “Security in Cyberspace," 306–23. Although Pethia was focused on civilian security incidents, he spoke in hearings that were motivated by intrusions of Department of Defense networks. Additionally, a presentation from January 1999 demonstrates that the Air Force Computer Emergency Response Team and Office of Special Investigations were collecting similar statistics by the late 1990s. See “Information Assurance Update,” U.S. Air Force, Jan. 29, 1999, https://nsarchive.gwu.edu/dc.html?doc=6168264-National-Security-Archive-US-Air-Force.

63. General Accounting Office, Virus Highlights Need for Improved Internet Management, 20–21; Brock, Hackers Penetrate DOD Computer Systems, 1; Government Accountability Office, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, 6.

64. U.S. Air Force, “Information Assurance Update.”

65. Alan D. Campen, ed. The First Information War: The Story of Communications, Computers, and Intelligence Systems in the Persian Gulf War (Fairfax, VA: AFCEA International Press, 1992). Edward Mann, "Desert Storm: The First Information War?" AirPower Journal VIII, no. 4 (Winter 1994): 4–14, https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Volume-08_Issue-1-Se/1994_Vol8_No4.pdf.

66. It is possible that the directive mentioned attacking and defending computer systems — approximately 14 lines of the four-page document remain classified — but computer network attack and defense are not mentioned in the declassified portion of the document, which is much larger than the classified portion. Donald J. Atwood, “Information Warfare,” Department of Defense Directive TS 3600.1, Dec. 21, 1992.

67. Atwood, “Information Warfare,” 1.

68. “Electronic Warfare (EW) and Command and Control Warfare (C2W) Countermeasures,” Department of Defense Directive 3222.4, July 31, 1992, 1. Revisions issued on Oct. 22, 1993 included replacing all references to “command, control, and communications countermeasures” with “command and control warfare.”

69. In March 1993, the chairman of the Joint Chiefs of Staff issued a revised memorandum of policy on command-and-control warfare, calling it “the military strategy that implements information warfare.” “Memorandum of Policy Number 30: Command and Control Warfare,” Department of Defense, March 1993, 3, https://archive.org/details/JCSMemoofPolicyNumber30CommandandControlWarfare. This was a revision to a 1990 memo on command, control, and communications countermeasures (C3CM). This revision replaced C3CM with C2W. It also added “psychological warfare” as one of five elements of C2W.

70. In December 1996, Directive S-3600.1, Information Operations, replaced the 1992 Directive on Information Warfare, and explicitly acknowledged the threat that “computer network attack” posed to command-and-control systems. The 1996 directive expanded the focus of the 1992 directive on winning in military conflict and included the goal of securing “peacetime national security objectives” through civil and public affairs activities. It was only in 1998 that Joint Doctrine on Information Operations noted that offensive information operations “may include computer network attack.” John P. White, “Department of Defense Directive S-3600.1: Information Operations,” Department of Defense, Dec. 9, 1996, 1-1, http://www.iwar.org.uk/iwar/resources/doctrine/DOD36001.pdf.

71. "EW Expands Into Information Warfare," Aviation Week & Space Technology 141, no. 10 (October 1994): 47–48.

72. White, "Subcultural Influence on Military Innovation," 195.

73. Aviation Week & Space Technology, "EW Expands Into Information Warfare."

74. Author phone interview with Walter Rhoads, June 4, 2020.

75. The Joint Staff’s Operations Directorate was home to the Special Technical Operations Division, which monitored dozens of “black” programs. Regional commands maintained Special Technical Operations divisions and could help integrate these highly classified capabilities into military operations. William M. Arkin, "Phreaking Hacktivists," Washington Post, Jan. 18, 1999, https://www.washingtonpost.com/wp-srv/national/dotmil/arkin011899.htm. The Special Technical Operations office was also part of Atlantic Command’s Information Warfare Cell.

76Author phone interview with Rhoads, June 4, 2020.

77Similarly, at the Atlantic Command, the Special Technical Operations office also played a role in expanding the range of “information warfare” to include computer network attack. A 1995 depiction of Atlantic Command’s Information Warfare Cell structure included the five traditional pillars of command-and-control warfare along with the Special Technical Operations office, which served as a liaison to the Joint Command and Control Warfare Center and the Special Technical Operations Division of the Joint Staff (J-33). Joanne Sexton, "A Combatant Commander's Organizational View of Information Warfare/Command and Control Warfare," Naval War College, 1995. The Special Technical Operations office also shows up in 1998 joint doctrine on information operations.

78Author phone interview with Rhoads, June 4, 2020. Also, Kaplan, Dark Territory, 58.

79Kaplan, Dark Territory, 108.

80Author phone interview with Rhoads, June 4, 2020.

81Although Weaver’s name does not appear on this document, his authorship has been acknowledged elsewhere. See, e.g., Joseph A. Ruffini, 609 IWS: A Brief History, Oct 1995-Jun 1999, Department of the Air Force, 1999, https://pdf4pro.com/fullscreen/department-of-the-air-force-securitycritics-org-5b034d.html.

82"Cornerstones of Information Warfare," Department of the Air Force, 1995, 2, https://hdl.handle.net/2027/uc1.31210023608514. Although Andrew Weaver’s name does not appear on this document, his authorship has been acknowledged elsewhere. See, e.g., Ruffini, 609 IWS: A Brief History.

83Department of the Air Force, “Cornerstones of Information Warfare," 8.

84Kaplan, Dark Territory.

85The potential legal problem of having the Air Force Information Warfare Center engaged in “warfighting” in Operation Uphold Democracy was one rationale for creating an operational information warfare unit. Kaplan, Dark Territory.

86"Transcript: Lessons from Our Cyber Past — The First Military Cyber Units," Atlantic Council, March 5, 2012, https://www.atlanticcouncil.org/commentary/transcript/transcript-lessons-from-our-cyber-past-the-first-military-cyber-units/.

87Ruffini, 609 IWS: A Brief History, 36. Specifically, the five communications or networking backgrounds listed are communications networking, space operations, telecom information warfare at the Information Warfare Center, computer security, and information management. The backgrounds of the other five members are listed as fighter pilot (Rhoads), weapons system operator (Weaver), acquisition, intelligence, and security police.

88Ruffini, 609 IWS: A Brief History, 10.

89Ruffini, 609 IWS: A Brief History, 11.

90See, e.g., discussion of Exercise Fort Franklin V in Ruffini, 609 IWS: A Brief History, 14.

91Ruffini, 609 IWS: A Brief History, 11.

92Ruffini, 609 IWS: A Brief History, 13.

93Atlantic Council, "Transcript: Lessons from Our Cyber Past — The First Military Cyber Units."

94Realizing the Potential of C4I: Fundamental Challenges (Washington, DC: National Academy Press, 1999), 161, http://nap.edu/6457.

95Ruffini, 609 IWS: A Brief History, 25.

96National Academy Press, Realizing the Potential of C4I, 161.

97National Academy Press, Realizing the Potential of C4I, 161.

98National Academy Press, Realizing the Potential of C4I, 161.

99Ruffini, 609 IWS: A Brief History, 27.

100White, "Subcultural Influence on Military Innovation," 984.

101"Navy C4I Budget Safe for Now," Defense Daily 184, no. 41, Aug. 29, 1994, 321.

102White, "Subcultural Influence on Military Innovation," 304. The Naval Information Warfare Activity grew to 200 to 300 people by the early 2000s and was primarily focused on developing technology and capabilities. Eventually it became the Navy Cyber Warfare Development Group within Tenth Fleet. Mario Vulcano, “Navy Information Warfare Activity Was Established in July, 1994,” Station HYPO, July 22, 2017, https://stationhypo.com/2017/07/22/navy-information-warfare-activity-was-established-in-july-1994/.

103Bryan Bender, "Navy Chief Commissions Fleet Information Warfare Center," Defense Daily 189, no. 17, Oct. 25, 1995. Also, “Implementing Instruction for Information Warfare/Command and Control Warfare,” OPNAV Instruction 3430.26, Office of the Chief of Naval Operations, Jan. 18, 1995, http://www.iwar.org.uk/iwar/resources/opnav/3430_26.pdf.

104Bender, "Navy Chief Commissions Fleet Information Warfare Center."

105It is not entirely clear when the Navy Computer Incident Response Team was established. On May 31, 1990, the Naval Electronic Systems Security Engineering Center hosted a meeting that included representatives from all of the services to discuss cooperation among computer emergency response teams that dealt with national security information. This suggests that the Navy and other services already had some nascent incident response capabilities. However, some date the formation of the incident response team to the formation of the Fleet Information Warfare Center in October 1995. See, e.g., David Finley, "Navy Cyber Defense Operations Command Celebrates Its Past, Present and Future," CHIPS, Feb. 11 2016, https://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=7445.

106Bender, "Navy Chief Commissions Fleet Information Warfare Center." The exact size of the Fleet Information Warfare Center is difficult to establish. According to a 1996 Government Accountability Office report, only three of 30 personnel spots were granted for the Fleet Information Warfare Center. Computer Attacks at Department of Defense Pose Increasing Risks, Government Accountability Office, May 1996, 38. On the other hand, the Navy Computer Incident Response Team, formed at the same time within the Fleet Information Warfare Center, is described as having five people at its founding, growing to 250 people by 2003, and becoming the operational arm of the Fleet Information Warfare Center. Finley, "Navy Cyber Defense Operations Command Celebrates Past, Present, Future." One of White’s interviewees states that the Fleet Information Warfare Center started as a “handful” of officers and contractors. White, "Subcultural Influence on Military Innovation," 306. Most likely, the discrepancies in numbers relate to the question of whether new billets were created or simply reassigned. Reportedly, the “Navy did not create new billets for the command, but rather, ‘extracted’ operation and maintenance funds from facilities which have been stood down.” Bender, "Navy Chief Commissions Fleet Information Warfare Center."

107John Morton, "Space and Electronic Warfare Comes of Age," Proceedings 117, no. 1 (1991): 94–95. The elevation of the information warfare commander was driven, in part, by the growing volume of over-the-horizon targeting data that were being transmitted from shore to ship, without the corresponding ability for shooters to use them.

108White, "Subcultural Influence on Military Innovation," 301–02.

109For these uses, compare Erik J. Dahl, "We Don't Need an IW Commander," Proceedings 125, no. 1 (January 1999), https://www.usni.org/magazines/proceedings/1999/january/we-dont-need-iw-commander and Mitch Houchin, "Get Serious About Tactical Information Ops," Proceedings 129, no. 10 (October 2003), https://www.usni.org/magazines/proceedings/2003/october/get-serious-about-tactical-information-ops.

110Dahl, "We Don't Need an IW Commander."

111Barrett, "Developing a Community of C4I Professionals." Houchin, "Get Serious About Tactical Information Ops."

112Houchin, "Get Serious About Tactical Information Ops."

113Robert D. Gourley, "The Devil Is in the Details," Proceedings 123, no. 9 (September 1997), https://www.usni.org/magazines/proceedings/1997/september/devil-details.

114Gourley, "The Devil Is in the Details." Gourley went on to become the first intelligence officer for the Joint Task Force-Computer Network Defense.

115George F. Kraus, Jr., "Information Warfare in 2015," Proceedings 121, no. 8 (August 1995), https://www.usni.org/magazines/proceedings/1995/august/information-warfare-2015.

116“About the Cebrowski Institute,” Naval Postgraduate School, accessed Oct. 19, 2020, https://nps.edu/web/cebrowski/about.

117"Cebrowski Will Return to Post as Chief of Navy IT Operations," Government Computer News 15, no. 17, July 15, 1996.

118According to the article, the term was introduced by Chief of Naval Operations Adm. Jay Johnson in an address to the U.S. Naval Institute Annapolis Seminar and 123rd Annual Meeting on April 23, 1997, where Johnson described "a fundamental shift from what we call platform-centric warfare to something we call network-centric warfare." Arthur K. Cebrowski and John H. Garstka, "Network-centric Warfare: Its Origin and Future," Proceedings 124, no. 1 (January 1998): 28, https://www.usni.org/magazines/proceedings/1998/january/network-centric-warfare-its-origin-and-future.

119Cebrowski and Garstka, "Network-centric Warfare."

120“Navy Information Systems Technician,” U.S. Navy, accessed Oct. 22, 2020, https://www.navycs.com/navy-jobs/information-systems.html.

121“Establishment of Information Professional and Human Resources Officer Communities and Fleet Support Officer (FSO) Transition,” Chief of Naval Operations, July 25, 2001, https://www.public.navy.mil/bupers-npc/reference/messages/Documents3/NAV2001/nav01182.txt.

122James Murphy, "Give Information Personnel More Training and Credibility," Proceedings 134, no. 9 (September 2008), https://www.usni.org/magazines/proceedings/2008/september/professional-notes.

123My discussion of the Land Information Warfare Activity draws primarily on White, "Subcultural Influence on Military Innovation," 61–71.

124White, "Subcultural Influence on Military Innovation," 64. For discussion of the Army’s general staff structure, see “Field Manual 100-5: Staff Organization and Operations,” Department of the Army Headquarters, May 31, 1997, https://www.globalsecurity.org/military/library/policy/army/fm/101-5/f540.pdf.

125According to White, they viewed their work as “educational.” White, "Subcultural Influence on Military Innovation," 62.

126As noted previously, it appears that all of the services were involved in discussions about incident response by 1990, but the formalization of a coordinated incident response team came later. White cites a source that dates the formation of the Army Computer Emergency Response Team to September 1996. White, "Subcultural Influence on Military Innovation," 67. However, public announcements of the Army Computer Emergency Response Team only appeared in March 1997. Bryan Bender, "Army Stands Up Computer Security Coordination Center," Defense Daily, March 18, 1997; David L. Grange and James A. Kelley, "Victory through Information Dominance," Army 47, no. 3 (March 1997).

127"Field Manual 100-6: Information Operations," U.S. Army, Aug. 27 1996, https://www.hsdl.org/?view&did=437397. The field manual broadened information operations to include civil and public affairs as well as command-and-control warfare, but did not expand the five elements of command-and-control warfare to include computer network operations.

128“Joint Pub 13-13.1: Joint Doctrine for Command and Control Warfare,” Joint Chiefs of Staff, Feb. 7, 1996, https://www.bits.de/NRANEU/others/jp-doctrine/jp3_13_1.pdf. Although “Field Manual 100-6” was not formally published until August 1996, this discussion is quoted in the joint doctrine issued in February 1996, suggesting that “Field Manual 100-6” was far along in its development earlier in that year.

129"Field Manual 100-6: Information Operations," 1-1.

130White discusses this problem, which continues to manifest today in the fact that the Army relies primarily on enlisted personnel rather than officers for its cyber operations, despite lower rates of success. Officers tend to have college degrees and thus are more likely to be better suited for cyber operations. However, they are encouraged to be generalists rather than specialists. White, "Subcultural Influence on Military Innovation," 46–48, 152-65.

131Stephanie Ahern, "Breaking the Organizational Mold: Why the Institutional U.S. Army Has Changed Despite Itself since the End of the Cold War," Doctoral Dissertation, University of Notre Dame, 2009.

132Mary Blake French, "OPMS XXI—an Integrated Strategy," Army 47, no. 2 (1997): 52.

133French, "OPMS XXI—an Integrated Strategy," 50.

134OPMS XXI Final Report, OPMS XXI Task Force, U.S. Department of the Army (July 1997), 5-1. https://cgsc.contentdm.oclc.org/digital/collection/p4013coll11/id/1951/

135Maxwell S. Thibodeaux, "Organizing the Army for Information Warfare," Strategy Research Project submitted in partial fulfillment of the requirements for the Master of Strategic Studies degree, U.S. Army War College, 2013, https://apps.dtic.mil/dtic/tr/fulltext/u2/a590350.pdf.

136Thibodeaux, "Organizing the Army for Information Warfare."

137White, "Subcultural Influence on Military Innovation," 78–79.

138Ahern, "Breaking the Organizational Mold," 117.

139The exceptions were public affairs and information operations, which were moved to maneuver, fire, and effects. Ahern, "Breaking the Organizational Mold," 390–91.

140Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence, Joint Security Commission, (Feb. 28, 1994), chap. 8 and chap. 1, https://fas.org/sgp/library/jsc/.

141Report of the Defense Science Board Summer Study Task Force on Information Architecture for the Battlefield, Office of the Undersecretary of Defense for Acquisition and Technology (1994), 30, https://www.hsdl.org/?abstract&did=464955.

142Report of the Defense Science Board Summer Study Task Force, 32.

143Defense Daily, "Navy C4I Budget Safe for Now."

144Paul Constance, "From Bombs to Bytes: Era of On-line Weaponry Is Here," Government Computer News 14, no. 21, (October 1995).

145In January 1995, the Defense Information Systems Agency elevated its Center for Information Systems Security out of the Joint Interoperability Engineering Organization and made it the operating arm of a new Information Warfare Division. The center included a focus on reducing vulnerabilities within the Defense Department. For example, it aimed to develop a standardized information security training program for the Defense Department. It also continued to include operational aspects of defense, such as the Defense Department’s incident response team ASSIST, which was moved into the Defense Information Systems Agency’s Global Control Center. Vanessa Jo Grimm, "In War on System Intruders, DISA Calls In Big Guns," Government Computer News 14, no. 3 (1995).

146Gravell recalls a particularly well-received briefing to Chief of Naval Operations James Watkins in 1985. Cebrowski was present. Telephone interview with Gravell, May 22, 2020, and subsequent email correspondence.

147See, e.g., Information Warfare: Legal, Regulatory, Policy and Organizational Considerations for Assurance, 2nd Edition, The Joint Staff, Department of Defense, July 4, 1996, https://nsarchive.gwu.edu/dc.html?doc=5989661-National-Security-Archive-Joint-Chiefs-of-Staff.

148Phone interview with Gravell, May 22, 2020.

149For example, in 1993, computer scientist Fred Cohen discussed “information assurance” as something that means integrity and availability rather than simply confidentiality. Fred Cohen, Planning Considerations for Defensive Information Warfare — Information Assurance. Prepared for DISA Joint Interoperabilty and Engineering Organization (JIEO) Center for Information Systems Security, Dec. 15 1993, http://all.net/books/iwar/index.html. This is similar to the discussion in Defense Science Board, Report of the Defense Science Board Task Force on Information Warfare-Defense (IW-D) (November 1996), E-2–E-3.

150Email correspondence with Gravell, July 20, 2020.

151For example, the December 1996 Defense Department directive on information operations defined “information assurance” as “Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation.” White, “Department of Defense Directive S-3600.1: Information Operations.” The equation of information assurance and defensive information warfare is explicit in an analysis commissioned by the Joint Staff’s Information Warfare Division. Information Warfare: Legal, Regulatory, Policy and Organizational Considerations for Assurance, 1-1.

152For example, in his 1996 congressional testimony, Deputy Secretary of Defense John White explained that “information assurance … goes beyond what we traditionally think of as computer or information security” and “is not the realm of just security specialists,” but rather “is the responsibility of all who plan operations, manage enterprises, and are responsible for the delivery of critical infrastructure services.” See “Security in Cyberspace,” 418. Information assurance was thus directly related to the increasingly visible problem of critical infrastructure protection. See, for example, discussion in Kaplan, Dark Territory.

153By 1997, a report for the assistant secretary of defense for command, control, communications and intelligence noted that “the complexity of managing DOD’s information assurance efforts had increased due to the proliferation of networks across DOD and that its decentralized information assurance management could not deal with it adequately.” Quote in Li, "DOD's Information Assurance Efforts," 4.

154Quote is the summary of a November 1997 report from the assistant secretary of defense for command, control, communications and intelligence, found in Li, "DOD's Information Assurance Efforts," 4. The interim report of the task force was presented on Jan. 27, 1997, and the final report, “Improving Information Assurance: A General Assessment and Comprehensive Approach to an Integrated IA Program for the Department of Defense,” is dated March 1997. These latter two documents are described in J.V. Gray, Information Operations: A Research Aid, Institute for Defense Analysis, September 1997, 31.

155In response to fiscal years 1999–2003 planning guidance, the assistant secretary of defense for command, control, communications and intelligence developed “A Management Process for a Defense-wide Information Assurance Program (DIAP),” published Nov. 15, 1997. See Li, “DOD's Information Assurance Efforts,” 4, note 3. The assistant secretary of defense for command, control, communications and intelligence was made the Defense Department chief information officer in response to the 1996 Clinger-Cohen Act, which required that all federal agencies appoint a chief information officer and use performance-based management to oversee information technology acquisition and use.

156Serious Weaknesses Continue to Place Defense Operations at Risk, Government Accountability Office, Aug. 26, 1999, 15, https://www.gao.gov/products/GAO/AIMD-99-107.

157Information Security: Progress and Challenges to an Effective Defense-wide Information Assurance Program, Government Accountability Office, March 30, 2001, 22.

158Kaplan, Dark Territory.

159Kaplan, Dark Territory, 68. Kaplan states that “the entire defense establishment’s network was penetrated” in four days, though the video briefing by the National Security Agency red team targeting officer Keith Abernethy indicates that one target was denied to the team.

160Email to author from John Campbell, Sept. 28, 2020.

161“DOD Organization for Computer Network Defense: Summary of Proposals,” Joint Chiefs of Staff, Slide 4, June 1998, National Security Archive, https://nsarchive.gwu.edu/dc.html?doc=6168257-National-Security-Archive-Joint-Chiefs-of-Staff. Kaplan states that the Information Operations Response Cell was formed shortly before Solar Sunrise, but slides showing the timeline for discussion of options for computer network defense show it starting earlier. Campbell recalls that it was established before Eligible Receiver. Email to author from Campbell, Sept. 28, 2020.

162Email to author from Campbell, Sept. 28, 2020. Emphasis in original.

163Email to author from Campbell, Sept. 28, 2020.

164Kaplan, Dark Territory, 74.

165Kaplan, Dark Territory, 78.

166Atlantic Council, "Transcript: Lessons from our Cyber Past."

167In the San Antonio option, the task force would consist of 23 members of the Joint Command and Control Warfare Center and 20 members of the Air Force’s Information Warfare Center, with nine representatives drawn from the Defense Information Systems Agency and the Army’s and Navy’s computer emergency response teams. With the Defense Information Systems Agency option, it would consist of 29 members, four of which were already at that agency. This option would be less expensive and would allow for ready coordination with related agencies in Washington, but would require more personnel to be identified prior to startup.

168Joint Chiefs of Staff, “DOD Organization for Computer Network Defense,” Slide 4.

169Atlantic Council, "Transcript: Lessons from our Cyber Past."

170Some documents related to Eligible Receiver, including an after-action report summarizing the major lessons of the exercise, have been declassified and are available at the Digital National Security Archive as part of an electronic briefing book. Michael Martelle, ed., “Eligible Receiver 97: Seminal DOD Cyber Exercise Included Mock Terror Strikes and Hostage Simulations,” Department of Defense, Briefing Book no. 634, Aug. 1, 2018, https://nsarchive.gwu.edu/briefing-book/cyber-vault/2018-08-01/eligible-receiver-97-seminal-dod-cyber-exercise-included-mock-terror-strikes-hostage-simulations. Other weaknesses revealed by Eligible Receiver are based on interviews conducted by Fred Kaplan and reported in his book, Dark Territory.

171“Eligible Receiver ‘97 After Action Report,” in Martelle, ed., “Eligible Receiver 97.” Also available on YouTube:  “Eligible Receiver ‘97 After Action Report,” YouTube, accessed Dec. 22, 2020, https://youtu.be/iI3iZAq0Nh0.

172YouTube, “Eligible Receiver ‘97 After Action Report,” at 9:40. Interestingly, the exercise also demonstrated the potential effectiveness of operational defenses: One marine at Pacific Command had recognized an intrusion underway and reconfigured his firewall to shut out the red team. As a result, Abernethy reported, “a major strategic target … was denied to us.” YouTube, “Eligible Receiver ’97 After Action Report,” at 8:40.

173Jay Healey, "Bullet Background Paper on Computer Network Defense-Joint Task Force (CND-JTF)," Office of the Deputy Chief of Staff for Air and Space Operations, Oct. 14, 1998, 3, https://nsarchive.gwu.edu/dc.html?doc=6168259-National-Security-Archive-Captain-Healey-US-Air. Emphasis in original.

174Healey, “Bullet Background Paper.” Emphasis in original.

175"Organizing for Information Warfare: An Air Staff Perspective," U.S. Air Force Office of the Director of Intelligence, Surveillance, and Reconnaissance, 1999, slide 25, https://nsarchive.gwu.edu/dc.html?doc=6168263-National-Security-Archive-US-Air-Force-Office-of. Jay Healey confirmed that he was the author of this presentation in an email to the author dated May 15, 2020.

176Healey, "Organizing for Information Warfare,” slide 2.

177Jay Healey, "JTF Computer Network Defense Update," U.S. Air Force Office of the Director of Intelligence, Surveillance, and Reconnaissance, October 1998, slide 17, https://nsarchive.gwu.edu/dc.html?doc=6168258-National-Security-Archive-US-Air-Force-Office-of.

178Atlantic Council, "Transcript: Lessons from our Cyber Past."

180The organization of the Joint Task Force for Computer Network Defense can be found in John H. Campbell, “Computer Network Defense: Computer Network Defense Update to the Defense Science Board,” National Security Archive, Jan. 18, 2000, slide 13, https://nsarchive.gwu.edu/dc.html?doc=3145117-Document-03.

181Atlantic Council, "Transcript: Lessons from our Cyber Past."

182“NSA Designates First Centers of Academic Excellence in Information Assurance Education,” National Security Agency, Release No. PA-224-18, May 11, 1999, https://www.nsa.gov/news-features/press-room/Article/1636090/nsa-designates-first-centers-of-academic-excellence-in-information-assurance-ed/.

183Healey, "Organizing for Information Warfare," slide 6.

184Dan Verton, "DOD Boosts IT Security Role," Federal Computer Week, Oct. 3, 1999, https://fcw.com/articles/1999/10/03/dod-boosts-it-security-role.aspx.

185Campbell, “Computer Network Defense,” slide 10.

186For a discussion of this process, including questions about the role that the Joint Task Force-Computer Network Defense should play in it, see Department of Defense Inspector General, DoD Compliance with the Information Assurance Vulnerability Alert Policy, Department of Defense, Office of Inspector General, Dec. 1, 2000, https://www.dodig.mil/reports.html/Article/1116364/dod-compliance-with-the-information-assurance-vulnerability-alert-policy/.

187Senate Armed Services Committee, “Department of Defense Authorization for Appropriations for Fiscal Year 2001 and the Future Years Defense Program," 19. In this testimony, Campbell presented “operations” as one part of “defense-in-depth,” along with technology and people. Certifying systems administrators and users was in the “people” category, not “operations.”

188Senate Armed Services Committee, “Department of Defense Authorization for Appropriations for Fiscal Year 2001 and the Future Years Defnse Program," 42.

189Atlantic Council, "Transcript: Lessons from our Cyber Past."

190For an overview of the evolution of the Joint Task Force-Computer Network Defense into U.S. Cyber Command, see “U.S. Cyber Command History,” U.S. Cyber Command, accessed Oct. 21, 2020, https://www.cybercom.mil/About/History/.

191Kaplan, Dark Territory, 180–85; Ellen Nakashima, "Cyber-intruder Sparks Response, Debate," Washington Post, Dec. 8, 2011, https://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html; and William J. Lynn III, "Defending a New Domain: The Pentagon's Cyberstrategy," Foreign Affairs 89, no. 5 (September/October 2010): 97, https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain.

192Robert Gates, “Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations,” Memoranda, Department of Defense, June 23, 2009, https://fas.org/irp/doddir/dod/secdef-cyber.pdf.

193DOD Training: U.S. Cyber Command and Services Should Take Actions to Maintain a Trained Cyber Mission Force, U.S. Government Accountability Office, March 6, 2019, https://www.gao.gov/products/GAO-19-362.

194Elaine M. Grossman, "'Sovereign Options': Say What? Air Force Mission Statement Leaves Many Officials, Experts, Baffled," Inside the Air Force 16, no. 50 (Dec. 16, 2005): 8–11, https://www.jstor.org/stable/24794921. This announcement was criticized by many, including people who saw it as a power grab.

195Maryann Lawlor, "Command Takes Network Control," Signal (October 2006), https://www.afcea.org/content/command-takes-network-control. As this article noted, “vulnerabilities that exist in the Air Force’s networks are the result of more than a decade of individual commands and bases acquiring individual technologies that met their own needs.”

196Lawlor, "Command Takes Network Control."

197Lawlor, "Command Takes Network Control."

198Michael W. Wynne, “Cyberspace as a Domain in Which the Air Force Flies and Fights,” Remarks to the C4ISR Integration Conference, Crystal City, VA, Nov. 2, 2006, https://www.airforcemag.com/PDF/SiteCollectionDocuments/Reports/2006/November/Day03/Wynne110206.pdf.

199Wynne, “Cyberspace as a Domain.”

200White, "Subcultural Influence on Military Innovation," 222.

201Specifically, on Aug. 30, 2007, a munitions crew at Minot Air Force Base in North Dakota mistakenly loaded six nuclear missiles onto a B-52. The error was discovered only after the B-52 had flown the missiles to Barksdale Air Force Base in Louisiana and had been parked for about nine hours without any special guards. Peter Grier, “Misplaced Nukes,” Air Force Magazine, June 26, 2017, https://www.airforcemag.com/article/misplacednukes/.

202Approximately 55 percent of the staff in the provisional command came from the Air Force Communications Agency. Markus Rogers, “Air Force Network Integration Center’s Journey to Consolidated Cyber Capabilities,” CHIPS, May 14, 2019, https://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=12434.

203The organization is shown in William T. Lord, "USAF Cyberspace Command: To Fly and Fight in Cyberspace," Strategic Studies Quarterly 2, no. 3 (Fall 2008): 5–17, https://www.airuniversity.af.edu/Portals/10/SSQ/documents/Volume-02_Issue-3/Lord.pdf. For more on the 689th Cyber Wing (subsequently called the Combat Communications Wing) see “689 Combat Communications Wing (AFSPC),” Air Force Historical Research Agency, Nov. 24, 2010, https://web.archive.org/web/20140512213403/http://www.afhra.af.mil/factsheets/factsheet.asp?id=15897.

204Initially, the 24th Air Force was named Air Forces Strategic. This changed in 2010. Scott McNab, “24th AF Becomes AFCYBER,” U.S. Strategic Command, Dec. 9, 2010, https://www.stratcom.mil/Media/News/News-Article-View/Article/983649/24th-af-becomes-afcyber/.

205Katherine Kebisek, "Behind the Scenes: Air Force Network Integration Center Shapes the Future of Air Force Cyberspace Operations," Air Force Space Command, Nov. 17, 2010, https://www.afspc.af.mil/News/Article-Display/Article/250078/behind-the-scenes-air-force-network-integration-center-shapes-the-future-of-af/.

206These developments are described in White, "Subcultural Influence on Military Innovation," 251–52.

207This field was labeled 17D. Golembiewski, "From Signals to Cyber." Additionally, on Nov. 1, 2009, roughly 43,000 enlisted and 8,800 civilian personnel in communications fields were transitioned into a new cyberspace support career field, the 3DXXX series. Rita Boland, "Military Branch Undertakes Massive Troop Conversion," Signal, Feb. 2, 2010, https://www.afcea.org/content/military-branch-undertakes-massive-troop-conversion.

208In the Air Force, the first digit of the Air Force Specialty Code indicates the career group, with  “3” indicating a support field and “1” indicating an operational field. For more on legacy support functions, see Katrina A. Terry, "Overcoming the Support Focus of the 17D Cyberspace Operations Career Field," Master's Thesis, Air Force Institute of Technology, 2011.

209Initially, the Air Force created two “shreds” of the 17D field, one for cyberspace operators (17DXA) and another for network maintainers (17DXB). Less than 10 percent of the officers initially fell into the “operator” shred, but training for these shreds was similar and officers were rotated through the different roles. This was criticized in a 2015 paper which noted that “[t]he Air Force cannot cultivate a war-fighting culture in cyberspace operations if officers in the mission area are treated like a first-grade soccer team where ‘everybody needs an opportunity’ to play.” Matthew T. Hyland, "Operationalizing the 17D Workforce," in Cyber Compendium: Professional Continuing Education Course Papers 2, no. 1, ed. Robert Mills (Wright-Patterson Air Force Base, OH: Air Force Institute of Technology, 2015), https://apps.dtic.mil/dtic/tr/fulltext/u2/a617022.pdf. Today, officers in the 17D career field are typically assigned to defending the DODIN — which, as noted earlier, focuses on maintenance and sustaining functions — but some receive additional training for 17S assignments, which are typically offensive or defensive cyber operations and are seen as more desirable. Chaitra M. Hardison et al., Attracting, Recruiting, and Retaining Successful Cyberspace Operations Officers (Santa Monica, CA: RAND Corporation, 2019), https://www.rand.org/pubs/research_reports/RR2618.html.

210These include intelligence officers, fusion analysts (an enlisted specialization), and cyber warfare operations enlisted personnel. White, "Subcultural Influence on Military Innovation," 239–42.

211Robert M. Lee, "The Failing of Air Force Cyber," Signal, Nov. 1, 2013, https://www.afcea.org/content/failing-air-force-cyber.

212Hardison et al., Attracting, Recruiting, and Retaining, 57.

213Hardison et al., Attracting, Recruiting, and Retaining, 56.

214Hardison et al., Attracting, Recruiting, and Retaining, 56.

215George I. Seffers, "Navy Intranet Sets Sail," Federal Computer Week, Oct. 16, 2000.

216Anderson, "Why We Need the Navy Marine Corps Intranet."

217Anderson, "Why We Need the Navy Marine Corps Intranet."

218Information Technology: DOD Needs to Ensure that Navy Marine Corps Intranet Program Is Meeting Goals and Satisfying Customers, Government Accountability Office, (December 2006), 104, https://www.gao.gov/assets/260/254360.pdf.

219Morris, “History of NAVNETWARCOM.”

220"Spinning the Web," Sea Power 46, no. 4 (April 2003): 61–65.

221David Finley, "Navy Cyber Defense Operations Command Celebrates Its Past, Present, and Future," Defense Visual Information Distribution Service, Jan. 29 2016, https://www.dvidshub.net/news/188493/navy-cyber-defense-operations-command-celebrates-its-past-present-and-future.

222White, "Subcultural Influence on Military Innovation," 331.

223White, "Subcultural Influence on Military Innovation," 333; Mike Lambert, "The Navy's Cryptologic Community: A Transformational Phoenix?" Proceedings 131, no. 10 (October 2005).

224Joseph Gunder, "Naval Security Group Aligns With NETWARCOM," U.S. Federal News Service, Oct. 5, 2005.

225Additionally, the Fleet Information Warfare Center was merged with the Navy Information Operations Commands at its two locations in Norfolk, VA and San Diego, CA. “OPNAV Notice 5450: Disestablish Naval Security Group Command (COMNAVSECGRU), Fort George G Meade, MD; Rename and Realign all Subordinate NAVSECGRU Commands and Detachments,” Chief of Naval Operations, Department of the Navy, Dec. 29, 2005, https://fas.org/irp/agency/navsecgru/5450_273.pdf.

226Lambert, "The Navy's Cryptologic Community."

227Teresa J. Frith, "Cryptology Officers Get New Name, Boss," U.S. Federal News Service, Oct. 14, 2005. https://coldwar-c4i.net/NSG/NNS051014-04.html.

228Quoted in White, "Subcultural Influence on Military Innovation," 339. The Strategic Studies Group began in 1981 as a handpicked set of officers who would generate revolutionary concepts in naval warfare and continued through 2016. New officers were nominated each year for approximately one-year assignments.

229Quoted in White, "Subcultural Influence on Military Innovation," 339.

230Roughead did make changes that elevated the authority of information operations, a much broader category than cyber operations. In early 2008, he elevated the deputy chief of naval operations for intelligence from a two-star to a three-star position and in 2009, merged the Office of the Director of Naval Intelligence (N2) and the Office of the Deputy Chief of Naval Operations (DCNO) for Communication Networks (N6) into one three-star office, the “deputy chief of naval operations for information dominance.” Jack N. Summe, "Navy's New Strategy and Organization for Information Dominance," CHIPS (January-March 2010), https://www.doncio.navy.mil/(vvz3oz2uutryo0bujuhcxzrz)/CHIPS/ArticleDetails.aspx?ID=2557.

231White, "Subcultural Influence on Military Innovation," 342–43.

232"Navy Stands Up Fleet Cyber Command, Reestablishes U.S. 10th Fleet," U.S. Department of Defense Information / Federal Information News Dispatch, 2010.

233White, "Subcultural Influence on Military Innovation," 353–54.

234“Establishment of the Cyber Warfare Engineer Designator,” Chief of Naval Operations, June 21, 2010, https://www.public.navy.mil/bupers-npc/reference/messages/Documents3/NAV2010/NAV10205.txt.

235“Information Dominance Corps Officer Designator Alignment,” Chief of Naval Operations, June 22, 2010, https://www.public.navy.mil/bupers-npc/reference/messages/Documents3/NAV2010/NAV10206.txt. In 2016, the “Information Warfare” designator was changed to “Cryptologic Warfare.”

236White, "Subcultural Influence on Military Innovation," 357.

237Ted N. Branch, “The ‘Information Dominance Corps’ is now the ‘Information Warfare Community,’” CHIPS, (January-March 2016), https://www.doncio.navy.mil/Chips/ArticleDetails.aspx?ID=7307.

238“Information Warfare Community Overview,” Navy Personnel Command, last modified Oct. 21, 2019, https://www.public.navy.mil/bupers-npc/officer/communitymanagers/active/restricted/Pages/Information_Warfare_Community.aspx.

239Nancy Brown, Danelle Barrett, and Jesse Castillo, "Creating Cyber Warriors," Proceedings 138, no. 10 (October 2012): 32, https://www.usni.org/magazines/proceedings/2012/october/creating-cyber-warriors. See also Vincent A. Augelli, "Information-Dominance Officers Need to Command," Proceedings 138, no. 3 (March 2012): 79–81.

240White, "Subcultural Influence on Military Innovation," 358–59.

241Augelli, "Information-Dominance Officers Need to Command."

242See, e.g., "Cryptologic Warfare Group 6 Stands Up New Commands," Cryptologic Warfare Group 6 Public Affairs Office, Aug. 10, 2018, https://www.dvidshub.net/news/288472/cryptologic-warfare-group-6-stands-up-new-commands.

243Thomas King, "Nonpassive Defense of the Army's Computer Networks," Military Intelligence Professional Bulletin 29, no. 3 (July­-September 2003): 38, https://fas.org/irp/agency/army/mipb/2003_07.pdf.

244Maryann Lawlor, "Information Systems Get Marching Orders," Signal 57, no. 5 (January 2003). Interestingly, many announcements of Network Enterprise Technology Command only emphasized its goal of reducing costs. See, e.g., Hunter Keeter, "New Army NETCOM to Consolidate IT Acquisition Authority," C4I News, Sept. 26 2002.

245Robert K. Ackerman, "Network Center Ensures Security," Signal 59, no. 12 (August 2005), https://www.afcea.org/content/network-center-ensures-security.

246White, "Subcultural Influence on Military Innovation," 72–73.

247“History,” 780th Military Intelligence Brigade, accessed Oct. 25, 2020, https://www.inscom.army.mil/MSC/780MIB/history.html.

248White, "Subcultural Influence on Military Innovation," 88. The group developed its capability through a combination of targeted recruiting and ad hoc training by the National Security Agency and private companies. While these enabled it to develop a technically capable organization by the mid-2000s, it was still not well integrated into military operations, in part because of a lack of public guidance about how computer network operations were to be included in traditional military operations.

249White, "Subcultural Influence on Military Innovation," 92–93.

250780th Military Intelligence Brigade, “History.”

251Gates, “Establishment of a Subordinate Unified U.S. Cyber Command.” The Army began by establishing Army Forces Cyber Command headquarters within Army Space and Missile Defense Forces/Strategic Command, which had already been serving as a coordinating headquarters for computer network operations, helping to meet the Army’s requirements to support joint operations. White, "Subcultural Influence on Military Innovation," 105–06.

252White, "Subcultural Influence on Military Innovation," 108–09.

253White, "Subcultural Influence on Military Innovation," 73–74.

254"Army Establishes Army Cyber Command," U.S. Army, Oct. 1 2010, https://www.army.mil/article/46012/army_establishes_army_cyber_command.

255The 1st Information Operations Command was put under the operational control of Army Forces Cyber Command in 2011. “1st IO Command Overview,” 1st Information Operations Command, accessed Oct. 25, 2020, https://www.1stiocmd.army.mil/Home/aboutus.

256780th Military Intelligence Brigade, “History.”

257In the 2000s, the specializations most relevant to computer network operations were telecommunications engineering and information systems management. The commander of the second battalion within the 1st Information Operations Command, who was also in charge of the Army’s computer emergency response teams, typically came from one of these fields. White, "Subcultural Influence on Military Innovation," 73. In late 2008, the Army chief of staff decided to create a set of additional skill indicators to indicate capabilities relevant to cyber operations, but both signals and intelligence branches felt they did not go far enough.

258Eventually all of the electronic warfare personnel were converted to two new specializations in the cyber branch: electronic warfare officer and electronic warfare technician. “Army Cyber Branch Offers Soldiers New Challenges, Opportunities,” Fort Gordon Public Affairs Office, U.S. Army, Nov. 25, 2014, https://www.army.mil/article/138883/army_cyber_branch_offers_soldiers_new_challenges_opportunities.

259. Fort Gordon Public Affairs Office, “Army Cyber Branch Offers Soldiers New Challenges, Opportunities.”

260. “Cyber Operations Officer (17A),” U.S. Army, accessed October 25, 2020, https://www.goarmy.com/careers-and-jobs/browse-career-and-job-categories/computers-and-technology/cyber-operations-officer.html. Interestingly, however, the Army’s Officer Personnel Management Directorate still classifies cyber operations officers as “operations support.” “Officer Personnel Management Directorate,” United States Army Human Resources Command, Nov. 17, 2020, https://www.hrc.army.mil/Officer/Officer Personnel Management Directorate.

261. “Warrant Officer Prerequisites and Duty Description: 255S - Information Protection Technician,” U.S. Army Recruiting Command, Aug. 18, 2020, https://recruiting.army.mil/ISO/AWOR/255S/.

262. “Cyber Network Defender,” U.S. Army, accessed October 26, 2020, https://www.goarmy.com/careers-and-jobs/browse-career-and-job-categories/computers-and-technology/cyber-network-defender.html.

263. Department of Defense, Department of Defense Cybersecurity Culture and Compliance Initiative, 1.

264. DOD Cybersecurity Discipline Implementation Plan, Department of Defense, October 2015, 16, https://dodcio.defense.gov/Portals/0/Documents/Cyber/CyberDis-ImpPlan.pdf.

265. A revised training directive was issued in November 2015: “Information Assurance Workforce Improvement Program, Incorporating Change 4, 11/10/2015,” Assistant Secretary of Defense for Networks and Information Integration/Department of Defense Chief Information Officer, Dec. 19, 2005, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf. The Cyber Awareness challenge training program is described in, “CYBERSECURITY: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene,” Government Accountability Office, April 13, 2020, https://www.gao.gov/products/GAO-20-241.

266. Government Accountability Office, “CYBERSECURITY: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene.”

267. "Followup Audit on Corrective Actions Taken by DoD Components in Response to DoD Cyber Red Team-Identified Vulnerabilities and Additional Challenges Facing DoD Cyber Red Team Missions (DODIG-2020-067)," Department of Defense, Office of Inspector General, March 13, 2020, https://www.dodig.mil/reports.html/Article/2114391/followup-audit-on-corrective-actions-taken-by-dod-components-in-response-to-dod/.

268. “Rise of the Cyber Wingman,” U.S. Air Force, Nov. 12, 2009, https://www.af.mil/News/Article-Display/Article/118545/rise-of-the-cyber-wingman/.

269. Statement of Lt. Gen. Richard Mills in, “Digital Warriors: Improving Military Capabilites for Cyber Operations,” House Armed Services Committee, 112th Congress, 2nd Sess., July 25, 2012, 12, https://www.govinfo.gov/content/pkg/CHRG-112hhrg75668/pdf/CHRG-112hhrg75668.pdf.

270. Cybersecurity Readiness Review, Department of the Navy, March 2019, 12, https://www.wsj.com/public/resources/documents/CyberSecurityReview_03-2019.pdf?mod=article_inline.

271. Department of the Navy, Cybersecurity Readiness Review, 12.

272. Department of the Navy, Cybersecurity Readiness Review, 15.

273. Christopher J. Heatherly and Ian Melendez, "Every Soldier a Cyber Warrior: The Case for Cyber Education in the United States Army," Cyber Defense Review (Spring 2019): 64, https://cyberdefensereview.army.mil/Portals/6/HEATHERLYMELENDEZ_CDR_V4N1.pdf?ver=2019-04-30-105206-983