
 April 05, 2025
WHAT IS A CYBER WARRIOR? THE EMERGENCE OF U.S. MILITARY CYBER EXPERTISE, 1967-2018 (Part 1)

By Rebecca Slayton

Texas National Security Review

Vol 4, Iss 1 Winter 2020/2021

Cybersecurity

 

 

Image: U.S. Air Force, J.M. Eddins Jr.

 

How have military cyber operations, a diverse set of activities that often differ little from civilian cyber security work, achieved the status of “warfighting”? What activities have the greatest warfighting status, what activities have the least, and why? This paper examines the establishment and growth of expertise associated with cyber operations in the individual services and at the joint level since the late 1960s. Threat-oriented activities, such as attacking adversaries or responding to adversaries that have breached U.S. networks, have more readily achieved warfighting status than have vulnerability-oriented activities, such as patching software, training users in good security practices, and other actions that aim to prevent intrusions. Ultimately, the lower status of work and expertise associated with vulnerability mitigation remains a significant problem for military cyber operations.

 

On May 4, 2018, U.S. Cyber Command was elevated from a sub-unified command under U.S. Strategic Command, making it America’s 10th unified combatant command. At a ceremony marking this change, Deputy Secretary of Defense Patrick Shanahan described the command’s challenge as strengthening “our arsenal of cyber weapons, cyber shields and cyber warriors.” 1

 

Shanahan’s words evoke the image of a traditional warrior, fighting with weapons and a shield. And yet, cyber “warfare” differs dramatically from traditional combat. 2 In fact, many cyber warriors spend less time using virtual “weapons” than they do inventing or maintaining them. While joint doctrine treats use, invention, and maintenance as important components of cyber “operations,” i.e., warfighting, this paper shows that, in practice, the individuals who perform these activities do not all have equal “warrior” status.

 

Of course, it may seem strange that any cyber experts would have warrior status. After all, they typically work at desks, and without substantial physical risk. Furthermore, while missiles, drones, combat aircraft, and other high technology have all changed how militaries fight and what it means to be a warrior, the technologies with which cyber warriors work are not unique to the military. 3 Every major civilian organization today also relies on complex computer networks and experts who defend them. While some cyber warriors attack adversary computer networks, many spend their time focused on defensive work that differs very little, if at all, from that of civilian computer security experts. Indeed, the U.S. Defense Department has leveraged the civilian U.S. National Initiative on Cybersecurity Education workforce framework to build its own cyber workforce. 4 For that matter, the Department of Defense uses civilian contractors for both offensive and defensive cyber operations.

 

So, why are some kinds of cyber experts who work for the Defense Department considered “warfighters” but others are not? This paper examines the historical process by which some of these kinds of experts gained warfighter status while others did not. It shows how, throughout the 1990s and early 2000s, key leaders in intelligence, communications, and warfighting communities made the case that computer network operations should be treated as a kind of warfighting. While specific approaches varied across different services and professional specializations, all of these leaders struggled against a culture that has historically treated information-related work such as intelligence, computing, and communications as a warfighting support function, something lower in status than warfighting itself.

 

Elevating the status of cyber expertise entailed challenging organizational hierarchies that made cyber experts subordinate to traditional warfighters. For example, it meant empowering cyber experts and organizations to effectively issue commands to warfighting units, directing them to remediate vulnerabilities in their computer networks. It also involved reorganizing well-established military specializations, such as signals intelligence, electronic warfare, and communications, around cyber infrastructure and operations. Perhaps most importantly, it meant establishing new career paths through which cyber experts might advance to the highest levels of command.

 

Military leaders made their case for elevating cyber expertise in a variety of ways. For example, they developed concepts of cyber operations that were analogous to well-established concepts of kinetic operations. They also conducted exercises that revealed the potential impact of cyber operations on military warfighting and gathered data that highlighted a steady increase in intrusions that might have gone completely unnoticed if not for the work of cyber experts.

 

I argue that these and related activities succeeded in establishing cyber operations as a type of warfighting, but that some kinds of skills, knowledge, and ability were more readily seen as warfighting than others. In particular, threat-focused activities like offensive operations, intrusion detection, and incident response, which were first developed within signals intelligence units, were most easily viewed as warfighting. By contrast, vulnerability-focused activities such as password management, software patching, and other forms of technology maintenance, which were primarily the responsibility of communications units, were slow to be seen as a kind of warfighting.

 

Today, the distinction between threat-focused and vulnerability-focused activities can be found in joint doctrine, which outlines three primary missions for cyberspace operations. The first mission, offensive cyber operations, is unique to the military. U.S. law prohibits civilian organizations from conducting offensive cyber operations unless they are operating under military authority. The second mission, defensive cyber operations, responds to threats that have already breached Defense Department networks. Some of these activities, including incident response, intrusion detection, and network monitoring, are very similar to defensive work within major corporations, civilian government, and other non-military organizations.

 

The third mission, Department of Defense Information Network (DODIN) operations, focuses on mitigating vulnerabilities. It includes “actions taken to secure, configure, operate, extend, maintain, and sustain [Defense Department] cyberspace and to create and preserve the confidentiality, availability, and integrity of the DODIN.” Like defensive cyber operations, these activities are commonplace in non-military organizations. Furthermore, by virtue of their focus on mitigating vulnerabilities rather than attacking adversaries, they have struggled to gain the status of warfighting. In an effort to cast its work as warfighting, Joint Force Headquarters-DODIN describes its mission with the phrase “Fight the DODIN,” not “secure,” “maintain,” or “sustain” the DODIN. 5 And joint doctrine seems to recognize the lower regard in which such operations might be held, noting that “although many DODIN operations activities are regularly scheduled events, they cannot be considered routine, since their aggregate effect establishes the framework on which most DOD [Department of Defense] missions ultimately depend.” 6

 

Joint doctrine does not formally prioritize any one of these three missions over the others. Yet, as this paper shows, the personnel assigned to offensive or defensive cyber operations tend to have greater warfighting status, and thus greater prestige and opportunities, than do personnel assigned to DODIN operations. Offensive and defensive cyber operations, by virtue of their focus on confronting intelligent and changeable adversaries, tend to be less routine than DODIN operations and are therefore more readily construed as warfighting. By contrast, DODIN operations are focused on maintaining and sustaining technology. Such work can be carried out in innovative ways. However, it is also very often routine and mundane. Furthermore, although effective DODIN operations require an understanding of how threats operate, their focus is ultimately on infrastructure rather than adversaries, further reducing any claim to warfighting.

 

And yet, DODIN operations are also the first line of defense, without which defensive cyber operations would become impossible. Without a defense of computer networks, the modern military simply could not function with any level of confidence. While I do not take a position on whether DODIN operations and other forms of security maintenance should be considered “warfighting,” I do argue that such work has tended to be undervalued and that its lower status continues to impact military cybersecurity.

 

By analyzing historical efforts to make computer network attack and defense a kind of warfighting, this paper builds upon and extends existing histories of cyber operations. The earliest books and papers to describe the rise of military cyber operations treated them as the necessary response to a series of “wake-up calls” that came in the form of computer network intrusions, by both real adversaries and penetration testers, in the 1990s and 2000s. 7 This narrative first emerged in the 1990s among Defense Department insiders who advocated putting greater emphasis on cyber operations. 8 More recently, scholars have analyzed the rise of military cyber operations as a response to a broad set of technological changes that took place in the 1990s and early 2000s. 9 In the most thorough account to date, Sarah White argues that the unique cultures and professional subcultures of the military services — including intelligence, signals intelligence, cryptology, communications, and electronic warfare — led to considerable variation in their cyber doctrines. 10 White describes a two-stage process of innovation, wherein the services experimented with many different forms of cyber doctrine in the 1990s, but these doctrines became more similar after cyber operations became a major activity at the joint level.

 

This paper draws on the work of White and others, but its theoretical assumptions and contributions differ in three significant ways. First, I focus not only on innovation, but on what comes after innovation: maintenance and repair. 11 To be sure, this is partly a story of innovation, as the establishment of military cyber capabilities entailed transforming the relationships between many distinctive professional communities and the computer networks that they continually created, operated, and maintained. These innovations were simultaneously organizational and technological — that is, they were sociotechnical. But, contrary to a substantial body of scholarship on the sources of military innovation, I argue that innovation is not always an unmitigated good. 12 As discussed further below, as the Defense Department incorporated innovations in microcomputers and networking into its information systems in the 1980s, its vulnerability to computer network attack grew substantially. 13 This vulnerability dramatically increased the need for new kinds of sociotechnical repair and maintenance that constitute the majority of cyber operations today. The history of military cyber operations is thus not just about innovation, but also about the importance of mundane maintenance work, such as training users, patching software, and strengthening passwords.

 

Second, whereas most historical accounts treat the rise of military cyber operations as a response to technological changes that were taking place external to the military, I examine these technological changes as internal to the military. The U.S. military did not simply respond to the rise of computer networking. It also actively drove the development of new technological capabilities as it pursued various functional advantages, such as increased efficiency in logistics systems or operational advantages in network-centric warfighting. 14 The vulnerabilities associated with military computer networking were not simply a product of flawed commercial technology. They were also produced by practices internal to the Department of Defense. These include the decentralized pursuit of new networking technologies, a lack of strong security standards, and a lack of security training and a security culture among the communications and computing personnel charged with deploying computer systems. 15

 

Third, I analyze cyber expertise as more than a set of knowledge, skills, and abilities that people and organizations possess. Rather, I draw on work that examines expertise as a set of dynamic relationships between people or groups claiming to possess specialized knowledge and skills and people or groups lacking such knowledge and skills. 16 Experts must do more than simply possess knowledge, skills, and abilities. They must also persuade others of the veracity of their claims and the effectiveness of their actions. 17 This process of persuasion may include, for example, gaining professional certification, demonstrating mastery over technologies, and other cultural practices that establish trust between experts and non-experts. 18

 

This relational understanding of expertise is critical to understanding how organizations create and compete with cyber forces. Organizations must do much more than train, recruit, or contract for talented personnel: They must also establish effective relationships between cyber warriors and the many other military professionals with whom they work. A relational conception of expertise is also crucial for explaining how some skilled and knowledgeable individuals and groups are able to raise their status within an organization while others are not. Finally, international competition in cyberspace depends not only on acquiring and organizing skilled personnel, but also on persuading adversaries of the capability of a nation’s cyber warriors, that is, on establishing a relationship of superiority.

 

Expertise provides a unique basis for authority — not the formal authority of command structures or legal statutes, but the authority that comes from being able to effectively persuade. However, what counts as a persuasive argument, and therefore what counts as an authoritative expert, differs from one culture to the next. For example, while Ayurvedic doctors are respected as highly effective throughout much of India, they are likely to be considered quacks in Western cultures. Culture also shapes what counts as relevant and important knowledge and skills and what counts as a persuasive and effective expert.

 

The U.S. military is by no means a monolithic culture, 19 but its primary mission is warfighting. Expertise generally gains in status the more essential it is to warfighting. All of the services’ career fields explicitly distinguish between warfighting and warfighting support. Moreover, traditional warfighting experience has often been a prerequisite for professional promotion. The most senior commanders lead warfighting rather than warfighting support units, and organizational hierarchies empower warfighting commands over warfighting support. In this context, raising the status of cyber expertise entails reframing it as a form of warfighting rather than warfighting support.

 

The remainder of this paper is organized in three parts. First, I briefly outline the origins of computer network operations in the Defense Department, highlighting both vulnerability-oriented and threat-oriented approaches. Second, I discuss the rise of “information warfare,” which provided a conceptual and organizational context for further developing computer network operations during the 1990s. Third, I discuss the growing challenge of defending networks and the associated rise of joint computer network operations in the mid- and late-1990s. Defending military operations from computer network intrusions demanded a level of coordination that no single service could provide. Fourth, I discuss how the services began to elevate computer network operations in the new millennium, partly in response to the growing prominence of joint cyber operations. I conclude with a discussion of current cyber operations, in particular the challenge of raising the status of work focused on mitigating vulnerabilities.

 

The Origins of U.S. Computer Network Operations

 

Technological, Organizational, and Professional Vulnerability

 

The origins of what came to be called computer network operations can be found in U.S. intelligence organizations, which tested the security of several state-of-the-art computer systems in the late 1960s and early 1970s by attempting to break in and take control of them. 20 These “tiger teams” were always successful, demonstrating pervasive vulnerabilities in even the best-designed systems. 21 It is reasonable to assume that intelligence agencies were also exploring ways of compromising adversaries’ computer systems, although the existence of any such operations remains highly classified. 22

 

By contrast, the need for computer network defense became a subject for public discussion after a panel of computer scientists addressed it at a 1967 conference and, for the first time, publicly acknowledged the existence of the National Security Agency, previously described as “No Such Agency.” 23 For computer scientists, the ease with which computers could be penetrated by outsiders was partly a technological problem: Hardware-software systems were so complex that they inevitably contained errors that could be exploited. With the sponsorship of the National Security Agency and the Air Force, computer scientists worked on developing techniques for reducing such errors and proving that computer systems actually enforced the security policies that they were programmed to enforce. These efforts failed to produce a provably secure computer, but succeeded in growing a community of government, industry, and academic computer security experts. 24

 

This community recognized that security was also a market problem: Companies had no incentive to design secure systems in the 1970s and 1980s because there was little consumer demand for security. Although the 1974 Privacy Act mandated that federal agencies undertake information security measures, and although the U.S. federal government had substantial market power as a major consumer of computing hardware and services, the personnel responsible for buying systems usually lacked the understanding needed to specify the security requirements for new purchases. 25 Similarly, computing managers got “mostly ‘arm waving’ from the vendor,” rather than an objective evaluation of the “secure-worthiness” of computer systems. 26 Accordingly, computer scientists convened by the National Bureau of Standards in 1978 proposed to develop “a process for evaluating the security of computer systems, and for accrediting particular systems for particular applications.” 27

 

These recommendations led to the creation of the Trusted Computer System Evaluation Criteria and the associated National Computer Security Center at the National Security Agency. 28 The center helped coordinate the development of these criteria and then used them to evaluate the security of commercial computer systems. But rapid innovation and the rise of computer networking threatened to make the criteria obsolete and led to a long series of “interpretations” to guide evaluations of new kinds of products. 29 Meanwhile, the slow process and high expense of evaluation deterred many organizations, including those in the Defense Department, from demanding high security ratings. 30 That changed somewhat after 1987, when the National Telecommunications and Information Systems Security Committee directed that, by 1992, all federal agencies must use only operating systems evaluated at level “C2” or higher to process national security information. 31 Evidence suggests that this mandate was indeed successful in improving security standards in the computer market. 32

 

Nevertheless, C2 was still not a particularly high level of security, and communications and computing personnel did not typically demand more security than was required by the federal mandate. 33 Furthermore, these personnel did not know how to use “trusted” systems to build secure networks. 34 Computer network vulnerabilities were thus also a result of training and management problems, in addition to being technological and market problems. In 1990, the assistant secretary of defense for command, control, communications, and intelligence tasked the National Security Agency and Defense Communications Agency (soon to become the Defense Information Systems Agency) with developing means of better managing information security. This led to the creation of the Defense Information Systems Security Program, whose aim was to develop a comprehensive and integrated security architecture and policy for the Defense Department. 35

 

However, the purchase, deployment, and management of computer networks remained highly decentralized across the military, and networks proliferated in the 1980s and early 1990s. 36 This left the problem of configuring and maintaining such networks to disparate personnel in communications and computing fields throughout the services. 37 As outlined briefly below, each of the services structured its computer and communications career fields a bit differently, but the personnel charged with deploying and managing computer networks generally received little or no training in computer security. 38

 

In the late 1980s and early 1990s, the U.S. Army Information Systems Command was responsible for the Army’s global networking and communications. 39 However, in late 1996, the Information Systems Command was made subordinate to the Army Forces Command, where it became Army Signal Command, reducing its independence and underscoring its support role. 40 The community responsible for computer networking and communications, the Signal Corps, was a support field focused on making networks available to commanders, not securing networks from adversaries. 41 Additionally, the Army’s cultural preference for officers who were generalists rather than technical specialists did not reward deep investment in technical skills in the early 1990s. 42 None of this encouraged the development of technically deep, security-savvy computer network managers.

 

By contrast, the Air Force has historically rewarded technical depth, expecting its officers to develop substantial technical expertise prior to taking command. 43 The Air Force was also an early leader in networked computing and communications. By December 1989, Air Force Communications Command was the most globally dispersed command in the Air Force, including more than 54,000 personnel working in 430 U.S. locations and 27 foreign locations. 44 Yet, in the early 1990s, as part of post-Cold War streamlining and downsizing, the Air Force reduced the independence and strength of its communications command and associated personnel. In October 1990, communications personnel were put under the command of the operational units that they served, shrinking the command to less than 8,000 personnel. In July 1991, the Communications Command was further demoted from major command to field operating agency. 45 Over the next several years, the number of distinct Air Force Specialty Codes for computing and communications officers was substantially reduced as very different areas of work were merged together and officers were explicitly encouraged to be generalists rather than specialists. 46 Taken together, these changes eroded any possibility of centralized control of computer network security in the Air Force, while discouraging communications officers from pursuing technical depth that would be needed to ensure security.

 

The Navy’s communications and computing management was even more decentralized than the Air Force’s in the 1980s and 1990s. Throughout the 1990s, the Naval Computer and Telecommunications Command was responsible for ensuring interoperability of legacy and new communications-computing systems and for providing, operating, and maintaining shore-based and non-tactical communications systems. 47 However, this left myriad other systems to be developed by other commands. By the turn of the millennium, the Navy had 28 different commands independently developing, operating, and maintaining their own computer systems. 48 The Navy also lacked a centralized communications command or career field in the 1990s, despite having enlisted ratings such as “radioman” and “data processing technician.” 49 Afloat, responsibilities for communications were often assigned to officers for a limited period, without any formal training. 50 Ashore, much of the communications and computing work was performed by general unrestricted line officers, a non-combat, shore-based community that was 93 percent female in 1990. 51 It became the fleet support officer community after laws barring women from combat roles were lifted in 1995, and continued to perform many of the same functions both ashore and afloat. Yet, there was no formal training required for performing these roles. People typically had to learn on the job. 52

 

To summarize, vulnerabilities in Defense Department networks were not just a matter of external technological changes or insecurities in commercial products that the department could not control. The Department of Defense actively drove many innovations in computer networking and security but failed to ensure that its networks would be securely deployed or maintained. Although communications and computing personnel in the services comprised the first line of computer network defense — responsible for configuring networks, managing passwords, and much more — most lacked an understanding of how to secure networks. It was ultimately the Defense Department’s inability to centrally manage the security of computer networks, combined with a lack of security skills and knowledge among its disparate communications-computing personnel, that made its networks so vulnerable.

 

Threat-Oriented Approaches to Computer Network Defense

 

Computer scientists working with intelligence agencies recognized early on that even if they could create systems that would enforce security policies perfectly, an insider could wittingly or unwittingly compromise the system. 53 This recognition led to the development of one of the first threat-oriented approaches to computer network defense — intrusion detection systems — that would monitor computers and networks for suspicious behavior and alert security officers about potentially unauthorized activity. The National Security Agency, the Navy, and the Air Force all sponsored research into intrusion detection systems in the 1980s, and by the early 1990s were using such systems to monitor select networks. 54 They also developed new kinds of expertise associated with intrusion detection systems, as security officers learned how to evaluate alerts about suspicious activity and determine what actions, if any, should be taken. 55

 

Another early threat-oriented approach to computer network defense came in the form of computer emergency response teams, also known as computer incident response teams. These teams were first created in response to the Internet worm of Nov. 2, 1988. 56 The worm was the first to significantly disrupt the Internet, which was then primarily a research network sponsored by the Defense Department. The Computer Emergency Response Team Coordinating Center, a federally funded, nongovernmental organization based at Carnegie Mellon University, was established in January 1989 with the goals of preventing future incidents, providing a network of elite experts who could be called upon to diagnose future attacks, and facilitating the creation of a network of similar response teams. 57

 

Defense Department units and the national nuclear laboratories were among the first organizations to form their own computer emergency response teams. In the early 1990s, the Defense Intelligence Agency formed an incident response team for its classified Intelligence Information Systems network, which, in late 1992, was renamed the Automated Systems Security Incident Support Team and moved to the Defense Information Systems Agency, where it was tasked with responding to incidents across the Defense Department. 58 Each of the services also began to form incident response capabilities. 59

 

In the early 1990s, response teams helped to identify and make visible intrusions that might otherwise have gone unnoticed. For example, the Department of Energy’s Computer Incident Advisory Capability helped discover that between April 1990 and May 1991, at least 34 of the Defense Department’s computers had been hacked. 60 Further investigation eventually concluded that the hackers were teenagers in the Netherlands who called themselves “High Tech for Peace” and had gained access to a computerized logistics management system. During preparations for Operation Desert Storm in Iraq, the hackers offered to sell the capabilities gained through that system to Saddam Hussein for $1 million. Had the Iraqi government responded to the offer, which fortunately it did not, the hackers could have disrupted the flow of supplies to U.S. troops preparing for Desert Storm. 61

 

Intrusion detection systems and incident response teams were important not only for identifying and stopping intruders, but also for making the argument that computer networks were increasingly under attack. Response teams tracked an exponential rise in incidents that paralleled the exponential rise in internet host sites in the 1990s. 62 By presenting these statistics to policymakers both within and beyond the military, they could make an argument for devoting more resources to defending networks.

 

But intrusion detection and incident response did more than simply demonstrate the growth of threats and the need to confront them. Incident investigators also worked to identify the causes of the breaches and, in the process, repeatedly underscored the importance of a prior layer of defense: the systems administrators and personnel who were charged with deploying and maintaining secure networks. The 1989 Internet worm, the Dutch hacking incident, and many other breaches were enabled by a lack of security knowledge, skills, and practice among systems administrators. 63 In 1999, an analysis by the Air Force Office of Special Investigations showed that a majority of root intrusions in the previous year had resulted from noncompliance with security policies or emergency response team advisories. Only 13 percent were definitively determined to be “unpreventable.” 64

 

Thus, the Defense Department’s threat-oriented approaches to network defenses became critical in the mid-1990s in no small part because of failings in the first line of defense: the systems administrators and maintainers who were uniquely positioned to prevent and mitigate vulnerabilities. Although both threat-oriented and vulnerability-oriented forms of expertise would eventually be incorporated into a new conception of warfighting, that transition was slower and more difficult for vulnerability-oriented expertise, as discussed in more detail below.

 

The Rise of Information Warfare and Information Assurance

 

In the mid-1990s, computer network operations began to find an organizational and conceptual home in “information warfare.” To be clear, information warfare was not primarily about computer network operations. When military officers described Operation Desert Storm as the “first information war,” they were discussing much older traditions of work such as gathering intelligence through satellites and airborne reconnaissance systems, using such intelligence to bomb command-and-control facilities, and setting up an in-theater communications system. 65

 

Similarly, when the Department of Defense issued a top secret directive on information warfare in December 1992, it devoted little, if any, attention to the opportunities and risks inherent to using computer networks in military and intelligence operations. 66 The directive defined information warfare as the “competition of opposing information systems” through methods such as “signals intelligence and command and control countermeasures.” 67 Such countermeasures, also known as command-and-control warfare, were defined as the “integrated use” of five elements — “operations security (OPSEC), military deception, psychological operations (PSYOP), electronic warfare (EW), and physical destruction” — all “mutually supported by intelligence.” 68 Information warfare thus encompassed a very diverse range of military specializations, all of them long predating computers. 69

 

Nonetheless, information warfare provided the primary conceptual and organizational context for efforts to raise the status of computer network defense and attack in the mid-1990s. 70 As discussed further below, each of the services approached computer network operations somewhat differently, but they all built upon incident response and intrusion detection work that had begun in their signals intelligence organizations rather than their communications and computing units.

 

Air Force: Cyberspace as a New Warfighting Domain

 

Of the three services, the Air Force was the most willing to see computer network operations as a new area of warfighting. Nonetheless, its initial response to the 1992 information warfare directive was not to create a new warfighting unit. Instead, it merged the security functions of the Air Force Cryptologic Support Center with the Air Force’s Electronic Warfare Center, thereby creating the Air Force Information Warfare Center at Kelly Air Force Base in San Antonio, Texas. 71 About half of the center’s personnel had backgrounds in signals intelligence, while the rest came from a variety of fields. 72 At its founding in September 1993, the Information Warfare Center was within the Air Force Intelligence Command, but in October 1993 this command was demoted from a major command to a field operating agency, the Air Intelligence Agency. The Information Warfare Center was co-located with the Joint Electronic Warfare Center, which became the Joint Command and Control Warfare Center in September 1994. 73 Despite the “warfare” moniker, both of these centers played supporting roles, helping integrate various information warfare methods into combat operations.

 

In the early 1990s, the Air Force also began to integrate some computer network operations into warfighting through the Special Technical Operations system. Air Force Col. Walter “Dusty” Rhoads, a fighter pilot who was assigned to the planning division of Tactical Air Command in 1991, recalls that he began to integrate an early version of computer network operations into war plans after helping set up a Special Technical Operations office for Tactical Air Command, which would soon become Air Combat Command. 74 The Special Technical Operations system provided a means for regional commands to integrate highly classified capabilities — such as computer network attack — into military operations. 75 When he briefed the general who was directing Tactical Air Command operations, the general told him, “You’re going to make this information warfare.” 76 As a result, Rhoads became the director of a new information warfare branch at the Air Combat Command, with the Special Technical Operations office as a focus of the new branch. 77

 

In 1994, the information warfare branch, under Rhoads’ direction, put together a plan to support Operation Uphold Democracy, which aimed to undo the 1991 coup of democratically elected Haitian President Jean-Bertrand Aristide. It worked with the Air Force Information Warfare Center, where a junior officer who had once been a “demon dialer” — someone who manipulates the phone system to make free long-distance calls — figured out how to tie up all the phone lines in Haiti. This in turn would shut down Haiti’s air defense system because the system communicated via phone lines, allowing the Air Force to fly over undetected. 78

 

Although Operation Uphold Democracy was called off after a delegation led by Jimmy Carter persuaded the military leaders of Haiti to step down, the phone hacking plan impressed Maj. Gen. Kenneth Minihan, commander of the Air Intelligence Agency. In the fall of 1994, Minihan became the assistant chief of staff for intelligence at the Defense Department and began to advocate for creating an information warfare squadron — a warfighting unit that would have Title 10 authorities (military operations) rather than Title 50 authorities (intelligence). 79 Rhoads also helped make the case for such a squadron, briefing the commander of Air Combat Command who, in turn, briefed the Air Force chief of staff. 80

 

Meanwhile, the Air Force was developing doctrine that highlighted the uniqueness of computer network operations. In 1995, Air Force Maj. Andrew Weaver, who had a background as a weapons operator but was working in the doctrine division of the Air Staff, wrote a paper titled “Cornerstones of Information Warfare,” which was published with a preface signed by the Air Force chief of staff and the secretary of the Air Force. 81 Weaver emphasized that the “revolution” associated with information technology was doing more than simply increasing the efficiency of traditional combat operations. Rather, he argued that “information age technology is turning a theoretical possibility into fact: directly manipulating the adversary’s information.” 82

 

To the five elements of information warfare established in the 1992 directive, Weaver added “information attack” as a sixth element. He argued that, unlike other elements of information warfare, direct information attack bypassed the enemy’s observations. He contended that direct information attack could have the same result as one causing physical destruction, but with more certainty, less time, and less cost, suggesting a similarity between bombing a telephone switching station and destroying its software. And he argued that information should be understood as a new “realm” or “domain” for operations, akin to land, sea, and air, noting “strong conceptual parallels between conceiving of air and information as realms.” 83

 

The arguments of Minihan, Rhoads, and Weaver proved persuasive to Air Force leadership. 84 In August 1995, the Air Force ordered the formation of the 609th Information Warfare Squadron under the 9th Air Force at Shaw Air Force Base. The squadron was charged with conducting both defensive and offensive missions in support of the 9th Air Force and Central Command’s Air Operations Center. The squadron thus remained a kind of operations support, but unlike the Air Force Information Warfare Center, it operated under the authority of Title 10. 85

 

Rhoads was selected as commander of the new unit and Weaver was chosen as the operations officer. Rhoads and Weaver handpicked eight additional individuals to serve as the first cadre. Rhoads recalls that since nobody “knew what a cyber warrior was,” they put together “a combination of past war fighters, J-3 [Operations] types, a lot of communications people and a smattering of intelligence and planning people.” 86 Of the initial 10-person team, five had a background in computers or networking, but the leadership — Rhoads and Weaver — came from traditional operational backgrounds. 87

 

Since many of the initial members of the squadron lacked an understanding of computer networking, they took a three-day course on computer networking in April 1996. This is described in the squadron’s official history as “a huge success,” but the squadron needed a more comprehensive training program, particularly as the initial 10-person team grew. 88 It considered existing Defense Department courses, but concluded that none would work because the courses were geographically dispersed and only portions of the courses were relevant to what the squadron needed to know. So instead, the squadron arranged for a series of commercial courses to provide training in June and July of 1996. 89

 

In keeping with an emphasis on warfighting, the squadron’s work appears to have been focused on threat-oriented activities, such as intrusion detection and response, rather than vulnerability mitigation, which would have included password management, configuration management, and training. 90 Shortly after undergoing initial training, the squadron tested and selected a “defensive system,” a network-monitoring and intrusion-detection system. 91 Over the next two years, this equipment allowed the squadron to demonstrate its defensive capabilities to hundreds of “distinguished visitors” in numerous exercises. 92

 


While the squadron’s official history emphasizes the defensive mission, Rhoads recalls that the majority of its mission time was actually spent on offensive operations. 93 The squadron also privileged offensive work by requiring individuals to do defensive duty before they were allowed to take the offensive. 94 At Blue Flag 1998, one of the Air Force’s annual operational exercises, this approach led to an easy victory for the offense. The squadron’s official history recounts that the squadron’s red team “created a steep learning curve” for the defense. 95 A National Research Council committee that witnessed the exercise offered a less varnished assessment: “The defensive cell … was overwhelmed by its red team counterpart. (For example, the red team was able to download the air tasking order before it was transmitted.)” 96 The committee critiqued the squadron’s overall emphasis on offense:

 

With a culture that values the taking of the offensive in military operations, the military may well have difficulty in realizing that defense against information attack is a more critical function than being able to conduct similar operations against an adversary, and indeed is more difficult and requires greater skill and experience than offensive information operations. 97

 

The National Research Council committee went on to note that “the National Security Agency requires code-breaking experience before an analyst can begin to develop encryption algorithms.” 98 In other words, the agency required trainees to practice offense before graduating to the more difficult work of defense.

 

The squadron’s emphasis on offense, however, makes perfect sense from the perspective of a new unit eager to demonstrate its value to warfighters. Offensive operations could create dramatic military effects, at least in theory. By contrast, the effects of a successful defense are unremarkable: Military operations and networks would continue to function as planned.

 

While the 609th Squadron was widely regarded as successful, in June of 1998, senior Air Force leadership decided to change the organization of information operations in an effort to cut costs and personnel requirements. This led to the termination of the squadron. Most of its functional responsibilities were transferred to what soon became the 67th Information Operations Wing within the Air Intelligence Agency at Kelly Air Force Base, returning computer network operations to its intelligence roots. 99

 

Navy: Net-Centric Warfare

 

Like the Air Force, the Navy responded to the 1992 information warfare directive by reorganizing ongoing work within the Naval Security Group, the Navy’s cryptologic unit. Navy cryptologists perform functions similar to signals intelligence and electronic warfare personnel in other services but have held a special place in the Navy since their decisive role in the Battle of Midway and similar clashes during World War II. 100 In the Navy, cryptology and intelligence are distinct career fields with a history of rivalry, despite the close connection between the two. In July 1994, the Naval Information Warfare Activity was formally launched within the Naval Security Group, building on earlier, highly classified work on command-and-control warfare. 101 The activity was staffed by handpicked technical experts who developed new information warfare capabilities. 102

 

The Navy also established the Fleet Information Warfare Center under Atlantic Command in October 1995 to help operationalize capabilities developed by the activity. 103 The center had a defensive focus: The Navy’s director of command-and-control warfare explained that it would ensure “the battle groups are buttoned up against” information threats. 104 He described the Fleet Information Warfare Center as the Navy’s “911” service for information warfare, which was likely a reference to the new Navy Computer Incident Response Team that was formalized within the Fleet Information Warfare Center at its founding. 105 The center was a tiny organization comprised of warfighters — its first director was a former fighter pilot — along with cryptologists, electronic warfare technicians, and intelligence officers. 106

 

The Naval Information Warfare Activity and the Fleet Information Warfare Center played supporting roles similar to the Air Force’s Information Warfare Center, but the Navy did not create a warfighting unit focused on computer network operations, akin to the Air Force’s 609th Squadron. Instead, it sought to integrate the much broader field of information warfare into its composite warfare commander construct, wherein each battlegroup designates an officer to command a particular mission area. In 1989, well before the 1992 information warfare directive was issued, the Navy designated space and electronic warfare as a major warfare area, equal to surface, underwater, and air operations. 107 Two years later, the Space, Command and Control Directorate was renamed the Space and Electronic Warfare Directorate, and a new billet was created within the composite warfare commander construct — the space and electronic warfare commander. 108 By the late 1990s, this had become the “command and control warfare” commander, and by the early 2000s it was changed to the “information warfare commander.” 109

 

Nonetheless, there was little consensus on what role information warfare should play in naval operations. Was it really a new area of warfare on par with surface, subsurface, and air, or was it a disparate set of tools to be used in support of more established warfighting areas? The Navy did not issue any formal doctrine on information warfare in the mid-1990s, and discussions in the Proceedings of the U.S. Naval Institute from this period indicate a wide range of views.

 

For example, one naval intelligence officer argued that the wide-ranging methods of information warfare could not be assigned to a single commander. Activities such as destruction belonged to all warfare commanders and operational security was everyone’s responsibility. He suggested that the only “unique” thing brought by an information warfare commander was “computer war,” which was coming to be seen as “the sixth element of information warfare.” However, he argued that “for the foreseeable future, such capabilities most likely will remain under theater-level and strategic planners” rather than at the battlegroup level. 110

 

An officer specializing in electronic warfare similarly noted that many areas of information warfare were the domain of others including computer network defense, which was managed by information system security personnel. Furthermore, because there was no focused career field for officers specializing in computing or communications in the 1990s or a corresponding warfare qualification, the officers assigned to be the information warfare commander typically did not have substantial expertise in computing or any other aspects of information warfare. 111 However, rather than suggesting that the information warfare commander position should be abolished, this officer argued that the Navy should create a career specialization to provide adequate training. 112

 

In general, naval officers were more skeptical than their Air Force counterparts about the notion that cyberspace constituted a new domain. Naval intelligence officer Robert Gourley objected to discussions of “‘fighting in cyberspace’ and of creating teams of ‘cyberwarriors’ to lead those fights.” 113 Gourley insisted that “we cannot fight in cyberspace any more than we can walk inside a Picasso painting” and framed information warfare in terms of its intelligence impact, arguing that it “has the potential to do for today’s military what Ultra and Magic did for our forces during World War II—provide insight into enemy intentions and form the basis of our deception plans.” 114 Another naval intelligence officer went further, arguing that while the “military has viewed information services (traditionally, intelligence and communications) as supporting inputs to the actual warfare functions of fire, maneuver, and strike,” information warfare “might not always be a supporting function; in some future campaigns, it might take a leading role.” 115

 

The most influential articulation of the growing importance of computer networking came from Vice Adm. Arthur K. Cebrowski, a fighter pilot who had earned a master’s degree in Information Systems Management from the Naval Postgraduate School in 1973. 116 In the early 1990s, Cebrowski became the Navy’s director for space, information warfare, and command and control. 117 In 1994, he became the director of the Joint Staff’s Command, Control, Communications and Computers Directorate and established a new unit for defensive information warfare, described further below. In 1996, Cebrowski returned to his position as director for space, information warfare, and command and control, and in this role, he co-authored a Proceedings article outlining the concept of “network-centric warfare.” 118 Cebrowski and his co-author, John Garstka, technical adviser to the Command, Control, Communications and Computers Directorate, argued that computer networks were revolutionizing military affairs, but not because they were part of a new domain. Rather, just as computer networks were transforming U.S. business operations and making them more profitable and productive, computer networking should transform naval operations. The article advocated shifting from platform-centric operations (i.e., focusing on ships, submarines, and aircraft) to network-centric operations.

 

Importantly, Cebrowski and Garstka argued that this shift entailed elevating the status of individuals with particular technical talents, noting that “the military fails to reward competence” in information-based processes:

 

“Operator” status frequently is denied to personnel with these critical talents, but the value of traditional operators with limited acumen in these processes is falling, and ultimately they will be marginalized … The services must both mainstream and merge those with technical skills and those with operational experience in these areas. These are the new operators. 119

 

The Navy did make some changes to its information technology specializations in the late 1990s. In 1998, it merged the enlisted radioman and data processing technician ratings, and in 1999 this new rating was dubbed the information systems technician. 120 In October 2001, the Navy created a new, restricted line specialization — information professional — to be filled by members of the fleet support officer community. 121 However, individuals in these specializations continued to face limitations in career advancement. Since warfare qualifications were important milestones for promotion, individuals specializing in fields related to computer networking or other areas of information warfare often spent time pursuing those qualifications rather than developing technical depth in their own field. 122

 

Army: The Global Information Environment

 

Like the Air Force and Navy, the Army responded to the 1992 information warfare directive by reorganizing its intelligence units. Since the mid-1980s, the Army’s Intelligence and Security Command had maintained a highly classified Studies and Analysis Activity, which worked with other intelligence groups to explore ways of getting inside enemy command-and-control systems. In 1995, the Studies and Analysis Activity was absorbed into a new Land Information Warfare Activity, also within the Intelligence and Security Command. This activity began with 55 personnel, including 11 enlisted and roughly a dozen government civilians, and grew to about 250 by October 1997. The majority of the personnel were field-grade or higher-level officers from signals or intelligence. In the late 1990s, the Land Information Warfare Activity sought to incorporate more traditional operators, and it often augmented its technical capabilities by hiring contractors, with one member recalling that it was half contractors at one point in its history. 123

 

Although the Land Information Warfare Activity was administratively within the Army’s Intelligence and Security Command, it reported to the assistant chief of staff for operations and training rather than intelligence. 124 This helped to move what had primarily been an operations support function — intelligence — toward warfighting. But the Land Information Warfare Activity was explicitly in a supporting role. Like the Air Force Information Warfare Center and the Fleet Information Warfare Center, it helped commands plan information operations but did not conduct them. It deployed two kinds of teams: Field support teams would help Army units plan and integrate information warfare into their operations, while vulnerability assessment teams would help identify weaknesses. 125 In September 1996, the Land Information Warfare Activity also established the Army Computer Emergency Response Team, which engaged in defensive operations. 126

 


Like the Air Force, in the mid-1990s, the Army began to explicitly discuss computer network operations in its publications. Army “Field Manual 100-6: Information Operations,” published in 1996, highlighted “database corruption” and “malicious software” as means of attacking information systems. 127 It also featured discussion of the Internet worm and Rome Labs breaches, which was excerpted in the Joint Doctrine for Command and Control Warfare, issued in February 1996. 128 The Army’s “Field Manual 100-6” did not suggest that information comprised a new domain akin to land, sea, and air, but focused on a “global information environment” that was undergoing rapid transformation due to “modern information technology” and the associated “explosive potential of rapid dissemination and use of information.” 129

 

In 1998, the Army began creating a dedicated computer network operations force within Intelligence and Security Command’s signals intelligence group, as discussed further below. However, the Army struggled to grow a computer network operations capability in the late 1990s because its personnel management system did not reward technical depth. The Army trained its officers to be generalist-leaders, with the expectation that technical work would be conducted primarily by enlisted personnel. 130 Because specialization was not typically a path to career advancement, the Army faced a shortage of technically deep personnel in the mid-1990s. 131 This was one reason that the Army established a task force to redesign the officer personnel management system in 1996. The task force director, Gen. David Ohle, noted that with “information age technology, we see that officers have to be more specialized.” 132 He explained that he had been given “the mission to broaden the definition of warfighting to include not only combat, but also stability and support operations” as a means of improving opportunities for individuals outside of traditional warfighting roles. 133

 

In July 1997, the task force’s final report noted the “propensity of promotion boards to select officers with a warfighting background (commonly referred to as the ‘command track’) over those possessing functional area skills.” 134 It recommended leaving intact the system for developing company-grade officers. But for the development of field-grade (major) or higher levels, it recommended creating four distinct career fields through which individuals could be promoted: operations, information operations, operations support, and institutional support. 135

 

Operations consisted of the Army’s 16 branches, including the Signal Corps and Military Intelligence Corps, and two functional areas: psychological operations and civil affairs and multifunctional logistics. The new information operations career field included two previously established functional areas — telecommunications engineering and information systems management — which were relevant to computer network operations. Information operations also included simulation, space operations, strategic intelligence, and public affairs — an eclectic mix. A new, seventh area was created for information operations generalists. 136 Unfortunately, this last area gained a reputation for mediocrity. It suffered from a lack of adequate training — information operations was a very broad field and the training regimen established for it was too short — and it tended to attract officers who were not excelling in any other specialization. 137

 

Although the revised Officer Personnel Management System formally provided a path to promotion for officers specializing in computer networking, this did not necessarily increase their cultural status. Senior officers continued to argue that people chose to specialize in a functional area simply because they couldn’t succeed in a warfighting branch. 138 Then, in 2006, a new Officer Personnel Management System eliminated the information operations career field, establishing only three broad career areas: maneuver, fire, and effects (previously operations); operations support; and operations sustainment. Most of the functional areas previously in the information operations field, including telecommunications engineering and information systems management, were placed within operations support, reaffirming that even if individuals could advance professionally in these areas, they were playing a support role. 139

 

The Problem of Defense

 

By the late 1990s, the services were exploring various forms of computer network operations, but their formal doctrine and tactics, organizational hierarchies, and career structures still framed these activities as warfighting support rather than warfighting in its own right. Nonetheless, computer network operations were increasingly seen as the only “new” aspect of information warfare.

 

Additionally, as discussed further below, the mid-1990s saw a growing concern about one sense in which computer network operations were crucially different from other methods for information warfare: They depended upon civilian assets that the U.S. military could not control. This reliance made the problem of defense both more urgent and more difficult. In February 1994, the Joint Security Commission, which had been established by the secretary of defense and the director of central intelligence, described “the security of information systems and networks” as “the major security challenge of this decade and possibly the next century,” arguing that “there is insufficient awareness of the grave risks we face in this arena.” The commission noted the challenge of “protecting systems that are connected and depend upon an infrastructure we neither own nor control.” 140 A 1994 Defense Science Board task force echoed these concerns, noting that out of necessity “DoD [the Department of Defense] has tied its information systems to the private/commercial sector and routinely use [sic] INMARSAT, INTELSAT, EUROSAT, etc. Additionally, many DoD users are directly hooked to the INTERNET.” 141 The task force was “persuaded that DoD is currently spending far too little on defensive IW [information warfare], and that the gravity and potential urgency of the problem deserves [sic] redress.” 142

 

Articles in the trade press at the time also suggest that defense was not a major focus in the early 1990s. An August 1994 Defense Daily article noted that “[a]ll of the services’ information warfare tactics are currently focused more heavily on the offensive mission.” 143 Reporting on an Information Warfare Conference in October 1995, one technology journalist described “Pentagon skeptics who joke that information warfare is just ‘computer security with money.’” 144 As this suggests, computer security — a defensive activity — was seen as something that was different and less important than warfare.

 

Nonetheless, some military leaders worked to elevate the status of computer network defense. 145 As noted earlier, when Cebrowski became the director of the Joint Staff’s Command, Control, Communications and Computers Directorate in 1994, he established an information warfare division. Cebrowski brought in William Gravell, a captain in the Naval Security Group, to set it up. Gravell was not a technologist — he had entered the Naval Security Group through language training — but he had developed some important concepts in command, control, and communications countermeasures while assigned to the Office of the Chief of Naval Operations in the mid-1980s. There, he had also demonstrated to Cebrowski and others his ability to reduce highly technical subjects into compelling briefings. 146 A part of Gravell’s work, as head of the Joint Staff’s Information Warfare Division, was to persuade both military and private organizations to improve the security of computers and other information systems upon which military operations depended. The division soon commissioned a comprehensive review of laws, policies, and initiatives related to defensive information warfare and produced several educational publications targeted at both the private sector and portions of the defense establishment. 147

 

As Gravell recalls, while he “was going to military commands and conferences, but also trade associations, conferences, [and] boards of directors,” trying “to drum up support” for defensive information warfare, he quickly concluded that “private sector organizations and their lawyers and stockholders did not want to hear that they were engaged in ‘warfare.’ Such associations threatened, and sometimes even stymied, the collaboration which was needed to secure military networks.” 148 Roger Callahan, a colleague from the National Security Agency, suggested that Gravell instead adopt the term “information assurance.” This term was seeing growing use among computer scientists seeking to broaden conceptions of information security beyond privacy, and the National Security Agency had recently changed the name of its Information Security Directorate to the Information Assurance Directorate. 149 By 1995, the Joint Staff’s Information Warfare Division had been officially renamed the Information Assurance Division. 150

 

In the Defense Department, information assurance was sometimes treated as synonymous with defensive information warfare. 151 However, “information assurance” could also connote something that went beyond the military, as it was concerned with the vulnerability of critical infrastructure that the military did not own or control. 152 And even within the military, information assurance was sometimes seen as something focused more on technology management than warfighting, as noted below.

 

Despite the efforts of the Joint Staff’s Information Assurance Division, the decentralized procurement and management of information technology posed challenges to information assurance. 153 Recognizing that “the complexity of managing DOD’s [the Department of Defense’s] information assurance efforts had increased due to the proliferation of networks across DOD and that its decentralized information assurance management could not deal with it adequately,” the Information Assurance Task Force, led by the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence and the Joint Staff’s Information Assurance Division, began developing a more comprehensive and integrated approach in 1997. 154 This led to a Defense-Wide Information Assurance Program, which was launched by the assistant secretary of defense for command, control, communications and intelligence in his capacity as the Defense Department’s chief information officer in January 1998. 155

 

The Defense-Wide Information Assurance Program aimed to combine “centralized oversight with decentralized execution” of information assurance activities. 156 But it was not given the authority or resources needed to fulfill its charter. Although the program was initially approved for between 30 and 34 personnel, by 2001 the greatest number of positions that had ever been filled at one time was 16. The Joint Staff, services, and other defense agencies were all directed to provide staff to the program, but there was no mechanism to enforce these directives, and most of the staff were detailed from the National Security Agency and the Defense Information Systems Agency. In 2001, the Government Accountability Office found that while some Defense Department officials “expressed a need for products and activities” from the Defense-Wide Information Assurance Program, others “cited a lack of DOD [Department of Defense] leadership and support for DIAP [the Defense-Wide Information Assurance Program] and stated that individual components should continue to manage their own IA [Information Assurance] activities without DIAP involvement.” 157

 

Ultimately, elevating the status of computer network defense required more than an information assurance program from the Defense Department’s chief information officer. The path to elevating computer network defense to the level of warfighting went through the Joint Staff’s Operations Directorate.

 

The Need for a Joint Operational Defense

 

In 1997, the Joint Staff’s annual no-notice interoperability exercise, known as Eligible Receiver, included a computer network intrusion for the first time. The intrusion was proposed by Minihan, who, as noted earlier, had become familiar with the potential impact of computer hacking on military operations as director of the Air Intelligence Agency. However, in subsequent positions as the Air Force’s assistant chief of staff for intelligence and then as the director of the Defense Intelligence Agency, he struggled to persuade others to take computer security seriously. When Minihan became director of the National Security Agency in February 1996, he finally had the chance to demonstrate the problem persuasively by including computer network attack in Eligible Receiver. 158

 

In June 1997, as part of the exercise, a National Security Agency red team comprised of about 25 personnel successfully broke into the computer systems of the U.S. Pacific Command, the National Military Command Center, and a number of other joint command facilities. Eligible Receiver was set to run for two weeks, with an additional two weeks set aside if necessary, but the National Security Agency red team was so successful that it ended after just four days. 159

 

The Joint Staff had assigned a new Division for Information Operations to monitor the exercise around the clock and make recommendations. The division was spun off from the Joint Staff’s Operations and Plans Division and was headed by Brig. Gen. John “Soup” Campbell, an Air Force fighter pilot. Campbell recalls that, after a few weeks of gathering observations and recommendations, his group began to brief the Joint Staff’s director of operations, Gen. Peter Pace. It quickly became clear that the recommendations were directed to organizations that “were scattered all over the map” and that no single organization could be given primary responsibility for implementing them. 160 Pace ended the meeting early and sent the briefers off to figure out who should lead the effort to remediate the problems identified by Eligible Receiver.

 

Representatives of three directorates in the Joint Staff — intelligence; operations; and command, control, communications, and computers — and the Defense Information Systems Agency joined the operations deputies of each of the services in exploring who should be in charge. By November of 1997, the services’ operations deputies were considering several possible organizational structures, including augmenting the Information Operations Response Cell (a group led by the Joint Staff’s Division for Information Operations), or assigning the task to an existing military command or an agency such as the Defense Information Systems Agency or the National Security Agency. 161 However, Campbell recalls “resistance from the Services who didn’t want any outside agency telling them how to run their networks, and having a Combat Support Agency (e.g. DISA [the Defense Information Systems Agency] or NSA [the National Security Agency]) do so was a non-starter.” 162 Campbell and others eventually concluded that they should establish a new task force to direct computer network defense. They also recognized the importance of making sure that the task force would be “doctrinally correct,” so that it would have proper authorities. 163

 

Efforts to establish the task force were made more urgent by the discovery of new intrusions. On Feb. 3, 1998, monitors at the Air Force’s Information Warfare Center noticed an intrusion at Andrews Air Force Base, just outside Washington, D.C. Within a few days, a task force that included members of the Joint Staff’s Information Operations Directorate, the FBI, the Defense Information Systems Agency, and the National Security Agency was investigating. After investigators determined that the hackers had exploited a known vulnerability in its operating systems, known as Sun Solaris 2.4 and 2.6, the operation was dubbed “Solar Sunrise.” 164 Further investigation determined that the hackers were a couple of teenagers in the suburbs of San Francisco who were getting help from an 18-year-old hacker in Israel. By the end of the month, they had all been arrested by the authorities in their respective governments. 165 Nonetheless, the breach demonstrated the ease with which the military’s information systems could be compromised.

 

Not long after the discovery of Solar Sunrise, Deputy Secretary of Defense John Hamre called a meeting of about 30 people in the Pentagon. He asked the same question that had been looming since Eligible Receiver: Who’s in charge? Recounting the meeting 14 years later, Campbell stated that he couldn’t recall “if I raised my hand or if somebody poked me and I jumped,” but as the director of the Joint Staff’s Information Operations Division (“the J-39 Bubba”), he became the answer to Hamre’s question. 166 Eventually Campbell became the commander of the new Joint Task Force-Computer Network Defense that the Information Operations Division was helping to organize.

 

By May 1998, two different proposals for the new task force were under consideration: It could be in San Antonio with the Joint Command and Control Warfare Center or it could be located in the Defense Information Systems Agency’s facilities in Washington, D.C. 167 At a meeting in May 1998, the services’ deputy secretaries for operations endorsed the San Antonio option. 168 But subsequently, Defense Information Systems Agency Director and Army Lt. Gen. David Kelley made a strong case for locating the new unit at his agency. He offered the new task force use of the agency’s Global Network Operations and Security Center, a sophisticated facility with network monitoring capabilities. This was a “big piece” of why ultimately the Joint Task Force-Computer Network Defense was established there, where it could leverage the agency’s technical expertise. 169

 

(Continued)

 
