Cover story: West Point Magazine, Summer 2018
In remarks at the 2016 AUSA Convention in Washington DC, General Mark A. Milley, Chief of Staff of the Army, outlined the challenging 21st Century strategic environment, where future wars will be fought “on a non-continuous, non-linear battlefield, with little higher command supervision and maximum decentralization.” Crises will unfold rapidly, decision cycles will compress, and response times will narrow. A vital part of the U.S. Army’s readiness in such an environment is its capabilities in cyber defense.
Organized defense of the Cyber domain, with the establishment of both U.S. Cyber Command and Army Cyber Command in 2010, is a relatively recent addition to the Army’s capabilities. Yet, despite the rapidly evolving pace of cybersecurity’s “history,” West Point graduates, instructors and cadets have been at the forefront of the field from the very beginning, providing innovative responses and expert analyses unrivalled by any other institution in the country.
Role of the Military in Cyber Defense
If you can make $500,000 as a senior hacker at the Bank of New York or $50,000 in the Army as a cyber warrior which job do you take and why?
This not-too-hypothetical question was posed by General Keith Alexander ’74 (Retired), former Director of the National Security Agency (NSA) and former Commander, United States Cyber Command.
“The military loses out on that in almost every case—but with the military you can get an education, training, and you get to do stuff in government that you can’t do in commercial life: conduct offensive operations to support national security requirements legally in cyberspace,” he said.
With significantly higher pay offered by the private sector for cyber expertise, what draws cadets at West Point to study cyber beyond the opportunity to legally hack? Probably the same reasons that have attracted cadets to West Point for more than two centuries.
“It fundamentally comes down to service, and ‘Do you want to serve your country?’” said Cadet Lexie Johnson ’18, a member of the West Point Cyber Policy Team, one of two USMA Dean’s Teams that compete in the cyber realm. “I think that’s where you’re going to find distinctions: You’re either doing this job for money or you’re doing it for a greater purpose.”
Major Sang Yim, a cyber instructor in West Point’s Department of Electrical Engineering & Computer Science (EECS) and Officer in Charge of the Special Interest Group for Security, Audit and Control (SIGSAC), a cadet cyber club, said that he finds that camaraderie draws talent to West Point rather than the private sector.
“You’re all on the same team working on the same goal to defend the country,” he said. “In business, you have to beat out the guy next to you, and you’re not going to have that team aspect.”
History Being Made Now
Few would have predicted even 10 years ago that cybersecurity for the nation would become as omnipresent in the public awareness as it is now. But Alexander said that as far back as the late 1990s “we saw people messing around” with a series of cyber attacks by Russians on the U.S. government.
“There was a series of three or four [U.S.] operations to identify the source of the attacks that gave us concern,” he said. “Back then it was more of a niche operation by the NSA to identify the attacks than a broad scale response.”
By 2005, the “niche” NSA operation had significantly grown, and NSA was developing their next generation collection platform, called Trailblazer. The contract on that platform was terminated three days before Alexander took over NSA. Then-Secretary of Defense Donald Rumsfeld charged Alexander to come up with a new platform that would shift defenses from analog to digital. Shortly thereafter came the large-scale 2007 cyber attacks on the Estonian government and banking system amidst tensions with Russia. And then came a 2008 cyber breach predominantly in United States Central Command, spread by thumb drives. This breach eventually led to the creation of U.S. Cyber Command, which became operational under Alexander in 2010.
The 2008 attack marked the beginning of a new kind of threat in warfare: it wasn’t someone simply stealing information, it was someone exploiting and corrupting the U.S. military network with a virus. “We identified the attack on 24 October 2008 and by the next day we had a solution on the network,” said Alexander. “It was then that Secretary [of Defense] Gates decided to bring together the offense and the defense that would become Cyber Command.”
Alexander pulled together a team that included now-General Paul Nakasone, now Rear Admiral T.J. White, now-Colonel Suzanne Nielsen ’90, presently Professor and Head of the Department of Social Sciences at West Point, and Jen Easterly ’90, currently Managing Director at Morgan Stanley and Global Head of the Cybersecurity Fusion Center. Together, they developed the intelligence framework for U.S. Cyber Command and presented the concept to then-Secretary of Defense Robert Gates. “To say they were met with strong resistance would be an understatement. We knew we would need this in 2018, but that wasn’t as apparent in 2008,” observed Brigadier General Jennifer Buckner ’90, who joined the team in 2010.
But U.S. Cyber Command was approved, as was Army Cyber Command, which evolved to include the establishment of the U.S. Army Cyber School at Fort Gordon’s Cyber Center of Excellence. Buckner, the first Cyber School Commandant, helped design the curriculum, and drew upon her West Point education, emphasizing engineering and technology. “We’re teaching them to solve hard problems not by telling them what to do, but by teaching them how to think,” she said.
Laying the Foundations for a Cyber Team
Alexander said he learned Fortran computer coding while he was a cadet at West Point. But while those hands-on programming skills have served him well, he stressed that the team-building skills he learned at the Academy are what helped him to grow as a leader in the cyber realm. “West Point teaches you to figure out what you don’t know, and how to get the right people to work with you,” he said.
Many of the people that Alexander surrounded himself with during the early days of cyber defense would go on to build and lead some of the Army’s and West Point’s key institutions in cybersecurity. Buckner was there when he set up U.S. Cyber Command, and she served as the U.S. Army War College Cyber Fellow at the NSA. She was recently promoted from Deputy Commander, Joint Task Force-Ares to Director of Cyber, G-3/5/7, U.S. Army. She said the field is experiencing tremendous growth. The Army Cyber School graduated its first class in 2016, and, where just three years ago there were only 18 students, today there are nearly 800.
“Education is so important. Our future leaders are the lieutenants and captains, our junior ranks, so developing that talent is important,” Buckner said, adding that she continues to call on the talents at West Point to work on some of the Army’s toughest cyber problems.
The U.S. Army Cyber Branch, established in 2014, first welcomed 15 graduating second lieutenants from the USMA Class of 2015, and saw 20 cadets from the Class of 2018 branch Cyber. At the Academy, cyber education continues to grow and become more interdisciplinary (see “Developing the Cyber Warrior,” sidebar on page 11). All plebes are required to take IT 105 Introduction to Information Technology, a core course introducing cyber concepts, and then may choose to pursue an interest in the field with advanced level courses, clubs or participation in a competitive cyber team. Courses that were once limited to Computer Science, IT or Electrical Engineering majors now welcome economists and foreign language and English majors.
“For the English major in any other school it may not be as critical, but considering our graduates are going to be lieutenants and they’re going to be in the Army using our information systems, we want them to understand cyberspace, because our weakest link right now is the user,” said Lieutenant Colonel W. Clay Moody, Ph.D., Assistant Professor in EECS and a coach for the award-winning Cadet Cyber Competitive Team (C3T).
For cadets who aren’t sure whether cyber is for them, there is a chance to get their feet wet at SIGSAC. The club’s casual atmosphere delves into security issues in many spheres, not just cyber. (They’ve even held lock picking contests.) But the primary focus is on cyber and hacking. The group meets every Monday and is a mix of men and women, some of whom are technically proficient and some who are not.
“There will be people who will be interested in the tech side but don’t get too involved because they’re spending their time in policy,” said Cadet Preston Pritchard ’18, the Cadet in Charge of the group.
Pritchard said that the club is also a good place for students from a variety of backgrounds to begin to meet on the common ground that is cybersecurity. But the two groups that continually overlap are the tech-savvy students and the policy-savvy students. “They’re two very different groups, but they are both equally important,” said Pritchard. “The tech side can’t operate without knowing the law and the policy side can’t operate if they don’t know a bit about tech.”
After competing amongst themselves, the students’ talents begin to emerge. “From there we pick people who are good at what they do,” said Pritchard. “Those people who are good at tech we encourage to try out for the C3T.”
Next year, Moody said, the C3T team will operate as three sub-teams that reflect the real world of cybersecurity: one team will focus on cyber defense, another team will focus on offense, and the third will be a more “full-spectrum” Capture-the-Flag team. In Capture-the-Flag competitions, cadets are authorized to compete on a cyber range, where they can safely engage in hacking and defending. A hacker may be searching for a hidden message that requires them to exploit a vulnerability in the system in order to recover that message, which could be a string of characters representative of a social security number or war plans. Most of the competitions run about 48 hours and occur online. “It’s about understanding the foundations and be willing to dive in and work on it,” said Moody. “To be successful on the teams, you need to be inquisitive.”
Although many competitions take place online, members of the C3T and Cyber Policy Dean’s Competitive Teams were able to travel to the inaugural NSA Cyber Exercise (NCX) for the U.S. Service Academies at Annapolis this year. Cyber policy team members, SIGSAC members, and cadets in cyber-related classes accompanied C3T to the event. After 17 years of the NSA Cyber Defense Exercise (CDX), a weeklong exercise which featured each academy’s teams defending against NSA attacks from their home location, faculty from the military academies and United States Cyber Command joined the NSA in developing and executing a wholly redesigned competition. The NCX features in person head-to-head attack and defend scenarios, as well as policy and forensics scenarios. The benefit of competing in person is the chance to get to know cyber teams from the other academies.
“It’s great because we know each other and we’ll probably get to know each other in our careers,” said Pritchard. “Cyber is a joint effort. If you go down to Fort Meade or Fort Gordon you have Air Force next to Marines next to Navy, and civilians too.”
Cyber Thought Leadership: The Intellectual Home of the Army
Lieutenant General Rhett A. Hernandez ’76 (Retired) currently serves as the West Point Cyber Chair at the Army Cyber Institute at West Point (ACI), an outward-facing research organization that was established in 2012. He was the first Commanding General of U.S. Army Cyber Command upon its activation in 2010. Hernandez said that West Point addresses cyber education not just through electives in computer science and math, but also through policy, law, ethics, cognitive behavior, and even cyber history.
“We need to think about how to increase thought leadership by not necessarily focusing on today’s problems, but by helping the Army and others think about what could be next,” he said. “And to add to the body of knowledge, we need to develop strong partners in the commercial sector, industry, academia, and government.”
Colonel Andrew Hall ’91, Director of the ACI, said the organization encourages collaboration with academic researchers based at universities around the country, where the tenured faculty model complements West Point’s rotating model for instructors who bring in knowledge directly from the field to the Academy. The university professors’ theoretical rigor builds on the West Point faculty’s on-the-ground experience.
“West Point is the intellectual home of the Army. Thought leadership is what the Institute started out on—no one else in the Army has the intellectual freedom to publish in peer-reviewed journals,” said Hall. “We’re trying to expand the talent pool we work with, and to expand knowledge across the entire cyber community.”
Though the ACI works with many partners outside of the Academy, West Point reaps the benefit of having many of its researchers teaching cadets and coaching competitive cyber teams. “We have ACI faculty who teach in eight of the 13 academic departments, covering courses as diverse as Cyber Ethics, Law, History and Policy to Mathematics and Computer Science,” said Hall. “Diversity of thought is key to working in cyber.”
Building on IT: The Power of Interdisciplinary Teams
For today’s cadets majoring in non-IT disciplines, the attraction to cyber is simply part of being a digital native. Few draw hard lines between their discipline and cyber.
Cadet Nolan Hedglin ’18, who as a firstie was majoring in math and physics, said that he and Johnson were part of the first cohort able to take courses that were once limited to computer science majors. He said voices from different disciplines enrich the cybersecurity field. “We bring another perspective to cyber and that perspective will have long term effects on how the culture will shift,” he said.
Both Hedglin and Johnson were part of the West Point Cyber Policy Team, a Dean’s Team (like C3T) coached by Major Patrick J. Bell ’05, a research scientist with the ACI and an Assistant Professor in the Department of Social Sciences. The team took home first place in the Atlantic Council Cyber 9/12 Student Challenge in Geneva in April, and won the Indo-Pacific Cyber 9/12 Student Challenge in Sydney, Australia in September 2017.
“Cyber is intellectual pluralism at its best,” said Johnson, who is majoring in international relations and Russian. “The cyber domain demands pluralism, because the repercussions can affect the economy, politics, and infrastructure,” she said. “We need cyber experts in a variety of realms to predict and understand their sectors.”
The Cyber 9/12 Challenge competition scenario involves briefing an important decision maker like the National Security Advisor on a rapidly unfolding situation such as a cyber attack. Competitors are not looking for a technical solution, though technology is certainly a component. The competitors must respond to immediate needs and make recommendations based on imperfect information.
“Cadet Cyber Policy Team members get to wrestle with a lot of the most pressing issues at play,” said Bell. “The speed with which the media will react to an event today is unprecedented; we’re expecting adversaries to prepare their communication responses before they even initiate actions.” Bell said traditional international relations theories are relevant in the cyber domain, though they may not apply as well as they do with warfare scenarios involving nuclear weapons. But the fact that the established theories are an imperfect fit intrigues Bell and his colleagues, and presents an opportunity to develop new ways of thinking. He added that decisions in the cyber domain must blend computer science skills with policy knowledge in order to best deliver effects.
From the very early days of cyber warfare, traditional command structures and the very language of warfare have been challenged to evolve, since the virtual world of cyberspace encompasses and extends beyond land, air, and sea.
“Culture aside, a lot of what delineates the Army from the Air Force and the Navy in cyber is what we consider to be tip of the spear for that mission, and for the Army it’s the soldier, the individual soldier interacting with humans on a daily basis in theater,” said Hedglin.
Buckner agreed, adding that in cyber sometimes the junior ranks represent the tip of the spear, as cyber is a domain they grew up in. “One of the ironies is that, in most branches of the Army, you feel ‘established’ in a higher rank, but in this one, we recognize that our lower ranks are the future,” she said.
Hall noted that the typical Army unit operates under a commander, supporting the infantry commander, at the time and place of the commander’s choosing. He said that cyber warriors need to react more quickly and distinctly than their real-world counterparts. “In cyber, the most important thing we’re doing may be preventing attacks way before a kinetic attack,” he said.
Not only is the command structure evolving with cyber warfare, but so is the language required to direct action. Part of the reason West Point’s Cyber Policy Team took first place in Geneva was because they were best able to translate technical rhetoric into something that civilian policy makers could understand and act upon. “This is an emerging domain and an emerging threat that needs to be translated appropriately and effectively,” said Johnson.
Communicating about cyber events can prove further challenging when the effects of an event can seem elusive in the physical world. The damage is not something one can necessarily see. Even the term “warfare” irks some in the field.
“Talking heads have too often used the phrase ‘cyber warfare’ to describe events like the OPM and Equifax hacks. But is it warfare? Not as I understand it,” said Lieutenant Colonel Michael J. Lanham, Ph.D., Director of the West Point Cyber Research Center, which focuses on cadet and faculty development in cyber and complements the ACI’s outward focus.
Lanham said he sometimes uses “traditional military operations terms on non-traditional terrain” to help shape discussions about cyber warfare. However, equating cyber attacks to historic battles often proves a weak analogy, he said. He noted that most comparisons come from commentators looking for easy analogies, with several warning of an impending “cyber Pearl Harbor.”
“That analogy breaks down,” he said. “The Pearl Harbor attack was the seminal moment that provoked a full entry of the U.S. into World War II and led to the unconditional defeat of the Axis powers; what we’re experiencing is not that. We are experiencing industrial and national espionage, experiments in sabotage, but not crossing the threshold into warfare yet.”
The hyperbole of a “cyber Pearl Harbor” gives the perception we are waiting for a catastrophic event in the physical realm, like a large chunk of the power grid going down. But the U.S. has already experienced several large scale cyber events that have not galvanized the public in the manner of Pearl Harbor or even 9/11.
“I’ve heard a lot of people say it’s the same warfare in a different domain, but in many ways, this is not the same warfare,” said Bell. “In the Cold War, you could not go in and ... get information on 87 million people in the country and then work to try to manipulate them at a granular level without anticipating any retribution.”
Almost everyone interviewed for this article said the military’s ability to “hack back” attackers remains a strong incentive in recruiting potential cyber soldiers away from the more lucrative private sector. Still, the Army follows very strict legal guidelines and authorities that they adhere to during cyber operations. Hacker training is only conducted on cyber ranges and in controlled environments.
“There’s no right to defend your cyber domain like you can defend your house,” notes Moody. “A lot of the hacking skills you may want to use in the private sector are going to come with handcuffs, but in the Army, the things you can do with those same skills are going to win you medals.”
The ability to hack and defend the nation may attract talent to the Academy and the Army, but all the hacker talent in the nation isn’t going to make an impact without cooperation from the private sector. Hernandez says it’s all about partnerships. “There are all kinds of numbers out there, but many say more than 90 percent of the critical infrastructure, from financial to energy to transport, is all owned by the private sector,” said Hernandez. “In order to better defend the nation, you have to have strong public-private partnerships at all levels—and that’s much easier to say, but harder to do.”
Alexander’s primary concern, as has been voiced by leadership in both the intelligence and defense communities, is forming strong public/private partnerships. “We created our government for the common defense and that includes the private sector,” said Alexander. “We don’t question well enough what the role of government is and what the role of the private sector is.”
Alexander said with the proper oversight the government can defend the private sector while addressing privacy concerns. He added that there’s a “perception problem” of what people think the government will do if it gains access to private data. “Think about how many phone calls, texts, emails, and social media posts you see every day, and multiply that by the number of people in this country,” he said. “No one is out there reading all that. We need to encourage people to get the facts: We’re doing this to protect you.”
A Solid, Ethical Career
When Pritchard was growing up in the small farm town of Ixonia, Wisconsin, his family did not have internet service. “I got into computers by not having internet access, so I turned inwards to the computer,” he said. “Instead of spending time browsing the internet I spent time in the windows operating system, breaking it apart and putting it together again.”
When his family did get the internet, he was able to get many of his burning tech questions answered. He said that as an outdoors person he wanted to branch Infantry when he came to the Academy, and then move on to Ranger School, but his interest in cyber continued to pull him in another direction. “Before, it used to be you could do one or the other, but now you can do both,” he said. “I can still do cyber and I get to serve my country.”
Today, his future in cyber looks secure and wide open. He has recently chosen to branch Cyber, where he’ll be able to hack back. But it’s not what people think, he said. It takes hours of training and supervision before anyone gets approval to respond to a cyber attack. Pritchard said sometimes the standards, which are rooted in law, make cyber warriors feel as though “their hands are tied.” But at the same time, the standards reveal what he and his colleagues are fighting for and who we are as a nation.
“In Russia or China, they can recruit off the street and say, ‘Attack this target,’” he said. “They’re able to do that because they are not held to the ethical standards that we hold ourselves to.” His fellow cadets agreed. “This environment is the most conducive in learning how to ethically hack, and then translate that into future jobs you can do,” said Hedglin, adding, “And the mission itself is extremely rewarding.”