After several years of planning, the Pentagon’s Cyber Command is finally beginning to conduct operations such as tracking adversaries overseas to detect attacks against critical computer networks in the United States, according to a senior defense official.
The Pentagon’s “national mission” cyber teams over the past year have begun monitoring servers used by “high value” adversaries, said the official, alluding to countries such as Iran and China.
When authorized, the national mission teams — the most prominent element of the military’s growing Cyber Command — can block or counter a foreign cyber attack, the official, who was not authorized to speak on the record, said in a recent interview.
But the teams’ focus is “strategic defense of the nation,” not offense, the official said. The command is slightly less than one-third of the way toward its full capacity, with almost 2,000 personnel in place out of a goal of 6,000 by the end of 2016.
Sequestration slowed the effort, but “solid progress” is being made, the official said. The command is led by Adm. Michael S. Rogers, who took up the job in April when he became director of the National Security Agency. It was launched in 2009 under then-NSA Director Keith Alexander.
All told, there will be 13 national mission teams out of a total of 133 teams. Twenty-seven combat mission teams will assist combatant commands around the world. They might, for instance, disrupt an enemy’s computerized air defense systems before an airstrike.
There will be 68 cyber protection teams to help with defense of the department networks, the official said. The remaining 25 teams will provide support to the national and combat mission teams.
The national mission teams will not operate on private sector networks or inside the United States. “The national mission teams are not designed to sit on Wall Street and protect Wall Street’s networks or the power grid’s networks,” he said. “They want to catch an incoming round before it [hits].”
Part of their job is to do reconnaissance work on foreign networks to watch traffic in servers used by adversaries that the military has gained lawful access to, he said.
“We need to be inside the bad guy’s head and network,” he said. “That’s the mission of the national mission teams: to be inside the bad guy’s head and his network.”
Getting inside the bad guy’s network means monitoring the “hop points” or servers commandeered around the world by adversaries to route and disguise their computer traffic, not necessarily hacking into their command and control computers, he said. “Whatever these bad guys are using in order to do their work, that’s what we’re interested in.”
The teams can do that reconnaissance work under a variety of authorities, including intelligence and military, he said. If asked, they could also help the FBI in a criminal investigation, he said.
The national teams will deploy only when there is a strategic attack, or one, he said, that “is going to cause, death, public health and safety issues on a serious magnitude…[something] with significant implications to our national security or to our national economic security.”
Part of the decision-making process is a consideration of the consequences of any action, to include diplomatic blowback and counterstrikes, he said. “We don’t want to make the situation worse by the use of military cyber capabilities,” he said.
In 2012, then-Defense Secretary Leon Panetta pointed to a computer virus that wiped data from tens of thousands of computers at the Saudi Arabian state oil company Aramco and at Qatar’s RasGas as “probably the most destructive attack that the private sector has seen to date.”
The suggestion was that events of that scale would be something that Cyber Command would be expected to defend against should they happen to U.S. companies. Those attacks were attributed by U.S. intelligence to Iran, though officials never publicly stated that.
Much of what the teams are doing today is planning for contingencies. “They have to develop capabilities that can stop, block, neuter and disrupt something that’s serious,” the official said.
In any case, current administration policy is one of restraint, the official stressed.
“If we see something coming at us and we think traditional network defense can handle it, or law enforcement can handle it, you’re not going to see these teams swing into action,” he said. “But you better believe that they’re sitting there ready to go.”