Cyberspace leadership: towards new culture, conduct, and capabilities.
War has always been a product of its age. The tools, tactics, and doctrine of how we fight have always evolved along with technology. In this first decade of the twenty-first century, cyberspace has emerged as a global war-fighting domain--a domain that is as critical to ensuring our national security as its companion domains of land, space, sea, and air. Within the Department of Defense (DOD), United States Strategic Command (USSTRATCOM) is the global war fighter for cyberspace. It is the combatant command charged with operating and defending the Global Information Grid (GIG) as well as planning, acting, and--when directed--executing operations to maintain our freedom of action in this domain.
As war-fighting domains, air, land, and sea are largely defined by geography or range of operation. Space and cyberspace, however, are cross-cutting domains, absolutely global in nature and indifferent to physical terrain or lines drawn on a map. Moreover, space and cyberspace are domains in which the United States can expect to be challenged. They are domains that are vital to civil and commercial activities, and are essential to the success of the global economy--but they are also critical to military operations. The global cyberspace domain is where information is moved today; military orders, logistics, and operational effects all depend on cyberspace. Freedom of action in cyberspace is essential to both war fighting and our national security.
Cyberspace, as one of USSTRATCOM's three primary lines of operation (space and strategic deterrence are the other two), is the least mature; yet, it is vitally important. Addressing the cyber threat is no small challenge and demands a new mind-set as we evolve the culture of war fighting in cyberspace, as we shape the conduct we follow in execution of the cyberspace mission, and as we strengthen the technical and manpower capabilities we bring to the cyberspace fight.
If, as the adage states, the past truly is prologue, a look back at lessons learned in the early days of military aviation may provide a compelling paradigm for developing cyberspace capabilities needed to address the challenges of today and tomorrow. How did we develop the capabilities of airpower for national security needs? What did we do right? What did we do wrong? And--the real question for today--how can we apply those lessons learned in the field of airpower to our development of cyber power?
To explore these questions, let's take a trip back in time to a fictional day and a fictional character in 1893 when 2nd Lieutenant Chilton graduated from the US Military Academy at West Point. He was undoubtedly steeped in lessons learned from the Civil War and in cutting-edge tactics for cavalry, artillery, and defensive fields of fire. He likely spent no time at all thinking about how one might use a new domain of warfare called "air" other than maybe considering the utility of tethered balloons for artillery spotting.
But 10 years later, in 1903, the Wright brothers flew. Even though their initial flight lasted only 59 seconds, it was a watershed event in history; suddenly there was a new domain available for human activity. Then, in 1926, thirty-three years after his commissioning, Chilton found himself in a new kind of military. By then, not only had manned flight been added to the military tool kit in World War I, but also Chilton was thinking about how he was going to fight the next fight in that domain, how important it was to protect that air domain, and how that domain would grow in importance to commerce, transportation, and the economic development of this country.
Now let's fast-forward to reality and look at these milestones from a different perspective. The year is 1976, and 2nd Lt Kevin P. Chilton has just been commissioned an Air Force officer, is one year past having turned in his slide rule, and has bought his first HP-35 handheld calculator for $275. The concept of a laptop or a desktop computer is still inconceivable. Yet, 10 years later, in 1986, when I was at the National Aeronautics and Space Administration (NASA), someone came in and put this "thing" in my office. He moved my files out of the way, set a bulky monitor with keyboard on my credenza, shoved another boxy device under my desk, and said, "Here is your computer." It was a "Wright brothers moment" in cyberspace for me.
Now, 33 years later, in 2009, I am dependent upon cyberspace. I'm dependent upon it in my personal life. The country is dependent upon it for our economic way of life. War fighters around the world are dependent upon it to conduct operations, not just in cyberspace but in every other domain. All of this dependence has transpired in only 33 years--faster, in many ways, than the revolution of flight.
In 1991, as I was working at NASA, we proudly upgraded the space shuttle's main computer by doubling its capacity from 128K to 256K. That's the capability we still use today to go to and from orbit in the shuttle--a mere 256K. I dare say we have more capability in our wristwatches today; the pace of change in this arena since the space shuttle first entered service has been absolutely amazing.
Let's continue with the airplane metaphor and go back to World War I for perhaps another helpful tale. In the early days of the war, the German aviators would often fly alongside French aviators, and, at first, they viewed one another as noncombatants. They spent most of their time observing and collecting information on surface activities from the air domain. On occasion they were even known to pass close enough to see into each other's cockpit and would often wave as they went by. It was a rather chivalrous approach to this new domain. As the tradition went, they were enemies, but they would honor the civilities.
But then, as legend has it, one fateful day a German and a French pilot passed each other, and for some reason the German shook his fist at the Frenchman. The next day, when the German approached, he hurled some sort of missile at the French pilot, who became so incensed that he dove at the enemy, drew a small flask of port wine from his pocket, and bounced it off the exhaust manifold of his newfound antagonist.
Though this story may be just legend, something of the sort surely happened to mark the end of pure courtesy in the air domain and the beginning of hostilities. What followed was a dramatic change in three areas. There was a change in the culture of airborne war fighting, in the way we thought about how this new domain fit into the art of warfare. There was also a change in conduct, in the rules of engagement regarding how we intended to operate in this new domain of air. Finally, there was a dramatic and measurable change in the capabilities in this domain, in the level of investment to develop, employ, and sustain those capabilities.
I would argue that history has repeated itself in the newest domain of military and national security activity. We have moved past the civilities in cyberspace.
United States forces, as well as those of our allies and adversaries, now rely heavily on their computer networks for command and control, intelligence, planning, communications, and conducting operations. But these architectures are vulnerable. In fact, for more than 15 years, the US government and DOD networks have come under increasing pressure from probes and assaults from a diverse range of adversaries, from bored teenagers to criminal organizations to nation-states. Although we have detected illicit activity on our networks for more than 15 years and employ resources to offer a comprehensive, multidisciplinary approach to protecting those networks, we need to do more.
All of us--myself included--are making it too easy for potential adversaries to exploit our networks today. Like the World War I aviators, we need a change in our culture, conduct, and capabilities if we are going to advance the state of the art and provide the protection and freedom of action we need in this domain.
The first step we need to take is to develop and to nurture a culture that understands the importance of cyberspace and integrates it into our operational activities at all levels. I know from personal experience how difficult it can be to change that culture. After the technician put that computer on my desk at NASA, I successfully ignored it for about a month. I dusted it on occasion, and I would often gripe about its being in the way of my in-box. Then one day I missed a meeting. I asked the person who had organized the meeting why he didn't tell me about it, and he said, "Well, I sent you an electronic message." (We didn't call them e-mails in those days.) I responded, "Why didn't you just holler at me?" We shared a desk in the same office; I didn't understand why he couldn't have simply spoken to me. Whereas I had not begun the cultural shift into cyberspace, my peer had moved on. What I saw as just a new convenience--sending messages on a computer in lieu of making a phone call or having a face-to-face discussion--this person saw as a new way of life.
In a broader sense, we have developed and reinforced a culture which assumes that the cyber domain (those computers on our desks) is there for convenience. We have not necessarily thought of computers as part of the war-fighting domain. Think about it! When there is a problem with the computer, whom do we call? We call the smart technician and say, "Get down here and fix my darn computer--it's not working," and the technician comes and fixes the machine, and that is usually the end of it. This is not the sufficient level of attention for systems that are mission essential to war fighting today. Problems with the availability, reliability, and security of information in this domain are not just meant for the attention of the brightest technician in our organization. They are a commander's business.
This is the foundation of the cultural shift that we must make. We must now think about this domain, its tools, and its readiness as commanders should--as essential to successful military operations.
When I was a U-2 wing commander, I reviewed the maintenance statistics on my airplanes every day. Why? Because I could not fly if they were not maintained properly and if they were not prepared to operate. Likewise, we need to review the maintenance statistics and the readiness of our cyber networks. We are commanders, and we depend on them. I challenge anyone to claim that he or she is not dependent on cyber networks every day. This is a significant change in mind-set.
Our "flights" through cyberspace are not simply a convenience anymore; they are a necessity. We must recognize that we depend upon this domain and that we need these systems to conduct our fight today and tomorrow. We must recognize that we can fight in this domain, just as an air-to-air fighter can fight in the air domain, and that we can fight through this domain and affect other domains, just as an aircraft can drop a bomb on land and create effects in that domain.
As leaders we must also appreciate the vulnerability of this domain, not just its importance. We have to transition from a culture of convenience to a culture of responsibility. We must recognize that a vulnerability in one system can create a vulnerability in another system on the other side of the world, not just locally.
Every soldier, sailor, airman, and marine is on the front line of cyber warfare every day. Think about those who guard your bases, who stand there at the gate and make sure only the right people come in and keep the wrong people out. In cyberspace that role belongs to anyone who has a computer on his or her desk. That person is part of the front line of defense, whether he or she knows it or not. Changing this culture is absolutely essential, and it is going to take time, focus, and, above all, leadership.
In every other domain and every other system, one of the foremost things we focus on is our people and their training. It is the same in land warfare, sea warfare, air warfare, special operations, and space operations. We emphasize training because we know that our people, not our tools, are our greatest advantage in any conflict.
I am required to train on cyberspace security once a year. I get a message that blinks on my computer that says, "You are due for Information Assurance training, General Chilton. Get it done by this date." Once a year! During the training, I get to read and study year-old tactics, techniques, and procedures used by an adversary who is modifying them every day, perhaps every hour. We are not training appropriately, and we need to change that.
We also need to implement an effective inspections process for cyberspace. As the commander of an aircraft wing, I expected my higher headquarters to give me an annual operational readiness inspection to ensure that I could carry out the mission I had been given. So I paid attention to maintenance, logistics, and the readiness of my air crews--their ability to fly the mission, do the job, and get back. What did I not pay attention to? The cyberspace tools that I needed to get them off the ground. Today, where are all the tech orders that our people use to maintain airplanes? Are they on paper? Are they on classified networks? No, they are on unclassified networks, and they are on laptop computers or handheld devices that are vulnerable. Are we worried that an adversary might try to change the tech orders on our maintenance manuals on the flight line? We ought to be.
Is cyberspace essential to current operations? Should we be inspecting the readiness of every organization that relies on cyberspace to conduct its operations? Should commanders care about that? Should they be graded on that? I believe they should.
If an airplane crashes, if a ship runs aground, if a tank goes off the road and rolls inverted into a ditch, what is one of the very first things commanders do? They stand up investigation boards or mishap boards because they want to get at the root cause of the problem and fix it. Commanders study the causes, they develop lessons learned, they promulgate them through training, and they make sure the force learns from the mistakes. Then they determine the right level of accountability.
Do we do that in cyberspace? Do we have the tools to hold people accountable for not following rules and regulations? We do have a tool. It's called the Uniform Code of Military Justice. We have all the authority we need, but we cannot get this backwards. We can't hold people accountable if we haven't properly trained and equipped them. We must do that first. We have to properly train, properly equip, inspect readiness, conduct investigations of mishaps when they happen, and then hold people accountable for their behavior.
Many violations occur today in cyberspace and on our military networks--far too many. For some reason, some people feel that the rules don't apply to them. They view compliance with directions that decrease the vulnerability of our networks as an inconvenience. When we don't comply, we can be certain that adversaries will take advantage of our misbehavior and lack of discipline.
Another necessity of proper conduct in cyberspace is the exercising of centralized command and control, and of decentralized execution. Some form of unified control and oversight is absolutely necessary in this global domain that requires systems to operate in a synchronized and integrated manner to ensure effective defense and mission success.
When I asked last year how many Secret Internet Protocol Router Network (SIPRNET) and Nonsecure Internet Protocol Router Network (NIPRNET) machines were on the DOD network, it took more than 45 days to get the answer--and I'm not sure I got the right answer. Now, if I asked the chief of staff of the Army how many M-16s there were in the Army, I'm certain he could tell me within 48 hours. I know that the chief of staff of the Air Force could tell me how many M-9s there are in the Air Force inventory because every one of them is signed in and signed out. There is 100 percent accountability for those weapons. Yet if we lose control of them, the danger posed extends only within the ballistic range of those weapons.
But we have some unknown number of computers on the GIG that have unknown configurations, are in unknown locations, and are being operated by unknown users. If these "weapons" are misused, they can affect operations on the other side of the world because their "ballistic range" is global.
Finally, we need to improve our capabilities significantly in the cyberspace arena. Our people need better tools, particularly for command and control at the operational level of war. Our operational component commanders who operate, defend, and execute the missions in this domain need tools that allow them to better manage the operation of and the defense of this network at network speeds. We need to operate at machine-to-machine speeds and as near to real time as we can in this domain to stay inside the turning radius of potential adversaries. We need to push software upgrades automatically and to have our computers scanned remotely with the latest antivirus software.
We also need common operating pictures, just like the ones demanded by commanders in every other domain. Today, if we look at our common operating picture in cyberspace, we will find places in the United States that show up as black voids on the map. Why? Because we don't know what is going on in those locations. Usually around many of those black voids are the fences of some of our military installations because we have put up artificial barriers to keep the centralized command and control authority and oversight outside the fence line. The claim is, "It's my network." No, it's not; it's an integral part of the entire network, and a vulnerability in "your network" is a vulnerability to the entire GIG. We need the capability to see the whole picture all at once and take action as needed when threats appear.
I believe that, ultimately, we have to be even faster than network speed if we're going to defend this network appropriately. How do we do that? I'm not suggesting that we defy the laws of physics. We do it by focused, high-tech, all-source intelligence that tries to anticipate threats before they even arrive. We have to be able to anticipate attacks and intrusions and, when we can, preempt those threats before they arrive at our bases, posts, camps, or stations--or at the laptops on our desks.
Lastly, what we desperately need in the capabilities area are people--cyber experts dedicated to and focused on this mission area. The services are great at organizing, training, and equipping air, land, sea, and space domain forces. We need to move forward in organizing, training, and equipping cyber forces to conduct these critical operations for the DOD.
Leaders in government, business, and academia have moved from ruminating about threats in cyberspace to treating them as real and present dangers. We know that we also must make this transition. We have seen government networks probed in the past, and I firmly believe that these intrusions will only continue to increase.
The cost of responding to intrusions has been in the hundreds of millions of dollars. But the costs go beyond dollars and cents and, more critically, include lost and/or exploited information that could be used against us in the future to inhibit our actions, interdict our operations, or put us in a position to be less effective in the other domains beyond cyberspace.
Our challenge lies in preventing attacks on our networks. It also includes finding ways to interdict attacks after they've been launched. If such attacks are successful, our challenge becomes not only making the adversary stop the attack, but also continuing to operate our networks through the attack.
We already do this in other domains. As I recall from my Air Force training, when a simulated threat of a chemical or biological attack occurred, we went out in our mission-oriented protective posture (MOPP) gear and fixed airplanes, loaded airplanes, and flew airplanes. We conducted operations in a hostile environment. That's what operating under attack in cyberspace is going to be like. We will need to fight through attacks and ensure we can continue to operate in cyberspace in at least an adequate fashion so we can continue to enable and support operations in every other war-fighting domain.
In this era of increasing dependency on cyberspace amid increasing threats to our systems in that domain, it is essential that we make these necessary adjustments in culture, conduct, and capabilities. We do not conduct activities in the new domain of cyberspace for convenience--we conduct them out of necessity. That makes successful operations in cyberspace everyone's business--especially leaders' and commanders' business. The time to act is now.
Gen Kevin P. Chilton, USAF *
* This article is based upon remarks delivered by the author at the inaugural Cyberspace Symposium hosted by United States Strategic Command in Omaha on 7 April 2009.
General Chilton (USAFA; MS, Columbia University) is the commander of United States Strategic Command at Offutt AFB, Nebraska. He assumed command 3 October 2007 and is responsible for the global command and control of US strategic forces to meet decisive national security objectives. The general oversees a broad range of strategic capabilities and options for the president and secretary of defense, which include space operations, cyberspace, and strategic deterrence. General Chilton's career spans three decades, beginning as a distinguished graduate of the US Air Force Academy class of 1976. A Guggenheim fellow, he earned his master's degree in mechanical engineering from Columbia University. He flew operational assignments in the RF-4C and F-15 and is a graduate of the US Air Force test pilot school. General Chilton is a command-rated astronaut and test pilot with more than 5,000 flying hours. He has flown on three space shuttle missions and served as the deputy program manager for operations for the international space station. The general commanded the 9th Reconnaissance Wing and Eighth Air Force, and served on the Air Staff and Joint Staff. Prior to assuming his current position, he was the commander of Air Force Space Command. Among his many decorations, General Chilton has been awarded the Legion of Merit, the Defense Distinguished Service Medal, the Distinguished Flying Cross, and the NASA Exceptional Service Medal. At his promotion ceremony in June 2006, he became the first astronaut to reach the rank of four-star general.