Playing From BehindPlaying From Behind

Cyber Command, the military sub-command dedicated to cyber ops, was slated to reach "full operating capability" by October 1, and I can't say I was surprised when it missed that deadline. There's still uncertainty facing Cyber Command's final shape and role, but it begs the question: what's holding it back?Part of the fault rests on pending legislation in Congress and the lack of clear guidance from the White House. The Obama administration is in the midst of a review of whether existing laws should be changed, while at the same time, dozens of cyber bills are sitting in Congress, a number of which would directly impact Cyber Command's roles, responsibilities and authorities. Congressional leaders have previously expressed interest in getting something done this year, but it's looking increasingly uncertain.

"Right now, the White House is leading a discussion on, what are the authorities needed, and how will we do this," Cyber Command's top officer, Gen. Keith Alexander, said last month in an interview with reporters. "We don't want to race into legislation without getting all the pieces down." That said, he added that legislation must be updated, as most existing laws governing cyberspace predate the Internet age.

A chunk of the White House discussions, and of the unsolved questions, revolve around Cyber Command's role in protecting critical infrastructure like power plants and key communications networks. Today, the Department of Homeland Security takes the lead in critical infrastructure protection, and Cyber Command has no explicit role, but Alexander said last month that he's interested in Cyber Command playing a bigger part.

However, whatever the role of external factors in making Cyber Command miss its official launch date, some of the delay has to be the fault of none other than the Department of Defense and Cyber Command itself. As Alexander himself said in written testimony before the House Armed Services Committee in September, the U.S. military "began formally thinking about cyber matters almost 20 years ago," and deemed cyberspace a domain of its own within the last decade, so it's had some time to think this through, regardless of how quickly cyberspace is changing.

As long ago as December 2005, in a strategy document issued by the chairman of the joint chiefs of staff, the DoD placed development of "joint doctrine for all aspects of cyberspace operations" among key strategic priorities. This isn't to say there isn't some DoD-wide doctrine out there and long-existing practices to defend DoD networks, but as of today, the finality of much of the military's cyber doctrine -- rules of engagement, a field manual for cyber warriors, official strategies, etc. -- remains in question.

I'm told by multiple sources that official doctrine has not made much progress in the past year. As a bit of evidence, a DoD official said last November that the Department of Defense would have its Information Assurance Campaign Plan, a military-wide cyber strategy, ready by the end of 2009, but here we are in October 2010, and there's still no sign of it. Meanwhile, the branches themselves are moving forward: the Army, for example, has put out an 80-page cyberspace operations plan that plots its conceptual direction for the next two decades.

Staffing also remains a concern, despite the year Cyber Command has had to draw in the best and brightest from the military, private sector and other federal agencies like the NSA. "The biggest challenge we currently face [is] generating the people we need to do this mission," Alexander told the House Armed Services Committee. "We are pushing on the services to go faster to bring those forces in."

That being said, the Air Force has said it has 32,000 people working in its cyber mission and has 5,900 in its piece of Cyber Command, the 24th Air Force. The Navy's Information Dominance Corps, meanwhile, has 45,000 staff. In addition, a big chunk of cyber professionals work with the government through contractors. Although I'm often told that the true number of talented, highly skilled individuals is much lower, if those Air Force and Navy numbers are correct, it's not entirely clear why Cyber Command is having trouble filling out the 1,000 positions it needs to fill.

As time marches on, so do cyber threats continue to mount. Just as it's vital that Cyber Command gets it right in making sure it has all its ducks in a row, so too is it important that it works hard to get those ducks in a row quickly in order to bring the full, joint force of the DoD's branches to bear in protecting military networks and helping out wherever else Cyber Command may be needed.