
Making Cyber Warriors Emerge: Maintenance, Innovation and the History of Cyber Operations

This essay is adapted from Rebecca Slayton, “What Is a Cyber Warrior? The Emergence of U.S. Military Cyber Expertise, 1967–2018,” Texas National Security Review 4, no. 1 (2021): 62-96.

  

By Rebecca Slayton
Cornell University
Associate Professor, Department of Science and Technology Studies


On May 4, 2018, U.S. Cyber Command was elevated from a sub-unified command under U.S. Strategic Command, making it America’s 10th unified combatant command. At a ceremony marking this change, Deputy Secretary of Defense Patrick Shanahan described the command’s challenge as strengthening “our arsenal of cyber weapons, cyber shields and cyber warriors.”[1]

Shanahan’s words evoke the image of a traditional warrior, fighting with weapons and a shield. And yet, cyber “warfare” differs dramatically from traditional combat.[2] Cyber warriors typically work at desks, and without substantial physical risk. Furthermore, while missiles, drones, combat aircraft, and other high technology have all changed how militaries fight and what it means to be a warrior, the technologies with which cyber warriors work are not unique to the military.[3] Every major civilian organization today also relies on complex computer networks and experts who defend them. While some cyber warriors attack adversary computer networks, many spend their time focused on defensive work that differs very little, if at all, from that of civilian computer security experts. Indeed, the U.S. Defense Department has leveraged the civilian U.S. National Initiative on Cybersecurity Education workforce framework to build its own cyber workforce.[4] For that matter, the Department of Defense uses civilian contractors for both offensive and defensive cyber operations.

So, how did this field of work come to be recognized as a form of warfare? The pioneers of this new field have argued that the rise of military cyber operations was a necessary response to a series of “wake-up calls” that came in the form of computer network intrusions, by both real adversaries and penetration testers, in the 1990s and 2000s.[5] Journalists and scholars have reinforced this narrative, arguing that technological changes created new risks and necessitated organizational innovations.[6]

While these accounts have made valuable contributions to historical understanding, they are incomplete in two significant ways. First, they largely bracket questions about the origins of technological change, treating the rise of technological vulnerability and threat as an exogenous shock to the U.S. military. But the U.S. military did not simply respond to the new vulnerabilities and threats that attended the rise of computer networking. It also actively drove the development of new technological capabilities as it pursued various functional advantages, such as increased efficiency in logistics systems and operational advantages in network-centric warfighting.[7] The vulnerabilities associated with military computer networking were created not only by flawed commercial technology, but also by practices internal to the Department of Defense. These include the decentralized pursuit of new networking technologies, a lack of strong security standards, and a lack of security training and a security culture among the communications and computing personnel charged with deploying computer systems.[8]

Second, the history of military cyber operations is not just about innovation, but also about the growing importance of mundane maintenance work, such as training users, patching software, and strengthening passwords.[9] Contrary to a substantial body of scholarship on the sources of military innovation, I argue that innovation is not always an unmitigated good.[10] As the Defense Department incorporated innovations in microcomputers and networking into its information systems in the 1980s, its vulnerability to computer network attack grew substantially.[11] These vulnerabilities dramatically increased the need for new kinds of sociotechnical repair and maintenance.

The histories we tell about cyber operations matter, because they shape the status granted to various kinds of work, incentives for doing that work well, and ultimately the technologies that emerge from that work. Today, the vast majority of cyber operations consists of maintaining network security rather than innovating or using new cyber “weapons.” Maintainers mitigate the myriad vulnerabilities that could undermine military networks and the operations that they enable. Yet maintainers are the lowest status workers in cyber operations, and the least likely to be regarded as “warriors.” And evidence suggests that security maintenance has been granted insufficient priority. For example, in 2019, the Defense Department’s inspector general concluded that the Defense Department had not consistently remediated vulnerabilities discovered by cyber red teams, in part because they failed to prioritize remediation and recognize the potential impact of vulnerabilities on the military’s mission.[12]

Nonetheless, the work of maintaining security has been difficult to elevate to the same priority as warfighting. In the 1990s and early 2000s, key leaders in intelligence, communications, and warfighting communities struggled to persuade decision-makers that any computer network operations should be treated as a kind of warfighting, because military culture has historically treated information-related work such as intelligence, computing, and communications as a warfighting support function, something lower in status than warfighting itself.[13] All of the services’ career fields explicitly distinguish between warfighting and warfighting support, and traditional warfighting experience has often been a prerequisite for professional promotion. The most senior commanders lead warfighting rather than warfighting support units, and organizational hierarchies empower warfighting commands over warfighting support.

In this context, elevating the status of cyber expertise entailed challenging organizational hierarchies that made cyber experts subordinate to traditional warfighters. For example, it meant empowering cyber experts and organizations to effectively issue commands to warfighting units, directing them to remediate vulnerabilities in their computer networks. It also involved reorganizing well-established military specializations, such as signals intelligence, electronic warfare, and communications, around cyber infrastructure and operations. Perhaps most importantly, it meant establishing new career paths through which cyber experts might advance to the highest levels of command.

Military leaders made their case for elevating cyber expertise in a variety of ways. For example, they developed concepts of cyber operations that were analogous to well-established concepts of kinetic operations. They also conducted exercises that revealed the potential impact of cyber operations on military warfighting and gathered data that highlighted a steady increase in intrusions that might have gone completely unnoticed if not for the work of cyber experts.

These and related activities succeeded in establishing cyber operations as a type of warfighting, but some kinds of skills, knowledge, and ability were more readily seen as warfighting than others. In particular, threat-focused activities like offensive operations, intrusion detection, and incident response, which were first developed within signals intelligence units, were most easily viewed as warfighting. By contrast, vulnerability-focused activities such as password management, software patching, and other forms of technology maintenance, which were primarily the responsibility of communications units, were slow to be seen as a kind of warfighting.

Today, the distinction between threat-focused and vulnerability-focused activities can be found in joint doctrine, which outlines three primary missions for cyberspace operations. The first mission, offensive cyber operations, is unique to the military. U.S. law prohibits civilian organizations from conducting offensive cyber operations unless they are operating under military authority. The second mission, defensive cyber operations, responds to threats that have already breached Defense Department networks. Some of these activities, including incident response, intrusion detection, and network monitoring, are very similar to defensive work within major corporations, civilian government, and other non-military organizations.

The third mission, Department of Defense Information Network (DODIN) operations, focuses on mitigating vulnerabilities. It includes “actions taken to secure, configure, operate, extend, maintain, and sustain [Defense Department] cyberspace and to create and preserve the confidentiality, availability, and integrity of the DODIN.” Like defensive cyber operations, these activities are commonplace in non-military organizations. Furthermore, by virtue of their focus on mitigating vulnerabilities rather than attacking adversaries, they have struggled to gain the status of warfighting. In an effort to cast its work as warfighting, Joint Force Headquarters-DODIN describes its mission with the phrase “Fight the DODIN,” not “secure,” “maintain,” or “sustain” the DODIN.[14] Joint doctrine seems to recognize the risk that such operations might be held in lower regard, noting that “although many DODIN operations activities are regularly scheduled events, they cannot be considered routine, since their aggregate effect establishes the framework on which most DOD [Department of Defense] missions ultimately depend.”[15]

Although joint doctrine does not formally prioritize any one of these three missions over the others, the personnel assigned to offensive or defensive cyber operations tend to have greater warfighting status, and thus greater prestige and opportunities, than do personnel assigned to DODIN operations. And yet, DODIN operations are also the first line of defense, without which defensive cyber operations would become impossible. Without a defense of computer networks, the modern military simply could not function with any level of confidence.

The low status accorded to the work of mitigating vulnerabilities itself shapes the technologies with which the military fights. In September 2015, the chairman of the Joint Chiefs of Staff and the secretary of defense launched a Cybersecurity Culture and Compliance Initiative, noting that “roughly 80 percent of incidents in the cyber domain can be traced to three factors: poor user practices, poor network and data management practices, and poor implementation of network architecture.”[16] One month later, the commander of Cyber Command and the Defense Department chief information officer went further by creating a Cybersecurity Discipline Implementation Plan, arguing that Defense Department networks were “not defendable.”[17] They noted “an unacceptable number of unpatched vulnerabilities,” and gave commanders and supervisors responsibility for verifying that “all servers and network infrastructure devices” were compliant with the Information Assurance Vulnerability Alert process. Finally, consistent with Defense Department directives for information assurance training, the Defense Information Systems Agency in 2015 launched the Cyber Awareness Challenge training program to reinforce “best practices” among service members, civilians, and contractors.[18]

However, in 2020, the U.S. Government Accountability Office identified significant shortcomings in the implementation of each of these three programs.[19] These shortcomings partly reflect the sheer difficulty of maintaining security in a complex socio-technical system with legacy equipment. But they also reflect the military’s continued tendency to view maintenance as warfighting support, something lower in status than warfighting itself.

By establishing DODIN operations as a kind of warfighting, along with offensive and defensive cyber operations, the Defense Department has sought to raise the status of vulnerability remediation and those who manage it. But ultimately, vulnerabilities cannot be completely eliminated by even the most expert of cyber forces. Rather, the complete elimination of vulnerabilities would require a transformation of everyday users — individuals who are not cyber experts but nonetheless can compromise systems by careless practices. Recognizing this problem, some officials have sought to frame everyday computer network users as warfighters.

In 2009, the Air Force began advocating the “Rise of the Cyber Wingman” philosophy, outlining 10 principles that all Air Force personnel should observe, and arguing that “every Airman is a defender in cyberspace.”[20] By 2012, the Marines had come to consider “every Marine a cyber warrior” and instituted a cyber security training regimen analogous to its well-known mantra, “every Marine a rifleman.”[21] A recent critical review of Navy cyber security, commissioned by the secretary of the Navy after multiple breaches, concluded that the “workforce is generally uneducated in cybersecurity, largely complacent,” and tends to see cyber security “as an ‘IT issue’ or ‘someone else’s problem.’”[22] As a result, the review explained, “cybersecurity is undervalued, and often used as a bill-payer within programs of record.”[23] It proposed that the Navy inculcate an “Every Sailor a Cyber Sentry” mindset.[24] And a recent article entitled “Every Warrior a Cyber Warrior” argues for improving Army cyber security education because “every U.S. Army soldier must be ready to fight on the digital battlefield.”[25] Whether these metaphors will ultimately be persuasive, however, remains to be seen.

Acknowledgements: I thank many of the early “cyber-warriors” for interviews that informed my research, as well as two anonymous reviewers and the editors of Texas National Security Review for improving the article from which this essay was adapted. This essay is based upon research supported by the National Science Foundation under Grant No. 1553069.

Notes

[1] Jim Garamone, “Cybercom Now a Combatant Command, Nakasone Replaces Rogers,” DOD News, May 4, 2018, https://www.defense.gov/Explore/News/Article/Article/1512994/cybercom-now-a-combatant-command-nakasone-replaces-rogers/.

[2] I am using terms such as “cyber warfare” and “cyber warrior” colloquially. I do not mean to imply that what they do qualifies as “war” as war is understood in international law. The term “cyber warrior” has been used broadly to refer to a wide range of career specializations within the military.

[3] For discussion of the warfighting identity of missileers, see George L. Chapman, "Missileer: The Dawn, Decline, and Reinvigoration of America's Intercontinental Ballistic Missile Operators," master's thesis, Air University, 2017, https://apps.dtic.mil/dtic/tr/fulltext/u2/1045804.pdf. On drones and warfighting, see P. W. Singer, Wired for War: The Robotics Revolution and Conflict in the 21st Century (New York: Penguin Press, 2009) and Hugh Gusterson, Drone: Remote Control Warfare (Cambridge, MA: MIT Press, 2016). Air Force pilots continue to be the butt of jokes implying that they are not tough enough, as compared to marines. For example, see Mark Thompson, "Petraeus Zinger Wounds Air Force Egos," Time, Aug. 21, 2009, http://content.time.com/time/nation/article/0,8599,1917841,00.html.

[4] William Newhouse et al., National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, National Institute of Standards and Technology, Publication 800-181, August 2017, https://doi.org/10.6028/NIST.SP.800-181. The framework consists of seven broad functions, 33 areas of work, and 52 work roles. Each of the work roles consists of specific tasks and requires specialized knowledge, skills, and abilities. Altogether, the framework lists 1,007 tasks, 630 kinds of knowledge, 374 kinds of skills, and 176 abilities.

[5] See, for example, “Security in Cyberspace,” Hearings Before the Committee on Governmental Affairs, U.S. Senate, 104th Congress, 2nd Session, 1996 and “Department of Defense Authorization for Appropriations for Fiscal Year 2001 and the Future Years Defense Program, Part 5: Emerging Threats and Capabilities,” Senate Armed Services Committee, 106th Congress, 2nd Session, 2000. Jason Healey, A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, Kindle ed. (Vienna, VA: Cyber Conflict Studies Association, 2013) and Gregory J. Rattray, Strategic Warfare in Cyberspace (Cambridge, MA: MIT Press, 2001).

[6] The most comprehensive account can be found in White, “Subcultural Influence on Military Innovation” (2019). See also Fred Kaplan, Dark Territory: The Secret History of Cyberwar (New York: Simon & Schuster, 2016); Thomas Rid, Rise of the Machines: A Cybernetic History (New York: W.W. Norton & Company, 2016); Myriam Dunn Cavelty, Cyber-security and Threat Politics: US Efforts to Secure the Information Age (New York: Routledge, 2007); Michael Warner, "Cybersecurity: A Pre-history," Intelligence and National Security 27, no. 5 (2012); and "Notes on Military Doctrine for Cyberspace Operations in the United States, 1992-2014," updated Aug. 27, 2015, https://cyberdefensereview.army.mil/CDR-Content/Articles/Article-View/Article/1136012/notes-on-military-doctrine-for-cyberspace-operations-in-the-united-states-1992/.

[7] The development of the internet through the Defense Advanced Research Projects Agency is the most obvious example of military-driven innovation, but it is by no means an isolated example. The U.S. military’s influence on the computer industry waned in the 1980s as other significant market segments emerged, but it remained the largest U.S. government computer consumer.

[8] This conclusion has been reiterated in numerous reports on military cybersecurity. See, for example, Task Force Report: Resilient Military Systems and the Advanced Cyber Threat, Department of Defense Science Board, 2013, 65, https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-081.pdf; Department of Defense Cybersecurity Culture and Compliance Initiative, Department of Defense, (September 2015), 1, https://dod.defense.gov/Portals/1/Documents/pubs/OSD011517-15-RES-Final.pdf; and A Review and Assessment of the Department of Defense Budget, Strategy, Policy, and Programs for Cyber Operations and U.S. Cyber Command for Fiscal Year 2019, Committee on Armed Services, House of Representatives, 115th Congress, 2nd Session, (2018), 7.

[9] David Edgerton, The Shock of the Old: Technology and Global History Since 1900 (London: Profile Books, 2007); Andrew L. Russell and Lee Vinsel, "After Innovation, Turn to Maintenance," Technology and Culture 59, no. 1 (January 2018): 1–25, https://doi.org/10.1353/tech.2018.0004; and Rebecca Slayton and Brian Clarke, "Trusting Infrastructure: The Emergence of Computer Security Incident Response, 1989-2005," Technology and Culture 61, no. 1 (January 2020): 173–206, https://doi.org/10.1353/tech.2020.0036.

[10] The literature on military innovation is vast. Some key works include the following: Barry R. Posen, The Sources of Military Doctrine: France, Britain, and Germany Between the World Wars (Ithaca, NY: Cornell University Press, 1984); Stephen Peter Rosen, Winning the Next War: Innovation and the Modern Military (Ithaca, NY: Cornell University Press, 1991); Kimberly Martin Zisk, Engaging the Enemy: Organization Theory and Soviet Military Innovation, 1955–1991 (Princeton, NJ: Princeton University Press, 1993); Carl H. Builder, The Masks of War: American Military Styles in Strategy and Analysis (Baltimore, MD: Johns Hopkins University Press, 1989); Dima Adamsky, The Culture of Military Innovation: The Impact of Cultural Factors on the Revolution in Military Affairs in Russia, the US, and Israel (Stanford, CA: Stanford University Press, 2010); Williamson Murray and Allan R. Millett, eds., Military Innovation in the Interwar Period (New York: Cambridge University Press, 1998); and Terry C. Pierce, Warfighting and Disruptive Technologies: Disguising Innovation (New York: Frank Cass, 2004).

[11] For example, the number of Defense Department microcomputers expanded from roughly 500 in 1980 to more than 36,000 in 1985. Terminals to use those computers expanded from roughly 9,000 to nearly 68,000. Federal Government Information Technology: Management, Security, and Congressional Oversight, Office of Technology Assessment, 1986. Most of these computers did not have security features built into them. Additionally, the rise of microcomputers and networking expanded the number of users radically and further decentralized control over networks, which itself increased the problems of security management and contributed to vulnerability.

[12] "Followup Audit on Corrective Actions Taken by DoD Components in Response to DoD Cyber Red Team-Identified Vulnerabilities and Additional Challenges Facing DoD Cyber Red Team Missions (DODIG-2020-067)," Department of Defense, Office of Inspector General, March 13, 2020, https://www.dodig.mil/reports.html/Article/2114391/followup-audit-on-corrective-actions-taken-by-dod-components-in-response-to-dod/.

[13] Several scholars have argued that the cultures of the individual services shape their development and implementation of doctrine. A few key works include Builder, The Masks of War; Jeffrey W. Donnithorne, Four Guardians: A Principled Agent View of American Civil-Military Relations (Baltimore, MD: Johns Hopkins University Press, 2019); and White, “Subcultural Influence on Military Innovation.”

[14] Jeffrey R. Jones, “Defense Department Cyber Requires Speed, Precision and Agility,” Signal, May 1, 2019, https://www.afcea.org/content/defense-department-cyber-requires-speed-precision-and-agility.

[15] “Joint Publication 3-12: Cyberspace Operations,” Joint Chiefs of Staff, June 8, 2018, II-2–II-3. The definition does exclude “actions taken under statutory authority of a chief information officer (CIO) to provision cyberspace for operations, including IT architecture development; establishing standards; or designing, building, or otherwise operationalizing DODIN IT for use by a commander.” See page II-2.

[16] Department of Defense, Department of Defense Cybersecurity Culture and Compliance Initiative, 1.

[17] DOD Cybersecurity Discipline Implementation Plan, Department of Defense, October 2015, 16, https://dodcio.defense.gov/Portals/0/Documents/Cyber/CyberDis-ImpPlan.pdf.

[18] A revised training directive was issued in November 2015: “Information Assurance Workforce Improvement Program, Incorporating Change 4, 11/10/2015,” Assistant Secretary of Defense for Networks and Information Integration/Department of Defense Chief Information Officer, Dec. 19, 2005, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf. The Cyber Awareness Challenge training program is described in “CYBERSECURITY: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene,” Government Accountability Office, April 13, 2020, https://www.gao.gov/products/GAO-20-241.

[19] Government Accountability Office, “CYBERSECURITY: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene.”

[20] “Rise of the Cyber Wingman,” U.S. Air Force, Nov. 12, 2009, https://www.af.mil/News/Article-Display/Article/118545/rise-of-the-cyber-wingman/.

[21] Statement of Lt. Gen. Richard Mills in “Digital Warriors: Improving Military Capabilities for Cyber Operations,” House Armed Services Committee, 112th Congress, 2nd Sess., July 25, 2012, 12, https://www.govinfo.gov/content/pkg/CHRG-112hhrg75668/pdf/CHRG-112hhrg75668.pdf.

[22] Cybersecurity Readiness Review, Department of the Navy, March 2019, 12, https://www.wsj.com/public/resources/documents/CyberSecurityReview_03-2019.pdf?mod=article_inline.

[23] Department of the Navy, Cybersecurity Readiness Review, 12.

[24] Department of the Navy, Cybersecurity Readiness Review, 15.

[25] Christopher J. Heatherly and Ian Melendez, "Every Soldier a Cyber Warrior: The Case for Cyber Education in the United States Army," Cyber Defense Review (Spring 2019): 64, https://cyberdefensereview.army.mil/Portals/6/HEATHERLYMELENDEZ_CDR_V4N1.pdf?ver=2019-04-30-105206-983.