This essay is adapted from Rebecca Slayton, “What Is a Cyber Warrior? The Emergence of U.S. Military Cyber Expertise, 1967–2018,” Texas National Security Review 4, no. 1 (2021): 62-96.
On May 4, 2018, U.S. Cyber Command was elevated from a sub-unified command under U.S. Strategic Command, making it America’s 10th unified combatant command. At a ceremony marking this change, Deputy Secretary of Defense Patrick Shanahan described the command’s challenge as strengthening “our arsenal of cyber weapons, cyber shields and cyber warriors.”[1]
Shanahan’s words evoke the image of a traditional warrior, fighting with weapons and a shield. And yet, cyber “warfare” differs dramatically from traditional combat.[2] Cyber warriors typically work at desks, and without substantial physical risk. Furthermore, while missiles, drones, combat aircraft, and other high technology have all changed how militaries fight and what it means to be a warrior, the technologies with which cyber warriors work are not unique to the military.[3] Every major civilian organization today also relies on complex computer networks and experts who defend them. While some cyber warriors attack adversary computer networks, many spend their time focused on defensive work that differs very little, if at all, from that of civilian computer security experts. Indeed, the U.S. Defense Department has leveraged the civilian U.S. National Initiative on Cybersecurity Education workforce framework to build its own cyber workforce.[4] For that matter, the Department of Defense uses civilian contractors for both offensive and defensive cyber operations.
So, how did this field of work come to be recognized as a form of warfare? The pioneers of this new field have argued that the rise of military cyber operations was a necessary response to a series of “wake-up calls” that came in the form of computer network intrusions, by both real adversaries and penetration testers, in the 1990s and 2000s.[5] Journalists and scholars have reinforced this narrative, arguing that technological changes created new risks and necessitated organizational innovations.[6]
While these accounts have made valuable contributions to historical understanding, they are incomplete in two significant ways. First, they largely bracket questions about the origins of technological change, treating the rise of technological vulnerability and threat as an exogenous shock to the U.S. military. But the U.S. military did not simply respond to the new vulnerabilities and threats that attended the rise of computer networking. It also actively drove the development of new technological capabilities as it pursued various functional advantages, such as increased efficiency in logistics systems and operational advantages in network-centric warfighting.[7] The vulnerabilities associated with military computer networking were created not only by flawed commercial technology, but also by practices internal to the Department of Defense. These include the decentralized pursuit of new networking technologies, a lack of strong security standards, and a lack of security training and a security culture among the communications and computing personnel charged with deploying computer systems.[8]
Second, the history of military cyber operations is not just about innovation, but also about the growing importance of mundane maintenance work, such as training users, patching software, and strengthening passwords.[9] Contrary to a substantial body of scholarship on the sources of military innovation, I argue that innovation is not always an unmitigated good.[10] As the Defense Department incorporated innovations in microcomputers and networking into its information systems in the 1980s, its vulnerability to computer network attack grew substantially.[11] These vulnerabilities dramatically increased the need for new kinds of sociotechnical repair and maintenance.
The histories we tell about cyber operations matter, because they shape the status granted to various kinds of work, incentives for doing that work well, and ultimately the technologies that emerge from that work. Today, the vast majority of cyber operations consists of maintaining network security rather than innovating or using new cyber “weapons.” Maintainers mitigate the myriad vulnerabilities that could undermine military networks and the operations that they enable. Yet maintainers are the lowest status workers in cyber operations, and the least likely to be regarded as “warriors.” And evidence suggests that security maintenance has been granted insufficient priority. For example, in 2019, the Defense Department’s inspector general concluded that the Defense Department had not consistently remediated vulnerabilities discovered by cyber red teams, in part because they failed to prioritize remediation and recognize the potential impact of vulnerabilities on the military’s mission.[12]
Nonetheless, the work of maintaining security has been difficult to elevate to the same priority as warfighting. In the 1990s and early 2000s, key leaders in intelligence, communications, and warfighting communities struggled to persuade decision-makers that any computer network operations should be treated as a kind of warfighting, because military culture has historically treated information-related work such as intelligence, computing, and communications as a warfighting support function, something lower in status than warfighting itself.[13] All of the services’ career fields explicitly distinguish between warfighting and warfighting support, and traditional warfighting experience has often been a prerequisite for professional promotion. The most senior commanders lead warfighting rather than warfighting support units, and organizational hierarchies empower warfighting commands over warfighting support.
In this context, elevating the status of cyber expertise entailed challenging organizational hierarchies that made cyber experts subordinate to traditional warfighters. For example, it meant empowering cyber experts and organizations to effectively issue commands to warfighting units, directing them to remediate vulnerabilities in their computer networks. It also involved reorganizing well-established military specializations, such as signals intelligence, electronic warfare, and communications, around cyber infrastructure and operations. Perhaps most importantly, it meant establishing new career paths through which cyber experts might advance to the highest levels of command.
Military leaders made their case for elevating cyber expertise in a variety of ways. For example, they developed concepts of cyber operations that were analogous to well-established concepts of kinetic operations. They also conducted exercises that revealed the potential impact of cyber operations on military warfighting and gathered data that highlighted a steady increase in intrusions that might have gone completely unnoticed if not for the work of cyber experts.
These and related activities succeeded in establishing cyber operations as a type of warfighting, but some kinds of skills, knowledge, and ability were more readily seen as warfighting than others. In particular, threat-focused activities like offensive operations, intrusion detection, and incident response, which were first developed within signals intelligence units, were most easily viewed as warfighting. By contrast, vulnerability-focused activities such as password management, software patching, and other forms of technology maintenance, which were primarily the responsibility of communications units, were slow to be seen as a kind of warfighting.
Today, the distinction between threat-focused and vulnerability-focused activities can be found in joint doctrine, which outlines three primary missions for cyberspace operations. The first mission, offensive cyber operations, is unique to the military. U.S. law prohibits civilian organizations from conducting offensive cyber operations unless they are operating under military authority. The second mission, defensive cyber operations, responds to threats that have already breached Defense Department networks. Some of these activities, including incident response, intrusion detection, and network monitoring, are very similar to defensive work within major corporations, civilian government, and other non-military organizations.
The third mission, Department of Defense Information Network (DODIN) operations, focuses on mitigating vulnerabilities. It includes “actions taken to secure, configure, operate, extend, maintain, and sustain [Defense Department] cyberspace and to create and preserve the confidentiality, availability, and integrity of the DODIN.” Like defensive cyber operations, these activities are commonplace in non-military organizations. Furthermore, by virtue of their focus on mitigating vulnerabilities rather than attacking adversaries, they have struggled to gain the status of warfighting. In an effort to cast its work as warfighting, Joint Force Headquarters-DODIN describes its mission with the phrase “Fight the DODIN,” not “secure,” “maintain,” or “sustain” the DODIN.[14] Joint doctrine seems to recognize the risk that such operations might be held in lower regard, noting that “although many DODIN operations activities are regularly scheduled events, they cannot be considered routine, since their aggregate effect establishes the framework on which most DOD [Department of Defense] missions ultimately depend.”[15]
Although joint doctrine does not formally prioritize any one of these three missions over the others, the personnel assigned to offensive or defensive cyber operations tend to have greater warfighting status, and thus greater prestige and opportunities, than do personnel assigned to DODIN operations. And yet, DODIN operations are also the first line of defense, without which defensive cyber operations would become impossible. Without a defense of computer networks, the modern military simply could not function with any level of confidence.
The low status accorded to the work of mitigating vulnerabilities itself shapes the technologies with which the military fights. In September 2015, the chairman of the Joint Chiefs of Staff and the secretary of defense launched a Cybersecurity Culture and Compliance Initiative, noting that “roughly 80 percent of incidents in the cyber domain can be traced to three factors: poor user practices, poor network and data management practices, and poor implementation of network architecture.”[16] One month later, the commander of Cyber Command and the Defense Department chief information officer went further by creating a Cybersecurity Discipline Implementation Plan, arguing that Defense Department networks were “not defendable.”[17] They noted “an unacceptable number of unpatched vulnerabilities,” and gave commanders and supervisors responsibility for verifying that “all servers and network infrastructure devices” were compliant with the Information Assurance Vulnerability Alert process. Finally, consistent with Defense Department directives for information assurance training, the Defense Information Systems Agency in 2015 launched the Cyber Awareness Challenge training program to reinforce “best practices” among service members, civilians, and contractors.[18]
However, in 2020, the U.S. Government Accountability Office identified significant shortcomings in the implementation of each of these three programs.[19] These shortcomings partly reflect the sheer difficulty of maintaining security in a complex socio-technical system with legacy equipment. But they also reflect the military’s continued tendency to view maintenance as warfighting support, something lower in status than warfighting itself.
By establishing DODIN operations as a kind of warfighting, along with offensive and defensive cyber operations, the Defense Department has sought to raise the status of vulnerability remediation and those who manage it. But ultimately, vulnerabilities cannot be completely eliminated by even the most expert of cyber forces. Rather, the complete elimination of vulnerabilities would require a transformation of everyday users — individuals who are not cyber experts but nonetheless can compromise systems by careless practices. Recognizing this problem, some officials have sought to frame everyday computer network users as warfighters.
In 2009, the Air Force began advocating the “Rise of the Cyber Wingman” philosophy, outlining 10 principles that all Air Force personnel should observe, and arguing that “every Airman is a defender in cyberspace.”[20] By 2012, the Marines had come to consider “every Marine a cyber warrior” and instituted a cyber security training regimen analogous to its well-known mantra, “every Marine a rifleman.”[21] A recent critical review of Navy cyber security, commissioned by the secretary of the Navy after multiple breaches, concluded that the “workforce is generally uneducated in cybersecurity, largely complacent,” and tends to see cyber security “as an ‘IT issue’ or ‘someone else’s problem.’”[22] As a result, the review explained, “cybersecurity is undervalued, and often used as a bill-payer within programs of record.”[23] It proposed that the Navy inculcate an “Every Sailor a Cyber Sentry” mindset.[24] And a recent article entitled “Every Warrior a Cyber Warrior” argues for improving Army cyber security education because “every U.S. Army soldier must be ready to fight on the digital battlefield.”[25] Whether these metaphors will ultimately be persuasive, however, remains to be seen.
Acknowledgements: I thank many of the early “cyber-warriors” for interviews that informed my research, as well as two anonymous reviewers and the editors of Texas National Security Review for improving the article from which this essay was adapted. This essay is based upon research supported by the National Science Foundation under Grant No. 1553069.
