The Mercury News Weekend
Why military should craft a dedicated U.S. cyber force
Two disturbing incidents roiled the cyber seas last week, one foreign and one domestic. They both strengthen the case — which was already convincing, and which I have been making for almost a decade now — for the creation of a U.S. Cyber Force.
The first incident was yet another cyberattack on a NATO member, Albania, by Iran. It was part of an ongoing Iranian campaign to attack Albania, a small Muslim nation of only about 3 million in the Balkans.
The attacks have included zeroing out personal bank accounts, unmasking government and police informants, and degrading command-and-control networks. Iran conducts the attacks because Albania is not prosecuting an anti-Iranian group, the Mujahedeen Khaleq, that has a large presence in Albania.
The attack has raised the issue of whether to invoke NATO's Article 5, which says that an attack on one nation will be regarded as an attack on all. Because the NATO treaty was drafted many decades ago, it does not say whether a cyberattack activates Article 5. But given the evolution in warfare and expansion of cyber operations, such attacks should now fall into that category.
The second incident involved a ransomware attack on the U.S. Marshals Service. A huge amount of sensitive data was compromised, including information on fugitives, high-security individuals and law-enforcement operations. The attack has been designated a “major incident” requiring significant interagency investigation and remediation.
Ironically, last week was also when Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, released the National Cybersecurity Strategy, which has been in the works for many months.
When I was Supreme Allied Commander at NATO, the alliance created a small center of excellence in Tallinn, Estonia, to coordinate NATO cyber capabilities. It has since grown in importance. As I watch the level of cyber threat continue to grow exponentially — matching the enormous surge of devices connected to the “internet of things,” which is topping 50 billion — I worry about how to protect America's and Americans' cyber assets.
The U.S. has very competent armed forces defending us 24/7 — the Army, Navy, Marine Corps, Air Force and Space Force within the Department of Defense, and the Coast Guard in the Department of Homeland Security. A U.S. Cyber Force is now also necessary.
The successful creation of the U.S. Space Force three years ago provides a good blueprint for a U.S. Cyber Force. While the force is a tiny fraction of the rest of the Department of Defense, with less than 10,000 uniformed personnel, it operates nearly 100 spacecraft and a complex global network that supports U.S. satellite systems.
Most important, the creation of a U.S. Cyber Force would move America beyond the current “pick-up team” approach to cybersecurity, wherein each of the armed forces has a small number of cyber experts (most of whom rotate in and out of pure cyber jobs).
The creation just over a decade ago of the U.S. Cyber Command has immensely improved America's national security. Located at Fort Meade, Maryland, with the National Security Agency, it is led by a four-star uniformed officer. Many of the veterans of U.S. Cyber Command would form the core of a new U.S. Cyber Force. A Cyber Force would also allow for an independent voice in the councils of the Joint Chiefs of Staff, much as U.S. Space Force's Chief of Space Operations provides.
As the U.S. looks to a future that includes not only great-power cyber competition from Russia and China, but also midlevel cyberattacks from nations such as Iran and North Korea, the time is nigh. The nation should move forward with a dedicated U.S. Cyber Force.