The near-consensus in the US is that the Chinese balloon it shot down off the coast of South Carolina was spying and collecting sensitive information on US communication systems and radars.
But a more significant danger than the balloons is China’s growing cyber-attack capabilities, which the US strategic community, including lawmakers, seems to be focusing on.
Lawmakers in the Senate and House of Representatives want to address recruitment and retention challenges tied to the Pentagon’s cyber forces within the military software and information technology landscape.
Rep. Mike Gallagher, R-Wis., who chairs the House cyber panel, has discussed the need to counter China.
“The cyber assault on Taiwan has already begun,” he said in a statement the other day. “If we are to prevent Taiwan from suffering the same fate as Ukraine, we must work to ensure US Cyber Forces are efficiently organized and operationally capable of defending our interests in cyberspace.”
Last year, a Senate report showed that while the services spent at least $160 million a year on cyber retention bonuses from fiscal 2017 through fiscal 2021, Pentagon officials “continue to experience challenges retaining qualified cyber personnel.”
Many lawmakers want a cyber institute or cyber warfighting school to help attract talent and increase the workforce to address that issue.
However, it is not only a question of personnel; US cyber policy is being urged to be comprehensive enough to include the development and management of military technologies, including Artificial Intelligence (AI). And here, there seems to be a problem.
US Foreign Intelligence Surveillance Act
In what may be considered irony, while lawmakers would like the United States to be safe from cyber-attacks, be it from Russia or China, some of them simultaneously want to be careful about “Privacy and Civil Liberties.”
US National Security Agency (NSA) Director and Head of US Cyber Command Gen. Paul Nakasone has requested that Congress renew Section 702 of the Foreign Intelligence Surveillance Act — a law that provides US intelligence agencies wide-ranging authorities to conduct surveillance of foreign persons located abroad and which civil liberties advocates argue is in desperate need of greater transparency.
Section 702, which Nakasone says has played a key role in protecting the United States against cyber-attacks, will expire at the end of this year unless Congress renews it. “We have saved lives because of 702,” Nakasone pointed out, adding that “the law has been used to counter ransomware threats, including those against critical infrastructure and a foreign operation trying to steal sensitive US military information.”
It may be noted that Section 702 was designed to conduct surveillance of foreign persons abroad and foil terrorist plots; it has also helped identify US victims of foreign intelligence operations and cybercrimes. But privacy advocates want more information about how the law creates appropriate safeguards.
The Privacy and Civil Liberties Oversight Board (PCLOB) was established by Congress in 2004 in response to a recommendation of the 9/11 Commission Report and made an independent agency in 2007. It serves as a watchdog to ensure that the federal government’s national security powers do not trample privacy rights and civil liberties.
On the other hand, the United States Cyber Command (CYBERCOM), created in 2010, is one of the eleven unified combatant commands of the United States Department of Defense (DoD). It unifies the direction of cyberspace operations, strengthens DoD cyberspace capabilities, and integrates and bolsters DoD’s cyber expertise.
In its latest report, CYBERCOM has said that it spent 2022 “strengthening relationships with partners and allies across a range of cyber-related capabilities and development opportunities to help meet challenges” and “conducting a new global cyberspace defensive operation that exercised information and insight-sharing capabilities across our enterprise and with unified action partners globally.”
Importantly, CYBERCOM revealed that, with the consent of Ukraine, its Cyber National Mission Force deployed its largest-ever hunt forward team before the Russian invasion, and that the team initiated a multifaceted assessment of critical Ukrainian systems to identify suspected malicious cyber activity.
“This effort allowed our Ukrainian counterparts to identify and address potential threats on their networks and proactively mitigate any potential adverse effects. When Russia launched what otherwise may have been a crippling cyber-attack in mid-January, Ukrainian cyber professionals, along with the forward hunt team, were able to disrupt or halt the malicious cyber activity before it was able to cause harm,” it says.
However, experts point out the limitations of CYBERCOM, particularly the way it procures and tests new capabilities for cyber operations. It is said that its Joint Cyber Warfighting Architecture (JCWA), created in 2019, continues to lack any dedicated JCWA-level operational test and evaluation.
Such an inadequacy would hamper Cyber Command’s awareness of how current and future capability integration affects the operational effectiveness, suitability, and survivability of the JCWA, according to the fiscal 2022 annual report from the Office of the Director, Operational Test and Evaluation (DOT&E).
It may be noted that four main programs – the “Persistent Cyber Training Environment” for conducting training and mission rehearsal; “Unified Platform,” considered the centerpiece where data is ingested, analyzed, and shared; “Joint Cyber Command and Control” to command cyber forces and the larger cyber environment; and the “Joint Common Access Platform” – are yet to develop a metric that could assess programs and staffing concerns.
Joint Cyber Warfighting Architecture
Similarly, though the JCWA also includes a category for tools and sensors and is meant to be “an agile framework that will evolve, likening it to a military cyber warfighting platform through which cyber warriors conduct their missions and analysis, similar to how soldiers leverage tanks and pilots rely on airplanes to carry out their missions,” much work remains to be done.
“Each program has different release and deployment schedules, and there are no validated JCWA‑level mission thread requirements or plans for an integrated JCWA-level operational test,” the fiscal 2022 annual report says.
The report has asserted that “each of the programs is developing test and evaluation strategies independent of the JCWA’s, which could lead to inefficiencies and test inadequacies.”
Accordingly, DOT&E has listed four recommendations for CYBERCOM: immediately resourcing and empowering the Joint Interoperability Test Command to plan, conduct and assess integrated, JCWA-level operational test and evaluation (OT&E); requiring OT&E to inform the JCWA value assessments; establishing a cadence of testing for dedicated OT&E in fiscal 23 to understand how the capability afforded by JCWA is evolving and to ensure it is an effective, suitable, and survivable enabler of cyber operations; and defining and resourcing the test infrastructure required to successfully support JCWA integration as well as T&E.
However, according to Col. Ben Ring, director of the JCWA, “We are evolving and beginning some initial direct integration across the different programs. You’re integrating across multiple services, programs, and each of the services — they have different personnel systems and training systems- and trying to bring that together is working; we’re evolving.
“But as you can imagine, it’s taking some time to bring that together. We’re continuously gathering feedback from the force and continuing to evolve, as we are one team to try to achieve a unified mission.”
Besides, Cyber Command officials argue that they can speed up the integration process with additional funding.
“Due to the additional funding, CYBERCOM can enable the Joint Interoperability Test Command to serve as the JCWA Operational Test Authority. Once JITC is on board, CYBERCOM will continue to work with DOT&E, Service Cyber Components, JCWA program management offices, and other stakeholders to determine when a JCWA-level OT&E event can appropriately be scheduled,” a Cyber Command spokesperson is reported to have said.