Though cybersecurity has been a concern for decades, we have seen an uptick of concern during the last four years. The Obama administration has made the issue a priority. Early in his term, the President gave a speech on the subject and the next month the Secretary of Defense announced the creation of the military’s U.S. Cyber Command, as yet the most significant policy response to the cybersecurity challenges facing the nation. The backdrop to all of this was an increasing discussion of the definition and possibility of “cyberwar” and “cyberwarfare.” In this context, a number of critical observers, including myself, raised concerns about the possible militarization of cyberspace. Others claimed that fears of militarization were unfounded. As we approach either the end of Obama’s first term or the end of his presidency, it is worth revisiting the issue of militarization. Has the United States militarized cyberspace?
At its most basic level, militarizing cyberspace would involve “giv[ing] a military character to” it, “equip[ping][it] with military forces and defenses” and/or “adapt[ing][it] for military use.” Determining the degree of militarization would also hinge upon determining the degree to which the military as an institution is the primary actor in responding to cybersecurity challenges. During the last four years, we have seen all of these occur alongside a growing role for the military in responding to the nation’s cybersecurity challenges. This is despite assurances that the United States was not militarizing cyberspace.
On a number of occassions, civilian and military leaders have assured us that the United States was not militarzing cyberspace and that the military was not taking the lead in responding to cybersecurity challenges. This has at times caused controversy. In the spring of 2010, Senator John McCain (R-AZ) called for a greater role for the Department of Defense in national cybersecurity, a call that the head of USCYBERCOM, Gen. Keith Alexander, seemed to resist.
Several months later, in summer 2010, concerns about possible militarization were raised again when the Wall Street Journal reported on a National Security Agency (NSA) program called “Perfect Citizen.” The program would allegedly involve NSA surveillance meant to detect cyber attacks against private companies and civilian critical infrastructures. Reports that a contractor involved with the program had called it “Big Brother” only added to concerns. In response, the NSA assured us that “Perfect Citizen” was only a research and development project and that the military was not taking over civilian cyber security.
These assurances did not allay concerns about militarization. A year later, in his July 2011 speech introducing the first Department Of Defense Strategy for Operating in Cyberspace, Deputy Secretary of Defense William Lynn III felt the need to address “concerns that cyberspace is at risk of being militarized.” He told his audience, “We have designed our DoD Cyber Strategy to address this concern.” This involved an “emphasis on cyber defenses”–as opposed to offense or retaliation–that was meant to illustrate DoD’s committment “to protecting the peaceful use of cyberspace. […] Indeed, establishing robust cyber defenses no more militarizes cyberspace than having a navy militarizes the ocean.”
The first problem with Lynn’s assurances, however, was that this very same strategy and his speech to introduce it provided one more piece of the militarization puzzle. In his speech, he noted that the new DoD strategy would treat “cyberspace as an operational domain, like land, air, sea, and space. Treating cyberspace as a domain means that the military needs to operate and defend its networks, and to organize, train, and equip our forces to perform cyber missions”–i.e. “giv[ing] a military character to” it, “equip[ping][it] with military forces and defenses” and “adapt[ing][it] for military use.” While assuring listeners that DoD did not intend to militarize cyberspace, he all but used the dictionary definition of “militarize” in describing the intent of the new strategy.
The second problem was that the speech and strategy did not address the other aspects of cyberspace militarization that we knew had already taken place by July 2011. The creation of a dedicated military command certainly constitutes “equip[ping][it] with military forces and defenses.” We also already knew that these military cyber forces would have an offensive as well as defensive mission–i.e. that they were “adapt[ing][cyberspace] for military use.” But as I noted at the time, neither the DoD strategy nor Lynn’s speech addressed the issue of how our military cyber forces would be used offensively, making the strategy both disingenuous as a PR document and incomplete as a strategy document.
Almost one year later still, in June 2012, we learned that even as Lynn and others assured us that the DoD strategy was primarily defensive, the United States had been conducting covert, offensive cyber attacks against Iran. Cyberspace, which our leaders had characterized as a miltiary domain, had been successfully adapted for military use by our dedicated cyber forces. Again, this is the definition of militarization.
But what of the question regarding the military’s role in national cybersecurity? Senator McCain has not been alone in calling for a greater military role. For example, a former Chairman of the Joint Chiefs of Staff has said that the military should be in charge of cybersecurity and should have more of an offensive orientation.
And there are indicators that the military’s role is, in fact, increasing. In August 2012, the Washington Post reported:
The Pentagon has proposed that military cyber-specialists be given permission to take action outside its computer networks to defend critical U.S. computer systems — a move that officials say would set a significant precedent.
The proposed rules would open the door for U.S. defense officials to act outside the confines of military-related computer networks to try to combat cyberattacks on private computers, including those in foreign countries.
What’s more, the Washington Post report indicates that this proposed expansion in the role of military cyber forces in the domestic space “is significantly narrower than what the military originally sought.”
Finally, James Lewis, a leading cybersecurity expert at the Center for Strategic and International Studies, has recently said that an October 2012 speech on cybersecurity by Secretary of Defense Leon Panetta indicates that the Department of Defense is effectively taking over U.S. cyber security.
If the United States has not yet fully militarized cyberspace, it has taken significant steps in that direction. Official policy has characterized it as an operational miltiary domain, has equipped it with military forces, and has adapted it for military use. We hear powerful voices calling for an expanded military role in civilian cybersecurity and see strong indicators that, at minimum, the military will indeed play an increasingly important role, perhaps even the central role in our nation’s cybersecurity.