Source : U.S. Air Force photo/William Belcher
In the wake of burgeoning instances of cyber-attacks on its governmental apparatus, the United States (US) has elevated its Cyber Command (USCYBERCOM) to the status of Unified Combatant Command. The head of the organization will now report directly to the Defence Secretary. The USCYBERCOM was earlier subordinate to the US Strategic Command. The decision, made on August 18, has sent a strong signal to entities and countries inimical to its interests to recalibrate their security calculus.1 The US has faced massive attacks targeting its Office of Personnel Management, healthcare system and other critical infrastructure over the last couple of years. The alleged hacking of the Democratic National Committee’s election campaign during the 2016 Presidential elections is currently a subject of two Congressional investigations.
USCYBERCOM integrates expertise to ensure resilient and reliable information and communications networks. Above all, it counters the wide cross-section of threats in cyberspace from disruptions, intrusions and attacks. As a unified combatant command, CYBERCOM is slated for a larger role, not just in coordinating military-led cyberspace operations, but also in devising the strategy for the changing nature of warfare, enmeshing interoperable cyber forces with the other nine geographic and functional combatant commands. The decision is expected to more effectively address the threats spanning across geographical and functional boundaries of the existing structure of the US armed forces. Also, as a combatant command, USCYBERCOM will ensure integration of cyber operations with all future military plans.
Cyberspace, deemed to be the fifth domain of warfare, has transformed the way armed forces conduct their day-to-day operations, and brought in a paradigm shift at the strategic, doctrinal and tactical levels of warfare.2 The USCYBERCOM was established eight years ago, envisioned to fuse the full spectrum of cyberspace operations of the US Department of Defense (DoD). It was tasked to defend and protect information networks, and most importantly, to conduct full spectrum military cyberspace operations.3 The USCYBERCOM, with its 6,200 of personnel (military, civilian, and contractors) spread across 133 mission teams, has been headed by a four-star rank officer, in a dual-hat arrangement with the National Security Agency (NSA), co-located within a common headquarters at Fort Meade, Maryland.4 While the USCYBERCOM has been elevated to the status of a Unified Combatant Command, reports note that the decision to separate it from the NSA is still under consideration.5
The USCYBERCOM and NSA have been drawing synergy from each other, on the grounds of common technologies, methods, tools and skill-sets for cyber exploitation. They also draw human resources from the common pool of expertise spread across the armed forces, government and the private sector. However, intelligence gathering in cyberspace, and cyber operations in response to an ongoing conflict, are fundamentally different practices. Intelligence gathering entails prolonged and persistent monitoring of targeted information systems and networks, where the intruder stays under the radar to escape detection or avoids raising any alarms.
On the contrary, cyber operation(s), particularly in response to a geopolitical conflict, might necessitate deliberate attribution to demonstrate its capability, expound its intent or even to establish the deterrent effect. Additionally, intelligence gathering and cyber operations execute different mandates. While the NSA, being a signals intelligence agency, has a different mandate and modus operandi, the operational competence of USCYBERCOM will tilt further towards cyber offense, with elevated and honed cyber deterrent capabilities. Irrespective of the outcomes of the decision over the existing dual-hat arrangement however, both the NSA and the USCYBERCOM would continue to have a close working-relationship, given the inherent commonalities among intelligence and military activities in cyberspace.
With the creation of the first operational Cyber Command, the US armed forces had already unequivocally prioritised cyber offence, sending a clear geopolitical message of massive retaliation to any act of aggression in either of the natural or cyber domains. The USCYBERCOM, now ranked equivalent to the US Strategic Command and eight other unified combatant commands, will be better placed and equipped to deter cyber attacks at the first place, and if deterrence fails, then to retaliate or punish the perpetrators.6 Given that the operational mandate of the USCYBERCOM extends to the domains of land, sea, air, space and cyberspace, a conflict in one of these domains could attract a retaliatory punitive response not just in one, but a few or in all of these domains.
The US decision has strategic implications for every nation state with modernised or modernising armed forces. The growing importance of cyberspace in the doctrines and strategies of modern armed forces have raised the stakes for nation states to recalibrate their security calculus, in accordance with these inevitable changes. This decision of a unified combatant cyber command is going to fuel the prevailing vigorous race to prioritise cyber offence at the one end, and raise its deterrence potential on the lines of space and nuclear commands, at the other end. Therefore, the cyber element is slated to play a predominant role in the arithmetic of deterrence. This will also raise the stakes for both China and Russia, both of whom have a steadfast approach to the role of armed forces in cyberspace, definitely inclined towards offence.
India is not immune to these developments either. A Cyber Command for the Indian armed forces, first mooted by the Naresh Chandra Task Force report in 2012, is yet to see the light of the day. The absence of a statutory cyber command not just limits the options but jeopardises the country’s cyber deterrent capability as well. Therefore, there is the need for an appropriate response, both at the strategic and operational levels.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.