At first, the claim sounds quite bold: to build a sixth branch of the military dedicated specifically to cybersecurity and cyberdefense; to build a "West Point of Cyber." But Andrew Rubin, CEO at Illumio Inc. in Sunnyvale, Calif., said the fundamental idea behind his article was less about the organization and more about the process of training new cybersecurity professionals.
"There is no one left who is denying that we need a professional capability to fight the cyber war," Rubin said. "How do we build the front end of the funnel to train more security professionals that can participate in this fight? The fight is getting bigger every day. The consequences are much more severe every day when we lose, so where are the people coming from that are going to effectively fight for us?"
Michael Assante, a former naval intelligence officer and current co-founder and CSO at Atlanta-based NexDefense Inc., agreed that there need to be ways to achieve the benefits of Rubin's proposal. However, the thought of creating a wholly new branch of the military would be an organizational nightmare.
"Implementing a separate branch of the military has been discussed, but that concept runs into immediate hurdles when you consider the importance of integrating cyber deeply into all of the services, and contemplate the energy and time required to establish it," Assante told TechTarget. "Unlike the creation of the U.S. Air Force, you can't readily identify all of the airmen, sailors and soldiers, and carve them out of the existing services to create a new branch. Establishing [a] new branch of service would require a tremendous amount of energy and organization, and would take decades to form. The resulting confusion, overlaps and uncertainty would create a tremendous drag on progress at a critical time."
Rubin noted that training academies like West Point have cybersecurity centers, but he would like to see a more cohesive effort. Rubin said the conversation is already in progress, and the members of the government and military that he has spoken with agree that there needs to be better structure around training cybersecurity professionals.
Assante said the structure has been evolving throughout the various branches of the military since the need arose.
"The implications of cyber in defense [are] far-reaching, and each service has established commands and programs to protect forces while enhancing war fighting abilities in this domain," Assante told TechTarget. "The secretary of defense directed U.S. Strategic Command to establish the U.S. Cyber Command to plan, coordinate, integrate and synchronize cyber-operations. This model ensures the services can support their unique needs, and integrate to perform national missions and support combat commanders."
Rubin was fascinated with the prospect of military veterans trained for cyberdefense and cybersecurity having an easier transition back into the private sector after fulfilling their service duties.
"Unfortunately, one of the downsides of participating in traditional military is that that skill set is not necessarily transferrable when you leave your service. Veterans who do spectacular and heroic things for the country come out the other end of that service, and it's not the smoothest transition path into the commercial world," Rubin said. "Think about this motion and what it looks like in that world. Think about the marketable skills that person has when they exit service. Cyber is one of the highest growth industries, one of the most explicit problems the country faces, and there seems to be an unending stream of jobs for these people."
Rubin asserted that cybersecurity is a problem that requires cooperation between the public and private sector. He compared the relationship to that between a private citizen whose house is burglarized and the expectation that the government will help deal with that situation through the local police force.
"In a very real sense, we look at the public/private marriage as there's a certain set of responsibilities that the government has and a certain set of responsibilities that private industry has," Rubin said. "To date, there hasn't been a completely clear path on where those lines are. But I think to survive in this world going forward, everybody is realizing that we have to have a way for the public and private sectors to work together. There needs to be very clear lines on where one ends and the other one picks up. Some of the ambiguity around it is because this is such a nascent problem, but you're going to see those lines get firmer in the years going forward."
Assante said we have already provided the Department of Homeland Security with the authority to enhance federal cyberdefense, while supporting the public and private sector. He also noted that the National Guard may have a unique and important role to play in this relationship.
"It is important to advance the debate to best understand when cyber matters [cross] over from protection against criminal activity and espionage to a matter of defense," Assante said. "The National Guard is an important instrument that plays a role in both national defense and homeland security as a state-based military force. Its unique position as a shared force comes with authorities that include homeland defense activities, directed solely by the governor of a state or by the governor, with federal funding when approved by the secretary of defense for domestic use; and, when necessary, it can become a part of the federal military force. The National Guard has been exploring and developing its capability to provide for homeland security in the face of cyberthreats."
However, Assante believes that improving cybersecurity and cyberdefense within the federal government and military needs to begin in each branch and agency on a more individual level, because the people who own the systems are ultimately responsible for security.
"Incidents over the last several years have clearly taught us about the importance of having organic cyberdefense capabilities and competence within the targeted organization," Assante said. "Cyberdefense begins with the decisions made by system owners during the design and development process. Individual agencies need to hone cyberdefense teams that can support their missions, while tapping into inter-agency sharing efforts, tools like Einstein and cooperating to conduct investigations that require law enforcement authorities."
Rubin said there are programs in place that can be leveraged in the effort to improve cyberdefense training and build better cybersecurity throughout the government and military, but there needs to be a push to speed up improvements.
"This is not necessarily about inventing a brand new wheel for the sake of inventing it. It is about the call to action that cyber is now absolutely as critical a vector of attack as land, sea or air," Rubin said. "Most people would argue that a devastating attack on something like our financial infrastructure would be as catastrophic as any other form of attack on the country. And, we have to build a motion to protect our cyberinfrastructure."