Despite significant gains in its cybersecurity stature in recent years, the Department of Defense still has a ways to go, particularly in ensuring its cyber forces are adequately trained to take on the most sophisticated threats on day one, according to a top lawmaker.
“There’s so much more progress to be made here, particularly when it comes to training and maintaining our cyber workforce. And within the cyber enterprise specifically, we’re working with [U.S. Cyber Command] and the military services to ensure that the men and women when they show up for duty are going to be able to defend our nation against cyber threats on day one,” Rep. Jim Langevin D-R.I., said in an interview with DefenseScoop.
Langevin — who is the chairman of the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems and the co-chair of the Congressional Cybersecurity Caucus — is retiring after 21 years in Congress at the end of this session. He is regarded as a highly influential lawmaker concerning cyber policy across the government including the DOD.
Though Langevin has high praise for the work done by Cybercom and its cyber mission force — the roughly 6,200-person, 133-team cadre of cyber warriors that conduct offensive, defensive and support missions for the DOD — he is worried they don’t have the adequate training to ensure they’re fully ready upon entering service.
Unlike in traditional warfighting functions, cyber forces don’t have workup cycles and training events before deploying abroad for a fixed period of time. Typically, military forces will conduct a rotation at a training center to prepare them for deployment. Cyber operators, on the other hand, are in constant contact every day with adversaries in cyberspace.
Congress is exploring ways to “make sure that our men and women are properly trained from day one when they hit the ground running, and we can’t accept a situation in which service members who are responsible for performing critical operations, tasks are not equipped with the foundational or advanced skills that they require,” Langevin said. “More training and better training before they actually are operational with Cyber Command, I think is important.”
He noted that there is typically a limited amount of time for cyber operators on a particular assignment. If half that time is taken to get trained before those forces are operationally capable, then that’s a “poor construct” for training and preparing cyber warriors on day one.
“We need to change the current construct and we’re working on that,” Langevin said.
Additionally, Langevin said he’d like to see continued emphasis on partnerships with partners and allies in cyberspace. Most if not all of the challenges the U.S. faces are the same as others around the globe, he explained.
“I think we also need to look at international partnerships with our partners and allies and how we collectively work most closely together to defend our cyber networks to defend our respective nations,” he said. “Collectively, this is not just a U.S. challenge or problem, protecting countries in cyberspace, it’s really an international one. Working closely with partners and allies is really important going forward.”
The so-called hunt forward operations conducted by Cybercom, in which forces physically deploy to other nations at their request to hunt for cyber threats on their networks, improve the trust between the U.S. and foreign partners, the congressman noted.
“The hunt forward operations that Cyber Command is conducting with our allies and our partners helps us to better understand and disrupt malicious actors. I think they also increase trust at an operations level between the U.S. and its partners and its great capacity building exercises when we’re collaborating like this,” Langevin said.
These operations not only improve the trust and security of partners and their networks but also bolster security at home as malware strains and adversary tactics can be shared domestically with system owners.
Langevin has spoken glowingly about them in the past.
“Working with our partners and allies ahead of time in hunt-forward operations that we’re involved with, I believe that that has helped us significantly to be prepared for pushback against Russia in the war in Ukraine,” Langevin said at DefenseScoop’s DefenseTalks conference in September. “I think [that’s] a significant reason why we haven’t seen more effective cyber operations on the part of Russia both in Ukraine and maybe any blowback we might have experienced here in the United States.”
Langevin noted that in addition to DOD, Congress has made significant strides in its understanding of and focus on cybersecurity issues.
“I think we’ve made significant progress over the years that I’ve been in Congress on cyber. We no longer have to debate whether we will fight wars in cyberspace. Cyberspace is clearly now a recognized domain of warfare where our service members and civilians are engaged with our adversaries on a daily basis,” he said. “When I was first elected, there certainly wasn’t a combatant command dedicated to cyberspace operations or a subcommittee for cyber or even the mention of the word cyber in the entire [National Defense Authorization Act] — I was first elected in 2000, going back that far.”
Langevin said his subcommittee didn’t even exist five years ago and in the four years he’s served as chairman of the panel, it has put more than 220 provisions of cyber legislation into law. After this year’s NDAA, that number will be close to 300.
One thing Langevin would like to see in the future is a select committee on cybersecurity. Currently, there are many committees that touch cyber, creating jurisdictional issues and turf battles. So he believes a single committee focused solely on cyber issues would help alleviate that and create greater synergy across the government.
Appropriations committees would still be in charge of funds, but just like the Church Committee led to the creation of the select committees on intelligence that now oversee policies and oversight of the intelligence community, Langevin sees a select cyber committee serving the same purpose.
While he doesn’t see it happening in the immediate term, he hopes it won’t take a catastrophic event to create it.
“Unfortunately, it might take a catastrophic event in cyber to galvanize and really force the issue of creating a full cyber select committee. I hope it doesn’t come to that, but as we saw with 9/11, I don’t think you’d ever see the reorganization of the government and the creation of the Department of Homeland Security and the Homeland Security Committee were it not for that catastrophic event of 9/11,” Langevin said.