Following are additional questions and answers from an interview with Gen. James E. Cartwright, commander of the Strategic Command, that appeared in the January/February 2007 issue of DEFENSE SYSTEMS.

DEFENSE SYSTEMS: How big of an issue is cybersecurity?
CARTWRIGHT: The issue for the department over the last year has been to build an organization that finds the right balance between offensive and defensive cyber capabilities.

Historically, a balance between offense and defense is where you want to be. For America, we have historically chosen to build an offense that was layered and pushed off of our shores in order to solve problems before they became problems at home.

Cybersecurity today, Cartwright’s rendition of it, is you log on to your laptop. You probably have a firewall or something and you put information on it. If somebody gets into your computer with a worm or a virus, it usually gets detected for you, and you’re one of hundreds or thousands that are infected and you wait two to six weeks for Microsoft to give you a patch. Meantime, everything that was on your laptop is now exposed to the world and vulnerable. And if what’s on your laptop is a competitive edge, you’re giving up your competitive edge for that period of time.

Industry has now included that in their calculus of profit and advantage. But there comes a point at which you cannot afford to only defend and wait two to six weeks for a patch. You’re giving up too much competitive edge or resources, and until you’re willing to push outside of your computer to a larger interface and collective defense, you’ve now reduced the cost of losing your competitive edge and you keep making a business case. The problem right now is that we’re on the “Whack a Mole” side of this game. A virus pops up, we smack it, and then over two to six weeks deploy a patch and accept the cost of the loss. At some point, you can’t accept that loss anymore. That’s when you have to turn to a new strategy. That strategy could be to deploy capability farther from your boundaries.

For DOD, we have four armed services, and that’s just a small part of it but they are the major contributors, and inside those services they have thousands of networks. None was visible to the services.

Not one was configured in a way that you would say, gosh, if this virus affected me here, how would I know who else it affects? We had no visibility. So we began getting the services to clean up these issues. Then we realized that the Defense perimeter has to be farther out, so JTF-GNO (Joint Task Force for Global Network Operations) was put in place to say anything that is .mil really needs be collectively defended so that we don’t give up our competitive edge. We must become more responsive so that we detect problems before they become problems. That is our ultimate goal: to fix things in real time. We’re not anywhere near there yet. We’re still dealing with four completely different systems and eventually we have to integrate them. They don’t have to be the same, but you must have the visibility so that the implication of a problem here is understood over there.

DEFENSE SYSTEMS: What power does JTF-GNO have? Do the services listen to it?
CARTWRIGHT: That was the whole issue. That was what STRATCOM took on with JTF-GNO, and when you start something like this bureaucracies tend to mandate.

I like the Disney principle a little bit more. Build a compelling argument—if you’ve got a line at your ride then build/scale it up. If nobody lines up at your ride, kill it. GNO was put together that way. We showed compelling reasons to any customer why GNO could defend their networks better than they could. Then we said what you really ought to do is organize your network this way. We’ll show you how to add value—so what they have done over the past two years is add value in a compelling way that doesn’t mandate that anybody has to come on board. Once the customer sees the value, they will move toward a behavior (what kind of behavior?). You can write all the rules and regulations you want to afterward, which is what they’re actually doing now. They’re starting to say, OK, what’s the next rule if we demonstrate to everybody that if we put this in place it’ll make a big difference, and that’s the way GNO sold itself.

Navy Rear Adm. Betsy Hight (deputy director of JTF-GNO) is an incredibly capable officer and has a way of explaining to people and showing them value and then having them come solicit her organization’s help rather than the other way around. And as a person and as a command, I prefer to go show value and then let people go write the rules rather than write the rules and say you must do what STRATCOM tells you. The other way around—here is something that’s really valuable, would you sign up for this? Would you wait in line, would you subscribe to me? If you will, then I think I’ve found the niche and I’m going to push at it and then I’ll make the ride as big as the line gets. So that’s the way JTF-GNO has moved.

But what we’re trying to do now is understand the limits of technology as it exists today, the limits of culture, and how exclusive are you willing to let people be? How much of it should be done with a firewall on your computer and how much of it do you want to have done in the larger domains at our coastlines, at our interfaces with the rest of the Internet world, etc.?

DEFENSE SYSTEMS: What are your thoughts regarding the current shape and structure of the military services?
CARTWRIGHT: There are a couple of different ways to approach this. The first is the skills and the tools that we give to the people have to enable them to operate in a much more diverse world. The good news is that most of it comes through IT-type things and most of the soldiers, sailors, airmen and Marines are very comfortable and enabled in that environment. They still have needs, but are very effective in doing that.

What you see from the constructs that we call the Future Combat Systems for the Army—distributed operations I think is the term that is the Marines are starting to use; and in the Navy its swarm—we’re really moving toward things that talk about surge and disaggregated activities that are widely separated but are then filed down. It means, that with either land forces or sea power, as the threat is diminished, your tentacles get farther and farther out. As the threat increases, you draw them in and aggregate the capabilities as appropriate for the threat. And so you move from a very dispersed mindset to a more aggregated mindset over time. Let’s take Future Combat Systems in the Army. What you’re looking to do is to quickly mask fires and capabilities for a problem and then disperse them as soon as the problem is over, then back out and move into the tentacles.

What you’re looking for is that cultural awareness, that one-on-one interface with somebody that gives you the greatest understanding of each other’s problems. And you want as much of that as possible. But as the threat starts to rise, you start to pull back and build your defensive perimeters, your layering, and your capabilities and then the Army, the Marines and the Air Force are all starting to move in a direction because they have to cover so much more territory. So you’ve got to train now and find the skill sets and the technologies that allow you to do that as a military. That’s the challenge.

Another challenge is that, to an extent, manpower has been a commodity that, particularly when we had a conscription force, was almost treated as free. Now, people who pay the bills would never think of it that way, but you looked at it as if, OK, my pay is assumed, now I need to build a tank or a ship. The reality of an all-volunteer force is that you’re looking for a slightly older force. I don’t mean that as a pejorative, but a force that’s got a little more experience in the supervisory ranks; a force that’s better educated—and as you do that, the cost of people becomes a driver and it’s not assumed as free.

And then you have all of these diversity pressures, diversity of the threat, the larger area you’ve got to cover, and now you’re paying a premium for your manpower, too. So how do these tensions resolve themselves for the service chiefs as they try to build a force for the combatant commanders to deploy? I think those are the tensions that are out there for the services. They are going to have to work their way through health care costs, education costs, the ability to retain these quality people longer; all these add to the expense of an individual that your operations and maintenance resources would start to drain off your modernization resources.

I’m not a service chief. But from my eyes, that’s what I see.

purchase reprint

link to this page