As cyber operations have increased in scope and credibility, their integration into wider military operations has developed organically. The organisations that design and deliver cyber capability have similarly evolved over time rather than being designed from first principles. This agile approach has served a purpose, but we have now reached a level of maturity where a well-conceived structure and governance model would bring substantial advantage. However, meeting this challenge will mean overcoming a conundrum that lies at the heart of all military cyber structures.
Operating Defence communications networks is something that we have done well for many years. Like most other organisations, the UK military maintains a network operating centre, which acts as a hub from which global networks are managed. Also in common with many large organisations, the MOD has a security operating centre that is responsible for preventing and reacting to cyber attacks. It is evidently desirable that these organisations are conceptually (and physically) very close to each other. It would be nonsensical if those who operate our networks and those who conduct defensive cyber operations on our own networks weren’t in the same business space; they are two sides of the same coin.
If we now consider cyber’s contribution to Full Spectrum Effects operations, then it is immediately apparent that all elements of cyber operations must be considered in tandem during the planning process. PROTECT is just as much a mission verb as DISRUPT, and for a plan to be successful both offensive actions and defensive actions must be considered simultaneously. This concept is well established in military planning; it is inadvisable to go on the offensive unless you start from a well-established and secure base. Offensive cyber operations and defensive cyber operations must also be conceptually close; they are two sides of the same coin.
The structural problem is that there is no three-sided coin – defensive cyber operations cannot easily be bedfellows with both offensive cyber and network operations concurrently. In the UK our organisational model has evolved to structurally separate network management and military operations. This has had the effect of splitting defensive cyber operations in two so that routine defending sits with network management whilst defensive cyber planning is considered operationally as part of Full Spectrum Effects planning alongside all offensive options. This solution works, but it is inelegant and inefficient. The division of defensive cyber operations makes a unified defence more challenging to achieve than it could be.
It may be that there is no perfect solution to this; certainly none of our international partners have found the ideal solution. However, as we consider designing the next-generation cyber enterprise, it is important that we give this structural challenge all due consideration so that our future operating model is as efficient as it can be.