In June 2009, the Department of Defense created US Cyber Command to address the rapid recognition among military brass that the computer systems they used were increasingly vulnerable to cyberattacks.
Possibly the world’s most powerful cybersecurity command, Cybercom took some rather unconventional means to get up and running — including the use of Hollywood-style cartoon storyboards to sell it to stakeholders and a whole lot of “I’m sorry” Starbucks gift cards.
Since its establishment, Cybercom, which was sub-unified under the US Strategic Command, has emerged as a pivotal hub for US military operations, with the goal of safeguarding national security from foreign adversarial threats. Operating under a “dual-hat” structure, its commander also serves as the head of the National Security Agency (NSA).
Appearing together for this first time in public at the 2024 RSA Conference, the so-called “Four Horsemen of Cyber” — the key architects behind the plan to form the command — shared their personal journeys of turning the concept of Cybercom into a reality.
Cybercom’s complicated origins
Cybercom was born of the need to create a data mining system for the NSA during the Iraq and Afghanistan conflicts in 2007. It culminated in the elevation of Cybercom to a full and independent unified combatant command in 2017.
“It’s an important story,” said Paul Nakasone, who until recently was the head of Cybercom and the NSA and was recently named founding director of the Institute for National Defense and Global Security at Vanderbilt University.
“It’s 2008, and the Department of Defense realizes that there is malware on both unclassified and classified networks. These are the warfighting networks that we’re using for US Central Command. So, the ideas that [former NSA chief] Keith Alexander [had] in terms of where do we need to go as a Department of Defense with cyber forces start to take place,” Nakasone said.
To grasp the scope of the problem, “it was very, very senior people asking very, very basic questions like, well, how many computers are impacted or where did it come from? Or what do we do about it?” he said.
“We could not answer the question of how many computers were on the SIPRNet [the secret component of the Defense Information Systems Network],” said Lt. Gen. S.L. Davis, the inspector general of the Department of the Air Force. “So, there were those basic questions. I think there was a realization that we didn’t really understand the system as well as we should.”
For commanders, this was obvious, “and everyone woke up relying on this network — four stars [generals], senior civilians,” said retired US Navy Vice Admiral T.J. White, now nonresident senior fellow of the Atlantic Council’s Scowcroft Center for Strategy and Security. “That’s unsettling in the minimum.”
Making the NSA relevant to combat troops on the ground
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), said Alexander “really wanted to take NSA from behind the green door and make us relevant to the warfighter.”
NSA officers, military and civilian, were deployed into the field to support combat teams with cryptologic support teams. “And this is what Paul was doing. He was training those teams and deploying them out,” Easterly said.
The other thing they were asked to work on was implementing this capability in the form of the data mining system Real-Time Regional Gateway (RT-RG) used in Iran and Afghanistan.
The gateway was intended to take all the communications in the theater that insurgents in particular were using to plan and operationalize attacks. That included satellite or cellphone communications and reporting from troops on the ground. These would be integrated, enriched, and correlated to illuminate terrorist networks “not in days or weeks but in hours and minutes.”
“It sparked a lot of energy around how we actually support the troops on the ground” and saved lives, Easterly said, “but it also brought home the lessons to a combatant commander, to General Petraeus at the time, how important cyber and communications were becoming.”
Using cartoons to sell the idea of Cybercom
Moving Cyber Command from concept to reality happened rapidly but was no easy feat.
“The first task was just really combining these two existing organizations [the defense-oriented Joint Task Force-Global Network Operations and relevant offense operations] that would grow over time and become a much larger task that would become building us Cybercom,” Davis said.
Educating the top brass and policymakers was one hurdle the team faced in a relatively early cybersecurity era. “I remember seeing a lot of superiors and high-ranking folks who would never read their email — in fact, they’d get it printed and then read it. And you had to begin with just level-setting on the education in terms of what this is all about,” Davis said.
“We started with a narrative, and we said, ‘Let’s educate senior members of the Department of Defense and anyone else,’” Nakasone said. “We came up with what was functionally known as the cyber storyboard. And it was literally a story that we took senior folks from the Department of Defense and other elements of our government through in terms of what we wanted to do.”
“We had occasion in early stages to go to California, come to Hollywood, talk to the movie industry,” White said. When they asked how writers and producers would build a narrative, they were introduced to the concept of the storyboard.
“So that’s what we tried to do, and we had some incredible talent. It was very, very dynamic. I think probably 100-plus versions of that brief were given over 100 times in probably a nine-month period,” White said.
“Literally telling it at the basic level using cartoons actually helped them to really understand it,” Davis said. “I think it was one of the big keys to our success.”
Soothing ruffled feathers with Starbucks cards
Another hurdle the team had to overcome was institutional mistrust. “There were naysayers and NSA felt as though Cybercom was going to eat us,” Nakasone said.
At the same time, “everyone at Cybercom thought that NSA was going to eat up Cybercom and take it over. So, there was distrust on both sides,” Davis added.
“When you go to the combatant commands, they’re, of course, worried that you’re standing up a new combatant command with separate authorities, and how will that work? A big part of our outreach was going to those combatant commands and talking about how Cybercom would support them as opposed to how Cybercom would be supported. And I think that was key,” Davis said.
“The interest in cyber was across the board,” Nakasone said. “Everyone wanted to see what these folks were doing and what are you creating.”
“So, we thought we’d have a little gathering of 30 people, and there were 90 people in this room, and NSA protocols were overwhelmed, and someone then says, ‘They just let these people in without checking their clearances,’” Nakasone said. “Well, you can imagine that was gasoline on the fire. And so, it was a very, very interesting day.”
“T.J. [White] and I went to the protocol office and brought a lot of Starbucks gift cards” as an apology for overcrowding the meeting and running afoul of NSA clearance policies, Easterly said.
Creating the ‘dual-hat’ structure won the day
Easterly pointed out that one of the things the group was “trying to get across was how important it was to build this new combatant command on [NSA’s] cryptologic platform, which was something that was super different.”
“And that led to the dual-hat structure where the director of NSA was also the commander of US Cybercom,” Easterly said. “Part of the cyber storyboard had to bring in all of these exquisite NSA capabilities that were so key to being successful in cyberspace, both defensively and offensively.”
“And that’s where we brought in some fantastic NSA people to brief on technical capabilities, to brief on computer network operations and hunting capabilities and defensive stuff,” she added. “I think that was the secret sauce.”
Nakasone said, “Clearly, this was the piece that was different. We said, ‘Hey, this is how we’re going to hunt in the future, and this is how we’re going to use data in the future, and this is how we’re going to look at the way the intelligence community has done intelligence operations on that.’”
Easterly said that the Four Horsemen of Cyber successfully took Cybercom from conception to reality in about 15 months. “I don’t recall a lot of days off, maybe Christmas and New Year’s,” she said.