MARFORCYBER: Marines Fight in a New Domain
New Marine Corps commands typically involve specific battlefield weapons, systems, or capabilities, from ship-based expeditionary units to aviation to special operations. But MARFORCYBER, the newest USMC command that stood up in January 2010, takes the Corps into a unique new battle domain – cyberspace.
The Marine Corps Forces Cyberspace Command (MARFORCYBER) is one of four service components of the equally new joint U.S. Cyber Command (USCYBERCOM), along with the Navy Fleet Cyber Command/10th Fleet, the Army Cyber Command (ARCYBER)/2nd Army, and the Air Forces Cyber Command (AFCYBER)/24th Air Force.
According to its mission statement, USCYBERCOM was established in May 2010 to “plan, coordinate, integrate, synchronize and conduct activities to direct the operations and defense of specified Department of Defense [DoD] information networks and prepare to – and when directed – conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure U.S./Allied freedom of action in cyberspace and deny the same to our adversaries.”
Lt. Gen. George Flynn, then-deputy commandant commanding the Marine Corps Combat Development Command, was dual-hatted as the first head of MARFORCYBER. He summed up the Marine role as ensuring defense of the Corps and DoD “cyber turf.” “The cyberspace domain is the newest and possibly the most complicated we must now dominate. If we are to be dominant on land, at sea, and in the air, we must be dominant in cyber,” he said.
Col. Steve Zotti, chief of staff for the new Marine command, said every aspect of military, government, industry, academia, and personal life worldwide has become so dependent on the Internet and other computer networks that they have become a major strategic target for terrorists and potential nation-state adversaries.
“In 2008-09, it became apparent cyber had become an operational domain requiring specialized focus, but there was not a command doing that,” he explained. “There were organizations and people throughout the services focusing on aspects of it, but no one command focusing specifically on cyber as a new operational or warfighting command. In addition, a number of state and non-state actors were developing weapons and tools – we were very vulnerable to and needed both a defensive and offensive capability beyond what we had.
“Each service component will have similar responsibilities, not tethered to any one mission set or area. USCYBERCOM will provide support to various COCOMs [combatant commanders] to coordinate, deconflict, and organize cyber ops; how that will be done is yet to be determined. One of the challenges is that cyber, by its very nature, is a global domain, so you need some level of standardization, but also the ability to tailor TTPs [tactics, techniques, and procedures] to specific regions and threats, although traditional boundaries do not necessarily apply.”
The Marine command will be the smallest of the service components, with fewer than 300 uniformed and civilian personnel at full operational capability, compared to 1,000 for the Army, for example, and 600 for the Navy. But Marines assigned to MARFORCYBER will still be riflemen first and not Hollywood-style “geeks” with only computer skills.
“A Marine is a Marine – and the value of a Marine is his discipline, work ethic, and culture. While there will be some associated skills for cyber, they will remain Marines first, cyber warriors second,” Zotti said. “But there also are career tracks that keep you progressing along specific areas and we will manage cyber the same way. The value of cyber ops to the Corps is how well it is integrated at the lowest tactical level.
“Cyber has to be heavily integrated with all warfighting functions because all are critically dependent on cyber for speed, precision, and lethality. So our success in the future is based on how well we can integrate it, not on creating a stand-alone capacity. It’s no different than any other aspect of warfare. In any staff, you will have different people with different levels of knowledge and skill; the important part is how you put together not just the IT-specific skill sets, but command skills as well.”
Protecting computer networks that have become intrinsically integrated into both garrison and critical warfighting tasks has become as important to the ability of Marines and other warfighters to survive and win on the battlefield as armor, tanks, aircraft, and reliable communications. Flynn, who left his Marine commands in July to become director, J-7 (Operational Plans and Joint Force Development) for the Joint Chiefs of Staff, saw the creation of both MARFORCYBER and USCYBERCOM as natural evolutions in 21st century military operations.
“Cyber is an emerging, man-made environment that we learn more about every day, so yesterday’s cyber domain is different from today’s,” he said. “It is something that is evolving over time and we will have to learn within the cyber world, in both our personal and professional lives. Keeping the networks operating safely and securely will be a key task in the future, which is why you are seeing this evolution in both the civilian and military establishments.
“We are trying to understand this new environment that came up with the Age of Computers and all we now do in that domain, how much of our daily lives depends on it and how much of that has been carried over to the military, where many of our current capabilities are due to our ability to network so effectively. One of the reasons the Marine Corps felt we needed to be part of Cyber Command was we saw this as something that was occurring now that would continue to evolve in the future and an area where we need to have expertise in order to operate effectively.”
Pentagon officials have told Congress the .mil network is probed as often as 250,000 times an hour by both amateur and professional hackers around the globe, looking for weaknesses, ways to gain entry, or even take control of military websites and Internet-connected databases and systems. Of even greater concern is the possible exposure of military networks, especially in battle theaters, to expertly designed viruses capable of shutting down or redirecting combat computers and systems.
The world witnessed the most sophisticated such attack yet in 2010 when a virus called Stuxnet – origin still unknown – attacked and destroyed specific computers at specific nuclear development sites in Iran. Referred to as the world’s first precision-guided digital munition, Stuxnet also is seen as the opening shot in a new kind of warfare, a new kind of WMD – a “weapon of mass disruption.” Flynn said it is difficult to talk too specifically about such threats for security reasons.
“But the threat is real and comes in many different facets,” he continued. “And we have to defend the network against those probes to keep it operating effectively. To speculate on how large that might be, however, really would not be responsible for me to do right now.
“I’m not sure I would characterize it as cyber warfare, only that this is an environment we have to operate in and protect. We have to maintain our ability to use computer networks and the cyber environment to enable all the things we do in the future.”
Others, however, have no problem with calling it cyber warfare, especially China, which has made becoming the world’s dominant cyber warfare power in the next two decades public policy for its military. Indeed, as other nations find it increasingly difficult to keep up with U.S. technological advances in fifth-generation fighters, stealth, globally commanded precision-guided weapons, etc., they are putting more money and effort into cyber weapons that could negate those advantages before they can even be employed.
As a result, USCYBERCOM and its service components are committed to defending both the national and military computer network architecture, providing information assurance to COCOMs and moving toward what Zotti calls “active defense – proactive hunting in and outside those networks.” That means being able “to provide, operate, and defend [U.S.] networks through offensive operations” when and where necessary.
“Cyber planners will be fused into cyber cells to provide expertise and the ability to advise on and conduct cyber ops as the MAGTF [Marine Air-Ground Task Force] requires,” he said. “Internet security is just one aspect of the domain; defensive operations are only one part of what we will be doing. We are not limited to cybersecurity, but will provide a full spectrum of network defense, offense, and so on to meet the COCOMs’ requirements.
“Broadly, the cyber domain is very competitive and with the proliferation and democratization of technology, you have a wide spectrum – from individual activists with high skill sets and tools to ideological motivations to nation-states. So there is a broad spectrum of threats the nation and military services must be concerned about and have the ability to defend our networks and conduct offensive and exploitation operations as required.”
There are a number of difficulties unique to doing battle in cyberspace, from quickly responding to new, never-before-seen methods of attack to identifying the capabilities of potential cyber adversaries and even the identities of real attackers. At the same time, overreacting before anything happens can do as much harm as failing to prepare.
“We have critical vulnerabilities, but there remain many ways and systems to communicate. So we don’t want to give the enemy incredible plus-ups; everything has a limit on its ability to inflict harm,” Zotti warned. “One of the active defense pieces is how to conduct counter-cyber ops to determine who is attacking and from where. That’s a critical piece, but attribution is very difficult, which gives the enemy – whatever type of enemy – freedom of maneuver.
“MARFORCYBER is the physical manifestation of the Corps’ commitment to providing skills and capabilities to the MAGTF, the joint force, and our allies. It’s a growth industry and a very competitive environment. Marines throughout the Corps have a lot of work to do because, just as with any other type of warfare, the end state is yet to be determined.”
In these early days, little more than a year after both USCYBERCOM and MARFORCYBER stood up, part of that effort is identifying future cyber warriors and ensuring they receive the proper training and equipment – both of which are likely to change far more quickly and radically than any other combat domain. Even so, both Flynn and Zotti believe the standard approach to recruiting, military occupational specialty (MOS) designations, and career progression will remain relatively unchanged.
“Luckily for us, the same attributes apply to everyone seeking to join the Corps. They need to be technologically savvy, which is required to survive, but today’s young people are, by and large, cyber natives – they’ve grown up with this technology,” Zotti noted. “For special skills, like hacking, you must be very adaptive. But in terms of the full spectrum of cyber, that is something the current generation has grown up with in terms of the interface of technology to systems to people.
“Coming into the Corps, officer or enlisted, they go to Marine schools and get different levels of training as they progress. We are currently working very hard with C4 [Command, Control, Communications and Computers], which is responsible for the O6 [communication], to give people training and operational experience as we work toward integrating them into the MEUs [Marine Expeditionary Units], MEF [Marine Expeditionary Force], MAGTF, etc.”
A number of existing MOSs primarily associated with cyberspace and computer operations will be consolidated within MARFORCYBER, although some will be redesignated, such as MOS 0650 (network operations and systems) limited duty officers (LDOs), who will become 0605 (cyber network operations) LDOs. Such changes are more than bureaucratic designations ; the new 0605s will bring in critical experience in cyberspace information technology (IT), doctrine, TTPs, and other skills needed to support the nation’s cyber warfare capabilities in a permanent, integrated domain.
“Going to MARFORCYBER is one command element level for those people who could conduct cyber ops, so cyber planning is a key component. If they are going into defensive ops, there are O6-related skills,” Zotti said. “Prior to the new command, MCNOSC [Marine Corps Network Operations and Security Center] existed to provide and operate networks for the Marine Corps – SPR, NPR [secure and non-secure packet radio], and associated top secret networks. That is now OPCOM [Operational Command] to MARFORCYBER.
“There were other units associated with the Marine Cryptologic Support Battalion [MCSB], which worked with the net warfare entity associated with NSA [National Security Agency] and DSA [Defense Security Agency]. The MCSB Marines were aligned with those organizations, conducting active defense and some kinds of offensive operations.”
Others brought into the new command were more general experts in planning, communications, and intelligence, along with specialists from the Marine Corps Network Operations Center and Marine support and radio battalions. As with the now 5-year-old Marine Forces Special Operations Command (MARSOC), decisions are still being made on whether and how to create a specific career track for cyber warriors, even as existing MOSs are expanded and new ones created.
“We may look at some MOS designations, at what the structure should look like, but there’s really no new skill sets we weren’t already doing. We haven’t created any new specialties, just increased the capacity of those that exist and where they should be put in both the operational forces and support commands to work in this new environment,” Flynn said. “You will find cyber Marines on the staffs of the MAGTF to facilitate traditional military operations enabled by the use of networks and also on joint and service staffs, providing expertise consistent with their MOS.
“In the Force Structure Review [see Flynn Q&A elsewhere in this issue], we identified an increase for the skill sets that will be needed in cyber ops – about 260 or so additional Marines to support our service network, man the component staff, and provide the appropriate amount of manpower to meet joint requirements. All the service components are coming into this on an equal status in terms of what they have to do to operate and secure their future networks. The major difference is the size of the force each service brings to USCYBERCOM.”
MARFORCYBER is expected to provide about 10 percent of that requirement, in line with Marine Corps contributions to other joint force commands.
Because a cyber attack can occur anywhere, any time, literally at the speed of light, cyber warriors must maintain a constant, yet adaptable, level of cyber situational awareness. As a result, evolving doctrine requires these Marines not only collect and analyze network data – Marine Corps, joint force, allied, and potential adversary – but also develop the TTPs required to determine the source of an attack, conduct dynamic cyber defense, assess network vulnerabilities, help develop and evaluate threat-based security systems, take offensive as well as defensive action, as needed – and ensure the U.S. military can continue to fight and win even if a cyber attack takes down its technological advantages.
“[Deputy Secretary of Defense William] Lynn and [Vice Chairman of the Joint Chiefs of Staff Gen. James] Cartwright have said cyberwar will be more characteristic of future war than not. Even as we bring MARFORCYBER and USCYBERCOM online, others, from China to Brazil – and especially in Europe – are creating organizations similar to our command organization,” Zotti concluded. “But the extent to which cyber may replace other forms of warfare is yet to be determined.
“I think, in the 21st century, there will be no one superpower with the means to dominate any battlefield – it will always be a combination of weapons you can bring to bear. There will still be human factors, aviation, long-distance strike – even hand-to-hand combat – every time we think we’ll be dealing with high-tech warfare. We may have to operate in a degraded status, which we will have to prepare for, but we are critically dependent on cyber technology and so must protect those even as we find ways to operate them in a degraded state.”
This article first appeared in Marine Corps Outlook: 2011-2012 Edition.