[TheRecord] Emerging from uncertainty, DOD cyber war college looks to navigate the future

Jim Langevin wanted to put the Pentagon on notice.

In April last year the Rhode Island Democrat and a bipartisan group of lawmakers sent a letter to Defense Department leaders that pointedly urged them not to move ahead with a plan to shutter the National Defense University’s College of Information and Cyberspace. 

The missive was followed by heated meetings between Capitol Hill and NDU leadership where members and staffers warned against a scheme that would strip the college — which had existed in some form since the 1960s — of its full-degree and various certificate programs and turn any remaining cyber-related courses into electives under the university’s other components. Nonetheless, the push to close the school had continued.

A few months later, Langevin, the chair of the House Armed Services Committee’s cyber subpanel, was about to speak at a virtual event hosted by NDU and attended by representatives from three national commissions.

The first question for him was about the need for better federal workforce development. He saw an opening.

“There’s an irony that this esteemed group has been brought together by the CIC … at a time when CIC’s existence is threatened,” Langevin began, adding he had been “confounded” by the department’s “seeming determination to shut down the nation’s only graduate level school” dedicated to digital warfighting.

“It’d be appropriate to mention and it be clear: Congress created CIC and Congress fully supports it,” he said. 

He then vowed to introduce an amendment to the annual defense policy bill that would put a stranglehold on the university’s funding if the cyber war college was closed.

“I’m not going to allow the nation to lose this inestimable resource.”

Observers say the brief, off-the-cuff remarks changed the course of a debate that had rumbled around the Pentagon and across the university’s D.C. campus for years, lifting it above inside-the-Beltway machinations and exposing the tug-of-war over the school and its mission to a global audience.

Days after Langevin’s remarks, NDU’s president sent an email to senior staff and faculty announcing the university’s “transformation” efforts — including mothballing CIC — had been put on hold.

“ON THE FORWARD AND LEADING EDGE OF EDUCATING”

CIC was established in 1964 as the Department of Defense Computer Institute. It was founded after the Government Accountability Office issued over 100 reports on shoddy computer use in the federal government at the same time defense projects increasingly employed the new-fangled machines, according to the institute’s first director.

In 1981 it was incorporated into NDU, which is located at Fort McNair in the heart of Washington, D.C., and reports to the Chairman of the Joint Chiefs of Staff. The school underwent another moniker change a few years later, to the Information Resources Management College, and a 2011 rebranding as the “iCollege” before it was given its current title by Congress in 2017 — part of a growing, government-wide recognition of the importance of cyberwarfare, particularly with the rise of U.S. Cyber Command.

Rep. Jim Langevin and others speak at a CIC-hosted event in 2019. IMAGE: NATIONAL DEFENSE UNIVERSITY

Most military branches boast schools that teach cyber operations but typically the offerings are service-specific or focus on the technical aspects of the topic, the circuitry and wiring. The cyber war college enrolls members from every armed service, civilians from the Pentagon and other federal agencies, as well as international students. Some of its courses are taught at the top secret level, the highest tier of classified information. 

The school touts itself as providing a strategic, big-picture education that examines multiple facets of cyber — including law, economics and planning — to ensure its graduate-level programs for the next echelon of general and flag officers aren’t just academically rigorous but also operationally relevant to the digital domain.

“The college really has always sought to be on the forward and leading edge of educating; particularly as it relates to information, cyberspace, technology, emerging technology,” said Dr. Cassandra Lewis, CIC acting chancellor and dean of faculty and academic programs.

“We need leaders who are educated on how to think about this domain, how to consider actions from a strategic level and the implications on decision-making,” added Lewis, who originally joined the school 13 years ago.

The importance of such an education within the U.S. national security apparatus has grown in recent years, with everyone from the commander-in-chief to policymakers warning that cyberwarfare will be a major national and economic security challenge of the 21st Century. 

In July, President Joe Biden warned that if the U.S. wound up in a “real shooting war” with a “major power” it could be the result of a significant cyberattack on the country, highlighting what Washington views as growing threats posed by Russia and China.

Near-peer adversaries, and allies like Israel, have invested heavily in developing digital training for their militaries over the last decade, according to James Lewis, a cyber policy expert at the Center for Strategic and International Studies.

“Everybody’s” military cyber budgets are “going up,” he told The Record. “It’s like helicopters. You can’t be a self-respecting military if you don’t have a helicopter. So everybody’s getting cyber.”

Figures for such spending are often closely held, as in China, where even mentioning the aggregate number is considered illegally leaking a state secret and ends in jail time. That said, Beijing, Moscow and Tehran all boast thousands of personnel in their cyber efforts. “That tells you the budget has to be at a certain level,” Lewis said.

“This is part of having a military now,” he added, noting that the number of countries that admit to having offensive cyber capabilities has risen from to more than a dozen over the last ten years.

As for the U.S., it has become “better at cybersecurity because we’re learning at least what we need to do and what the threats are,” said Gary Brown, an associate dean at CIC. “Now, we just have to work on getting better at doing what we need to do and addressing those threats … we’ve barely scratched the surface on how we need to respond.”

Brown, who previously served as Cyber Command’s first senior legal counsel and instructed at the Marine Corps University, came to the college in the fall of 2018 to teach future DoD leaders about operations law and policy in cyberspace.

“I just really clicked” with the school’s mission, he told The Record.

The college’s full-time, 10-month program awards a Master of Science degree in “government information leadership,” though that is expected to be changed to “strategic information and cyberspace studies” with Congressional support.

Historically, CIC has been one of the biggest of the university’s five schools in terms of sheer number of students, thanks to its part-time, remote master’s program that at its height in 2017 enrolled 1,400 pupils. Its graduate certificates, unlike technical certifications, are like bite-sized, mini-master’s degrees in leadership for CIOs, CISOs and CFOs, as well as IT program management and data analytics.

Cmdr. Wilson Vorndick was selected in 2020 by the Navy Reserves as one of only two officers to attend the 10-month full-time program.

“My background is logistics. I’m a Supply Corps officer, so a little unique, but what’s really important is that … zeros and ones are being traded everywhere,” he said. “Even in the defense industrial base, this is something that we’re very keen on and we’re paying more close attention to than previously.”

A LAST-MINUTE AMENDMENT

Rumors about the future of the cyber war college had swirled for years, according to many accounts. 

However, most of that talk was part of broader discussions about NDU, nicknamed “The Chairman’s University,” and its educational role within the sprawling department during an era of flat or shrinking defense budgets. An actual, concrete effort began to take shape in 2019, though, after Mark Esper became former President Donald Trump’s second Defense secretary.  

As Army secretary, Esper had put the service through a budgeting process drill, dubbed “night court,” that freed up billions by cutting a number of legacy programs and funneling that money into modernization projects meant to counter China and Russia. Now DoD chief, Esper wanted to replicate the process. He kicked off a department-wide examination to find opportunities for savings ahead of the fiscal 2021 budget request.

The NDU front office was soon flooded with requests, or “taskings,” to explore ways to reduce overhead, according to two sources familiar with them. They ranged from the broad (What would the cost savings be if the entirety of NDU was eliminated?) to the specific (What would the impact be if certain offices were reduced by X percent?).

Eventually, the university was asked for, and submitted, a finding to Esper’s office that detailed how much money could be recouped if the cyberspace college, and the College of International Security Affairs, were closed and their curriculum folded into NDU’s three remaining schools.

The idea to disestablish the college, shed its requirements, distill its courses and programs into two elective concentrations — one focused on information and the other on cyber — and sprinkle the faculty throughout the rest of the university received tacit approval from Esper’s team when it adjusted the NDU budget.

Ultimately, the university gave back millions to the department and waited for a formal directive from the Pentagon to begin implementation of the plan.

A hiring freeze, which had been in place since around the departure of the school’s last chancellor in 2018, would be maintained. The college was instructed not to accept any students into its part-time program. Those already enrolled would be allowed to graduate; the number of students would plummet from over a thousand to a few hundred. Students were still accepted into the smaller, full-time program since there was the potential to transfer it to another NDU college.

The decision also meant the renewal of agreements to partner and advertise CIC’s programs was hampered.

“We had a long-standing relationship with the State Department in our CIO [leadership] program. They thought that we were going away, so they moved on,” Dr. Cassandra Lewis said during an interview in her office.

Morale dropped. The uncertainty led to churn among the faculty; some opted to retire early, others accepted offers in the private sector.

“It’s one thing to go down with the ship if you’re actually in combat in the Navy. You don’t want to go down with the ship when you’re just being reorganized out of a job,” joked Brown, who left for a job at federal contractor CACI.

Beyond the real-world implications, those affected by the decision split into two schools of thought when trying to understand what had taken place and who was ultimately responsible. The first blamed then-NDU President Vice Adm. Fritz Roegge and chief operating officer Robert Kane for driving the push to close. The other camp contends that the pair were simply carrying out orders from Esper’s office and that his team of political appointees is culpable.

Esper and Roegge did not respond to interview requests. Kane declined to speak to The Record.

The College of Information and Cyberspace was renamed in 2017 from “iCollege.” IMAGE: NATIONAL DEFENSE UNIVERSITY

Lewis said she has heard so many different stories about the idea’s origin that at this point “it almost doesn’t matter” who was responsible.

Faculty members went through “every emotion that you can conceive of … from frustration to anger to just confusion about why this was happening when we recognize how critical our work is for cyber and cybersecurity and national security, and yes, in a real way, global security,” she said.

Meanwhile, congressional offices felt they had been lied to by leaders at NDU and the department. They also found it incomprehensible that the Pentagon, which had seen cyber explode in importance as online threats multiplied exponentially in recent years, would shut down the college.

Langevin said in an August interview that the idea of closing CIC as a cost-saving measure was, in his view, “the absolute definition of pennywise and pound foolish” and that his improvised remarks during the June 2020 virtual event were meant to signal the issue was “not going away, not if I had anything to do with it.”

In a statement, an NDU spokesperson said the university “works through the chain of command and does not engage Congress independently.”

Still, the department’s stubbornness after the bipartisan missive that warned DoD to leave the college alone provided the impetus for Langevin to hitch an amendment to the fiscal 2021 National Defense Authorization Act — which dictates policy and handles myriad other issues for the military services — that spelled out the lawmaker’s stance in no uncertain terms.

The provision said the Pentagon could not “eliminate, divest, downsize, reorganize, or seek to reduce” the number of CIC students or else NDU would be barred from spending more than 60 percent of its budget.

The prescriptive language would be enshrined into law in January.

“A BEST-KEPT SECRET”

The main players in the drama have left.

Trump announced in a tweet that Esper had been “terminated,” just days after the 2020 election was called in favor of Biden. Roegge cycled out of the NDU presidency roughly a month after the NDAA was signed into law. Kane retired around the same time. The Pentagon’s comptroller returned $1.4 million to NDU’s budget for fiscal year 2021 and $5 million for the coming fiscal year, which begins on October 1.

In addition to the strident language introduced by Langevin, the bill also called for the creation of a cross-department working group that included members of NDU and CIC to dig into how the college fit into the vast defense enterprise and its role in educating the cyber workforce. The examination found that there is “demand” for the degrees and certificates produced by the school and that it should remain part of the university.

That report to Congress was “really a tremendous leap forward,” according to Lewis. “A lot of the linkages about how CIC educates the cyber workforce and really our role was not clearly understood” previously.

The study also “garnered us a degree of support from across the department, because quite frankly, we were a best-kept secret, in my mind, for far too long,” Lewis joked.

However, it also called for a follow-on study, which will be carried out by the Rand Corporation.

“Honestly, I’m confident enough in the college that I think any objective review of the facts and the requirements would yield some kind of an answer other than, ‘We need to zero this organization out,’” said Thomas Wingfield, who joined CIC’s staff in 2016 and was its acting chancellor before leaving to become the Pentagon’s top civilian for cyberspace policy three years later.

Wingfield, who recently joined Rand as a senior researcher, told The Record he wouldn’t be involved in the next study because of his previous advocacy for CIC within the halls of the Pentagon. But he believes the college is “safe” for now and predicted it would grow.

Indeed, the school held the convocation for its full-time program in August, with 49 students graduating. The class size is expected to grow by another 10 to 15 students next year.

“We don’t have as many cyber experts as we need; people able to pull together everything at the senior strategic level. It’s a critical shortfall and this school builds that,” according to Wingfield, who asked the question that spurred Langevin’s comments.

CIC and its work also received high-profile public endorsements earlier this year.

“I’m a big believer in that college and I have hired many of the graduates from that program and have employed them and I actually seek them out,” Marine Corps Lt. Gen. Dennis Crall, the Joint Staff’s CIO, told the Senate Armed Services Committee’s Personnel subpanel in April. 

The college turns out “many, many good graduates, many of whom work for me as well,” added then-acting DoD CIO John Sherman, whom Biden nominated last week to permanently fill the role.

“We think it should be sustained and continue to work.”

Sen. Kirsten Gillibrand (D-N.Y.), the subpanel’s chair, said: “Now more than ever we need every resource available to bring together and grow our military’s knowledge base on cyber issues. We really should not miss an opportunity to impart that knowledge on the military’s rising leaders.”

Today, the entire university and CIC are strategizing over how to hire faculty and staff as quickly, and as much, as possible. This summer the school advertised its chancellor post for the first time since the last official chancellor departed in 2018. It also is looking to recover from the faculty brain-drain that occurred during the era of budget uncertainty.

Brown, Cyber Command’s first legal chief, decided to return to the college after “several” colleagues sent him the NDAA language.

He described the relationship between CIC and NDU today as “super positive,” stressing that even when the school’s future looked bleak, relations between the two camps remained “professional.”

Lewis said she has already had “frank” discussions with new NDU president Air Force Lt. Gen. Michael Plehn about the future of both institutions.

She said the university’s new path recognizes that “all of the component colleges of NDU have a unique role to play in standing up leaders who have a degree of expertise in cyberspace and information, in resource management, in national security strategy.”

She added NDU leadership has spoken to general officers and stakeholders across the massive department and found they support the vision that there can be “distinct colleges with distinct mission sets.”

Vorndick said students, already enduring the logistics of remote learning due to the coronavirus pandemic, had no idea what was going on behind the scenes.

“Ignorance is bliss,” joked Vorndick, who is now serving as a senior fellow at CIC.

In a statement, Plehn said NDU is committed to educating and developing joint warfighters and national security professionals into strategic thinkers and leaders” who can face the “complexity and uncertainty of the current and future national and global security environment.” 

“We know success is rooted in effectively combining all instruments of national and international power across all domains of air, land, sea, space, and cyberspace,” he added.

As for Langevin, he said there will be no language regarding the college or NDU in this year’s defense policy roadmap, as an amendment or otherwise.

The longtime cybersecurity advocate said the U.S. “should be doing everything possible to prepare our war fighters to dominate” the digital domain. “This means educating everyone about the basics and developing specialists who know the virtual terrain like the back of their hands. This means everything, the new recruits and the ensigns, all the way up to the four star generals and admirals.”

Langevin said there was a reason the congressionally-chartered Cyberspace Solarium Commission, on which he played a key part, chose to host its strategy session there last year.

“We look at it as the research agenda, the economics of politics, and the strategy of competition in cyberspace can only be supported at an institution, or by an institution, with a clear agenda that can attract talent,” he told The Record. 

“CIC, I believe, is uniquely situated for that.”

The post Emerging from uncertainty, DOD cyber war college looks to navigate the future appeared first on The Record by Recorded Future.
