By Gary Warner

Vincent R. Stewart, Lieutenant General, U.S. Marine Corps was promoted into the position of Director of the Defense Intelligence Agency. While our friend and colleague Lt. General Ronald Burgess (ret.), now at Auburn University here in Alabama, certainly understood and respected the importance of the cyber domain, General Stewart represents the first time we have a true cyber warrior at the helm of the DIA. Immediately prior to his appointment as Director of the DIA, General Stewart served as the commander of the Marine Force Cyber Command (described at the end of this blog post.) General Stewart was director of Marine Intelligence from 2009 to 2013, rising through the ranks in a long and distinguished career that began with humble beginnings in Jamaica and includes many decorations for valor and leadership.

Worldwide Threat Assessment – Cyber

dia1On February 3, 2015, Lt. General Stewart delivered his first Worldwide Threat Assessment to the Senate Armed Services Committee. (Transcript here). So what did our new DIA Cyber Warrior leader have to say about Cyber threats?

The briefing began, appropriately, with a status of Iraq and Afghanistan, focusing on terrorist threats from ISIL, al-Qa’ida, and the Taliban. After that he touched on certain other “violent extremist organizations” and concluded with a region-by-region and global threat summary.

In his discussion of ISIL, al-Qa’ida, and the Taliban, no technology or internet discussion was featured. Expanding beyond Iraq, AQAP (Al-Qa’ida in the Arabian Peninsula) was said to be focused on commercial aviation targeted with innovative explosions. AQIM (Al-Qa’ida in Lands of the Islamic Mahgreb) is mostly focused on kidnapping and attacks against allies. The Al-Nusrah Front and the Khorasan group were said to be focused on providing personnel and training in Syria, but with an interest in targeting western interests. IRGC-QF (Islamic Revolutionary Guard Corps-Quds Force) and Lebanese Hizballah were described a “instruments of Iran’s foreign policy and its ability to project power in Iraq, Syria, and beyond.” Boko Haram was described as having the potential to expand beyond Nigeria to become a “significan regional crisis.”

Cyber Operations

The first mention of cyber comes with regard to Russia, mentioning that Russian actions against Kyiv included “the use of propaganda and information operations, cyberspace operations, covert agents, …”While the other regional assessments did not include cyber individually, cyber was brought up in the concluding portion of the remarks in the section labeled “Global Threats.”

General Stewart’s points on the lack of consensus about the status of cyber attacks was especially telling. The “big bullets” from the cyber portion of the talk seem to be:

  • aggressive attacks against DoD and allied defense networks
  • increased cyber-espionage against DoD and Defense Contractor networks
  • concerns about supply chain vulnerabilities
  • increased use of cyber operations in regional conflicts
  • a lack of international “norms of behavior” in cyberspace
  • freedom of action, especially by Iran and North Korea, to conduct peacetime cyber offensive attacks on western interests without fear of reprisal
  • the use of the Internet by non-state actors for Communication, Propaganda, Fundraising, and Recruitment

Below I quote the General’s remarks on cyber in full:

The global cyber threat environment presents numerous persistent challenges to the security and integrity of DoD networks and information. Threat actors now demonstrate an increased ability and willingness to conduct aggressive cyberspace operations — including both service disruptions and espionage — against U.S. and allied defense information networks. Similarly, we note with increasing concern recent destructive cyber actions against U.S. private-sector networks demonstrating capabilities that could hold U.S. government and defense networks at risk. For 2015, we expect espionage against U.S government defense and defense contractor networks to continue largely unabated, while destructive network attack capabilities continue to develop and proliferate worldwide. We are also concerned about the threat to the integrity of the U.S. defense procurement networks posed by supply chain vulnerabilities from counterfeit and sub-quality components.

Threat actors increasingly are willing to incorporate cyber options into regional and global power projection capabilities. The absence of universally accepted and enforceable norms of behavior in cyberspace contributes to this situation. In response, states worldwide are forming “cyber command” organizations and developing national capabilities. Similarly, cyberspace operations are playing increasingly important roles in regional conflicts — for example, in eastern Ukraine — where online network disruptions, espionage, disinformation and propaganda activities are now integral to the conflict.

Iran and North Korea now consider disruptive and destructive cyberspace operations a valid instrument of statecraft, including during what the U.S. considers peacetime. These states likely view cyberspace operations as an effective means of imposing costs on their adversaries while limiting the likelihood of damaging reprisals.

Non-state actors often express the desire to conduct malicious cyber attacks, but likely lack the capability to conduct high-level cyber operations. However, non-state actors, such as Hizballah, AQAP, and ISIL will continue during the next year to effectively use the Internet for communication, propaganda, fundraising and recruitment.


dia2In January, General Stewart passed control of the U.S. Marine Corps Forces Cyber Command (MARFORCYBER) to Major General Daniel J. O’Donohue. (A somewhat dated biography of General O’Donohue is available from the Armed Services Committee)

The command, established in October 2009, was complemented by the Navy’s U.S. Tenth Fleet Cyber Command. According to the Marine Corps’ “Concepts and Programs” document, the mission of MARFORCYBER is to “plan, coordinate, integrate, synchronize, and direct full spectrum Marine Corps cyberspace operations. This includes Department of Defense (DoD) Global Information Grid (GIG) operations, defensive cyber operations, and when directed, planning and executing offensive cyberspace operations. These operations support the Marine Air Ground Task Force (MAGTF), joint, and combined cyberspace requirements that enable freedom of action across all warfighting domains and deny the same to adversarial forces.”

MARFORCYBER has two sub-units, Marine Corps Network Operations and Security Center (MCNOSC), which defends the Marine’s own network, and Company L, Marine Cryptologic Support Battalion (MCSB), which plans and executes offensive cyberspace operations.
( Marine Corps Concepts and Programs 2013_1.pdf, PDF page 42)

Gary Warner is the Director of Research in Computer Forensics at the University of Alabama at Birmingham (UAB). He is also the co-founder and Chief Technologist for Malcovery Security.

This piece was originally posted on the CyberCrime and Doing Time blog.