Where do you think Cyber Security belongs?

Where Cyber Security belongs depends upon how it is defined and visualized. These are important things that should be critically thought about along with DOTMLPF (doctrine, organization, training development, material, leader development, personnel, facilities) considerations. Some historical examples.
- Tank. The tank was introduced in 1917. The British and French saw the tank as an infantry support vehicle and thus developed their DOTMLPF to support this vision. The Germans saw the tank as an independent vehicle and thus developed their DOTMLPF to support this vision. End result: the Germans kicked the British and French butts within six weeks in May 1940 even though the British and French had more tanks and their tanks were better (more powerful and heavily defended but less mobile).
- Airplane. The plane was first seen in 1904 and used in WWI. The Germans created a separate Air Force but saw the purpose of that Air Force to be tactical (support the Army). This is one reason why the Germans were not able to set proper air conditions for the invasion of Great Britain during the Battle of the Blitz. The Americans kept the Air Force as part of the Army (Army Air Corps) during WWII but created both strategic and tactical capability. The Air Force split from the Army in 1947. End result: The US was able to set tactical and strategic air conditions for the invasions of Europe, Germany, and Japan.
- Machine guns. Originally heavy and immobile thus Machine Gun Battalions were created in WWI. Eventually became lighter and more mobile which allowed for infusion into all elements at the platoon level.
- Cyber Security. Short answer is that I do not yet know where Cyber Security belongs but I know the methodology I will use to answer that question were I passionate about it to pursue it. Cyber security includes many different elements including but not limited to: offensive capability, defensive capability, engineering aspects (physical structures), IT aspects, private and public implications, etc.

To see real time Cyber attacks, try: http://map.ipviking.com

I think it is an emerging new area that fits in either on it's own, in IT or in traditional security just depending on the size, scope and mission of the organization. It is hard to be the master of all things. A large IT based firm would likely have a separate cyber security dept in addition to a traditional security dept. A very small company might have their IT dept handle it. A company with no "in house" IT would likely have their traditional security handle it.

I think it should be its own entity: Land, Sea, Air, Cyber.

I think the Cyber realm should have different PT, HT/WT, Test Scores, Mandatory Training, etc for their realm. This would enable us to bring in people that might not be the most physically fit for combat operations but are mentally fit for cyber operations.

There has got to be a meme for a new military service out there called the "Cyber Force"... It is comprised almost entirely of pimple ridden former basement dwellers...

All joking aside, Cyber Security and Information System Security are a large piece that do not only fit within one service. The use of the information domain as a weapon has been around for much longer than the advent of the cyber space. Exact details of which I wish I could speak to.

Each one of our weapon systems, whether they are controlled by the Army, Air Force, Navy or USMC will have a need for protection from intrusion and a quick method of detection that go far beyond inserting a "device" on a network. Compromising NIPRNet is as easy as someone opening up their Gmaill, or other free email account message and clicking on a link. It has happened before and it will happen again.

In short, cyber security belongs right where it is; as a component of each of the service's cyber security and information system security plans. Perhaps even standing up their own command dedicated solely towards Information System security protection and cyber attack. An example of this would be the Air Force's Cyber Command.

I could see a Cyber Command structure that is very similar in concept to the IC (Intelligence Community).

As a signal NCO, I can easily see the 25D fitting in with our structure as a signal corps. However, the 35 series would fall up under the intel community. I see overlap and it would make the most sense to group them with the others.

One of the questions that need to be answered is at what level does cyber security need to be applied? I would postulate that it needs to be applied all through from company level and up. In garrison, the existing G6/NIST structure would work with oversight and training down to the individual service member. However, with our current distributed deployment posture where Companies might find themselves on isolated FOBs/COBs then the coverage needs to be there also. Social engineering and OPSEC threats dont stop when you leave garrison.

The simple answer, at the desktop/laptop/mobile device of EVERY Soldier, Sailor, Marine, Airman, Government Civilian, and Contractor that access any and all systems. That said, we need to get into the mindset that security has to be part of the build plan and not an after thought. How many people have physical access to your device? Until we can get buy-in from the USERS of the systems, security in the cyber realm will be a dream and this is one area where just one person who is careless can be party to a network compromise.

Ask yourself this question, how many of you have stepped away for "just a second" and left your computer logged in and not locked? Be honest, this isn't a graded exam (yet). How long does it take to craft an all-hands e-mail? What about exposing your's or someone else's PII?

SSG-

Excellent website.

Personally I don't think there's a right or wrong way of looking at it. It really just comes down what the military has a whole wants. Enforcing a decision by pulling rank would get something done, but culture is a hard thing to weed out and cyber warfare is just becoming accepted.

I like the one members description of a cyber community like the IC. There will have to be many cells within each of the services and probably units that will address different functions, deal with certain threats and have various tactics at their disposal. Tactical options should be at a lower level while more strategic responses are elevated. Which raises the question of who is only authorized to be defensive and who can actually respond with countermeasures. Domestically it should be homeland security with the NSA. Overseas it should be the military in my opinion.