How Cyber Command has ‘built and rebuilt’ its strategy around cyberspace operations
Kurt Sanger joined U.S. Cyber Command by “happenstance.”
After arriving at Marine Corps Forces Cyberspace Command in 2014 as a top attorney, he was asked to create a service post on the top digital warfighting unit’s legal team.
The slot was created, but soon vacated, and Sanger was asked to take it.
“It was really complete happenstance, but I ended up having helped create the position that I ended up filling.”
After 23 years in the Marine Corps, Sanger retired last month as the command’s deputy general counsel. The Record spoke with Sanger, now a cybersecurity board advisor for companies Cowbell and Batten, about his time at CYBERCOM, how the processes around cyber operations have changed, and what the future should hold for the U.S. in cyberspace.
The interview has been edited for length and clarity.
The Record: What always gave you the biggest headache when you served at Cyber Command?
Kurt Sanger: The military is used to doing business a certain way and has standard operating procedures that are standard because they work. And we have terminology that is developed over hundreds of years of the U.S. military that can be applied in multiple different situations, and it creates a shorthand that allows all our service members to work together more quickly.
Cyberspace operations, for the most part, don't fit into those things that I grew up with. No one grew up with cyberspace operations that were at the leadership level when I got there.
Finding a new way and a creative way to think about a new type of operation that potentially had the same level of strategic impact as other types of military operations that didn't create the same levels of violence or lethality — it takes some getting used to.
We may have unnecessarily restrained ourselves because we beamed everything that was a military capability under that paradigm of what we do is really reserved for armed conflict. But as we discovered, and as our adversaries introduced to us, there are ways to use the cyberspace domain, to do things below the level of armed conflict, that have strategic impact.
"As we discovered, and as our adversaries introduced to us, there are ways to use the cyberspace domain, to do things below the level of armed conflict, that have strategic impact."
— Kurt Sanger
TR: When did the rigor for cyber operations begin to truly develop?
KS: In 2016, [with] the Islamic State operations we conducted that year. That was my first introduction to offensive operations in the way that is similar to the way we run them today.
Issues we had thought of in an academic or theoretical sense prior to 2016, they became real. Practical things we realized we needed, that we had never really anticipated — such as certain types of manpower, resources or equipment, resources, those sorts of things.
It all became relevant because we were actually executing in an operational environment. That was really the first time we started putting meat on the bones.
TR: Was there a sense of building the plane while flying it?
KS: The plane is, to this day, being built and rebuilt based on the lessons learned and the successes and failures of cyberspace operations. Not just our own but what we learn from others’ cyberspace operations. And it’s also rebuilt every time there’s a new administration or a senior leader is changed.
TR: CYBERCOM has been given new authorities, adopted new strategies and taken on missions like election security and ransomware. Is it too much, too soon for the military’s second youngest combatant command?
KS: Every military unit, generally, the United States has ever had, they always have too much to do.
There's not a lot of redundancy, in terms of expertise and capacity in the Department of Defense, because all of us are working nearly at full strength. And that's no different for Cyber Command. It's only different because it's new.
Those authorities and those responsibilities are a product of what the global situation demands. It's not Congress giving us more to do because they think they've given us the money to do it. It's Congress giving us more to do because they think the country needs it for its defense.
TR: Looking back on your time at the unit, is there an issue or an area you wish you achieved more on?
KS: The executive branch has not caught on to the importance of working with the private sector in cyberspace yet.
There needs to be a greater level of information sharing at the very least. At some points, there's going to need to be operational coordination, if not, combined operations. The Microsofts and the Googles and the Apples and the bigger firms, they may need to synchronize with the FBI or Cyber Command or some other branch in the government.
"The plane is, to this day, being built and rebuilt based on the lessons learned and the successes and failures of cyberspace operations."
— Kurt Sanger
That’s hard to do.
The level of private sector control over cyberspace and involvement with cyberspace should make the government think twice about what it restrains and what it shares based on classification.
TR: Hasn’t Russia’s invasion of Ukraine accelerated that, though?
KS: We should take advantage of what we've learned over the last 10 months to continue to deepen the relationships with the private sector, and the government ultimately in some cases needs to think of itself not only as a defender of the country, a securer of the country or law enforcer, lawmaker and regulator — it also needs to think of itself as a fellow network owner.
TR: What does the government need to do better going forward?
KS: Other organizations — like Homeland Security, State and Treasury departments — we work with and whose equities we help protect, need to be resourced appropriately by Congress in order to support cyberspace operations in the same way Cyber Command and NSA are.
Most federal organizations don't have an ops center that can turn on a dime the way Cyber Command and any number of other DoD organizations can.
If Cyber Command is going to consult with, or seek support from any one of those organizations, in order for them to be able to provide that support they need to be resourced to work at the operational pace their military counterparts do.
Nobody else should be expected to be prepared for that operational pace unless Congress enables it with the right resources.
It would be better for America and for the U.S. government if all organizations with equities in cyberspace were as capable of moving that quickly, and getting all their stakeholders and making all their fully informed decisions at a pace that would support what cyberthreats demand.
Martin Matishak
is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.