Would you send a unit to war without adequate, organic protection from the threats it’s most likely to face? On its surface, the answer seems obvious. But when it comes to cyber threats, every Army battalion is effectively in this situation, reliant on external defenses, with little visibility on how or when these defenses are employed to protect it.
The US military represents a target-rich environment for evolving cyber threat actors intent on, for instance, extracting sensitive personally identifiable information, standard operating procedures, deployment plans, and technological data. A majority of cyber assets, however, operate from within the confines of higher-echelon units, removed from the kinetic happenings of battle. While this organization is effective in centralizing cybersecurity for operational and strategic prevention and response purposes, current Department of Defense structure leaves tactical-level units like Army battalions vulnerable to the tactical effects of cyber warfare. Remedying this vulnerability requires creative organizational solutions, developed and implemented before such efforts are too late. One simple idea? Push cyber expertise down to this level.
The Army can address the systemic lack of tactical cyber threat intelligence by integrating cyber professionals into S2 shops—organic battalion staff intelligence sections. These sections traditionally serve to inform all-source intelligence requirements for battlefield commanders alongside other staff planning and garrison duties. S2 leaders are often knowledgeable in the deployment and analysis of a range of intelligence disciplines—including human, signal, and geospatial intelligence—but cyber threat intelligence is a specialization left for higher-level commands. Adding just one service member who is skilled in identifying indicators of compromise and adversarial tactics, techniques, and procedures into battalion intelligence sections can prove invaluable during tactical and operational decision-making.
Today’s real-world conflicts illustrate how executing defensive cyber capabilities at low levels of warfighting is necessary in preventing malicious activities. During the ongoing Russo-Ukrainian War, for example, cyber warfare has arguably been Russia’s biggest military successes, as state-sponsored actors affiliated with Russia’s military intelligence agency continue to successfully target various layers of cyberspace to disrupt Ukrainian operations. For example, the exploitation of Delta, a Ukrainian software designed to synchronize intelligence and targeting, illustrates how cyber intrusions increasingly represent significant threats to tactical forces.
For the US Army, adding organic cyber personnel into battalion intelligence staff sections would represent a crucial step toward safeguarding against attacks that higher-level echelons cannot observe or mitigate in the field. For instance, Russia’s hacking of Delta was initiated through phishing of military email accounts belonging to Ukrainian soldiers, disrupting shared situational awareness, battle tracking, and command and control. Phishing allows cyber actors initial access into vulnerable systems to install malware via a single click of a malicious link inside an email. This attack vector can bypass deliberate defenses of brigade cyber teams, introducing crippling vulnerabilities at the service member level. When targeted by malicious phishing or other attack vectors such as credential harvesting, battalion tactical operations centers, counterfire cells, and command nodes can be degraded instantly. The United States employs troop-monitoring technologies similar to Ukraine’s Delta software, including the Joint Battle Command Platform and Advanced Field Artillery Tactical Data System, depicting how key takeaways from ongoing conflicts must inform the deliberate evolution of cyber intelligence structuring in the US Army—and across the Department of Defense—to protect critical warfighting capabilities.
The largest challenge of dispersing cyber experts to battalions is, of course, logistical. The Army would require creative policies to meet the manpower demand. For example, United States Army Cyber Command has 16,500 personnel, but many of these are civilian employees and contractors. And the uniformed personnel in the command are already gainfully employed, working on a wide variety of cyber mission sets. Adding an additional cyber threat intelligence analyst, noncommissioned officer, or officer to each battalion would be impossible without recruiting and training more cyber professionals. And yet, there are solutions. The Army could expand incentivization efforts to recruit cyber service members, seek voluntary branch transfers from current warfighters, or address vulnerabilities through triage. Certainly, not every battalion requires organic cyber defense capabilities to make measurable progress toward reducing vulnerability at the tactical level. The Army could start reorganization by enhancing intelligence sections of battalions that represent the most likely threats of state-sponsored targeting. For example, to protect indirect fire and maneuver, cyber threat intelligence could be integrated into combat arms battalions first. Likewise, the threat picture of deployed units is inherently greater than commands in garrison. As such, the Army could attach cyber experts to deploying units during ramp-up training cycles and while overseas to enhance tactical prevention, mitigation, and response efforts of the Army’s most vulnerable organizations.
After appropriate reorganizational steps are initiated, integrating cyber threat intelligence into battalion S2 shops would be a streamlined process. Critics might argue that integrating cyber threat analysts at the battalion level would disrupt existing intelligence teams or that S2 shops might not have the knowledge necessary to make use of the capability, but there is little basis for either claim. Cyber threat intelligence analysts are best informed through both classified and unclassified means—just like their all-source counterparts. Moreover, many cyber analyst tools are openly available online, and even in communications-degraded environments, experts can still harden vulnerabilities without an internet connection. Furthermore, battalion staff sections are accustomed to integrating and overseeing diverse, complementary capabilities. For example, leaders within battalion communications sections oversee radio, information technology, and network solutions, which would be all but impossible for officers in charge to fully deploy without leveraging in-house expertise. Intelligence shop heads can likewise manage cyber threat intelligence by synchronizing organic cyber expertise with knowledge of existing systems and all-source personnel.
A major restructuring of Army cyber capabilities will not occur quickly. However, time is not on the Army’s side, as cyber threats evolve and vulnerabilities grow. Just one catastrophic intrusion can alter the tide of battle in any conflict defined by interconnected technological systems. The time to act is now, and the Army should deliberately investigate adopting new cyber threat intelligence capabilities at lower operational levels before it is too late.
Jacob Scheidemann is a current cyber threat intelligence analyst and intelligence management graduate student. A prior active duty Army officer with previous intelligence leadership roles in INDOPACOM and CENTCOM, Jake is also a routine contributor of national intelligence writing to platforms including the Military Times.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.
Image credit: Edric Thompson, US Army