When most all military officials talk about the cyber domain, they
don’t focus so much on profound technological advancements and
cutting-edge capabilities, but, rather, on the people.
The Defense Department created U.S. Cyber Command in 2009 as a
sub-unified service under the Strategic Command as a means of better
enabling cyber operations. Within this structure, the force sought to
build a Cyber Mission Force to fill the ranks in a variety of capacities
as they relate to operations in cyberspace. The goal is to fill 133
teams consisting of 6,200 personnel with an operational capacity by
2018.
“By the end of 2016, all the teams will be in place and at initial
operating capability. And by the end of 2018, we expect all those teams
to be at full operational capability,” Air Force Lt. Gen. James
McLaughlin, deputy commander of Cyber Command, told an audience at the Center for Strategic and International Studies in October.
The 133 teams will consist of 68 cyber protection teams focused on
DOD’s number one mission— defense of the network—13 national mission
teams to help defend the nation’s critical infrastructure, 27 combat
mission teams aligned with the combatant commanders and assist in their
planning, and 25 support teams that can be called upon, with another
2,000 service members in the reserves.
“2016 will also be a big year from us because it’s an inflection
point for us,” Adm. Michael Rogers, commander of Cyber Command, told and
audience at the Atlantic Council in January. The first few years of the
organization’s short five-year history was spent on generating capacity
and capability with the cyber mission force, he said. “In 2016, as I
tell our team, you can tell we’re at the tipping point now. The capacity
and capability is starting to come online. You look at some of the
things we’ve done on the defensive side, you look at some of the things
that we’re doing looking in terms of a broader spectrum of capability,
and the hard work of the last few years is really starting to pay off.”
Building the force
“We’re about half way through that build process right now. We have got to get it finished by September the 30th of 2018, is our goal,” Rogers told an audience
at the RSA conference this week. “When I look at the data—and I review
this every quarter, I just looked at the data about two weeks ago—we’re
right now postulating that if nothing changes, 93 percent of the force
will be delivered on time. So I’ve got to figure out in the next two
years how we’re going to get that remaining seven percent on time.
Because the goal is 100 percent of those 6,200 individuals and 133 teams
on station, fully trained, ready to operate in a very demanding
environment, and to do that by 30 September 2018.”
The build has been arduous, as the teams have had to carry out
operations as they are built. “What’s happening right as we create them
is we’re already using them,” Army Maj. Gen. Paul Nakasone, commander of
the Cyber National Mission Force, said at CSIS.
Each service branch has a commitment to contribute to the overall 133
teams under their individual cyber divisions; 13 from the Marine Corps,
41 from the Army, 39 from the Air Force and 40 from the Navy.
The Army currently has 33 of its 41 teams, an improvement from 2013, when the service only had two, while the Air Force bolstered its cyber mission force by roughly 40 percent last year.
The question of “manning” new cyber teams was a challenge. Robert
Naething, deputy to the commanding general of the Fifth Army, offered
anecdotal insight into the manning question as it pertains to the first
cyber protection brigade being built at Fort Gordon, Ga., home of the
Army Cyber Center of Excellence. “As we were looking at this manning,
you typically bring a soldier in, you teach him how to be a tanker or
something, but you say ‘no, this is a high level skill.’ So do we have
to go out there and somehow recruit a bunch of Ph.Ds. out of MIT? Well,
how do you do that, how do you pay for them, how do you keep them busy
and what do you bring them in as?” he said at a webinar
hosted by Defense One. “And so that was really not very tenable. So, as
we were trying to figure out how do you man the Army cyber units,
really the only immediate solution was to reach out to the Army to see
the soldiers we already had…and try and build it initial capacity. And
the phenomenon that took us off guard is, actually, there’s incredible
capacity out there within our soldiers that we didn’t expect to
find.”
Attracting and training talent
The military has engaged in several initiatives to ensure that the
new cyber mission force and the next generation’s cyber warriors are
properly equipped. The services have taken to opening hackathons,
exercises and cyber ranges for a variety of training and evaluation
purposes. For instance, the Army announced last summer the establishment
of a Cyber Battle Ground
that will be open to all units and will reduce the time and costs of
training cyber warriors. It provides a realistic environment for testing
skills learned and reinforced in a classroom setting.
Air Force and Army Reserve cadets in the Advanced Cyber Education
program at the Air Force Institute of Technology last summer took part
in a competitive hackfest
described as the closest thing to hand-to-hand cyber combat.
Participants were forced to think outside the box in competitions
involving the construction and defense of enterprise networks while
attacking opponents.
The Air Force has taken several steps toward attracting uniformed
members into its cyber ranks. According to a spokesperson with the 24th
Air Force, these programs include the “Stripes for Certification”
program, which provides opportunities to enlist at higher grades when
entering the service with cyber-related certifications, selective
reenlistment bonus programs and the Cyberspace Warfare Operations career
track for officers to provide qualified cyberspace officers proper
growth opportunities.
The Air Force is also standing up a cyber proving ground, which was announced in October. A fresh factsheet published on the new Benjamin Foulois Cyber Proving Ground website depicts
a center of “multi-disciplinary teams from the operational,
acquisitions, intelligence, test, and developer communities to rapidly
explore potential solutions to meet cyber operational needs” and
“identify, enable, and accelerate implementation of innovative concepts
and technologies to improve Air Force cyberspace operational
capability.”
Simulated exercises, however, are going only so far. A recent report submitted
to Congress concluded that cyber exercises did not include the full
force of possible attacks. “Exercise authorities seldom permitted cyber
attacks from being conducted to the full extent that an advanced
adversary would likely employ during conflict, so actual data on the
scope and duration of cyber attacks are limited,” the director of the
Defense Department’s office of Operational Test & Evaluation
discovered. The report concluded that combatant commanders’ reluctance
to permit realistic cyber effects during training is due to requirements
to achieve several other training objectives during exercises. The
report recommended that combatant commanders make serious preparations
to conduct critical missions in cyber-contested environments as well as
perform periodic operational demonstrations involving operational units,
network defenders and cyber protection team elements in order to ensure
mission success.
“[O]ne result of conducting the exercise with severe constraints on
the opposing force’s cyber operations is that the brigade will not be
training against a full-on cyber threat—and thus will get no practice
operating in a severely compromised cyber environment,” Herb Lin, a
cybersecurity expert at Stanford University’s Hoover Institution wrote
in a blog post,
regarding a recent exercise in Hawaii. “I can’t help but wonder: Would
the cyber-induced collapse of expensive exercises motivate senior
decision makers to pay more attention to operating in compromised
battlefield environments?”
Ensuring the force is equipped with basic cyber hygiene is also a
major priority. “If [DOD] gave you a weapon, you must ensure that that
weapon is appropriately treated, appropriately used, always secured.
That is pounded into our culture,” Rogers said recently
at the Atlantic Council, comparing cyber hygiene to weapons training in
the physical world. “You have constant responsibility of the security
of that weapon…And you don’t ever forget that. We need to do the exact
same thing in the cyber realm.”
Even the most impenetrable network firewalls are susceptible to human
error. “[T]he biggest weak links are the many operators that we have in
that cyber domain that don’t exercise good cyber hygiene,” Adm. Paul
Zukunft, commandant of the Coast Guard, said at CSIS. One click on a phishing email can send a flood of intruders into a network.
Recruiting the next generation of cyber warriors
As the Cyber Mission Force gears up, other initiatives put forth by
the Defense Department to train the next generation of cyber warriors
have been in place for a few years. The strategy to recruit and train
the next generation can be compared to the collegiate football pipeline.
“We really have to start at middle school,” Gary Wang, Deputy Chief
Information Officer of the Army said in September.
College coaches “go down to the middle school, they knock on the
parent’s house, they go, ‘Hey, your kid has potential to be the middle
linebacker for blah blah blah’ and they kind of get them all excited …
That’s the approach we have to take with our future cyber warriors.”
The National Security Agency has several such programs, given its
decades of operation in signals intelligence and information assurance,
as well as close proximity to the Cyber Command, with which they share
the same director. The initiatives offered by the NSA include partnerships with colleges applying on-the-job training toward bachelor’s degrees and the National Centers of Academic Excellence for cyber operations. Also, the annual Cyber Defense Exercise pits students from the service academies against each other to build and defend networks against simulated intrusions.
NSA also has partnered with the National Science Foundation to create “GenCyber”
summer camps at universities to expose middle school and high school
aged students to cyber problem-solving. “You missed the boat if you’re
waiting ‘til folks are coming out of college and think you’re going to
turn them into a cyber warrior,” Wang said at a Defense Systems event in
September. “Your best cyber warriors are already starting at age 11 and
12,” he said, adding that some school districts are mandating computer
programming at the elementary school level.
The Navy and Air Force have also gone to lengths to reach out to
local communities assisting with cyber training and STEM programs for
youth, such as the Navy “cyberthons"
and the Air Force Association's “CyberPatriot” STEM initiative,
described by an Air Force spokesperson as “Airmen mentor[ing] cyber
teams as part of a nationwide competition involving nearly 20,000 high
school, middle and elementary school students.”
“Technology alone isn’t going to get us there. Don’t ever forget the
human dimension in all of this. It often gets overlooked to me,” Rogers
told the audience at RSA. “And that human dimension goes from how do
you build a workforce that’s agile and capable of working in this space,
to how do you make sure your users are intelligent and smart and
knowledgeable about the choices they make. But don’t ever forget the
human dimension.
Defensesystems