One of the observations most oft discussed surrounding the cyber domain is how fast it moves. So fast, evidently, that the Defense Department is outpacing itself.
“We are outrunning our headlights,” Lt. Gen. Paul Nakasone, commander of Army Cyber Command, said during a keynote presentation at the CyCon U.S. conference in Washington Nov. 7. “We’re learning so much, whether or not it’s with our forces, with our doctrine, with our strategy; we are well forward of where we thought we would ever be.”
Nakasone referenced the progress DoD has made in the past seven years in this domain, namely the stand up of a cadre of dedicated cyber warriors and the employment of such forces. This has manifested itself in Cyber Command’s cyber mission force, the roughly 6,200 person, 133 team force of offensive, defensive and support teams made up of personnel from the service cyber component commands, which Nakasone described as a gamechanger.
That is the capability DoD built over the past seven years, Nakasone said, adding it’s a capability that they’ve employed defensively and offensively, as well referencing the fight against the Islamic State group, the most public of offensive cyber efforts executed by the U.S.
“What have we learned?” Nakasone asked, “a tremendous amount.” This includes lessons pertaining to:
- Force structure;
- Force employment;
- Command and control of forces;
- The ability to bring capabilities to the forefront;
- How to take defensive teams and ensure they are informed by offensive teams; and
- How to take intelligence either from the private sector or the government to empower a team.
Regarding offensive and defensive personnel, Cyber Command has worked to train each cyber warrior to the same joint standards.
“The first thing you want to do is be careful about saying it’s one or the other. I do think that there’s a benefit and an advantage ... that one might inform the other,” Rear Adm. T.J. White, commander of the Cyber National Mission Force at Cyber Command, said during a panel at the INSA National Security and Intelligence Summit in Washington Sept. 6. “There’s a lot that we’ve learned in anticipating what you might have to do on the offense by understanding very, very well what is going on with the defense.”
Creating a cyber warrior class, the Department of Defense and Cyber Command sought offensive and defensive forces trained to the same joint standards, allowing them the ability to switch roles and to better understand each other.
Others have also noted lessons learned regarding force employment through operational lessons, especially on the defensive side where they can spilt defensive teams – made up of 39 individuals – eschewing the need to send everyone toward a problem.
“One of the things we found with practical experience is we can actually deploy in smaller sub elements, use reach-back capability, the power of data analytics; we don’t necessarily have to deploy everyone,” Adm. Michael Rogers, the commander of CYBERCOM, told the House Armed Services Committee in May. “We can actually work in a much more tailored, focus[ed] way optimized for the particular network challenge that we’re working. We’re actually working through some things using this on the Pacific at the moment.”
Elaborating on this notion, Brig. Gen. Maria Barrett, deputy of operations J-3 at CYBERCOM, has noted that this construct allows for greater agility.
“You would send a smaller group forward and then do whatever analytic work or analysis you need to do back at home base, be it Fort Gordon or San Antonio or Hawaii or reach back and do some of that work there,” she said. “That kind of facilitates us being a little bit more agile and quick.”
Cyber Command has also expounded on these operational lessons and taking them to training and validation exercises. “From that lesson, our branch at Cyber Command has said now that we’ve seen that lesson at an exercise, let’s bring in the mission force experts and figure out how we craft our doctrine to reflect operations,” said an exercise leader at Cyber Command’s annual Cyber Flag told C4ISRNET. “There’s real traction that happens from these lessons learned.”
The command, however, is not necessarily looking to re-evaluate the makeup of teams. Despite the large nature of CPTs, even if a subset of that team can deploy to a problem, depending on the nature or difficulty, the entire team might be needed later.
Cyber Command has also looked at evaluating their tools and kits with plans to roll out standardized tool kits.
Nakasone added that doctrine, strategy and training of forces is being rewritten today. In fact, DoD is working its third cyber strategy.
Members of the Senate Armed Services Committee chastised the Defense Department’s witness given that after several years of working the problem, the answer to how the department may respond to actors or incidents is essentially: it depends.
“That’s why I would tell you that even with the tremendous work we’ve done within our department, we’re running faster than our headlights because we are learning so much,” Nakasone said.