After several years of employment, officials believe now is the time to make adjustments to the Department of Defense cyberwarriors’ training and teams.
“We’re at a point in our maturity with the cyber mission force that it is time to go back in and review a couple of different things,” Maj. Gen. John Morrison, the commander of the Army Cyber Center of Excellence, told Fifth Domain during an interview in August.
There is broad consensus across the force that training needs to be re-evaluated.
Lt. Gen. Stephen Fogarty, commander of Army Cyber Command, also told Fifth Domain in an August interview that U.S. Cyber Command’s commander has directed a review of the way forces are trained.
“The training model [that] got us to where we built the force, is that the model that is optimal for the future operating force now?” he said. “As we’re reviewing training, we’ve got to review the operational construct because we think operations drives everything else: are the teams sized right, are the work roles right, is the training right to deliver the operational requirement that we’ve been tasked to provide?”
Fogarty said the force has received feedback from the combatant commands cyber forces support. Other current and former officials have acknowledged that it’s normal for DoD, as a learning organization, to take lessons learned and make adjustments to forces and employment.
On the training front, Morrison said there is an examination to see if training cyber warriors can be improved.
He said that Fort Gordon — the home of the Army Cyber School, which serves as the Army’s second phase or intermediary training after forces graduate the first phase at a joint training facility in Pensacola, Florida — only trained officers last year.
Fort Gordon now trains enlisted, warrant officer and officer, which has become the joint standard.
Morrison also said the Army is working with the Defense Digital Service to evaluate how it can improve training for phase one in Pensacola, known as the Joint Cyber Analytics Course, or JCAC. JCAC is essentially the basic cyber training for joint forces that have no prior experience in cyber.
Morrison said they ran a pilot that took the 27-week JCAC course and put it into a new methodology so they could conduct it at Fort Gordon in roughly 12 weeks. Morrison added that this might have to extend to 14 weeks, but there will be another pilot in the fall.
Cyber students at Fort Gordon told Fifth Domain that there was some redundancy and overlap in courseware from phase one to phase two.
The recommendations from the pilot will be sent to Cyber Command as something that could be come a joint standard, Morrison said.
Employment and team structure
Prior to his retirement, former Cyber Command commander Adm. Michael Rogers told lawmakers he’d like to “retool” the structure of the cyber mission force as it was built on a construct that is almost eight years old and can take advantage of lessons learned in that period, something current commander Gen. Paul Nakasone has indicated he’d like to do as well.
Rogers told Congress at the time that he didn’t want to change the structure while the teams were building. Now that they have reached what’s known as full operational capability, the time may be ripe for reevaluation.
Fogarty, who most recently served as chief of staff at Cyber Command, said during this period the command would tailor and task organize in order to meet missions.
“We’re always going to have the ability to task organize or tailor but we think we’re at a point now we know enough that it’s time for the next evolution of this. That’s what we’re trying to figure out, exactly what that looks like,” he said.
Some in the cyber community have indicated in the past that more intelligence personnel could be needed to help better inform operators of targets and context, as well as more tool developers — the initial force was very operator heavy, relying heavily on National Security Agency personnel for tools initially.
Others have suggested that rather than the current force design where teams only do offense and defense, despite cyberwarriors being trained in both prior to being assigned to specific teams, cyberwarriors could be tasked to do both.
“Right now we have teams that look at defense, we have teams that look at offense — almost like a football team. Maybe a better concept is we set up like a hockey team or a basketball team where everybody plays both ways at the same time,” Ignatius Liberto, chief of staff at Cyber Command’s operational global defense arm Joint Force Headquarters-DoD Information Networks, told Fifth Domain in May.
Others agree that there should be more of mix in the team structure.
“I wish we did more of the mix because … I find that people are passionate about a specific technology area and regardless whether they’re applied on the offensive or the defense they’re going to be pretty good at that because that’s what they’re passionate about and that’s what they research on their own time or practice at home,” Capt. Stephen Rogacki, aide-de-camp to the commandant at the Army Cyber School, told Fifth Domain during an August visit to Fort Gordon.
Rogacki previously served on an offensive cyber team.
He added that, from a commander perspective, this approach might allow for greater talent management allowing them to potentially create tech or regionally aligned teams with personnel that are talented and passionate about certain technologies.
This way, whether the problem is offensive or defensive — which often technology can be dual use in cyberspace — commanders can assign personnel based on a specific technology sector or regional threat, then those personnel will be assigned to that mission as opposed having a team that just does offense and they can’t do defense.
Michael Burke, technical director for the Cyber National Mission Force, which protects the nation from cyberattacks of significant consequences, told Fifth Domain in September at the Billington Cybersecurity Summit that organizations have a choice to organize on mission and matrix in function or organize on function and matrix in mission. Generally, the cyber teams organized on mission and matrixed function, he said, adding it’s a balance.
Burke, speaking from the CNMF perspective, which is a headquarters element, said the CNMF has a good idea of what they need in terms of skillsets from the services that supply the cyberwarriors based upon employing forces for multiple years now.
“If you think about eight years ago, I don’t need the same sort of person eight years ago in cybersecurity [I need now],” he said.
Rather than having an indicator of compromise, a patch to fix it or some other type of executable, Burke said now the game has shifted heavily toward behavior.