U.S. Army commanders are coming to grips with the need to more robustly defend their tactical networks from intrusions from highly sophisticated enemies.
A pilot program at the National Training Center at Fort Irwin in California integrates cyber planners and tactical cyber operators with brigade combat teams doing their rotations through the center as part of their normal brigade training. For the sake of the pilot, a defensive cyber planner is embedded with the brigade staff to help coordinate with the brigade’s organic network operators. The planner acts as a liaison with the brigade between remote defensive capability provided by the cyber protection brigade.
But now exercise officials are choosing to keep those working to defend the network in a remote location, as opposed to on the ground as in previous rotations.
“If we can do this from remote, we don’t need to burden the brigade with additional logistical resources and it gives them that additional reach back with additional bodies if they need it,” Matt Funk, the exercise planner, told Fifth Domain. “So far that’s been working very well.”
Army Cyber Command’s pilot program experimenting with tactical cyber capabilities is known as the Cyber and Electromagnetic Activities Support to Corps and Below. Officials with those teams are looking at the right formula for defensive cyber support to brigades during future operations. At the beginning of the most recent rotation, the brigade put sensors on the network to allow them to monitor remotely.
The operational community is also beginning to take this approach, as the Army looks to overhaul its tactical network. Army leaders have said they are working with the brigade on where to place sensors in order to be able to provide remote support in the future.
“We test their ability to identify a threat, report the threat and mitigate the threat. Those are the three things they need to be able to do when they leave here,” said Capt. Ryan Carnahan, team lead for the cyber opposing force. “We present them opportunities to see that and then to strengthen their reporting.”
The opposing force can dial up or down the attacks depending on the scenario or how the brigade is performing on any given day.
Unlike other cyber-specific exercises for cyber forces, Carnahan explained the opposing force attacks are incremental. While a threat might be identified very quickly, it might be a much longer process to mitigate it. As such, after action reviews are only conducted at the end of the rotation.
The opposing force will brief the network defenders on the avenues they took to compromise the network and the ways they maneuvered.
“I’ll present that back to them so they can see … from our perspective, as the emulated threat, how they did,” Carnahan said. “We’ll go over that at the end so they can get a holistic image.”