In an outfitted trailer at Fort Gordon in February, an Army instructor kicked off the first day of cyber class for enlisted students with an innocuous question: What do you hope to learn?
Some students said they hoped to learn about virtual private networks. Others didn’t have a clear answer. But one student, who previously served on a defensive cyber team and was now enrolled for formal training, answered that he wanted to learn how cyber teams used to operate.
It was a joke, poking fun at how the fast-moving cyber domain can make classroom education quickly feel dated. And this reply provoked a chuckle from the instructor, but also offered a valuable opportunity to reflect.
Ten years ago, the U.S. military had few examples of cyber operations to teach the next generation. U.S. Cyber Command was just a year into its existence. The number of cyberwarriors was significantly smaller.
But today students can learn from over a decade’s worth of cyber operations. Cyber Command is a unified combatant command, with the highest profile in its existence, and the cyber mission force is at its largest. With operational lessons in hand and an evolving cyber domain at play, how the Department of Defense trains — and teaches — cyber operations is changing quickly.
For the Army, nowhere are these changes more evident than at the service’s cyber school.
Based in Augusta, Georgia, Fort Gordon is becoming a regional cyber hub for the military. Army Cyber Command is moving its headquarters there in 2020 and with it will come a flurry of investments from government and private sector cybersecurity groups, including a $100 million taxpayer-funded cybersecurity center to be built in downtown Augusta.
While the Army finishes building the permanent home for the schoolhouse, students work out of classroom trailers that resemble high school computer labs. Earlier this year, Fifth Domain sat in on classes at Fort Gordon and saw first-hand how the Army’s cyber school is transforming.
The service is trying to instill a new culture in its students, one that better fits cyber operations, and is leaning on new approaches to help students adjust to this fast-moving domain. At the same time, the Army faces a balancing act in training its cadre of cyberwarriors with a mix of DoD’s requirements, which remain in flux, as well as new Army-specific requirements to train cyber/electronic warfare in information warfare.
Defense Department leaders have said cyberwarfare can change the dynamics of conflict going forward, and instilling the right mindset is critical to success in that environment.
“We don’t train people to tasks,” Capt. Chris Apsey, the deputy director of Cyber Common Technical Core, told Fifth Domain. “We train people on how to solve problems.”
Training Army cyber students
When soldiers first arrive at Fort Gordon, they enter the Cyber Common Technical Core. This is “supposed to be their technical leveler,” said Maj. Chase Hasbrouck, CCTC course manager.
“If you can complete that course, you should be roughly at the level of somebody who has multiple years experience in networking operating systems and security concepts.”
Today, the course is made up of three blocks with each covering a different core competency. The Army is working on a new version of the class for later in the year. But updating the curriculum can be difficult.
For example, Cyber Command’s cyber-protection teams operate differently now than they did years ago. However, Cyber Command leaders are still working to figure out the standards the services must teach to. Until then, the schoolhouse continues to teach the old model because that is the official doctrine. This means students are learning one way to conduct operations, just not the way cyber forces are doing it today.
Hasbrouck said students are taught the specifics of their work role once they get to their unit.
Given the relative youth of the DoD’s cyber force, the true experts are still operators. While these experts are still in the field, it doesn’t mean students can’t benefit from them.
“We currently have a memorandum of agreement under development with the schoolhouse where instructors will now have an opportunity to come over and shadow forces conducting operations so that they can also gain a little more context on actual instruction,” Lt. Col. Michael Smith, an operations officer on the Cyber Protection Brigade, told Fifth Domain.
The intent, Smith added, is that the best operators will then be reassigned as instructors in the future.
Changing Army culture
Perhaps more important than even the coursework is the culture that surrounds cyber operations. The staff at Fort Gordon are trying to change the predominant culture in the service that trains soldiers to rely on a checklist for completing tasks.
In cyberspace, this will not cut it.
“We want you to get the right answer and we’re not particularly concerned about how you got it as long as you get there,” Hasbrouck said.
As a result, the Army is trying to teach its cyberwarriors to be more freeform thinkers.
“Step 1, do this; if that doesn’t work, step 2, do this other thing. That very transactional, follow the [training manual] to do whatever you’ve got to do — that doesn’t apply to cyber whatsoever,” Aspey said.
In a cyber operation, teams are usually given a task to achieve a certain effect, but how they accomplish it is up to them.
“It requires a forward-thinking problem solver,” Apsey said. “Part of our charge at the school is to break that old model because we know it doesn’t work.”
As a result, the cyber school is trying to break out of the model of teaching students PowerPoint presentations with quizzes at the end that are merely regurgitating the material from the slides.
As an example, they point to the school’s basic officers’ leaders networking course. This class would have been unheard of a few years ago, leaders explained, because it requires assigning principles to students to research on their own, not spoon-fed material in class.
With ever-improving cyber defense and fewer obvious backdoors in network protocols, cyber forces will need to combine critical thinking with a knowledge of how operating systems work in order to complete their objectives.
The need for specialization?
Currently, cyber forces are trained to a joint standard learning, both the offensive and defensive tenets of cyber. This means they can perform both tasks once assigned to the operational force. There is a debate within the school, however, concerning how specialized forces should be in the future.
“Twenty years ago, all you needed was somebody who was a computer expert. Ten years ago, all you needed was somebody who was a computer security expect. Five years ago, you did have to specialize in a various domain of security, but then you could still keep it to a few broad divisions,” Hasbrouck said.
“Today, you have to really dig down deep to get to the various specializations.”
Within this push, cyber officials said there may now need to be a greater delineation between offensive and defensive operators.
“We’re already seeing that now when it comes to the split between offensive cyber and defensive cyber, where we rotate people from offensive cyber to defense and defense to offense. There’s a very long learning curve to get them spun up to where they need to be,” Hasbrouck said.
Moreover, Apsey noted that it’s not that cyberwarriors can’t do both, but the switch is not an easy transition.
Some officials have described cyber forces in the future who would be like hockey players, who simultaneously play both offense and defense. This differs from the current arrangement, which is more like football players, who only play one side of the ball.
“I wish we did more of the mix, because I find that people are often passionate about a specific technology area and — regardless of whether they’re applied on the offensive or the defense — they’re going to be pretty good at that because that’s what they’re passionate about and that’s what they research on their own time or practice at home,” a former cyberwarrior told Fifth Domain.
“While there are specific technology areas that may be more useful on the defensive side or the offensive side, the technology areas traverse both.”
The former cyberwarrior added that this specialization could allow for greater talent management, as well. Commanders could create technology or regionally aligned teams knowing that certain team members are stronger at certain tasks and passionate them. Regardless of whether they’ve done “offense” or “defense,” they’ll be useful if they understand the technology.
Using technology to teach
One tool the Army is using to keep the curriculum current to the operational world is a virtual module students and personnel can access all over the world called Virtual Training Area, or VTA.
The tool is a conglomeration of open-source technologies that Army users can access around the world on the open internet, not the closed DoD network, to access course prep materials, courses themselves or even to log curriculum changes.
“The schoolhouse actually has a webservice application that’s up where any [cyber] soldier in the force can make a recommendation on a curriculum change based off of what they’re seeing in the field. Think about how powerful that is,” said Maj. Gen. John Morrison, the cyber school’s most recent commandant and now the chief of staff at U.S. Cyber Command.
“We’ve been given really broad latitude to change curriculum based off operational need,” he continued.
“The commandant has the authority to — if a requirement comes in from the field or if we’re teaching something that isn’t quite what the latest tactic, technique or procedure is — change it almost on the spot.”
The VTA has the added benefit of tracking both courseware and students over time.
“It gives us really good visibility [to see] various changes across the school,” Aspey said.
“Ten years from now — when we have all this data about how people did and what worked and what didn’t work — we can make better decisions about how to create courseware in the future.”
To help bolster students’ critical thinking skills, the Army cyber school is also turning to a series of game-like exercises that provide a more interactive way for cyberwarriors to learn.
Fifth Domain witnessed competitive quizzes, as well as capture-the-flag-type games. This approach creates a more dynamic environment for the students, but it also allows the school to identify which students are skilled at specific topics.
That information can be stored in a database and serve as a talent management tool. Ideally, this data will be used to choose specific operators for a mission based on their strengths.
In one course, students logged into a commercial client to access a quiz that was formatted like TV game show “Who Wants to be a Millionaire” with four multiple-choice questions. The students had 30 seconds to answer each question and, when the question was presented, students could watch on the main television screen at the front of the class how many people chose each multiple-choice option. A leaderboard ranked each student based on correct answers.
In another course, enlisted students participated in an exercise that can take about three days to complete.
One student Fifth Domain observed completing this activity had to find a description of a certain code within a series of script. Initially, the student couldn’t identify the description in the script and went to Google to search for help.
If one command didn’t garner any descriptions, then the student needed to run another. This tested the students on what computer commands are available and what would be useful.
During the same class later in the day, students in small groups gave presentations to the entire class teaching their assigned topics.
It was far different than how students learned a decade ago and, leaders hope, a path to cyber success to come.