Defensive cyber intelligence is beginning to mature and take shape within Cyber Command and their subordinate defensive units and maneuver forces.

“On the defensive side, [intelligence] was a little bit harder stretch,” Rear Adm. Kathleen Creighton, deputy commander of Joint Force Headquarters-DoD Information Networks, Cyber Command’s operational defensive arm charged with defending the global network, said. “[Defense has] been a little bit slower to mature.”

There’s been an understanding across the board within the last two years that offense and defense have to work together, said Creighton, speaking at an event hosted by Defense Systems Nov. 14

There’s now much more teaming across the mission sets, with the best defenders being those who have worked in offensive and the best offensive folks are those who understand the defense. All members of Cyber Command’s cyber mission force ― the 6,200 person, 133 team cyber maneuver force that conducts offense, defense and intelligence/support ― are trained to the same joint standards.

This helps each team member better understand all aspects of the cyber mission.

When the cyber mission force was first stood up, Creighton said, the offense was better postured for intelligence in terms of identifying who the threat actors are. However, defensive teams require requisite intelligence to better inform their defensive missions, to understand what actors they might be facing and what their patterns inside the network might be.

Among several intelligence fusion cells stood up within JFHQ-DoDIN, one that was recently established sought to create better coordination for prioritizing defensive resources.

The reason for this particular fusion cell was in response to a gap between the integration of operations and intelligence inside JFHQ-DoDIN.

Creighton noted in her previous role as the senior officer for cyber defense/command and control and the director of the joint cyber center at Pacific Command, they saw the need for defensive cyberspace intelligence: intelligence support to defensive cyberspace operations.

Cyber protection teams within Central Command’s area of responsibility developed a cyber threat prioritization model in response to forces becoming bogged down in preparatory intelligence for defensive operations, resulting in teams only conducting two missions a year.

“The model came to be mainly because our cyber protection teams ... the ones that are assigned for Central Command [from Cyber Command] … were asked to speed up their [intelligence preparation of the environment] development process because the analysts were taking so long developing IPE because the threat space is really big,” Marlene Kovacic, a cyberspace branch senior intelligence analyst at CENTCOM and defensive cyber operations team lead, said at the DoDIIS Worldwide Conference in August. “The CPTs were limited to one, maybe two missions a year, which is not really using the CPTs efficiently.”

Intelligence support to cyber defense is difficult, she added.

Others have also explained the critical need for intelligence to CPTs.

“Intelligence support to cyber … this is a huge gap, we are making progress, but ultimately what we want to have happen here is [cyber protection team operation] ... driven by intelligence,” Navy Lt. John Allen, the lead cyber defense force planner with U.S. Cyber Command, said during a June conference. “We’re going to get the most return on investment from our teams if we’re posturing them where we think the adversary will be at based on intelligence and information, instead of being so reactive.”

In an ideal construct, Allen said it would be mandated that cyber support teams and national support teams provide intelligence to all of the teams.

Creighton added that they’ve had to do some partnering in network defense to harness the right folks working with Cyber Command, NSA, the service cyber components, the combatant commands and the intelligence capabilities that are within the cyber protection teams.

“There’s an acknowledgement that offense and defense have to work together not just on the ops side but on the intel side,” she told Fifth Domain following her speech. “There’s a group of intel folks just focused on the threat actors and what they’re doing but then the same thing from a defensive point of view. As we learn their capabilities, then the defenders have to understand what those are so they can best defend.”