While the Department of Defense’s overall cyber force is relatively new, the offensive side draws from a legacy that reaches back decades and has roots in the intelligence community. The defensive side, however, is working to put together procedures and tactics for protecting DoD networks and weapon systems on a global scale.

But a milestone is on the horizon.

Cyber Command’s defensive operational arm – Joint Force Headquarters-DoD Information Networks, or JFHQ-DoDIN, which provides global defense, command and control and synchronization of the DoDIN – is slated to reach full operational capability this month, its deputy commander said.

“We’ve submitted our paperwork, we’re just waiting for Cyber Command’s approval,” Rear Adm. Kathleen Creighton said during a panel discussion at an AFCEA DC hosted lunch Jan. 11.

This designation is “a recognition that we’re able to perform the basic tasks that we’re laid out to perform as the Joint Force Headquarters,” she said. “We’ve been able to show through exercises and other world events that we’ve been able to perform our mission of secure, operate and defend.”

As JFHQ-DoDIN celebrates its third anniversary, Creighton said leaders there are moving from a heavy contractor footprint to a more balanced mix of government and contractor. Additionally, they’re taking all the steps new organizations take. This includes the development of a campaign plan. She explained to Fifth Domain following the panel that this is a strategic, high level five-year plan for how they perform their secure, operate and defend the DoDIN in support of CYBERCOM.

This plan follows the approval of another strategic document approved by Cyber Command last year serving as “the “first planning effort to fully address JFHQ-DODIN’s mission to secure, operate, and defend the DoDIN.” Prior to that point, officials maintained when different incidents have occurred across the DoDIN, DoD and CYBERCOM was essentially playing whack-a-mole.

Similarly, Creighton noted that leaders there are trying to mature the tactics, doctrine and employment of their defensive forces.

When cyber protection teams first started coming online – the defensive cyber mission force teams that act as quick reaction forces, of which JFHQ-DoDIN has six – often times “who ever raised their hand” received a CPT to put on some terrain because they were just starting out and just developing their capabilities, Creighton said at an event in November. “Now we recognize high demand, low density force needs to be apportioned like that, so we’re maturing that process.”

Industry officials have said developing these tactics is likely more acute on the defensive side as opposed to the offensive side.

Creighton told Fifth Domain defensive doctrine and tactics are being worked as a community from Cyber Command down.

“When you grow forces by service they’re going to be unique and that’s probably good in some ways because you get best of breed, you develop areas you’re strong in. So we’re able to take advantage of that, because we have all the flavors of CPTs,” she said, drawing reference to the fact each of the four services provide CPTs to the joint force.

“We’re able to create that dream team by being able to task organize and use best of breed,” she added. “I think any kind of force you just build that’s just reaching FOC, you’re going to continue to mature, you’re going to, the force that we have today is probably going to look a lot different in five years.”

Threat intelligence

Creighton, in her limited public appearances since becoming the deputy commander in August, has stressed the importance and gap in intelligence on the defensive cyber side.

“As we’re becoming FOC, we really recognize that the intel piece on the defense side is not where it is on the offensive side,” she said.

“What we realized is we need a lot more intelligence support, so we need more intelligence people, so we’re figuring out what kind of people we need,” Lt. Gen. Alan Lynn, who retires early next month, has said.

Intelligence support to cyber defense is difficult, Marlene Kovacic, a cyberspace branch senior intelligence analyst at Central Command and defensive cyber operations team lead, said over the summer. She discussed how CPTs in CENTCOM developed a cyberthreat prioritization intelligence driven analytical matrix to speed up the number of defensive missions CPTs performed.