During a congressional hearing in March, one House member well-versed in cyberwarfare issued an unusual — and understated — criticism of U.S. Cyber Command and the Pentagon’s broader cyber organization.

“Standards and capabilities have yet to be defined and understood across each of the services,” Rep. Elise Stefanik, R-N.Y., said in an opening statement. “Relationships and responsibilities are still being worked out between Cyber Command, regional combatant commanders, and each of the services.”

Despite being established almost 10 years ago, Cyber Command and formal Department of Defense cyber operations are still relatively new. The command’s cadre of cyberwarriors — the 133 teams that perform cyber missions — reached what the military calls full operational capability in May 2018 and the services are continuing to build out headquarters organizations used to plan, conduct and synchronize cyber operations and teams.

Hill staffers for at least the past year have been concerned with how the command and its mission forces are maturing, including how forces are used. Their questions highlight how little the broader cyber community understands how the military deploys cyber teams.

The comments in March have, to date, been some of the most public manifestation of members’ concerns, which continue today and can be boiled down to a simply question: who does what?

In last year’s annual defense policy bill, the House Armed Services Committee tasked the nonpartisan Government Accountability Office to deliver a report on the DoD’s cyber operations. The report is expected to include discussion of the roles and responsibilities of cyber organizations to command-and-control relationships, Joseph Kirschbaum, director of defense capabilities and management at GAO, told Fifth Domain.

“We continue to be concerned about the clarity and feasibility of command-and-control arrangements between [Cyber Command] and the other combatant commands,” he said. “It’s fair to say there [are] still some question about how clear the command-and-control relationships are between CYBERCOM and the combatant commands.”

Stefanik’s office, as well as the House Armed Services Committee minority staff, did not respond to multiple requests for comment.

One House aide, however, noted that members are more concerned with oversight of the Cyber National Mission Force, which defends the nation against malicious cyber actors daily, as opposed to the cyber forces in the regional combatant commands, because outside of the Middle East there aren’t many ongoing cyber or physical operations abroad. As part of defending the nation, the Cyber National Mission Force conducts “defensive” operations that take place off the DoD’s networks. Officials have said these are the same actions taken by offensive cyber teams. For example, they target enemy malware that might be used against the United States.

How the Department of Defense got here

Following the creation of Cyber Command and cyber forces, Pentagon leaders realized they needed relationships between cyber entities.

New documents made available through the Freedom of Information Act shed light on how Cyber Command’s leaders initially wanted to build organizations that would handle offensive cyber operations and help combatant commands.

Individual services do not have their own offensive teams. Instead, these teams work through several organizations, each formally known as Joint Force Headquarters-Cyber, which in turn provide planning, targeting, intelligence and cyber capabilities to the combatant commands to which they’re assigned. The heads of the four service cyber components also lead their respective JFHQ-C. These organizations oversee combat mission teams and combat support teams.

Here’s the difference between the two: combat mission teams perform cyberattack, cyber intelligence, surveillance and reconnaissance and cyber operational preparation of the battlefield. Combat support teams conduct intelligence, mission planning and other necessary support work for combat mission teams. Both teams fall under combatant commands and not the national mission teams, which are focused on thwarting malicious cyber activity against the homeland.

The documents describe that Pentagon leaders envisioned a limited capability at first.

A March 2013 order explained that these organizations should be ready for war no later than Sept. 30, 2013. A subsequent presentation from October 2013 outlined the mission essential tasks the headquarters elements should perform. These include:

  • Exercising command and control of all cyber mission forces supporting combatant commands.
  • Planning and directing cyber intelligence, surveillance and reconnaissance, operational preparation of the environment, cyberattack.
  • Coordinating, synchronizing and de-conflicting cyber operations of cyber mission forces with other cyber teams operating in the same networks.

Ensuing orders from Cyber Command continued to change the criteria and the deadlines for what’s known as full operational capability. To reach this designation, the organizations needed to demonstrate proficiency in mission essential tasks and participate in an exercise.

Where are the services today?

What’s become increasingly clear through reporting and in testimony is that each of the services is following a different approach to create these command-and-control entities.

The Army decided to create a separate component and devoted specific assignments and personnel to its organization. The Army’s JFHQ-C is currently fully staffed and fully operationally capable, according to a spokesman.

Some of the other services decided to dual hat staffers, meaning workers hold the same job for their respective service cyber components and corresponding JFHQ-Cs.

Marine Corps Forces Cyberspace Command has since created a standalone organization with a one-star general leading it, similar to the Army’s approach. This was done mainly because the command is now responsible for the global anti-ISIS and counterterror mission in cyber, a spokeswoman said. It will take a few years, however, to get all the uniformed personnel for the JFHQ-C in place.

The Navy is working to fully staff up and build out its JFHQ-C, according to a spokesman.

On the Air Force side, while declining to offer specifics, a spokeswoman said JFHQ-C Air Force’s focus remains on readiness.

While the Army is the only one to publicly acknowledge it has reached the formal designation for staffing, what happens when these organizations don’t have the personnel they need?

A former official told Fifth Domain that not having enough people adds an extra layer of risk, and that those teams may struggle to effectively plan and conduct operations.

Making strides toward greater command and control

Cyber Command has taken steps in recent years to help improve the coordination between teams and better integrate them into the battle plans of combatant commanders.

In 2017, leaders required that each of the services create local cyber planning cells that would work with the various combatant command staffs.

These cells, known as cyber operations-integrated planning elements, will be small teams designed to improve coordination. However, the services must still devote the personnel to staff them. These teams are slated for full operational capability in 2022.

Cyber Command’s leader has testified to Congress twice this year that cyber is becoming more ingrained with the combatant commands and cited the planning cells as an example.

“We are very, very appreciative of the work that has been done and approved by this committee to build cyberspace operational-integrated planning elements at each of our combatant commands,” Gen. Paul Nakasone, Cyber Command commander and director of the National Security Agency, told the Senate Armed Services Committee in February.

Similarly, Nakasone told the House Armed Services Committee in March that operations in the Middle East, as well as work with European Command involving operations to deter Russia during the 2018 midterm election, benefited from the inclusion of these planning cells.

To that end, Cyber Command recently conducted a global exercise that sought to test the relationships of cyber forces across geographic boundaries. These planning cells were part of the exercise, which was called Cyber Lightning.

“It definitely helps to relay situational awareness information to the combatant command staff and, reversely, the combatant command staff information to the Joint Force Headquarters so that the Joint Force Headquarters understands the combatant command’s goals and objectives and scheme of maneuver,” Col. William Hill, director of plans for Air Forces Cyber, told Fifth Domain.

Top officials at Cyber Command applauded that effort.

“It’s not a question. We can operate really closely with multiple combatant commands simultaneously in a space … that really spans beyond geographic boundaries,” Maj. Gen. Timothy Haugh, commander of the Cyber National Mission Force, told reporters May 7.

Cyber Command has three primary organizations at its headquarters that are responsible for cyber operations: Joint Force Headquarters-Cyber, which support geographic and functional combatant commands; the Cyber National Mission Force; and Joint Force Headquarters-DoD Information Networks, responsible for global defense of DoD networks.

The command must keep track of these operations to ensure these forces aren’t bumping into each other in cyberspace. For example, a team supporting European Command against a threat from Russia and a team from the cyber national mission force could simultaneously work against a foreign team that’s preparing to attack U.S. critical infrastructure.

Today, this coordination is mainly taking place at Cyber Command’s Integrated Cyber Center/Joint Operations Center (ICC/JOC).

“Our job is now to provide the global view and to make global command and control decisions or to provide the data so that Gen. Nakasone can make those global decisions,” Maj. Gen. Charles Moore, director of operations at Cyber Command, told reporters at the ICC/JOC in May. “We have to be able to look globally at the picture that we’re seeing, we have to be able to see what the enemy is doing, we have to know where our forces are positioned and then obviously we want to be able to put our forces in the best position so that we can drive enemy activity as opposed to being in reactive mode.”

One cell is tasked with specifically deconflicting Cyber Command’s global offensive cyber operations missions, Col. Joy Kaczor, director of current operations at Cyber Command, told reporters.

This next bit of clarity on relationships and command and control will likely come with GAO’s report on DoD’s operating procedures.

Kirschbaum explained that the report, commissioned by Congress, will likely not be released to the public and could be finished in the summer-fall period of this year.