U.S. Cyber Command trained its new operating concept persistent engagement for the first time in a recent Department of Defense exercise.

Cyber Flag 2019, which took place during June and is Cyber Command’s premier tactical exercise was the first opportunity to train "according to the new organizational construct and evaluate or assess their performance against a new mission essential tasks that come with persistent engagement,” Coast Guard Rear Adm. John Mauger, director of exercises and training at Cyber Command, told reporters during a telephone interview July 17.

Cyber Command’s new operating concept, persistent engagement, aims to meet adversaries below the threshold of armed conflict daily as a way to combat their behavior. Defend forward, a subset of the concept, posits that is best to fight adversaries in networks as far from the United States as possible.

The new concept has led to changes within the force and new tasks.

“It really drove a change in how we organize and how we train and exercise the force,” he said. “We had to reorganize the force and we established new tasks and new skills and capabilities that we needed to have. We’ve been driving that into the force over the past year. Cyber Flag 19 was the first opportunity for us to through this exercise series to evaluate the teams according to those new organizational constructs and according to those new mission essential tasks.”

The force has been discussing the need to reevaluate and change the structure of some of its teams based upon operational lessons. However, some officials had noted as recently as May that no substantial changes have been made to team structure.

Without going into much detail, Mauger said that on the defensive side, leaders are now refining the roles of cyber protection teams. He explained that under the old model, cyber protection teams were organized under five squads that performed tasks in mission protection, cyber threat emulation, counter-infiltration, cyber support and cyber readiness.

Some of these roles, such as mission protection, are better served by local IT personnel. Now, Mauger said leaders want cyber protection teams to hunt high-end adversaries who can skillfully maneuver through a network.

Cyber protection teams are now organized under three squads.

Partnerships

One of the other tenets of persistent engagement, and a top priority of Cyber Command head Gen. Paul Nakasone, is partnerships. This includes domestic partnerships between the interagency, state and local government and the private sector as well as international partnerships.

While foreign partners have long participated in Cyber Flag, 2019 marked the first year in which there were integrated teams consisting of foreign militaries and members of the U.S. cyber mission force.

Mauger provided one example of a team from the U.S. Marines and the United Kingdom.

“They fought through the same virtual network environment that the other teams were working in but because they were integrated [and] because they were having to work together, it forced them to get to the next level of details and some really important observations and learning on how to command and control, how to share intelligence, how best to plan these operations,” he said. “There were a number of opportunities for them to learn best practices from one another and drive those into a joint combined team.”

Protecting ‘operational’ systems

A relatively new focus for Cyber Flag has been the introduction of operational technology networks, or industrial control system (ICS)/supervisory control and data acquisition (SCADA) networks.

Mauger said Cyber Command introduced these types of networks last year. The 2018 event also marked the first year since at least 2013 that Cyber Command did not release any information on Cyber Flag.

Traditionally, DoD’s cyber forces have focused on IP-based networks, but now cyber leaders across the Defense Department have emphasized operational technology networks.

“It’s really critical that our forces not only know how to operate and hunt on regular IT networks or information technology networks or business networks, but they also know how to hunt and detect and maneuver against adversary activity in operational networks,” Mauger said.

If called upon by the Department of Homeland Security to help defend or respond to an incident on critical infrastructure – typically operational systems – Defense Department personnel will have to know how these networks work. This is often quite different than standard business networks.

Mauger said over the past year, Cyber Command worked closely with national labs to develop a robust virtual ICS/SCADA model and focus on teams’ ability to hunt for adversary activity on those networks.