When it comes to information technology systems, the Marines have a few adages: they fight on one network, and the discussion starts from the fighting hole to the flagpole given the expeditionary nature of the force.

As such, they need capable cyber defenders who can hunt and mitigate vulnerabilities on the expeditionary network. While the service has a dedicated cyber warrior cadre in Marine Corps Forces Cyberspace Command (including three dedicated cyber defense teams for Marine-specific tasks such as providing remote cyber capabilities), these personnel are mostly focused on the joint fight through Cyber Command.

Now, the service is in the process of standing up forward-deployed defensive cyber teams outside the MARFORCYBER cyber protection team construct.

“We understand that our [Marine Air Ground Task Forces], specifically our [Marine Expeditionary Forces], our war fighting center points, did not have the ability to provide an online presence to defend the networks they take out with them,” Brig. Gen. Dennis Crall, director of C4 and CIO, said during a keynote presentation Oct. 23 at the annual MilCom conference in Baltimore, Maryland, hosted by AFCEA.

“We fight one network, but we have those presences segmented in a few places. The MEFs didn’t have the prowess to baseline themselves to hunt on those networks and provide the level of remediation necessary for us to continue the fight.”

He said these defensive cyberspace operations-internal defense measures (DCO-IDM) teams are being stood up right now, telling Fifth Domain following his speech that the eventual plan is to make these teams forward-deployed.

“So, really it’s about hunting on our network no matter where those networks are,” he told Fifth Domain.

Traditionally, military officials have described DCO-IDM as specific actions taken in response to either intelligence, a threat or an incident, as opposed to operations that are executed daily as part of running a network.

Crall also explained that they are taking some of their communicators within the 0688 and 0689 military occupational specialty (MOS) sets and building data warriors by combining them with what Cyber Command is pursuing “to bring this composite team of experts to ensure we can get after what that MEF commander’s priorities are.”

The service has sought to modernize its communication and information systems occupational field.

“This is the first occupational field that’s taken the 21st century reality and moving out by modernizing our training approach,” Lt. Col. Pete Schiefelbein, the comms officer for Marine Corps Training and Education Command, said during a presentation at the Cyber Pavilion of the Association of the U.S. Army’s annual conference regarding this new 06xx MOS.

These teams will be totally separate from MARFORCYBER, likely using different toolsets yet leveraging some of the same training. Cyber protection teams that Cyber Command has stood up through each of the service cyber component commands act as quick reaction forces responding to severe network incidents.

These new DCO-IDM teams appear to mirror the construct of Cyber Command’s defensive operational arm — Joint Force Headquarters-DoD Information Networks, which conducts global command and control and synchronization for defense of the DoDIN employing its own DCO-IDM teams in conjunction with traditional network operators.

Schiefelbein also described how the Marines are trying to determine how to employ cyber protection teams like a maneuver element.

“That DCO-IDM team is supposed to have some of the prowess inherently in it,” Crall said when asked how the service is getting at using forces in cyberspace in this manner.

“But you also have, as you ratchet up this spectrum with what [Maj.] Gen. [Lori] Reynolds [commander of MARFORCYBER] fields at MARFORCYBER, those CPTs and even eventually the [cyber mission teams] that we’re allowed based on authorities,” he added, referencing the offensive cyber teams MARFORCYBER produces and employs through Cyber Command specifically for Special Operations Command through Joint Force Headquarters-Cyber.

Another component to maneuvering in cyberspace is that hunt teams can’t just perform the same tactics, techniques and procedures because adversaries will adapt.

“You can’t just go out and hunt. We don’t have enough teams to go out and patrol on a daily basis. We have to be very smart of where we’re going on patrol and also what software we use when we go on patrol,” Gregg Kendrick, executive director of MARFORCYBER, said at an AFCEA-hosted event at the beginning of October.

“If you go on patrol every day in the same pattern with the same weapon system, the adversary figures it out really quick … Between our service CPTs, the national CPTs, the National Security Agency and any other forces that are generated, there needs to be a distributed weapon system and missions that comes along with that.”

“The MEF is going to fight with those assets and if we actually take a step down, the eyes and ears are building through our school houses now as our data marine is coming right out of our school house,” Crall added.

“If you think of it as a pyramid, we’re flooding the bottom end of that with individuals with basic training and they’re going to sharpen that training up to the top where what we consider our ninja warrior, those [offensive cyber operations] marines with those special skill sets and authorities.”