U.S. Cyber Command is in the throes of entering its next era.
Evolving in fits and starts from its stand up in 2009, the young command has seen the creation of its cyber warrior cadre — the cyber mission force — been fully elevated as a unified combatant command and achieved the full manning and training of its cyber force. Now it is working to equip and maintain the readiness of its organization.
Top Department of Defense officials provided senators details on the developments of DoD cyber during a Sept. 26 joint Armed Services Committee subcommittee hearing.
“We’ve shifted a little bit from building capacity, how we think about personnel and training to the capabilities,” Lt. Gen. Vincent Stewart, Cyber Command’s deputy commander, told senators.
This comes on the heels of the release of the Department of Defense’s cyber strategy, which outlines an aggressive approach to combat adversaries and requirements needed to do so, such as agile capabilities.
In his written statement to the committee, Stewart noted that previous metrics used in the command’s earlier days, such as the number of people on teams and their training, will not be sufficient to provide a holistic readiness picture.
“The sustained readiness approach we are developing merges capability metrics with capacity metrics to provide a more complete readiness picture,” he wrote.
Readiness of teams will depend on more than just personnel number, but their ability to plan, develop access, report and maneuver in cyberspace, hold targets at risk and deliver capabilities based on assigned missions, Lt. Gen. Stephen Fogarty, commander of Army Cyber Command, explained to the committee in written testimony.
Officials and experts were always careful to note that the full operational capability of the cyber mission force, achieved in May, was not an end state, but rather just a staffing measure and much work was still to be done.
Stewart also provided more details regarding shake-ups to the cyber teams — an eventuality long been discussed following the full operational capability designation.
When the Cyber Mission Force (CMF) was first conceptualized in 2013, they started with a number and structure that was the best guess of how the force would operate in this space, Stewart said. Some have also noted that the structure was based on successful National Security Agency cyber operations.
However, given the dynamic nature of cyberspace, based on lessons learned, there might need to be a shake-up.
Stewart said they might not need as many interactive on-net operators, or IONs, on the teams. Interactive On-Net Operators (IONs) are part of the offensive cyber workforce conducting network reconnaissance and vulnerability analyses to develop plans and strategies using cyber tools.
Such a change to the team structure would change training requirements and all the workforce to be more creative, Stewart said.
Officials have previously indicated they’ve learned through operations that defensive teams don’t all have to deploy to a problem; rather, they can conduct split-based operations allowing for greater efficiencies.
Fogarty, who most recently served as chief of staff at Cyber Command, told Fifth Domain during an August interview that the command would tailor and task organize during the CMF build process in order to meet missions.
“We’re always going to have the ability to task organize or tailor, but we think we’re at a point now we know enough that it’s time for the next evolution of this. That’s what we’re trying to figure out, exactly what that looks like,” he said.
There’s still a lot of work left to overcome
Despite recent gains and milestones, the command still has a lot of work to do in getting its force structure right, as well as obtaining the right equipment and getting to a point in which it can operate fully independent of its parent organization, the NSA.
“Shortfalls are not limited to traditional readiness measures of equipment and training. Indeed, a great deal of the department’s cyber readiness issues revolve around the shortage of skilled, cyber-capable personnel,” Sen. Mike Rounds, R-S.D., the Cybersecurity Subcommittee chairman said.
Rounds noted that the committee continues to be concerned about a hollow cyber force that is adequately staffed and equipped. In particular, he mentioned that Cyber Command needs an indigenous capability, without over-reliance on the NSA.
Rounds noted that the Army, in particular, faces significant gaps needing around 15 offensive operators. The Army has typically sent these operators to the NSA’s remote operator training course, called Remote Interactive Operator Training, or RIOT, with about half failing. RIOT trains personnel requisite skills, albeit on NSA, not DoD infrastructure.
Fogarty said that through lessons learned not all IONs have to be RIOT qualified, opting to send them to the military (Title 10) operators course that allows them to operate on the Army’s Title 10 infrastructure.
Developing a standardized Title 10 infrastructure that all the services can link to separate from the NSA’s intelligence infrastructure is a key hurdle to be able to operate independently and separate from the agency.
In fact, the Washington Post reported that in a recent assessment submitted by Gen. Paul Nakasone — Cyber Command’s chief, who also leads the NSA — Cyber Command still needs intelligence support from the NSA and thus should not separate at this time.
Fogarty noted that after observing IONs operating on the Title 10 infrastructure, they can identify the best folks to go on to RIOT.
Moreover, this approach allows the Army to help fully get off the NSA platform and be more independent.