Practice makes perfect. For America's cyber teams, the last stage of their validation and certification to achieving full operational capability occurs at the annual Cyber Guard and Cyber Flag training exercises.
While Cyber Guard games whole-of-nation defense in a simulated disaster, Cyber Flag is "a joint and combined military exercise focused on training and validating the Cyber Mission Force's capabilities and readiness to execute all phases of conflict across defensive and offensive capabilities of USCYBERCOM's assigned mission area responsibilities in support of Combatant Commands," according to U.S. Cyber Command.
Coast Guard Rear Adm. David Dermanelian, director of exercises and training with CYBERCOM J7, detailed for C4ISRNET the four primary training objectives at Cyber Flag this year during an exclusive walk-through of the exercise:
- Identify how the military can include cyber effects in an operation.
- Determine if teams can identify characteristics of the terrain — either in an offensive or defensive environment, depending on the team's mission set.
- Find out how teams react when critical infrastructure is compromised.
- Identify how the military can share information with partners and allies.
This year, 12 teams from the cyber mission force participated in order to reach full operational capability, but there were 19 teams at the event. This runs the gamut of Cyber Command's capabilities, from defensive cyber-protection teams to analytical- and intelligence-focused support teams to offensive-minded national-mission and combat-mission teams, the latter of which are allocated to combatant commands to get after commanders' objectives.
The exercise, now in its seventh year, is "not a game environment where there is a winner and a loser," Dermanelian said. "It’s really about adjusting the training value to get the maximum out of training for each of the teams."
With that in mind, officials told C4ISRNET that there are 19 mini exercises or operations taking place for each of the teams. The ultimate goal for the teams is ensuring they have been given all the opportunities to demonstrate their proficiency as required — an exam of sorts.
Rather than playing part of a major war game or campaign plan, the exercise is very tactical. Dermanelian equated some of the events to wrestling practice where a coach places wrestlers on their back, has opponents prepare to pin them and has them fight it out when the coach says: "Begin."
The cyber equivalent is when the real, live opposing force takes control of critical infrastructure, and cyber protection teams must react. "How do I fight out of this really bad situation?" Dermanelian said.
There is a global scene-setter who carefully choreographs scenarios. U.S. Pacific Command personnel might participate in a scenario in the South China Sea, or U.S. European Command in the Baltics, Dermanelian explained. But mostly these scenarios provide context to operators at the micro-tactical level.
"If you were to distill a storyline down to a task order [that] was given [for] a team to deploy ... to do this mission — that’s what we’re doing," said Col. Michael Frymire, Cyber Guard and Cyber Flag exercise director for CYBERCOM.
Or, for example, a base commander has a command-and-control system that needs to work 100 percent of the time, and maybe the commander had some reports that there had been some bad guys in the area, so cyber forces will work to maintain the integrity of that system.
One of the things that sets this exercise apart from others is a real, live, thinking opposing force, or OPFOR, rather than automated injects. Moreover, exercise planners and assessors evaluate how teams are doing toward their validation. The planners are the brain of the exercise and can dial up or down the intensity of the injects depending on how teams are performing.
Teams are tested to the point of failure, which is where learning occurs; this makes the fight unfair for friendly, or blue, forces by design, but officials noted they don't want negative training to occur. Teams are pushed as hard as they can be so that when they are on a mission, they have the experience. This is done through intense training. "We compress what these guys might do over a month into six days," an exercise leader said.
The OPFOR, for its part, is made up of 100 aggressors from 38 different professional organizations across the military, U.S. government, coalition partners and commercial industry, the OPFOR mission commander told C4ISRNET on condition of anonymity. OPFOR team members are also hand-picked to ensure they have the skills necessary to provide the right level of training.
They emulate tactics, techniques and procedures from an amalgam of actors ranging from nation-states to hacktivists to provide as realistic an environment as possible. There are "bad guys" playing the same terrain as blue forces.
Another real-world factor added this year, based on the previous year's feedback, was the addition of a cybersecurity service provider, or CSSP. These are the mission owners — the local system administrators that defend their networks. Cyber protection teams, as quick-reaction forces that respond to incidents, must work with these CSSPs in the event of an incident.
Teams that are tasked to defend a base's network will have to work with the mission owner as they would if they were deployed to that location to defend that base. There is also a local network defender cell that does the wrench turning on the network, with which they must work as well.
"If I get tasked to go support a mission owner, no matter who it is, they’re not going to give me the keys to the kingdom," an exercise participant told C4ISRNET. "I’m going to have to go through the local defender, their network owner to get my recommended changes."
"Really, I don’t want the keys to the kingdom. I wouldn’t want to become their system administrator," a blue team lead said. "Eventually, I’ve got to leave" their network.
For the cyber protection teams, this is a new environment they are entering, another blue team lead said. They look to the local administrators to learn what normal on that network looks like and what might be anomalous behavior.
The CSSPs, moreover, don’t have to act on the recommendations of cyber protection teams.
Offensive teams such as national mission teams and combat mission teams are also being assessed at Cyber Flag, but their mission set is different and highly tailored. Officials declined to offer significant details.