Cyber Command leverages acquisition model of special operations group
By Mark Pomerleau
This is Part IV of a four-part series exploring what U.S. Cyber Command will need to operate on its own, separate from the National Security Agency.
The Capabilities Development Group is overseeing U.S. Cyber Command’s limited acquisition authority recently provided by Congress.
"The Command generally lacks NSA’s authorities in acquiring the tools for such initiatives, but Congress recently authorized USCYBERCOM acquisition authority for up to $75 million each year through the end of FY2021 to rapidly deliver acquisition solutions for ‘cyber operations-peculiar’ capabilities," Adm. Michael Rogers, the head of CYBERCOM, wrote in congressional testimony in May 2017. "We look forward to reporting to the Committee soon on how we are executing this authority."
Congressional aides have noted that this acquisition model was taken from U.S. Special Operations Command, describing it as a crawl, walk, then run. SOCOM enjoys rapid acquisition authority, which CYBERCOM eventually could get to but must first prove itself.
The Capabilities Development Group's three-pronged mission includes planing and synchronizing capability development for the joint cyber force; developing capabilities in order to reduce risk or meet urgent operational needs; and maintaining CYBERCOM’s technical baseline. The group has many different subsections, such as identifying and pulling current resources or government off-the-shelf tools that are already available and in use to assist various elements or subordinate commands, such as the armed forces cyber components.
For example, the mission integration component ingests requirements from subordinate CYBERCOM elements along with the command's headquarters, and then identifies capabilities that will potentially meet those requirements or work to get a capability developed and integrated, according to Justin Ball, the technical director at the Department of Defense Information Network Operations and Defensive Planning Division under CYBERCOM.
Ball spoke to C4ISRNET at the Defensive Cyber Operations Symposium in Baltimore, Maryland, on June 15.
The acquisition authority was an important step considering the rapid and evolving nature of the cyber domain. Complicating matters, funding often comes collectively from the individual services, whose cyber components feed into the 133 cyber mission force teams at CYBERCOM.
The secretary of the Air Force position serves as the combatant command support agent, or CCSA, for U.S. Strategic Command and CYBERCOM, which is a sub-unified combatant command under Strategic Command.
The Secretary of Defense has established policy and assigned responsibilities for the administrative and logistical support of combatant command headquarters as well as subordinate unified command headquarters through this CCSA construct, according to information provided to C4ISRNET via a CYBERCOM spokesman.
The Air Force provides funding to certain CYBERCOM resources, to include the military cyber operations platform as referenced in Part II.
In many respects, CYBERCOM has been equated to SOCOM in the way its forces — considered high-demand, low-density — are allocated and how it makes purchases.
Michael Hayden, former director of the NSA and the CIA, recently told C4ISRNET in an interview that in order to develop a CYBERCOM of the future, one that is a fully unified combatant command and separate from the NSA, there must be a major force program 12 as SOCOM is MFP-11.
According to a DoD webpage, "In the context of the Future Years Defense Program (FYDP), a MFP is an aggregation of program elements that reflects a force or support mission of DoD and contains the resources necessary to achieve an objective or plan. It reflects fiscal time-phasing of mission objectives to be accomplished and the means proposed for their accomplishment."
Despite the acquisition authorities Congress granted CYBERCOM, it has yet to use them. "There are some specific technical and oversight and control things I have to make sure are in place, before we start spending the money … that will be finished in the next month or so," Rogers told the House Armed Services Committee in late May.
Rogers said the command thought SOCOM offered a good model for acquisition, even hiring two former SOCOM officials to help shepherd the command through this initial process.
Rogers has himself wrestled with the way CYBERCOM develops its offensive tools. The military typically turns to industry for conventional weaponry; but to date, almost all U.S. offensive cyber weapons have been internally developed, he said in February.
Rogers, who specifically said he spoke for himself rather than the government, questioned the sustainability of internal development and whether this route neglects access to private sector-made capabilities. "I’m still trying to work my way through that intellectually," he said.
In the cyber domain, many cyber tools must be specifically tailored to get after a specific exploit. Vice Adm. Michael Gilday, commander of U.S. Fleet Cyber Command/U.S. 10th Fleet, also noted in February that potential tools brought forth from the private sector might need to be "tinkered" because the military could be interested in customization.
This is a reality acknowledged by the Defense Science Board in a recent report on cyber deterrence. "Unlike precision-guided munitions, cyber weapons cannot be bought and deployed on a delivery system (or placed in a storage site) with confidence that they will work when needed," the report asserted. "A highly talented cadre of cyber warriors must work together closely with intelligence specialists and technologists in a highly classified environment. And because target systems and software can change, sometimes unexpectedly and at a moment chosen by the adversary, a quick reaction capability with flexible acquisition authorities will be essential."
The board recommended the establishment of a small and temporary task force, or so-called tiger team, on acquisition. This team would develop options and recommendations for improved and accelerated acquisition of scalable offensive cyber capabilities.
Following the NSA-CYBERCOM split, the latter will require its own tools and infrastructure to perform its Title 10 war-fighting duties, which are different — albeit similar — to the former's Title 50 espionage mission. The bottom line is that for the divorce to be a success, it must be done in a way where each organization's mission is not degraded.
As CYBERCOM continues to gain in capacity and capability, the split will become more inevitable and necessary. As many involved in the original stand up of this structure have articulated, the co-location was never intended to be permanent.
About Mark Pomerleau
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.