U.S. Cyber Command is still a relatively young organization. It was stood up in 2009, and while the organization reached full operational capability in 2010, its workforce isn't slated to hit this mark until September 2018.
As such, the command is learning lessons from training exercises and operations pertaining to its structure, the structure of its teams, how to deploy teams and how to conduct operations.
During an exclusive walk-through of CYBERCOM's annual Cyber Flag exercise, the simulation's leaders told C4ISRNET that they identified specific, applicable lessons at last year's Cyber Flag pertaining to the way defensive teams are deployed to problem sets.
[An exclusive peek inside Cyber Command's premiere annual exercise]
Top leaders from CYBERCOM have recently indicated they've discovered it's not always necessary to deploy the entirety of a cyber protection team, or CPT.
"One of the things we found with practical experience is we can actually deploy in smaller sub elements, use reach-back capability, the power of data analytics; we don't necessarily have to deploy everyone," Adm. Michael Rogers, the commander of CYBERCOM, told the House Armed Services Committee in May. "We can actually work in a much more tailored, focus[ed] way optimized for the particular network challenge that we're working. We're actually working through some things using this on the Pacific at the moment."
[What defense leaders (are now willing to) tell us about offensive cyber ops]
"You would send a smaller group forward and then do whatever analytic work or analysis you need to do back at home base, be it Fort Gordon or San Antonio or Hawaii or reach back and do some of that work there," Brig. Gen. Maria Barrett, deputy of operations J-3 at CYBERCOM, said during a keynote address in early June. "That kind of facilitates us being a little bit more agile and quick."
"From that lesson, our branch at Cyber Command has said now that we've seen that lesson at an exercise, let's bring in the mission force experts and figure out how we craft our doctrine to reflect operations," said an exercise leader, who like most leaders and participants to which C4ISRNET spoke would only comment on condition of anonymity. "There's real traction that happens from these lessons learned."
The command, however, is not necessarily looking to re-evaluate the makeup of teams. Despite the large nature of CPTs, which are typically made up of 39 personnel, even if a subset of that team can deploy to a problem, depending on the nature or difficulty, the entire team might be needed later.
"You need the full cadre of folks to be able to crate those small reaction forces, and then should they have to go on a full 24/7 mission where there are constant shift changes, you're going to need that whole body," an exercise lead told C4ISRNET.
A forward element might go out and start working on a mission and determine the whole team is needed to do the mission, the exercise lead continued. Or, the official added, the team might do a lot of reach-back, saying: " ' Here, take this, help me figure it out,' and they have that connection."
The official noted the model might not be wrong, but what's being learned though these exercises is employing it the best way possible.
Teams also bring real kits to this exercise, something they haven't done too much prior, one of the exercise leads said.
One kit currently used by CPTs — the Deployable Mission Support System, which consists of laptops, passive and active sensors, and analytic capability provided via either government or commercial off-the-shelf, or free and open software — is being re-evaluated by the command, Barrett said, because the kit's requirements document was published in January 2016 before most of the CPTs had reached full operational capability.
Every service has a different type of kit, despite CYBERCOM producing a standard requirements document that all of kits must meet standard baseline requirements, Navy Lt. John Allen, CYBERCOM J35 Department of Defense Information Network operations CPT engagement lead, said during a June conference.
What exists today are four types of kits, each usually with its own specific suite of tools that all meet the requirements, which does present some interoperability challenges, but the command is working toward rectifying those, Allen said.
[Cyber Command reevaluating defensive cyber tools]
Based upon ongoing operations and field studies, Barrett acknowledged that this needed to be revisited.
As practice makes perfect, a Cyber Flag exercise lead said one of the critical lessons brought back to leadership involved one of the hardest things they do in real-world missions: the logistics of getting people and kits from one place to another. This is something they actually have to do at Cyber Flag, too, the exercise lead explained. That ends up being a real lesson because of the paperwork and asset movement involved, which may sound mundane but has real consequences if not done correctly, C4ISRNET was told.
Additional lessons provided to leadership helped identify gaps and policy that can feed and inform higher levels as well as discern some of the decisions that can be made to push down to the teams to enable operations, another exercise lead noted.
So what's next for Cyber Flag once the cyber mission force reaches full operational capability in 2018?
There were "some heated discussions about that just the other day because we have to adjust to meet not just certification but readiness," one exercise lead said.
The model is different, the official continued, when doing certification and giving the teams tests to evaluate performance as opposed to being able to provide them readiness training so they're constantly ready and able to demonstrate performance.
While everybody today is essentially treated the same, they are looking at ways for some folks to perform certification and others to execute collaborative training. "We're trying to figure that out," the official said.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.