WASHINGTON — U.S. Cyber Command’s vision for developing its core cyber platforms and capabilities lacks clear goals and guidance, according to an audit by the Government Accountability Office.
The audit was directed by Congress — which has also expressed concern — and released Nov. 19. The government watchdog examined Cyber Command’s Joint Cyber Warfighting Architecture, which was created by the command to guide its capabilities.
JCWA was broken up into five elements: common firing platforms for a comprehensive suite of cyber tools; Unified Platform that will integrate and analyze data from offensive and defensive operations with partners; joint command-and-control mechanisms for situational awareness and battle management; sensors that support defense of the network and drive operational decisions; and the Persistent Cyber Training Environment, which will provide individual and collective training as well as mission rehearsal.
Cyber Command was granted limited acquisition authority but still relies on the armed services to act as executive agents for major programs, meaning many major acquisition efforts for systems within the JCWA spread across services to provide for the joint cyber mission force.
Cyber Command has been heavily reliant on the tools, personnel and infrastructure of the National Security Agency, and the two organizations are co-located. But the command is building out its own standalone military cyber systems separate from the intelligence platforms used by the NSA for intelligence-gathering purposes, which is distinct from military goals.
The GAO noted that the Department of Defense created this architecture to harmonize cyber capabilities, though command officials explained to GAO auditors that JCWA is merely a loose architecture to provide an idea to bring acquisitions together and steer requirements and investment decisions.
GAO’s audit relied on interviews with officials and unclassified materials, and it took place from October 2019 to November 2020.
Key among its findings was the fact that Cyber Command has not defined goals for the JCWA that would describe how current and future systems would interoperate.
“The absence of goals is contrary to leading practices we identified in our prior work, which call for program goals to clearly define desired program outcomes,” GAO said. “Clearly defined goals explain the purposes of a program and the results an organization intends to achieve. Goals also provide the basis for developing performance measures that help organizations demonstrate progress. By defining JCWA goals, DOD can describe overall system objectives, relationships, and dependencies of its JCWA programs and then develop performance measures to track progress of the JCWA systems as whole.”
The absence of interoperability goals, the audit concluded, could lead to a lack of consistent practices and standards, such as data-tagging standards, across several programs.
Interoperability for the cyber programs across the Command’s joint cyber teams is critical. As C4ISRNET previously reported, Unified Platform is considered the centerpiece of the JCWA in which data is ingested and disseminated. That data is used to make decisions for planning and operations and feeds into other mission platforms and sensors.
One of the dangers involved in not having goals or common data standards across the disparate programs, GAO said, is Unified Platform might be unable to fully operate using other systems’ data, leading to cyber forces potentially lacking anticipated capabilities to conduct operations. Unified Platform relies on many systems, such as the various Big Data Platforms that collect information in different formats.
GAO noted that program officials said they discuss standards informally in a “coalition of the willing.” While program officials from various programs to include Unified Platform, Joint Cyber Command and Control, and the Persistent Cyber Training Environment share feedback and user data on a regular basis, these efforts between them is “largely ad hoc and does not systematically address broader data sharing or interoperability questions,” the watchdog found.
Command officials told GAO that goal development was delayed by operational challenges and strategic changes. Since its inception, Cyber Command has been building its force and capabilities while simultaneously employing them in a highly dynamic environment. That dynamic environment requires forces and programs to be flexible, unlike traditional war-fighting domains or systems such as planes or tanks that are used decades after they are designed and built.
GAO also found that Cyber Command had not defined roles and responsibilities to manage the JCWA. C4ISRNET previously reported the Command created a JCWA integration office, which GAO said was established to address challenges associated with defining and implementing the concepts within the architecture. The office will help develop guidance to integrate programs in a more holistic and interoperable construct, officials told GAO.
Additionally, officials said a new JCWA capabilities management office will work with the integration office to identify and align requirements across systems based on needs.
Cyber Command officials also told GAO in November that they are making progress toward defining roles and responsibilities.
The DoD and Cyber Command have held details about its programs close to their vest. GAO outlined four specific programs associated with JCWA that Cyber Command and the services as executive agents are procuring for cyberwarriors.
The first is Unified Platform, which is the data management and integration centerpiece. The Air Force is serving as the executive agent for the program.
Joint Cyber Command and Control is considered the decision-making platform. The Air Force is also the executive agent for this program. It aims to provide joint commanders enhanced situational awareness and battle management for cyber forces and missions. The GAO noted the program has not yet formally entered into the acquisition life cycle yet. Program officials told GAO that the effort has sustained and delivered multiple systems, but that the majority of the system development efforts will begin in fiscal 2021. It has relied on other programs such as Project IKE, a prototype under development by the Air Force and the Strategic Capabilities Office that will allow forces to plan and visualize that cyber environment.
The Persistent Cyber Training Environment provides critical space for forces to train as perform mission rehearsals. The Army is running the program for the DoD. The Army delivered a second iteration of the platform to Cyber Command in October. The DoD has said it started to integrate with Unified Platform and elements of Joint Cyber Command and Control.
The Joint Common Access Platform provides “mission enablement,” according to GAO. The Army is also the lead for this program. The platform will allow cyber operators to connect to their target and to deliver the effect beyond friendly firewalls.
GAO also provided brief details on the cyber tools and sensors used in operations and for situational awareness. The watchdog reported that the services and Cyber Command are responsible for procuring these to meet mission needs.
Recommendations and reactions
GAO had two recommendations for the DoD and Cyber Command:
- The defense secretary should direct the head of Cyber Command to define and document JCWA goals for interoperability to help synchronize acquisition efforts;
- And further develop the JCWA governance structure by defining and documenting roles and responsibilities of the integration and management office.
Accordingly, the Pentagon concurred with GAO’s first recommendation concerning goals, but partially concurred with the second. The department noted that Cyber Command plans to further develop the JCWA governance with stakeholders and then ensure JCWA material solution integration and architecture goals are addressed.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.