From 2013 to mid-2018, U.S. Cyber Command built its cyber mission force — the 133-team, roughly 6,200-person cadre of personnel that conducts cyber operations. Following the build-out of those teams, Cyber Command asserted that the focus would shift to readiness, or maintaining the teams and ensuring they remained fully capable of performing missions.

Now the Department of Defense has taken a critical step with its cyber teams by establishing metrics that define work roles and readiness, a top official said Jan. 9.

“We now have a signed document from the secretary that defines what a cyber operating force is,” Maj. Gen. Dennis Crall, deputy principal cyber adviser and senior military adviser for cyber policy, said at an AFCEA-hosted lunch.

And these metrics are “big wins,” Crall said.

Crall said that — unlike in the air, ground and maritime space — processes for defining and understanding readiness and concrete work roles, especially for defensive cyber teams known as cyber protection teams, did not previously exist. Cyber, despite being around for over 20 years, is still a relatively new discipline within the military for which the force, capabilities, processes and authorities are still evolving.

“We have for the first time defined what a cyber protection team is. We know what the work roles are. We know exactly what those teams’ mission are … [and] how to evaluate them,” he said.

Doctrine for defensive cyber has been constantly evolving since DoD formalized cyber operations, though officials note the department has continued to struggle with what defensive cyber should look like. Defensive cyber lags behind offensive in many cases mainly because the defensive framework had to be created from scratch, whereas cyber offense had a template from years of National Security Agency operations.

Additionally, through lessons learned in operations, cyber protection teams operate differently now than they did years ago. Cyber Command is still working to figure out the standards the services must teach to. As a result, schoolhouses teach the old model because that is the official doctrine, and students learn one way to conduct operations before learning a different method once they get to their unit.

Crall told Fifth Domain following his remarks that the signed document begins to address how these teams should look.

“Exactly what these individuals do, how we report readiness, at what level and what those readiness metrics look like by team build,” he said. “There’s a level of execution and then reconstitution where teams will go after a certain level of execution, they’ll go back to a building phase … Looking at standardized ways and what’s the basic element of a team. What does that look like and what readiness levels would you expect.”

Reconstitution is the action of getting teams back to full readiness levels following deployments and operations.

Officials have explained in the past that cyber protection teams, which are 39-person teams, don’t all have to deploy at once. This not only makes them more efficient in splitting up resources, but also allows parts of the team to reconstitute and conduct training while the other portion is engaged in operations, thus creating a more ready force. This is similar to how other military forces operate, such as fighter squadrons.

Crall added that now that the team definitions for cyber protection teams are done, the next piece is capacity.

“We know that we can provide a repeatable deployment of these individuals and their associated equipment set, how many of them do you need,” Crall said.

Crall also said that while the tools and equipment used by cyber protection teams were agreed upon, there is still some flexibility for the teams to use certain equipment based on certain conditions.

Congress in its most recent annual defense policy bill directed the Pentagon to brief members on the abilities of the force to conduct cyber operations based on capability, capacity of personnel, equipment, training and equipment condition.

Next in line for similar definition are the offensive and support teams within the cyber mission force.

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.
