Intelligence drives operations. The same can be said for quick-reaction cyber forces when responding to an incident.

"Intelligence support to cyber … this is a huge gap, we are making progress, but ultimately what we want to have happen here is [cyber-protection team operation] ... driven by intelligence," Navy Lt. John Allen, the lead cyber defense force planner with U.S. Cyber Command, said at the Defensive Cyber Operations Symposium in Baltimore, Maryland, on June 15. "We're going to get the most return on investment from our teams if we're posturing them where we think the adversary will be at based on intelligence and information, instead of being so reactive."

Cyber protection teams, or CPT, are one of several teams that make up the cyber mission force for CYBERCOM. CPTs consist of 39 individuals and defend priority Pentagon networks and systems against threats.

There currently is no plan to change the structure of these teams to marry intelligence-oriented teams or intelligence cells within them, which CYBERCOM calls cyber support teams.

Allen said that outside of the cyber national mission force, which defends the U.S. against strategic cyberattacks, none of the other teams have an established process for intel.

"The way the cyber national mission force is organized, having … mission teams, support teams and CPTs, that is an ideal construct for doing full-spectrum operations," Brig. Gen. Maria Barrett, deputy of operations J-3 at CYBERCOM, said at an early June keynote address hosted by AFCEA's Northern Virginia Chapter.

According to Allen, CYBERCOM two years ago offered guidance for operational commanders so CSTs or national support teams could receive intelligence support. This was only a guidance and not a mandate, Allen said, adding: "That's the problem we ran into, was that without adjusting the work roles for those CSTs, a lot of the operational commanders weren't willing to place those additional tasks on those teams without that piece being there."

In an ideal construct, Allen said it would be mandated that CSTs and national support teams provide intelligence to all of the teams. "In my personal opinion, I think that's the easiest way forward," he said. "There needs to be buy-in for all parties, though, and additional resourcing for those teams to get at that. There's a built-in process there for sharing other higher classification intelligence — they've already got a built-in process for sanitizing it, etc., etc,. and then pushing it out to those particular teams."

He also noted there is a coordinated way forward between CYBERCOM's J2, which is in charge of intelligence, and Joint Force Headquarters-Department of Defense Information Networks' J2 to try to get at that problem. JFHQ-DoDIN is the operational arm of CYBERCOM in charge of operating, maintaining, sustaining and defending the Pentagon's information networks.

JFHQ-DoDIN, for much of the same reasons mentioned above — namely a gap in intelligence — established an internal intelligence fusion cell, putting intel personnel right next to a technical person so they form a "level of translation right there on the spot," Col. Cleophus Thomas, the director of operations J3 at JFHQ-DoDIN, said at the same conference.

Cyber defense vs. cyber operations

JFHQ-DoDIN performs two primary missions: DoDIN operations — operations are executed daily as part of running a network — and defensive cyber operations/internal — specific actions taken in response to either intelligence, a threat or an incident.

JFHQ-DoDIN primarily synchronizes defensive forces across the DoD, working 24/7 year-round on internal DoD network-related items, whereas CPTs can be viewed or characterized as special operations forces quickly responding to solve problems, Thomas told Fifth Domain. CPTs were tasked after the Joint Chiefs email breach in 2015.

"So something that's going on like a WannaCrypt [malware attack] and it's inside the network and I need to quickly secure, defend and restore communications to that particular unit, I send a CPT," Thomas said. "We're task-organizing cyber defensive forces. We own six DoDIN CPTs, and those six DoDIN CPTs are aligned to key areas throughout the Department of Defense Information Network."

DoDIN operations can also be construed as classic IT work, while the work CPTs perform are cyber operations.

Allen noted that they want to figure out how to better employ the high-demand, low-density asset that is a CPT. "We want to drive the request for support away from requesting a CPT to requesting: 'Hey, what's the capability that you're looking for? what's the effect you're trying to generate?' " he said.

He also explained that CYBERCOM recently refined the methodology for which it performs operations, not moving away from the 39-man team construct but rather looking to give the operational commanders additional flexibility to task-organize as they see fit to accomplish a particular mission.

"The idea here is for a quick-strike team to show up on site, take care of that particular op and then get out," he said, adding that there's an effort to build guidance to drive away the use of a CPT as a long-term, on-site force.

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.

More In Cyber