This is part one of a series exploring the differences between military cyber forces, capabilities, mission sets and needs.
The Defense Department is posturing itself to fight and win wars and conflicts in all domains, especially cyberspace. At the top level, DoD, along with the contributions of the services, is continuing to build out the cyber mission force that makes up U.S. Cyber Command, focused on strategic and joint force commander problem sets.
In addition to their CMF contributions, the services are working to stand up their own cyber forces to get at service-specific, organic mission sets.
The cyber mission force consists of 133 teams and 6,200 persons, which include: 13 National Mission Teams that defend the nation; 68 cyber protection teams that work to defend DoD networks; 27 combat mission teams that provide support to combatant commanders and generate effects in support of operational plans and contingencies, and; 25 support teams that provide analytic and planning support to the national mission teams.
Of the 133 CMF teams, the Army provides 41, the Navy provides 40, the Air Force provides 39 and the Marine Corps provides 13.
According to a briefing by Col. Robert “Chipper” Cole, director of Air Forces Cyber (forward) late last year, national mission teams are made up of 64 individuals and are typically aligned to a malicious cyber actor, meaning they are often in “red space.” This allows them to get a feel of the state actors they’re aligned to and get indications of warning before they act to allow other forces to set up their defenses. These teams are also posturing themselves to hold that threat at risk, he said.
National support teams, composed of 39 individuals, are linguists and analysts who support the mission teams, he said. These teams serve in an intelligence role, providing analytical and planning support to the national mission and combat mission teams.
Combat mission teams and combat support teams, Cole described as “offensive cyber operations to achieve or directly support combatant commander objectives.” These teams are aligned toward combatant commander’s campaign objectives, but are no longer under the operational control of the combatant commanders he said. The secretary of defense at the time changed this operational control giving it to Adm. Rogers, Cole said.
Cyber protection teams serve as a “quick-strike team to show up on site, take care of that particular op and then get out,” Col. Cleophus Thomas, director of operations J3 at JFHQ-DoD Information Networks, said in June. These teams are not meant to be a long-term, on-site force.
For the most part, the CMF serves the objectives of combatant command commanders and joint force commanders. “I always tell our team that much of our success will be defined by others, not by us. That’s the way it should be,” CYBERCOM commander Adm. Michael Rogers said during congressional testimony in May. “We spend a lot of time aligning our capability to meet combatant commander requirements. Working with them for what the priority for how those capabilities should be applied. I want them to set the priority, not me, I have an opinion and we’ll partner together.”
For the CMF contributions, the individual services are responsible for manning, training and quipping the teams. Additionally, the services also retain a small portion of the cyber protection teams they produce to task how they see fit.
These could be organic missions related to each specific service such as protecting the recently deployed Terminal High Altitude Area Defense, or THADD in South Korea by the Army. From the Air Force’s perspective, they could be assigned to specific Air Force mission sets to include large missions such as tanker air lift or smaller missions such as aiding installations might be seeing strange cyber activity, director of Air Force cyber strategy, Maj. Gen. Patrick Higby, told Fifth Domain in a recent interview.
The Air Force retains seven CPTs in the CMF. The Marines, by contrast retain three CPTs of the eight CPTs they provide to the CMF.
The services, however, don’t have offensive teams at their disposal as offensive roles and responsibilities are still held at the highest levels of government, but can be delegated down. “If we’re looking to employ an offensive cyber capability it’s through U.S. Cyber Command,” Brig. Gen. Kevin Kennedy, director, Cyberspace Operations and Warfighting Integration, told Fifth Domain in February. Kennedy emphasized that the offensive authorities rest with Cyber Command, noting that force is employed through the joint force command and combatant commanders. If an air component commander was looking to have a supporting effort from cyber, they would work through the joint cyber center — which exists at each global combatant command — to get that capability, he continued.
One of the design constructs in the creation of Cyber Command was that it would act as an integrator and coordinator of cyber activities, namely offensive cyber activities, as to properly deconflict operations and prevent individual services from tripping over each other in cyberspace.
“I’m trying to make the argument with the services, what we need to do is … I think something along the order of a third should stay with us [CYBERCOM], the rest we should look how do we put them elsewhere within the cyber enterprise to build the cyber level of expertise across the department,” Adm. Michael Rogers, the commander of Cyber Command, told the Senate Armed Services Committee in May.
“One of the challenges if you’re a service, you have a wide spectrum of cyber requirements beyond what Cyber Command is responsible for,” he added.
The Army’s 17s MOS is their cyber MOS and that could be offensive cyber or defensive cyber, Mike Monteleone, acting deputy director of Space and Terrestrial Communications Directorate at the Communications-Electronics Research, Development and Engineering Center, or CERDEC, told Fifth Domain during an interview at their headquarters at Aberdeen Proving Ground. Those 17 series are not in the brigade, he added, noting the brigade has signal soldiers doing that work: that’s the 25D and 255S.
The Army was the first of the services to stand up an individual cyber branch. In written testimony to a Senate Armed Services Subcommittee in late May, Army Cyber Command Commander Lt. Gen. Paul Nakasone said the “Cyber Center of Excellence (Cyber CoE) graduated its first class of Cyber Branch Lieutenants in May 2016; its first class of Cyber Warrant Officers in March 2017; and began training its first class of new cyber enlisted recruits also in March 2017.”
Moreover, the Cyber CoE trained a total of 582 Cyber Branch Soldiers during FY16 and is scheduled to train another 1,200 Soldiers in FY17, bringing the total number of Army cyber force to 2,331 soldiers with career fields that include Cyberspace and Electronic Warfare operations that breaks down to 557 officers, 305 warrant officers and 1,469 enlisted. Officials have noted that in 2018 the electronic warfare force, or 29 series career field, will become 17s, the career field that is the baseline of cyber.
Nakasone also said in his testimony that the Army’s Cyber Protection Brigade, (CPB) and cyber protection teams “conduct critical active defense of the DoDIN. The CPB’s ability to conduct active recon for advanced persistent threats distinguishes them from the functions of a [cybersecurity service provider] that is dedicated to protecting our network against known threats … The CPB also helps protect and defend the Army’s critical infrastructure and support both national requirements and Joint and Army commanders around the globe. The Brigade includes 900 Soldiers and Civilians who make up 20 Active Component Cyber Protection Teams.”
In the Air Force, 17D’s, specific code for cyber, could have a diverse experience throughout a 20 year career from working on a joint staff to being in charge of “cable dogs,” which are airmen that run outside cable plan on military installations to limit latency, Higby said.
Currently, Higby added, 20 percent of active Air Force officers are assigned to 24th Air Force (AFCYBER) while the other 80 percent are assigned across a wide variety of mission sets; everything form being in a combatant commander’s staff, to working in the J6 directorate or information directorate to working at the base level comm squadron. It’s really a wide variety from everything to traditional IT all the way up through cyber implications for war planning when working on a combatant commander staff, he said.
The Marine Corps are also following the Army in establishing a cyber MOS making these personnel 17 series “x” based on their more specified cyber role. The Marines are looking to maintain their cyber warriors for the duration of their careers.
“What we’re talking about doing is retain the talent we train. If they come to cyber, they’re going to stay in cyber,” said Maj. Gen. Lori Reynolds, commander of Marine Corps Forces Cyberspace Command. “Similar to [Marine Corps Special Operations Command] once you get all that training, you want to reap that investment for the fullness of their career.”
Reynolds noted that the training of these personnel won’t change — Cyber Command sets out joint standards for how all CMF personnel are trained — but this move is really focused on how the Marines retain cyber warriors on the force and they’re used across the Marine Corps.
The Navy lists one of their “cyber” rates for enlisted sailors as Cryptologic Technician — Networks (CTN). These operators perform a variety of tasks to include defensive cyber operations, digital forensics analysis, exploitation analysis and cyber planning, among others, and are assigned to computer networking system departments and divisions.
Additionally, the Navy also has Information Systems Technicians (IT) perform “cyber” tasks, to include operating and maintaining Navy global satellite telecommunications systems, mainframe computers, local and wide area networks as well as micro-computer systems used in the fleet.
The series continues at Here’s how cyber service component mission sets differ from CYBERCOM.
Correction: The original posting misstated the number of Marine Corps Cyber Protection Teams. The story has been corrected.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.