Without solid training options, mysterious Cyber Command remains a work in progress
By Andrew Tilghman
U.S. Navy Petty Officer 1st Class Joel Melendez, Naval Network Warfare Command information systems analysis, U.S. Air Force Staff Sgt. Rogerick Montgomery, U.S. Cyber Command network analysis, and U.S. Army Staff Sgt. Jacob Harding, 780th Military Intelligence Brigade cyber systems analysis, analyze an exercise scenario during Cyber Flag 13-1, Nov. 8, 2012, at Nellis Air Force Base, Nev. Cyber Flag strategically focuses on exercising the command's mission of operating and defending the Department of Defense networks across the full spectrum of operations against a realistic adversary in a virtual environment. (U.S. Air Force photo by Senior Airman Matthew Lancaster)
The military's demand for cyber capabilities is soaring. Defensive and offensive operations, including those targeting the Islamic State group, are occurring with greater frequency. There's talk of elevating U.S. Cyber Command's profile within the Defense Department. And yet six years after its creation, the organization does not have an essential training environment to practice large-scale exercises and to systematically evaluate the readiness of its force, military officials say.
Unlike other major military components, the mysterious CYBERCOM, which is headquartered at Fort Meade in Maryland, does not have a permanent interconnected "range" for units to practice new tactics, test new weaponry and fight hypothetical "red team" enemies in exercises designed to simulate real-world conflict. It's working to build one, officials say, suggesting — without offering much detail — that they're looking to engineer a high-level range, known as a persistent training environment, which is a network of facilities that replicates the military command-and-control systems and allows large units to train with potentially catastrophic cyber weapons. Meanwhile, the details remain unclear, and the definition of unit-level readiness remains a work in progress. CYBERCOM’s units are not yet submitting data into the Defense Readiness Reporting System, the Pentagon’s classified network for tracking readiness across the force, defense officials say.
"We don’t have — but we need — an exercise environment where you do rehearsals, go against adversary networks, and figure out ways to better protect your own," said retired Air Force Maj. Gen. Jim Keffer, who last served as CYBERCOM's chief of staff in 2015. "For individual training, I think we’re really good. But the team training, the force-on-force training, that is primarily limited by a lack of a persistent training environment."
As the demand for cyber capabilities soars, CYBERCOM's profile is on the rise. The military's cyber force has begun conducting defensive and offensive operations, including those targeting the Islamic State group. There's serious talk of upgrading the organization to a unified combatant command, a move that would make it one of the most powerful entities within the Defense Department. But has the four-star command matured enough to make such a leap?
In a statement to Military Times, CYBERCOM acknowledged that without a persistent training environment, its mission teams can only "train periodically" at major annual exercises and other events. The command is "identifying gaps and prioritizing our investments," according to the statement.
Training for cyber war bears similarities to the preparations that must be made for more familiar kinetic operations. Keffer pointed to the example of the Navy SEALs' operation to kill Osama bin Laden. Before the 2011 raid, the SEALs built a full-scale model of bin Laden's compound in Abbottabad, Pakistan, to train for that specific mission. "If Cyber Command is about to do an operation," he said, "they’ll want to go through it a couple of times. Just like the SEALs did before they went into Abbottabad, they built a replica compound and they exercised in that. ... That is how you get mission success."
A senior defense official familiar with CYBERCOM's operations said that's difficult today without a better training infrastructure. "Can we do our mission? Yes, we can do our mission," the official said, speaking on the condition of anonymity in order to speak candidly about the command's procedures. "But we want to make sure that with any scenario for a mission that we undertake, that we have taken a very, very hard look and make sure our teams are at the top of their game."
Created in 2010, CYBERCOM has spent considerable time and resources establishing its bureaucratic foundation. More recently, the command has focused on manpower, standing up a cyber-mission force of 6,200 active-duty specialists, organized in 133 teams.
Progress has been slower than initially hoped, however. The original target date for standing up those cyber mission force teams was the end of 2016, but that deadline was later pushed out to 2018. So far, about half of those teams, 68, have reached what the military calls "initial operational capability," and as many as 100 teams are currently conducting missions to meet the soaring demand for offensive and defensive cyber capabilities, defense officials say. Creating a sophisticated training environment has become a top priority. It will allow cyber personnel to move beyond their individual training and certifications into team-based training focused on real-world scenarios that integrate cyber tactics with the military’s traditional "kinetic" capabilities.
The next step in CYBERCOM's evolution is to develop team-based training focused on real-world scenarios that integrate cyber tactics with traditional capabilities.
Photo Credit: Senior Airman Kenneth Norman/Air Force
"In collective training we are still in our infancy," said Eric Bassel, a director for SANS, a Maryland-based company that provides software-based training environments for the Army and Air Force cyber training programs. Today, he said, "the exercises tend to fall short in many dimensions, as they do not integrate well into the bigger picture, lack realistic target environments, and do not allow commanders to select from both kinetic and non-kinetic options to achieve a mission."
Adm. Mike Rogers, the head of U.S. Cyber Command, has said developing better training facilities is a top concern, telling Congress in March that "while our training is improving we need a persistent training environment, which the department is continuing to develop, ... to gain necessary operational skills and to sustain readiness across the force."
Last year, CYBERCOM received $15 million to begin building the training network and an additional $5 million for this year. With that money, the command revamped its initial training system "to provide greater capacity for individual and collective training," according to the statement from CYBERCOM. But much of its progress so far remains on paper. The command has started to "create an 'assessment manual' to assist in team certification" and "develop a 'concept document' for a Joint National Cyber [Opposing Force] capability," according to the command's statement.
Private sector advances
Creating a high-level training environment for cyberwarfare is a challenge. Beyond a storehouse of powerful computers, it requires a secure network that replicates military communications systems but is not connected to the internet. (Training on a true internet connection would risk releasing classified — or even catastrophic — code-based weaponry out into the public realm.) In addition, a high-level range needs a staff to run exercises, a curriculum that is constantly updated, and experts to manage the events and provide feedback to the participants.
But unlike some of the military’s other activities, it’s not rocket science. The private sector has begun creating cyber ranges, and traditional defense contractors are providing the Defense Department with some key support. One example is Raytheon’s Cyber Operations and Development Evaluation Center. The CODE Center, as it's known, opened in 2011, is located on the third floor of a suburban office tower in northern Virginia and can provide some of the elements CYBERCOM is seeking.
"On a range like this, you can emulate an environment that might look like an air operations center. It might look like an aircraft carrier. It might look like a deployed brigade," said Bill Leigher, a retired Navy rear admiral who now runs the CODE Center as Raytheon’s director of government cyber solutions. "... You can emulate that environment and bring a cyber-protection team and say ‘OK here is a scenario. This is what an adversary cyber attacker is trying to do — go practice defending.’"
One scenario, for example, might involve a carrier strike group and an enemy force that has tunneled into a ship's on-board network, seizing control of a missile system’s targeting and launch systems. "If you penetrated that, you would be able to control the weapons system remotely — that’s a pretty scary thing," he said. A training drill might focus on "how do you reclaim complete control over your systems? That is a pretty realistic scenario."
The CODE Center is a complex of rooms packed with computer terminals for trainees linked to operations rooms where the staff orchestrate the group exercises. It also features a loading dock and facility to connect the training network to real military equipment. For example, the Army could park a truck-mounted Patriot missile system and wire it into the training network for a specific exercise.
Soldiers start up generators prior to a simulated firing of a Patriot missile system in Bahrain.
Photo Credit: Staff Sgt. Anthony Taylor/Army
The CODE Center serves clients that include the individual military services, civilian government agencies and some foreign governments. U.S. CYBERCOM officials say the command does not train on non-governmental facilities.
Leigher said a major challenge for the Defense Department is not just assembling a facility but identifying and agreeing on the nature of the underlying curriculum. "It's really a cultural thing, figuring out what we need to train to," he said. "How do I go think about what the skills and competencies that an Army cyber guy needs if he's embedded in a combat infantry brigade? Part of it is understanding what it really is you need to train to. And the truth is nobody has ever really done that before."
The Pentagon’s bureaucracy is working on that. "We are establishing the criteria upon which we will base readiness," the senior defense official said. On May 19, the Defense Department’s C4/Cyber Functional Control Board approved an "initial capability development document" for the persistent training environment, detailing what it wants to achieve, CYBERCOM officials said.
Cyber troops often use the same language as other military professionals and refer to "platforms" that provide intrusion capabilities to launch "payloads," which are software-based devices that execute certain effects on their targets. Some can be highly sophisticated attacks like the "Stuxnet" worm in 2010 that infiltrated the mechanical systems of an Iranian nuclear facility and caused catastrophic malfunctions.
Other tactics are less dramatic but could have a vital impact on the battlefield by disrupting the enemy's ability to communicate, coordinate, command and control its force. That can involve jamming the enemy’s online communications at key moments in a battle. It could mean intercepting email that provides intelligence. It might insert into enemy systems fake command orders to confuse the adversary's rank-and-file fighters. Sabotaging an enemy force’s ability to pay its troops could also have a strategic value.
Some cyber-attacks must be executed discreetly, for example secretly changing names and numbers in the enemy's electronic documents in a way that sabotages their own decision-making or manipulates their actions. To practice those tactics, the persistent training environment will require a closed and secure network permanently connecting a host of military facilities — in effect, a mini independent internet.
It will require replicating both the U.S. military’s own networks and the communications systems used by the enemy. For a peer enemy, that might require building a mock-up of Chinese submarine communications and weapons systems. For a more low-tech adversary like the Islamic State, it means understanding the social media, email and personal computer operating systems.
What's over the horizon
Up until a couple of years ago, the annual Cyber Guard exercise involved a lot of basic training. "I saw teams that would come with individuals that were spending the entire week there doing individual, fundamental skills. Really what you would consider individual training," said the senior defense official. "Now in the two years since, we have individual training but also teams that are coming together and doing collective training. That is so important."
Last year, for the 2015 Cyber Flag exercise, military officials had to construct a makeshift network to create a virtual environment for hosting the event, which included both military and civilian cyber experts at Nellis Air Force Base in Nevada.
"It was very risky, the way we did it, because that's all we had," Keffer recalled. "We had equipment, we'd put it in a couple of trucks and we'd truck it out to, say, Nellis in this case. And we'd set it up and we crossed our fingers and hoped everything worked because about 1,000 people are coming to play. ... After the exercise we take it back down — a very risky process."
Cyber personnel get some training on the service level. But that focuses primarily on individual training, not teamwork. "It's basic training, it’s being able to put my M-14 together in the dark, laying on my back in the mud. It’s not maneuvering while I’m under fire," Leigher said. Collective training will fall to CYBERCOM.
Lawmakers are talking about upgrading it to a full combatant command that answers directly to the commander in chief. "What I’m getting as a sub-combatant commander is a trained individual whom I can look at and say ‘How do I do the collective training?’" the senior defense official said. Currently, the services' individual training facilities and those at CYBERCOM’s Fort Meade headquarters are not linked with a secure connection, so they cannot participate in the same online activities from long distances. The command is working on that, too. "Toward an overall structure, we're already moving out in how do I connect all these centers?" the defense official said. This year, the annual Cyber Guard exercise will be held at a training center in Suffolk, Virginia. But that facility falls short of what CYBERCOM needs for the long run, the defense official added.
A Sea Sparrow missile is launched from the amphibious assault ship Boxer during a Composite Training Unit Exercise off the California coast.
Photo Credit: Mass Communications Specialist 2nd Class Kenan O'Connor/Navy
Once CYBERCOM determines how to train collectively, it will eventually bring its scenarios into the military's traditional training environment — an Army brigade-level exercise at Fort Irwin, for example, a Navy carrier battle group’s "COMPTUEX," or an Air Force Red Flag exercise.
But that remains a vision over the horizon. "You need a place where you can combine kinetic ops with non-kinetic ops," Bassel said. "I don’t think anybody has gotten that far." He compared the challenges of training for cyber warfare to those that emerged in the 1980s for electronic warfare. If an enemy "red team" force used electronic warfare effectively, the exercise would end and start over, making it difficult to train under real-world circumstances at the large national training centers.
"We really never got down to fighting electronic warfare scenarios. And my guess is we're going to do the exact same thing with cyber," Bassel said. "They are going to do a cyber-attack and shut everyone down. Then the commanders will come down and say 'OK, you got us. Now can we have our toys back?'"
About Andrew Tilghman
Andrew Tilghman is the executive editor for Military Times. He is a former Military Times Pentagon reporter and served as a Middle East correspondent for the Stars and Stripes. Before covering the military, he worked as a reporter for the Houston Chronicle in Texas, the Albany Times Union in New York and The Associated Press in Milwaukee.