Cyber Defense Review

Maximizing Flexibility: Mitigating Institutionalized Risk in the Cyber Mission Force

By MAJ Ryan Tate | June 28, 2016

Leaders increasingly focus on the growing risk to national security in cyberspace. Today, there is little need to describe the dynamic and unpredictable nature of cyberspace, a wide and growing threat landscape, and rapidly evolving threat capabilities and tactics. Despite tremendous resources dedicated to securing cyberspace, threats always seem to find a way. In corporate board rooms, cybersecurity means accepting this reality and taking internal defensive measures to mitigate material risk.[1] But the private sector is not defenseless: the DoD established US Cyber Command (USCYBERCOM) and its Service components as part of a full Doctrine, Organization, Training, Materiel, Leadership & Education, Personnel, and Facilities (DOTMLPF) solution for full spectrum cyberspace operations. The country deserves nothing less, but the dynamic nature of cyberspace uniquely challenges DOTMLPF development, which is premised on accurately assessing future capabilities requirements – a major challenge for cyberspace!

Acknowledging that capabilities evolve rapidly in cyberspace, the Commander of USCYBERCOM (CDRUSCYBERCOM) describes the imperative to maintain maximum flexibility of capabilities.[2] However, USCYBERCOM’s DOTMLPF solution – the Cyber Mission Force (CMF)[3] – is composed of individual work roles, team constructs, and employment concepts that are highly standardized for all Services, and narrowly focus on specific missions. Highly standardizing the CMF suppresses the unique strengths and diversity of capabilities inherent in the Services. Narrowly focusing individuals and organizations reduces Combatant and Joint Force Commanders’ future capabilities deployment options. Ultimately, a highly standardized and mission-focused CMF degrades the flexibility necessary to mitigate risks of the unknown in future cyberspace operations. This is analogous to an investment portfolio that lacks diversity of assets and therefore risks complete bankruptcy if the market takes an unexpected turn. We must redesign the CMF to maximize flexibility in order to best provide for the unknown future capabilities requirements of cyberspace operations.

It is time to transition from a standardized joint construct for the CMF to one that capitalizes on the unique strengths and agility of more diverse, Service-designed teams. CMF teams must be capable of both offensive and defensive cyberspace operations in order to rapidly transition between missions, task-organize, and surge to counter a rapidly evolving threat. I begin with a brief review of the current CMF design, then challenge the assumptions of the current build, identify an important first principle (flexibility), and outline a design that maximizes capabilities options in future cyberspace operations.

Fundamentally, the CMF is organized into Offensive Cyberspace Operations (OCO) and Defensive Cyberspace Operations (DCO) teams. OCO teams consist of leadership/planning, analysis & production, and operations elements. DCO teams include leadership/planning, mission protection, threat emulation, hunt, readiness, and support components. USCYBERCOM’s Cyber Forces Concept of Employment (CFCOE)[4] and Concept of Operations (CONOPS)[5] documents formally describe each team’s mission set and sub-elements with associated functions. CMF team structures resemble signals intelligence and cybersecurity organizations (e.g. incident response teams) that have successfully performed similar functions for CIOs and the IC. The CIO and IC communities are where CMF individual work roles and training requirements largely originated (e.g. DODD 8570 and DODI 3305.09).

To prepare for highly technical operations, USCYBERCOM has identified numerous individual roles. The Joint Cyberspace Training & Certification Standards (JCT&CS) details a host of work roles based on function, qualification tasks, and supporting Knowledge, Skills, and Abilities (KSAs). Clearly defined sets of tasks and KSAs, with some overlap, distinguish positions within OCO and DCO sub-elements while establishing qualification and prescribed “pipeline” training requirements for each. USCYBERCOM, National Security Agency (NSA), and the Services work tirelessly to provide the latest training available. As documented in its CFCOE, CONOPS, and JCT&CS, USCYBERCOM has essentially established a CMF construct such that all Services have a common understanding of cyber work roles and their required training as well as the organization and function of teams designed for OCO or DCO missions.

USCYBERCOM’s seminal work defining CMF teams and work roles has produced the CMF as we know it today, but this work has become an obstacle to agility. The current prescription for the CMF propelled the Services to the leading edge of cyberspace operations and established a shared understanding of “cyber” teams and work roles built on the model of existing organizations. However, the pre-existing models were designed for Title 40 (IT management) and Title 50 (Intelligence) and not for the unique Title 10 military mission of the CMF. Military organizations are traditionally designed with the agility to rapidly task-organize and transition between diverse mission sets (e.g. shift from defending key terrain to attacking an enemy force) to combat an active adversary and rapidly changing battlefield conditions. Those characteristics do not accurately describe the CMF in its current state and yet they arguably should be what differentiates the CMF from its predecessors. It is time to redefine the CMF for its unique military mission of full spectrum cyberspace operations in an unpredictable domain. The CMF must organize to maintain maximum flexibility of its capabilities rather than incrementally expand upon another organization’s structure, function, and training. Further, the current standardized build and individual training will do little more than ensure the CMF is fully prepared to solve the well-defined problems of the recent past. It is time to reconsider the design of the CMF.

USCYBERCOM radically changed DoD’s role in cyberspace (i.e. military operations in and through cyberspace), but consists of teams grown incrementally from existing organizations rather than designed based on the first principles of its mission. The function and structure of OCO teams reflect origins in signals intelligence, while DCO teams still resemble the IT and cybersecurity community. Neither team reflects the traditional design common to the Services of an operations team that conducts both attack and defense to defeat moving, thinking enemy organizations. Departure from traditional operations design was not a calculated DOTMLPF decision, but rather a matter of expediency (and bureaucratic resistance to change).[6] The incremental adaptation of traditionally intelligence and IT/cybersecurity teams and work roles is evident in current pipeline training requirements, which are still largely prescribed by intelligence and CIO channels. Great thinkers like Aristotle and Descartes have emphasized identifying first principles[7] to solve hard problems. Designing the CMF is arguably a hard problem. But rather than starting with the first principles of full spectrum cyberspace operations, the CMF design is based on pre-existing designs for similar but clearly different challenges. Design by incremental change rather than based on first principles has introduced unnecessary risk into the CMF.

The nature of cyberspace increases risk to traditional force design. Through the Joint Capabilities Integration and Development System (JCIDS), DoD mitigates risks in future conflict by assessing capability gaps and then developing full DOTMLPF solutions (e.g. the CMF).[8] But the first step of CMF design necessitates the invalid assumption that one can predict with reasonable certainty what commanders will need the CMF to do in future conflict. If a primary challenge in cyberspace operations is keeping pace with rapidly changing technology, threats, and TTPs, then building teams for specific capabilities amplifies the risk of capability gaps. A CMF without maximum flexibility risks limited capabilities and options for joint force commanders. Guiding documents for the CMF nonetheless prescribe specific individual KSAs, purpose-built teams, and capability focused sub-elements.

Standardized, mission-focused team structure and prescribed, specialized work role training institutionalize an inflexible force. A CMF consisting of roughly half OCO and half DCO teams is unable to surge or prioritize either mission. Currently, DCO teams are restrained from performing OCO by policy, training, culture, and organization. The same applies to OCO teams. Further, the narrow, specialized work role training on teams degrades tactical agility and each team’s ability to build comprehensive situational understanding (i.e. insight into both attack and defense). Training should instead provide foundational skills focused on problem solving, research, and cognitive skills that transfer well to multiple tasks (and any conceivable mission).[9] CMF design must reflect first principles.

An essential first principle of cyberspace operations – absent from the current CMF design – is maximum flexibility for the application of capabilities. Admiral Michael Rogers describes flexibility in his CDRUSCYBERCOM vision and guidance:

Our constructs must provide maximum flexibility for application of our capabilities … ensuring a depth of knowledge and unique capabilities across our workforce, making them ready … to execute the widest possible range of missions. We will act to preserve and extend America’s cyber advantage so that the joint force can operate globally with speed, flexibility, and persistence … The only certain feature of this environment is uncertainty, which makes agility a necessity.[10]

Admiral Rogers envisions an agile force ready for the widest possible range of missions in future cyberspace. In contrast, approximately half the CMF is designed incapable of OCO while the other half is incapable of DCO. Personnel on every team are specialized for a particular subset of one mission or the other. Advocates of the current CMF structure will cite recent successes as proof that OCO and DCO teams with prescribed work roles are an effective way to conduct full spectrum cyberspace operations. Besides the adage that past success bears no guarantee for future success, members of the CMF can just as readily cite a host of challenges for every success. Purpose-built teams are inherently inflexible. USCYBERCOM documents emphasize that teams will task-organize and deploy based on the mission, but a footnote is not flexibility. A redesign of the CMF for the first principle of maximum flexibility is essential to mitigating risk in an unpredictable operating environment. The CMF must be able to rapidly re-purpose teams and their individuals for any mission.

A maximally flexible CMF team is one based on the lessons of force-on-force conflict that our Services have established over time in the air, land, space, and sea domains. CMF teams should follow the model of Army maneuver forces, but that does not mean they cannot specialize. Army maneuver forces often have unique capabilities (e.g. a mechanized infantry company), but are not dedicated to offense or defense. Army units train to conduct both offense and defense, and it makes them more capable at both missions. This permits commanders to use a unit for either mission and to rapidly re-task it when conflict changes. Moreover, a unit in close contact with an attacking force is usually best positioned to rapidly initiate a counter-offensive and often uniquely positioned to identify exactly when that transition should occur. There are legitimate reasons that CMF functions are segregated, but few US government organizations have authority to truly pursue a threat, conducting offense and defense across the full spectrum of cyberspace operations. The CMF could provide this niche capability. A CMF team capable of offense and defense provides more options to CDRUSCYBERCOM and joint force commanders. More generally trained (but still highly technical) individuals perceive events with a larger context and collectively provide maximum tactical options for team leaders.[11] As the commander of US Army Cyber Command, Lieutenant General Edward Cardon, often says, “we do not train offensive infantrymen or defensive infantrymen, we train infantrymen.”

The incremental build of the CMF has created an inflexible workforce that risks future cyberspace capability gaps. Until future cyberspace operations become reasonably predictable, the CMF must maintain maximum flexibility in both team and individual capabilities. To mitigate the risk of an unknown future, USCYBERCOM should design the CMF based on the first principle of maximum flexibility as CDRUSCYBERCOM described. The CMF must operate like the maneuver forces of the Services. Likewise, individuals on those teams must have more flexible capabilities. This does not mean that teams or individuals do not specialize; it means the CMF should train and operate more like operational teams.

 

Notes

[1] Common theme at RSA Conference, San Francisco, CA, March, 2016.

[2] Michael Rogers, Beyond the Build: Delivering Outcomes through Cyberspace, Commander’s Vision and Guidance for US Cyber Command, June 3, 2015, 4, 6.

[3] The author assumes readers have familiarity with the Cyber Mission Force. Readers unfamiliar may begin here: http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy

[4] US Cyber Command, Cyber Force Concept of Operations & Employment, version 4.1, 22 July 2014.

[5] US Cyber Command, Cyber Protection Team (CPT) Concept of Operations, version 18.1, 12 February 2015.

[6] Based on the author’s discussions and observations at numerous OUSD P&R, USCYBERCOM J7, CyTAC working groups, Cryptologic Training Council, and other joint conferences focused on CMF training, July 2014 – May 2016.

[7] First principles are the basic propositions in a field that experts would unanimously agree compose the foundations for all other work.

[8] Chairman, US Joint Chiefs of Staff.  Joint Capabilities Integration and Development System (JCIDS).  CJSCI 3170.011, January 23, 2015, para A-3.

[9] Readers are encouraged to review the US Army Cyber School Training Strategy (2016) for an in-depth analysis of individual training philosophy for the CMF.

[10] Michael Rogers, Beyond the Build, 6, 8, 11.

[11] Readers are encouraged to review the US Army Cyber (17 series) career management field for further analysis of a balanced and technical CMF individual.


