Cyber Defense Review

Maximizing Flexibility: Mitigating Institutionalized Risk in the Cyber Mission Force

By MAJ Ryan Tate | June 28, 2016

Leaders increasingly focus on the growing risk to national security in cyberspace. Today, there is little need to describe the dynamic and unpredictable nature of cyberspace, a wide and growing threat landscape, and rapidly evolving threat capabilities and tactics. Despite tremendous resources dedicated to securing cyberspace, threats always seem to find a way. In corporate board rooms, cybersecurity means accepting this reality and taking internal defensive measures to mitigate material risk.[1] But the private sector is not defenseless: the DoD established US Cyber Command (USCYBERCOM) and its Service components as part of a full Doctrine, Organization, Training, Materiel, Leadership & Education, Personnel, and Facilities (DOTMLPF) solution for full spectrum cyberspace operations. The country deserves nothing less, but the dynamic nature of cyberspace uniquely challenges DOTMLPF development, which is premised on accurately assessing future capabilities requirements – a major challenge for cyberspace!

Acknowledging that capabilities evolve rapidly in cyberspace, the Commander of USCYBERCOM (CDRUSCYBERCOM) describes the imperative to maintain maximum flexibility of capabilities.[2] However, USCYBERCOM’s DOTMLPF solution – the Cyber Mission Force (CMF)[3] – is composed of individual work roles, team constructs, and employment concepts that are highly standardized for all Services, and narrowly focus on specific missions. Highly standardizing the CMF suppresses the unique strengths and diversity of capabilities inherent in the Services. Narrowly focusing individuals and organizations reduces Combatant and Joint Force Commanders’ future capabilities deployment options. Ultimately, a highly standardized and mission-focused CMF degrades the flexibility necessary to mitigate risks of the unknown in future cyberspace operations. This is analogous to an investment portfolio that lacks diversity of assets and therefore risks complete bankruptcy if the market takes an unexpected turn. We must redesign the CMF to maximize flexibility in order to best provide for the unknown future capabilities requirements of cyberspace operations.

It is time to transition from a standardized joint construct for the CMF to one that capitalizes on the unique strengths and agility of more diverse, Service-designed teams. CMF teams must be capable of both offensive and defensive cyberspace operations in order to rapidly transition between missions, task-organize, and surge to counter a rapidly evolving threat. I begin with a brief review of the current CMF design, then challenge the assumptions of the current build, identify an important first principle (flexibility), and outline a design that maximizes capabilities options in future cyberspace operations.

Fundamentally, the CMF is organized into Offensive Cyberspace Operations (OCO) and Defensive Cyberspace Operations (DCO) teams. OCO teams consist of leadership/planning, analysis & production, and operations elements. DCO teams include leadership/planning, mission protection, threat emulation, hunt, readiness, and support components. USCYBERCOM’s Cyber Forces Concept of Employment (CFCOE)[4] and Concept of Operations (CONOPS)[5] documents formally describe each team’s mission set and sub-elements with associated functions. CMF team structures resemble signals intelligence and cybersecurity organizations (e.g. incident response teams) that have successfully performed similar functions for CIOs and the IC. The CIO and IC communities are where CMF individual work roles and training requirements largely originated (e.g. DODD 8570 and DODI 3305.09).

To prepare for highly technical operations, USCYBERCOM has identified numerous individual roles. The Joint Cyberspace Training & Certification Standards (JCT&CS) details a host of work roles based on function, qualification tasks, and supporting Knowledge, Skills, and Abilities (KSAs). Clearly defined sets of tasks and KSAs, with some overlap, distinguish positions within OCO and DCO sub-elements while establishing qualification and prescribed “pipeline” training requirements for each. USCYBERCOM, National Security Agency (NSA), and the Services work tirelessly to provide the latest training available. As documented in its CFCOE, CONOPS, and JCT&CS, USCYBERCOM has essentially established a CMF construct such that all Services have a common understanding of cyber work roles and their required training as well as the organization and function of teams designed for OCO or DCO missions.

USCYBERCOM’s seminal work defining CMF teams and work roles has produced the CMF as we know it today, but this work has become an obstacle to agility. The current prescription for the CMF propelled the Services to the leading edge of cyberspace operations and established a shared understanding of “cyber” teams and work roles built on the model of existing organizations. However, the pre-existing models were designed for Title 40 (IT management) and Title 50 (Intelligence) and not for the unique Title 10 military mission of the CMF. Military organizations are traditionally designed with the agility to rapidly task-organize and transition between diverse mission sets (e.g. shift from defending key terrain to attacking an enemy force) to combat an active adversary and rapidly changing battlefield conditions. Those characteristics do not accurately describe the CMF in its current state and yet they arguably should be what differentiates the CMF from its predecessors. It is time to redefine the CMF for its unique military mission of full spectrum cyberspace operations in an unpredictable domain. The CMF must organize to maintain maximum flexibility of its capabilities rather than incrementally expand upon another organization’s structure, function, and training. Further, the current standardized build and individual training will do little more than ensure the CMF is fully prepared to solve the well-defined problems of the recent past. It is time to reconsider the design of the CMF.

USCYBERCOM radically changed DoD’s role in cyberspace (i.e. military operations in and through cyberspace), but consists of teams grown incrementally from existing organizations rather than designed based on the first principles of its mission. The function and structure of OCO teams reflect origins in signals intelligence, while DCO teams still resemble the IT and cybersecurity community. Neither team reflects the traditional design common to the Services of an operations team that conducts both attack and defense to defeat moving, thinking enemy organizations. Departure from traditional operations design was not a calculated DOTMLPF decision, but rather a matter of expediency (and bureaucratic resistance to change).[6] The incremental adaptation of traditionally intelligence and IT/cybersecurity teams and work roles is evident in current pipeline training requirements, which are still largely prescribed by intelligence and CIO channels. Great thinkers like Aristotle and Descartes have emphasized identifying first principles[7] to solve hard problems. Designing the CMF is arguably a hard problem. But rather than starting with the first principles of full spectrum cyberspace operations, the CMF design is based on pre-existing designs for similar but clearly different challenges. Design by incremental change rather than based on first principles has introduced unnecessary risk into the CMF.

The nature of cyberspace increases risk to traditional force design. Through the Joint Capabilities Integration and Development System (JCIDS), DoD mitigates risks in future conflict by assessing capability gaps and then developing full DOTMLPF solutions (e.g. the CMF).[8] But the first step of CMF design necessitates the invalid assumption that one can predict with reasonable certainty what commanders will need the CMF to do in future conflict. If a primary challenge in cyberspace operations is keeping pace with rapidly changing technology, threats, and TTPs, then building teams for specific capabilities amplifies the risk of capability gaps. A CMF without maximum flexibility risks limited capabilities and options for joint force commanders. Guiding documents for the CMF nonetheless prescribe specific individual KSAs, purpose-built teams, and capability-focused sub-elements.

Standardized, mission-focused team structure and prescribed, specialized work role training institutionalize an inflexible force. A CMF consisting of roughly half OCO and half DCO teams is unable to surge or prioritize either mission. Currently, DCO teams are restrained from performing OCO by policy, training, culture, and organization. The same applies to OCO teams. Further, the narrow, specialized work role training on teams degrades tactical agility and each team’s ability to build comprehensive situational understanding (i.e. insight into both attack and defense). Training should instead provide foundational skills focused on problem solving, research, and cognitive skills that transfer well to multiple tasks (and any conceivable mission).[9] CMF design must reflect first principles.

An essential first principle of cyberspace operations – absent from the current CMF design – is maximum flexibility for the application of capabilities. Admiral Michael Rogers describes flexibility in his CDRUSCYBERCOM vision and guidance:

Our constructs must provide maximum flexibility for application of our capabilities … ensuring a depth of knowledge and unique capabilities across our workforce, making them ready … to execute the widest possible range of missions. We will act to preserve and extend America’s cyber advantage so that the joint force can operate globally with speed, flexibility, and persistence … The only certain feature of this environment is uncertainty, which makes agility a necessity.[10]

Admiral Rogers envisions an agile force ready for the widest possible range of missions in future cyberspace. In contrast, approximately half the CMF is designed incapable of OCO while the other half is incapable of DCO. Personnel on every team are specialized for a particular subset of one mission or the other. Advocates of the current CMF structure will cite recent successes as proof that OCO and DCO teams with prescribed work roles are an effective way to conduct full spectrum cyberspace operations. Besides the adage that past success bears no guarantee for future success, members of the CMF can just as readily cite a host of challenges for every success. Purpose-built teams are inherently inflexible. USCYBERCOM documents emphasize that teams will task-organize and deploy based on the mission, but a footnote is not flexibility. A redesign of the CMF for the first principle of maximum flexibility is essential to mitigating risk in an unpredictable operating environment. The CMF must be able to rapidly re-purpose teams and their individuals for any mission.

A maximally flexible CMF team is one based on the lessons of force-on-force conflict that our Services have established over time in the air, land, space, and sea domains. CMF teams should follow the model of Army maneuver forces, but that does not mean they cannot specialize. Army maneuver forces often have unique capabilities (e.g. a mechanized infantry company), but are not dedicated to offense or defense. Army units train to conduct both offense and defense, and it makes them more capable at both missions. This permits commanders to use a unit for either mission and to rapidly re-task it when conflict changes. Moreover, a unit in close contact with an attacking force is usually best positioned to rapidly initiate a counter-offensive and often uniquely positioned to identify exactly when that transition should occur. There are legitimate reasons that CMF functions are segregated, but few US government organizations have authority to truly pursue a threat, conducting offense and defense across the full spectrum of cyberspace operations. The CMF could provide this niche capability. A CMF team capable of offense and defense provides more options to CDRUSCYBERCOM and joint force commanders. More generally trained (but still highly technical) individuals perceive events with a larger context and collectively provide maximum tactical options for team leaders.[11] As the commander of US Army Cyber Command, Lieutenant General Edward Cardon, often says, “we do not train offensive infantrymen or defensive infantrymen, we train infantrymen.”

The incremental build of the CMF has created an inflexible workforce that risks future cyberspace capability gaps. Until future cyberspace operations become reasonably predictable, the CMF must maintain maximum flexibility in both team and individual capabilities. To mitigate the risk of an unknown future, USCYBERCOM should design the CMF based on the first principle of maximum flexibility as CDRUSCYBERCOM described. The CMF must operate like the maneuver forces of the Services. Likewise, individuals on those teams must have more flexible capabilities. This does not mean that teams or individuals do not specialize; it means the CMF should train and operate more like operational teams.

 

Notes

[1] Common theme at RSA Conference, San Francisco, CA, March, 2016.

[2] Michael Rogers, Beyond the Build: Delivering Outcomes through Cyberspace, Commander’s Vision and Guidance for US Cyber Command, June 3, 2015, 4, 6.

[3] The author assumes readers have familiarity with the Cyber Mission Force. Readers unfamiliar may begin here: http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy

[4] US Cyber Command, Cyber Force Concept of Operations & Employment, version 4.1, 22 July 2014.

[5] US Cyber Command, Cyber Protection Team (CPT) Concept of Operations, version 18.1, 12 February 2015.

[6] Based on the author’s discussions and observations at numerous OUSD P&R, USCYBERCOM J7, CyTAC working groups, Cryptologic Training Council, and other joint conferences focused on CMF training, July 2014 to May 2016.

[7] First principles are the basic propositions in a field that experts would unanimously agree compose the foundations for all other work.

[8] Chairman, US Joint Chiefs of Staff. Joint Capabilities Integration and Development System (JCIDS). CJCSI 3170.01I, January 23, 2015, para A-3.

[9] Readers are encouraged to review the US Army Cyber School Training Strategy (2016) for an in-depth analysis of individual training philosophy for the CMF.

[10] Michael Rogers, Beyond the Build, 6, 8, 11.

[11] Readers are encouraged to review the US Army Cyber (17 series) career management field for further analysis of a balanced and technical CMF individual.