7 June 2016

*Without solid training options, mysterious Cyber Command remains a work in progress

June 5, 2016

The military's demand for cyber capabilities is soaring. Defensive and offensive operations, including those targeting the Islamic State group, are occurring with greater frequency. There's talk of elevating U.S. Cyber Command's profile within the Defense Department. And yet six years after its creation, the organization does not have a training environment for large-scale exercises and to evaluate the readiness of its force.

Unlike other major military components, the mysterious CYBERCOM, which is headquartered at Fort Meade in Maryland, does not have a permanent interconnected range for units to practice new tactics, test new weaponry and fight hypothetical enemies in exercises designed to simulate real-world conflict. It's working to build one, officials say, suggesting — without offering much detail — that they're looking to engineer a network of facilities that replicates command-and-control systems and allows for large units to train with potentially catastrophic cyber weapons. Meanwhile, the definition of unit-level readiness remains a work in progress.

“We don’t have — but we need — an exercise environment where you do rehearsals, go against adversary networks, and figure out ways to better protect your own,” said Jim Keffer, a retired Air Force major general who served as a CYBERCOM's chief of staff in 2015. “For individual training, I think we’re really good. But the team training, the force-on-force training, that is primarily limited by a lack of a persistent training environment.”

Unquestionably, CYBERCOM's profile is on the rise. There's serious talk of upgrading the organization to a unified combatant command, a move that would make it one of the most powerful entities within the U.S. military. But has the four-star command matured enough to make such a leap?

In a statement to Military Times, CYBERCOM acknowledged that without a training environment, its mission teams can only “train periodically” at major annual exercises and other events. The command is “identifying gaps and prioritizing our investments,” it states.

Training for cyber war bears similarities to the preparations that must be made for more familiar kinetic operations. Keffer noted the Navy SEALs' operation to kill Osama bin Laden. Before the 2011 raid, the SEALs built a full-scale model of bin Laden's compound in Abbatabad, Pakistan, to train for that specific mission. “If Cyber Command is about to do an operation," he said, "they’ll want to go through it a couple of times. Just like the SEALs did before they went into Abbottabad. ... That is how you get mission success.”

A senior defense official familiar with CyberCom's operations said that's difficult without a better training infrastructure. “Can we do our mission? Yes, we can do our mission," the official said, speaking on the condition of anonymity in order to speak candidly about the command's procedures. "But we want to make sure that with any scenario for a mission we undertake, we have taken a very, very hard look and make sure our teams are at the top of their game.”

Created in 2010, CYBERCOM has spent considerable time and resources establishing its bureaucratic foundation. More recently, it has focused on manpower, standing up a cyber-mission force of 6,200 active-duty specialists organized in 133 teams.

Progress has been slower than hoped, however. The target date for standing up those teams was the end of 2016, but that deadline has been pushed out to 2018. So far, about half of those teams, 68, have reached what the military calls “initial operational capability,” and as many as 100 teams are currently conducting missions to meet the demand for offensive and defensive cyber capabilities, defense officials say. Creating a sophisticated training environment has become a top priority. It will allow cyber personnel to move beyond individual training and certifications into team-based work focused on real-world scenarios that integrate cyber tactics with the military’s traditional “kinetic” capabilities.

The next step in CYBERCOM's evolution is to develop team-based training focused on real-world scenarios that integrate cyber tactics with traditional capabilities. (Photo: Senior Airman Kenneth Norman/Air Force)

“In collective training we are still in our infancy,” said Eric Bassel, a director for SANS, a Maryland-based company that provides software-based training environments for the Army and Air Force cyber programs. Today, he said, "the exercises tend to fall short in many dimensions, as they do not integrate well into the bigger picture, lack realistic target environments, and do not allow commanders to select from both kinetic and non-kinetic options to achieve a mission.”

Adm. Mike Rogers, the head of U.S. Cyber Command, has said developing better training facilities is a concern, telling Congress in March that “while our training is improving we need a persistent training environment ... to gain necessary operational skills and to sustain readiness across the force.”

CYBERCOM received $15 million last year to begin building the training network and an additional $5 million for this year. But much of its progress so far remains on paper. The command has started to create an "assessment manual" to assist in team certification and a "concept document" for a Joint National Cyber Opposing Force capability, according to the command's statement.
Private sector advances

Creating this training environment is a challenge. Beyond a storehouse of powerful computers, it requires a secure network that replicates military communications systems but is not connected to the internet. Training on an internet connection would risk releasing classified — or even catastrophic — code-based weaponry into the public realm. In addition, a range will need staff to run exercises, a curriculum that is constantly updated, and experts to manage the events and provide feedback to the participants.

The private sector has begun creating cyber ranges, and traditional defense contractors are providing the Defense Department with some support. One example is Raytheon’s Cyber Operations and Development Evaluation Center. The CODE Center, as its known, opened in 2011, and is located on the third floor of a suburban office tower in northern Virginia. It can provide some of the elements CYBERCOM is seeking.

“On a range like this, you can emulate an environment that might look like an air operations center. It might look like an aircraft carrier. I might look like a deployed brigade,” said Bill Leigher, a retired rear admiral who runs the CODE Center as Raytheon’s director of government cyber solutions. “... You can bring a cyber-protection team and say ‘OK here is a scenario. This is what an adversary cyber attacker is trying to do — go practice defending.”

One scenario might involve a carrier strike group and an enemy force that has tunneled into a ship's on-board network, seizing control of a missile system’s targeting and launch systems. “If you penetrated that, you would be able to control the weapons system remotely — that’s a pretty scary thing,” he said. A training drill might focus on "how do you reclaim complete control over your systems? That is a petty realistic scenario.”

The CODE Center is a complex of rooms packed with computer terminals for trainees linked to operations rooms where the staff orchestrate the group exercises. It also features a loading dock and facility to connect the training network to real military equipment. The Army could park a truck-mounted Patriot missile system and wire it into the training network for a specific exercise.

Soldiers start up generators prior to a simulated firing of a Patriot missile system in Bahrain. (Photo: Staff Sgt. Anthony Taylor/Army)

Its clients include the individual military services, civilian government agencies and some foreign governments. U.S. CYBERCOM officials say the command does not train on non-governmental facilities.

Leigher said a major challenge for the Defense Department is not just assembling a facility but identifying and agreeing on the nature of the underlying curriculum. “It’s really a cultural thing, figuring out what we need to train to,” he said. “How do I go think about what the skills and competencies that an Army cyber guy needs if he’s embedded in a combat infantry brigade? Part of it is understanding what it really is you need to train to. And the truth is nobody has ever really done that before.”

The Pentagon is working on that. In May, its, C4/Cyber Functional Control Board approved a document detailing what it wants to achieve, CYBERCOM officials said.
Offensive tactics

Cyber troops often use the same language as other military professionals and refer to “platforms” that provide intrusion capabilities to launch “payloads,” which are software-based devices that execute certain effects on their targets. Some can be highly sophisticated attacks like the “Stuxtnet” worm in 2010 that infiltrated the mechanical systems of an Iranian nuclear facility and caused catastrophic malfunctions.

Other tactics are less dramatic but could have a vital impact on the battlefield by disrupting an enemy's ability to communicate, coordinate, command and control its force. That can involve jamming online communications at key moments in a battle. It could mean intercepting email that provides intelligence. It might insert into enemy systems fake command orders to confuse the adversary's rank-and-file fighters. Sabotaging an enemy force’s ability to pay its troops could also have a strategic value.

Some cyber-attacks must be executed discreetly, for example secretly changing names and numbers in the enemy’s electronic documents in a way that sabotages their own decision-making or manipulates their actions. To practice those tactics, the persistent training environment will require a closed and secure network permanently connecting a host of military facilities — in effect, a mini independent internet.

It will require replicating both the U.S. military’s own networks as well as the communications systems used by the enemy. For a peer enemy, that might require building a mock of Chinese submarine communications and weapons systems. For a more low-tech adversary like the Islamic State, it means understanding the social media, email and personnel computer operating systems.
What's over the horizon

Up until a couple of years ago, the annual Cyber Guard exercise involved a lot of basic training. “I saw teams that would come with individuals that were spending the entire week there doing individual, fundamental skills. Really what you would consider individual training,” said the senior defense official. “Now in the two years since, we have individual training but also teams that are coming together and doing collective training. That is so important.”

Last year, for the 2015 Cyber Flag exercise, military officials had to construct a makeshift network to create a virtual environment for hosting the event that included both military and civilian cyber experts at Nellis Air Force Base in Nevada.

“It was very risky, the way we did it, because that’s all we had,” Keffer recalled. “We had equipment, we'd put it in a couple of trucks and we'd truck it out to, say, Nellis in this case. And we'd set it up and we crossed our fingers and hoped everything worked because about 1,000 people are coming to play. ... After the exercise we take it back down — a very risky process.”

Cyber personnel get some training on the service level. But that focuses primarily on individual training, not teamwork. “It's basic training, it’s being able to put my M-14 together in the dark, laying on my back in the mud. It’s not maneuvering while I’m under fire,” Leigher said. Collective training will fall to CYBERCOM.

Currently, the services' individual training facilities and those at CYBERCOM headquarters are not linked with a secure connection, so they cannot participate in the same online activities from long distances. The command is working on that, too, the defense official said. This year's Cyber Guard exercise will be held at a training center in Suffolk, Virginia. But that facility falls short of what CYBERCOM needs for the long run, the official added.

A Sea Sparrow missile is launched from the amphibious assault ship Boxer during a Composite Training Unit Exercise off the California coast. (Photo: Mass Communications Specialist 2nd Class Kenan O'Connor/Navy)

Once CYBERCOM determines how to train collectively, it will eventually bring scenarios into the military's traditional training environment — an Army brigade-level exercise at Fort Irwin, for example, a Navy carrier battle group’s “COMPTUEX,” or an Air Force Red Flag exercise.

But that remains a vision over the horizon. “You need a place where you can combine kinetic ops with non-kinetic ops,” Bassel said. “I don’t think anybody has gotten that far.” He compared the challenges of training for cyber warfare to those that emerged in the 1980s for electronic warfare. If an enemy “red team” force used electronic warfare effectively, the exercise would end and start over, making it difficult to train under real-world circumstances at large national training centers.

“We really never got down to fighting electronic warfare scenarios. And my guess is we’re going to do the exact same thing with cyber,” Bassel said. “They are going to do a cyber-attack and shut everyone down. Then the commanders will come down and say ‘OK, you got us. Now can we have our toys back?”

No comments: