28 November 2019

Cyberwarriors lack planning tools. That could change.

By: Mark Pomerleau 



Cyber warriors still don't have a robust cyber planning tool that spans across all services and teams within U.S. Cyber Command. The Air Force and Strategic Capabilities Office is continuing DARPA's work to change that. 

For six years, the Defense Advanced Research Projects Agency worked on a program known as Plan X to help commanders plan and conduct cyber operations.

The goal was for leaders to see the cyber environment just as they would the physical world.

Now, the Air Force and the Pentagon’s Strategic Capabilities Office are continuing the program and have renamed it Project IKE. The move was first reported by Inside Cybersecurity.

“The Strategic Capabilities Office has continued the work begun by DARPA with the aim of maturing Project IKE technology for eventual operational use,” a Department of Defense spokesman told Fifth Domain. “Project IKE is an artificial intelligence-enabled tool which will provide a new way for cyber forces to understand the common operating picture.”

In addition, as part of that progress, the Air Force Research Lab awarded Two Six Labs a contract in July worth $95 million.

The program is expected to factor into a larger initiative known as the Joint Cyber Command and Control, which is in its nascent stages and already behind schedule. In addition, because of its emphasis on planning, IKE could serve as the foundation for this new command and control system for the military’s cyber teams.

While leaders have released few details about IKE or JCC2 — cyber officials in the military rarely discuss the tools of their trade — the contract offers clues about the broader infrastructure Cyber Command is building and the gear cyberwarriors need.

Since it was created in 2009, Cyber Command has largely relied upon the intelligence infrastructure of the National Security Agency. While the tools the Army uses to fight, for example, are well known — think the Stryker Combat Vehicle, the Apache helicopter or blue force tracker — it is less clear what types of systems or infrastructure the military’s cyberwarriors use. This picture is coming into focus.

Industry and government sources told Fifth Domain how Cyber Command’s views on these programs has evolved. Years ago, military leaders preferred a vaguely defined scope of work that encompassed all of Cyber Command’s capabilities and development priorities. Now, the sources said, officials prefer a more refined framework within specific lines of effort.

Consider Unified Platform, which was often described as a system to plan cyber operations, serve as a home to tools, act as a platform to launch effects and serve as a way to ingest data.

But because of a lack of clarity about how cyber weapons will work together, that program was often conflated within the national security community with the Military Cyber Operations Platform, said Lt. Gen. Stephen Fogarty, the head of Army Cyber Command. Fogarty previously served as chief of staff at Cyber Command.

While MCOP can be thought of as an umbrella, Unified Platform should be viewed as one component that’s enveloped by that strategy. MCOP had been described as the sum of portfolios and capabilities within Cyber Command’s capabilities directorate.

“What I think we’ve got to ensure is we don’t make [Unified Platform] so large that it just becomes unsustainable ... this very bloated program,” Fogarty said.

As a result, Cyber Command leaders refined the concept for Unified Platform. Officials now describe the program as consolidating the spread of big data tools used by Cyber Command and its subordinate organizations. These platforms provide storage, analytic and some visualization tools regarding information flowing in and out. The setup it allows forces to share information more easily, to analyze data being pulled in and to build tools that can be used across the service cyber components.

In the meantime, Cyber Command leaders rebranded MCOP as the Joint Cyber Warfighting Architecture (JCWA) serving as the overarching strategy to help guide development, shape programs and prevent the services from building their own one-off tools that don’t play well with others. The architecture also offers better oversight of the cyber arsenal.

“We’re still going to keep Unified Platform as the centerpiece, this data center, the data structure at the center of all that. So it’s really MCOP and JCWA are the same,” George Franz, former director of operations at Cyber Command, told Fifth Domain in a July interview.

No cyber planning tool

One of the five pillars of the new architecture is joint command and control.

Cyber leaders have had some command and control capabilities in the past with a program called Centropy. Centropy is described in DoD budget documents as a “Cyber C2 system that provides oversight and management of operational readiness.” In other words, the tool provided commanders the status and health of cyber teams so they could have better oversight of who’s available to conduct missions.

However, details are scarce and any mention of the program and its ongoing work disappears from budget documents after fiscal year 2019.

Project IKE will offer officials the ability to plan, launch and command operations and forces, something they don’t fully have now.

“IKE will provide cyber command and control and situational awareness across the whole of DoD’s Cyber Mission Force,” a Pentagon spokesman said. “The objective of IKE is to develop automated artificial intelligence/machine learning techniques to assist human understanding of the cyber battlespace, support development of cyber warfare strategies and measure and model battle damage assessment.”

The goal for Plan X, IKE’s predecessor, was to create a system in which the service cyber components could operate under a single planning construct, Frank Pound, Plan X’s program manager at DARPA, told Fifth Domain.

One way Plan X could help was by automatically generating network maps because visualizing the cyber environment is a difficult problem for military leaders and teams given the flood of data from governments and private entities.

In the past, maps of enemy networks were drawn up by hand. This was problematic because it was a time intensive task and because cyberspace changes so rapidly that once a map is drawn and finished, the network may have changed.

Worse, during a morning brief at one cyber exercise, Pound remembered a service member who leaned on a whiteboard in which the team had mapped out a network and accidentally rubbed off half the drawing. That was the only copy forces had of the network.

“We have to do something better than this. That was an eye opener,” Pound recalled.

Moreover, without this type of tool, forces won’t be able to respond to threats in a timely manner.

Still, the idea of fully integrating the information the military collects is a distant vision.

“How do you take classified information, meld it with unclassified information, meld it with proprietary information from commercial partners and then send that information back out as appropriate to be helpful in each of those different sectors. If you’re going to bring all that information into the space, you need some sort of integrating cyber picture,” retired Lt. Gen. Vincent Stewart said in late 2018 while he was the deputy commander of Cyber Command.

“And guess what ladies and gentlemen? We haven’t got an integrated cyber picture. If we don’t have an integrated cyber picture and you’re moving at milliseconds, guess what, you’re reacting at that point. I’ve got to have a mechanism where we’re bringing all the of the data in … merging all of that with machine learning and artificial intelligence and sending it back out to the appropriate audiences at the right proprietary level, at the right classification level so they can take action on this.”

Joint cyber command and control

Sources with knowledge of the program have said that IKE will serve as a foundational capability for the new command and control system. Others have said IKE’s development has delayed that system.

The program, as described by fiscal year 2020 budget documents, will provide joint commanders at the theater level enhanced situational awareness and battle management for cyber forces and missions.

“JCC2 establishes congressionally directed focal point to provide integrated JCC2 solutions to all echelons for execution of cyberspace operations to enable and accelerate planning/collaboration between Cyber Mission Forces and Combatant Commands,” the documents read. “It will integrate Cyber C2 with Joint, Coalition and inter-agency C2 to enhance multi-domain operations, reduce planning time, improve decision quality and speed resulting in a shorter kill chain. Capabilities will be developed to address the Cyber Mission Forces used to conduct cyber operations.”

In the most recent budget documents, the Air Force planned to spend $11 million in research and development funds in fiscal year 2020 on the program and about $12 million each year through 2024. However, the documents note that the program has yet to go before a critical panel at the Pentagon for approval of initial requirements.

To date, at least one contract has been awarded associated with JCC2. Enlighten IT Consulting won a contract in mid-March for “Threat Awareness and Sharing Concept (TASC)” effort, according to an Air Force spokesman.

The TASC is “a year-long prototype activity focused on expanding cyber threat data sharing automation and visualization. This prototype award is but one of several parallel R&D efforts focused on further informing global Combatant Commanders on the heartbeat of cyber operations,” the spokesman said.

No comments: