29 January 2020

What new documents reveal about Cyber Command’s biggest operation

Mark Pomerleau

New documents provide insight into the growing pains U.S. Cyber Command faced in building a force while simultaneously conducting operations.

The documents, which were released as part of a Freedom of Information Act request from the National Security Archive at George Washington University and later shared with journalists, are a series of internal briefings and lessons from the Defense Department’s most complex cyber operation at the time, Operation Glowing Symphony.

That operation was part of the larger counter-ISIS operations — Joint Task Force-Ares — but specifically targeted ISIS’s media and online operations, taking out infrastructure and preventing ISIS members from communicating and posting propaganda.

While Cyber Command described the operation, which took place in November of 2016, as a victory in the sense that it “successfully contested [ISIS] in the information domain,” the documents demonstrate the extent to which the command was still learning how to conduct operations and the exact steps to follow.


“Process maturation is something they pull out a lot. Obviously, as CYBERCOM was standing up, it was pulling together plans for how they were going to operate. They actually hadn’t operated that much,” Michael Martelle, cyber vault fellow at the National Security Archive, told reporters. “A lot of these frameworks were formed in theory. Now they go to try them out in practice.”

Cyber Command leaders have stressed in public remarks for years that the command was building its force while operating. But the extent of those operations has been limited. Officials in recent years have explained that the command didn’t undertake many offensive operations. One official said last year he could count on less than two fingers the number of operations, Cyber Command conducted in the last decade or so. One member of Congress said DoD didn’t conduct an offensive cyber operation in five years.

But when they were in action, in this case with Operation Glowing Symphony, Martelle said the documents show cyber leaders did not anticipate the amount of data they would access.

“They actually weren’t prepared for the amount of data they were pulling off of ISIS servers … CYBERCOM was not set up for an operation of this magnitude from day one,” he said. “They had to learn on the fly, they had to acquire on the fly, they had to grow on the fly.”

The documents note that Cyber Command’s capability development group, is “developing USCYBERCOM data storage solutions.”

The capabilities develop group, now known as the J9, serves as the advanced concepts and technology directorate and worked to plan and synchronizing cyber capability development and developed capabilities to meet urgent operational needs.

Experts had noted that in the past the CDG/J9 had been stressed in recent years by a limited staff and burdened by developing tools for operational needs, namely Joint Task Force-Ares.

Another example of potential growing pains the documents point to was the fact that updates to operations checklists were not made available readily to the team.

Finally, the documents note that authorities and processes the command was operating under that the time were restrictive in some cases.

“Absent of significant policy changes from [the office of the secretary of defense], USCYBERCOM is limited in its ability to challenge ISIS [redacted]. As a result, USCYBERCOM has [redacted] to achieve our objectives,” the executive summary of a 120-day assessment of Operation Glowing Symphony says.

Those authorities and processes have been streamlined by the executive branch and Congress in recent years.

The command wants to support its J9 advanced concepts and technology directorate.

Commanders now follow a process that defaults toward action, Maj. Gen. Dennis Crall, deputy principal cyber adviser and senior military adviser for cyber policy, said during an event Jan. 9. He explained the updated process provides continuity, tempo, pace and timing.

Ultimately, Martelle noted that the real importance behind Operation Glowing Symphony is that Cyber Command used the experience from those events and Joint Task Force-Ares more broadly as a template for future operations.

Cyber Command’s top official, Gen. Paul Nakasone, who was also led Joint Task Force-Ares, has noted that the task force laid the foundation for the Russia Small Group, which was created to combat election interference in the 2018 midterms.

“This concept of a task force lives on. A lot of that thinking came from what we were doing in 2016,” he told NPR.

That task force has now evolved to be more all encompassing covering election threats more broadly.

No comments: