This report fulfills the requirement contained in the National Defense Authorization Act (NDAA) for Fiscal Year 2014, Section 933 “Mission Analysis for Cyber Operations of the Department of Defense (DoD).” The Department undertook an accelerated but deliberate process to conduct the analysis, the outcomes of which are contained in this report. The analysis addressed each sub-section of the statute and was fully vetted across the Department. The results of this analysis reflect the Department’s current view of its requirements for successful conduct of cyberspace operations, leveraging a Total Force solution. As cyberspace capabilities, force structure, and command and control (C2) constructs evolve, the Department will conduct periodic reviews of its cyberspace requirements and adjust them as necessary.
To complete this comprehensive analysis, the Office of the Secretary of Defense (OSD) conducted a number of consultations with key stakeholders to ensure a transparent process. OSD Cyber Policy solicited input from the Reserve Forces Policy Board, the State Adjutants General, the National Guard Bureau (NGB), the Guard Senior Leadership Council, the Department of Homeland Security (DHS), and States, through the Council of Governors (CoG). Through these engagements, the Services, OSD, the Joint Staff, the National Guard Bureau, U.S. Cyber Command (USCYBERCOM), DHS, and the States provided the data and analysis that form the backbone of this report. This report reflects the Department’s current view, and is expected to change as circumstances require. The findings reflect the assessment done to date.
First, the Department assesses there can be advantages to using reserve component (RC) resources for Cyber Mission Force (CMF) missions, such as providing load sharing with active duty forces, providing available surge capacity if authorized to activate, and maintaining DoD-trained forces to defend national critical infrastructure, if authorized. Several factors should be considered when determining the CMF force structure and the mix within the Total Force. These factors include whether the position is military essential, peacetime and wartime demands, deployment frequency and duration, speed of response, unit readiness for specific mission sets, and costs.
To that end, there are five key recommended ways forward for the Department as it considers the future of DoD cyber operations, discussed in detail in the “Department’s Assessment” section.
1. National Guard personnel could focus on coordinate, train, advise, and assist (C/TAA) support roles when directed by their Governor or Adjutant General if in State active duty status or, if authorized by DoD, in Title 32, U.S. Code, status.
2. The Services’ proposed plans to integrate approximately 2,000 RC personnel into the cyber force structure adequately address the opportunity for surge support and additional Service Cyber Protection Team (CPT) support in the near-term.
3. Cyber forces require consideration of a persistent training environment.
4. Because there is no command and control over National Guard cyber forces in Title 32 or State active duty status, policies and processes must be clarified to ensure unity of effort by DoD forces and State National Guard forces.
5. The Military Departments/Services may require additional flexibility in civilian hiring authorities.
Although the Department assesses these are the right steps to date, it recognizes that additional analysis is necessary, and will reassess and adjust in Fiscal Year 2016 and in other future budget submissions, once the CMF is well on its way to being fully manned, trained, and equipped to ensure that we have the most effective workforce to conduct DoD cyber operations.
Cyber is a dynamic domain, and, therefore, additional research needs to be completed to determine a number of elements directed in the reporting requirements, including better understanding civilian requirements, understanding the exact equipping needs of the CMF, and the appropriateness of hiring part-time, non-dual status technicians on a temporary basis. It is expected the Department’s assessment will mature, and the approach will adapt as this operational domain matures, our forces become operational, and the threat landscape evolves.
In 2014, the Director of National Intelligence identified cyber threats first among the strategic threats to the United States, surpassing terrorism. Hostile actors use cyberspace as an asymmetric capability to strike the U.S. homeland and U.S. interests, directly and indirectly. Globally important critical infrastructure is vulnerable to cyber attacks and malicious cyber activity, placing military missions and economic systems at risk. Hostile actors engage in espionage in cyberspace by stealing defense-related intellectual property and trade secrets.
Some nations target U.S. partners with the intent to attack networks and to manipulate command and control and logistics data, which could adversely affect the U.S. military’s ability to mobilize its forces in the event of a contingency, and then could amplify the effects through propaganda and information control. They also steal information unrelated to national security, such as proprietary economic and commercial information, which is then provided to competing companies in their countries.
The Department of Defense (DoD) is developing cyber forces to ensure and enhance military capabilities in all domains, provide cyber options for the President, and defend the nation against cyber attacks and cyber adversaries.
Policies, Oversight, and Relationships
Policy & Doctrine: Since establishing U.S. Cyber Command (USCYBERCOM) in 2010, the Department has developed policy and doctrine to determine how to operate in cyberspace, including Joint Publication 3-12, “Cyberspace Operations,” and the 2011 Department of Defense Strategy for Operating in Cyberspace (DSOC).
In 2012, the Secretary of Defense approved the Cyber Mission Force (CMF) concept, dedicating resources to establish cyber teams in support of defending DoD networks, degrading adversary cyber capabilities, and supporting defense of national critical infrastructure. Since then, the Department has developed the “Cyber Force Concept of Operations and Employment” (CFCOE), a comprehensive, evolving document defining CMF teams’ roles, functions, and operational processes. The knowledge, skills, and abilities required for each cyber mission force work role (i.e., position) were defined in the “Joint Cyberspace Training and Certification Standards” (JCT&CS). The ability to assess individual and team readiness using a common set of joint tasks, conditions, and standards for all cyber mission team positions was defined in the “Cyber Mission Force Joint Training and Readiness Manual” (T&R Manual). To improve the quality, sufficiency, and efficiency of training, the Cyber Training Advisory Council (CyTAC) was established. Tri-chaired by representatives from USCYBERCOM, the Office of the Under Secretary of Defense for Personnel and Readiness (OUSD(P&R)), and the DoD Chief Information Officer (CIO), and in coordination with the Military Departments/Services, the CyTAC identifies, reviews, and assesses training requirements and standards for evaluation. It also addresses gaps between current and future cyberspace training capabilities. In addition, the DoD Enterprise Cyber Range Environment (DECRE) is a governance structure construct that synchronizes efforts to promote effective and efficient utilization of secure, operationally realistic, and technically representative replications of the cyberspace domain.
In response to Section 932 of the National Defense Authorization Act (NDAA) for Fiscal Year 2014, the Secretary of Defense designated the Assistant Secretary of Defense for Global Strategic Affairs as the principal cyber advisor (PCA). In coordination with the Chairman of the Joint Chiefs of Staff (CJCS), the Combatant Commanders, and USCYBERCOM, the PCA will serve as the principal advisor to the Secretary on policies related to the CMF. In response to the Fiscal Year 2011 NDAA, Section 933, the Department established the Cyber Investment Management Board (CIMB) to facilitate alignment of Department cyber activities across science and technology (S&T), requirements, acquisition, development, test and evaluation (T&E), and sustainment. As an advisory board to key senior level Department decision-making bodies, the CIMB serves to ensure cyber investments are effectively planned, executed, and coordinated across the Department. The CIMB has met twelve times since its inception and has provided senior DoD leaders with an in-depth understanding of the Department’s existing requirements baseline and current and planned investments in capabilities for cyberspace operations. To inform this process further, the Department recently established the DoD Cyber Operational Capabilities Board (COCB) to provide Combatant Commanders a forum to inject operational requirements into the acquisition process.
Federal Cybersecurity Partnerships: DoD is one component of the Federal cybersecurity team that addresses cyber threats to the United States. The Federal cybersecurity team includes:
- Department of Homeland Security (DHS): protects against, mitigates, investigates, and recovers from domestic cybersecurity incidents;
- Department of Justice (DoJ): investigates, attributes, disrupts, and prosecutes cybercrimes and domestic national security incidents; and
- Department of Defense (DoD): defends the nation from attack, secures national security and military systems, and protects information on Defense Industrial Base (DIB) systems.
State-Federal Partnerships: The Council of Governors (CoG), a bipartisan body of ten governors, was established by the President in 2010 for the purpose of further strengthening the partnership between the Federal and State governments to protect the United States and its people and property. The CoG exchanges views and information with, and provides advice to, the Secretary of Defense, Secretary of Homeland Security, and other senior Federal officials on matters regarding the National Guard, homeland defense, civil support, and synchronization and integration of State and Federal military activities within the United States. In February 2013, the CoG, on behalf of State Governors, and the Department approved the “State-Federal Consultative Process for Programming and Budgetary Proposals Affecting the National Guard,” which established a sustained process to meet, confer, and exchange views and information in advance of the DoD determining programming and budgetary requirement priorities. This Consultative Process provides ways for Governors, through the Council of Governors and the Chief of the National Guard Bureau, to provide the States’ assessments and requirements to DoD. The process also enables DoD to understand States’ requirements more fully and to include these requirements for consideration in DoD’s Planning, Programming, Budgeting, and Execution process. In July 2014, the CoG, DHS, and DoD approved the “Joint Action Plan for State-Federal Unity of Effort on Cybersecurity.” This Joint Action Plan is a commitment by the States, DHS, and DoD to work together to improve the nation’s cybersecurity posture. It establishes a framework to guide State-Federal discussions in areas such as information sharing, operational coordination, and incident response. Similarly, the National Guard (NG) continues to play an important role bridging the gap between State and Federal governments as an established and trusted ally of both communities.
The strength of the NG derives from its roots in local communities. National Guard personnel are often community leaders who have direct connections with local industries and government officials and serve as the face of the DoD to our citizens. They are trusted members of communities who put on the uniform in times of natural disaster, as well as answering the call to duty for wartime missions. These community ties contribute to DoD integrating best practices from the business, public, and private sectors into defense training and operations, and through its cybersecurity partnerships, Federal training, and operations. Integration of the National Guard is a critical enabler that has allowed the U.S. Government to ensure our Nation can rapidly respond to any threat, foreign or domestic, and achieve the goals set forth by our Federal and State leaders. The National Guard’s community presence and engagement of National Guard members in their civilian capacities in public and private sector organizations that are critical to continuity of operations at all levels of government and key private sector organizations make the National Guard uniquely able to contribute to a “whole of Government” and “whole of Nation” approach to securing U.S. cyberspace.
Allies and Partners: As directed by the President’s International Strategy for Cyberspace in 2011, the Department works with allies and partners to expand situational awareness and shared warning systems, enhance cooperation in times of peace and crisis, and enable self-defense in cyberspace. Such partnerships bolster collective deterrence capabilities and strengthen the ability to defend the United States against cyber actors.
Private Sector Partnerships: The Department relies on the private sector to protect sensitive data related to DoD military operations across all domains (i.e., air, land, sea, space, and cyberspace). In collaboration with DHS, DoD fosters mutually beneficial partnerships with Defense Industrial Base companies through the DIB Cyber Security / Information Assurance (CS/IA) Program. This voluntary program helps protect DoD information residing on, or passing through, DIB company systems by facilitating information sharing between participating companies and DoD, as well as among fellow participants. As an optional component to the DIB CS/IA program, DoD developed the DIB Enhanced Cybersecurity Services (ECS), which furnishes classified cyber threat and technical information either to a DIB company or to the company’s commercial service provider to counter malicious cyber activity in order to improve industry’s ability to protect sensitive information related to DoD military operations.
DoD needs the ability to maintain our advantage in cyberspace, and thus, across the other four domains, by conducting cyberspace operations and supporting military operations worldwide, supporting Combatant Commanders as they plan and execute military missions, and countering cyber attacks and malicious cyber activity against the United States. Therefore, USCYBERCOM was created to centralize new and expanded cyberspace forces and capabilities under one command.
U.S. Strategic Command (USSTRATCOM): Defense against cyber threats requires the Department to strengthen its understanding of the complexities (capability and intent) of adversaries and risks to our systems to build resilience into our national critical infrastructure. The Unified Command Plan (UCP) assigns USSTRATCOM responsibility for synchronizing planning for cyberspace operations, in coordination with other combatant commands, the Services, and, as directed, other appropriate U.S. Government departments and agencies. These roles, however, have been delegated to its sub-unified command, USCYBERCOM.
U.S. Cyber Command (USCYBERCOM): USCYBERCOM has three primary missions. These missions are carried out, in part, by the Cyber Mission Force (CMF):
1. Secure, operate, and defend DoD networks;
2. Defend the Nation in cyberspace; and
3. Support Combatant Command (CCMD) full spectrum operations in cyberspace.
In December 2012, the Department approved a plan to establish a new cyber force resourced from all of the Services and NSA aligned to these three missions. Implementation of the approved CMF plan is underway with progress measured and reported on a quarterly basis.
Cyber Mission Force: The CMF is composed of three sets of forces aligned to achieve USCYBERCOM’s three primary missions. Those sets are the Cyber National Mission Force, Cyber Combat Mission Force, and Cyber Protection Force. Once fully manned, trained, and equipped in FY 2018, these 133 teams comprising the CMF will execute the three primary missions with approximately 6,200 military and civilian personnel (see Figures 1, 2, and 3 in the classified annex).
Cyber National Mission Force: The National Mission Force consists of 13 National Mission Teams (NMTs), supplemented by 8 National Support Teams (NSTs) (also called Direct Support Teams), which are designed to defend the Nation against strategic cyber attacks on U.S. interests. The NMTs are a counter-cyber force to stop cyber attacks and malicious cyber activity of significant consequence against the Nation.
Combat Mission Force: The Combat Mission Force consists of 27 Combat Mission Teams (CMTs) focused on individual CCMD requirements with the support of 17 Combat Support Teams (CSTs). The CMTs are designed to support CCMDs in carrying out approved operational plans and contingency operations with integrated cyber effects.
Cyber Protection Force: The Cyber Protection Force consists of 68 Cyber Protection Teams (CPTs). The CPTs are further divided into four mission areas: National, DoD Information Networks (DoDIN), Combatant Command (CCMD) support, and Service support. All CPT units are focused on actions internal to the defended network, which primarily is within the DoDIN unless they are separately authorized to defend non-DoD networks. The core capabilities of these teams are mission protection, discover and counter infiltration, cyber threat emulation, cyber readiness, and cyber support. These teams integrate and synchronize cybersecurity functions such as assessments of network vulnerabilities, penetration testing, remediation of vulnerabilities, and hunting on networks for adversary activity. CPTs will protect the most critical Service, CCMD, and national security networks (when authorized), as well as the DoDIN, supplementing their defenses. Additionally, CPTs will share malicious signatures and other indicators with interagency partners and appropriate critical infrastructure entities. There will be 18 national CPTs, six CPTs assigned to protect and defend the DoDIN, 24 CPTs for Service networks, and 20 CPTs for CCMD networks. The 18 national CPTs will work closely with the NMTs to understand specific adversary tactics, techniques, and procedures and capabilities to develop mitigation techniques (see Figure 2 in the classified annex for detailed graphic).