Training Cyber Warriors

Chuck Weirauch overviews the situation and discusses USCYBERCOM training issues with J7 Col. George Lamont.

In 2013, the Obama Administration alleged China, Russia and Iran had hacked into US government and defense contractor computer systems. Cyber attacks continue. There is every indication that they are on the increase, with literally millions of attempts by hackers to disrupt military and civilian operations almost every day around the world. What could be the next Cold War, the cyber war, is already upon us with the potential to cause more strategic and economic damage and chaos throughout the world than any "hot" war in the past.

In response to this growing threat to US national security, the $1.1 trillion US 2014 Fiscal Year Budget recently approved by Congress and signed by President Obama reportedly appropriates $13 billion of the Department of Defense's $487 billion allocation to cyber security. While this amount is spread among all of the country's national security agencies and each military service's cyber operations, it is notable that the US Cyber Command (USCYBERCOM) will receive $447 million in FY 2014, more than double its 2013 funding of $191 million.

With the DoD declaring that cyber attacks are a top security threat, USCYBERCOM is anticipating rapid growth, predicting an increase in its workforce from the current 900 employees to 4,900 by 2016. In addition, each US military service expects to significantly expand its cyber security workforce by that time as well.

Mission focus

The core of the USCYBERCOM mission is to defend DoD information networks against cyber attacks. In addition to defensive operations, however, the Command also plans and conducts offensive "full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US and Allied freedom of action in cyberspace and deny the same to adversaries."

According to the Command's Web site, USCYBERCOM's mission includes "unify the direction of DoD cyberspace operations, strengthen DoD cyberspace capabilities, and integrate and bolster DoD's cyber expertise." USCYBERCOM is also tasked with designing the DoD cyber force structure, along with the development of training requirements and certification standards for the US service cyber elements, These service elements include the Army Cyber Command (ARCYBER); the Air Force Cyber Command (AFCYBER); the Navy's Fleet Cyber Command (FLTCYBERCOM) and Marine Forces Cyber Command (MARFORCYBER). All of these elements conduct training programs for their own cyber warfare personnel.

Cyber Training and Exercise Environments

Cyber security experts point out that the simulation of cyber warfare is critical to decision-makers in developing strategies and tactics for offensive and defensive operations, and essential for cyber warfare training. After several months of initial individual and simulated Internet team training, US cyber warriors throughout the DoD and other government security agencies can participate in networked live joint training exercises known as Cyber Flags. These annual events are planned and coordinated by USCYBERCOM. The goal of the exercises is to deter and/or defeat a cyber attack against a DoD installation, while developing both offensive and defensive strategies and tactics to combat new types of threats.

These exercises are conducted on military service networks, one of which is the Air Force's Simulator Training Exercise (SIMTEX) range at Scott Air Force Base in Illinois. During Cyber Flag 1-13, the SIMTEX Range Global Internet (RGI) capability was employed to provide a realistic World Wide Web framework that allows for training in an environment similar to the live Internet. When conducting training via the RGI feature, users experience the same environment as if they were on the real Internet, including social media sites. The Air Force frequently uses SIMTEX for the training of its own cyber security personnel.

USCYBERCOM Training

Colonel George H. Lamont, US Air Force. Image Credits: US DoD

To gain an insight as to the overall USCYBERCOM training effort, MS&T interviewed Air Force Col. George Lamont, who has been its Director, Exercise and Training (J7) since that Command became operational in 2010. Col. Lamont is responsible for planning, direction and execution of operational training, exercises and other events to maintain, assess and certify USCYBERCOM force readiness. Colonel Lamont works with Combatant Commands, DoD components, United States government agencies and private industry to develop, manage, schedule, and conduct individual, staff and collective joint training events as directed by the Commander.

MS&T: How much of a role does simulation-based courseware play in cyber warfare training?

Our current focus is using simulation-based technology for collective training; however, we are looking to leverage this technology to accelerate individual training opportunities as well. Because most training is done on closed networks, it is necessary to simulate network activity to make the training environment more realistic. At times, we also use simulated malware as a means to meet training objectives without unnecessarily risking the operational environment.

MS&T: Please describe the training curricula for cyber warfare personnel in terms of personnel qualifications, length of courses and areas of emphasis.

We maintain joint "common" training standards so that all of our cyberspace professionals have the same baseline of skills necessary to operate in this complex domain. Our technical tradecraft requires skills to perform tasks in information technology/ information assurance (IT/IA), certified ethical hacking (CEH), testing and evaluation, Network Defense (to include skills like auditing, incident response, infrastructure support), server administration, engineering, technical support, knowledge management, and information security.

Initial training for our cyber service members takes several months on average; that's just to get started. To be qualified at the advanced level in a joint operational environment can take several additional months depending on the particular job. We have developed the joint cyber training standards, in order for services to leverage existing solutions and develop new ones to grow required skill sets to conduct our missions. We also developed a four-phase training model to assist in meeting that goal of common individual and collective training standards for the Cyber Mission Forces:

Phase I - Feeder Courses: Individual feeder courses are based on Service cyber skill-producing training which generates initial Army Military Occupation Specialty (MOS), Air Force Specialty Code (AFSC), Navy Rating, and Marine MOS

Phase II - Foundation Training: Foundation training is designed around particular mission force work categories and common position skills training. Joint Qualification Requirements (JQR) and On-the-Job Training (OJT) provide team members mission specific knowledge and skills. In addition to individual training in Phase I and Phase II, mission specific staff/element training is interspersed in order to support the assigned team's specific mission.

Phase III - Collective: Sub-element and Team mission essential task standards are verified and validated though "mini-events", team certification events, and Cyber War Games.

Phase IV - Sustainment: Sustainment ensures training objectives in the established pipeline courses and OJT activities remain current. Sustainment requires all refresh training and certification requirements to be identified. Sustainment also helps inform mission teams career development paths. The final objective of sustainment is to advise the command on mission team readiness through assessment activities.

MS&T: What emphasis is placed over individual and team-based training?

Individual and team training are both critical to develop the technical skills needed to operate and defend DoD networks, support combatant commanders and defend the nation in cyberspace against foreign adversaries. Our cyber professionals are constantly learning, as this domain and technology are ever changing. Through direct engagement with subject matter experts across the force, we are able to identify perceived gaps, work with training providers to develop solutions, and continually improve both individual and collective training capabilities. One of the ways we have to identify collective training gaps is through exercises, such as Cyber Flag, an annual joint, interagency exercise conducted at Nellis Air Force Base.

MS&T: I have heard that in cyber warfare, a good offense is often the best defense. At what stage in training do personnel engage in exercises where they can demonstrate this strategy, and how do you train for it?

All individuals share foundational knowledge in computer network defense. Some dive deeper than others depending on the work we expect them to do, but all have a common appreciation for network defense challenges. Individuals engage in exercises to develop and demonstrate both defensive and offensive (in the form of Red Teams) abilities once all individual training is complete and they've joined a team.

MS&T: What team training exercises are scheduled for 2014, and how will they be integrated into the training curricula?

USCYBERCOM wrapped up its third-annual Cyber Flag exercise Nov. 8 at Nellis Air Force Base, Nev. The 11-day exercise integrated cyber professionals from across the Department of Defense to test their knowledge and skills against a realistic adversary on a closed network.

Joint, combined, and interagency forces fused cyber defense and offense skills across the full spectrum of operations. These forces applied new and developing tactics, techniques, and procedures (TTPs) for the Cyber Mission Force (CMF) and coalition teams, which will ultimately enable cyberspace operators to rapidly detect, assess, mitigate, and respond in real time to cyber threats to DoD networks.

Cyber Flag 14-1 participants, analyze an exercise scenario in the red flag building Nov. 5, 2013, at Nellis Air Force Base, Nev. Cyber Flag strategically focuses on exercising the command's mission of operating and defending the Department of Defense networks across the full spectrum of operations against a real

We have built a series of command exercises developed to evaluate our teams across the cyber continuum. The Cyber Knight series is used to exercise individual teams and certify their aligned mission execution. Cyber Guard is an annual opportunity to hone our ability to execute the broader ‘defend the nation’ mission with our inter-agency partners. Cyber Flag is our capstone annual event, in which we exercise a regional conflict with full-spectrum cyberspace operations combined with the ongoing ‘defend the nation’ mission. Each exercise has a different scope and purpose, yet allows the lessons learned from each to build upon and inform the next event in the continuum. We have a rigorous schedule for 2014, which will require multiple series in order to meet our training objectives.

MS&T: What types of technology are employed, will be employed in cyber warfare training or are considered to be or proven to be the most effective? Here I am asking about the use of game-based technology, virtual worlds, online courseware, debriefing tools, etc and any research or upcoming initiatives in this area.

One of the most important tools we use in training is the cyber range. The cyber range allows many participants to operate on a closed network and assess how their actions affect the network in real time.

MS&T: Are there are there any initiatives that integrate the concept of live, virtual and constructive (LVC) training?

While we are thinking about LVC concepts and continuing to evolve our training curriculum, our current focus is on training the Cyber Mission Force to the joint standards using tools already at our disposal.

MS&T: What do you consider to be some of the most vital challenges for cyber warfare training?

The biggest challenge in training is not necessarily training the force, but effective recruitment, retention, and employment to fully develop specialized expertise. With more targeted recruiting, we welcome members to the team with an already strong foundation. With a personnel model that enables competition with industry for talent, we stand a better chance of retaining the expertise we build.

There are some initiatives within the Services to potentially provide incentives for retention, and they are working on creating career paths dedicated to this mission area so our cyber warriors are competitive for promotions and awards with their peers from other areas. By growing and retaining these forces, which will eventually enter cyberspace leadership positions, we will have the professional, knowledgeable and capable force we need.

MS&T: How does and can the M&S training industry assist Cyber Command in its mission?

We work with industry in numerous ways to include our exercises as mentioned earlier (and particularly Cyber Guard, during which we have active industry participation). We also collaborate with industry along with academia and other partners to explore new and innovative ideas to improve content delivery, quality, and retention of training in this demanding and dynamic domain. This is certainly an area where modeling and simulation can assist.