By Lt. Col. Jason A. Dickinson, PhD
December 4, 2016
CAMP ARIFJAN, Kuwait -- Today's world operates in an increasingly complex and rapidly changing electronic environment. Cyberspace remains the U.S. military's most difficult domain to protect. The enemy can operate within it from anywhere in the world, and in cyberspace it is nearly impossible to gain and maintain dominance. The U.S. Army's Chief Information Officer, Lt. Gen. Robert Ferrell, addressed this complex dilemma while describing how to shape the network for future operations:
"The Army must continue to seek and evaluate emerging technologies in order to constantly modernize our network and maintain our technological edge. One development the military must closely watch is the growing availability of ever-increasing data processing power and faster transmission speed at lower cost. This trend not only creates an easily accessible information-rich environment, but also gives resource-poor states, criminal organizations and even individuals access to capabilities traditionally monopolized by advanced countries. The pace of innovation in information technology is increasing the pace of operations, and our adversaries' ability to influence our operating environment."
A key missing link in protecting against adversaries is the production of timely intelligence reports on cyber threats. The Theater-Defensive Cyberspace Operational Intelligence Support (T-DCOIS) provides a solution to that very problem. It began as a U.S. Army Intelligence and Security Command (INSCOM) pilot program in October 2015, and has since rapidly evolved into a top-priority focus for intelligence operations, garnering major support from the U.S. Army Cyber Command (ARCYBER). The T-DCOIS strikes a required balance between two fields that are both essential to success in a complex task. Intelligence professionals exercise intuition, recognize patterns of behavior, and view situations through many different lenses, as they possess a thorough understanding of the cultural norms in which they work. These Soldiers bring the art of analyzing cyber threats to produce useful reports. Network professionals have the technical skills to apply the necessary science in tracking the adversaries' activities within the cyber domain. Through their unique skill sets, the enemies' capabilities, techniques, and procedures can be measured and codified. This brings together the essential team of professionals to gather data and analyze it, producing the reports on cyber threats and closing a major intelligence gap.
The T-DCOIS concept is simple. It places intelligence professionals and their systems' analytical tools and information report sharing capabilities within the cyber operations domain. Network data is delivered to this team from a crew of cyber technical experts. Research and information are leveraged from multiple intelligence sources in a cycle of requests for information and answers. Finished intelligence production occurs based on threat activity analysis and the adversary's intent. The team then assesses attribution for the cyber-attack and is able to create an overall assessment of the enemies' capabilities. This process theoretically shapes future network defensive and offensive operations. However, the greatest challenge to effectively fusing intelligence with cyber operations remains countering the desire to fit adversaries into neat little diagrams, as one would in conventional rather than asymmetrical warfare. Understanding the process, while keeping a readily adaptive freedom of maneuver, is needed to maximize a team of teams. In fact, retired Army Gen. Stanley McChrystal authored the book "Team of Teams," conceptualizing this very idea within the special operations community.
There are no doubts among senior leaders that the military still faces large gaps in successfully maneuvering in cyberspace. While the Department of Defense works diligently to collect and train the most agile operators in the world, it misses the mark due to its recruitment issues in attracting the necessary workforce. Emerging technologies and threats drive the necessity to improve force capabilities. Unfortunately, there remains a negative perception amongst needed professionals, who may not want to wear a uniform to work, or receive a reduction in pay compared to what one can potentially earn as a civilian information technology (IT) professional.
Additionally, training those who have the requisite knowledge within our ranks is not as easy as it would seem. There is a language barrier of sorts between "geek speak" and intelligence writing. The Army has developed courses in the field of intelligence currently being provided to signal Soldiers. In turn, IT certificate accreditation is offered for intelligence professionals. This two-way educational training benefits the force greatly and serves as the foundation for the T-DCOIS. A small group of binary-speaking intelligence professionals, together with their Defensive Cyber Operations (DCO) colleagues, is beginning to forge the way in identifying adversaries who hope to gain access to valuable information or disrupt military operations.
The team generally consists of four to six intelligence analysts, paired with 12 or more network defense IT professionals who make up the DCO, and in some cases is augmented with Army Reservists. The 513th Theater Intelligence Brigade's motto, "Strong Partners!" rings true as the brigade supplied soldiers for training without hesitation and deployed them to theater, supporting the stand-up of the T-DCOIS. The 513th's swift actions resulted in a rapid operational timeline, as the Southwest Asia Cyber Center (SWACC) T-DCOIS' initial operating capability was reached nearly two months ahead of schedule. The 335th Signal Command Theater Provisional also contributed to this commitment by allowing its G-2 to head the team until additional employees could be brought on for mission sustainment.
Thus far, the T-DCOIS' success in conducting cyber operations has come from providing common training in both intelligence and signal fields from Project Foundry and the ARCENT Signal University. Additionally, communication between the Defensive Cyber Operations Directorate (DCOD) and the T-DCOIS workforce is crucial. These arts and science professionals work together, side by side, to maintain that vital communication and produce accurate reports. The cycle of the DCOD recognizing malicious or suspicious activity allows the T-DCOIS to execute intelligence reporting with the goal of gleaning enemy attribution and intent.
There are various actions that go into securing DOD networks as well, such as regular standardization and modernization arrangements. The ultimate goal is to provide the most strategic network possible across all echelons and formations, to allow for faster, better-informed decision-making by maneuver commanders, without sacrificing the security of this information.
The Commanding General of the 335th Signal Command Theater Provisional, Brig. Gen. Stephen Hager, verbalized the importance of defending the network with the most enhanced available technology:
"The 335th Signal Command Theater Provisional has always been customer-focused. To remain so, we need to be able to modernize the communications infrastructure and test it at a more rapid pace for implementation. This enables our ability to better refine data sets for intel folks to analyze, without looking through false positives of irrelevant data sets. The T-DCOIS adds important capabilities to our security and when paired with infrastructure improvements, such as the Joint Regional Security Stack (JRSS), the command gets closer to its overall goal of reducing our soldier footprint abroad while maintaining a secure network."
JRSS presents an important change to how traffic flows across military networks and is a large step forward in achieving a global network. It converts complex traffic paths throughout cyberspace to a more efficient, streamlined process while also maximizing passive and active security features. By analogy, it is like moving motor vehicles from numerous jam-packed highways onto a faster interstate system with high-occupancy vehicle (HOV) lanes. The traffic can also be prioritized and secured with additional features like state troopers and highway patrolmen. This is a drastic change to the DOD network's current traffic flow, where requests pass through multiple security features that are often redundant and create incessant traffic jams.
The cyber domain brings many benefits to the warfighter, but with its added value and advantages come multiple opportunities for high-consequence risk. In today's operating environment, necessary strides must be taken if the DOD and its military organizations are to remain fully functional in a more efficient and secure network environment. Collaborative efforts between the U.S. Army's signal and intelligence communities are achieving sizable feats in securing the DOD network and protecting the American public with our Team of Teams.
INSCOM Deputy Commanding General, Brig. Gen. Robert Michnowicz, precisely summed up the T-DCOIS cyber efforts while conducting a leaders' professional development session for soldiers of the 335th Signal Command Theater Provisional in Kuwait:
"At the end of the day, cyberspace is a component of maneuver space. We need to take and maintain the initiative, supporting the Army core competency of combined arms maneuver in the cyber environment. Only in this way can we leverage cyber and intel to provide targeting capabilities, and achieve lethal and non-lethal effects against our adversaries. Semper en hostes! (always into the enemy)."
Steady improvements are being made to the T-DCOIS at a very rapid pace. Although the teams are not perfect, their results are getting better every day. Together, through continued partnerships, these teams will not only keep the DOD network secure, but will ultimately provide an advantage in cyber operations.