Soldiers with the 780th Military Intelligence Brigade conduct cyberspace operations during a training rotation at the National Training Center at Fort Irwin, California, in January 2016. The Fort Meade, Maryland-based 780th was one of several cyber o... (Photo Credit: U.S. Army)

DARPA's PlanX program is working to help military cyber operators visualize the cyber battlespace and perform missions there based on an established cyber framework and a common operating picture. PlanX engineers are developing platforms that DOD wil... (Photo Credit: U.S. Army)

Army Cyber Protection Team members use PlanX at a recent surge week, one of the development methods used to create and improve the system. First used by software and system developers in Silicon Valley, surge weeks are designed to gather user feedbac... (Photo Credit: U.S. Army)

By incorporating information like this screenshot, which shows a view of the battlespace and the status of executed COAs, PlanX allows warfighters to plan and conduct cyber missions based on the defense of key cyber components such as mail and file s... (Photo Credit: U.S. Army)

Portraying maneuver warfare in the cyber domain is a difficult thing to do. After all, how can you show maneuver in cyberspace? There are no tangible flanks to defend, no rivers to cross and no visible military camps to target or avoid. But cyberspace presents our forces with vulnerabilities that nonetheless are critical to protect.

Providing Soldiers with a common operating picture (COP) in cyberspace is imperative to planning, integrating and executing cyber operations. This so-called cyber COP must display the status of weapons, provide situational awareness of friendly and enemy cyber activity, enable command and control of cyber effects and allow collaboration between commanders. Until recently, this picture was not only tough to portray--it didn't exist.

Now, by merging computer science with military science, the cyber COP is becoming viable through a battle management system known as PlanX. With PlanX, commanders can see the cyber terrain much the same way they would view a battlefield and synchronize cyberspace effects with key related warfighting functions such as fires, intelligence, signal, information operations and electronic warfare.

The Defense Advanced Research Projects Agency (DARPA) developed the PlanX platform and plans to transition it to the Army in the next fiscal year. The platform and accompanying strategy aim for balance between equipping the cyber force with off-the-shelf capabilities to satisfy immediate operational needs and knowing that some capabilities will need to push the envelope so the Army is not buying yesterday's technology to meet current and emerging threats. Unlike the myriad individual tools fielded to the cyber force to date, PlanX lays a common foundation that captures the essence of the military decision-making process and equips operators with the tools needed to view cyber terrain, reason about cyber activity and fight with cyber capabilities.


As the Army prepares to operate in a contested, multidomain arena that combines land, air, sea, space and cyber, PlanX crosses an important threshold in making cyber operational at the tactical level. For the acquisition community, it also serves as a new approach to attaining emerging cyber capabilities that are needed quickly.

In developing PlanX, DARPA worked closely with the U.S. Army Cyber Protection Brigade, Army Cyber Command (ARCYBER), the assistant secretary of the Army for acquisition, logistics and technology, and multiple program executive offices to ensure that the capability met operational needs for the Army's cyber force. But unlike the existing tools in the Cyber Protection Brigade arsenal, which are used mainly for specific functions such as surveying and securing, PlanX lays an integrated foundation for executing, collaborating, planning and managing a wide range of operational cyber activities. It also integrates cyber into the fighting mindset by making it easier for Soldiers to visualize networks as key terrain they are charged to protect.

To provide a common foundation and operational platform, PlanX integrates new and existing cyber tools, and enables collaboration across multiple teams operating simultaneously. Tools are selected automatically based on mission-specific plans--a vital time-saving capability in the cyber realm, where vulnerabilities can be exploited within seconds. The tools then are deployed to monitor, survey and map target networks to detect disruptions and irregularities, and determine whether those anomalies are malicious.

Think of it as defending an Army unit out in the field. Just as a stray dog could break a perimeter with no malicious intent, network disruptions can also be just that: a glitch. With PlanX, the cyber force will have a common operating picture of information--portrayed through standardized icons, intuitive graphics and symbols--to illustrate network irregularities and relationships, allowing Soldiers to determine the nature of the threat and act accordingly. Perhaps even more powerful, PlanX promotes a shared understanding of cyberspace by "baselining" the networks so cyber protection teams can quickly visualize and identify anomalies. "Baselining" cyber terrain, or determining which critical assets to defend, is no different from establishing the engagement area for any defensive operation.

This visualization component is also a key driver in ensuring that the capability is embraced not only by the most skilled, experienced cyber Soldiers, but by other operators as well. To make PlanX as intuitive as possible, DARPA developers sought to abstract and automate burdensome or complex tasks and functions. They also conducted training and war-gaming to enable rehearsals in virtual ranges while measuring performance and evaluating actions, so that commanders, operators and analysts can collaborate and make informed risk decisions. Focus areas within the ranges include mission rehearsal, operator training and malware analysis, which are used to test the simulations and understand the results.


While PlanX is turning heads due to its capability alone, it also is being closely studied by acquisition officials, including those in the Army Rapid Capabilities Office, who believe it could serve as a model for quickly prototyping and transitioning emerging technologies. Stood up in August 2016, the Rapid Capabilities Office is focused on rapid prototyping and initial equipping of capabilities, targeting the areas of cyber, electronic warfare, survivability and positioning, navigation and timing, as well as other high-priority projects designed to enable Army operations in contested environments. The office is watching how parts of the technology could possibly be delivered as a prototype or initial build, which could mature over time through incremental improvements delivered in partnership with the Army's acquisition and science and technology communities.

Rare among military acquisition projects, PlanX fully embraced innovative development methods straight out of Silicon Valley. Take, for example, the surge weeks, "user jury" type events that spur a constant and rapid cycle of improvement. The process follows a six-week rotation, kicked off when DARPA takes the latest software build of PlanX to the Cyber Protection Brigade so commanders and operators can use and experiment with it. Their feedback informs future development sprints of PlanX by identifying and prioritizing feature requirements, which are then incorporated into the development schedule and demonstrated during the next surge week. The first three surge weeks produced almost 300 feature requests and identified bugs that brought refinements to PlanX components, including the COP, battle tracking methods, force management and threat overlays.

This quick and continuous interaction between DARPA, serving as the developers, and the Cyber Protection Brigade, serving as the operators, is known in the computer gaming community as DevOps, a mashup of the terms "software development" and "information technology operations." In the gaming world, if the operators or customers aren't happy or if the product is not intuitive to operate, the game is not getting played and the online reviews are largely negative. This constant feedback pushes game developers--and other cutting-edge companies such as Facebook--to change code daily. Sometimes, the user is unaware of those changes. Other times, the changes are announced as an upgrade. Either way, DevOps represents constant and rapid change based on steady interaction with operators.

DARPA is also spreading this mindset in the Army development community by conducting regular PlanX App Boot Camps, where software engineers demonstrate the ease of building and integrating tools within the PlanX system. Also, recognizing that PlanX is an operational tool that will need to work in a system-of-systems environment, DARPA participated in Cyber Guard and Cyber Flag, annual exercises aimed at dealing with cyber threats, and Hackathon, a weeklong exercise held in Arlington, Virginia, to learn how to detect unfriendly network intrusions, for additional feedback on PlanX. Not stopping there, DARPA also brought in third-party red teams to hack the software, giving a fresh set of eyes the opportunity to find new vulnerabilities.


With a planned transition in September to the Program Executive Office for Enterprise Information Systems' (PEO EIS) Project Manager for Installation Information Infrastructure Communications and Capabilities (PM I3C2), PlanX will soon graduate from prototype to program. It will be part of the Army's Defensive Cyber Operations Mission Planning solution, which provides an application-based, scalable, secure warfighting capability to support cyberspace operations, mission command and planning at the global, regional and local levels.

The transition represents a significant milestone for the Army. PlanX was built with a "DARPA hard"--or extremely difficult to achieve--hypothesis: to determine if a system could abstract and interact with cyberspace in such a way that users could apply the military science of maneuver-centric warfare to cyber operations. Now, with only a few months remaining before the program transitions to the acquisition arena, the Army is set to gain a system that could serve as its baseline mission command system for cyberspace operations.

Technology maturity will be key to the success of the PlanX transition, and PM I3C2 has been engaged in the program since its beginning. An initial technology readiness level assessment was conducted with Carnegie Mellon University in the first quarter of FY17, and PM I3C2 will continue to assess the technology throughout the next several months with key stakeholders by leveraging developmental and operational assessments to ensure that the technology is ready for transition to production and deployment.

Another critical aspect of the transition is requirements planning and documentation. Recognizing that the development of information systems is quite different from that of a major weapon system, the Army is using the proven Information Technology (IT) Box approach for its defensive cyber operations capability requirements. This construct provides the flexibility needed to meet the challenges of cyber. The IT Box breaks down the information system initial capabilities document into deliverable increments, based on requirements definition packages, and uses periodic capability drop documents to make changes to a baseline product. This approach allows the Army to adjust and upgrade PlanX and related capabilities more quickly to keep pace with evolving technologies and threats.


Army Cyber Protection Team members use PlanX at a recent surge week, one of the development methods used to create and improve the system. First used by software and system developers in Silicon Valley, surge weeks are designed to gather user feedback about system functionality. That feedback is used to identify and prioritize new requirements, which then are incorporated into the development schedule and demonstrated during the next surge week. (U.S. Army photo)


With global threats changing rapidly, the Army recognizes the need for increased readiness in cyberspace, including across DOD's Cyber Mission Force. PlanX supports several of Army Cyber Command's operational priorities for designing, building, delivering and integrating capabilities for the future fight. Going forward, PlanX will likely inform future offensive cyber operations capabilities as well.

At the same time, PlanX shows how Army acquisition can balance initial capability to satisfy requirements while also laying the groundwork to adopt emerging technologies quickly. Industry already does this, and the Army's broader cyber community is watching and listening. With DARPA's agility setting the stage for further improvements at PEO EIS, tomorrow's Soldiers could have a cyber COP and common foundation that is just as familiar as physical terrain--and corresponding capabilities to defend, fight and win on this newest field of battle.

This article is scheduled to be published in the April -- June 2017 issue of Army AL&T Magazine.
