Preparing for Computer Network Operations: USCYBERCOM Documents Trace Path to Operational Cyber Force

Published: May 3, 2019

Edited by Michael Martelle

For more information, contact:
202-994-7000 or nsarchiv@gwu.edu

Evolution of Cyber Mission Force and Joint Force Headquarters – Cyber portrayed in annual orders to build the force

Declassified documents give insight into USCYBERCOM Mission Essential Tasks and Operational Processes

Briefing slide reveals impact of 2013 government shutdown on USCYBERCOM training and development

US Military Cyberspace Tasking Cycle adapted from air operations; cyber operations adhere to joint targeting doctrine

OIG Report suggests development process outpaced strategic planning

Our present understanding of how USCYBERCOM conducts operations in cyberspace comes either through anecdotal examples such as JTF-ARES/OPERATION GLOWING SYMPHONY or through broad doctrine as communicated in publications like JP 3-12 Cyberspace Operations. Little has been revealed about processes linking broad doctrine and strategy to tactical operations. Today the National Security Archive publishes a collection of documents obtained via FOIA declassification regarding the process of building the Cyber Mission Force and Joint Force Headquarters – Cyber under USCYBERCOM. These documents trace the development of the US military’s first acknowledged offensive cyber force, outline the mission essential tasks and key operational processes USCYBERCOM elements are required to master, discuss the impact of US government shutdowns on the USCYBERCOM training process, and demonstrate the doctrinal roots of cyberspace tasking and targeting in fire support and airpower doctrine.

In May of 2018 USCYBERCOM announced that all 133 Cyber Mission Force (CMF) teams had reached Full Operational Capability (FOC), a major milestone in the history of the combatant command, two years after announcing Initial Operational Capability (IOC).

The CMF consists of three types of teams. The defensive component of USCYBERCOM’s mission is performed by the Cyber National Mission Force, tasked with protecting civilian networks and infrastructure, and the Cyber Protection Force, which defends Department of Defense networks. Offensive operations, under the direction of a service-specific Joint Force Headquarters – Cyberspace (JFHQ-C) in support of combatant commanders, are conducted by the Cyber Combat Mission Force.

JP 3-12: Cyberspace Operations (2018)

In March of 2013 the first task order (TASKORD) was issued with instructions for developing the CMF teams through the end of fiscal year (FY) 2013. This document, designated TASKORD 13-0244 [Document 1], ordered the service components to begin the process of building the teams, provided guidance for their integration, and designated the requirements for IOC (4.B.1) and FOC (4.B.2) thresholds.

Two months after TASKORD 13-0244 was issued, a fragmentary order (FRAGORD) was issued to modify and add sections related to service component assignments and command and control. Service cyber components received updated interim assignments to support combatant commands: Army Cyber was tasked to CENTCOM, AFRICOM, and NORTHCOM; Air Force Cyber to STRATCOM and EUCOM; Navy Cyber to PACOM and SOUTHCOM; and Marine Cyber to SOCOM. TASKORD 13-0244 was followed by TASKORD 13-0747 [Document 4] for FY 2014, which set as a desired end state the first fully operationally capable CMF teams. TASKORD 15-0124 [Document 7] for FY 2015 and FY 2016 ordered the training of a further 34 and 28 teams, respectively.

In late October 2013 the USCYBERCOM component commanders convened for a series of update briefings [Document 5]. A CMF training timeline in the presentation showed the phases of the build, staff, and individual training sessions, and key milestones:

Challenges in the training process were discussed, including funding, retention, and the defining of standards:

The meeting also featured an assessment of the October 2013 government shutdown’s role in delaying Cyber Mission Force training:

In October of 2013 the Deputy Commander of USCYBERCOM, Marine Lieutenant General Jon Davis, issued a memorandum [Document 3] to the commanders of the service cyberspace components which defined the IOC threshold for each JFHQ-C. Referencing the 2013 edition of JP 3-12 and a slide presentation on JFHQ-C certification [Document 2], the memorandum states that a JFHQ-C which has reached IOC is able to “execute the six mission essential tasks with associated mission critical functions” and “integrate with the seven critical US Cyber Command (USCYBERCOM) operational processes.”

 

Mission Essential Tasks:

  1. Exercise C2 (command and control) of all attached CMF (Cyber Mission Force) ISO (in support of) CCMD (combatant commander) mission.
  2. Exercise SIGINT (signals intelligence) Authorities, Mission Delegation and Intelligence Oversight (to include SIGINT IO and auditing) of all attached CMF (Cyber Mission Force) ISO (in support of) CCMD (combatant commander) mission.
  3. Plan and direct Cyber ISR (intelligence, surveillance, reconnaissance), Cyber OPE (operational preparation of the environment), Cyber Attack and – when directed – Cyber Defense actions to accomplish CCMD (combatant commander) specified missions, and BPT (be prepared to) conduct crisis action planning and CO (cyber operations) in response to global threats.
  4. Coordinate, integrate, synchronize and de-conflict CO (cyber operations) of attached CMF (cyber mission force) with other JFHQ-C, NMF-HQ and USCC, operating in the same networks, at the tactical level, to maximize operational effectiveness. Coordinate as required with NSA Cryptologic Center Commanders.
  5. Conduct intelligence operations; including managing CMF (cyber mission force) intelligence requirements and the collection, production and dissemination of intelligence.
  6. Coordinate JFHQ-C support functions for attached and for co-located CMF with USCC, NSA, service and functional components; direct CMF training, exercise, and readiness requirements.

Operational Processes:

  1. Cyberspace Tasking Cycle (Modified Air Tasking Cycle)
  2. Cyberspace Effects Request Form
  3. *REDACTED*
  4. Planning Teams
  5. Operational Priorities and Intelligence Collection Priorities
  6. Joint Targeting Cycle
  7. Operations Synchronization

That the Cyberspace Tasking Cycle was adapted from the Air Tasking Cycle confirms previous analysis by the National Security Archive, drawn from USCYBERCOM’s campaign against ISIS, that processes used by the US military for cyberspace operations are rooted in kinetic operations.

After reaching IOC, a JFHQ-C went through a series of increasingly complex exercises and levels of training before receiving FOC certification in a manner very similar to the CMF training process.

The following details from the JFHQ-C Certification presentation [Document 2] shed light on USCYBERCOM standard operating procedures for offensive cyber under each mission essential task and operational process, providing details on how Cyber Mission Force teams conduct operations in cyberspace.

Planning and Directing Cyber Intelligence, Surveillance and Reconnaissance, Operational Preparation of the Environment, Cyber Attack, and Cyber Defense

Mission Essential Task (MET) 3 covers computer network operations in support of combatant commanders and all functions in support of this task.

The Cyberspace Tasking Cycle

An adaptation of the Air Tasking Cycle, the Cyberspace Tasking Cycle links objectives, planning, action, and outcome assessment in a formalized series of steps.

Targeting

The Joint Targeting Cycle is the process by which the US military selects targets for individual action. These slides reveal how targets are developed, how they are selected, and what goes into a Cyberspace Strike Package, the product presented to a commander before deciding whether to execute a mission in cyberspace.

Despite the development plans presented in the documents above, a Department of Defense Inspector General report [Document 8] produced in November of 2015 identified several shortfalls in USCYBERCOM’s unified strategy and approach for developing capabilities. While some concerns from a 2011 GAO report had been addressed, “Service Components continued to use Component-specific approaches and strategies to develop offensive capabilities that aligned to traditional Component-specific mission areas rather than unify capability development to support the CMTs. This occurred because USCYBERCOM did not have appropriate authorities to effectively oversee and direct offensive capability development.”

The overall development of the CMF teams was also found to lack central guidance, as there was no established framework for doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy (DOTMLPF-P) guiding the process. A Marine Corps official interviewed by the IG reported that the rush to build and field CMF teams took priority over developing a guiding DOTMLPF-P framework, suggesting the rush to build the CMF was not without consequence.

While security researchers studying relatively transparent “conventional” military bodies have made significant contributions in the fields of operational art, tactics, organizational behavior, and the utility of military force, similar contributions to the field of cyber operations have been limited by secrecy. These declassified USCYBERCOM documents are an important view into the operating processes of a military’s cyber operations arm.

The documents