WASHINGTON — U.S. Cyber Command is using its annual training exercise this week to codify best practices for defensive cyber teams.
Cyber Flag, the command’s premier annual training event, is happening on the heels of Cyber Command’s budget request that proposes adding more teams and potentially altering their composition to adapt to a rapidly changing threat landscape.
For the first time, the exercise will help identify characteristics of successful cyber protection teams, which conduct defensive cyberspace operations.
This year’s exercise, Cyber Flag 21-2, includes over 430 individuals from 17 teams from the U.S., UK, Canada, National Guard, House of Representatives and U.S. Postal Service and is taking place across eight time zones. The event uses the Persistent Cyber Training Environment — an online client that allows Cyber Command warriors to log on from anywhere for training and mission rehearsal.
The exercise was set in the Pacific region at a fictitious allied logistics support depot where teams had to contend with attacks from two adversaries: One was more advanced and focused on denial and disruption, while the other was less sophisticated and focused on theft of intellectual property and personally identifiable information.
In the past, Cyber Command used the exercise to validate teams, but as the threat has evolved, leaders wanted to test concepts and codify new team structures to optimize success.
“We’re continuously evaluating the proficiency of our force. We’re evaluating where the gaps are. We’re evaluating the new TTPs [tactics, techniques and procedures] that the adversary presents,” Coast Guard Rear Adm. Christopher Bartz, chief of exercises and training at Cyber Command, told reporters June 22. “We are evolving our training at the speed that the adversary is evolving their TTPs.”
The exercise will allow Cyber Command, which sets general standards across all the services for cyber teams’ training and the equipment they use, to extract best practices and spread those through the cyberspace community, officials explained.
Bartz equated the effort to other constructs within the military, such as aviation stand teams that go to various units and communicate best practices through the broader aviation community.
With broader domestic participation, officials said they can observe how others conduct defensive cyber operations, contributing to a more holistic governmentwide approach for national security and defense.
Also for the first time this year, teams competed against each other with an overall winner to be selected at the conclusion of the exercise June 25. Assessors will observe how teams identify threats and the techniques defenders use to eject threats from the network or deny further compromise.
In written testimony to Congress this year, Gen. Paul Nakasone, commander of Cyber Command, outlined one of the command’s top priorities: realigning cyber protection teams.
“USCYBERCOM is working with the combatant commands to ensure they have dependable defensive support for their missions while we retain forces to deal with global challenges to the DoDIN [Department of Defense Information Network],” he wrote.
Expanded scope
Cyber Command’s expanded use of PCTE allowed the exercise to grow significantly. The range itself was five times larger than last year, the first year Cyber Command used the platform for its largest exercise.
The PCTE team even established a custom help desk for Cyber Flag — capable of assisting with everything from forgotten passwords to major engineering fixes.
The team applies lessons from the exercise to future events and versions of the platform. For example, the team improved the chat function in the platform after users found it hard to use last year, and they’re awaiting feedback.
The platform and program team have grown to support thousands of activities daily, and last week supported two major exercises simultaneously: Cyber Flag and Cyber Yankee, a National Guard-focused exercise that took place in New England.
The platform supported the cyber operations kit for UK operators during Cyber Flag, making their experience more realistic. “We want the experience of our foreign allies to be just as valuable and meaningful as any other CMF [cyber mission force] user on PCTE,” said W. Cory Bogler, lead PCTE operations engineer for Product Manager Cyber Resiliency & Training in the Army Program Executive Office Simulation, Training and Instrumentation.
Officials from the PCTE team said the next Cyber Flag — Cyber Flag 21-3 in October — will include participation from all the Five Eyes intelligence alliance nations: the U.S., UK, Canada, Australia and New Zealand.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.