BALTIMORE, Md. — After designing its initial warfighting platform – strung together with disparate systems from each of the services – U.S. Cyber Command is looking to build out the next generation.
The Joint Cyber Warfighting Architecture (JCWA) was designed in 2019 to get a better handle on the capabilities, platforms and programs the command was designing, and set priorities for the Department of Defense as well as the industry partners that would be building them. When Cybercom was first created, it relied heavily on intelligence personnel, infrastructure platforms and tradecraft to build its enterprise. But just like the Army needs tanks and the Air Force needs planes to conduct missions, cyber troops need their own military-specific cyber platforms separate from the National Security Agency, which conducts foreign intelligence.
The JCWA encompasses several components that are built by each of the services on behalf of the joint cyber mission force. The service provide them to Cybercom to conduct cyber operations, as executive agents. Now, JCWA is thought of as a platform in and of itself to conduct military cyber ops.
As initially laid out, it included four main programs: the Persistent Cyber Training Environment for conducting training and mission rehearsal, which is managed by the Army; Unified Platform — considered the centerpiece where data is ingested, analyzed and shared — which is managed by the Air Force; Joint Cyber Command and Control to command cyber forces and the larger cyber environment, which is managed by the Air Force; and the Joint Common Access Platform for executing offensive operations, which is managed by the Army. It also included a category for tools and sensors.
Most recently, the Army was awarded as the executive agent for the Joint Development Environment, a space to rapidly develop and test cyber tools.
Last summer, the Department of Defense decided to take a look at JCWA and determine how well Cybercom was postured to use the platform the services were contributing to and building for it.
“We did an in-depth review of the platform, compared to what the operational needs were … [and] we found some pretty significant deficiencies in the architecture,” Michael Clark, director for cyber acquisition and technology at Cybercom, said at the AFCEA TechNet Cyber conference Thursday. “We know that platform does not meet our mission needs.”
He referred to JCWA in its current state as a confederation of capabilities that aren’t integrated into a true warfighting platform.
Now that Cybercom and its units are maturing, it needs an integrated platform that the joint cyber mission force can use.
“There is an effort that we’re leading right now and is beginning to look at what we call JCWA 2.0, or what I want to re-nomenclature as the cyber operations integrated weapons platform,” Clark said. “We don’t fight architectures, we fight weapons platforms. That is going to be a fundamental reengineering and rewickering, rethinking of how the architecture must support the warfighter [and] what that platform is.”
He added the concept of operations and strategy for what a JCWA 2.0 looks like is currently going through staffing at Cybercom.
Part of that maturity has been the command’s evolution in incrementally gaining acquisition authority, and now oversight, over the requirements for its systems.
Congress granted Cybercom $75 million in acquisition authority just seven years ago in a crawl, walk, run methodology to ensure the command didn’t bite off more than it could chew — but only for a five-year period. Now, beginning in fiscal 2024, Congress has granted the command enhanced budget authority, meaning it has greater oversight over the dollars involved in the capabilities and platforms the services were building on its behalf prior. There is also now a single integrated requirements process where Cybercom has control to direct the full acquisition and direction of programs. This is significant given there are currently four different requirements processes under the weapons platform, Clark said, which inhibits prioritization.
Despite the command assuming budget control officially in October — and having set its first budget this year — Clark said in the immediate term, things won’t be much different, citing the mantra “don’t break good.”
“For the next couple years, we’re going to continue to do what we’re doing today — don’t break good — while we take the time to better understand the environment as we move forward,” Clark said. “What’s being done today is generally good enough and we’re not going to upset the applecart by changing how we do acquisitions or radically changing our investing.”
The $3.2 billion Cybercom assumed will be pumped back to the services in the near term. The command will reimburse the services’ program offices for the work they continue to perform on major platforms, but those offices will report up to Cybercom as opposed to their service-specific program executive offices or chains of command.
“I’ll pay the Air Force now — and now that we have the money — to do the acquisition for me. But the strategy in terms of requirements and what the warfighter needs and whether or not we’re getting what we are paying for, will be managed by the command,” Clark said. “We’re going to manage the process, we’re going to manage the requirements, we’re going to drive the standards. But I’m still going to execute most of the acquisition by, with and through the service program offices.”
Building an acquisition portfolio
While the services will continue to perform acquisition work on the major platforms, Cybercom will simultaneously be building out its own acquisition arm through a new program executive office.
Clark said he wants that PEO to be stood up by fiscal 2025, acknowledging that might be aspirational given the biggest hurdle is getting the people to build out that office.
In fiscal 2027, the hope is to negotiate with the services to fully transition acquisition responsibility from their program executive offices that manage those capabilities, to Cybercom.
This fiscal year, Clark said he’ll begin establishing a program management office for a joint cyber weapons portfolio. As an example of the command continuing to work with the services, Clark explained the Air Force is building this office on his behalf.
“It’s my program office, but I am reimbursing the Air Force to get the talent that I need to be able to make that program office scale,” he said.
While the mantra right now is “don’t break good,” Clark said the five-year budget planning process beginning in fiscal 2025 is already working on what JCWA 2.0 looks like and what areas the command can budget for to make significant changes.
One area is managing data.
There are “obvious efficiencies there that can be gained if we figure out a better way to manage the data that we have today,” he said. “The department over the next few years is going to be investing a lot of money to be able to improve our ability to create the outcomes against the challenges we all know we’re going to have by, let’s say, 2027. Fundamentally to that problem is data. Fundamental to the problem in terms of what we need to build is: How do I create a data analytic environment, again at the speed of operational relevance, that creates the model so they can operate at speed?”
Clark cited the example of Unified Platform — considered the centerpiece of JCWA where data is ingested, analyzed and shared — noting there currently is not a way for it to share data from the services as envisioned.
“It’s a federation of Army, Navy, Air Force, DISA, NSA, soon to be Space [Force] probably, SOCOM and the command. And there’s no reciprocity between them in terms of interoperability,” he said. For example, “I can’t do a query, take Log4j, and be able to sit at [Joint Force Headquarters-DOD Information Network] and do a query and understand: Have any of the services’ sensors detected Log4j? I can’t do that today because of the way we have architected the big data clouds.”
Log4j is commonly used to log security information. Last year, a major vulnerability was discovered within it.
Ultimately, Cybercom must be more flexible in the future and adapt faster given adversaries can now turn exploits in hours, not weeks.
“Looking back just two or three years ago, when a new vulnerability was identified in Microsoft Office or Microsoft Windows or Linux, that we probably had six months to a year to posture the DODIN to be able to defend ourselves against that,” Clark said. “Today, it’s hours. Today, our adversaries are taking advantage of large language models [like] ChatGPT and can field an exploit and throw it against the DOD within hours. How do we begin operating, defending ourselves in that kind of environment? But then also, how do we begin taking advantage of that kind of technology to better posture us to achieve the outcomes the nation wants us to be able to achieve against our adversaries?”
Clark noted to stay competitive, the command must fundamentally change its acquisition approach.
“We’re going to have to fundamentally rethink how the platform operates, how we build the sort of capabilities into the platform, and to enable a DevSecOps agile-like construct to be able to drive capabilities at the speed of cyber operational relevance in the warfighters’ hands,” he said.