Five years in, a look at how Cybercom and NSA’s Integrated Cyber Center improved coordination of operations
Five years ago this month, U.S. Cyber Command and the National Security Agency cut the ribbon on a new advanced building designed to better coordinate cyber operations across a range of partners and improve command-and-control and deconfliction of cyber forces operating around the globe.
The $500 million Integrated Cyber Center and Joint Operations Center (ICC/JOC) is Cybercom’s first dedicated building that integrates the military, intelligence community, other federal agencies and international partners. It was unveiled in extraordinary fashion by hosting the Cybercom and NSA director change-of-command ceremony — which simultaneously was the activation event for Cybercom as a unified combatant command — along with a ribbon-cutting ceremony.
A dedicated operations floor is flanked on either side by a dedicated space for Cybercom and NSA. Both operate under different authorities within the U.S. government despite sharing the same boss, a four-star general.
It is designed to better synchronize, coordinate and de-conflict cyber ops by putting everyone under the same roof and often, side by side.
For Cybercom, the ICC/JOC is where the director of operations, J3, is housed and where they oversee all cyber forces across the globe to coordinate and deconflict operations.
The ICC/JOC “was my key command-and-control node to link together the other federal cyber centers as well as our components and in some aspects, because it’s co-located with an NSA element, the [intelligence community] can stay linked up,” Lt. Gen. Kevin Kennedy, who is currently the commander of 16th Air Force and was the Cybercom J3 from July 2020 to July 2022, told DefenseScoop. “It was a vital capability that we use to ensure unity of effort and command-and-control of the cyber forces underneath [Cybercom commander and NSA director] Gen. [Paul] Nakasone’s command.”
Previously, current and past officials explained, the ops centers for Cybercom, NSA and others were physically separated by a door. Sources explained the disorder of personnel running back and forth between facilities to share insights or gain more information.
“The NSA was in an ops center and Cyber Command was in a separate ops center and literally they were separated by a [sensitive compartmented information facility] door, but it might as well have been being a world apart,” Maj. Gen. Paul Stanton, who is currently the commander of the Army Cyber Center of Excellence and formerly the deputy director for operations J3 at Cybercom from October 2018 to November 2020, told DefenseScoop in an interview.
Former officials noted it was impossible to get all the right people in the same room given space constraints, which also severely hindered collaboration.
“Even when we had folks in the JOC, it just wasn’t big enough, we didn’t have all the players in the JOC that we wanted to have,” George Franz, who retired in 2017 as the director of operations J3 for Cybercom — the last J3 to not be in the new ICC/JOC — told DefenseScoop. “Just the physical limitations on the facility, you couldn’t have that beehive, that organism that is constantly communicating, collaborating. It just wasn’t physically possible, even when we tried and folks were personally working well together, the environment just wasn’t physically conducive to the kind of collaboration we knew we needed.”
Franz explained that even in the primitive days of Cybercom dating back to 2011 — a year or so after it was officially created — top officials were discussing designs for an ICC and JOC with visions of where personnel would sit and how to maximize collaboration.
One of the main refrains in the U.S. government with regard to cyber is that it’s the ultimate team sport. Officials have lauded the so-called dual-hat relationship between NSA and Cybercom, which allows the military to benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes.
“At the NSA and U.S. Cyber Command we always say that cyber is the ultimate team sport and the ICC is really a reflection of that belief,” Charles Moore, who was the Cybercom J3 from June 2017 to August 2020 and retired as Cybercom’s deputy commander in 2022, told DefenseScoop. “In the era of digital convergence, we realized we have to work together, across the government, with our friends and allies and the private sector, to effective deal with many malicious actors that threaten the nation.”
Moore, who had a unique perspective as being the only J3 to work under both the old process and in the new ICC/JOC, said the facility is a manifestation of what the National Defense Strategy describes as integrated deterrence and building partnerships.
Current and former officials described how important it was to have a variety of players under the same roof — from other federal agencies to international partners, which right now just includes Five Eyes nations, an intelligence alliance between Australia, Canada, New Zealand, the United Kingdom and the U.S. Additionally, the creation of and inclusion of the NSA’s Cybersecurity Directorate — which was established to increase collaboration with and improve the cybersecurity of industry — was a key step in improving the overall coordination and cybersecurity of the nation.
“We have invited our interagency partners, like DHS and the FBI, along with our closest allies to join us in the command center. These partners are not just seeing Cyber Command and NSA’s information, they have direct conduits to information coming from their systems, from their organizations and countries. This allows for real-time data sharing and an overall unity of effort which eliminates a lot of potential confusion, duplication of effort, helps establish clear roles and responsibilities, and allows us to operate with speed and agility,” Moore said.
The proximity of everyone created a synergistic environment where officials explained they could gain insights not previously possible, enabling the speed and agility needed in cyberspace.
“Simple proximity, simply being in the same facility broke down a significant barrier for information-sharing amongst the professionals that are on the ops floor. That was an initial very transformational aspect. The original designers of the facility got it right to say, ‘Everyone is on this floor,’” Stanton said. “It truly was transformational because we gain insights that we absolutely would never’ve had.”
According to a Cybercom spokesperson, several changes were made to the center almost immediately upon opening. They included combining the watch floor with NSA National Cyber Security Operations Center (NCSOC) partners, the stand up the Operations Enabling Cell in 2018 that brought in representatives from most of the other Federal Cyber Centers and Intelligence Community for rapid sharing of information, a Logistics Operations Cell to track and coordinate movements of deployed Cybercom personnel as teams move around the world in support of combatant command requirements.
For Franz, the facility is also a manifestation of the maturity of Cybercom, which is still growing up in some ways as a relatively new organization within the government and continues to blossom by taking advantage of new authorities — both for operations and acquisition — as well as new force growth.
“They’re so much better to share information, in both directions. Now that Cybercom has actually grown in capacity and you’ve got Cyber National Mission teams going forward … capacity wise, five years ago, we wouldn’t necessarily [have] been able to do that,” he said. “The biggest part of that is the cultural change and how Cyber Command has gotten more mature and how NSA as it’s gotten more used to working with Cyber Command as they’ve grown, it’s the relationship and the communication and the collaboration supported by great physical facilities and networks and things.”
Current and former officials described how the facility promotes crosstalk and collaboration among everyone on the operations floor. While previously personnel might have been physically separated by doors or spread around the National Capital Region, now, they are sitting side-by-side looking at the same feeds and drawing their own insights to be shared.
“It was aspirational during my tenure to actually automate the datasets and be able to share them, but each one of the representatives had a console on the floor that tied into their respective datasets. While we weren’t co-mingling the data at that point in time, we were absolutely being able to benefit from an analyst saying, ‘Hey, here’s what I saw when I looked into my system, how does that relate to what you saw in your system?’” Stanton said of his time at the J3.
For others, the ability to simply talk has proved extremely beneficial.
“The fact is that it’s just having operators sit beside each other – 80% of the collaboration and crosstalk is just what folks are hearing in daily operations and they’re looking at something, they’re seeing something and being able to turn immediately to a partner and say, ‘Hey, what do you think about this?’ That’s the way that operations have to be done,” Franz, who now is cybersecurity lead for Accenture Federal Services, said. “That’s happening now and I think, again, it’s helped by the facility.”
Franz added that the increased collaboration also forces improvement, meaning with increased transparency of everyone sharing the same pictures and feeds, it invites scrutiny.
“As you show a big picture and you’re sharing it, when folks say, ‘Well, wait a minute, that information doesn’t look right. Is that information exactly correct, is that accurate, is it timely?’ The more people that see the information and can dig in and say, ‘Well, wait a minute, that’s not exactly right, we need to improve that,’” Franz said. “With transparency, you get that really good second-checking data and making sure that the picture you’re showing everyone is accurate — and that in and of itself drives improvement in collaboration just to continue to make things better.”
Current and former officials also discussed how command-and-control of cyber forces — as well as the integration of cyber with other capabilities — has improved under the new ICC/JOC.
“It has also helped integrate that my maritime operations center is fully linked with Cyber Command, Space Command at the connective networked level,” retired Vice Adm. Ross Myers, then the commander Fleet Cyber Command/10th Fleet, told DefenseScoop in an interview in 2022. “We have better connectivity and yes, the ICC/JOC has been instrumental in keeping that connective network.”
The cyber environment is extremely crowded in general. But the military has a variety of forces operating in it as well, all with specific missions and objectives. There are offensive teams supporting combatant commands, offensive teams designed to defend the nation that are aligned against specific nation-state threats, defensive teams for combatant commands, and defensive teams that support the operation and maintenance of the Department of Defense Information Network (DODIN).
Cybercom told DefenseScoop that overall, it has significantly improved situational awareness of all ongoing efforts in the cyber domain and found ways to continue to streamline the command and control of forces in coordination with partner efforts. This was done through building new positions on the floor to assist will whole of government coordination and deconfliction. Eventually, Cybercom delegated much of the defensive mission to JFHQ-DoDIN, according to a spokesperson. It also increased the presence of knowledge managers and public affairs officers to provide better management of information flow internal and external to the center as well as to track reflections of cyber operations.
Deconflicting these operations and commanding and controlling forces is critical for success.
“You could very rapidly deconflict and elevate issues that needed to be elevated or resolve them at the appropriate level,” Stanton said.
Previously, sources explained they didn’t even possess the tools to be able to see friendly forces in cyberspace or understand readiness levels of teams. Now, new tools that are displayed through a common operational picture provide commanders — and particularly the Cybercom J3 — a clearer understanding of the environment and their forces.
“Prior to moving into the ICC, I can tell you it was extremely challenging to properly see our forces and the status of their ongoing operations. Knowing, at any given time, our force readiness status, their operational status, and even what forces we had in reserve, was extremely challenging. All those things were being done in a very manual fashion,” Moore said. “The command center gave us the opportunity to fully realize and develop tools, like [Joint Cyber Command and Control], that allowed us to properly perform all of those functions, for the first time, with speed and precision.”
Joint Cyber Command and Control (JCC2), is aimed at providing improved situational awareness, battle management, and information about cyber forces’ readiness levels for operations across the globe. According to fiscal 2024 budget documents, the program provides a “congressionally directed focal point to provide integrated C2 solutions to all echelons for execution of cyberspace operations to enable and accelerate planning/collaboration between Cyber Mission Forces (CMF) and Combatant Commands,” as well as integrating with joint, coalition and interagency command-and-control to enhance multi-domain operations, reduce planning time, improve decision quality and speed — resulting in a shorter kill chain.
Cybercom discovered through these efforts that it also needed to improve and update the tools it used for command and control of forces that provide situational awareness to commanders, the spokesperson said. Moreover, the ICC helped play a role in shaping the requirements for Cybercom’s Joint Cyberspace Warfighting Architecture (JCWA), which was designed to get a better handle on the capabilities, platforms and programs the command is designing, and set priorities for the DOD as well as industry partners that would be building them. While it encompasses several components, it is now thought of as a platform in and of itself to conduct military cyber operations.
Officials have also said JCC2 will be a key capability for cyber’s overall contribution to the Pentagon’s new way of warfare called Joint All-Domain Command and Control (JADC2). JADC2 envisions how systems across the entire battlespace from all services and partners are networked and connected to provide the right data to commanders for better and faster decision-making. JCC2, officials have said, will seek to provide the cyber overlay on top of the air, land, sea and space picture to provide a comprehensive, all-domain view for joint commanders.
Ultimately, without the ICC/JOC, officials believe the military as well as the nation would be worse off in cyberspace.
“I can’t imagine performing all of the operations we have conducted over the past five years without the benefits inherent in the Integrated Cyber Center. We simply wouldn’t be in the same place in terms of achieving cyber superiority and defending the nation,” Moore said.
This story has been updated with comments from U.S. Cyber Command.
