Pentagon’s network defense command improving readiness of cyber defenders

BALTIMORE — As the Pentagon’s network defense organization matures, it is seeking to expand how it evaluates the readiness of its cyber defense forces and training to all defenders, not just typical cyber operators.

Joint Force Headquarters-Department of Defense Information Network, which was created in 2015 and is the subordinate headquarters under U.S. Cyber Command responsible for protecting and defending the Pentagon’s network globally, earlier this year unveiled new readiness metrics for its forces operating on the network, shifting from compliance to operational readiness.

At issue was the notion that the old model was very checklist-based and forces’ readiness was outdated immediately following those checklists. But the shift to the new model, officials have explained previously, allows organizations to be more flexible, agile and responsive to threats in a highly dynamic yet unpredictable environment because it is risk-informed for “defensive cyber operations-internal defense measures,” the specific actions taken on the network in response to either intelligence, a threat or an incident.

There are roughly 300,000 people in the overall DODIN operations force from defenders and system administrations to cybersecurity service providers. Setting metrics for how they’re trained to operate on the network – which is in contact with live adversaries trying to probe it every day – and measuring their readiness is of utmost importance.

Shifting to risk-based metrics is helping the command focus attention where it is needed to secure a particular space and better identify the risks of those missions, given that each mission will be a bit different.

“If we can be risk-based versus just checklist-based, that’s when we’re really going to defend against an adversary,” Brig. Gen. Heather Blackwell, deputy commander of JFHQ-DODIN, told DefenseScoop in an interview at the AFCEA TechNet Cyber conference in Baltimore on June 26.

This approach was driven by JFHQ-DODIN Commander Lt. Gen. Robert Skinner, Blackwell explained.  

“Credit goes to Gen. Skinner. Because remember, he was in my position as the [first] deputy commander for Joint Force Headquarters-DODIN … and then came back as the commander. He knew, he understood where we need to take this,” Blackwell said. “During his last three years, he really set a vision for the team. Every time we go on the ops floor, [we ask] are we more or less of a risk than we were yesterday? He gave the team that vision and to focus away from compliance and focus in on risk.”

Skinner said there have been some bumps in implementing the new system, which is to be expected, but the end goal is continuous assessment.

 “The things that really matter — identity: How are you protecting privileged users? Privileged capabilities: How are you doing on your forward-facing assets? How are you doing on cross-domain? … What really defines the readiness of your cyber domain and your cyber posture for your organization?” Skinner said during a presentation at the conference. “But remember, this is just an episodic environment right now … The goal is to really get to understanding at any one time what the risk is and then have a conversation with that mission owner because it’s a shared risk. Mission owner and – Gen. [Timothy] Haugh, as U.S. Cyber Command commander – both own that risk. It’s that conversation between the two, usually through the service cyber components and JFHQ-DODIN, to understand that piece of the risk.”

Training cyber security providers

As JFHQ-DODIN continued to mature as a relatively young organization and improve the readiness and training of its force, in mid-2023 it unveiled new readiness requirements for its forces.

While Cybercom has focused heavily on the training of the cyber mission force — the teams each service provides to Cybercom to conduct offensive and defensive cyber operations — the command has turned its attention to cybersecurity service providers (CSSPs) for the first time. CSSPs are essentially the local defenders and maintainers of a network at any given organization or installation.

Officials are trying to leverage existing metrics and standards that exist rather than develop them from the ground up.

“There’s the DCWF, which is the DOD Cyber [Workforce] Framework, for work roles. Those work roles apply not only to offense, but also to defense. Let’s use the same great work that’s already been done with Cyber Command on the offense and say, ‘OK, you applied it to that work role, OK, now I want you to apply to the work role that applies to all of our system administrators,’” Blackwell said. “Let’s not reinvent the wheel. Let’s just put defense now as part of your pipeline and move it forward. It can be done, if we just make the effort to do it.”

The command now has readiness metrics for every CSSP that JFHQ-DODIN certifies. Roughly a month ago, for the first time, the command reported those metrics to Gen. Haugh.

The metrics now allow the command to be able to advocate for certain things they’re seeing within the metrics such as the need for data analytics, Blackwell said.

However, she acknowledged that they’re not where they’d like to be in terms of training CSSPs. But it’s not an issue of needing more authorities.

“Cybercom already has Joint Force Trainer; we just need to step into that space and start to identify the training gaps that exist, use Cyber Command’s … authorities and start to mandate some of those training standards. That’s the next evolution,” Blackwell said.