At 10th anniversary, Pentagon’s network defense arm looks to evolve how it fights

As Joint Force Headquarters-DODIN celebrates its 10th anniversary, it is looking at how it can mature network defense and impose heavier costs on adversaries.
Photo illustration of U.S. Army cyber soldier in operations center. (U.S. Army photo by Tài Doick)

FORT MEADE, Md. — Following a new framework signed in September 2024, the Pentagon’s network defense command is looking to change how it fights to better protect Department of Defense networks from increasing adversary intrusions.

Gen. Timothy Haugh, commander of U.S. Cyber Command, signed the DOD Information Network (DODIN) command operation framework execution order last year, which oriented the battlespace and now aligns DODIN areas of operation to commanders and directors.

The DODIN is a federated network of networks with 46 DODIN areas of operation comprising each service, agency and field activity, as opposed to a singular monolithic enterprise network for the entire DOD. For Joint Force Headquarters-DODIN — created in 2015 as a subordinate headquarters under Cybercom to protect and defend the Pentagon’s networks globally — defending that terrain is challenging as local organizations own many of those segments.

The execution order reflects a “transformation moment” in the command’s history as it seeks to improve the speed and organization with which the headquarters command can defend the battlespace.

“What this does is it transitions the DODIN’s responsibilities from attempting to independently manage 3.5 million endpoints to fighting in, with and through DODIN area of operations that have effective leaders,” Lt. Gen. Paul Stanton, commander of JFHQ-DODIN, told a group of reporters this week. “It gives us the ability to operate at speed and scale because we’re unlocking the totality of the force that can operate with our authorities. The numbers differ anywhere from [250,000] to 300,000 personnel that operate on, in, with, through and defend the DODIN. We’re unlocking the potential of all of that force. That’s huge.”

JFHQ-DODIN is celebrating its 10th anniversary on Wednesday, and officials want to use that opportunity to stress that the organization has matured and continues to mature in the face of increasing threats to DOD systems and intrusions on commercial networks.

“We come from humble beginnings, about 90 folks that were burdened with an incredible task of operating and defending the entire Department of Defense Information Network to a robust command that’s postured to see ourselves effectively, to respond at speed and scale in ways that we had not done previously,” Stanton said. “We see ourselves at an inflection point. The fact that we are 10 years in just gives us an opportunity to put a mark in the sand and say we are ready now to downshift and accelerate into the operations of the future.”

Stanton, who is also dual-hatted as the director of the Defense Information Systems Agency, explained that this new approach comes with several implications for how to effectively defend the DODIN. It requires a greater understanding of the doctrine, readiness and training of defenders; leveraging data more extensively and in different ways to better understand the network; and holding commanders and directors accountable.

In 2023, Cybercom outlined mission essential tasks for cybersecurity service providers (CSSPs) under the DODIN, with a forthcoming readiness and training model. This was the first time Cybercom focused on these personnel, having historically focused on standards for the cyber mission force. This was an important step as it began to move these mission owners from simple compliance- and checklist-based entities to taking more of a warfighting posture to defend.

“Historically, we’ve said, if you have a cybersecurity service provider, then you’re meeting your obligation to defend the network. That’s not a mission context, that is a compliance-based checklist approach to providing a modicum of security. That is not … context-aware, effective defense in the cyber domain,” Stanton said.

It is also expected to free up JFHQ-DODIN’s cyber protection teams to get back to their original intent of hunting for adversaries and maneuvering on the network.

Stanton noted that the readiness and training standards are still being developed.

Imposing cost with context

Stanton explained the command and department are “exhausted” by the whack-a-mole nature of cyber defense.

So, he has charged the headquarters to impose costs on adversaries that seek to compromise DOD systems. From a defensive perspective, that means preventing intrusions by prioritizing where adversaries might be targeting, he said, adding: “If it’s easy for the enemy to gain access into our environment and to achieve effects, shame on us.”

Enemies attack networks for a specific purpose, and relying on intelligence to indicate what they might be interested in can help prioritize what to defend.

“If we prioritize and make it really hard for the enemies to gain access to the things that they’re interested in, that we are also interested in, we start to make it hard on the enemy,” Stanton said. “While that’s an indirect imposition of cost, if they have to spend months, years or even decide that that objective is not worth their time or energy because they’re simply not going to gain access to it, then we start shifting that cost curve.”

Providing the context of those attacks can also better posture commanders and directors, along with the CSSPs, to be more effective in their cyber defense, he said.

On the flip side, Stanton noted they want to be able to rapidly transition from defense to offense or vice versa.

“How do we take the observations from our defense, where we gain and maintain contact with our enemies, and hand those insights to the appropriate forces that can conduct offensive missions,” he said.

As one of Cybercom’s headquarters elements, JFHQ-DODIN is tied into the other elements that operate outside of U.S. networks that are collecting intelligence, preparing the battlespace and performing offensive operations.

Stanton said the relationship between the offensive components – the Cyber National Mission Force, which is responsible for defending the nation in cyberspace, and the various Joint Force Headquarters-Cyber commands, responsible for conducting offensive operations on behalf of combatant commands – is better than he’s ever seen it in the past.

Meetings involving the operations staff always have CNMF representation as well as participants from the other service cyber components, he said.

Maturing the headquarters

As JFHQ-DODIN has sought to mature from 90 personnel to a full-fledged headquarters, it has sought to move beyond current operations to focus on other aspects a traditional organization requires.

That means building out a future operations cell and a strategy cell, budgeting, and determining what is ahead.

“You have to build out your training and readiness. Very different than sitting at the desk, but thinking about, what are my knowledge, skills and abilities that I require of each of the work roles and how do I build that into an effective training plan and then execute training,” Stanton said. “How do we, as a command and a headquarters, effectively participate in tier-one exercises that are led by the Department of Defense? J5, J7, J3, future ops, these are the sorts of evolutionary steps that the command is on the path to maturation.”

The headquarters also needs to start thinking five-to-ten years ahead from a budgeting and resourcing perspective, what’s known in the DOD as the Program Objective Memorandum process.

Moreover, the headquarters is being elevated to a sub-unified command under Cybercom. The fiscal year 2025 policy bill, signed by President Biden into law on Dec. 23, directed such elevation; however, it did not provide specifics on how to do so or what that means.

Cybercom elevated CNMF to a sub-unified command in December 2022. Lawmakers wanted a similar sub-unified element for the defensive command alongside the offensive command.

Stanton said his organization is currently in the early stages of mission analysis for what elevation means and plans to use some of the resident Cybercom experience from CNMF’s elevation to inform its own process.

The direction to elevate is “acknowledgment from Congress of the sustained higher priority of the defensive cyber operation mission set,” Stanton said, adding that “the good news is this discussion about fundamental change of how we fight in and through DODIN areas of operation, a requirement for the Joint Force Headquarters to set conditions through enabling functions.”

As JFHQ-DODIN looks toward its tenth year and beyond, Stanton noted there is a lot of work that still needs to be done. But there are “very clear signals from our leadership and Congress in order to drive defensive cyber operations to new heights.”

Written by Mark Pomerleau

Mark Pomerleau is a senior reporter for DefenseScoop, covering information warfare, cyber, electronic warfare, information operations, intelligence, influence, battlefield networks and data.