Preparing for Computer Network Operations: USCYBERCOM Documents Trace Path to Operational Cyber Force
Evolution of Cyber Mission Force and Joint Force Headquarters – Cyber portrayed in annual orders to build the force
Declassified documents give insight into USCYBERCOM Mission Essential Tasks and Operational Processes
Briefing slide reveals impact of 2013 government shutdown on USCYBERCOM training and development
US Military Cyberspace Tasking Cycle adapted from air operations; cyber operations adhere to joint targeting doctrine
OIG Report suggests development process outpaced strategic planning
Our present understanding of how USCYBERCOM conducts operations in cyberspace comes either through anecdotal examples such as JTF-ARES/OPERATION GLOWING SYMPHONY or through broad doctrine as communicated in publications like JP 3-12 Cyberspace Operations. Little has been revealed about processes linking broad doctrine and strategy to tactical operations. Today the National Security Archive publishes a collection of documents obtained via FOIA declassification regarding the process of building the Cyber Mission Force and Joint Force Headquarters – Cyber under USCYBERCOM. These documents trace the development of the US military’s first acknowledged offensive cyber force, outline the mission’s essential tasks and key operational processes USCYBERCOM elements are required to master, discuss the impact of US government shutdowns on the USCYBERCOM training process, and demonstrate the doctrinal roots of cyberspace tasking and targeting in fire support and airpower doctrine.
In May of 2018 USCYBERCOM announced that all 133 Cyber Mission Force (CMF) teams had reached Full Operational Capability (FOC), a major milestone in the history of the combatant command, after two years earlier announcing Initial Operational Capability (IOC).
The CMF consists of three types of teams. The defensive component of USCYBERCOM’s mission is performed by the Cyber National Mission Force, tasked with protecting civilian networks and infrastructure, and the Cyber Protection Force which defends Department of Defense networks. Offensive operations, under the direction of a service-specific Joint Force Headquarters – Cyberspace (JFHQ-C) in support of combatant commanders, are conducted by the Cyber Combat Mission Force.
JP 3-12: Cyberspace Operations (2018)
In March of 2013 the first task order (TASKORD) was issued with instructions for developing the CMF teams through the end of fiscal year (FY) 2013. This document, designated TASKORD 13-0244 [Document 1], ordered the service components to begin the process of building the teams, provided guidance for their integration, and designated the requirements for IOC (4.B.1) and FOC (4.B.2) thresholds.
Two months after TASKORD 13-0244 was issued, a fragmentary order (FRAGORD) was issued to modify and add sections related to service component assignments and command and control. Service cyber components received updated interim assignments to support combatant commands: Army Cyber was tasked to CENTCOM, AFRICOM, and NORTHCOM; Air Force Cyber to STRATCOM and EUCOM; Navy Cyber to PACOM and SOUTHCOM; and Marine Cyber to SOCOM. TASKORD 13-0244 was followed by TASKORD 13-0747 [Document 4] for FY 2014, which set as a desired end state the first fully operationally capable CMF teams. TASKORD 15-0124 [Document 7] for FY 2015 and FY 2016 orders the training of a further 34 and 28 teams, respectively.
In late October 2013 the USCYBERCOM component commanders convened for a series of update briefings [Document 5]. A CMF training timeline in the presentation showed the phases of the build, staff, and individual training sessions, and key milestones:
RELATED CONTENT: Five People Captured and 19 Sought for Attacks on the Electric Grid
Challenges in the training process were discussed, including funding, retention, and the defining of standards:
The meeting also featured an assessment of the October 2013 government shutdown’s role in delaying Cyber Mission Force training:
In October of 2013 the Deputy Commander of USCYBERCOM, Marine Lieutenant General Jon Davis, issued a memorandum [Document 3] to the commanders of the service cyberspace components which defined the IOC threshold for each JFHQ-C. Referencing the 2013 edition of JP 3-12 and a slide presentation on JFHQ-C certification [Document 2], the memorandum states that a JFHQ-C which has reached IOC is able to “execute the six mission essential tasks with associated mission critical functions” and “integrate with the seven critical US Cyber Command (USCYBERCOM) operational processes.”
Mission Essential Tasks:
- Exercise C2 (command and control) of all attached CMF (Cyber Mission Force) ISO (in support of) CCMD (combatant commander) mission.
- Exercise SIGINT (signals intelligence) Authorities, Mission Delegation and Intelligence Oversight (to include SIGINT IO and auditing) of all attached CMF (Cyber Mission Force) ISO (in support of) CCMD (combatant commander) mission.
- Plan and direct Cyber ISR (intelligence, surveillance, reconnaissance), Cyber OPE (operational preparation of the environment) Cyber Attack and – when directed – Cyber Defense actions to accomplish CCMD (combatant commander) specified missions, and BPT (be prepared to) conduct crisis action planning and CO (cyber operations) in response to global threats.
- Coordinate, integrate, synchronize and de-conflict CO (cyber operations) of attached CMF (cyber mission force) with other JFHQ-C, NMF-HQ and USCC, operating in the same networks, at the tactical level, to maximize operational effectiveness. Coordinate as required with NSA Cryptologic Center Commanders.
- Conduct intelligence operations; including managing CMF (cyber mission force) intelligence requirements and the collection, production and dissemination of intelligence.
- Coordinate JFHQ-C support functions for attached and for co-located CMF with USCC, NSA, service and functional components; direct CMF training, exercise, and readiness requirements.
Operational Processes:
- Cyberspace Tasking Cycle (Modified Air Tasking Cycle)
- Cyberspace Effects Request Form
- *REDACTED*
- Planning Teams
- Operational Priorities and Intelligence Collection Priorities
- Joint Targeting Cycle
- Operations Synchronization
That the Cyberspace Tasking Cycle was adapted from the Air Tasking Cycle confirms previous analysis by The National Security Archive drawn from USCYBERCOM’s campaign against ISIS that processes used by the US military for cyberspace operations are rooted in kinetic operations.
After reaching IOC, a JFHQ-C went through a series of increasingly complex exercises and levels of training before receiving FOC certification in a manner very similar to the CMF training process.
The following details from the JFHQ-C Certification presentation [Document 2] shed light on USCYBERCOM standard operating procedures for offensive cyber under each mission essential task and operational process, providing details on how Cyber Mission Force teams conduct operations in cyberspace.
Planning and Directing Cyber Intelligence, Surveillance and Reconnaissance, Operational Preparation of the Environment, Cyber Attack, and Cyber Defense
The Cyberspace Tasking Cycle
Targeting
The Joint Targeting Cycle is the process by which the US Military selects targets for individual action. These slides reveal how targets are developed, how they are selected, and what goes into a Cyberspace Strike Package, the product presented to a commander before deciding whether to execute a mission in cyberspace.
Despite the development plans presented in the documents above, a Department of Defense Inspector General report [Document 8] produced in November of 2015 identified several shortfalls in USCYBERCOM’s unified strategy and approach for developing capabilities. While some concerns from a 2011 GAO report had been addressed, “Service Components continued to use Component-specific approaches and strategies to develop offensive capabilities that aligned to traditional Component-specific mission areas rather than unify capability development to support the CMTs. This occurred because USCYBERCOM did not have appropriate authorities to effectively oversee and direct offensive capability development.”
The overall development of the CMF teams was also found to lack central guidance, as there was no established framework for doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy (DOTMLPF-P) guiding the process. A Marine Corps official interviewed by the IG reported that the rush to build and field CMF teams took priority over developing a guiding DOTMLPF-P framework, suggesting the rush to build the CMF was not without consequence.
While security researchers studying relatively transparent “conventional” military bodies have made significant contributions in the fields of operational art, tactics, organizational behavior, and the utility of military force, similar contributions to the field of cyber operations have been limited by secrecy. These declassified USCYBERCOM documents are an important view into the operating processes of a military’s cyber operations arm.
THE DOCUMENTS
Document 1A
USCYBERCOM, “TASKORD 13-0244: Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2013”, March 6 2013. Secret.
2013-03-06
Source:Â FOIA
Document 1B
USCYBERCOM, “FRAGORD-01 to USCYBERCOM TASKORD 13-0244: Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2013,” March 13, 2013. Secret.
2013-03-13
Source:Â FOIA
Document 1C
USCYBERCOM, “CMF Work Role Conditions,” March 5, 2013. Secret.
2013-03-05
Source:Â FOIA
Document 2
USCYBERCOM, “JFHQ-C Certification: Framework to Operationalize the JFHQ”, October 2013. Top Secret.
2013-10-00
Source:Â FOIA
Document 3
US Department of Defense Memorandum, “Subject: Initial Operational Capability (IOC) Designation of Joint Force Headquarters Cyber (JFHQ-C)”, October 3 2013. Unclassified.
2013-10-03
Source:Â FOIA
Document 4A
USCYBERCOM, “TASKORD 13-0747: Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2014”, October 11 2013. Secret.
2013-10-11
Source:Â FOIA
Document 4B
USCYBERCOM, “FRAGORD-01 to USCYBERCOM TASKORD 13-0747, Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2014,” October 31, 2013. Unclassified.
2013-10-31
Source:Â FOIA
Document 4C
USCYBERCOM, “FRAGORD-02 to USCYBERMCOM TASKORD 13-0747 and FRAGORD-01, Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2014,” January 29, 2014. Secret.
2014-01-29
Source:Â FOIA
Document 4D
USCYBERCOM, “USCYBERCOM FRAGORD-03 to TASKORD 13-0747, Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2014,” May 31, 2014. Unclassified.
2014-05-31
Source:Â FOIA
Document 4E
USCYBERCOM, “USCYBERCOM FRAGORD-04 to TASKORD 13-0747, Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2014,” June 04, 2014. Unclassified.
2014-06-05
Source:Â FOIA
Document 4F
USCYBERCOM, “FRAGORD-05 to USCYBERCOM TASKORD 13-0747, Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2014,” June 25, 2014. Unclassified.
2014-06-25
Source:Â FOIA
Document 4G
USCYBERCOM, “FRAGORD-06 to USCYBERCOM TASKORD 13-0747, Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2014,” March 9, 2015. Secret.
2015-03-09
Source:Â FOIA
Document 5
USCYBERCOM, “Cyber Mission Force Training & Cyber Flag Update”, October 22 2013. Unclassified.
2013-10-22
Source:Â FOIA
Document 6
USCYBERCOM, “TASKORD 14-0061: USCYBERCOM Operational Processes”, March 14 2014. Unclassified.
2014-03-14
Source:Â FOIA
Document 7
USCYBERCOM, “TASKORD 15-0124: Establishment and Presentation of Cyber Mission Force (CMF) Teams in Fiscal Year (FY) 2015 and FY 2016”, August 17 2015. Secret.
2015-08-17
Source:Â FOIA
Document 8
Department of Defense Inspector General, “Combat Mission Teams and Cyber Protection Teams Lacked Adequate Capabilities and Facilities to Perform Missions”, November 24 2015. Secret.
2015-11-24
Source:Â FOIA Reading Room
