Basic training enters unfamiliar territory in cyberspace
For roughly a century, the U.S. military has fought on land, by sea and in the air. For the most part, the domains have been tangible and the boundaries defined. Now a new domain is emerging: cyber warfare. And although online operations overlap the traditional physical arena, the cyber domain is mostly intangible, with battles waged over networks with no obvious borders and against faceless foes.
To meet the threats and operational demands of this unfamiliar territory, the U.S. military is embracing new models and agendas for training its troops.
“Treating cyberspace as a domain means that the military needs to operate and defend its networks and to organize, train and equip our forces to perform cyber missions,” then-Deputy Defense Secretary William Lynn said in July.
Efforts range from mandatory cyber education for those in the lowest ranks to elite training for new, highly specialized careers in network defense. The transition is eased somewhat for a generation that is well-versed in the technologies of the Information Age.
Under the umbrella of the U.S. Cyber Command, launched in May 2010, the Air Force, Army, Marine Corps and Navy have all made progress in preparing troops for cyber conflict. Collaboration among the services and with the private sector, rather than the services each having their own training, is helping the military incorporate best practices and the latest tools into cyber training. Through those partnerships, the services are building on their collective knowledge and sharing classrooms — sometimes even while students are physically seated thousands of miles apart.
The efforts are already paying off. The U.S. Naval Academy's class of 2013 will have three times the number of computer science and IT majors that the class of 2011 did.
But it’s still early in the game. It can be tricky assessing the effectiveness of the new training programs. And given the breakneck speed at which cybersecurity threats evolve, the Defense Department must shed its reputation for taking a long time to implement changes and acquire new equipment and services.
“The cyber environment we face is dynamic,” Lynn said. “As such, our strategy must be dynamic as well.”
New training basics
Leaders in the military training community recognize that balance is crucial to a layered, holistic network defense. Likewise, cyber training must recognize the need for different levels of instruction, specialization and approaches.
“Everyone on the network is a cyber warrior of some sort,” said retired Lt. Gen. Peter Cuviello, former Army CIO and now director of network-enabled operational support at Deloitte Consulting. “The services need to focus not just on training but the education that goes along with it. Training is the science. Education is the art.”
The idea of balancing training and education isn’t new to the military, but it’s playing a crucial role as the services evolve their approach to meet cyber needs.
In the military, each of the services operates its own branch-specific training and education. For the cyber domain, some schools focus on basic training, with others dedicated to intermediate and advanced training.
One of the most comprehensive basic programs is taking place at the Naval Academy, where cyber knowledge is being weaved into the lowest-level instruction, beginning with a mandatory course for freshmen that was instituted in the current academic year. That primer will be followed by a second mandatory course two years later.
“What we’re doing that’s different is cyber education for every midshipman,” said Capt. Steven “Doc” Simon, director of the academy’s new Center for Cyber Security Studies. “Cybersecurity impacts so much of what we do that it’s critically important to understand for the mission and the decision-making process.”
The academy’s courses include hands-on technical training that teaches how systems work, where their vulnerabilities are, how those weaknesses are exploited and how to minimize exploitation. Midshipmen are also learning the basics of Web design and coding, knowledge that is sorely needed despite the fact that this is a class of sailors coming of age with Facebook and YouTube.
“It’s an accurate assumption that they’re good with social media…but they didn’t understand what went on behind the curtain,” Simon said. “It’s one thing to be a good end user, but it’s another to understand how technology works and utilize that knowledge to make decisions.”
So-called cyber hygiene is also a key component of training in the Marine Corps, where Marines at all echelons must take yearly courses to supplement their knowledge.
“All Marines go through information assurance and personally identifiable information security awareness training,” said Lt. Col. Jeffrey Lipson, Central Command regional team lead at the Marine Forces Cyber Command. “It reinforces to every single Marine, from private to general, that security is [paramount] and that it’s up to the individual.”
Marines are required to take professional military education throughout their careers, and now the Marine Corps is embedding cyber education and training into the curriculum, said Capt. Steven Grabowski, a training officer at Marine Forces Cyber Command.
“All Marines are getting at least some exposure to cyber,” Grabowski said. “It’s institutionalized throughout the Marine Corps.”
Smashing the academic silos
As part of the military’s new model of training, the notion of schoolhouses in the traditional sense is being broken wide open with the growing collaboration among the services and industry. It’s becoming increasingly common for members of one service to be in another's classroom or for members of more than one service to be in a class that’s hosted by the private sector.
The SANS Institute is one industry partner that is blazing a trail in military cyber training. Perhaps the most prominent example is the Air Force’s use of the institute's NetWars, an online attack and cyber defense competition that the Air Force has adapted to train students and assess their readiness for cyber combat.
“Here was a product already built that satisfied about 85 to 90 percent of our requirements,” said Skip Runyan, technical adviser for the 39th Information Operations Squadron. “We worked with SANS as a partner to be flexible in a way that we could take that existing framework they provide and make it work for our needs, not as a tournament-type environment but more as a student assessment.”
Although the skills, subject matter and training space are new, the Air Force’s training approach with NetWars isn’t actually a departure from existing training doctrine, said Lt. Col. Brian Denman, the 39th Information Operations Squadron's commander.
“We’ve replicated [the Air Force training] model in the cyber world by creating the different cyber ranges and hands-on areas where [students] can refine their techniques in a controlled maneuver space,” said Denman, who added that troops from the other military branches have also participated in the Air Force training.
The Army is also using innovative programs and partnering with industry to train its men and women and those from other services. However, the Army is doing it in a way that represents a shift away from its traditional approach in order to meet a rapidly evolving and elusive threat.
“When you look at the normal Army training processes and policies, we’ve got bulletproof procedures to ensure that a program of instruction is complete, it’s supportable and ready for implementation,” said Chief Warrant Officer Todd Boudreau, proponent manager at the Army Signal Regiment. “That takes a long time to analyze and set up. When applied to the cyber threat, it’s a procedure that takes five to 10 times longer to implement than the lifetime of the threat that it’s supposed to train against.”
Boudreau said the Army has partnered with technology companies, including Microsoft, Cisco Systems and NetApp, to get product training and certifications to its soldiers. The service’s groundbreaking, six-month course for cyber defense warrant officers, which launched in 2009, has been so successful that the Army is now planning to develop another program for enlisted soldiers. Troops from the other services are also taking part in training from the Army’s Signal Center of Excellence.
The Army’s partnerships with industry and across the services have propelled its training courses to the forefront of military cyber preparation.
“It not only gives our students a fuller, more dynamic understanding of what they’re about to do, it also extends and deepens our partnerships and relationships out in the field,” Boudreau said. “There’s an interdependence and interoperability fostered by creating this melded community.”
Cybersecurity experts point out that it can be just as difficult to measure the success of training as it is to quantify cyber defense. In other words, how does one measure the impact of an event that didn’t happen?
The science might be tough to nail down, but each of the services is finding ways to gauge their troops’ progress. Virtually all the training programs’ metrics hinge on communication and feedback among current students, graduates and the officers who oversee them. Most programs are also putting students to the test in operational environments — often in the same ways they’d assess progress in other disciplines.
The Air Force puts strict parameters on gauging its graduates’ capabilities: Airmen must be effective on the job within 15 days of arrival at their post-training unit, Denman said.
“That’s really how we measure success, by working with the units that are receiving our graduates to make sure they’re able to be put to work in a minimal amount of time,” Denman said. “That 15-day target is our window.”
Integration speed is also a key metric for the Navy, which tracks how long it takes sailors to get through their training programs and how well they do in their assignments, said Capt. Danelle Barrett, commander of the Naval Computer and Telecommunications Area Master Station Atlantic.
“If we find that it takes them longer than anticipated...we go back and look at where in the process or in a module there may need to be a piece fixed or added,” Barrett said.
Navy officials also analyze the effectiveness of different forms and mixes of instructional techniques. For example, Barrett said students who are in combined training — with traditional classroom and computer-based programs supplemented by hands-on and boot camp exercises — have the highest pass rates.
Boudreau said the Army uses tools that offer a standard metric, such as commercial certifications and professional exams, and communicates with organizations where soldiers are placed to ensure they’re performing adequately.
In December, cyber soldiers will face a new test: participating in the Army’s Network Integration Evaluation at Fort Bliss, where students will be incorporated into brigade combat teams to assess how and where they fit in operationally. Trainees will also be getting their hands on futuristic equipment.
“We’re trying to stay as proactive as possible by putting people not only where they’re being used for the mission today, but to get them in positions where they have the ability to see those things that are going to be available tomorrow,” Boudreau said.
Shared goal, different strategies
Each of the services has been asked by the Cyber Command to supply cyber warriors, but it’s impossible to determine if one is doing it better than the other.
“I don’t know that you can point to any one service and say, ‘They’ve got it and everyone else is wrong,’” Boudreau said. “Cookie-cutter approaches for a cyber defender won’t really work.… There are a great deal of similarities between the services, but operationally, the uses of our infrastructure, platforms and programs have significant differences.”
Indeed, there are many differences in the services’ approaches, whether it’s the Air Force’s incremental training, the Navy’s separate levels of cryptologist and IT specialist ratings, the Marine Corps’ elite defenders of network operations and security centers, or the Army’s high-level cyber officers.
Training commitments also vary. Some courses are as short as two weeks, some as long as a year. Regardless of the level of training, all the officials recognized the need for constant improvement.
“The best programs don’t think of cyber as an event,” said Alan Paller, director of research at the SANS Institute. “The best programs weave together training and career paths. The hunger for these people who are well-trained is so great that they’ll constantly be in high demand.”
Although no one has perfected the science of training or the art of education, there is a sense of optimism because there’s still time to sharpen cyber skills.
“We are now 100 years into military aviation, whereas with cyber, we only have 20 years of collective experience,” Lynn said last year. “Essentially, in the cyber world, it’s 1929. We are still in the era of dirigibles and biplanes.”
Much work remains to make the cyber domain safer, but Lynn and other officials believe that with the advent of the Cyber Command and the launch of new training programs, DOD is well on its way.