29 July 2019

What happened at the military’s biggest cyber training exercise to date

By: Mark Pomerleau   

When soldiers are preparing to deploy, they head to the Army’s National Training Center at Fort Irwin in California. There, they can replicate an entire campaign during a two-week rotation against a world class force.

But in the cyber world, no such training environment exists. That means cyber forces train in ad hoc cyber ranges and are limited by the number of teams that can dial in. Moreover, there is no space to rehearse for an upcoming mission.

The Persistent Cyber Training Environment (PCTE), managed by the Army, seeks to change all of that. PCTE is an online client in which members of U.S. Cyber Command’s cyber mission force can log on from anywhere in the world for training, either of individuals or of groups, and to rehearse missions.

Working through the agile development process, the Army is not sure what the final vision for the persistent cyber training environment will look like.

In June, the program underwent its biggest test to date, working with cyber warriors from across several time zones during an exercise created by the Navy, to get the system ready for primetime.

Making sense of Cyber Forge

The genesis for the June exercise, called Cyber Forge, comes from a simple fact: Navy leaders were looking for a better way to train their cyber teams.

“The pipelines that are provided at the time do not meet the demands that we need in order to keep the sailors up to speed in the cyber realm,” Chief Petty Officer Clayton Henry told Fifth Domain during a visit to the exercise.

In addition, the current methods and tools available are inefficient, officials said.

“I wanted a better way to train my team,” Jeff Tucker, who is part of Navy Cyber Defense Activity 64, which houses several defensive cyber teams, and who designed the Cyber Forge scenario, told Fifth Domain.

To date, most cyber training exercises were a version of playing capture the flag.

“Capture the flag, [is] basically just a question-based type thing. You really have to lead teams down a path, there’s really no set path on how you do it right or wrong. While that’s nice, that’s not an effective way to train people,” Tucker said.

Navy leaders thought there could be a mutually beneficial relationship if they linked up with the PCTE team. The operational community needs to train and the PCTE team needs operational users to continue to test its prototype. As a result, officials extended invitations to Cyber Forge to the entire joint force, not just the Navy, to help test the scalability of PCTE.

“I wanted to be able to expand it out to affect more teams because my team isn’t the only one that needs extra training,” Tucker said. “That’s how it grew.”

Cyber Forge was created as a template inside the PCTE platform and could then be downloaded by other teams across the Department of Defense. Teams from the Army, Air Force and Navy — six teams of 10 to 15 people each — spread from Maryland, Georgia, Texas and Hawaii, participated.

The event focused on defensive cyber operations and involved teams hunting on a network to drive out an actor and then delivering a remediation plan to the network owner.

The exercise was a significant expansion from previous exercises with the PCTE.

“It’s testing it at a scale and scope that we haven’t done,” Amit Kapadia, product manager of Cyber Resiliency and Training and chief engineer at Army Program Executive Office Simulation, Training and Instrumentation, told Fifth Domain. “There’s about 150 different virtual machines times six different individual games going on so we’re gradually increasing the size and scope of this.”

Cyber teams are beginning to use a new training environment that will allow staffers to rehearse for specific missions.

Cyber leaders had used PCTE for two previous offensive cyber exercises — Cyber Anvil in February and Cyber Valhalla in March — but both were smaller events.

With Cyber Forge, Kapadia said the team looked to learn how the system performed over several time zones. Others on the operational side noted that they’re learning how to run a distributed white cell, a team of administrators that essentially runs the overall scenario, dialing the difficulty up or down. Ideally, cyber teams hope to have teams dial in from all over the world for training.

“[One of the] lessons learned already is [that] distributed white cell is hard,” Henry said.

“It’s hard to relay information and it’s hard to relay not only information but intent. Everybody will perceive something differently,” Henry added. “It’s really easy to walk over to the teams, see what the team is doing … But if he’s over in Georgia, I have to hope he answers his phone or he sees me on Slack … If he doesn’t understand my question … that’s just a pertinent example of how a distributed white cell works.”

This experience from participating in an exercise is critical for the program office.

“This is huge because the platform providers [and] the program office will see what works and what doesn’t work and we can take that feedback and roll into the next sprint,” Lee Rossey, chief technology officer of SimSpace, one of the PCTE contractors, told Fifth Domain.

Personnel from the operational community were generally pleased working with the PCTE team for Cyber Forge.

“No one was expecting a flawless operation but we are pretty close to having almost no issues,” Tucker said. “For the most part, we are able to provide a pretty realistic simulated environment for the teams to work how they see fit … I couldn’t be happier with the way PCTE is going … the way I see it is it could easily be our primary tool to train our personnel and assess our personnel in the future.”

Officials noted it will be many months until PCTE is ready to be used for a major Tier I exercise such as Cyber Flag, which is Cyber Command’s premier annual exercise, but the goal is to eventually reach that threshold.

However, many in the contracting and cyber community are concerned about how the eventual PCTE platform will scale around the world given that the prototype has been run by smaller companies without experience integrating large programs akin to major prime contractors.

“That’s why we want to do these events,” Kapadia said. “Why we are in this prototyping stage is to be able to know that each of these events that we’re taking on … we’re getting to that next level of scalability.”

Lt. Col. Thomas Monaghan, product manager of cyber resiliency and training at PEO STRI, told Fifth Domain there is no correct answer to the scalability question, acknowledging this is the first time a program like this has been done. “We’re taking small scale events and figuring, okay, this is what the materiel solution management looks like, this is what the operational management looks like … and [we] adjust fire for the next mission.”

We’re going to need a bigger boat

For a joint program that is going to span all services, the Army’s program office is going to need a bigger contract vehicle going forward for PCTE allowing for more money and a wider range of services.

The PCTE team held an industry day June 11, when they briefed a new contract vehicle for the program called Cyber Training, Readiness, Integration, Delivery and Enterprise Technology, or TRIDENT.

“What that means is we can do stuff, like when cyber mission forces say ‘we need to go after this type of training event, this type of content,’ we have the vehicle to do that,” Monaghan said. “It’s more of an everything contract instead of a little niche … it allows us to do so much more instead of this little [contract]… figure out an OTA, figure out this.”

Monaghan said the contract vehicle is valued at almost $1 billion, one of the biggest contracts the program office has ever awarded.

Where is PCTE headed?

Many at Cyber Forge described the current iteration and future version of the PCTE platform as an on-demand interface with modules that teams can click on depending on what they want to practice. Additionally, there’s the option for organizations to create their own exercise or range within the platform, like the Navy did for Cyber Forge, or to choose from an existing template inside.

According to budget documents, the PCTE program plans to spend more than $400 million on the program in the next five years.

The program still has a way to go in terms of integrating new capabilities. In the prototype phase, the Army has conducted a series of cyber innovation challenges (CICs), which are awards to layer new technologies onto the platform.

The third challenge was awarded in February to Metova Federal, ManTech and SimSpace Corp. to work on the white cell exercise control. SimSpace will also work on a technical management dashboard. These capabilities were too new to be featured in Cyber Forge.

Similar to the Apple app store, the program office has instituted a standard for companies to provide new solutions or applications so long as they meet certain security requirements.

After the vendor awards, a series of monthly sprints will incrementally add capabilities and technology to the platform. Rossey explained that monthly sprints occur with users providing feedback. He added that another major update to the platform is scheduled for August, with more monthly updates planned.

All of this is leading up to what personnel are calling the PCTE 1.0, or the official version of the program, slated for release in January.

PCTE is also making cyber more joint

Officials said events like Cyber Forge also allow for personnel from the program community, contracting community, academic community and operational community to get together and hash out big picture issues associated with cyber training and cyber issues across the joint force.

Since PCTE is a joint program to be used by all the services’ cyber mission force personnel under Cyber Command, the program has to take into account stakeholders and teams from across the services.

One of the sessions observed at Cyber Forge focused on building content for what are known as Joint Qualification Requirements (JQR). JQRs are essentially the checklists personnel in DoD need to know to qualify to use a particular weapon system, cyber or not. For cyber, this could be the defensive kits teams deploy with when responding to a breach.

Participants said they wanted to include the requirements in the training environment for all the cyber weapon systems, a change that would allow cyberwarriors to log in to train on their specific weapon system.

By having this discussion, officials said it also helps Cyber Command look at the capabilities they have and standardize them across the force.
