2018 Army Signal Conference, March 8 2018, Springfield, VA. This briefing is: UNCLASSIFIED. Ronald W. Pontius, Deputy to the Commanding General, U.S. Army Cyber Command & Second Army


2018 Army Signal Conference

March 8 2018

Springfield, VA

This briefing is: UNCLASSIFIED

Ronald W. Pontius

Deputy to the Commanding General

U.S. Army Cyber Command & Second Army


What is “Cyber” Full Spectrum Cyberspace Operations

DoD Information Network (DoDIN) Ops

• Provide effective C4IM services support

• Facilitate aggressive network defense

• Network Convergence and Modernization

Defensive Cyberspace Ops (DCO)

• Identify and protect Mission Relevant Cyber Terrain

• Clear and Harden Efforts (Analysis and Response – pre-incident)

Offensive Cyberspace Ops (OCO)

• Transition current efforts to more global lines

• Support selected Combatant Commands

Layers of cyberspace (diagram labels): Cyber-Persona, Logical, Physical

Other diagram labels: Individual, Information, Physical Network, Cyber Identity, Geographic Component

• Manmade, global domain, integrated into all other domains

• Used and controlled by diverse private and public entities

• Domestic, Informational, Military & Economic considerations

• 3 distinct but interrelated layers contribute to complexity

• Public, Commercial, and Adversarial network components


Command Overview

• Global Presence, 24x7

• 19,000+ Personnel

• Directs and Conducts Integrated:

– Cyberspace Operations (DoDIN Ops, DCO and OCO)

– Information Operations

– Electronic Warfare

Cyber Overview


Where we are today

• Operations: Provide C4IM services and defend against our adversaries 24/7

• DODIN Ops, Defensive Ops, Offensive Ops, Information Operations, and Electronic Warfare

• Training: Cyber Center of Excellence is training all cohorts

• Officer, Enlisted, Warrant, Civilians – Active, Guard, Reserve

• Research: Army Cyber Institute is national resource for interdisciplinary research, advice and education in cyber domain

The Army Cyber Enterprise (diagram labels): Army Cyber Command, Army Cyber Institute, DAMO-CY, Cyber Center of Excellence


DODIN Readiness

• Converging and Standardizing improves delivery of C4IM capabilities and reduces our attack surface

• Moving to WIN10 improves security – and readiness of the network

• NETMOD improves the effectiveness and resilience of the DODIN

• Improve our ability to see ourselves (situational understanding)

• Endpoint Management and Endpoint Security

• Cyber Analytics and Cyber Awareness Dashboard

How it’s measured

• Cyber Security Scorecard

• Command Cyber Readiness Inspections

• Quality and cost of C4IM Capabilities to Army and Joint organizations

Improved readiness and resiliency through an overarching security architecture and a standardized / modernized network


CEMA Support to Corps and Below (CSCB)

• 3/25 IBCT (JRTC), MAY 2015
  – Objective: Integrate DODIN OPs and OCO
  – Outcome: Conducted OCO ISO maneuver operations

• 2-2 SBCT (NTC), JAN 2016
  – Objective: Enable 2-2 to integrate cyber effects at NTC
  – Outcome: OCO & C-ISR ISO ULO; Disrupted adversary C2 and social media

• 75th Ranger Reg, JUN 2015
  – Objective: Educate the RSTB in OCO
  – Outcome: COTS effects with infrax deployed to enable wireless reconnaissance

• 1/82 BCT (JRTC), NOV 2015
  – Objective: Support 1/82 with DCO
  – Outcome: BCT’s organic MTOE defenders have increased ability to secure network

• NIE 16.1, SEP/OCT 2015
  – Objective: Integration of DCO reach support
  – Outcome: Executed reach support utilizing NIKSUN IDS

• 1/1 ABCT (NTC), AUG 2016
  – Objective: Provide 1/1 with full spectrum ECT (CO/IO/EW)
  – Outcome: Effective SOF integration; OSINT support to cyber exploited

• 2/1 ABCT (NTC), MAY 2017
  – Objective: Full spectrum ECT; Enable Reach; Mass effects at decisive point
  – Outcome: Conducted OCO & C-ISR ISO ULO; Disrupted adversary C2 and social media

• 1/4 SBCT (NTC), JUN 2017
  – Objective: ECT(-) / Reach ISO R&S rotation; Defend network; ID enemy C2
  – Outcome: Successfully executed remote OCO/DCO; Successfully integrated TRIP

Over the past 2+ years the CSCB Pilot has developed an innovative concept for the structure and opportunities to employ Cyberspace Electromagnetic Activities (CEMA) effects at the tactical level.

TRIP and WCCO involvement continues to evolve through each rotation

At its core, CSCB sought to answer the following questions:

1) Is CEMA relevant to a tactical commander’s operations?

2) If yes, then how does it integrate into tactical operations?

3) What structure best supports tactical CEMA?


Cyber Mission Force (CMF) Readiness

• Status: 41 teams on mission conducting OCO and DCO in support of Army and Joint Force Commanders

• USAR and ARNG are building CPT capacity. Planned FOC is 2023

• ARNG – 11 CPTs

• USAR – 10 CPTs

Readiness Components

Facility: New Ops and HQ facility at Gordon on track for 2020 occupation

Platform: Fielding new operational platform to both CCOE and CMF

Development: Ability to do capability development is up and running, improving our responsiveness to Combatant Commander need

How it’s measured

All of the Army’s 41 Active Component CMF Teams are FOC and on mission today – Continuing to build capacity in USAR and ARNG

CMF

National Mission Force (7)

• National Mission Team (NMT) – 64 PAX

• National Support Team (NST) – 39 PAX

Combat Mission Force (14)

• Combat Mission Team (CMT) – 64 PAX

• Combat Support Team (CST) – 39 PAX

Cyber Protection Team (CPT) (20)

• CPT – 39 PAX


Talent Management

• Coordinated and developed with NETCOM the Consolidated Hiring Cell supporting all NETCOM Civilian Hiring actions

• Reviewed and updated regulations: Recruitment, Relocation, and Retention Incentives; Foreign Overseas Tour Extension and Statutory Return Rights; Position Classification; and Civilian Hiring Process

• Contracting with two civilian headhunter companies to attract new talent, a groundbreaking approach for Government that leverages industry’s best practices

Momentum

• 1 Feb 2018: 32 Direct Hires, 16 Merit Announcements, 22 Referral Lists, and 18 Job Offers

• Reduced NETCOM personnel affected by the 5 year rule – placed 37 personnel against CONUS NETCOM positions

Support ARCYBER’s and NETCOM’s mission through improvement of access to critical talent and expedited hiring of civilians


Leveraging Partnerships

• Defense Digital Service

– Bug Bounty Program

– Cyber School Training Pilot

– Tiger Teams

• DIUX

– Endpoint Threat Detection Analytics

– Machine Learning

• Cyber Acquisition Task Force

– TRADOC Capability Manager (TCM) Cyber

– PEO EIS, C3T, IEW&S and STRI

We are leveraging partner capabilities to deliver solutions we couldn’t have on our own!


Defensive Cyber Operations (DCO): Requirements Strategy

Diagram labels: Supporting Documents; MS B/C Documents; ICDs; ONSs

Documents and dates:

• GIG IA ICD – 06 Mar 06

• Net-Enabled MC ICD – 27 Dec 11

• JIE ICD – 17 Jul 14

• Big data – 15 Jan 14

• DCO-I – 31 Jan 14

• Web Scanning – 15 Jan 14

• LWN ICD – 30 Jul 14

• CPT Support – 15 Aug 14

1. Cyber Analytics

2. Garrison DCO Platform

3. Deployable DCO System

4. DCO Tool Suite

5. Tactical DCO Infrastructure

6. DCO Mission Planning

7. User Activity Monitoring (Insider Threat)

8. Forensics/Malware

9. Advanced Sensors

10. Threat Discovery/Counter-Infiltration

11. Threat Emulation

Requirements Definition Packages/Capability Drops

• Actively predict and hunt

• Outmaneuver adversaries

• Achieve survivability & security enhancement

• Conduct site exploitation and forensic analysis

• Conduct DCO mission planning and protection

• Conduct mission assurance actions to dynamically re-establish, re-secure, re-route, reconstitute, or isolate

• Evaluate the defensive posture thru vulnerability assessments & threat emulation

DCO IS ICD – MS A Document

DCO Maneuver Baseline

Using rapid development process to deliver capabilities faster.

UNCLASSIFIED//FOUO


Defensive Cyber Operations (DCO): Evolutionary Capability Delivery Model

Capability delivery must keep pace with changing technology & evolving cyber adversaries, TTPs

DEVELOP, ASSESS, DEPLOY, LEARN, ITERATE

DCO Capability Delivery Model:

– Requirements: Broad RDPs, CDs informed by operations and accounting for technology and adversary changes

  • RDPs approved by ARB

  • CDs approved by ARCYBER CG/CCOE CG in collaboration with ASA(ALT)

– Acquisition: Tailorable, incremental model

  • Evolve existing operational prototypes

  • Rapid capability delivery

  • Spiral development, quick turns

– Testing: Series of incremental, discrete evaluations of Capabilities and any associated risk

– Underpinned by CFT construct with “DevOps”: tight coupling between Ops, Development, and Testing


Defensive Cyber Operations (DCO): Outmaneuvering and Engaging the Adversary

Mutually supporting capabilities operating on an integrated, standardized Infrastructure


Way Ahead

• Acquisition

– Limited Acquisition Authority

– Other Transaction Authority

• Future Transformational Technology

– Artificial Intelligence / Machine Learning

– Supply Chain Risk Management

Our processes need to be able to move at the speed of cyber


Conclusion

• Continual Efforts to improve DODIN Readiness and Resiliency

– Convergence, WIN10, NetMod

• The Active Army’s Contribution to the Cyber Mission Force is Full Operational Capability (FOC)

– 41 teams on mission

• Helping to Build Capacity in USAR and ARNG

– 21 more teams FOC by 2023

• Talent Management Efforts Are Paying Off