Marine Corps builds tactical cyber force to help with growing threats
With limited resources and increasing threats, experts at U.S. Cyber Command cannot conduct operations for everyone and protect everything.
As a result, the Marine Corps is spreading expertise and resources from high-end cyber warriors to the fleet as it builds prowess in the domain, with new cyber-focused careers for Marines and first-time tactical cyber forces.
The shift is a big one because presidential rules permitted only remote operations from Cyber Command for many years.
Streamlined authorities have paved the way for more operations from Cyber Command. Maturing cyber operations, authorities and doctrine are giving way to expanding the aperture to the tactical space, to include adopting new ways to conduct cyber operations, such as using electronic warfare methods. But tactical unit commanders need planners who understand the ins and outs of the domain and how to plug into the larger Cyber Command enterprise.
On the offensive side, the Marine Corps Forces Cyberspace Command — the service cyber component to Cyber Command — is sharing its knowledge with Marines who work in the field, training them to use computer systems and access certain capabilities to achieve their missions.
Defensively, MARFORCYBER is aligning its specialized defensive cyber teams to specific Marine Expeditionary Forces, while also working to translate cyber threats to the fleet.
MARFORCYBER acts as the connective tissue between deployed fleet forces and Joint Force Headquarters-Cyber, the subordinate entities beneath Cyber Command led by each of the service cyber component commanders. These headquarters provide planning, targeting, intelligence and cyber capabilities to the combatant commands to which they’re assigned, conducting the actual operations for Cyber Command.
Going on the offensive
As the Marine Corps builds its cyber workforce within the fleet, these personnel need to know what resources and capabilities they could use as they deploy around the world. They are learning basic skills like how to call for help from Cyber Command.
MARFORCYBER’s Littoral Operations Cyber Cell serves as this resource center for the fleet. For example, a unit deploying to the Pacific will need to know how to plug into Joint Force Headquarters-Cyber Fleet Cyber as opposed to Joint Force Headquarters-Cyber Air Force, which covers cyber operations in Europe. Orders might change for a unit, and forces that deploy to a different theater need to know whom to contact and how available cyber resources might shift.
“It’s all about helping the 1700 cyber guys in the force … plugging them into the matrix and giving them the resources that they can build the cyber community the right way,” Capt. Neal McGaughey, a cyberspace warfare development officer at MARFORCYBER’s Littoral Operations Cyber Cell, told C4ISRNET.
The Marine Corps a few years ago created a new cyber career field — dubbed 17XX — in its effort to build out a larger cyber enterprise across its fleet, beyond its responsibilities to Cyber Command. One role is a cyberspace planner, which exists at various echelons and commands, such as the Marine Corps Force level and the Marine Corps Expeditionary Unit.
MARFORCYBER is helping the fleet plug into the larger cyber enterprise. (Lance Cpl. Jose Villalobosrocha/U.S. Marine Corps)
For the Littoral Operations Cyber Center, this means familiarizing the cyberspace planners with certain resources before deployment. One such resource is the emerging cyber planning elements at the combatant commands. These cells are forward extensions of the Joint Force Headquarters-Cyber and exist in the planning section of the combatant command to better understand battle rhythms and to bake cyber capabilities into operational plans from the beginning.
Familiarity with these structures is important for the Marine Corps planners so they understand that they can call upon certain cyber capabilities and know where to get them.
“We’re having a lot of success because we’re educating some people who are brand new to the community just on the construct of the enterprise,” McGaughey said.
With guidance from the Littoral Operations Cyber Center, cyberspace planners in the fleet are now doing situation reports, which can be passed around the larger cyber enterprise, including joint units and Cyber Command, to advertise what capabilities smaller Marine Corps units possess and what they might need.
The reports not only help to educate the broader community but also provide a library of sorts that the Marine Corps can reference to see if a particular set of gear or operations succeeded, allowing them to adjust in the future.
Beyond those planning operations at the staff level, the new tactical units will conduct cyber operations under the larger umbrella of what the Marine Corps calls operations in the information environment.
These forces, dubbed the Marine Expeditionary Force (MEF) Information Groups (MIG), will encompass a bevy of information-related capabilities to include cyber, electronic warfare, intelligence and information operations.
These forces will work as both the primary planners and advocates for MEF commanders within the information environment, as well as deploy their capabilities on the ground alongside other Marines at the tip of the spear.
On the cyber front, given that tactical operations and authorities are still emerging, these forces are looking for expertise from MARFORCYBER regarding tactics and capabilities.
While cyber operations at the top Cyber Command level are inherently joint, that joint-nature begins to dissipate at the lower levels within the services that are creating their own tactical forces. However, MARFORCYBER, given its relationship with Cyber Command, is looking to push as much capability as it can — even if it comes from another service — down to these new tactical forces, McGaughey said.
Rather than functioning simply as a tactical extension of MARFORCYBER, McGaughey said leaders view the MIGs as providing more cyber reach for the force.
“Where I see the MIGs coming up, they’re going to be extra capacity for the cyber mission enterprise, they’re going to be able to help with planning, and then they’re going to be able to deliver effects and capabilities on behalf of JFHQ-Cs in the future,” he said.
Cyber Command forces will someday be able to control tactical sensors in the field from remote sanctuary positions, but strong relationships must exist between the tactical and remote forces to understand each other’s battle rhythms, McGaughey explained.
“What we’re trying to do is get them trained up certified, get their name into that battle rhythm and showing the capabilities, so when the time comes that you can remote C2 [command and control] these sensors and enable a cyber operation, you’re already trained” to their mission set, he said.
He pointed out one example: II MIG, which is focused on the European theater, is traveling to San Antonio early next year to try to forge a relationship with Air Forces Cyber/Joint Force Headquarters-Cyber Air Force, which is responsible for cyber operations in European Command.
“Whenever they deploy, now they can actually say, ‘Hey, we’re going to go into theater and now we can deploy that capability for you,’” McGaughey said of what the MIG can do for Joint Force Headquarters-Cyber.
More broadly, the military is looking to merge cyber with other aforementioned capabilities within the information environment, and McGaughey described how MARFORCYBER is aiding these forces within the larger domain and taking an agnostic approach to capabilities and effects.
MARFORCYBER, given its close proximity to Cyber Command, takes capabilities from the joint world — including Military Information Support Operations, or psychological operations, and capabilities Cyber Command has — and broadcasts them to the fleet to use, so long as members possess the proper authorities, he noted.
With the shift toward information environment operations, McGaughey said the Marine Corps is looking beyond simply cyber or electronic warfare capabilities, taking a broader view encompassing information packages.
“I am not going to ignore that and only focus on OCO [offensive cyber operations] exploits or cyber exploits or capabilities. We are going to push that information out there as soon as we can,” he said of the Cyber Command MISO capability, as well as broader information capabilities across the joint force that tactical forces can use.
On the defensive end, MARFORCYBER decided to align some cyber protection teams to specific MEFs to better integrate them with their battle processes to be more proactive against cyber threats.
Cyber protection teams (CPTs), defensive teams that each service provides Cyber Command, function as cyber SWAT teams that respond to local network breaches. While the services don’t own the offensive teams they provide to Cyber Command, each service retains a select few cyber protection teams to use how they choose.
This emerging relationship fosters a better cyber defense posture by embedding these high-end teams with units permanently, as opposed to them periodically jumping in to provide support.
“By aligning them to a particular MEF, it builds the impetus to start to learn those plans that those MEFs are assigned to backwards and forwards in order to best support them,” Lt. Col. Ryan Barnes, operations officer for the Marine Corps Cyberspace Warfare Group within MARFORCYBER, told C4ISRNET.
Cyber protection teams are being aligned to each MEF. (Marine Corps)
Those top cyber protection teams will understand the MEFs’ needs for a particular plan, and the MEFs know what information they need to provide to get the best support, Barnes said. “It’s kind of a symbiotic relationship.”
The Marines are still working out much of these relationships and concepts, but the alignment to specific MEFs is a departure from the way the Corps conducted business in the past.
Upon first hearing about cyber protection teams, Barnes — as a prior artilleryman — thought the concept sounded like an artillery liaison team, which is an artillery battery’s forward element that embeds maneuver units and provides expertise and assistance.
Additionally, Barnes thinks of cyber protection teams as scout sniper teams conducting reconnaissance and identifying problems ahead of time. This seeks to foster a more proactive approach rather than reactive, he said.
Declining to offer specifics for security purposes, he provided a hypothetical example in which cyber protection teams might go forward and examine the communications and network infrastructure in an area where their unit doesn’t have a presence. They would identify vulnerabilities or challenges to the commander, allowing the incoming unit to harden its communications systems before plugging into the infrastructure.
The force, however, is still ironing out some of the delineation of responsibilities between various defensive cyber elements. These include the cyber protection teams, local unit defenders at installations or specific units, and new defensive cyber operations-internal defense measures (DCO-IDM) companies the Marine Corps is creating. These tactically focused cyber teams will defend critical digital assets at the tip of the spear, existing within the MIGs.
Barnes tasked the three cyber protection leads across each MEF to become the “best friend” of the DCO-IDM company commander to learn responsibilities and divisions of labor.
The key is sharing expertise gained from years of conducting operations and from threat information that flows from the close linkage between MARFORCYBER and other top cyber elements, including the National Security Agency.
For example, teams might share tips on what vulnerabilities to scan for when setting up a tactical environmental network, which isn’t always as mature as those in garrison, Lt. Col. James Sheasley, current operations officer for MARFORCYBER, said in an interview. There’s almost more urgency to harden the network in the tactical space, because the teams build systems that may not have been online in a while to receive critical updates.
Barnes is waiting on after-action report from a recent II MEF exercise to see exactly what efficiencies the force identified. For another event in December called Dynamic Response, the unit is evaluating how quickly cyber protection teams can deploy with gear, Barnes said.