A venue for the Army to test emerging concepts along with other services, Project Convergence Capstone 5 served as a “critical test bed” for the service’s in-development electronic warfare capabilities, according to a spokesperson from Army Cyber Command. During the event, the Army sought to not only focus on rapid generation and deployment of effects in contested environments, but also streamline the process of target identification, develop countermeasures to adversary capabilities and deliver them across multiple electronic warfare systems at speeds required for large-scale combat operations.

The advanced modern state of electronic warfare involves a constant cat-and-mouse game between friendly forces and adversaries. Each side aims to jam or deny the other’s access to spectrum for communications or other systems, while also seeking to geolocate forces based on electronic emissions and enable freedom of maneuver for themselves.

The Army, along with the other services, has been preparing for large-scale combat operations of the future that take place over greater distances with sophisticated adversaries, a departure from the war on terrorism that was more regionally focused and fought against technologically inferior enemies.

As such, the Army and its counterparts have sought to rebuild much of their electronic warfare prowess they divested after the Cold War. The Army has been on a decade-plus journey to reinvigorate electronic warfare and build out an arsenal of capabilities.

While that effort has seen fits and starts, the Army is currently prioritizing a new EW architecture to allow for the rapid collection, dissemination and reprogramming of signals in the field at the speed of war.  

ARCYBER’s participation in Project Convergence consisted of several partner and subordinate organizations, such as the Army Cyber Technology Innovation Center Lab, where ARCYBER tests new technologies; the 11th Cyber Battalion, which conducts tactical, on-the-ground cyber operations (mostly through radio-frequency effects), electronic warfare and information operations; the Army Cyber Center of Excellence; the Army Reprogramming Analysis Team; Project Manager Electronic Warfare and Cyber; Project Manager Cyber and Space; the Army Cyber Institute; the C5ISR Center’s Research and Technology Integration Directorate; and the All-Domain Sensing Cross-Functional Team.

The experiment primarily focused on electromagnetic support activities, like sensing the environment to detect and intercept signals, specifically by refining data flows, processes and standards for EW systems. It sought to improve electromagnetic support characterization through detector modifications.

Forces used the Terrestrial Layer System Manpack, the first official program in decades to provide a dismounted electronic attack capability that soldiers can use to conduct direction finding with limited jamming on-the-move, as well as a commercial system and modified commercial software-defined radios.

While the primary focus was on electromagnetic support, Project Convergence aimed to refine processes and standards that support the other main EW domains: electronic attack, primarily through jamming, and electronic protection efforts aimed at safeguarding against jamming. Units also tested the process of requesting, developing, and deploying electronic attack payloads, achieving a turnaround time of less than 24 hours.

Central to the experimentation and continued building out of EW capabilities is the development and implementation of what the Army calls modular mission payloads and a responsive EW reprogramming ecosystem. These modular mission payloads are a different approach to capabilities, moving from platform-centric to payload-centric, meaning effects can be employed over multiple platforms with little to no integration by operators.

The ecosystem will provide rapid generation and deployment of modular mission payloads across several platforms for precise and timely non-kinetic effects, according to the ARCYBER spokesperson.

Enhancing the responsiveness of electromagnetic spectrum systems and using modular mission payloads, the Army seeks to achieve rapid effects generation and delivery at scale, which will significantly improve its ability to dominate the electromagnetic spectrum and achieve operational objectives in dynamic environments, they added.

ARCYBER also sought to demonstrate the end-to-end process of developing and deploying electronic warfare effects from a central repository to units at the frontlines using a common framework to interface with multiple EW systems to deliver targeted electronic fires.

The Army also sought to further test out processes within its Radio Frequency Data Pilot, an effort to determine what it needs to be able to rapidly reprogram systems on the battlefield.

The RF Data Pilot team successfully demonstrated the ability to rapidly sense EW targets on the battlefield, share the data with the Army Warfighting Mission Area System, and pass the information to the Rapid Effects Generation Enterprise.

The Rapid Effects Generation Enterprise developed a new modular technique in a few days that was loaded on multiple EW systems, equipping them with a new capability to automatically characterize and classify an anomalous signal they didn’t possess previously.

When a signal is discovered that isn’t in a unit’s library of known capabilities, it previously could take several months to process and classify it to develop a countermeasure. The U.S. military is seeking a reprogramming enterprise that can do that work in hours and, some cases, at the tip of the spear on the battlefield as opposed to sending the signal back to a static, remote location.

“The RF Data Pilot program has provided valuable insights and data, further solidifying the direction of our non-kinetic effects development. We’ve gained a clearer understanding of the necessary data standards and identified potential policy recommendations to enhance these capabilities,” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said in a statement. “This progress allows us to move forward with confidence and refine our approach to achieving the speed and scale required for [large scale combat operations]. The pilot program’s findings affirm our trajectory and provide a strong foundation for continued development and implementation.”

The experimentation at Project Convergence demonstrating the speed of integration and technique generation is a significant milestone in the Army’s ability to build greater situational awareness in the electromagnetic spectrum, according to the spokesperson.

Following the event over the next several months, the pilot team will continue to build on the successes demonstrated.

The Army will also continue refining the electronic warfare reprogramming ecosystem and integrating the modular mission payload framework.

Cyber Quest 25 will be the next big opportunity for industry to demonstrate capabilities to rapidly assess, develop, and deliver EW effects to multiple systems in a realistic operational environment.

The post Army evaluates several evolving electronic warfare concepts at Project Convergence appeared first on DefenseScoop.

In late February, the Army Force Structure Transformation (ARSTRUC) plan directed the activation of two more so-called expeditionary cyber and electromagnetic activities teams (ECTs) in the 11^th Cyber Battalion — a total of 90 authorizations — rounding out that battalion and an additional 390 authorizations for ECTs to begin building the 12^th Cyber Battalion, Lt. Gen. Maria Barrett, commander of Army Cyber Command, said in an interview with DefenseScoop.  

“We’re doubling down on what the expeditionary [Cyberspace and Electromagnetic Activities] teams have been doing to date. I think that is a good sign,” Barrett said.

The battalion provides tactical, on-the-ground cyber operations (mostly through radio-frequency effects), electronic warfare and information operations. The unit consists of four companies with over 300 personnel total and five ECTs — scalable formations designed to augment units upon request.

They’re expected to maneuver with units, plan tactical operations for commanders and conduct operations on the ground.

The decision to expand the teams — and the overall concept — comes after what initially began as a pilot effort over six years ago to test how the Army could integrate tactical cyber and electronic warfare effects for brigades on the ground without having to rely upon the remote, strategic resources of U.S. Cyber Command, which are not only in high demand but, at the time of the pilot, limited in authorities to conduct operations.

According to Army Cyber, based on lessons learned over the last five years, the command has refined the operational concept of the ECTs to account for Army doctrinal and organizational changes, now accounting for employment in competition as well as crisis and contingency scenarios. That feedback has included real-world operations — such as when, in the run-up to Russia’s invasion of Ukraine in 2022, an ECT was sent forward to Europe to support the Army’s regional theater headquarters to provide subject matter expertise in electronic warfare, information operations, and defensive cyber and offensive cyber planning — lessons learned from Ukraine and other regions, over two dozen combat training center rotations, multiple Warfighter and theater-level exercises, and the Project Convergence experimentation series. As the ECTs continue to mature, ARCYBER will refine their concepts of operations to provide better support and consequential effects to commanders, according to a spokesperson.

Integration with Special Operations Forces and space forces is one of several operational use cases for the ECTs. Going forward, most use cases — particularly in conflict — for the ECTs will involve their placement with conventional combined arms formations to provide specialized EW and cyberspace effects against operational and tactical targets at corps and below, the spokesperson added. Other use cases could involve integration with space and special operations forces under what the Army dubs the modern triad, a play on the nuclear triad consisting of the combination of space, special operations and cyber to create a deterrent effect greater than the sum of its parts.

The Army continues to experiment with the concept and how those forces can augment or support the operations of a division, including Summit Strike, a first-of-its-kind home station training event for 10^th Mountain Division to test and train multidomain operations and capabilities that took place Nov. 19-21.

11^th Cyber Battalion participated in the event to better understand how it fits into a division fight and what targets it can assist to create effects against and provide tactics they can bring back for their own training objectives in the future.  

“11^th Cyber is a tactical cyber unit and that is a first-of-its-kind ability or effect that the Army has to call on. There’s a lot of question on how that unit would actually come and like support a division,” said Capt. Sean Thorpe, 10^th Mountain Division CEMA officer in charge for 10^th Mountain Division. “11^th Cyber is able to gain access to certain unique enemy capabilities that are always on the high payoff target list for a division. Things that we want to destroy, so that way the enemy isn’t able to use those so they can support their maneuver units. 11th Cyber gives us the unique capability of providing access to those things so that we can provide cyber effects.”

The Army is examining appropriate command relationships to ensure that Army Cyber can employ trained ECTs with appropriate intelligence and authorities in support of theater Army missions for joint force commanders throughout the competition continuum, according to a spokesperson.

When the new battalion comes online, Barrett noted it will likely be a carbon copy of what the 11^th currently does. The Army is examining holistically how it does electronic warfare, what that looks like at the edge and what kind of capabilities it needs. Similarly, it is taking a look at whether it needs to make any adjustments in the new battalion, but those are all pre-decisional.  

Building information forces

Barrett said that from Army Cyber’s perspective, the ARSTRUC’s directions came in two buckets: to finish building the first cyber battalion and building the Theater Information Advantage Detachment. The latter is one of three organizations being developed by the Army to synchronize information capabilities at the theater level: one in the Pacific, one in Europe and another that Army Cyber is focusing on transregional threats.

As part of all these builds, the ARSTRUC is sunsetting 1^st Information Operations Command, which provides information operations support and training.

“Taking the success of realizing that we do need information operations. We need to understand this environment. Commanders need to integrate information advantage as part of their scheme of maneuver, both in campaigning and in conflict, and have those forces ready to go and not small teams being deployed out as 1st IO was doing,” Barrett said. “Instead of [that capability] just being focused on the information operations disciplines, we’re now complementing them with, it’s cyber, it’s IO, it’s EW, it’s fires. Bringing all of those competencies together to create this just really composite effects in the theaters or, as we take a look at global from an Army Cyber TIAD standpoint, transregional challenges in the information environment.”

The post Army building a new expeditionary cyber battalion appeared first on DefenseScoop.

Since the creation of the cyber mission force — the teams each military service is responsible for providing a set number to Cybercom to employ for operations — over 10 years ago, personnel often wouldn’t get all the training they would need at their schoolhouse prior to arriving at their operational units. Rather, digital warriors would get additional on-the-job training upon arriving at their unit. This was a contributing factor to readiness issues that have plagued the cyber mission force across all the services.

Recently, however, Cybercom’s commander, Gen. Timothy Haugh, has noted marked improvements in readiness levels.

Army Cyber Command is trying to move that training to the left as part of its efforts to improve the preparedness of the forces it provides to Cybercom.

“Some of the other things that Gen. Haugh has been talking about, like training to the left, so that more of the soldiers in the CMF when they come out of the schoolhouse don’t require as much or any additional training in order to perform their work role,” Lt. Gen. Maria Barrett, commander of ARCYBER, said in an interview. “The Army, a while ago, aligned its coursework to do … all of the 1000-level tasks and as many of the 2000-level tasks as it could in order to do that. It just didn’t make any sense where we have the majority of the cyber forces in the CMF, why would we insert unique service requirements into the schoolhouse training? First take care of the joint requirements. There is a very strong alignment between the curriculum in the [Cyber Center of Excellence] and the requirements that Cyber Command has put out.”

Operational commanders who receive personnel from the services have to balance their operations with managing the workload directed at training, which is a difficult task, Barrett noted. They don’t want to focus so much on individual training, but rather, the collective training of their respective teams as a unit. She said going forward, they want to spend as little time as possible focusing on the individual training at the operational command and focus more on collective training or developing proficiency beyond basic.

Barrett explained that there are many factors that go into readiness and remedies for deficiencies, noting there is no “silver bullet.”

“There’s the schoolhouse to be considered, there’s the advanced training, there’s the number of ops that we do, there’s the number of trainers to sign off on the training. A whole bunch of things go into the readiness picture,” she said.

Army Cyber is continuing other efforts to improve the preparedness of its forces, some of which were initiated under Paul Nakasone, the previous Cybercom commander, according to Barrett.

Those include special pay for military personnel and civilians, something Haugh has lauded previously, and retention bonuses. Barrett explained that direct hiring authorities with Cyber Excepted Service have also improved readiness.

The Army will be doing five-year tours for cyber mission force members and enablers that perform intelligence, fires, or any other support for those teams.

“If your training pipeline, or some of the unique aspects of doing that discipline in cyber is a one to two years of training and certification, now we get three to four years on the backside of developing proficiency in those disciplines. I think that would be a huge win,” Barrett said.

This leads to deep proficiency in the work roles, something Haugh has talked about realizing for the force.

“It isn’t just about having a particular fill rate, or having people trained at a basic level. We need people at a senior and master level in order to really face the challenges that we think we’d be faced with in the future,” Barrett said.

Army Cyber is looking to instill these readiness fixes, all while continuing to build more teams. In the fiscal 2022 budget, Cybercom proposed and was eventually approved for a phased approach to add 14 additional teams beyond the original 133, adding teams for the first time since the cyber mission force was created. The Army is building four teams over a five-year period and has already seen two such teams achieve initial operating capability. Those teams are now supporting the cyber mission force, marking a significant milestone in enhancing the command’s cyber capabilities, according to an ARCYBER spokesperson.

“That’s a little bit of the challenge of increasing readiness across the rest of the CMF while you’re also growing teams, is we’ve been able to balance that, because that’s very difficult to increase your readiness while you’re growing at the same time. But the teams are on schedule in terms of where we expected them to be from an IOC and [full operating capability] standpoint,” Barrett said.

Regarding the employment of her cyber teams, Barrett declined to offer any specifics regarding operations in the Middle East, but she said they’ve been busy since Oct. 7, 2023, when Hamas’ attack on Israel ramped up tensions and conflicts in the region.

Forces under Cybercom are employed for operations through what’s known as Joint Force Headquarters-Cyber. Each service cyber component commander is also the commander of a Joint Force Headquarters-Cyber and is responsible for operations for assigned combatant commands. For example, JFHQ-C Army is responsible for operations in U.S. Northern Command, Africa Command and Central Command, which covers the Middle East.

Hamas’ attack last year set off a new round of turmoil in the volatile region, which has included an all-out Israeli assault against the militant group and its backers such as Iran and its proxies to include Hezbollah in Lebanon. Additionally, the Houthis — a group backed by Tehran that has controlled portions of Yemen, including the capital, since 2014 — have been attacking U.S. military and commercial ships transiting the Red Sea.

“I do think the volatility of the region is something that we continue to keep our eye on. It is incumbent upon us to deliver both Gen. Haugh and [Central Command commander] Gen. [Michael] Kurilla as many options as possible to kind of try to reset that region. That’s first and foremost, I think. That’s what we’re trying to do is give them options where we can perhaps deescalate, make it more safe to transit the Red Sea,” Barrett said. “That’s what we’ve been really focused on doing.”

The post Army Cyber making moves to improve readiness appeared first on DefenseScoop.

The tool, dubbed Panoptic Junction or PJ, is part of the Defense Department’s solution to fulfill a key directive in President Joe Biden’s watershed artificial intelligence executive order that, among many tasks, directed the secretary of defense to develop plans for, conduct and complete an operational pilot to “identify, develop, test, evaluate and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.”

Cybercom is leading that effort on behalf of the DOD and, in working with Army Cyber Command, designated its Panoptic Junction tool to fulfill that directive.

Following a months-long prototyping effort, it was determined that the tool effectively detected malicious traffic, according to Lt. Gen. Maria Barrett, commander of Army Cyber Command.

“We determined that any missed detections were either unsuccessful attacks or behaviors that could be categorized as benign,” she said in an interview.

Following those favorable prototype results, PJ will enter into a 12-month pilot for Cybercom taking observations from the prototype and focusing on improved integration, usability, system performance, enhanced analytics and false positive reduction, she added.

PJ’s primary goal is to enhance the detection of anomalous and malicious cyber activity — including living off the land — through scalable and continuous monitoring. It is seen as a significant step towards more effective digital security.

Living-off-the-land techniques have come into sharp focus with the May 2023 disclosure of a Chinese actor called Volt Typhoon. That threat has been found to have penetrated U.S. critical infrastructure systems at an unprecedented scale — over a year later, the government is still finding remnants — signaling a paradigm shift in China’s cyber actions.

PJ uses AI-driven, programmatic access to Enterprise Mission Assurance Support Service (EMASS), the platform for authorizing IT systems, and threat intelligence to identify what risks most apply to a specific enclave’s architecture. It delivers those priorities to a second set of AI-driven functions to conduct event log analysis and identify anomalies or malicious activity. PJ is novel in that it uses artificial intelligence to link EMASS with continuous cybersecurity monitoring tools.

Cybercom officials have lauded PJ in the past, describing it as effective, fast and agile.

“ARCYBER is piloting an AI, machine learning platform that will enable scalable, continuous security monitoring of networks and platforms. It analyzes system compliance, threat intelligence and streaming cyber event data, which will enable advanced detection of adversary activity, malware and anomalies at speeds that human analysts would not come close to,” Morgan Adamski, executive director of Cybercom, said at the CyberTalks conference in October. “But not only is it fast, it’s agile. It is rapidly taking the pulse of networks and assimilating threat information simultaneously, protecting networks in real time … It’s increased efficiencies in operations and maintenance. It’s improved our ability to identify risk and detect adversary activity. It’s … provided real -time hardening recommendations and improved the technical ability of our force.”

The post Army Cyber AI monitoring tool moves to 12-month pilot appeared first on DefenseScoop.

The capability, known as Panoptic Junction, is part of an effort undertaken by Army Cyber Command, a service component command of Cybercom.

“ARCYBER is piloting an AI, machine learning platform that will enable scalable, continuous security monitoring of networks and platforms. It analyzes system compliance, threat intelligence and streaming cyber event data, which will enable advanced detection of adversary activity, malware and anomalies at speeds that human analysts would not come close to. But not only is it fast, it’s agile. It is rapidly taking the pulse of networks and assimilating threat information simultaneously, protecting networks in real time. And it is performing these security assessments in the lens of what is most applicable to the specific architecture” that it’s supporting, Morgan Adamski, executive director of Cybercom, said Wednesday at CyberTalks.

A series of assessments kicked off in April.

Adamski told DefenseScoop that officials have already seen “a lot of great successes” with the technology.

“It’s increased efficiencies in operations and maintenance. It’s improved our ability to identify risk and detect adversary activity. It’s … provided real -time hardening recommendations and improved the technical ability of our force,” she said on the sidelines of the conference.

“Part of the purpose of creating these pilots is to test out the efficiency of it and then determine whether or not it’s applicable to that enterprise-wide approach, which shows a lot of promise,” Adamski added. “Our hope is that we’ll continue to see good things come out of it and then we can make that determination, and then we can roll it into the larger enterprise funding aspect of it.”

Cybercom stood up its AI Task Force within the Cyber National Mission Force a few months ago. The CNMF is a sub-unified command under Cybercom made up of 39 joint teams and thought to have the DOD’s most talented cyber operators.

The task force intends to explore applications within the context of operational execution, in real time, and allow AI capabilities to be employed for immediate use in 90-day windows, according to Adamski.

“We came to find that we needed operational use cases, real-world practice of how we wanted to leverage AI so that we can learn and better inform our way forward,” she said during her keynote at the conference.

The Department of Defense Information Network (DODIN) is massive, with more than 3 million users globally on any given day. And it frequently comes under digital attack, Adamski noted.

AI technology is seen as a solution for quickly analyzing potential threats to the network and rapidly deploying defenses.

The task force is keeping an eye on a number of efforts across the enterprise, such as Panoptic Junction.

“The Cyber National Mission Force oversees the AI Task Force, and the AI Task Force is responsible for seeing all of these pilot activities across the cyber mission force. So it can be specific to the Cyber National Mission Force, but it also can be specific to the cyber components,” Adamski explained, adding that the task force is responsible for “herding and capturing all the great things happening across the [services’] cyber components,” including ARCYBER.

Members of the task force, which is still small right now, have high technical skills, she noted.

“We are building that team as quickly as possible, and we’re also partnering with [federally funded research-and-development centers], research labs, private sector. So we’re looking to augment that technical talent as quickly as possible,” Adamski told DefenseScoop.

The post Cybercom seeing successes with Panoptic Junction artificial intelligence capability appeared first on DefenseScoop.

The unit is one of three such organizations in the service. Officials recently approved growth for the TIADs, which are 65-person teams focused on synchronizing information capabilities at the theater level. While the U.S. Army Pacific and the U.S. Army Europe and Africa TIADs will be focused on their respective regions, Army Cyber’s will be trans-regional.

“While the two geographic TIADs are going to be focused as they should down and in within their respective theaters, the trans-regional focus of the ARCYBER TIAD is going to be threat focused. Specifically, we’re going to be focused on those priority adversary threats as they’re articulated in the national defense strategy,” Aaron Pearce, director of the TIAD at Army Cyber, said at the annual AUSA conference. “We’re going to look at those trans-regionally — so not just how is a threat impacting the Pacific, but how is that same actor acting halfway across the world or multiple places in the globe at the same time to have the effects that they want to achieve their military objectives?”

Pearce explained that Army Cyber is well-prepared for this mission given the unique authorities it possess for cyber and information, along with its over 10-year history conducting operations as part of U.S. Cyber Command for the joint force.

Through those ops and support, Army Cyber has had to coordinate and deconflict with service component commanders, geographic combatant commanders, multiple interagency partners and multinational partners.

“Not only do you have to do all of that coordination, but the authority structure in cyberspace operations is very fractured. No one commander has all of the authorities needed to do cyberspace operations, plus an influence operation, plus a physical maneuver, combined with all of those things to achieve an effect on the battlefield,” he said. “We have to work together and use a complicated, fused authority structure to do those cyberspace operations and we’re going to have to do the same thing in information. We think we’re incredibly well-postured as ARCYBER to work through this as part of the campaign of learning to figure out how much of this can we actually do.”

These organizations will be present in the day-to-day competition with adversaries, providing commanders opportunities to create information effects while protecting against opponents’ information warfare effects. Then, if scenarios escalate, they can serve as a springboard to help plan and conduct operations or effects for commanders with their own resident capabilities, or attach specialized units such as Army Cyber’s expeditionary cyber teams, which are scalable formations that are designed to augment units upon request with the ability to maneuver with forces and provide offensive cyber capabilities, EW and information advantage functions.

All of those capabilities provides a toolset that a commander can use to understand what they’re facing in the information sphere and develop effects to blunt them or enable information objectives as part of a larger scheme of maneuver.

Last year, the Army enshrined information advantage as official doctrine, meaning all commanders must take its tenets — enable, protect, inform, influence and attack — into consideration. The next step, officials believe, is making information a part of maneuver, much like the Marine Corps has done.

“The pace of information effects and technologies is increasing, and we need to stop thinking in terms of using information as we fight, using it for targeting, using it for planning,” Pearce said. “Information has to be a component of the commander’s scheme of maneuver and scheme of fires. And that’s what the Army’s information advantage transformation construct and doctrine really tells them.”

The TIADs can help commanders in this area by identifying malign influence threats targeting Army forces and then potentially using offensive operations to blunt them. Or, in a purely offensive manner, Pearce said the TIAD could help a commander implement a reveal-and-conceal plan for their capabilities, with the intent of throwing the adversary off balance in terms of decision-making and possibly delay a decision by an adversary to use military force.

As the TIADs are still coming online — with Army Pacific’s being the first to activate in October 2025 followed by Army Cyber — the service is continuing to experiment and learn how they’ll be employed. One example is how to work with the other service cyber components within Cybercom to leverage their authorities to conduct offensive cyber operations, considering certain services are responsible for planning and conducting cyber ops on behalf of certain assigned combatant commands (for example, Army Cyber Command conducts cyber operations on behalf of Central Command and Africa Command).

“I think this is one of the areas where the TIAD will become an advantage. What my observation has been … it is very difficult to then work your way into the battle rhythm with the CoCom, especially where some of those authorities lie. If you’re thinking about information authorities, unless they’re delegated down to the Army element, you’re asking for permission and you’re pushing that CONOP there. If you’re looking for cyber authorities, it’s going up to Cyber Command, but the timing in tempo is at the choice of a geographic commander,” Lt. Gen. Maria Barrett, commander of Army Cyber, said. “What I think the TIAD is going to enable us to do, though, is really help with integrating those type of effects and work that communication. And this still is from an experimentation standpoint.”

The after-action reports from experimentation indicated each commander of their geographic region wanted to employ TIADs and their capabilities slightly differently, such as through a theaters fires element or another staff section. This was also apparent when the Army established the Multi-Domain Task Forces in the Pacific and Europe, where each commander chose how to wield them specifically.

“I think we’re just going to have to let some of this play out,” Barrett said. “It’s not only going to be there from the joint standpoint. I think there’s also a great opportunity here to really understand and work with partners in this space. Because I’m going to tell you, partners know more about their information environment than we do. It may be that we’re bringing in some capabilities that maybe they don’t have and we can tell things and then come up with something that is effective for them.”

The post Army Cyber’s new unit focused on information threats to commanders, troops across the globe appeared first on DefenseScoop.

With new forces and organizations beginning to take shape, the service is determining how it can apply military power across the spectrum of hostilities.

“The information dimension is a place [where] we are in a persistent conflict right now … It is going to be crucially important to us — how do we think through how to apply military power across the spectrum of conflict?” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said during a presentation at an Association of the United States Army event on Tuesday. “We might reserve this discussion to, oh it’s just to conflict or just to crisis. But in fact, the competition space, this is where it’s happening now. If you think you’re going to deliver options to a commander, insights to a commander about the information dimension and you are not looking at it in the competition phase, whatever you are delivering in crisis and conflict probably will fall short. You need to be prepared to be operating across that spectrum.”

One reason it’s important to stay engaged is that the barrier to entry is very low in the information space, Barrett noted. Technologies and mediums such as social media make it easy for unsophisticated actors or tactics to have an impact. However, those tactics can be enhanced by ever-advancing capabilities that are becoming more prevalent.

“What happens when you have a very capable adversary that can make the investment in artificial intelligence, and what does that then do to the information dimension?” she said. “I think these are serious considerations for all of us and the fact that this particular dimension, again, activities will happen across the spectrum of conflict, below the threshold of war, it’s important for us to consider what is our role.”

Officials across the U.S. military, not just the Army, have been talking about the need to be present in this competition phase, short of armed conflict, for a few years. While the Pentagon has historically taken a binary approach of war or peace, adversaries have seen conflict as a fluid continuum. In recent years, they have sought to exploit the information space to achieve their objectives without using traditional military capabilities.

Officials said some of this isn’t all that unfamiliar and it boils down to being able to map the environment with commercially available information ahead of time while keeping in place protections for U.S. persons.

“Commercially available information, publicly available information — those are areas where you can start to get a sense of what the information environment looks like, how the adversary uses it, what kind of tools they use. It’s actually something that you can start to map,” Barrett told reporters following the event. “Something that is actually in our wheelhouse to do is mapping networks. I do think this is something that will come easier to us in terms of mapping data.”

This includes being able to understand target audiences, what languages they speak, how they communicate, what social media platforms they use, and whether they’re pro or anti-U.S. or they support or oppose certain actors or other nations.

Officials also explained that if forces want to put a concept or an operation forward for approval, the work needs to be done on the front end to be able to determine how it will be carried out based on the intelligence and what’s known.

“If you go to a geographic combatant commander and say, ‘I want to conduct information operations,’ you’ll walk right back out of the headquarters having achieved nothing,” Maj. Gen. Paul Stanton, commander of the Cyber Center of Excellence, said at the AUSA event. “In contrast, if you’ve done your planning, you’ve done your homework and you walk in and say, ‘Here is the very specific objective that I am attempting to achieve, this is how it nests into my campaign plan that supports your campaign plan as the geographic combatant commander,’ that’s a fundamentally different conversation.”

New forces

The planning and expertise to be able to enable these operations comes from the Army’s Theater Information Advantage Detachments, 65-person teams focused on synchronizing information capabilities at the theater level.

The Army recently approved the force structure for three such organizations: one in the Pacific, one in Europe and a transregional one with Army Cyber Command.

Officials explained they will be doing the day-to-day business of setting the conditions and informing commanders of the information environment.

“This is all for the purpose of enabling commanders to visualize and decide and again synchronize these effects that they could have in this dimension much better than they can today,” Barrett said.

Those TIADs will be taking what might be abstract to something concrete.

“The TIAD has to do all detailed planning, they have to do the data collection, they have to get the approvals in order to execute mission, and then they have to do the appropriate assessment of effectiveness after the fact,” Stanton told reporters.

He noted that while not there yet, the detachments are likely headed towards collaborating more with international partners in their regions to share information on potential threats.

One of the main reasons this type of formation must exist at the theater Army level, is because that’s where many of the authorities exist and coordination between other nations’ militaries and diplomatic officials occurs at the theater level.

“We need to develop the right very detailed plan and walk that forward through the interagency and other governmental organizations for the right approval to say, ‘OK, in this particular case, based off of the specifics that you described, we should establish an information-sharing agreement with the host nation because of dependencies on the execution of our mission on their operating environment.’ I absolutely believe that there’s space for that conversation [but] we’re not doing it currently,” Stanton said.

The post To be ready for conflict, Army leader urges focus on information space in ‘competition’ appeared first on DefenseScoop.

That role was previously undertaken by the Air Force, but under the congressionally mandated change, those 350 or so Air Force civilians will now be Army civilians working on behalf of Cybercom.

All combatant commands require a combatant command support agent since they are joint organizations that encompass rotating uniformed staff from all services. These entities are responsible for administrative and logistical support of the headquarters and any subordinate unified commands, which includes professional, technical, administrative, logistical and/or base operating support that is performed in or provided directly to the headquarters of a combatant command to perform the headquarters assigned mission effectively, according to Department of Defense Directive 5100.03.

For example, the Army is also the support agent for European Command.

Officials noted that the primary footprint for Cybercom is at Fort Meade, an Army installation, and not everything will change.

“Think of the transfer like this: It’s like your phone service switched from Verizon to AT&T, but your number stayed the same. At the end of the day, you still work for U.S. CYBERCOM, only now you’re affiliated with the best Army in the world,” Jeffrey Jones, deputy to the commanding general at Army Cyber Command, said in a statement.

A Cybercom spokesperson noted that the civilian employees changing services will maintain their current positions and pay grades, but the Army will now assume responsibility of their administration for Cybercom to include things such as time off, identification cards or polygraphs, to name a few.

In his posture statement to Congress in April, Cybercom commander Gen. Timothy Haugh said the Army’s “military and civilian leaders have been superb in managing this transition and making sure our civilians experience this as a seamless and transparent process.”

The post Army assumes support agent role for US Cyber Command appeared first on DefenseScoop.

That October 2023 EO, among many tasks, directed the secretary of defense to develop plans for, conduct and complete an operational pilot to “identify, develop, test, evaluate and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.”

U.S. Cyber Command is leading that effort on behalf of the DOD and, in working with Army Cyber Command, designated its Panoptic Junction tool to fulfill that directive, officials from both organizations said.

PJ, as the tool is referred to, was initially developed in response to Army Cyber Command leader Lt. Gen. Maria Barrett’s early 2023 guidance to reduce complexity for the workforce, find ways to automate away tasks that are hard to get right and do that at scale, according to an Army Cyber Command spokesperson.

The command assembled a “tiger team” of cyberspace operations, artificial intelligence and machine learning experts from across the Army to analyze how to do that across the sprawling cyber mission space. That team eventually determined that automating key parts of the continuous monitoring process to enable detection of “living off the land” — a tactic where an actor uses legitimate tools organic to the systems for malicious purposes — would help the most while enabling the authorizers, system owners and cybersecurity service providers to have a continuously updated, common view of any given system’s current level of vulnerability, according to the spokesperson.

The effort was a partnership between the Army Cyber Command Technology and Innovation Center Lab, industry and Cybercom.

Upon evaluating PJ, Cybercom determined it would be a good fit for its response to Biden’s executive order.

“We leveraged our limited acquisition and laboratories and teamed up with an industry partner to develop a prototype,” Barrett said May 15 during the distinguished visitors day at Cyber Yankee 24, a National Guard exercise. “Our industry partner was able to develop this prototype for a very reasonable amount because they are using off-the-shelf AI systems … The key part of that last statement is this then means that future opportunities for industry partners to build and share critical analytics can be rapidly deployed.”

Booz Allen Hamilton is responsible for building the tool, according to Army Cyber Command, while the C5ISR Center is the “tool champion” and recipient.

According to Army Cyber Command — which stressed Cybercom is leading the overall project for the executive order and it will work through them on this effort — PJ is a prototype platform that, once productized, will revolutionize security monitoring of IT systems.

PJ’s primary goal is to enhance the detection of anomalous and malicious cyber activity — including living off the land — through scalable and continuous monitoring. It is seen as a significant step towards more effective digital security.

Living-off-the-land techniques have come into sharp focus with the May 2023 disclosure of a Chinese actor called Volt Typhoon. That threat has been found to have penetrated U.S. critical infrastructure systems at an unprecedented scale — over a year later, the government is still finding remnants — signaling a paradigm shift in China’s cyber actions.

While typically focused on espionage and intellectual property theft, Volt Typhoon has shifted the dynamic by now targeting critical infrastructure for the purpose of disrupting these services at the time and place of its choosing.

“Open-source reporting talks about this actor out of China who has access to our critical infrastructure and some of our key capabilities. Why? Not just for foreign intelligence collection, but to be able to do a couple of things: to foment terror within societal panic; to be able to deny our capability, our ability to surge or maneuver or fight in the time and place of our choosing; but also to gain a military advantage for China,” Maj. Gen. Lorna Mahlock, commander of the Cyber National Mission Force, Cybercom’s elite sub-unified command tasked with defending the nation from significant digital threats, said in April.

Several officials across the U.S. government have noted that there is no valid intelligence reason to be lurking in critical infrastructure systems such as water or power.

The PJ effort was started before Volt Typhoon was disclosed and living-off-the-land activities were not its original purpose. However, the working group adjusted PJ’s focus to include these techniques, shifting its test and assessment criteria to focus on Volt Typhoon-like behaviors in one of the two critical assessment scenarios, the Army Cyber Command spokesperson said.

The tool uses AI-driven, programmatic access to Enterprise Mission Assurance Support Service (EMASS), the platform for authorizing IT systems, and threat intelligence to identify what risks most apply to a specific enclave’s architecture. It delivers those priorities to a second set of AI-driven functions to conduct event log analysis and identify anomalies or malicious activity, the spokesperson said. PJ is novel in that it uses artificial intelligence to link EMASS with continuous cybersecurity monitoring tools.

“The Army requires the ability to continuously monitor ever-increasing numbers of IT systems to enable faster detection of malicious activity, rapid response, and comprehensive Vuln Management while reducing complexity for people,” they added.

Multiple assessment iterations kicked off in April and a final prototype is expected to be delivered in July.

The post DOD using Army tool to fulfill directive under AI executive order appeared first on DefenseScoop.

“If we were to go back to 10 years when we started this, there were a lot of challenges working through what to do in this space. You have eliminated the gaps where law or policy or public private partnerships have stretched,” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said May 15 during the distinguished visitors day at Cyber Yankee 24, which ran from May 6-17 at Joint Base Cape Cod.

Cyber Yankee, now in its 10^th year, is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side by side with the private sector, utilities and other entities to protect critical infrastructure — which include operational technology and industrial control systems — in a simulated attack.

Barrett noted that the exercises year after year have incrementally worked to take down barriers, further partnerships, and illuminate ideas, gaps and areas to change policies.

“Among the things that keep me awake at night is the resilience of our critical infrastructure, and particularly operational technology and industrial control systems, both on military installations and in the homeland,” Barrett said.

The Guard is a critical resource for states and localities as the first responders to cyber incidents that affect critical infrastructure, which are becoming more rampant from attacks on pipelines and water systems.

“We have to be ready and our governors when the bad day happens, the first response local, and it’s going to be state and the governors are going to say, ‘What do I have? What resources do I have here in the state before the federal government gets here? What can we do now?’” Lt. Col. Tim Hunt of the Massachusetts National Guard and Cyber Yankee exercise director, told visitors. “One of those resources is the National Guard, so we have to be ready for this. That’s why Cyber Yankee [is important] and that’s why we’re here.”

The event simulated cyberattacks stemming from an unknown actor against critical infrastructure across all of the New England states, with the governors mobilizing the Guard to respond.

The goal is to build relationships with utility companies so that in the event of a real-world incident, there is trust among responders as the Guard will have to operate inside utility networks. These exercises lay the groundwork for the utilities to understand what the Guard can do and vice versa, helping illustrate that Guard members aren’t trying to go places within the network where they’re not supposed to be.

While the exercise had five fake utility companies, members of real utility companies served as role players of the CIOs at the fictional companies.

The exercise is of interest to the active duty component and Army Cyber Command given that it runs the largest portion of DOD’s network.

Army Cyber Command is also responsible for cyber operations within the Northern Command area of responsibility, which includes the U.S. homeland.

Of particular interest now is the Chinese actor Volt Typhoon, which was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly scared officials regarding Volt Typhoon is the paradigm shift of Chinese actors moving from espionage and intellectual property theft to holding critical infrastructure at risk.

“I would be remiss if I didn’t mention the biggest thing to hit the cybersecurity landscape since you all gathered for Cyber Yankee a year ago, and that is what we are seeing happening [with] Volt Typhoon,” Barrett said.

“What got everyone’s attention is the seeming paradigm shift from cyber exploitation and traditional military targets or industry targets for foreign intelligence or espionage … to a new set of targets — aviation, water, energy, transportation. In other words, our critical infrastructure,” she added, noting that this actor will just sit and lurk with the purpose of disrupting these services at the time and place of its choosing.

In fact, there was a simulated actor within the exercise to replicate, as close as possible, Volt Typhoon.

At its initial instantiation, U.S. Cyber Command and its subordinate units, such as Army Cyber Command, were focused on Internet Protocol-based networks. However, Army Cyber Command in particular in recent years has worked to get more into the operational technology and ICS space.

Events like Yankee Cyber “inform what we’re doing at Army Cyber … [and] the mission that consumes easily 80% of my time, resources and people is operating and defending the Army’s portion of the DOD Information Network. The Army’s network is 1.2 million people spread across 288 posts, camps and stations. It is the DOD’s biggest network if you count both on premises and cloud,” Barrett said. “We are converging these networks, not just to get efficiencies … but really to substantially improve our resilience against an advanced persistent threat like Volt Typhoon.”

Army Cyber Command also must set the theater for the combatant commands it supports, meaning it must enable them to transition swiftly from crisis to conflict should deterrence fail.

Army Cyber Command has additionally placed a greater emphasis on hunting methodology in order to identify living-off-the-land techniques. Barrett noted that recently, following Russian cyber events, it had two of its high-end defensively oriented cyber protection teams focused on industrial control systems.

More broadly, the command’s cyber protection brigade is working more closely others to defend hydroelectric power plants and supply depots, with specializing training to defend industrial control systems.

This work is building toward the recent decision that Army Cyber Command is the organization in charge of the Army’s operational technology. Officials are in the process of providing how it will do that to senior leadership.

“This will enable us to move from the episodic CPT engagements on critical infrastructure to something that is more enduring, [with] continuous monitoring that is absolutely necessary in order [stay ahead of] a persistent threat,” Barrett said.

She noted that when U.S. Cyber Command was first created, it was focused primarily on nation-state threats. However, digital threats are much more pervasive now with both nation-state and independent actors executing ransomware attacks.

State Partnership Program

This was the first year in which international partners participated in Cyber Yankee.

The State Partnership Program was started at the conclusion of the Cold War and pairs state National Guard units with other nations’ militaries.

Cyber Yankee 24 saw participation from the Bahamas, Cyprus, El Salvador, Israel, Japan, Kenya, Latvia, Montenegro, Paraguay and Uruguay.  

Additionally, outside of the New England states, members from the Michigan, New Jersey and Maryland Guard units participated. This was also the first year that members of the Space Force joined in the event.

“We think that’s really great because when we go on engagements in these countries and we’re talking about cyber, some of the things that they’re most interested in is the United States, what we call whole of government. And really with this it’s expanded to kind of whole nation because we’re doing public and private,” Hunt said during a media engagement May 8. “They’re really interested in that how we worked with the military, with the Department of Homeland Security, with our private industry, how we work together in this industry, or in this field of cyber. That’s something that our foreign partners are really interested in learning about. And … we’re really interested in learning about how do they do things in their country or what has been their experience — because learning from each other is really the key of the State Partnership Program.”

The program was lauded for the role it played in helping Ukrainians counter Russia’s invasion of their country, based on the support and training that troops had received. The benefit, officials have said, is that relationships and trust are built and maintained long before crisis or conflict occurs.

“It all starts with … Lt. Smith and a lieutenant from Kenya or whatever country meeting each other in person, breaking bread together, training together and just getting to know each other,” Hunt said. “In 10 years, when those two officers are now majors or lieutenant colonels, they know each other, they have a relationship and they have trust.”

He noted that cyber knows no bounds and what happens overseas will likely affect the continental U.S. and vice versa. Working together and learning from each other is mutually beneficial and makes each partner stronger.

The post Army Cyber Command taking key lessons on critical infrastructure defense at National Guard exercise appeared first on DefenseScoop.