Training Cyberspace Maneuver
The principle of maneuver in military operations has dominated strategic military thinking for over two thousand years. Foundational to the understanding of maneuver theory is the concept of warfighting domains, the fundamental environments in which military forces engage in warfare. As the development of ships heralded the introduction of the ocean as a warfighting domain, maneuver theory evolved to incorporate the employment of naval forces. Likewise, the development of aviation necessitated the inclusion of the atmosphere as a warfighting domain and brought about the consideration of aerial assets into maneuver thinking. Space followed, presenting a highly technical domain to be considered within the context of military operations. Maneuver theory has now evolved to consider the first man-and-machine-made domain, in which cyberspace, as an artificial information domain, overlaps, intersects, and engages with the four other warfighting domains. The unique nature of the cyberspace warfighting domain presents a host of distinct challenges and considerations to maneuver thinking, requiring a change to the approach of training maneuver warfare principles for military cyberspace leaders.
The Cyberspace Domain
The term cyberspace describes the globally interconnected system of computer networks and devices that utilize electronics and the electromagnetic spectrum to store, transmit, and modify data across networked systems.1 A more specific military definition of cyberspace describes an asymmetric domain “in which signals hold at risk intelligent systems.”2 Cyberspace includes the globally spanning network of networks that form the Internet, and also encompasses the physical nodes and infrastructure upon which data transmission occurs. As an artificial warfighting domain, cyberspace is particularly reliant on physical assets present in the other domains to produce effects that impact both the cyberspace domain and the other four warfighting domains.3 Conversely, the ability of friendly forces to achieve freedom of maneuver in other domains is highly dependent on capabilities reliant on the cyberspace domain, considered the “sinew of maneuver across all domains.”4
The United States military categorizes three layers to the cyberspace domain: physical, logical network, and cyber-persona.5 The physical layer encompasses the network nodes, transmission infrastructure, and other attached devices that reside in physical locations across the other four warfighting domains. In this context, cyberspace extends to include a user’s laptop at a cafe, commercial satellites providing GPS services, airborne military command-and-control systems, and undersea transmission cables. The logical network layer of cyberspace contains the information transmission architecture that is logically abstracted from the physical infrastructure. This layer describes the relationship between the point of access to a web-based service and the actual location of the service itself, such as a Web-facing server hosting data located at multiple server facilities. Lastly, the cyber-persona layer represents an additional layer of abstraction upon the logical layer, using the rules of the logical network layer to describe the digital manifestation of a single entity in cyberspace. A single cyber-persona may, in this way, represent an individual, a corporation, or a series of individuals.6 Likewise, one physical individual or entity may have more than one cyber-persona associated with them.7 The inherent complexity of many-to-many relationships related to the concept of cyber-personas, as well as the abstraction of physical cyberspace components from their logical representations, produces a complicated and globally-reaching technical domain in which attribution, situational awareness, and freedom of maneuver are very difficult to obtain.
The defining characteristics of the cyberspace domain introduce a series of distinct considerations for applying traditional warfare thinking to cyberspace operations. Cyberspace actions occur at machine speed, often over enormous physical distances, and can happen in parallel against a series of targets from many different attackers.8 Operations in cyberspace depend heavily upon technical capabilities in a rapidly evolving and changing sector of technology, and are often impossible to attribute to specific entities even after an operation has been discovered and defended against.9 Targets of cyberspace operations can range from a single workstation to thousands of servers storing data on millions of citizens. A single actor can wield a disproportionate amount of influence in cyberspace by leveraging an undiscovered technological vulnerability against a corporation or nation-state.10 Considered together, the unique aspects of the cyberspace domain create a fundamentally different battlespace, and one that necessitates the consideration of a distinct branch of maneuver theory.
Traditional maneuver warfare involves the movement of military forces and application of supporting fires to provide a tactical military advantage in a warfighting situation.11 With the lack of physical forces maneuvering in a kinetic sense, maneuver warfare in the context of cyberspace is better defined as the application of military forces to a specific point of attack or defense.12 Military forces, in this context, includes the software, operators, and hardware utilized in an offensive or defensive cyberspace operation. However, the concept of supporting fire from non-proximate elements and the actual movement of forces do not accurately describe the maneuver action of cyberspace operations. Rather than maneuver forces to achieve a position of advantage, it is normally the environment itself that is manipulated in cyberspace operations.13 The addition of a series of firewalls on a network as a part of a defensive cyber operation, for instance, dramatically alters the logical “terrain map” of that system, and would require an attacker to conduct additional offensive actions to maneuver through the target network. Whereas traditional maneuver warfare is more akin to playing chess, in which pieces are maneuvered around a set piece of terrain, cyberspace maneuver is better analogized by the Chinese game of Go, where the act of placing pieces shapes the terrain of the playing area. This line of thinking has spawned categorical divisions of cyberspace terrain into “blue space” belonging to friendly forces, “red space” belonging to hostile forces, or “grey space” belonging to neither side.14
Cyberspace maneuver actions can generally be classified as either offensive cyberspace actions or defensive cyberspace actions. Offensive cyberspace maneuver actions are intended to achieve denial, degradation, disruption, destruction, or manipulation of a target through the employment of cyberspace capabilities.15 These offensive effects produced through cyberspace maneuver activities are generally categorized as exploitative, positioning, or influencing actions.16 While kinetic maneuver actions may be intended to produce similar effects in the offense, the manner by which these effects are produced in cyberspace does not always have a direct analog in traditional maneuver theory.17 For example, comparing distributed denial-of-service attacks to aerial bombardment, while similar in resultant effect, is a problematic analogy for understanding the method of producing a denial of service condition from a distributed-point source.18
Defensive cyberspace actions, which resemble traditional maneuver actions to a slightly greater degree, describe maneuvers that protect, secure, rebuild and recover, or survey friendly networks. These end state effects are accomplished through operations generally categorized as perimeter defense, deceptive defense, or moving target defense actions.19 Moving target defense is arguably the single form of cyberspace maneuver that bears the least similarity to traditional maneuver actions, producing rapid changes to the environment enabled by highly technical means.20 Moreover, unlike conventional defensive maneuver, cyberspace maneuver is forced to contend with point-source-progressive attacks that are self-replicating and capable of continuing an offensive without human intervention.21
Just as the forms of offensive and defensive maneuver in cyberspace differ from their kinetic counterparts, the process of targeting in cyberspace is also dissimilar to targeting in the other domains. In traditional maneuver warfare, targets consist of enemy personnel, facilities, equipment, and organizations. Cyberspace targets, however, consist primarily of virtual targets, representing entities that exist in the cyberspace domain and must be targeted in a manner that accounts for the characteristics of the domain itself.22 Cyberspace targeting has the distinct advantage of being able to extend much further back into an adversary’s kill chain than targeting by traditional kinetic assets.23 Rather than targeting an enemy system after it has been employed, cyberspace targeting can impact the construction, development, and even research of combat systems, denying or subverting their eventual usage.24
The manner in which military forces attack and defend in the cyberspace domain is a reflection of the evolution of maneuver theory to account for the artificial, globally-reaching fifth warfighting domain. In this domain, destroying a server farm may not produce an equivalent impact on an adversary as manipulating or degrading the actual data stored on that server. Power projection platforms and weapon systems are no longer strictly physical assets, and the value of offensive capabilities must be balanced against the considerations of customer protection and responsible disclosure.25 Cyberspace effects are far-reaching, and capabilities employed by a single rogue actor have the potential to disable critical functions on a nation-state scale. As the military continually seeks to adapt its approach to maneuvering intelligently in the cyberspace domain, it must also do the same with its practice of training cyberspace maneuver leaders.
Training Maneuver in Cyberspace
The refrain of the cyber arms race thus far has been a repeated echo for the need for technically capable leaders in the cyberspace domain, both in the private sector and in uniformed service. The 2018 Cyber Security Ventures job report predicts a shortage of over 3.5 million cybersecurity professionals in the global workforce by 2021, with nearly 300,000 unfilled positions in the United States of as 2018.26 This critical talent shortfall magnifies the military’s daunting challenge of recruiting and retaining technical personnel in the cyberspace domain, resulting in Cyber forces being deployed while undermanned and under-equipped.27 Currently unable to match private-sector salaries for cybersecurity experts and unwilling to change recruitment standards for physical fitness, criminal history, and illegal substance usage, the Army continues to explore alternative means of meeting recruitment goals.28 However, the Army’s production of cyberspace personnel is bottlenecked not only by the ability to recruit them, but also by the capability to properly train them.
Currently, the Army’s approach to training officers in cyberspace maneuver has been to assess personnel with technical backgrounds from traditional commissioning sources into the Cyber branch.29 After commissioning, Cyber officers are trained in maneuver warfare principles common to every branch, then given additional technical training in cybersecurity-related disciplines through certification programs and technical modules.30 Currently, the majority of the Army’s Cyber Basic Officer Leader Course is dedicated to the task of ensuring that non-technical personnel have acquired the requisite baseline technical knowledge for competence in the branch. Rather than significantly lengthening initial entry training for all cyber operations officers, personnel without technical backgrounds should be afforded the opportunity to attend a pre-BOLC course designed to provide a baseline of technical skill.31 Likewise, personnel with technically distinct skill sets suitable for serving in highly specialized technical roles should be identified earlier in the accessions process and trained accordingly.32
The consequence of taking a “one size fits all” approach to cyberspace operations training is that the task of developing skill in applying technical knowledge to maneuver within the cyberspace domain is largely left unaddressed. There is a fundamental difference between maneuvering in the cyberspace domain and maneuvering in the other four domains.33 Just as training in one does not provide competency in the other, merely possessing an advanced technical degree does not provide the requisite training in the principles of cyberspace operations.34 This plug-and-play strategy of taking personnel with technical degrees, training them in maneuver theory, then expecting them to independently bridge the gap between traditional maneuver and cyberspace maneuver is ill-suited to developing intelligent cyberspace maneuver leaders.35 The Cyber Mission Force requires leaders who are trained on maneuvering in and through cyberspace, capable of directing employment of technical capabilities to produce desired effects in support of the commander’s objectives. The critical unaddressed need here is not just for technical leaders, but for technical maneuverists, as “maneuver competence is a key factor that contributes to the culture of the Cyber branch.”36 The Army Cyber community must look to shift its training focus from ensuring a consistent baseline of individual technical competency to training Cyber leaders in maneuver competence and operational tactics.
An additional drawback to the Army’s current approach to training Cyber personnel is the excessive length of the training pipeline for both officers and enlisted Soldiers. Enlisted personnel complete ten weeks of Basic Combat Training, 25 weeks of the Joint Cyber Analyst Course at Corry Station, FL, then an additional 20 weeks of Advanced Individual Training at Fort Gordon, GA for a total pipeline length of 55 weeks.37 The Cyber training pipeline for officers, as previously discussed, is currently 39 weeks in length.38 Both of these training programs require a fully adjudicated Top Secret clearance in order to complete final training requirements, resulting in a large percentage of personnel remaining in a holdover status for significantly longer than the programmed course length.
The current problem does not require a revolutionary change to the accessions and training process or a radically different approach to recruiting qualified personnel. The Army has already established an accessions pipeline for identifying future Cyber officers through USMA’s Cyber Leader Development Program and NSA’s Centers of Academic Excellence in Cybersecurity Program.39 The obstacle of properly training and developing successful leaders amidst a high-tempo operating environment to meet high levels of demand is not dissimilar to the challenge faced by the nascent Special Forces branch during the 1970’s and 1980’s.40 A heightened degree of autonomy over institutional training associated with having an established command in USSOCOM, allowed for Special Forces to maintain an agile, relevant, and challenging training pipeline for their operators. An Army-commissioned study by RAND found that USCYBERCOM “needs a joint organizational center to foster a genuine institutional and organizational community. A home of this kind will help promote doctrine, standardized training, and the institutionalization of processes and training,” much in the same way that USSOCOM functions with its subordinate service componentents.41 With its elevation to a full combatant command, USCYBERCOM ought to be given similar authority over the Cyber workforce training pipeline.42
Providing a heightened degree of authority over training and organization would allow for greater integration between the operational force and the training units, placing greater emphasis on the operational aspect of domain knowledge. This would also allow for greater flexibility in determining completion requirements for entry-level training, accounting for academic background and professional experience, potentially shortening the amount of time required to produce fully-trained personnel. In addition to increasing the throughput of trained cyberspace professionals to the operational force, a more individualized approach to pipeline training more efficiently capitalizes on talent management, identified by senior Army leaders as being a critical component of building a more effective Cyber workforce. “Cyber poses an existential threat to our existence. They’ve got to get [talent management] right.” said Michael Colarusso, a senior research analyst with the Army’s Office of Economic and Manpower Analysis.43 A more streamlined production of Army Cyber leaders who possess operational skill, in addition to technical expertise, will increase the effectiveness and lethality of Cyber formations conducting both offensive and defensive missions worldwide.
Analysis and Conclusions
As the nature of conflict in the cyberspace domain continues to evolve, understanding and applying the principles of maneuver warfare in cyberspace will continue to increase in importance. It is crucial that military leaders continue to recognize the fundamental differences associated with a globally-reaching technological domain that continues to evolve and expand. These unique characteristics contribute to a domain in which the principles of kinetic maneuver theory do not always have direct correlations and are not always applicable in similar ways.
Consequently, the approach to training cyberspace operations leaders must reflect the understanding that principles of cyberspace maneuver do not always parallel traditional maneuver theory. Technical expertise and maneuver competence are equally important for cyberspace operations leaders, and the Cyber Mission Force continues to have a critical need for officers proficient in both. The current model employed by the Army to train its leaders in cyberspace operations should be reexamined to ensure that training efforts are aligned to apply talent management more efficiently across the workforce. USCYBERCOM ought to be given greater authority over institutional training to better account for leaders’ academic backgrounds, and to provide an increased focus on maneuver competence informed by real-world experience.
In an increasingly technologically dependent and interconnected world, hostile actors around the world will continue to leverage the anonymity and asymmetry of cyberspace to challenge the interests of the United States at home and abroad. Therefore, it will continue to remain critically important to properly train and prepare cyberspace leaders to meet these challenges through intelligent maneuver in the cyberspace domain.
- Joint Publication 3-12: Cyberspace Operations, 3
- Dr. Kamal T. Jabbour, “50 Cyber Questions Every Airman Can Answer”
- Sean Brandes, “The Newest Warfighting Domain: Cyberspace”, 90-91
- Nakasone and Lewis, p. 18. “Cyberspace in Multi-Domain Battle”. The authors also classify the network, and its physical nodes, as the power projection platform for forces in the cyberspace domain.
- Joint Publication 3-12, 3-5
- Scott D. Applegate, “The Principle of Maneuver in Cyber Operations”, part of the 2012 International Conference on Cyber Conflict.
- Aaron F. Brantly, “The Decision to Attack: Military and Intelligence Decision Making in Cyberspace”, 79
- Applegate’s work synthesizes seven key aspects of cyberspace maneuver: speed, operational reach, access and control, dynamic evolution, stealth and limited attribution, non-serial and distributed, and rapid concentration.
- Joint Publication 3-0: Joint Operations, 33
- Applegate, 186
- Dr. Kamal Jabbour, “The Science and Technology of Cyber Operations”, 11
- Joint Publication 3-12: Cyberspace Operations, II-3 - 5
- Applegate, 188-191
- Rob Schrier, “Demonstrating Value and Use of Language - Normalizing Cyber as a Warfighting Domain”
- Applegate, 190. The author additionally identifies the counterattack as an additional form of defensive maneuver, which differs in principle from the current organizational model of the US Cyber Mission Forces, designating teams as either defensive or offensive units. The proposition of designating Cyber units agnostic of mission type merits serious future consideration.
- In its most common form, address space randomization, a friendly network’s logical terrain is constantly manipulated in order to complicate enemy ease of access. A current example of this may be one of the greatest pleonasms in the modern Army, Raytheon’s Morphing Network Assets To Restrict Adversarial Reconnaissance, or MORPHINATOR.
- Aaron F. Brantly, “Strategic Cyber Maneuver”
- Joint Publication 3-60: Joint Targeting, I-1 and C-7
- LCDR Don E. Barber et al, “Cyberspace Operations Planning”, pp. 5-6 The authors provide an excellent example for understanding the ability of cyberspace targeting to undermine an adversary’s kill chain by describing the potential targeting of an airfield by subverting a fuel tank with malware.
- Jason Healey, “A Fierce Domain: Conflict in Cyberspace, 1986 to 2012”, 77
- Statistics derived from job report located at: https://cybersecurityventures.com/jobs/
- ADM Michael Rogers, Before the Senate Committee on Armed Services, May 9, 2017
- Jon R. Anderson, “Military Aims to Maintain Its Cyber Mission Force Roster”, GovTech Works, October 9, 2017
- One notable exception to this policy is the direct commissioning program, currently in its pilot phase. In 2017, ARCYBER announced the first program to begin direct commissioning civilians with critically needed cyber-related skills as officers at the grade of O-2. Reference arcyber.army.mil
- Cyber Basic Officer Leader Course curriculum link: http://stayarmyreserve.army.mil/cmo/BranchWebsite/Cyber/CyberSchoolCurricula.pdf
- Maj. David J. Ortiz, USAFR, “Selecting Qualified Airmen for the Cyber Mission Force: The Pitfalls of Hiring Operational ‘Analysts’”, 2016. Maj. Ortiz provides a very insightful summary of his work in identifying enlisted personnel for Cyber work role training, highlighting the correlation between relevant prior experience and success in the training pipeline.
- One such course is the Joint Cyber Analysis Course, currently a 120-day training module included as a part of the 17C MOS pipeline. Link: https://wss.apan.org/1752/Lists/CyberspaceOperationsCatalog
- Applegate, 186
- LTC Justin Considine and CPT Blake Rhoades, “How to Grow a Capable Cyber Officer”
- Information on the 17C Cyber Operations Specialist pipeline referenced from https://www.goarmy.com/reserve/jobs/browse/computers-and-technology/cyber-operations-specialist.html
- Information on the 17A Cyber Operations Officer pipeline referenced from: https://www.goarmy.com/reserve/jobs/browse/computers-and-technology/cyber-operations-officer.html
- More details on the CLDP and CAE programs can be referenced at http://cyber.army.mil/Cyber-Community/CLDP/ and ttps://www.nsa.gov/resources/educators/centers-academic-excellence/
- Christopher Paul et al, “The Other Quiet Professionals”. While the study focuses on the need to radically modernize the acquisition process for cyberspace capabilities, it also addresses the problems associated with institutional training and organizational authorities.
- Ibid., 45