Army training centers incorporating cyberthreats into exercises at brigade level
GRAFENWÖHR, Germany— The 2nd Cavalry Regiment has faced a litany of simulated threats during a massive force-on-force exercise here, from tanks to assault helicopters and even drones.
A more insidious threat popped into the unit’s email inboxes.
Soldiers with U.S. Army Europe’s 5th Signal Command sent a mock phishing scam to staff in the regiment’s tactical operations center, an effort to simulate the injection of a piece of malware onto a network that, under the training scenario, was neck-deep in operations.
“It was created to look like someone that they know,” said Chief Warrant Officer 2 Daniel Crandall, who ran the scenario for 5th Signal. “And it was telling them they must click this link to take care of a financial affair — basically, you click this, you get money.”
Though it may sound simple, the exercise marks a relatively new aspect of Army training. Following militarywide emphasis on cyber as a domain, Army training centers are steadily incorporating cyberthreats into exercises at the brigade level and above, even pairing cyber opposition forces with counterparts on land.
The exercise in Germany is part of the Army’s new Decisive Action Training Environment recently run across the Army’s major training centers, including Fort Irwin, Calif., and Fort Polk, La. Each version incorporates a cyber aspect.
“What you will see over time evolving is cyberspace becoming more mainstream in all our training avenues across the Army,” said Patrick Manners, a development director for Army Cyber Command.
The focus of current training is threefold: Protecting sensitive networks, responding to an attack and working without network abilities.
Some of those skills have been stressed before. The concept of “information assurance,” or the ability to keep a network clean from sloppy habits such as unauthorized devices, has been a major Army talking-point in recent years.
Yet it remains a challenge in practice, even under good intentions, experts say. A flash drive or CD discovered on an enemy, for example, could be an intelligence trove — or a vector for crippling a network.
“It is possible to introduce threats, even to a network that is isolated, through introducing media, through taking advantage of a soldier’s curiosity,” explained Christopher Cox, deputy signals director at the National Training Center at Fort Irwin.
Trainers are also looking for the proper response once a threat is identified. In particular, they want to break command habits of treating network malfunctions as a technical issue alone. Army doctrine now calls for the intelligence, operations and signal staff officers to collaborate when issues arise.
“All too often, the tendency was to say, ‘IT guys, fix this problem,’ without engaging the other element,” Cox said.
Bringing in intelligence and operations emphasizes that cyber is a domain like any other — air, sea, land, space — said Manners, and must be treated that way.
Finally, trainers and commanders say they want soldiers to know how to survive if a cyberattack compromises their network. With applications such as GPS, communications and coordinated fire all heavily dependent on technology, the stakes of any loss are high.
“What happens when they have no network?” said Brig. Gen. Bruce Crawford, 5th Signal commander. “How do they react? How do they react if I shut down the entire network in the TOC? There’s no digital maps, there’s no GPS, there’s no nothing. What do you do?”
Last summer, Army Cyber Command created a cyber opposition force battalion to test such questions. The 2nd Battalion, 1st Information Operations Command became operational in March, when it participated in its first rotation at the national training center, according to its commander, Lt. Col. Donald Bray.
That battalion is also in its first rotation at Fort Polk, and it plans to coordinate with Army trainers in Germany for a training rotation next year, Bray said. The battalion works with the regular opposition force at a training center, trying to accomplish their goals in a cyber domain, Bray said.
“We’re really there to emulate what cyberwarfare would look like to the training unit,” said Bray.
Like most interviewed for this story, Bray declined to disclose specific threats being tested or avenues of training. Information assurance is part of it, he said, but some cyber injects are more aggressive. Most important is learning the architecture and gaps within the network, he said. “You have to understand the baseline of your network first and your operating environment.”
In Europe, Crawford has led the development of a training model for the theater’s units over the past year. One aim is to move away from what he describes as a kind of inspect-report-fix model of compliance and instead force units to understand their end of the network enough to self-monitor progress toward standards, self-diagnose their shortfalls and then make their own fixes, Crawford said.
“I want to enable the unit to fix itself,” he said.
The 2nd Cav training rotation offers the first real test of that model. Trainers know what they’re looking for, said Maj. James Snyder, chief of intelligence and security at the Joint Multinational Simulation Center, which is part of the training command working with 5th Signal on the effort.
“What we really hope to see is the increased awareness for threats that are out there, and everyone from user up through operations center understanding what their roles are for recognizing it, responding to it, restoring normal operations and then how they report it,” Snyder said.
U.S. Army Europe commander Lt. Gen. Mark Hertling lauded the progress of the new model in the run-up to the exercise.
“Although our current initiative is still in its infancy, my sense is we are nesting closely with evolving joint and service cyber training doctrine,” Hertling wrote in an email.
Such training models lay a foundation for future cyber operations, said Manners, the Army Cyber Command development director. He imagines a kind of warfare where even tactical commands need to penetrate foreign networks to achieve their missions.
“We would envision our brigades being the first echelons moving into an area, and they’re going to have to figure out how to get into that space,” Manners said. “They’re going to have to get the means to get access.”
Compared with that vision, Crandall’s recent phishing simulation against the 2nd Cav may sound provincial. Not so, say Manners and others. Phishing scams can deliver malware to sensitive networks, and they can deliver sensitive information to the enemy.
In Crandall’s case, the exercise only delivered a message. After several soldiers clicked on the link unaware of its maliciousness, command staff went into action, disconnecting computers and huddling together to plan the next step.
“That was a great win for us,” Crandall said. “So many times, it stops in front of the signal guy.”