Cyber Workforce Development Trained and Ready Cyber Teams Mr. Michael Hudson J72, Training & Readiness Division Chief U.S. Cyber Command 27 June 2013 Updated 19 Apr

Overview Issues/Challenges USCYBERCOM Missions and Operations UNCLASSIFIED Overview Issues/Challenges USCYBERCOM Missions and Operations Requirements to Operate in Cyberspace Cyberspace Operations J7 Vision/Mission Technical Workforce Challenges Joint Training System Joint Mission Essential Tasks Workforce Management Workforce Framework Training Spectrum Example of Individual Certification Example of Cyber Training Venues Summary Questions Our perspective on requirements for today and tomorrow’s cyberspace workforce is shaped by the joint warfighter’s mission requirements. As the joint warfighter responsible for cyberspace, the mission of USCYBERCOM is to 1.) Operate and Defend, and 2.) Prepare, and 3). when directed, conduct full spectrum MILITARY cyberspace operations. [Describe the 3 Lines of Operations.] Currently, most of the command’s effort is focused on the OPERATE and DEFEND mission, with a small, dedicated effort planning for full-spectrum military operations. We need to build education and training strategies that as agile, capable, multi-tasking, and dynamic as the workforce we are building. Key to this will be creating the right standards, leveraging support from academic institutions in both curriculum delivery and research, and bringing together the thought leadership to tackle the difficult problems that these goals will present. Ultimately, we need the right people in the right places, with the right skills, doing the right things, at the right time. UNCLASSIFIED

Issues/Challenges THE CHALLENGE THE COMPETITION UNCLASSIFIED Issues/Challenges THE CHALLENGE We are currently preparing students for jobs that don’t yet exist, using technologies that haven’t been invented in order to solve problems we don’t even know are problems yet The U.S. Department of Labor estimates that today’s learner will have 10-14 jobs by the age of 38 THE COMPETITION China will soon become the #1 English speaking country in the world 25% of India's population with the highest IQs is greater than the total population of the U.S. The top 10 highest demand jobs in 2010 did not exist in 2004 THE FUTURE WORKFORCE – GENERATION Y Multitasking Optimistic outlook – self-confident High expectations – questioning Technical savvy Job hoppers – career progression less important than personal pursuits Huge potential for miscommunication, low morale, and poor productivity in generational workforce Twitter is currently seeing about 50 million tweets per day. That is approximately 600 tweets per second….. UNCLASSIFIED

USCYBERCOM Missions and Operations UNCLASSIFIED USCYBERCOM Missions and Operations USCYBERCOM Mission: USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. Defend the Nation Operate and Defend DoD Information Networks (DODIN) CCMD Support Mission Areas Cyber National Mission Force Cyber Protection Force Cyber Combat Mission Force Cyber Mission Force USCYBERCOM has three operational focus areas: Defend the Nation, Combatant Command Support, and DoD Information Networks (DODIN) Defense. These are distinct from the command’s three lines of operations – DODIN Operations, Defensive Cyber Operations (DCO) and Offensive Cyber Operations (OCO). However, each of the lines of operation runs through each focus area. For instance, in supporting a combatant commander, USCYBERCOM is responsible for operating global networks, defending those networks and possibly conducting offensive cyber operations using those networks into adversary cyberspace. USCYBERCOM will address these three operational focus area with the Cyber Mission Forces, organized into Cyber National Mission Forces, Cyber Combat Mission Forces and Cyber Protection Forces. USCYBERCOM will use Cyber National Mission Forces (CNMF) in the first focus area – Defend that Nation. These CNMFs will defend the nation by executing See-Block-Maneuver tactics to deny adversary objectives against our Nation’s critical infrastructure. Further, the CNMF, if authorized, will strike in cyberspace to destroy adversary capability to continue attacks against our critical infrastructure. Cyber Combat Mission Forces (CCMF) are aligned with CCMD requirements to meet objectives in the CCMD Support focus area. USCYBERCOM has been supporting CCMDs with cyber planning via the Cyber Support Elements (CSEs) and Liaison Officers. CCMFs will strengthen our existing level of contribution by conducting target development in support of CCMD operations plans and, when authorized, assisting in the delivery of cyber effects against CCMD prioritized targets. The teams will also assess cyber tool delivery and effectiveness. USCYBERCOM will use Cyber Protection Forces (CPF) to accomplish the third focus area – DODIN Defense. These forces will have capabilities similar to existing red, blue, green, white and hunt teams. 3 Lines of Operations - Running Throughout the Mission Areas DODIN Operations Defensive Cyber Operations (DCO) Offensive Cyber Operations (OCO) Lines of Operation UNCLASSIFIED

Virtual Single Network UNCLASSIFIED Requirements to operate in cyberspace Share Access Operational Environment Connect Virtual Single Network Operate & Defend Govern Defensible Architecture Trained & Ready Cyber Teams Operational Concept Authority to Act in Defense of the Nation Suggested script: Authorities to Act: the members of Team Cyber must know their roles in cyberspace, and be able to execute the authorities that they have. Operational Construct: in addition to the authorities, the members of Team Cyber must have the procedures, policies, and capabilities needed to perform their roles. This includes when and how to communicate with other members of the Team. Global Situational Awareness: analysts and decision makers across Team Cyber need to understand events in cyberspace in a way that’s relevant to their missions and decisions. The members of Team Cyber must be able to communicate timely and relevant information with one another. Defensible Architecture: DoD networks must be able to support remote maintenance and defense, including automated self-defense, intrusion detection, and mitigation. Trained and Ready Forces: the right number of people, with the right skills, experience, team and individual training, and assessment and certification. Nothing will get done on the other four requirements without the right people doing them. Global Situational Awareness UNCLASSIFIED

(U) What it Takes to do Cyber Operations UNCLASSIFIED (U) What it Takes to do Cyber Operations Develop Crypto Attribute Attacks Defensive Response Identify Attacks Attack Targets Harden US Networks Assess Effects Produce Intelligence Identify Targets Target Process & Store Data Develop Intelligence Linguists Collect Data Network Operators Deploy Capabilities Defeat Encryption Operations in cyberspace directed at adversarial targets are complex are require a wide range of processes (identified in the yellow boxes surrounding the target); people (identified in the surrounding boxes toward the bottom of the slide); and organizations (identified at the outer edges of the slide). Intelligence Analysts Capabilities Developers Accesses Cryptanalysts Net Warfare Planners Access Enablers Network Analysts Cyberspace Operations: Intelligence Community, Military, Foreign Partners, Industry UNCLASSIFIED

UNCLASSIFIED J7 Vision/Mission (U) Develop agile, flexible training to prepare world-class, fully capable cyber forces for the present and future, through focused common standards, training engagements, and career training management for individual through collective training and education to support the Command’s cyberspace operations missions. (U) Individual training (U) Advise recruiting and assessment qualification standards (U) Advise Service School and Branch Qualification Training (U) Develop certification for advancing roles and responsibilities (U) Information Assurance Workforce Improvement Plan (U) Joint Individual Training (U) Joint Work Roles and Responsibilities (U) Advise and engage continuing education (U) Joint Professional Military Education (U) Public/Private University System (Defense Universities, Public/Private Institutions) (U) Collective Training (U) Training and Certification Events (e.g., Cyber Flag) (U) Cyber-focused Exercises (e.g., Bulwark Defender) (U) Retention 7 UNCLASSIFIED

Technical Workforce Challenges UNCLASSIFIED Technical Workforce Challenges Future Workforce Population Trending Down Future STEM Graduates Trending Down So in our efforts to understand the demands on our future workforce – through understanding the missions and future priorities of the joint warfighter, coupled with the unique challenges of finding, educating and retaining the workforce that is able to accomplish those missions if further challenged Given current population studies and projected economic growth, the work force is shrinking. There are concerns that there simply won’t be enough people to do the work that needs to be done. There is a downward trend in STEM graduates. So as the labor pool shrinks, the percentage of STEM graduates shrinks as well as the overall raw numbers of graduates This is a huge challenge – one that we have to start thinking about now and not wait until it’s too late I would pose the following questions for thought: What are the real drivers? What we doing about those? How do we get the right intellectual capital engaged in understanding these problems and crafting solutions? What are the real drivers influencing the trend lines? What are some of the solutions? How can we leverage the brain trust looking at these problems? 8 UNCLASSIFIED

Joint Training System (JTS)* UNCLASSIFIED Phase 1. REQUIREMENTS Joint Mission Essential Tasks Missions/Orders/Strategy/Policy Work Roles/Standards Phase 4. ASSESSMENT Phase 2. PLANS Joint Training Information Management System Defense Readiness Reporting System Lesson Learned Joint Training Plan Training and Readiness Manual Joint Cyberspace Training and Certification Standards Joint Exercise Life Cycle Plan Evaluate Prepare Execute Phase 3. EXECUTION Combatant Command Tier 1 Exercises Cyber Flag, Cyber Guard, Cyber Knight Cyber Wargame *CJCSM 3500.03, Joint Training Manual “It is important…to assign responsibility for the JTS across all disciplines within your staff. The processes of JMETL development, of determining training objectives, and of developing the Joint Training Plan all require the skill and corporate knowledge of many people.’” Joint Training System Primer UNCLASSIFIED

Joint Mission Essential Tasks UNCLASSIFIED JMET Development A JMET describes the essential tasks for a joint commander and includes associated conditions and measurable standards JMETs are identified by reviewing plans and OPORDS for executing a mission JMETs are identified using the UJTL as a common language An essential task is defined as one where the mission has a high probability of failure if it is not accomplished successfully. UNCLASSIFIED

JMETL Development Process UNCLASSIFIED UNCLASSIFIED JMETL Development Process Conduct Mission Analysis to Determine Specified & Implied Tasks Select Mission Tasks from Universal Joint Task List (UJTL) Determine Essential Tasks from Mission Tasks Identify Responsible Organizations Describe Conditions Establish Standards Identify Supporting, Command and Linked Tasks Commander Approves JMETL The methodology for constructing the JMETL, when properly conducted, ensures that joint training is requirements-based, trains the force the way they intend to operate and is focused on essential tasks that accomplish theater missions. UNCLASSIFIED UNCLASSIFIED

Methodology JMET CAPACITY RESOURCES ABILITY TTP KSA PROCESS MAP UNCLASSIFIED Methodology Identify Mission Conditions Define Objectives (Capacity and Capability) Identify Intermediate Objectives Identify Output and Standards Identify Dependencies and Constraints JMET Identify Resource Conditions Identify Processes and Metrics Identify Process Dependencies Identify cross-linkages TTP CAPACITY RESOURCES ABILITY KSA Map workrole to process Verify appropriate KSAs Identify Individual Productivity Standards and Metrics PROCESS MAP UNCLASSIFIED

Workforce Management – Demand Analysis UNCLASSIFIED Workforce Management – Demand Analysis (U) Projected Need (U) Strategy/Mission Analysis (U) Evolving Workforce Mission Requirements (U) Current/Projected Force Readiness (U) Workforce Management (U) Needs (U) Capability (U) Capacity (U) Integration? (U) Workforce KSAs to Meet Projected Need (U) New/modified KSAs required; delete non-essential work roles/functions (U) Consolidation of work roles/functions (U) Demand Analysis (U) Projected Need (U) Workforce KSAs to Meet Projected Need (U) Staffing Patterns (U) Training Pipeline Requirements (U) Staffing Patterns (U) Number of personnel required to perform evolving mission (U) Organization functional review (U) Training Pipeline Requirements (U) Required training (U) Training throughput/billets (U) Training resources The right number of people with the right skills, experience, and competencies in the right places at the right time. UNCLASSIFIED

Workforce Framework Development UNCLASSIFIED Workforce Framework Development Framework Categories The Framework organizes cybersecurity into seven high-level categories, each comprised of several specialty areas. CND Operate & Maintain Systems Security Analyst Network Infrastructure Specialist Knowledge / Content Manager Server Administrator Technical Support Specialist Network Operations Manager Data Administrator Provision: Design & Build Systems Architect Systems Developer Software Engineer IA Compliance Agent Systems Requirements Planner Defend CND Analyst CND Infrastructure Support Specialist CND Incident Responder CND Auditor CND Manager CND Forensics Analyst Cyber security Analyst/Information Security Professional UNCLASSIFIED

NICE Framework Securely Provision UNCLASSIFIED NICE Framework Securely Provision Specialty areas concerned with conceptualizing, designing, and building secure IT systems. Operate and Maintain Specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security. Protect and Defend Specialty area responsible for the identification, analysis and mitigation of threats to IT systems and networks. Investigate Specialty areas responsible for the investigation of cyber events or crimes which occur within IT Systems and networks. Operate and Collect Specialty areas responsible for the highly specialized and largely classified collection of cybersecurity information that may be used to develop intelligence. Analyze Specialty area responsible for highly specialized and largely classified review and evaluation of incoming cybersecurity information. Support Specialty areas that provide critical support so that others may effectively conduct their cybersecurity work. UNCLASSIFIED

Training Spectrum Collective Training Collective Training UNCLASSIFIED Training Spectrum JMETs Cyberspace Exercise Staff/Unit Certification Collective Training Cyber Flag Training Collective Training Joint Individual Training Service Career Training IAWIP DoDIN Ops DCO OCO Gap/Refresher Training Retention and Career Feedback Process Joint Cyberspace Training and Certification Standards Sustain Cyber Warrior Career Professional and Continuing Education Certification Levels Individual Training Gap/Refresher Training (U) Joint Cyberspace Training and Certification Standards (JCT&CS). This operational view presents an overarching framework for training for the current and future cyberspace workforce over their careers. On the left is the Joint Cyberspace Training and Certification Standards that advise nearly aspect of individual force training and education. These standards inform curriculum, certification, and other standards used to effectively train forces to meet the ever-evolving warfighter demands of the cyberspace domain. (U) Assessment and Recruiting. Key career training development is the initial assessment and recruiting done to identify the best candidates possible to support the cyberspace mission. The JCT&E will provide key insights into the preliminary knowledge, skills, and abilities needed to ensure success. Service recruiting efforts will be advised of these standards and special screening techniques and evaluations will be developed to identify candidates with the most potential. (U) Service School Qualification Training. For both enlisted and officers, basic entry training for their respective skills are provided currently by the Services. For many cryptologic skills today that instruction is provided through JCAC at Corry Station in Florida. As a backdrop, the JCT&E will provide guidance in curriculum development, advising the Services on the KSAs with metrics to ensure success for those assigned to joint cyberspace work roles. (U) Professional and Continuing Education. Once the basic schooling is completed, Service military and civilians will continue to work to sharpen skills and capabilities through professional and continuing education. For the Joint community, this will include Joint Individual training and for IA professionals, training and certification is completed in compliance with prevailing DoD policy. Again, the JCT&CS provides a broad framework to inform joint and Service training for cyberspace KSAs. (U) Retention. An aggressive and effective retention and career feedback process is permeated throughout the careers of the cyberspace workforce. Constant inputs to training value, curriculum development, and career utilization will be used to advise senior leadership on job satisfaction and how well training enables the workforce to be successful in their assignments. Key to the success of this program is the agility at which the JCT&CS can be modified and those changes permeated through professional and continuing education to keep the DoD cyberspace workforce in the forefront globally. (U) Collective Training. Even with a robust individual training program, individuals fight as crews, staffs, and organizations. The training spectrum also includes an aggressive collective training program that trains, certifies, and then exercises the future cyberspace workforce. Training and certification standards are contained in the JCT&CS and methods and modes will be developed to measure the ability of crews, staffs, and organizations to meet the demands of fighting and winning in the cyberspace domain. Ultimately, this training is tested in cyberspace exercise events that focus on cyberspace operations with objectives that tie back to Joint Mission Essential Tasks. Create Cyber Warrior Service School and Qualification Training Assessment and Recruiting UNCLASSIFIED

Example of Individual Certification UNCLASSIFIED Evaluation Objective Practical Exam Subjective/Objective Review Board Subjective 1 2 3 Standardized, High-Stakes, Scored Knowledge Based Remediation Requirements Identified Task Based Scenario Based Tailorable Virtual / Live Persistent Training Environment Paper-Based and Interview / Panel Leadership Documentation and Compliance Oversight Additional Information Annual re-certification requirement to ensure / verify perishable skills UNCLASSIFIED

Developing Cyber Warriors UNCLASSIFIED Developing Cyber Warriors OPERATING AS A TEAM Build on individual joint training Rehearsal of concept Role familiarization Integrate and synchronize shared capability responsibilities UNCLASSIFIED

Example Cyber Training Venues UNCLASSIFIED Example Cyber Training Venues Service Hosted Training Venues for Cyberspace Operations USA Signal Center of Excellence, Fort Gordon, GA Information Assurance Training Center – FT Gordon, GA Computer Network Defense Course – FT McCoy, WI Basic Computer Network Operations Planners Course (BCNOPC) – FT Belvoir, VA USN Center for Information Dominance, Corry Station, FL Joint Network Attack Course (JNAC) Naval Postgraduate School, Monterey, CA USAF Air Force Institute of Technology, Wright-Patterson AFB, Dayton, OH Center for Cyberspace Research USMC Marine Air Ground Task Force Training Command, 29 Palms, CA Other Training Venues for Cyberspace Operations NSA/ADET College of Cryptology Center for Computer Network Operations, Cyber Security and Information Assurance Department of Defense DoD Cyber Crime Training Academy, Linthicum, MD Technology Track Responders Track Network Investigations Track Intrusions Track Forensics Track The Information Assurance Training Center, Fort Detrick, MD The Information Assurance Training Center, Lewis-McCord, WA The Information Security Center, Fort Bragg, NC Universities/Colleges University of Maryland University College Various cyber certifications and undergraduate/graduate level degrees University of Dayton Post Graduate program in Cyber Security Management University of Maryland Baltimore County Private Sector NG Cyber Warrior Course Security Awareness and Certification Accreditation Courses (U) Each of these courses provide a current foundation in requisite Information Assurance (IA) and Computer Network Operation Skills. In addition to the Service Schools, Joint Service Schools, Agency, University and Business partner efforts, there remains an extensive opportunity for potential Cyber training. Over 100 Community Colleges, Universities, Department of Homeland Security Center for Academic Excellence courses; the Navel Post Graduate School, and several others are getting developed or have been developed. UNCLASSIFIED

Summary The integrated USCYBERCOM strategy for training includes: UNCLASSIFIED Summary The integrated USCYBERCOM strategy for training includes: Individual training through the development of a cradle-to-grave training and career progression model that ensures individuals are professionally developed to assume greater roles and responsibilities to meet the demands of the command’s three Lines of Operation Collective training through the development of crew, staff, and unit level training that encompasses tactical, operational, and strategic levels of cyberspace warfare while supporting and ensuring relevant collective training events are realistic, instrumented, and agile Development of a Common Training Standards Program that develop requirements, provide guidance for individual and collective training, and track and assess the nation’s cyberspace force readiness 20 UNCLASSIFIED

UNCLASSIFIED Questions? UNCLASSIFIED

UNCLASSIFIED Back-ups UNCLASSIFIED

Training / Workforce Development Unclassified Training / Workforce Development Ensuring Interoperability Establish interoperable cyber training standards (common, core Knowledge, Skills, & Abilities) Validate training requirements (1) Align, synchronize, improve, and evaluate the integration and interoperability of cyber forces through exercises and collective training (1) Advocate for combatant command training requirements to include DOTMLPF, materiel, and enabling capabilities (2) Examine DoD exercises, wargames, and experiments related to cyber operations to determine potential efficiencies, establish guidelines, and incorporate lessons learned. (2) Training & Instruction of Assigned Forces Integrate command training requirements into DoD training and education programs (1) Certify, monitor, and assess DoD cyber training programs (1) Standardize core cyber training across DoD (1) Design and conduct strategic & national level exercises, wargames, and table top exercises (1) Enable CCDR to focus training on capability shortfalls to address current and future threats (2) Manage academic and community outreach programs to private and public institutions (3) Workforce Readiness (incl. non-assigned) Monitor the health of the DoD cyber force (2) Identify, coordinate, maintain cyber-related JMETL/UJTL to ensure readiness (incl non-asg’d forces) (3) Develop training and evaluation activities to determine readiness (1) Monitor DRRS and provide assistance in mitigating readiness issues (2) Develop Doctrine Develop and maintain joint cyber doctrine and concepts (3) Ensure training and training strategies are consistent with current and emerging cyber doctrine (1) Act as lead agent for joint cyber publications as designated by Joint Staff J7 (1) Ensure Service cyber doctrine is consistent with joint doctrine (3) Promotes a common definition of “cyber force” and descriptions of cyber tasks (2) Monitor Promotions, PME, etc Inform the Service process of promotions (3) Identify cyber career milestones recommended for promotion (2) Identify, advocate, and develop cyber PME required for promotion (2) Advocate the investment of cyber human capital (1) Unclassified