The Evolution of USCYBERCOM – TTG

New Thinking Taking Root 

The essays in this volume describe ways in which U.S. Cyber Command (USCYBERCOM) has evolved over the decade since Secretary of Defense Robert Gates directed its establishment in June 2009. Its current commander, Gen. Paul Nakasone, divides the history of the command into overlapping chapters, or “acts.” Act 1 was standing up the command in May 2010. Act 2 was the team-building phase. In 2012, the Department of Defense (DOD) began building 133 teams – 6,187 people, both military and civilian. Over the ensuing four years, the Cyber Mission Force increased its capacity and capability, reaching full operational capability in 2018. During act 3, those teams were employed. While still building the force in 2016, Joint Task Force–Ares supported U.S. Central Command and U.S. Special Operations Command by conducting operations to defeat ISIS in virtual space. In 2018, the Russia Small Group, a USCYBERCOM partnership with the National Security Agency, in coordination with other members of the interagency community, assisted in securing the 2018 midterm elections.

These organizational and operational milestones have been accompanied by an equally important “conceptual” transformation, characterized by General Nakasone in his 2019 Joint Force Quarterly article as a pivot from a “response force” to a “persistence force.” The commander writes, “USCYBERCOM initially focused on defending DOD networks[,]… executing counterterrorism operations, planning to support conventional forces in crisis scenarios, and maintaining capacity to respond to an attack of significant consequence against our critical infrastructure.” The response force concept, holding forces in reserve for war or responding to attacks after the fact, proved to be no match for increasingly capable adversaries operating continuously below the threshold of armed conflict against our critical infrastructure, government networks, defense industries, and academia. “A persistence force has a much higher chance of disrupting adversary plots and protecting Americans, compared with a force that is confined to sporadic reconnaissance” and episodic engagement.  (US Naval War College)


This is from a chapter in a Naval War College publication entitled “Ten Years In: Implementing Strategic Approaches to Cyberspace.” This particular chapter is by Emily O. Goldman called “The Cyber Paradigm Shift.” These two paragraphs capture the evolution of USCYBERCOM quite nicely. I will add that there is no Cyber Force as a new service to accompany this functional combatant command although the idea has been bandied about for decades. Like other combatant commands, it has service components as shown in the organizational chart above. CYBERCOM’s largest and central component is JFHQ-DODIN (Joint Force Headquarters-Department of Defense Information Network) comprised of all DoD computer networks, some 15,000 networks, their infrastructure and the quarter million personnel (military, civilian and contractor) who run those networks. In essence, this is CYBERCOM’s AOR. This grew from DISA (Defense Information Systems Agency) as it was known in my day.

The final component of CYBERCOM is the Cyber National Mission Force consisting of 133 Cyber Mission Force Teams. These teams are what I would consider the maneuver units of CYBERCOM. The following is from an ARCYBER fact sheet:


The Cyber National Mission Force plans and conducts cyber operations aimed at disrupting adversaries. The group works against specific nation-state threats and aims to engage those enemies as a means of preventing cyber intrusions. It is often described as having Cyber Command’s best operators.

The Cyber National Mission Force is considered one of the leading groups at Cyber Command in carrying out Nakasone’s philosophy of “persistent engagement.” This approach recognizes that cyber forces must be in constant contact in cyberspace with competitors day to day. A key pillar to that concept is what defense officials are calling “defending forward,” which involves operating outside U.S. networks to face threats as far away from the United States as possible.  (ARCYBER)


These teams are trained, equipped and maintained by the services. They appear to be platoon size elements of military and civilian personnel. I don’t know if they also have contractors assigned to these teams. Although this is a new concept to me that came about after my retirement, I see how the idea evolved. I created and ran a HUMINT collection detachment that combined clandestine collection, linguistic and technical skills to conduct long term collection operations online. We were a military, civilian and contractor mix from both DIA and NSA in near daily contact with analysts from DIA, NSA and FBI. We provided direct support to JTF-CND (Joint Task Force – Computer Network Defense) which operated under SPACECOM. While JTF-CND had numerous surveillance capabilities trying to detect attacks on our systems, we were the only reconnaissance element available to them at the time. We operated in the wild to identify threats and threat actors before, during and after attacks on our systems. We operated in cyber no man’s land and behind enemy lines… over the long haul. I believe we were a, but not the only, precursor to Nakasone’s concept of persistent engagement. My detachment operated under intelligence authorities and restrictions. These cyber mission teams operate under Title 10 authorities. My guess is that their guiding authorities will in many ways mirror those of JSOC forces. 

This cyber national mission force is a very different approach than the creation of the Space Force. One similarity will be that both forces will be comprised of a large number of specially skilled civilians, perhaps even the preponderance of personnel. Time will tell if it works. Contributing to future success is the service’s creation of officer, warrant and enlisted cyber career fields. I’m sure the highest aspiration of uniformed members of these career fields is to be assigned to these cyber mission force teams. 


More reading: (The full Naval War College publication)—COL-Craft_Fight-the-DODIN_approved-Final.ashx   (A short, but informative, PowerPoint briefing on JFHQ-DODIN)  (Contains a brief discussion of evolving of cyber resourcing concepts and authorities)

This entry was posted in The Military Art, TTG. Bookmark the permalink.

21 Responses to The Evolution of USCYBERCOM – TTG

  1. Avatar turcopolier says:

    Excellent. I presume that none of this is classified.

  2. pl,
    You presume right. I was damned careful.

  3. Avatar Escarlata says:

    Y, todo esto, lo dirige entonces ahora Avril? ahem..a dual citizen…security…my ass…
    Then, there is this lumbrera…la nueva adquisición…
    One wonders whether someone vvwith a bit of a brain realizes all these people with neither preparation nor merits at all, who are out there only to grab funds are largely contributing to destroy your soft, but also hard, power…
    The number of Russian-bots will grow guess…but he has run out of UK granpas and grannies to blame due the Coronavirus…Who will be next?
    Good luck!

  4. Escarlata,
    Avril Haines is not a dual citizen. She was born and bred in NYC. Taking up her mother’s Jewish faith does not make her a dual citizen any more than being Roman Catholic makes me an Italian or Spaniard. That’s not very enlightened of you, carida mia. Haines has plenty to answer for surrounding her involvement in hiding CIA torture, but she is American. Also, as DNI she doesn’t have any control over CYBERCOM. That’s under the Sec Def’s purview.

  5. Avatar scott s. says:

    Good to read. My wife was something of a pioneer. After tours at Naval Security Group and a DCA field activity in the bowels of the Pentagon (Command and Control Tech Center) someone had the idea that the World Wide Military Command and Control System computers could be tied together in a “computer network”. She got orders to NATO HQ SHAPE in Mons in a newly created job — Network Security Officer. (Gen Al Haig was the commander at the time). She got to learn about things like the care and feeding of the IMPs from Leonard Kleinrock. (Back then in the USN, joint tours were considered “women’s work”.)

  6. Avatar TonyL says:

    Thanks TTG,
    In my 40-plus-year career, from time to time I had a sense that somewhere there was an effort of “HUMINT collection detachment that combined clandestine collection, linguistic and technical skills to conduct long term collection operations online”.
    Attribution is always the hardest thing to do in Cyber. Without HUMINT collection such as your detachment, all cyber forensics are just incomplete analysis.

  7. Avatar Jose says:

    TTG, weren’t they suppose to get smaller and more nimble?
    This looks like a typical bureaucracy just waiting to get hacked.

  8. Jose,
    The networks are massive. There is no question about that. That’s reflected in the quarter million personnel needed to run the DoD networks. The cyber mission force teams are small and nimble in direct contrast to the size of those networks and all those worldwide networks in which they operate. Have you ever been inside just one data center? I’ve been in many. They are huge with thousands of servers, routers and switches connected by hundreds of miles of copper and fiber cabling. Just one data center is incredibly complex and ther are thousands of them throughout the world.

  9. Avatar Leith says:

    Thanks for this TTG. I do have a couple of dumb questions. My apologies if I missed seeing the answer in the provided links.
    What about a cyber service component for Space Force? Hell, even the superbowl honor guard had a flag bearer out there carrying a Space Force flag along with the other services. I’m assuming a Space Force Cyber Command exists even though the header pic does not show them and the links provided did not specifically mention one. Probably the link is pre-Space Force?
    Any insight into favored universities for recruiting into CyberCOM, a la the Yale/CIA connection in the old days?
    And outside of contractors which you mentioned, I kind of wanted to ask about CyberCOM front companies. Like in the old days when Air America and Brewster Jennings were fronts for the CIA. And Aeroflot was a front for the KGB. But never mind, don’t answer that!
    Regarding APTs, does USCyberCom have its own list of persistent threats and does not exclusively use FireEye’s list? If so are they, or at least some of them, published at an unclassified level?

  10. Avatar Jose says:

    TTG, it’s cold in there…lol

  11. Jose,
    Damned cold. Noisy, too. It’s the one place that drowns out my tinnitus. Still, once I learned to keep a folding camp chair inside my cabinets, I grew to truly enjoy my time in those data centers. Kind of like Willy Wonka’s chocolate factory.

  12. Leith,
    When I wrote this I thought about a Space Force component to CYBERCOM. I’m sure there will eventually be one and they will eventually provide cyber mission force teams like the other services. It’ll just take a while. They’re still at the early stages of standing up and defining themselves.
    I don’t know of any favored universities for CYBERCOM recruiting. I imagine they would be setting up booths in any technical university. In my experience, the real stars were not university graduates. They were naturally talented, self taught, learned OTJ and kept up on certification tests. A lot of them eventually find their ways into one of the FireEye type firms or a Cisco or Equinix like tech firm.
    I also doubt CYBERCOM deals in front companies. Remember, this is DoD, not IC. But I’m sure they work with the FireEye, Cisco and Equinix industries on a regular basis.
    I doubt CYBERCOM uses a FireEye list of APTs. NSA and JTF-CND never did when I was in the business. Back then, related intrusions were given their own codenames like MOONLIGHT MAZE or TITAN RAIN. NSA and CYBERCOM surely have their own shared list of APTs.

  13. Avatar David Habakkuk says:

    The whole ‘cyber’ dimension is one about which I am regrettably ignorant.
    Some questions:
    1. Quite how far does the increasing dependence of modern societies, including modern militaries, on ‘information technology’, coupled with the very dramatic developments in this, make it possible to use ‘cyber’ methods as offensive weapons – both in war and in peace?
    What are the ‘worst case scenarios’? Is it likely to be possible, either already or in the forseeable future, to use such methods to stop a modern society, or simply large elements of its military, functioning effectively?
    2. Insofar as it is possible, what can be said about the emerging balance between ‘offense’ and ‘defence’?
    In relation to ‘missile defence’, it has seemed reasonable to assume that, short of major scientific breakthroughs, which are inherently unpredictable, ‘asymetric’ responses can generally negate its effectiveness at much lower cost than is required to develop measures that can negate them.
    In relation to some forms of ‘cyber’ attacks, how far can one make systems resilient against them, how far is one going to end up relying on a version of ‘deterrence’ – the ability to retaliate in kind?
    2. There are, obviously, different issues relating to the possible uses of such methods in an actual war, and in peacetime. In the latter, a major problem appears to relate to difficulties of attribution: as is evident from the ‘SolarWinds’ incident.
    How far can these be solved, how far is the problem that responsibility can be disguised likely to remain with us?
    And how far is the latter problem compounded by what appears to be an excessive readiness in some quarters, very visible in relation to ‘SolarWinds’, to ‘round up the usual suspects?’
    Back in October 2018, in a piece here entitled ‘Loops of Lies re “SIGINT”’, I discussed the way in which patently dishonest claims about intercepted communications, clearly involved the production of deliberate disinformation by organisations responsible, in the U.K., U.S., and Israel, had been used in three incidents.
    These were the attempt to use the ‘false flag’ sarin attack at Ghouta to inveigle both our countries into destroying the ‘Assad régime in August 2013, the supposed attempted assassination of Sergei and Yulia Skripal with ‘Novichok’ in March 2018, and the murder of Jamal Khashoggi in October of the same year.
    (See .)
    How far is the clear involvement of people in ‘cyber’ in ‘information operations’ liable to compromise their ability to perform other functions?
    3. In developing ‘cyber’ capabilities, what are the relevant advantages and disadvantages of different countries, and kinds of society?
    I have watched, with some interest, the results of the annual ‘International Collegiate Programming Contest’ headquartered at Baylor University.
    (See .)
    How far what these suggest about the availability of top-class programming skills is relevant to the ‘cyber’ capabilities of states seems to me an interesting issue.
    The question of how far, in the ability to develop ‘cyber’ capabilities, the production of university graduates is relevant, as distinct from more ‘self-taught’ people, is obviously highly relevant here.
    However, for what it is worth, in recent years American universities have performed rather poorly in these contests, as compared with ones from the former Soviet space, and Asia.
    In the most recent contest, in 2019, MIT did manage to make second place, the best result for a U.S. university for a very considerable time.
    The presence of Russian universities was a bit weaker than has been normal in recent years, but they still managed to field the winner, and two others in the top twelve.
    The mainland Chinese presence was also weaker than it has been, but I was interested to see that the ‘Kim Chaek University of Technology’ in Pyongyang achieved a ‘silver’, and the ‘Sharif University of Technology’ in Tehran, a ‘bronze.’
    I would imagine the Iranians will be attempting to develop ‘cyber’ capabilities, against a range of adversaries, the Israelis and Saudis among others, to complement the precision missile capabilities on which they have been concentrating. What indications do we have about how successful they have been and are likely to be?
    4. Also relevant here are quite complex issues to do with the advantages, and disadvantages, of size in bureaucracies to do with ‘national security’ issues. And then, one comes back here to the question of what skills, and education, are important.
    The successes in ‘SIGINT’ which were crucial to British victory in two world wars can be largely traced back to ‘Room 40’ in the Admiralty in the first of them.
    These were based largely on effective recruiting of civilians, some academics, but also all kinds of talented eccentrics from a wide range of backgrounds: key figures had backgrounds in stockbroking, publishing, or indeed as a clergyman, and already, university educated women began to play a role. (They were crucial at Bletchley Park.)
    By 1937-8 however the then head of the ‘Government Code and Cipher School’, Alastair Denniston, had realised that the ‘mechanisation’ of encryption, with the Enigma machines, could only be countered by fundamental theoretical breakthroughs.
    As a result, his visits to ‘high tables’ in Oxford and Cambridge in 1937-8, which led on to the recruitment of a number of very brilliant mathematicians, who developed the pioneering work of Polish cryptographers.
    (See .)
    Part of this process was that very brilliant ‘pure’ mathematicians, like Alan Turing and his key collaborator Jack Good (born Isidore Jacob Gudak), became interesting in finding new solutions to practical problems, leading in turn to intellectual innovations whose consequences are with us today.
    So ‘Bayesian statistics’, which continues as I understand to be central to ‘SIGINT’, and has had expanding applications in many other fields, involved turning the common ‘pure mathematics’ habit of starting with axioms on its head.
    Instead, methods were developed to make possible very rapid testing of alternative possible hypotheses in relation to a mass of evidence.
    5. So, one comes back to the question of how far the development of ‘cyber’ capabilities is doing to depend upon the ingenuity of ‘hackers’ and others, many of the best of whom do indeed seem to be people who are largely self-taught enthusiasts, and how far on the kind of fundamental intellectual breakthroughs which need formal expertise.
    In turn, that question may be related to ones about the ambiguous effects of large bureaucratic organisations. It would certainly be impossible to conduct effective cyber today on the small scale of the Bletchley Park which Turing and Good joined. But large bureaucracies are not necessarily favourable to intellectual innovation – and can have other problems.
    And finally, there are questions to do with motivation. The people responsible for breaking ‘Enigma’, in different ways – which means Denniston, as much as those he recruited – were motivated by the sense they were confronting an ‘existential threat’, as well as intellectual fascination with the problems involved.
    What was not relevant in the British case, at that time, but may be very relevant elsewhere, is that a sense of ‘existential threat’ can also make very brilliant people ready to work for ‘régimes’ about which they have very deep reservations, and indeed, may even dislike and despise.

  14. Avatar jerseycityjoan says:

    I support all of this but I honestly don’t see how we can protect ourselves enough to be safe in the cyber world. Technology keeps changing and more things are tied to computers and the Internet. As the years go on the bad actors of this world will become more and more able to do more terrible things to the rest of us. The incident at the water company this week showed that hackers can kill people remotely. It didn’t happen but it could have. That was a town of I think around 15,000. No reason you couldn’t try the same thing in NYC.
    I would not be surprised if that town got rid of remote access to the water company controls but not using computers is ultimately no answer.
    And we here in the US are able to defend ourselves far better than people in most other countries in the world.
    I don’t know what the answer is in the future.

  15. Avatar Leith says:

    TTG – Any comment on the hack at the Oldsmar water plant that Joan mentioned?
    I would guess defending against these kind of hacks are more the responsibility of CISA at DHS rather than CyberCOM. But it seems to me that CyberCOM expertise is needed. At least in tracking down the hacker.
    Or am I overreacting?

  16. David Habakkuk,
    As we increasingly put everything we do on the internet, from communications to basic services and everyday mundane functions, we increase our vulnerability to all manner of cyber attacks, disruptions and just plain surveillance. That includes our military. I’m sure you’ve heard of our military reliance on satellite communications. Even our aircraft are fly by wire or more accurately, fly by lines of code. All that’s subject to cyber attack. Every person and every soldier in a modern technological society seem to find it necessary to be tethered to an always on smart phone 24/7. All that’s subject to attack.
    I suppose the worst case scenario is a widespread and persistent power outage followed by a widespread communications outage. Fortunately a solution is at hand. Resiliency is being developed by implementing non-connected and non-computer driven backups for basic societal functions like power plants, water treatment and pumping facilities, medical facilities and many others. I know this is being done on the national level. Our military is also learning, or relearning, to operate without ubiquitous connectivity. All these work arounds aren’t as efficient as what we’ve become accustomed to and they could be downright annoying, especially to those young enough not to have experienced life without the internet. My assessment is that we are not all doomed to die in a cyber Armageddon.
    In the cyber world, I think the balance between offense and defense is always tilted in favor of the offense. Successful attacks can be small and cheap. The choice of vulnerable targets is practically limitless. However to carry out an attack that cascades into something devastating is not as easy as it’s often made out to be. That’s where an effective incidence response comes to the rescue. It’s an integral part of system resiliency. Resiliency and redundancy work.
    One flawed approach is to think that intrusion detection at a network’s edge is the ultimate answer. Our Einstein intrusion detection system (IDS) was designed to spot and eventually stop attacks on our government information systems. It’s a Maginot Line mentality. It did nothing to stop the Solar Wind intrusions. IDS is only effective if it is a part of an all approach cyber security plan. On a national level that includes NSA’s aggressive SIGINT collection and CYBERCOM’s even more aggressive “persistence force.” We just have to ensure our legal structure can keep up with NSA and CYBERCOM.
    CYBERCOM and NSA share many techniques and rely on each other in the performance of their missions. That’s why they are currently colocated and General Nakasone is dual hatted as CINC USCYBERCOM and DIRNSA. I do believe they will eventually separate. They are also both involved in detecting and disrupting enemy information operations as well as cyber espionage and cyber attacks. They are now much better at determining attribution than we were two decades ago. Back then we did rely almost exclusively on after the fact forensics on targeted computers and networks. Today, that’s only a beginning. We now often go after the attackers with HUMINT and cyber penetrations. We identify individual perpetrators and their infrastructure. We often watch them work on their own infrastructure. Look at the information presented in the indictment of the GRU 12. Compare that with what CrowdStrike presented. It’s night and day.
    I don’t think any type of society has an advantage in developing cyber talent. Certainly a strong system of technological universities is a plus, but not a guarantee. One observation I might offer is how computer science or cybernetics was taught in the 80s and 90s in the SU/FSU and Eastern Bloc countries. The first two years of computer programming were taught on a blackboard and was done on the Assembler and machine language level. These students learned to think like a computer chip before they started to program actual computers in Fortran. That level of understanding coupled with an insufficient number of jobs in the field led to the first boom in computer hacking and virus coding. It was an exciting time to be on FIDONet. Perhaps that legacy persists in that region, but I don’t know if any country teaches computer science like that these days. Perhaps North Korea.
    An indication of Chinese seriousness in this field was their concerted effort to hire most of the world’s experts in the field of algebraic geometry. This field is key to advances in artificial intelligence and machine learning. That’s probably an indication of their determination to dominate in the cyber field. It matches their determination to compete in space.
    Israel and Iran are already engaged in a cyber war. It’s not all out war. Both sides show some restraint in their attacks. It’s almost a digital version of counting coup. Maybe they have evolved into a MAD deterrence for now. However, this high level of constant competition have made both countries major players in cyberwarfare.
    I hope this answered some of your questions. I’m sure I missed something.

  17. Leith and jerseycityjoan,
    That attack on the Oldsmar water plant was potentially devastating, but it ended with no real danger to the public. I chalk that up to resiliency and redundancy. The system was designed so that humans spotted the problem before it could cause real damage and it was easily rectified. I hope the city is now asking themselves whether the plant has to be connected to the internet at all.
    This is a CISA and FBI concern at this point rather than anything CYBERCOM should get involved in, at least for now.

  18. Avatar TonyL says:

    “how computer science or cybernetics was taught in the 80s and 90s in the SU/FSU and Eastern Bloc countries. The first two years of computer programming were taught on a blackboard and was done on the Assembler and machine language level. These students learned to think like a computer chip before they started to program actual computers in Fortran”
    Yes, we did have that same method here in many US Universities and Colleges. At least in California, where I learned how to write self-modifying code in Asembler during my freshman year in the 70’s, and built compilers and neural networks in the 80’s.
    One thing is quite important in my opinion is an in-depth understanding of compilers and operating systems, that we taugh in 2nd and 3rd year Computer Science. Oftenly, the knowledge translated into skills in building viruses, worms, and other malwares.
    However, I do agreed that talented hackers don’t need formal educations.

  19. Avatar Escarlata says:

    Yeah, probably I should have researched better, but, after reading weeks ago a report on most of Biden´s cabinet being populated by people who, in one way or the other were Jews, I assumed, as this is what I have understood is mostly the case in the US altely, they were all dual citizens…
    Anyway, may be the most dangerous from Avril is not whether she is dual citizen or not, now that you say she is not, but what for the population of the US, and the world, means that she took part as “expert” in the Event201 pandemic exercise, in which also participated Bill Gates and Klaus Schwab…
    I have the fatal impression that while we are pushed to believe and prepare tools to combat eventual “cyber” attacks coming from Russia and China, what we are pushed to neglect is the real danger coming from any corner of our own countries on the very real cyberóffensive on attacks on the very human being…
    This is where I spend my time researching instead of Avril´s genetics:
    P.S: se dice querida mía…
    Yo, también te quiero….

  20. Avatar Escarlata says:

    On cybercommands, it´s good to recall history…
    René Carmille, el hacker que saboteó el Holocausto nazi

  21. Avatar Escarlata says:

    Also super interesting, TTG…
    La empresa suiza Terra Quantum AG descubre debilidades que cuestionan la supuesta inviolabilidad de la criptograma cuántica

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.