APPENDIX F – MILITARY TESTIMONIALS
F.1. 3rd Infantry Division (3ID)
Force projection is the movement of personnel and equipment from one location to the next in direct support of defined operational objectives. In the contextual framework of JV, participating members of the cyber community work to enable military commanders to accomplish their objectives while facing numerous cascading obstructions.
As members of the Savannah-area community, 3ID is dependent upon government and private partners in the area to accomplish day-to-day operations and fort-to-port movement. Soldiers and civilians that work on Fort Stewart are also citizens of the Savannah area community. In this way, JV demonstrates that adversarial activities in cyberspace can have impacts across the community and affect operational and strategic objectives. JV contributed to a shared understanding of these dependencies among 3ID and Fort Stewart movement planners and emergency managers.
Broadly, 3ID uses stationary networks on Fort Stewart for day-to-day operations—either strategic networks owned by 7th Signal Command or home-station mission command networks owned by 3ID. 3ID also has deployable network capabilities from the Warfighter Information Network-Tactical line of capabilities. 3ID protects the tactical network with Cyber Network Defense and Network Operations Security Center tools.
The primary lesson 3ID learned in JV is that dependency analysis, also known as cyberspace terrain analysis, leads to better risk awareness. A general dependency analysis helps the division understand how information systems enable it to accomplish its mission and how an adversary might affect that mission. Cyberspace terrain analysis describes the division’s cyberspace terrain with links between information systems, networks, staff processes, and operations. 3ID is incorporating this type of dependency analysis in preparation for Army Warfighter Exercise 21-3.[45]
3ID’s Force Projection Posture: The rest of the discussion uses these four phases of force projection:
Phase 1: Predeployment Activities—Predeployment activities are training, day-to-day operations, equipment staging, and movement coordination.
Phase 2: Fort-to-Port Movement—Fort-to-port movement is the movement of 3ID equipment from Fort Stewart to the port of Savannah and embarkation on vessels.
Phase 3: Port-to-Port Movement—Port-to-port movement is the movement of 3ID equipment from port of Savannah to some distant port.
Phase 4: Port-to-Assembly Area—Port-to-assembly area is the disembarkation and movement to a precombat staging area.
[45] U.S. Army Combined Arms Center, “The Warfighter Exercise” (PowerPoint presentation, Mission Command Training Program Orientation, Fort Leavenworth, Kansas, October 16, 2017), https://usacac.army.mil/sites/default/files/documents/cact/mctp/The%20Warfighter%20Exercise.pdf; and U.S. Army, “America’s First Corps Completes WFX 20-3,” U.S. Army (website), February 13, 2020, https://www.army.mil/article/232744/americas_first_corps_completes_wfx_20_3.
The scope of JV, with respect to 3ID’s mission, is the second phase—the narrow window of an armored brigade combat team’s movement between Fort Stewart and the port of Savannah. 3ID trains and deploys a lethal armor division as part of a joint force. Much of the movement associated with this mission is outsourced to other entities, especially in phases 2 and 3. The division transportation officer and his or her staff coordinate with SDDC and the local Army Field Support Battalion to plan and execute movements. This coordination is largely done using garrison unclassified networks and SDDC’s ICODES. Additional coordination uses unclassified enterprise email and Voice over Internet Protocol.
In a tactical operation, 3ID defends the networks it owns that enable the mission, but phases 2 and 3 are not enabled by 3ID-owned cyberspace. In phase 4 and beyond, 3ID would employ tactical networks that might very well be vulnerable and under threat. 3ID would be responsible for mitigating these risks with assets it owns. 3ID has neither the authority nor the capacity to assist non-3ID entities in cyberspace. In essence, 3ID would be impacted by cyberattacks against civilian infrastructure during phases 2 and 3, but could not directly defend against these types of attacks.
In contrast, in phase 4, 3ID would employ mostly tactical networks in the port-to-assembly area movement and still be quite dependent on civilian infrastructure in friendly terrain. For instance, contracted carriers may be used for some equipment, but that coordination would be much less outsourced (i.e., contracted from the division instead of SDDC). In this case, 3ID would defend its cyber terrain against direct cyberattack while also staying aware of threats against civilian cyber terrain. JV showed 3ID the importance of understanding these sorts of dependencies from a risk analysis perspective.
Adjusting Analysis Frameworks and Other Lessons Learned: The primary lesson 3ID took away from JV is the complexity of dependencies. 3ID’s goal in cyber defense strategy is to develop a prioritized defended asset list and prepare to rapidly assess the impacts of a cyberattack on its mission. 3ID uses three frameworks to describe cyberspace terrain: Joint Publication 3-12 cyberspace layers; Army Doctrine Publication 3-0’s operational framework; and Army Protection Plan, Army Regulation 525-2’s Mission Essential Function (MEF).[46]
Joint Publication 3-12, Cyberspace Operations, describes cyberspace terrain in three layers: (1) the persona layer contains the mission, commander’s guidance, operational lines of operations and effort, and other artifacts that describe the operational framework; (2) the logical layer is the software and protocols that information networks and systems use to communicate; and (3) the physical layer is the set of devices and communication media that make up information networks. Describing the cyberspace terrain at 3ID during a mission means describing the components of the information networks and systems (physical); how they are connected (physical, logical); how they process and pass information (logical); and how personnel and activities use the information to accomplish the mission (persona).
During the JV 3.0 exercise, 3ID found it helpful to use additional frameworks to further describe the cyberspace layers to show how the cyberspace terrain enables and affects the division’s mission. The operational framework, described in ADP 3-0, Unified Land Operations, describes an area of operations with deep, close, support, and consolidation areas; the decisive, shaping, and sustaining operations; and main and supporting efforts. The operational framework is a natural way to describe each layer of cyberspace terrain aligned with the operation, but it has limited ability in prioritizing cyber defense assets.
[46] Joint Chiefs of Staff, Cyberspace Operations, Joint Publication 3-12 (Washington, DC: Joint Chiefs of Staff, February 5, 2013); Department of the Army, Unified Land Operations, Army Doctrine Publication 3-0 (Washington, DC: Department of the Army, October 2017); and Headquarters, Department of the Army, The Army Protection Program, Army Regulation 525-2 (Washington, DC: Headquarters, Department of the Army, December 8, 2014).
The MEF from Army Regulation 525-2, The Army Protection Program, describes generalized activities at the division headquarters. Discretely linking information systems in the logical and physical layers to MEFs enables more intuitive prioritization of defense assets. Prioritizing MEFs also sequences the systems that support them, further supporting a more holistic understanding of how cyberattacks affect a given MEF.
In the JV 3.0 exercise, one such specified MEF for 3ID was “coordinate movement.” Supported information systems included unclassified garrison workstations, networks, and ICODES software. This MEF persisted between all operational phases because the division needed to coordinate its movement throughout the scenario. However, even with “coordinate movement” remaining a priority in phases 1 and 2, these systems were outside 3ID’s defended list. As a result, JV 3.0 demonstrated that an adversary can also effectively impact division MEFs indirectly through cyber avenues of approach.
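The MEF-to-system linking described above can be sketched as a small dependency model. This is an added example, not part of the report or any 3ID tool: the system names and the "coordinate movement" MEF come from the text, while the owners, the second MEF, and all priority numbers are constructed assumptions.

```python
# Constructed model: system names come from the report; owners, the second
# MEF, and all priority numbers are assumptions for illustration.
SYSTEMS = {  # name -> (JP 3-12 layer, defending organization)
    "ICODES software": ("logical", "SDDC"),
    "garrison unclassified network": ("physical", "non-3ID garrison"),
    "garrison workstations": ("physical", "non-3ID garrison"),
    "tactical network": ("physical", "3ID"),
}
MEFS = {  # name -> supporting systems and priority per phase (1 = highest)
    "coordinate movement": {
        "systems": ["garrison workstations", "garrison unclassified network",
                    "ICODES software"],
        "priority": {1: 1, 2: 1, 3: 2, 4: 2},
    },
    "mission command (hypothetical)": {
        "systems": ["tactical network"],
        "priority": {4: 1},
    },
}

def defended_asset_list(phase, defender="3ID"):
    """Defender-owned systems, ordered by the best MEF priority they support."""
    best = {}
    for mef in MEFS.values():
        rank = mef["priority"].get(phase)
        if rank is None:
            continue  # MEF not active in this phase
        for name in mef["systems"]:
            if SYSTEMS[name][1] == defender:
                best[name] = min(rank, best.get(name, rank))
    return [name for _, name in sorted((r, n) for n, r in best.items())]

def indirect_exposure(phase, defender="3ID"):
    """Active MEFs that rest on systems the defender does not own."""
    exposure = {}
    for mef_name, mef in MEFS.items():
        external = sorted(n for n in mef["systems"] if SYSTEMS[n][1] != defender)
        if phase in mef["priority"] and external:
            exposure[mef_name] = external
    return exposure

def impacted_mefs(system, phase):
    """Rapid impact assessment: MEFs degraded if `system` is hit, by priority."""
    hits = [(m["priority"][phase], name) for name, m in MEFS.items()
            if phase in m["priority"] and system in m["systems"]]
    return [name for _, name in sorted(hits)]
```

For phase 2 the defended asset list is empty while `indirect_exposure(2)` still reports "coordinate movement", which is the gap the exercise surfaced: a priority MEF resting entirely on systems the division cannot defend.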
F.2. Military Surface Deployment and Distribution Command (SDDC)
For SDDC and United States Transportation Command (USTRANSCOM), force projection is integral to global port readiness. The command’s support to surface force projection is its ability to project power anywhere in the world.
This power projection starts in the continental United States and depends on traditional transportation methods that connect ports and strategic locations. It is a large system that relies significantly upon the support of its local partners.
To assess readiness, USTRANSCOM reviews its capacity to manage power competition and the cargo demands and access vulnerabilities that its most strategic ports face. Most recently, this review of the United States’ force projection includes cyber activity that could limit the country’s ability to operate. With a congested cyberspace domain, adversaries frequently attempt to degrade U.S. force projection, making cyber missions a top priority. USTRANSCOM drafted a Cyber Domain Mission Assurance Strategy to outline its actions to increase cybersecurity and incorporate cyber protection in its force projection goals and objectives. This directly helps its Joint Deployment and Distribution Enterprise mission,[47] which ensures USTRANSCOM’s ability to expand its use of seaports in the United States and abroad.
To align with USTRANSCOM’s cyber domain mission assurance strategy and Joint Deployment and Distribution Enterprise, SDDC’s strategic readiness for port diversification includes maintaining global deployment networks, mobility capacity, and the global command and control necessary to respond immediately with forces. SDDC assesses its strategic readiness by identifying and using mission-critical seaports for brigade-sized deployments in preparation for large-scale combat operations around the world. Exercising this domain across all combatant commands allows SDDC to practice its ability to swiftly dispatch forces anywhere in the world and establishes relationships with allies and partners well before a crisis. JV provided an opportunity to put pressure on SDDC’s systems and readiness.
[47] Joint Chiefs of Staff, Distribution Operations, Joint Publication 4-09 (Washington, DC: Joint Chiefs of Staff, February 5, 2010).
SDDC Force Projection during JV 3.0
During the exercises, SDDC’s Surface Operations Center was in charge of managing force projection for the port/port operations and federal sectors during JV. At the beginning of the exercise, the scenario involved aggressive actions taken by a geopolitical adversary of the United States. To respond to these actions, the U.S. government ordered deployment of brigade combat teams to Europe and sent combat troops, defense systems, and other equipment to support U.S. allies abroad. Then, SDDC began its involvement, starting with coordination to move vehicles and equipment from the local forts to ports in Charleston and Savannah. The Surface Operations Center battle captain led the team as they monitored all major departing and arriving cargo movements at every port.
SDDC’s global network capabilities were tested heavily during the exercises, with Emotet-infected ship cargo manifests, malfunctioning major rail switching stations, and rampant phishing attempts. For example, during turn 4, SDDC’s ICODES system was glitching, showing inaccurate manifests. In this scenario, SDDC recommended contacting the ICODES program manager to determine whether the system is affected at the host location and alert the ICODES team to begin solving the corruption problem with ICODES and other utility OT systems. In the meantime, SDDC started to track cargo manually.
SDDC’s most pertinent recommendation throughout both Savannah and Charleston’s exercises was to change locations for rapid deployment of equipment and move all cargo and port operations to another port. In particular, during the turn 7 inject, trucks began to stop of their own volition, interstates were being shut down, and Port Authorities had suspended port operations along the Eastern Seaboard because of cyberattacks. During the turn 7 scenario, SDDC stated that, if necessary, it would deploy reserve components and work with state authorities and the National Guard to use rapid port opening elements, transportation units, and wrecker and maintenance units for stranded cargo loads. In addition, SDDC reserve components would provide support measures to help move cargo from the interstate to the port using commercial trailers or otherwise transload all cargo. SDDC would communicate with the 597th and 598th Transportation Brigades, the Joint Chiefs of Staff’s Director for Operations, and other receiving units to provide cargo status updates and any delays.
Lessons Learned from JV 3.0
Through completing the JV exercise, the battle captain gained a greater awareness of the effects that cyber incidents have on one port. SDDC also determined that the most successful incident responses resulted from each sector having prepared emergency response protocols outlined for most of the situations that occurred during the exercise and instances in which coordination between the different sectors and agencies had been developed prior to the exercise. Essentially, a whole-of-community approach among all sectors becomes critical in situations like those in JV.
The battalion commander also suggested adding JV to the SDDC commander’s course. The battalion commander said an exercise like JV would add value for the leaders of transportation brigades, bring awareness to important port assets, and provide specific challenges that are not addressed in other brigade commander training courses.
Also, more exercises like JV will allow SDDC to analyze further the impact of a cyberattack against critical force projection infrastructure and test the strength of its cyber incident response plan. With SDDC having recently migrated 100 percent of its surface transportation business systems into its cloud system, digital modernization and cyber mission assurance have become more important than ever in SDDC’s mission, port diversification efforts, and force projection readiness.
Other findings by SDDC included the following:
Rail
» For rail input, SDDC used four trains with 50 cars per train totaling 600 pieces delivered over a period of 1 week.
» Only 2 days’ worth of data were analyzed, so two trains that were notionally scheduled over the 2 days of JV exercises were projected to deliver 240 pieces. One train being delayed or stopped prevented 120 pieces of cargo from making it to the port.
Commercial line haul
» One hundred to 150 trucks that were notionally scheduled over the Defender 2020 exercise were divided to meet the 2-day JV exercise scenario, so 20 trucks a day being delayed or stopped prevented 100 pieces of cargo from making it to the port.
Military convoy
» The military convoy from Fort Stewart consisted of 20 serials / 1,200 pieces, roughly equaling 60 pieces per serial. This would result in 60 pieces of cargo being delayed or stopped on its way to the port.
Summary of impacts
» Two hundred eighty pieces would have been delayed, stopped, or not made it to the port over the 2-day period. In addition, two trains and an unknown number of military convoys would have been stopped, and several line haul moves would have occurred.