The Army continues to build the role and capabilities of its defensive-focused cyber operations teams with a greater focus on combating adversarial network infiltration in real-time with new mobile kits.

Lt. Gen. Paul Nakasone, commander of Army Cyber Command, views his defense operations-focused Cyber Protection Brigade as critical to protecting the network against intrusions. He pointed to the 20 sub-unit Cyber Protection Teams (CPTs) as the frontline for utilizing the latest capabilities to carry out threat-specific operations.

AUSA 17 media roundtable with commander of Army Cyber Command LTG. Paul Nakasone and cyber operations forces. Photo: Matthew Beinart.

“If you’re going to say what’s different about a Cyber Protection Team, at the end of the day they hunt for adversaries. They are looking for someone that does not want to be found in our network. That’s a core skill that we train in our Cyber Protection Teams,” said Nakasone during a media roundtable event at the Association of the United States Army conference Wednesday.

The Army has 20 CPTs, consisting of 80 percent military and 20 percent civilian personnel. Plans are in place for 21 reserve CPTs, eleven in the National Guard and 10 in the Army Reserve, according to Nakasone.

Maj. Josh Rykowski leads one of the Army network-focused CPTs, and views his team’s defensive efforts as a non-stop mission.

“The adversary is out there. There’s definitely a wide range of missions for us to conduct,” said Rykowski.

Army CPTs pointed to their mobile network defense kits as the key tool for adaptive network protection efforts following the mission analysis period. Prior to reaching a command post or Army unit, Rykowski’s team can reconfigure elements of its mobile kit to best separate out and defend against affected components of the network.

“We can set those capabilities up ahead of time, so we can hit the ground running,” said Rykowski. “We always go into a mission with the mindset that the network has been exploited in some type of fashion, and so it’s not safe to operate on there. While we do connect our kit directly to the network, we have defenses within the kit to be able to go ahead and ensure that we are solid and don’t get exploited if the adversary is still in the network.”

CPTs utilize network assessment and host forensics equipment to identify network vulnerabilities, and deploy kit servers outfitted with sensors to defend against adversary activity.

“We help units analyze anomalous behaviors on the networks to understand what is going wrong and if it’s misconfiguration or a specific threat that we’re hunting for,” Sean Eyre, the network defense lead for Rykowski’s CPT, said during the roundtable.

The defense kits are standardized across Army Cyber Command, and utilize server stacks to provide significant storage capacity and substantial computing power.

Nakasone also praised his command’s Military Intelligence Brigade’s work in developing Army components’ ability to make more informed decisions on how to protect their area of the network.

Army cyber efforts remain focused on early detection of threats and established relationships with commanders through training to foster greater communication on cyber mission sets, according to 1st Lt. Alvaro Luna, a cyber operator with the 780th Military Intelligence Brigade.

“The one thing we found critically essential is the early integration,” Luna said. “So 180 days before we even do training, the planner primarily integrates with that commander. They handle the staff, they group the decision-making process. In that first initial sit-down, they kind of understand what we can do. Then the second time we go out and we do another exercise with them that’s actually on their territory, and from there they can actually see the effects that we do.”