Table of Contents

History
STRATCOM Commanders
JTF-CND/CNO/GNO Commanders
JTF Deputy Commanders
JMUAs
Rowlett Awards
Omaha Trophy

JTF-GNO History - The Early Years of Cyber Defense

One of the advantages of today’s growing technology is the ability to use computer networks to command, coordinate, and control a majority of the information needed to conduct military operations. However, with the increased use and dependence on computer technology to access this information, it has become essential to ensure the security of the information stored on these networks. Otherwise, those looking to disrupt public and private interests would have the power to do so by invading the systems, affecting their use, or causing damage by copying, destroying or changing vital information. With this in mind, the Secretary of Defense sought a way to “…coordinate and direct the defense of DoD computer systems and computer networks…in conjunction with the Combatant Commands, Services, and Agencies (CC/S/A).”

The realization of the necessity of such an organization came as a result of exercises and real world events in 1997 and 1998. Exercise ELIGIBLE RECEIVER, which simulated an attack on the defense information infrastructure by agents from the National Security Agency (NSA) in June 1997, pointed out two key points. First, it demonstrated the vulnerabilities in the DoD network, and second, it showed that no one was in charge of defending the department’s networks. Therefore, in October 1997, President Clinton issued Presidential Decision Directive 63, which made infrastructure protection a national security priority and tasked DoD to develop a compliance plan.

A second event demonstrating the need for action occurred in February 1998 when a real-world attack was made on DoD systems. This incident not only demonstrated the vulnerability of the DoD’s networks, it further illustrated what had already been demonstrated during Exercise ELIGIBLE RECEIVER: the troubling fact that once again no one took charge.

The creation of a Joint Task Force was not the only possible solution; the Defense Information Systems Agency (DISA) or one of the Combatant Commands (COCOMs) could assume this mission. However, each of these solutions had drawbacks that a Joint Task Force would not. The problem with DISA assuming the role of defense of the DoD network was its limited influence over the various commands. As an agency, it did not fit into the chain of command and left the problem of who was in charge and responsible for making decisions. The problem with assigning the mission to a COCOM was determining which COCOM could best assume that responsibility. Because of the time necessary to resolve the many issues, the Secretary of Defense created a temporary solution.

On 23 July 1998, the Joint Chiefs of Staff’s “tank” directed that a Joint Task Force for Computer Network Defense (CND) be established. By creating the JTF-CND, the Joint Chiefs established an organizational structure with principles consistent with “Joint” doctrine. Additionally, the JTF construct provided authorities for unified action as well as an operational chain of command. Most of all, it was an answer to the question of “Who’s in charge?” Like all JTFs, it would have a specific mission with limited objectives. However, it was clear that sooner or later a more permanent organization would need to be established and placed under the command of one of the COCOMs.

Once the decision was made to create the JTF-CND, it was necessary to decide where to establish it and do so as quickly as possible. On 11 August 1998, it was announced the JTF-CND would stand up in the Washington DC area and be a component of DISA. This was done mainly due to the established resources available through DISA, that included its 24/7 Global Operations and Security Center (GOSC). Additionally, by creating the JTF-CND within the vicinity of Washington DC, it provided access to key leadership and also made it easier to coordinate with various agencies, including the Defense Intelligence Agency (DIA), National Infrastructure Protection Center (NIPC), and National Security Agency (NSA). Quickly a working group was formed in order to begin the development of a charter, a Concept of Operations (CONOPS), and Program Budget Decision (PBD). Once approved, the funding and staffing for the JTF-CND could begin. The working group developed 11 mission organizational functions and established that the staff would consist of 24 people according to traditional joint staff elements (J1 – J8).

Perhaps the biggest challenge laid out for the working group was to develop an approved CONOPS for how the JTF-CND would conduct its mission. This was especially difficult because the JTF-CND would be performing a unique mission to DoD which did not fall under any of the traditional “Joint” doctrine plans. Additionally, since the JTF-CND would report directly to the Joint Chiefs and then the Secretary of Defense, it lacked the structure typical of organizations underneath COCOMs or Agencies. Yet despite those difficulties and others, both the CONOPS and the JTF-CND Charter were approved by the Secretary of Defense on 4 December 1998, and the infant organization began to take shape.

JTF-CND (COMPUTER NETWORK DEFENSE) January 1999 – October 2000

Once the charter was signed, Major General John Campbell, USAF, was assigned as the first Commander JTF-CND. He immediately began staffing with personnel from the various Services and agencies while establishing Tactics, Techniques, and Procedures (TTPs). This was done using the limited people assigned who were at the same time performing the daily mission of defending the Department’s computer network systems.

The JTF-CND officially began operations on 30 December 1998, one day ahead of the pre-determined IOC date and 30 days after the Charter was signed by the SECDEF. Its first action was to send a message throughout the DOD network declaring its mission and goals. From this point on, there would always be someone in charge of defending the DoD networks. For the next 10 months the fledgling organization went about the tasks of CONOPS development and establishing its battle rhythm. On 1 October 1999 the JTF-CND attained FOC. Utilizing members from active duty military, reserves, and other agencies, the JTF-CND became more and more engaged in defending the Department’s computer networks. Besides conducting 24/7 watch operations, the JTF-CND had a strong intelligence group, and led the Department in preparation for any Year Two Thousand (Y2K) problems that might occur at the turn of the millennium.

Also in October 1999, JTF-CND was placed under the command of USSPACECOM. Although SPACECOM is headquartered in Colorado Springs, the JTF-CND stayed in Washington, DC where it worked in coordination with DISA monitoring and defending the DOD network. During this period, in addition to monitoring Y2K preparation activities, the JTF-CND conducted elevated network defense during U.S. participation in NATO’s Balkan operations and hacking attempts originating within the areas of China, Russia, India, Pakistan, Israel, and Palestine. In mid-2000, command of the JTF-CND passed to MG J. David Bryan, USA, who also became Vice Director of DISA.

JTF-CNO (COMPUTER NETWORK OPERATIONS) October 2000 – June 2004

In the early months of 2000, SecDef decided to combine the Computer Network Attack (CNA) mission with the Computer Network Defense (CND) mission and rename the JTF-CND to JTF-CNO (Computer Network Operations) effective on 1 April, 2001. Under this new mandate, JTF-CNO immediately began efforts to operationalize the mission space throughout DoD, while providing direct support to all the COCOM Commanders. JTF-CNO became the lead organization for Net Defense and developed critical CNA concepts including command and control for CNA, authority to execute CNA, and cyber tool weaponization. An early challenge for the JTF-CNO dealt with increasing awareness throughout DoD of the promises and pitfalls of computer network attack. Meanwhile, JTF-CNO also provided direct support to over 15 exercises and real world operations conducted by the various Combatant Commands. JTF-CNO’s proactive leadership and guidance in the CNA warfare area during those early years resulted in dramatic progress towards DoD’s ability to fully integrate CNA and Information Operations into its overall

the Federal Computer Incident Response Center (FedCIRC), the National Communication System (NCS), and numerous private sector organizations.

Intelligence was recognized as a critical component of the Task Force’s mission success during this period. This rapidly maturing component of the command dramatically expanded from one of narrowly focused intelligence research that supported computer network defensive operations to a dynamic time-sensitive mission encompassing support to both computer network defense and computer network attack. It was during this period that a 24/7 intelligence watch was added to the watch floor to provide real-time intelligence and threat analysis. These watch-standers assumed new responsibilities for computer network intrusion indicators and attempt warnings as an Associate Member of the Defense Intelligence Warning System. This expanded the JTF’s reporting mission to include time-sensitive reporting of foreign threats to DoD’s computer systems. JTF-CNO also facilitated the development of partnerships with the National Intelligence Community agencies, enabling unprecedented sharing of computer network technical intelligence, and provided an integrated intelligence analysis and target development capability for CNA planning in support of COCOM Operations.

Once again the command grappled with the development of an expanded CONOPS for Computer Network Operations (CNO).