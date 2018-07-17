The increasingly sharpened focus on cyber-warfare capabilities across the world’s militaries underlines that the sector is important – and that both defense departments and political leaders are willing to allocate significant resources to the sector. But one area where there still seems to be a gap between reality and institutional understanding is that of cyber training.

The U.S. defense department’s chief weapons tester, the Director of Operational Test and Evaluation, has consistently warned of the problems the U.S. military may be creating for itself by its inability to include realistic and representative cyberattacks as part of large combined exercises. It is understandable why these do not generally happen: commanders tasked with running a weeks-long exercise involving hundreds of personnel will be reluctant to find that the comms network goes down on the morning of the first day after the cyber red team carries out a successful attack.

As a result, military cyber exercises today tend to involve cyber warriors only. But a failure to train the whole force will lead to inadequate preparation for a future conflict, in which adversaries are certain to deploy cyber effects – which can cause significant impact for minimal risk and cost – often and early.

“We need to be looking at combined operations that include cyber and physical, and we need to be looking at training environments that do it all,” says Martin Hill. “We need to make sure we don’t do it with the cyber stuff happening over here and the physical stuff happening over there and some of the people talking to each other occasionally. It needs to be part of a combined, planned operation, so that you know what you’re defending against and what the risks are.”

Hill is a corporal in the UK Army reserves and has been an intelligence analyst within the British military for eight years. In civilian life he works as an information-systems architect, so is well placed to analyze the structures that militaries need to put in place if they are to be able to train in cyber defense effectively.

“You need to know what your weak spots are, so you can allocate resources – whether it’s to the PR end of things, or whether it’s the cyberattacks that need to go alongside your physical attacks,” he said during a panel discussion at the military training and simulation conference, ITEC, held in May in Stuttgart. “That’s going to require the right kind of training beforehand, so that we build the right vocabularies – because people who work with maps don’t work very well with cyber; people who work in cyber don’t work very well with maps. There’s all kinds of sorts of things that we need to thrash out, but we don’t have very much time – because lots of nations and groups are already doing this very well. And this is something we’re quite far behind on.”

The U.S. Army is looking to address this through a project being run by its Program Executive Office for Simulation, Training and Instrumentation. Initial contracts for prototype components of an overarching system – the Persistent Cyber Training Environment (PCTE) – were awarded in January, though a complete solution is still some way off.

“You’ve got to train like you fight, and in cyber it’s really hard,” Bruce Caulkins, a former U.S. Army colonel who is now program director for modeling and simulation of behavioral cybersecurity at the University of Central Florida, told the same ITEC audience. “Things like the PCTE will be important, because it means you’ll be able to have an always-on cyber-training environment.”

Industry has a role to play in conceptualizing and delivering appropriate solutions. Part of the problem may be that established providers of military training will need time to reconfigure themselves to provide this – be that by partnering with IT companies to acquire specialist cyber skills, or simply in understanding how their military customers wish to operate in what remains a new and somewhat confusing domain.

“Training cyber professionals to enable them to fight the cyber war means you’re taking network engineers and training them to think like analysts, and having analysts think more like network engineers,” says Gene Colabatistto, president of training specialist CAE’s defense and security division. “At the moment, we don’t do that. We are looking, as part of our business, and in particular as a training company, at the cyber environment as another domain we would like to actually be training operators in – but we don’t do that today.”