Give a Cyber Edge to the Warfighters

By Captain Ramberto Torruella, U.S. Navy

The Japanese task force surprised two separate groups of Allied cruisers—sinking three and damaging a fourth so heavily that she later had to be scuttled. More than 1,000 sailors lost their lives—so much for the advantage of having radar.3

Just two months later, however, Rear Admiral Norman Scott’s task force mauled a similarly sized Japanese force during the second round of surface action around Savo Island. What made the difference? Scott’s fighting spirit and command ability molded a cohesive fighting force. Scott drilled his ships in using radar to fix the enemy and accurately direct gunfire. More important, he developed an effective tactical doctrine that gave his commanders the freedom to use their radars to pursue individual targets. His commanders developed methods to gather and disseminate radar information from across the force to create a shared situational awareness. In short, Scott established a command-and-control doctrine that took advantage of the new technology and gave his force a tactical edge.4

And Then There Was CWC

The Navy learned its lessons well from the actions around Savo. Not long after the campaign, operations research analysts determined that the ships that performed the best in the Solomon’s Campaign were those that successfully merged information from their radar, navigation, and gunfire plots.5 By 1943, the combat information center (CIC) was born. Tested successfully during the Gilbert Islands Campaign, the concept became the standard around the fleet, with ships of all classes being retrofitted or designed with spaces for a CIC. 6,7 By 1945, at Okinawa, when the Imperial Japanese Navy threw hundreds of suicide planes at the ships supporting the campaign, CICs allowed ships to fight off the kamikazes, direct aircraft strikes ashore, and coordinate naval gunfire support.8

By the early 1970s, ship CICs could handle even more information. Ships became multi-mission platforms no longer built for a single purpose. Ship and task force commanders had several warfare priorities competing for their attention. Enter the composite warfare commander (CWC) concept championed by Admiral Thomas Hayward.9 The CWC concept allows a commander to simultaneously coordinate the actions in time and space of many competing missions by giving designated authorities to mini warlords called warfare commanders. The officer in tactical command (OTC) sets mission priorities and designates rules of engagement, but the warfare commanders generally have the authority to conduct the day-to-day warfighting business. The OTC can limit action either through a veto (command by negation) or through direct control.

The implementation of CICs brought disparate ship inputs together to create a more effective situational awareness for the ship’s commander. The CWC allowed multiple ships to synchronize multiple effects in time and space to achieve a task force commander’s objectives. Both innovations contributed greatly to the way the Navy fights today.

What do the operational forces want the cyber community to do for them? It is not hard to see similarities between the current use of cyberspace and the employment of shipboard radars early in World War II. At the beginning of the war, few commanders understood how to employ radar in combat. Today, few commanders understand cyberspace effects and how they can be used tactically. Radar did not become effective until after the development of the CIC—a place to fuse information into a coherent picture that enhanced situational awareness and command and control. The hard-learned lessons from Savo Island have not yet been realized in cyberspace, where situational awareness is ad hoc. Finally, the CWC concept made use of CICs by giving warfare commanders specified authorities to engage an enemy without direct control from the OTC.

Today, command and control in cyberspace is centralized under Commander, 10th Fleet—far different from the other numbered fleet commanders. While 10th Fleet units have a supporting relationship to the other numbered fleets, only the network operations units are co-located with the numbered fleets. Even more concerning, units tasked with cyberspace defense share their responsibilities across two or more cyber task forces. Imagine the antiair warfare commander sharing undersea warfare responsibilities with the sea combat commander. From the numbered fleets’ perspectives, the cyberspace chain of command can seem murky and remote. A reasonable question for the other numbered fleet commanders to ask would be, “Is this the command-and-control relationship that will help me defeat a peer adversary?”

Can the lessons from Savo Island be applied to the cyber community? Can the Navy build a good, clear command-and-control structure that allows operational commanders to synchronize effects in cyberspace with operations in the physical domain?

How Did We Get Here?

When 10th Fleet was organized, it brought together many types of units from across the information warfare domain, often ingesting command-and-control processes that developed over decades. The 10th Fleet arranged these units into standing forces organized along five broad categories: network operations and defense, information operations, service cryptologic component operations, fleet and theater operations, and research and development (see Figure 1).10 Units brought into the network operations and defense category evolved their command-and-control arrangements under two critical environmental pressures: the need to be efficient and the need to keep secrets.

Network operations, known doctrinally as Department of Defense information network (DODIN) operations, grew out of the hundreds of individual networks operated by the Navy in the late 1990s. At that time it was nearly impossible for the Navy to determine how much it spent on information technology because each network had its own support staff and budget, and each network owner tracked expenditures under different budget lines.11 In addition, there was little compatibility across different networks, limited ability to collaborate, inconsistent logistical support, inconsistent security architectures, and—with nearly 1,000 independent gateways—no way to monitor the health and security of the network enterprise. The upside of this “wild west” of network environments was that local commanders had a great deal of flexibility about how to employ their networks, but the costs to the Navy in time, energy, and resources were significant.12

Beginning in the year 2000 with the creation of the Navy Marine Corps Intranet (NMCI), the Navy started consolidating its networks into a small number of core enterprise intranets. While initial implementation was fraught with problems and growing pains, execution improved over time. Control of network operations moved from individual local network providers to regionally operated network operations centers (NOCs) located at either a Naval Computer & Telecommunications Area Master Station (NCTAMS) or at one of the smaller Naval Computer and Telecommunications Stations (NCTS) supporting the numbered fleet commanders. The effort was successful in driving down costs and improving security and interoperability, but came at the cost of local flexibility and centralized control.

Network defense, also known doctrinally as defensive cyberspace operations (DCO), started with a five-person Navy Computer Incident Response Team (NAVCIRT) in the Information Warfare Defensive Division of the Fleet Information Warfare Center (FIWC) in October 1995.13 By 2003, it had grown to 250 personnel and had become the operations department of FIWC. In 2006, NAVCIRT separated from FIWC and became the Navy Cyber Defense Operations Command (NCDOC) under the Network Warfare Command.14 While this command has grown more than tenfold, it remains small relative to its responsibility to monitor the network defense of the entire Navy enterprise. To do this, NCDOC installs and maintains the Navy’s network sensor grid but farms out the data analysis to the Navy Information Operations Commands that perform other types of communications intelligence operations in support of the numbered fleets. In short, NCDOC runs the sensor grid while fleet NIOCs read the alerts.

Cyber protection teams (CPTs) support network defense for internal defensive measures, and national mission teams (NMTs) provide response actions—both are controlled centrally by Commander, 10th Fleet.15 The 10th Fleet also has control over the Navy’s cyber mission teams that conduct offensive cyberspace operations (OCO) and project power in and through cyberspace. OCO grew up in the shadowy world of communications intelligence, where every tool used to listen to adversaries’ communications and learn about their operations is considered a trade secret—including the tools used to infiltrate and exploit an adversary’s network. These sources and methods are held close to stay viable for as long as possible.

The 10th Fleet has organized all these forces into standing task forces: the 1010 task forces (NCTAMS and NCTS units) conduct network operations; the 1020 task forces (NCDOC) monitor the networks for attack; and the 1040, 1050, 1060, 1070, and 1080 task forces (NIOCs) analyze the data. This schema works because of the hard work and professionalism of the people supporting those commands, but there are inherent weaknesses. First, with responsibilities spread across four different organizations (NCDOC, NIOC, CPT, and NMT), the command-and-control structure for cyberspace defense seems unclear, at least from other numbered fleet commanders’ perspectives. Most cyberspace defensive units are located remotely from the numbered fleets they support and from the network operation centers. Numbered fleets have no control over their own networks, even those of their afloat units.

There are many reasons to be worried about who controls a network. If the priorities of the supported commander come into conflict with the priorities of the operational commander, the operational commander will win. From the 10th Fleet’s point of view, this makes sense—to protect the rest of the Navy’s and DoD’s networks, it may be necessary to take action on a fleet commander’s network that will put that commander’s network connectivity at risk. Navy and DoD networks are globally interconnected after all, and risks on one are a risk to all. The concern is that a numbered fleet commander will have operations in the physical domains that rely on network connectivity. Cutting off connectivity may put lives and missions at risk. Another concern is that analysis and control are now geographically separated from the scene of the action. Will the Navy be able to maintain control as an adversary begins to interdict communications? What efficiencies does the Navy lose by not having all defensive cyberspace operations collocated in the same region? Do the lessons of Savo need to be learned again?


CWC in Cyberspace

There is no panacea, but one possible solution to address these concerns would be to operationalize cyberspace command and control along lines similar to the CWC concept. An NCTS or NCTAMS commander could be placed under tactical control of a numbered fleet commander as an information warfare (IW) task force commander, with specified authorities for action on the network—in defense of it and perhaps even with limited authorities to counterattack adversaries on or through the network. An IW task force would subsume an NCTS command, and would have to be enlarged to include the network-monitoring and analysis tasks currently performed by NCDOC and the associated NIOCs. The IW task force would remain under operational control of the 10th Fleet, but would take day-to-day direction for network operations and defense from the numbered fleet commander—just like any other task force—and would coordinate offensive actions in conjunction with the geographic combatant command’s cyber center.

The numbered fleets would have to establish a fleet cyber center (FCC) to coordinate and control cyberspace operations in their regions. The director of communications (N6), director of information warfare (N39), and the joint interface control officer (JICO) could merge to be a part of the FCC or become subordinate to it. In some fleets, the IW task force commander and the FCC director may be the same person operating two staffs.

Give the Fleet What It Wants

The Navy needs a cyber community that gives warfighters a tactical edge—not just with high-tech tools and cyber effects, but with an effective command-and-control structure to deliver effects synchronized in time and space with kinetic effects in the physical domains. The Navy needs network operators who understand their environment, network defenders who are free to maneuver the network without permission from a remote commander, and network attackers who understand how their operations may impact operations in the physical domain or blow back in the cyberspace domain. Delivering this tactical edge can occur only if cyberspace command and control is closely aligned with operational commanders, pushed down to the lowest possible level, with the appropriate designated authorities, to allow fleet commanders to synchronize operations in the cyber and physical domains. In short, the lessons of Savo Island must be applied to cyberspace.

Editor’s Note: This essay won second prize in the 2017 USNI Cyber Essay Contest, sponsored with DXC Technology.

. K. T. Compton, “Mission to Tokyo,” The Technology Review, vol. 48, no. 2 (1945), 45.

2. J. D. Hornfischer, Neptune’s Inferno: The U.S. Navy at Guadalcanal (New York: Bantam Books, 2012), 63.

3. Ibid., 89.

4. Ibid., 135–144).

5. Department of the Navy, Naval History and Heritage Command, “ CIC (Combat Information Center) Yesterday and Today ."

6. S. C. Tucker, World War II at Sea: An Encyclopedia, (Santa Barbara: ABC-CLIO, 2011), 667.

7. L. D. Woods, A History of Tactical Communications Techniques, (Orlando, FL: Martin-Marietta, 1965).

8. Tucker, World War II at Sea, 667.

9. T. Pierce, Warfighting and Disruptive Technologies: Disguising Innovation, (London: Routeledge, 2004), Section 18.

10. U.S. Tenth Fleet Standing Forces .

11. K. L. Jordan, The NMCI Experience and Lessons Learned: The Consolidation of Networks by Outsourcing, (Washington, DC: Center for Technology and National Security Policy, 2007), 2.

12. Ibid.

13. Navy Cyber Defense Operations Command Public Affairs, “Navy Cyber Defense Operations Command Celebrates Past, Present, Future,” .

14. Ibid.

15. B. T. Williams, “The Joint Force Commander’s Guide to Cyberspace Operations,” Joint Forces Quarterly, 2nd Quarter 2014 (73), 12–19.

Captain Torruella is the Director of Command, Control, Communications, Computers and Network Operations for Commander, Naval Forces Europe, Naval Forces Africa, and Sixth Fleet. He enlisted in the Navy in 1986 and graduated from the U.S. Naval Academy in 1992. He served as a submarine officer until 2005, when he transitioned to the Information Professional community.





Conferences and Events

WEST 2019

Wed, 2019-02-13 - Fri, 2019-02-15

Sharpening the Competitive Edge: Are We Ready to Compete, Deter, and Win Globally? Wednesday, 13 February - Friday, 15 February...

2019 U.S. Naval Institute Member Event

Why Become a Member of the U.S. Naval Institute?

As an independent forum for over 140 years, the Naval Institute has been nurturing creative thinkers who responsibly raise their voices on matters relating to national defense.

Become a Member Renew Membership