Vice Admiral Marshall Lytle, Director, Command, Control, Communications and Computer/Cyber, Joint Staff, "Statement before Senate Armed Services Subcommittee on Cybersecurity," May 23, 2017.
National Security Archive
Vice Admiral Lytze’s 2017 Senate briefing reveals how the Pentagon turned cyber from a patch‑and‑pray problem into a structured warfighting domain.
Source: Vice Admiral Marshall Lytle, Director, Command, Control, Communications and Computer/Cyber, Joint Staff, "Statement before Senate Armed Services Subcommittee on Cybersecurity," May 23, 2017. Date: May 23, 2017 Archive: Senate Armed Services Committee.
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Joint Staff Briefing at a Turning Point
Vice Admiral Marshall Lytle’s May 23, 2017 appearance before the Senate Armed Services Subcommittee on Cybersecurity was not a routine testimony; it was the first high‑level, unclassified accounting of the Department of Defense’s newly‑codified cyber warfighting structure. The hearing took place just months after the 2016 presidential election and amid a wave of public alarm over Russian‑linked cyber intrusions, the WannaCry ransomware outbreak, and the Pentagon’s own admission that its networks were “highly vulnerable.” In that climate, lawmakers demanded a clear picture of how the military intended to move from a patch‑and‑pray posture to a disciplined, domain‑focused force.
Lytle, as director of the Joint Staff’s Command, Control, Communications, and Computers/Cyber (C4/Cyber) directorate, was the senior military official charged with translating the National Defense Strategy’s call to treat cyberspace as an operational domain into concrete organization, training, and resourcing decisions. His statement therefore serves as a snapshot of the institutional response to a strategic shift that began in 2011, when Secretary of Defense Robert Gates declared cyberspace a distinct warfighting domain. By 2017 the Department had built the Cyber Mission Force (CMF), a 133‑team “maneuver force” under U.S. Cyber Command, and was embedding “fixed force defenders” across service networks. Lytle’s testimony outlines three missions—defend DoD networks, defend the nation on a case‑by‑case basis, and support combat operations—mirroring the tripartite framework of the National Defense Strategy.
From Strategy to Structure
The document reveals how the Joint Staff positioned itself as the nexus between policy and execution. Lytle repeatedly emphasizes coordination with the Principal Cyber Advisor, the Office of the Secretary of Defense, and the combatant commands, underscoring a newly‑layered bureaucracy designed to prevent the stovepiping that had hampered earlier cyber initiatives. His reference to “readiness tracking of joint cyber forces” signals the first systematic effort to apply traditional force‑generation metrics—manpower, training cycles, equipment readiness—to a domain previously measured in ad‑hoc incident response.
What the testimony does not spell out, because of classification, is the size and scope of the offensive toolkit. The brief acknowledgment that “offensive components are important and are coupled with our defensive forces” hints at the burgeoning integration of kinetic and non‑kinetic effects that would later define operations such as the 2018 “Operation Glowing Symphony” against Iranian missile networks. The omission is itself telling: by 2017 the administration was already wary of public scrutiny over cyber strikes, a concern that would shape the Pentagon’s later “cyber attribution” policies.
Actors and Implications
Beyond Lytze, the hearing featured Chairman Sen. John Rounds and Ranking Member Sen. Bill Nelson, both veterans of the post‑9/11 security overhaul. Their questions—focused on manpower, training pipelines, and inter‑agency coordination—reflected congressional anxiety that the DoD’s cyber ambitions might outpace its ability to recruit and retain technically skilled personnel. Lytze’s answers, stressing the CMF’s growth and the establishment of tiered defenses such as the Joint Regional Security Stacks, reveal a confidence that the Joint Staff could now “secure networks against attack and recover quickly.”
The broader episode belongs to the early‑stage institutionalization of cyber power in the United States. The 2017 hearing cemented the Joint Staff’s role as the architect of a unified cyber command structure, a role that would later be formalized in the 2018 National Defense Authorization Act’s creation of the U.S. Cyber Command as a unified combatant command. The testimony also foreshadows the 2020‑2021 push to integrate cyber forces directly into joint planning cycles, a shift that has since altered how the services allocate budget to cyber talent versus traditional platforms.
Legacy
Lytze’s statement is a primary source that bridges policy rhetoric and operational reality. It confirms that by mid‑2017 the DoD had moved beyond ad‑hoc cyber response teams to a layered force architecture—fixed defenders, a maneuver CMF, and a defense‑in‑depth network stack—aligned with the three missions articulated in the National Defense Strategy. The emphasis on “defensible cyber terrain” anticipates today’s focus on supply‑chain security and zero‑trust architectures. Moreover, the testimony’s careful avoidance of offensive details underscores a long‑standing tension between transparency and strategic secrecy that continues to shape congressional oversight of cyber operations.
In sum, Vice Admiral Lytze’s 2017 briefing is more than a procedural record; it is a window onto the moment the United States formally embraced cyber as a warfighting domain, set up the bureaucratic scaffolding to support it, and began wrestling with the political implications of a force capable of both defending the nation and projecting power across the digital battlefield.
1 STATEMENT OF 2 VICE ADMIRAL MARSHALL LYTLE 3 DIRECTOR COMMAND, CONTROL, COMMUNICATIONS 4 AND COMPUTERS/CYBER, JOINT STAFF 5 BEFORE THE SENATE ARMED SERVICES 6 SUBCOMMITTEE ON CYBERSECURITY 7 MAY 23, 2017 8
1
9 INTRODUCTION 10 Chairman Rounds, Ranking Member Nelson, and Members of the 11 Subcommittee, thank you for inviting us to discuss the Joint Force's efforts in 12 cyberspace. I appreciate the opportunity to explain the progress made to improve 13 America's cyber defense posture. 14 I will focus my comments on three primary missions in cyberspace and 15 describe the current approach to strengthening the cyber warfighting capabilities 16 of the Joint Force. Toward that end, I will describe the state of our ongoing 17 efforts to man, train, and equip the Cyber Mission Force, as well as the Joint 18 organizations needed to Command and Control them. Finally, while I cannot 19 discuss particulars in an unclassified statement, I will broadly describe the cyber 20 capabilities needed to support both offensive and defensive teams. 21 JOINT STAFF ROLE 22 As part of my duties as the Director for Command, Control, 23 Communications and Computers/Cyber, I work with our Joint Staff Operations, 24 Planning and Resourcing leaders to integrate strategic cyberspace matters, 25 including synchronization with national strategies, readiness tracking of joint 26 cyber forces, and development of capabilities and concepts to support the 27 Chairman's decision making. We work closely with the Principal Cyber Advisor, 28 the Office of the Secretary of Defense staff and the Services to assess, address 29 and advocate for the Combatant Commands' cyber mission requirements and 30 priorities in support of the National Defense Strategy. 31 PRIMARY MISSIONS IN CYBERSPACE 32 The Joint Force executes the Defense Department's three primary cyber 33 missions in support of the National Defense Strategy. The Joint Force defends 34 the Department's networks, systems, and information. The United States 35 military's dependence on cyberspace for operations led the Secretary of Defense
2
36 in 2011 to declare cyberspace an operational domain for purposes of organizing, 37 training, and equipping United States military forces. The Joint Force must be 38 able to secure networks against attack and recover quickly if security measures 39 fail. To this end, network defense operations are conducted on an ongoing basis 40 to securely operate the Department of Defense Information Networks. When 41 indications of hostile activity are detected within networks, the Joint Force has 42 capabilities to react, recover and return the networks and systems to a secure 43 posture. Accordingly, network defense operations on Department’s networks 44 constitute the vast majority of the Joint Force’s efforts in cyberspace. 45 In addition to protecting Defense Department networks, the Joint Force 46 must be prepared to defend the United States and its interests against 47 cyberattacks of significant consequence when directed by the President or his 48 national security team. This second cyber mission is performed on a case-by- 49 case for significant cyber events that may include loss of life, significant damage 50 to property, serious adverse United States foreign policy consequences, or 51 serious economic impact on the United States. 52 Third, when directed by the President or the Secretary of Defense, the 53 Joint Force must provide integrated cyber capabilities to support military 54 operations and contingency plans. Examples include cyber operations that 55 disrupt and adversary’s military related networks or infrastructure in order to 56 terminate an ongoing conflict on United States terms, or to disrupt an adversary’s 57 military systems to prevent the use of force against United States interests. 58 United States Cyber Command, in coordination with other United States 59 Government agencies, may be directed to conduct cyber operations to deter or 60 defeat strategic threats in other domains. These primary missions are 61 underpinned by three main cyberspace capability elements used to assess 62 Combatant Commands’ ability to execute their operational plans.
3
63 ELEMENTS OF CYBERSPACE CAPABILITY 64 This statement will not include information about offensive force or 65 capability due to its classification, however, offensive components are important 66 and are coupled with our defensive forces and capabilities to achieve maximum 67 effects. 68 Cyber forces, cyber defenses and defensible cyber terrain are the three 69 main elements that determine the Joint Force's our ability to achieve the primary 70 cyber missions. Together, these elements factor into our ability to prevail against 71 determined and capable nation-state cyber threat actors. 72 Of the cyber forces, the first line of defense -- "fixed force defenders" -- 73 that operate and defend assigned network enclaves and associated defenses. 74 Sometimes referred to as "cyber enterprise defense forces", they are composed 75 of military cyber units that form the backbone of secure network operations. 76 They include Service and Agency Network Operations and Security Centers, 77 Cyber Security Service Providers, and Cyber Incident Response Teams, among 78 others. 79 The Cyber Mission Force (CMF) is the Joint Force's "maneuver force" in 80 cyberspace. The CMF is composed of 133 teams with objectives that directly 81 align to the Department's three cyber missions. These tactical teams are 82 command and controlled by a planning and execution structure led by United 83 States Cyber Command through its subordinate Joint Force Headquarters. 84 The second capability element, dedicated cyber defenses, are arrayed in 85 a defense-in-depth posture with a focused level of tiered defenses including the 86 Department's Internet Access Point defense suites, the Joint Regional Security 87 Stacks, and Service and Agency network security boundaries at the 88 organizational and installation levels. These tiered defenses comprise our 89 primary defense against external threats in cyberspace.
4
90 The final main element of the Department's cyberspace capabilities is 91 defensible cyber terrain. The nature of cyberspace means that individual end- 92 user machines are directly susceptible to compromise, and that a single 93 compromise can quickly proliferate laterally to other machines. This inside threat 94 coupled with the human factor introduced by users necessitates the protection of 95 all networked systems to a specified minimum level of cybersecurity. Over the 96 past year, the Department made significant gains in hardening our systems 97 under the Department Cybersecurity Scorecard effort. Coupled with increased 98 end point security, we must continue to train all personnel until they have a 99 working knowledge of cybersecurity practices, and hold leaders accountable for 100 instilling a culture of cybersecurity discipline. 101 Further improving the defensibility of cyber terrain involves systematically 102 identifying "Mission Relevant Cyberspace Terrain" and obtaining situational 103 awareness of that terrain in support of critical missions. Executing the DoD 104 Cyber Strategy line of effort on mission assurance, the Joint Staff led a 105 Department-wide initiative to bring together expert planners from the cyber 106 defense and mission assurance communities to forge and codify a new approach 107 to identifying the key cyber terrain that underpins the Joint Force's critical 108 missions. This approach was vetted and refined during exercises. A formal 109 Planning Order was sent out to all Combatant Commands last month toward that 110 end, the culmination of 18 months of effort. 111 As the senior Joint Staff cyber leader, my main focus is on the manning, 112 training and equipping of the cyber force. The remainder of my statement will 113 focus on the successes and unique challenges faced in building and maintaining 114 the world's premiere cyber force. 115 CYBER FORCES 116 The Joint Force's ability to man the cyber force is predicated on the
5
117 assumption that the force is a net exporter of cyber talent. Much like pilots, air 118 traffic controllers and other highly technical military specialties, the Joint Force 119 does not compete with industry, but rather is focused on building training 120 programs and strategies to grow talent, leverage Reserve Component expertise, 121 and retain adequate numbers of seasoned cyber operators to meet the growing 122 demands in cyberspace. By anchoring our personnel strategies in net production 123 vice competition, in addition to leveraging direct hires and native talent, we will be 124 better able to produce adequate numbers of cyber experts while enhancing the 125 collective cyber defense posture of our Nation. 126 Developing a training program for cyber operators resembles the challenge 127 faced in training pilots and aircrew to operate the world's most advanced aircraft, 128 maintaining their skills on the latest aircraft systems, and sustaining their 129 numbers to ensure a constant sufficiency of motivated and technically excellent 130 personnel. Creating a "pipeline" in the United States military's air components 131 took many years. I am unsurprised by the challenges encountered while 132 constructing the training and personnel pipeline for the Cyber Mission Force. 133 The Joint Force completed the Cyber Mission Force Training Transition Plan 134 in January of this year. The plan introduced a joint training model and addresses 135 the Cyber Mission Force Reserve Component training demand. As part of this 136 effort a training funding shortfall was identified, and the Joint Staff is working with 137 the Office of the Secretary of Defense to mitigate this shortfall. 138 The make-up of the cyber force is unique in warfighting because one-third of 139 its composition is civilian. This poses a unique recruiting and retention 140 challenge. We appreciate the committee's focus on this unique challenge and 141 Congress' efforts to improve our ability to address this issue with Section 1107 of 142 the FY16 National Defense Authorization Act. The Department of Defense Chief 143 Information Officer's office is pursuing a permanent fix via the implementation of
6
144 the Department's Cyber Excepted Service program. 145 Equally important to manning and training the Cyber Mission Force is 146 evolving from the narrowly focused Service platforms employed by cyber 147 operators to a standardized joint capability that equips the force effectively and 148 efficiently with integration into existing planning and force development 149 constructs. The framework for equipping the Cyber Mission Force for both 150 defensive and offensive missions is built upon a family of interoperable systems 151 from which the Cyber Mission Force can operate and synchronize operations. 152 The Joint Force is conducting an Analysis of Alternatives to determine how best 153 to equip the Cyber Mission Force with Title 10 mission platforms. 154 The Cyber Mission Force – all 133 teams -- met their Initial Operating 155 Capability milestone in Oct 2016. All teams are also on track to meet their Full 156 Operating Capability milestone by Oct 2018. More than half of the teams have 157 already met their Full Operating Capability milestone and all 133 teams are 158 actively performing their assigned missions defending DOD networks, protecting 159 weapons platforms, and defending critical infrastructure. Despite these 160 successes, there are still significant readiness challenges that impact the cyber 161 force. Joint training standards have been published and instituted standardized 162 readiness reporting in the Defense Readiness Reporting System in order to track 163 and address these challenges. This nascent tracking capability is beginning to 164 identify trends that will help us better shape Service policy and resourcing 165 requirements in the future. 166 Each Service is working their unique cyber manpower challenges as part 167 of their man, train and equip responsibilities. They have learned and adapted 168 over the past four years, instituting a number of personnel policy changes to 169 ensure the success of the Cyber Mission Force and its associated cyber tactical 170 headquarters. For example, all of the Services are leveraging their Reserve
7
171 Components to augment Cyber Mission Force teams, either in whole or in part, 172 while adding Federal, State and local cyber surge capacity allowing the nation to 173 collectively respond to major threat activity in cyber. 174 The Navy and Marine Corps continue to utilize individual augmentees to 175 fill gaps in their active duty Cyber Mission Force teams and are looking at other 176 ways to utilize their Reserve Components to address critical skillsets and 177 shortages. Also, the Air Force utilizes its reserve component to present 3 full 178 teams to the Cyber Mission Force as part of their total force contribution. Behind 179 these 3 “full-time equivalent” teams are 15 rotating reserve teams comprised of 180 Air Force Reserve and Air National Guard members that provide 12 teams of 181 surge capacity in addition to the 3 full time teams required by United States 182 Cyber Command. Finally, the Army Reserve Component began building an 183 additional 21 teams to augment the original 133 Cyber Mission Force teams as 184 well. Once fully built, the reserve Component will be providing approximately a 185 fifth of the total Cyber Mission Force surge capacity of 166 teams. The build and 186 training plan for these additional Reserve Component forces is included in the 187 Cyber Mission Force Training Transition Plan referenced earlier should you wish 188 further details. 189 The Cyber Mission Force continues to grow and mature, as does the 190 increasing need to Command and Control and synchronize the global efforts of 191 this complex and geographically dispersed warfighting capability. The Joint Staff 192 recently completed a revised Command and Control model that streamlines the 193 command relationships and synchronizes actions in support of Combatant 194 Command campaigns. This model, coupled with manpower assessments 195 performed by a team of joint manpower experts last summer and fall, informed a 196 Joint Manpower Validation effort completed last month. The Department is 197 currently working with the Services to review resourcing requirements for the
8
198 future. 199 CONCLUSION 200 Thank you again, Mr. Chairman, Ranking Member Nelson, and Members of 201 the Committee for the opportunity to provide this statement. I am grateful for the 202 Committee's oversight and your support for our men and woman in uniform.
9
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu