United States Cyber Command, "Cyber Flag 12-1," 2011. Unclassified.
National Security Archive
A 2011 briefing reveals how USCYBERCOM forged the first joint, force‑on‑force cyber war game, reshaping America’s approach to digital battlefields.
Source: United States Cyber Command, "Cyber Flag 12-1," 2011. Unclassified. Date: Jan 1, 2011 Archive: Defense Technical Information Center
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
The Birth of a Joint Cyber War Game
In early 2011 the United States Cyber Command (USCYBERCOM) released an unclassified briefing titled Cyber Flag 12-1. Far from a routine training notice, the document marks the first fully joint, force‑on‑force cyber exercise that deliberately blended offensive and defensive missions in a simulated environment. Its timing is crucial: USCYBERCOM had been established only a year earlier, in 2010, amid a rapid escalation of state‑level cyber activity—from the 2007 cyber‑espionage campaign attributed to China’s Unit 61398 to the 2009 Iranian attacks on U.S. banks. The Pentagon recognized that existing service‑specific cyber drills were fragmented and that a unified command structure needed a proving ground where doctrine, command‑and‑control (C2) concepts, and emerging tactics could be stress‑tested against a “thinking” adversary.
The brief’s mission statement—“fusing attack and defense across the full spectrum of operations against a realistic and thinking enemy in a virtual environment”—reveals an early acknowledgment that cyber conflict would not be a one‑sided affair. By insisting on a “dynamic joint cyber training environment,” USCYBERCOM signaled its intent to move beyond the traditional red‑team/blue‑team paradigm toward a fluid battlefield where the same operators might switch roles, mirroring the ambiguity of real‑world cyber engagements.
Institutional Actors and the Architecture of Power
The document lists a dense hierarchy of participating entities: USSTRATCOM, the Combatant Command, USCYBERCOM’s National Cyber Operations, and service‑level cyber components such as ARCYBER (Army), FLTCYBER (Fleet), MARFORCYBER (Marine), and 24 AF/AFCYBER (Air Force). This mosaic illustrates how USCYBERCOM was positioned as a joint “hub” that coordinated disparate service cyber forces while still respecting the chain of command of each component. The inclusion of the Defense Information Systems Agency’s (DISA) TNOSC and the reference to “attached USCYBERCOM forces” underscores the inter‑agency cooperation that would become a hallmark of U.S. cyber strategy.
Notably, the brief mentions “integration of other government agency equities (NSA, DHS, etc.) and allies” as a future goal. At the time, the NSA’s Tailored Access Operations (TAO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) were still solidifying their cyber roles. By projecting a “whole‑of‑government” approach, the document anticipates the later establishment of the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 and the expansion of the Cyber National Mission Force (CNMF) within USCYBERCOM.
What the Brief Says Between the Lines
While the agenda reads like a logistical checklist—travel, briefings, mission planning—the emphasis on “Face‑to‑Face Mass In‑Brief and Debrief” and “building esprit de corps” hints at a cultural challenge: forging a shared identity among cyber warriors who had previously operated in isolated service silos. The promise of an “unencumbered” network where “no exercise network is ‘off‑limits’” reveals an awareness that realistic training required freedom from the safety constraints that typically hampered live‑fire exercises. This freedom, however, also raised legal and policy questions about authority to conduct offensive cyber operations, even in a simulated setting—a debate that would later surface in the 2013 “Cyber Command” re‑chartering and the 2015 Cybersecurity Act.
The schedule’s “DV Day” (likely “Designated Vulnerability” or “De‑confliction Verification”) and the repeated “Post‑Mission Analysis” slots indicate an early commitment to iterative learning, a practice that would evolve into the current “red‑team/blue‑team/purple‑team” methodology now standard in cyber ranges worldwide.
Legacy and Continuing Relevance
Cyber Flag 12‑1 laid the groundwork for an annual joint exercise that persists today, now known simply as “Cyber Flag.” The exercise has expanded to include allied nations, commercial partners, and a broader set of mission sets—ranging from election security to industrial control system defense. Its early focus on integrating C2 constructs foreshadowed the development of the Joint Cyber Planning Process (JCPP) and the formalization of cyber mission orders that mirror kinetic operations.
The brief also serves as a snapshot of a moment when the United States shifted from treating cyber as an ancillary support function to recognizing it as a distinct warfighting domain. By institutionalizing joint training, USCYBERCOM signaled to both allies and adversaries that the United States possessed not only defensive resilience but also an organized offensive capability ready to be rehearsed and refined.
In the broader arc of 21st‑century security, Cyber Flag 12‑1 is more than a training flyer; it is a strategic artifact that captures the Pentagon’s first systematic attempt to operationalize cyber power. Its emphasis on jointness, realism, and continuous learning continues to shape how the United States prepares for—and, if necessary, wages—future cyber conflicts.
UNCLASSIFIED//FOUO UNITED STATES CYBER COMMAND Cyber Flag 12-1 The overall classification of this brief is: UNCLASSIFIED UNCLASSIFIED
UNCLASSIFIED
Cyber Flag
Mission Cyber Flag is a joint cyberspace training exercise fusing attack and defense across the full spectrum of operations against a realistic and thinking enemy in a virtual environment.
Objectives
- Provide a dynamic joint cyber training environment
- Integrate offensive and defensive cyberspace operations
- Exercise USCYBERCOM C2 construct
- Leverage and operationalize ongoing planning efforts
UNCLASSIFIED 2
UNCLASSIFIED Cyber Flag - Attributes
- Tactically focused training exercise with operational C2 utilizing realistic virtual environments
- Assumes necessary authorities, inter-agency coordination, deconfliction
- Allows for force-on-force offensive and defensive maneuvers
- Allows for dynamic OPFOR utilizing adversary TTP
- Aggressors – moving beyond Red Teams
- Conducted on a cyber range with Face-to-Face Mass In-Brief and Debrief
- Secure, repeatable, controllable, and measurable environment
- Focused on debriefs to capture lessons learned and adjust TTPs and CONOPs
- Face-to-Face in order to build esprit de corps and unity of effort for cyber forces
- Unencumbered by real-world Service/COCOM training constraints/safety restrictions
- No exercise network is “off-limits”
UNCLASSIFIED 3
UNCLASSIFIED Cyber Flag – Schedule
| Travel | Academics | Planning | Day 1 | Day 2 | Day 3 | Day 4 | Wrap up | Travel | |
|---|---|---|---|---|---|---|---|---|---|
| 0600 | DV Day | ||||||||
| 0700 | Travel Day | Security In-Processing | Mission Planning/ Range Fam | Mission Prep | Mission Prep | Mission Prep | Mission Prep | Travel Day | |
| 0800 | Opening Remarks | Mass Brief | Mass Brief | Mass Brief | Mass Brief | Lessons Learned | |||
| 0900 | Security Brief Local Area Brief | Mission | Mission | Mission | Mission | Security Out-Brief Closing Remarks | |||
| 1000 | Academics | Cyber Seniors Hotwash | |||||||
| 1100 | Academics | ||||||||
| 1200 | Cyber Flag Staff Wrap-Up | ||||||||
| 1300 | Academics | ||||||||
| 1400 | Facility Tours White Cell Coord | Post-Mission Analysis | Post-Mission Analysis | Post-Mission Analysis | Post-Mission Analysis | ||||
| 1500 | |||||||||
| 1600 | Cyber Flag Mixer | Mass Debrief | Mass Debrief | Mass Debrief | Mass Debrief | ||||
| 1700 | Mission Planning | Mission Planning | Mission Planning | OIC Interviews | |||||
| 1800 | DV Day | ||||||||
| 1900 |
Event Key Admin Academics Planning Brief Mission
UNCLASSIFIED 4
UNCLASSIFIED
Cyber Flag – Future
Cyber Flag will become an annual joint cyber training event continually striving to sharpen the skills of Cyber Forces
Blue Forces
- Service specific “Flag-like” events in preparation for Joint Cyber Flag
- Explore “whole of government” approaches to cyber challenges through integration of other government agency equities (NSA, DHS, etc.) and allies
- Evaluate cyber role in OPLANs and conduct mission rehearsals
Cyber Ranges
- Leverage new technologies and expand existing range architecture to create an easily configurable Joint training and experimentation environment
- Enable virtual secure enclave operations to be executed during future Cyber Flag events as well as Service and COCOM major exercises
- Optimize and normalize range prioritization and scheduling
UNCLASSIFIED 5
UNCLASSIFIED//FOUO UNITED STATES CYBER COMMAND Cyber Flag 12-1 Questions? The overall classification of this brief is: UNCLASSIFIED UNCLASSIFIED
UNCLASSIFIED Cyber Flag C2 Construct
White Cell
USSTRATCOM Combatant Command USCYBERCOM National Cyber Ops ARCYBER FLTCYBER MARFORCYBER 24 AF/ AFCYBER Blue Players Joint Cyber Component Command DISA TNOSC Attached USCYBERCOM Forces Base / Station / Garrison AR FLT MAR AF Joint Components
COCOM OPCON TACON ADCON Supporting/ Supported
UNCLASSIFIED 7
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu