CYBERCOM defensive cyber arm adds intel/ops fusion cell

U.S. Cyber Command’s defense cyber arm, Joint Force Headquarters-Department of Defense Information Networks, has stood up an intelligence and operations fusion cell aimed at creating better coordination for prioritizing defensive resources.

JFHQ-DoDIN, which conducts global command and control and synchronization for defense of the DoDIN, needs better intelligence associated with the network and particular mission sets to help drive operations, according to Col. Cleophus Thomas, the director of operations J3 at JFHQ-DoDIN, who spoke Wednesday during a panel at the Defensive Cyber Operations Symposium in Baltimore, Maryland.

Thomas said he put intel personnel right next to a technical person so they form a “level of translation right there on the spot.”

The reason for the fusion cell, Thomas told Fifth Domain following the panel, was in response to a gap between the integration of operations and intelligence inside JFHQ-DoDIN.

JFHQ-DoDIN’s commander has previously hit on similar themes. “What we realized is we need a lot more intelligence support, so we need more intelligence people, so we’re figuring out what kind of people we need,” Lt. Gen. Alan Lynn, who also leads the Defense Information Systems Agency, said at the annual C4ISRNET Conference.

This intel/ops fusion cell reaches out to the National Security Agency, the Defense Intelligence Agency and other intel agencies, Thomas told Fifth Domain, to bring back information that allows them to look at it from an operational standpoint and fuse that information together to get ahead of the adversary.

This intelligence information enables JFHQ-DoDIN to help prioritize and coordinate resources before a potential incident takes place.

As Lt. Col. Patrick Daniel, who formerly served as deputy director of strategy and plans at JFHQ-DoDIN, explained last year, the difference between DoDIN operations and defensive cyber operations/internal defensive measures (JFHQ-DoDIN’s two mission areas) are that DoDIN operations are executed daily as part of running a network, while DCO-IDM are specific actions taken in response to either intelligence, a threat or an incident.

Intelligence might say that a certain adversary will attempt to exploit a version of software on a web server, indicating forces need to focus more resources toward that portion of the network, he said.