The origins and evolution of DC3

  • Published
  • By Jeff Specht
  • DoD Cyber Crime Center Executive Director

For those not familiar with the Office of Special Investigations linkages to the Department of Defense Cyber Crime Center (DC3), and for those with limited visibility on the evolution of DC3 over its roughly 22-year history, this article speaks to that foundational relationship, DC3’s capabilities to amplify effects for the broad range of customers it’s charged to support, and several ongoing mission adaptations to elevate support for its founding Defense Criminal Investigative Organization (DCIO) and Military Department Counterintelligence Organization (MDCO) stakeholders.

DC3 was officially activated Oct. 1, 2001; however, its origins date back to February 1998, when then-Deputy Secretary of Defense John Hamre issued the Defense Reform Initiative Directive #27, directing the Air Force to establish a joint Defense Department computer forensics laboratory and training program.

The Secretary of the Air Force, as DoD Executive Agent, designated the OSI Commander as overall program manager for both activities, placing OSI at the helm in establishing the Defense Computer Forensics Laboratory (DCFL), later renamed the Cyber Forensics Laboratory (CFL), and the Defense Computer Investigations Training Academy (DCITA), later renamed the Cyber Training Academy (CTA) to reflect the expanded training mission captured below.

Since its origins in 1998, DC3’s capabilities and services have expanded and evolved to meet not only the changing needs of its founding DCIO and MDCO stakeholders, but those of the DoD at large, to include:

  • Expanded digital and multi-media (D/MM) forensics requirements in support of the Document and Media Exploitation (DOMEX) mission, aircraft mishap inquiries, support responsive to defense counsel requirements, the examination of personal effects of our fallen prior to family release to minimize the unintentional spillage of sensitive or classified information, malware submissions from multiple stakeholders, and wide array of other DoD-wide D/MM forensics requirements
  • Expanded cyber training needs in support of not only the DCIOs and MDCOs, but those of U.S. Cyber Command and the Services, to include Cyber Protection Team (CPT) and Mission Defense Team (MDT) training needs, as well as related training in support of key ally mission partners
  • The 2002 establishment of the Defense Cyber Crime Institute (DCCI), later renamed Technical Solutions Development (TSD), as an in-house capability to develop new or tailor existing tools to meet the specific requirements of the DoD digital forensic examiner and cyber intrusion analyst communities
  • The 2008 designation of DC3 as one of only seven Federal Cyber Centers, charged with the identification of cybersecurity best practices, the collaborative establishment of shared architectures to enable elevated Whole of Government information sharing, and contributions and participation in national-level cyber incident exercises
  • The 2008 establishment of the DC3 Analytical Group (AG) to enable focused technical analyses based on CFL and mission partner cyber forensics (forensics-enabled analytics) to support cyber investigations and operations of DoD LE/CI entities, U.S. Cyber Command, and heightened collaboration with the FBI and Department of Homeland Security.
  • The 2008 establishment of the DoD CIO-led Defense Industrial Base (DIB) Cybersecurity Program and the associated DC3-led Defense Department-DIB Collaborative Information Sharing Environment (DCISE) to help defense contractors safeguard Defense Department information
  • The 2016 establishment of the DC3-led Defense Department Vulnerability Disclosure Program (VDP), the DoD focal point for crowd-sourced vulnerability reporting and interacting with private citizen cybersecurity researchers, popularly referred to as “white hat” or ethical hackers

Throughout those many evolutions of the DC3 mission, its available resources expanded from its originating HQ OSI Operating Location-D footprint of roughly 14 personnel, to a present day footprint of roughly 450 military, civilian and contractor personnel.  Further, DC3 is host to multiple embedded liaisons from key mission partners, including the Naval Criminal Investigative Service, U.S. Army Military Intelligence, the National Security Agency, U.S. Cyber Command, four distinct Damage Assessment Management Offices (Office of the Secretary of Defense and the three Military Departments), a Joint Acquisition Protection & Exploitation Cell, and an Air Force Life Cycle Management Center element. DC3 also maintains enduring partnerships with the FBI, the National Media Exploitation Center, and other core mission partners via embedded DC3 liaisons.

While DC3’s expanded mission as a ‘whole of DoD’ technical center presents occasional challenges relative to the competing interests of its varied stakeholders, the synergies inherent in DC3’s six lines of effort, combined with the common interests of those same many stakeholders, present an exciting range of capabilities and opportunities for DC3 to revitalize its support to its founding DCIO and MDCO stakeholders. In fact, a confluence of changing DoD priorities, technological evolutions, and DCIO/MDCO requirements make 2020 a year ripe for strengthened ties.

In February 2020, DC3 opened the doors to its new training facility in Hanover, Md., (just north of Ft. Meade).  CTA’s new training facility has ten state of the art classrooms, each with a 20-student capacity; more than double its past capacity. The new training facility has a simulated Network Operations Center (NOC), which will facilitate team validation exercises, course capstone events, etc.  Five of the classrooms will be wholly dedicated to DCIO/MDCO training needs, to include evolved course offerings specific to Internet of Things devices, dark web and cyptocurrency, and other DCIO/MDCO prioritized requirements.

DC3 is also actively engaged with the Defense Cyber Operations Panel to assess the viability and value of joint regional Digital/Multi Media (D/MM) forensics labs to better align and integrate DC3 specialized capabilities with OSI’s evolving Digital Forensic Consultant (DFC) footprint, as well as similar fielded D/MM forensics capabilities within NCIS, the Army Criminal Investigation Division, and the Defense Criminal Investigative Service. With the growing complexities in D/MM forensics tied to locked devices, encryption, app-based data, cloud storage, Internet of Things devices, the dark web, malware and intrusions, etc, elevated teaming and more rapid access to D/MM forensics expertise is a growing imperative.

From a common tools perspective, DC3 is actively engaged with Office of the Under Secretary of Defense for Intelligence and Security, the MDCOs, and other stakeholders to assess current and future D/MM forensics and analytic tools, shared architectures, and common data standards to better synchronize network sensor strategies, collections, and exploitation of the resulting data to better protect Defense Department equities and national security interests. This effort is taking place under an umbrella initiative branded ‘CI PED,’ (Counterintelligence Processing, Exploitation and Dissemination) with initial, exploratory funding set to begin in fiscal 2021.

DC3, in partnership with the Assistant Secretary of the Air Force for Acquisition, is actively engaged with the OSD Strategic Capabilities Office (SCO) responsive to the Air Force’s 2019 designation as Executive Agent and transition partner for the SCO-developed StormSystem suite of tools.

StormSystem creates believable electronic files in a variety of formats that appear authentic, but contain machine-contrived data to obfuscate targeted users. The StormSystem products will facilitate countermeasures against cyber theft by raising the cost (in time and funding) of adversary actors and creating analytical penalties to the intended consumer. The intent is to delay an adversary's “time to market” for stolen technologies and “poison the well” for cyber thieves. StormSystem will provide a suite of capabilities available to DoD users, U.S. and allied government mission partners, vetted Defense Industrial Base (DIB) partners, and other select non-government users, with the ability to stage obscured files at-scale on relevant networks in support of a variety of use cases.

These are just a handful of the ongoing efforts to revitalize DC3’s focus on capitalizing on its evolved capabilities to better support and amplify the investigative and operational effects for its core DCIO/MDCO stakeholders.  The evolution of DC3 will certainly continue throughout 2020 and the years to come.