9 February 2016

The United States and Cyberspace: Military Organization, Policies, and Activities


National Security Archive Electronic Briefing Book No. 539
Edited by Jeffrey T. Richelson
Posted - January 20, 2016
April 26, 2013

June 19, 2009

March 11, 2005

By Jeffrey T. Richelson


INTRODUCTION

Washington, D.C., January 20, 2016 - U.S. military activities in cyberspace have been surprisingly widespread over the years, occurring mainly out of the public eye. Given the sensitivity of many of their operations, this is understandable to a point, but as the number of reported and unreported attacks on military and civilian infrastructure increases – along with the stakes – there is a corresponding public interest in how the Pentagon (and the U.S. government in general) has responded in the past and is preparing for future eventualities. Today, the National Security Archive is posting 27 documents that help illuminate various aspects of U.S. military operations in cyberspace. These materials are part of a unique and expanding educational resource of previously classified or difficult-to-obtain documentation the Archive is collecting and cataloguing on the critical issue of cyber security.


Today’s posting, including a number of records acquired through the Freedom of Information Act, can be grouped into six areas: the language of cyberspace, vision and strategy, military cyber organization, activities and responsibilities, computer network defense, and intelligence operations in cyberspace. Highlights include:
The terminology of cyberspace (Document 1, Document 10)
The creation and responsibilities of the U.S. Cyber Command (Document 6, Document 8)
The role of the Cyber Command and other military cyber organizations in Operation Gladiator Shield – defense of the Global Information Grid (Document 12)
The Joint Chiefs of Staff-mandated process for computer network defense activities (Document 2)
The Department of Defense strategy for counterintelligence in cyberspace (Document 3)
DoD policy, responsibilities, and procedures with regard to human intelligence operations in cyberspace (Document 19)
ESSAY
The United States and Cyberspace: Military Organization, Policies, and Activities

By Jeffrey T. Richelson

The United States military has been operating in cyberspace for decades. It has faced attacks by hackers trying to break into Defense Department computer systems, been authorized to conduct offensive cyber operations, and recognized the need to confront the impact of cyberspace on human intelligence and counterintelligence operations. As with the civilian sector of the U.S. government, the focus on cyberspace has increased dramatically in recent years – as illustrated by the increasing production of documents concerning the subject.

Those documents have sought to define the multitude of terms associated with cyberspace activities, set out visions and strategies for operating in cyberspace, and create and define the missions of military cyber organizations. Other documents describe the activities and responsibilities associated with cyber missions – including computer network defense and intelligence.

Cover page of “Navy Cyber Power 2020,” (Document 16)

The Language of Cyberspace
A number of Defense Department publications have sought to provide readers with extensive accounts of the definitions associated with cyberspace operations – to establish a common language for the discipline. In 2009, the U.S. Strategic Command (STRATCOM) – the parent command of the U.S. Cyber Command – produced The Cyber Warfare Lexicon (Document 1), which in addition to containing approximately 50 definitions of cyber terms, contained 15 discussions on cyberspace operations – including “weapons outcomes: a differentiation,” “delivery considerations,” and “when things go wrong.” The next year, the Joints Chief of Staff issued its own document, the Joint Terminology for Cyberspace Operations (Document 10), which also provided 16 pages of definitions of cyber terms. In his cover letter announcing the issuance of the joint terminology, James Cartwright, vice chairman of the Joint Chiefs, noted that the document had been produced due to the “inadequacy of current terminology to describe our [cyber operations] capabilities and missions.”

Vision and Strategy Documents

Vision and strategy documents are a routine product of both civilian and government agencies. Cyberspace vision and strategy documents include those produced by the Defense Department (Document 25), Cyber Command (Document 27), Air Force headquarters (Document 17), the Air Force Space Command (Document 4, Document 7), the Navy (Document 16), and the Coast Guard (Document 26).

The DoD Cyber Strategy (Document 25) identifies five strategic goals, including building and maintaining forces and capabilities to conduct cyberspace operations, a variety of ‘implementation objectives’ for each strategic goal, and steps believed necessary to manage the department’s cyber strategy – including an end-to-end assessment of the department’s cyber capabilities. The U.S. Cyber Command’s vision statement (Document 27) focuses on the commander’s intent (including strengthening partnerships with the National Security Agency and the Intelligence Community as well as the Defense Department). It goes on to specify “imperatives” (such as integrating cyberspace operations in support of joint force operations), and “enablers”(including “acquisition agility”) to permit satisfying the identified imperatives or objectives.

The Air Force Space Command’s cyberspace strategy documents include its 2009 The United States Air Force Blueprint for Cyberspace Operations (Document 4), which notes presidential guidance, joint guidance, the Air Force concept of cyberspace operations, and operational responsiveness, among other topics. A more recent strategy document is the June 2015 United States Coast Guard Cyber Strategy (Document 26), which specifies three strategic priorities (defending cyberspace, enabling operations, and protecting infrastructure), and seven measures aimed at “long-term success.”

Logo for the U.S. Cyber Command

Military Cyber Organization

The increased focus on cyber operations by the Defense Department and military services has led to the establishment of one or more cyber organizations within DoD and each of the military services. Thus, in 2009, the secretary of defense directed STRATCOM to establish, as a subordinate command, a U.S. Cyber Command. 1 In May 2010, STRATCOM announced (Document 6) that the Cyber Command had achieved an initial operational responsibility and described its responsibilities, organization, and command relationships. Then, in September, STRATCOM’s commander informed the secretary of defense (Document 8) that the command had reached full operational capability, and stated the command’s six key missions (one of which is partially classified).

Subordinate to the Cyber Command are its component commands. The U.S. Army Cyber Command was established less than two weeks after the U.S. Cyber Command was declared fully operational via an Army General Order (Document 9), which specified some of its responsibilities and authorities over other Army organizations. Refinement of the Army organization for cyber operations took place in February 2011, when the secretary of the Army signed a directive (Document 11) assigning control of an information operations command to the Army Cyber Command.

The Navy’s cyber command, the Fleet Cyber Command/U.S. Tenth Fleet, was already in existence by April 2010, when the command’s technical director presented a briefing (Document 5) that provided information and graphics concerning the command’s mission, organization, authorities, command and control relationships, and global operations. The briefing also showed that the Navy’s cyber unit, unlike the other service cyber commands, was also responsible for managing the Navy’s signals intelligence operations, via the Navy Information Operations Command detachments.

The Air Force did not establish a separate command for cyber operations, but assigned responsibility to the Air Force Space Command through the 24 th Air Force. [2] But cyber-related operations were not the sole responsibility of the Space Command. In 2012, the commander of the Air Force Intelligence, Surveillance, and Reconnaissance Agency (now the 25 th Air Force), established a Cyber Division in his agency. The commander’s one-page memorandum (Document 13) explained that the division was to provide a “greater focus” on cyber issues and identified six functions – including intelligence, surveillance, and reconnaissance support to offensive and defensive cyber operations.

The Ohio National Guard Computer Network Defense Team conducts cyberdefense operations during exercise Cyber Shield 2015. (Source: Staff Sgt. George Davis, U.S. Army National Guard)

Activities and Responsibilities

One of the defensive activities undertaken by the U.S. Cyber Command was the subject of a 2011 operations order for Operation Gladiator Shield (Document 12), whose purpose was to direct the Department of Defense and its mission partners to “secure, operate and defend the critical mission elements of the DoD Global Information Grid” – described by the National Security Agency as “the globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel.” [3] The order provides a concept of operations as well as specifying the tasks of relevant DoD organizations, including the U.S. Cyber Command and its components, NSA, the Defense Intelligence Agency, and other units.

Several additional Defense Department and military service documents focus on cyberspace operations rather than individual components, although they often also specify the responsibilities of specific organizations. Thus, a 2012 Air Force policy directive (Document 15) on cyberspace operations discussed the responsibilities of Air Staff components, the Air Force Space Command, legal units, and other organizations. The following year, the Joint Chiefs issued what was, initially, a restricted publication (Document 18) on cyberspace operations which covered cyberspace operations, including those related to national intelligence, authorities, roles, as well as planning and coordination – including with regard to U.S. government and international/multinational organizations.

Department of Defense cybersecurity activity is the focus of the 2014 instruction (Document 23), 59 pages in length, that states department policy, defines the responsibilities of 15 different organizations (including the Defense Information Systems Agency, the Defense Security Service, and the National Security Agency) and 21 different procedures – including risk management, cyberspace defense, and identity assurance. It also lists 132 U.S. government documents ((a) through (eb)) relevant to DoD cybersecurity organization and activities.

Computer Network Defense

One consequence of the attacks on Defense Department computers systems over the last several decades has been a new emphasis on computer network defense. Part of that focus is the delineation of responsibilities within each organization for protecting its computer systems, reporting incidents, and responding to incidents – as illustrated by a July 2013 instruction (Document 20) issued by the Northern Command and NORAD. 

How incidents should be handled was the subject of a much longer JCS document, a 176-page manual (Document 2) issued in 2009. An diagrammatic overview of the manual shows its seven different enclosures, which cover subjects from incident handling methodology to incident analysis to incident response and beyond. In each case, there are a multitude of subordinate components. Thus, computer forensic analysis, network analysis, and the examination of legal issues are just three of ten components of the incident analysis process.

Admiral Michael S. Rogers, USN, Commander, U.S. Cyber Command (Source: National Security Agency and U.S. Navy)

Human Intelligence and Counterintelligence

Since Defense Department human intelligence operations may extend into cyberspace, with operators adopting a cyber persona, the department issued a Secret instruction (Document 19) on HUMINT activities in cyberspace, heavily redacted in its declassified form, that specifies the responsibilities of different DoD components – including the undersecretary of defense for intelligence, the National Security Agency, the Defense Intelligence Agency, and the Cyber Command.

Counterintelligence operations were also the subject of a DoD directive as well as an August 2009 strategy document (Document 3). [4] The latter document contained two key parts – one identified mission objectives (outcomes), the other named enterprise objectives (capabilities). One mission objective is neutralizing foreign cyber intelligence activities that had attacked U.S. and Defense Department interests while enterprise objectives included achieving “unity of effort in cyberspace.”
NOTES

[1] Robert M. Gates, Memorandum to Secretaries of the Military Departments, Subject: Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations, June 23, 2009. See Jeffrey T. Richelson, National Security Archive Electronic Briefing Book #424, Cyberspace and U.S. National Security , April 26, 2013, Document 29.

[2] U.S. Air Force, Fact Sheet, “Air Force Space Command,” August 2015, www.afspc.af.mil .

[3] “Global Information Grid,” www.nsa.gov/programs/global_information_grid/ , accessed December 28, 2015.

[4] Department of Defense, DoD Instruction S-5240.23, Subject: Counterintelligence (CI) Activities in Cyberspace, December 13, 2010. See Richelson, National Security Archive Electronic Briefing Book #424, Cyberspace and U.S. National Security , Document 41.
DOCUMENTS

U.S. Strategic Command, The Cyber Warfare Lexicon: A Language to Support the Development, Testing, Planning and Employment of Cyber Weapons and Other Modern Warfare Capabilities, January 5, 2009. Unclassified/For Official Use Only.
Document Source: https://publicintelligence.net/cyber-warfare-lexicon

In addition to providing a series of definitions concerning cyber activities, this document also contains a series of discussions on aspects of cyberspace operations. 

Chairman, Joint Chiefs of Staff, CJCSM 6510.01A, Information Assurance (IA) and Computer Network Defense (CND) Volume I (Incident Handling Program), June 24, 2009. Unclassified.
Document Source: Editor's collection

This 176-page manual covers a variety of aspects of computer incident handling - including the overall incident handling program, methodology, reporting, analysis, response, tools, and collaboration with other strategic communities.

Department of Defense, The Department of Defense Strategy for Counterintelligence in Cyberspace, August 28, 2009. Unclassified/For Official Use Only.
Document Source: https://cyberwarfare.nl

This document notes that "a new operational environment has emerged as evidenced by the increasing frequency and destructiveness of attacks and exploits launched against the United States through cyberspace." The central aspects of the strategy are the definition of mission objectives (e.g. neutralizing intelligence activities targeting U.S. and DoD interests in cyberspace) and enterprise objectives (e.g. achieving unity of effort in cyberspace). 

Air Force Space Command, The United States Air Force Blueprint for Cyberspace, November 2, 2009, Unclassified.
Document Source: www.ncsi-va.org

The Air Force Space Command is the lead U.S. Air Force organization for cyberspace operations. The Command's blueprint reports on presidential guidance, joint guidance, Air Force intent, the Commander's guidance, the Air Force concept of cyberspace operations, integration of capabilities, operational responsiveness, and cyberspace culture. 

Dr. Starnes Walker, Technical Director/CTO Fleet Cyber Command, U.S. Fleet Cyber Command, U.S. Tenth Fleet, April 2010. Unclassified.
Document Source: https://cryptome.org

These briefing slides, presented by the U.S. Fleet Cyber Command's technical director, provide information on the command's mission, organization, and authorities, Navy cyberspace command and control relationships, global operations, as well as cyber initiatives and challenges. 

U.S. Strategic Command, USCYBERCOM Announcement Message, May 21, 2010. Unclassified/For Official Use Only.
Document Source: U.S. Strategic Command Freedom of Information Act Release

This message notifies recipients that the U.S. Strategic Command has established a subordinate command, the U.S. Cyber Command, with initial operational capability as of May 21, 2010. It also specifies the mission of the new command, its responsibilities, organization, and command relationships. 

Air Force Space Command, Functional Concept for Cyberspace Operations, June 14, 2010. Unclassified.
Document Source: https://info.publicintelligence.net/USAF-CyberspaceOpsConcept.pdf

This document provides, inter alia, an overview, discussion of the missions and desired effects, necessary and enabling capabilities, and command relationships of USAF cyberspace operations. 

Kevin P. Chilton, U.S. Strategic Command, Memorandum for the Secretary of Defense, Subject: Full Operational Capability (FOC) of U.S. Cyber Command (USCYBERCOM), September 21, 2010. Secret.
Document Source: U.S. Strategic Command Freedom of Information Act Release

This memo from the head of the U.S. Strategic Command, the parent command of the U.S. Cyber Command, recommends that the latter, established that May (Document 6), be declared fully operational. It also summarizes the Cyber Command's six key missions, including one that is partially classified.

Department of the Army, GO 2010-26, "Establishment of the United States Army Cyber Command," October 1, 2010. Unclassified.
Document Source: Editor's Collection

This order established the Army Cyber Command, and specifies some of its responsibilities and its authority over other Army organizations. 

James E. Cartwright, Memorandum, Subject: Joint Terminology for Cyberspace Operations, November 2010, Unclassified.
Document Source: https://publicintelligence.net/dod-joint-cyber-terms

As with Document 1, this publication provides a series of definitions concerning different aspects of cyberspace activities. 

John M. McHugh, Secretary of the Army, Memorandum, Subject: Army Directive 2011-03 (Change of Operational Control for 1st Information Operations Command (Land) and Direction for U.S. Army Cyber Command to Conduct the Information Operations Missions for the Army), February 2, 2011. Unclassified.
Document Source: www.apd.army.mil/pdffiles/ad2011-03.pdf

This directive further refines Army organization and authorities concerning Army cyber and information operations. 

United States Cyber Command, USCYBERCOM Operations Order (OPORD) 11-002, Operational Gladiator Shield (OGS), May 19, 2011. Secret/Rel to USA, FVEY.
Document Source: U.S. Strategic Command Freedom of Information Act Release

The purpose of this heavily redacted operations order is to guide and direct "the Department of Defense (DoD) and, as authorized, designated missions partners for cyberspace operations to secure, operate and defend the critical mission elements of the DoD Global Information Grid." It provides a concept of operations, and specifies tasks for the relevant DoD components - CYBERCOM headquarters, CYBERCOM service components (e.g. the U.S. Fleet Cyber Command), combatant commands, the military services, the National Security Agency, Defense Intelligence Agency, and other entities. 

Robert P. Otto, Commander, Air Force Intelligence, Surveillance and Reconnaissance Agency, Memorandum for HQ AF ISR Agency/A1-9, FM, IG, JA, ZG, Subject: Establishment of AF ISR Cyber Division, May 24, 2012. Unclassified.
Document Source: 25th Air Force Freedom of Information Act Release

This one-page memo announces the creation of the Air Force ISR Agency's Cyber Division to provide a "greater focus" on cyber issues by the agency's staff. It also specifies six functions to be performed by the division, including intelligence, surveillance, and reconnaissance support to both offensive and defensive cyber operations. 

Maj. Gen. Earl Matthews, U.S. Air Force, Cyberspace Operations: HAF Cyber Matrix and Force Development, June 27, 2012. Unclassified.
Document Source: Editor's Collection

These briefing slides describe the organization of the Air Staff cyber operations directorate and the functions of its components. 

U.S. Air Force, Air Force Policy Directive 10-17, Cyberspace Operations, July 31, 2012, Unclassified.
Document Source: www.e-publishing.af.mil

This directive identifies responsibilities for Air Force cyberspace operations of different organizations - including Air Staff components, the Air Force Space Command, legal units, the Air Materiel Command, and other organizations. 

U.S. Navy, Navy Cyber Power 2020, November 2012. Unclassified.
Document Source: www.publicnavy.mil

This document provides a strategic assessment of cyber issues - identifying threats, key trends, and current challenges - as well as specifying the "way ahead," which includes integrated operations, an optimized cyber workforce, technology innovation, as well as PPBE (planning, programming, budget, and execution), and acquisition reform. 

Chief Scientist, United States Air Force, AF/ST TR 12-01, Cyber Vision 2025: United States Air Force Cyberspace Science and Technology Vision 2012-2025, December 13, 2012.
Document Source: www.defenseinnovationmarketplace.mil/resources/AF_Cyber_Vision_2025.pdf

This document describes Air Force objectives and plans for achieving them with regard to the application of science and technology to cyberspace activities.

Joint Chiefs of Staff, Joint Publication 3-12 (R), Cyberspace Operations, February 3, 2013. Unclassified.
Document Source: www.dtic.mil/doctrine/new-pubs/jp3-12R.pdf

This formerly restricted publication discusses cyberspace (including national intelligence) operations; authorities, roles, and responsibilities (including legal considerations); and planning and coordination (including inter-organizational and multinational considerations). 

Department of Defense Instruction S-3325.10, Subject: Human Intelligence (HUMINT) Activities in Cyberspace, June 6, 2013. Secret/Noforn.
Document Source: Department of Defense Freedom of Information Act Release

This heavily redacted instruction discusses DoD policy for conducting human intelligence operations in cyberspace. It also defines the responsibilities of Defense Department components (including the undersecretary of defense for intelligence, the National Security Agency, and Defense Intelligence Agency), as well as procedures. 

U.S. Northern Command, NORAD/USNORTHCOM Instruction 33-141, Information Assurance/Computer Network Defense, July 16, 2013. Unclassified.
Document Source: www.northcom.mil

This instruction notes that "NORAD and USNORTHCOM information and information systems incur higher risks due to mission requirements to share information with our partners" and goes on to define the roles and responsibilities of Northern Command components with regard to information assurance and computer network defense.

Secretary of the Air Force, Air Force Instruction 10-1701, "Command and Control (C2) for Cyberspace Operations," March 5, 2014. Unclassified.
Document Source: www.e-publishing.af.mil

This instruction implements Air Force Policy Directive 10-17 (Document 15) and provides a specific guide for the command and control of Air Force cyber activities, including the Air Force cyber orders flow process. It defines the roles and responsibilities of different Air Force components and a glossary. 

John M. McHugh, Secretary of the Army, General Orders No. 2014-02, Affirmation of Secretary of the Army Commitment to Unity of Effort: Designation of U.S. Army Cyber Command as an Army Force Component Headquarters: Reactivation of Second Army and Designation as a Direct Reporting Unit; Disestablishment of the U.S. Army Network Enterprise Technology Command/9th Signal Command (Army) as a Direct Reporting Unit and Reassignment to Second Arm; Designation of General Court-Martial Convening Authorities, March 6, 2014. Unclassified.
Document Source: www.apd.army.mil/pdffiles/go1402.pdf

This document further refines the Army's organization (Document 9, Document 11) for the conduct of cyber operations. 

Department of Defense Instruction 8500.01, Subject: Cybersecurity, March 14, 2014. Unclassified.
Document Source: www.dtic.mil/whs/directives

This 59-page DoD directive covers two key aspects of the department's cybersecurity effort - the responsibilities of 15 different organizations (including the Defense Information Systems Agency, the Defense Security Service, and the National Security Agency) and 21 different procedures (including risk management, cyberspace defense, and identity assurance). 

National Guard Bureau, National Guard Bureau Cyber Mission Analysis Assessment, September 29, 2014. Unclassified/For Official Use Only.
Document Source: https://publicintelligence.net/ng-cyber-mission-analysis

This report is a response to a Congressional requirement for the National Guard Bureau to prepare an assessment of the possibility for "successfully integrating the National Guard into the Department of Defense's (DoD) Cyber Mission Force (CMF)." 

Department of Defense, The DOD Cyber Strategy, April 17, 2015. Unclassified.
Document Source: www.defense.gov

The two main components of this strategy document are the identification of five strategic goals (including establishing forces and capabilities to conduct cyberspace operations and the ability to defend against disruptive or destructive cyber attacks) and the implementation objectives associated with the strategic goals. 

U.S. Coast Guard, United States Coast Guard Cyber Strategy, June 2015. Unclassified.
Document Source: www.uscg.mil/seniorleadership/DOCS/cyber.pdf

This document identifies the three key elements of the Coast Guard cyber strategy - defending cyberspace, enabling Coast Guard operations (including intelligence and law enforcement operations), and protecting infrastructure (including critical maritime infrastructure and the Maritime Transportation System). 

U.S. Cyber Command, Beyond the Build: Delivering Outcomes through Cyberspace - The Commander's Vision and Guidance for US Cyber Command, June 3, 2015. Unclassified.
Document Source: www.defense.gov

This vision document identifies key objectives for the U.S. Cyber Command (including integrating cyberspace operations in support of joint force operations), and identifies the "enablers" that are expected to allow achievement of those objectives.

No comments: