SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2014, Issue No. 70
October 22, 2014

Secrecy News Blog: http://fas.org/blogs/secrecy/

OFFENSIVE CYBER OPERATIONS IN US MILITARY DOCTRINE

A newly disclosed Department of Defense doctrinal publication acknowledges the reality of offensive cyberspace operations, and provides a military perspective on their utility and their hazards.

Attacks in cyberspace can be used "to degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time." Or they can be used "to control or change the adversary's information, information systems, and/or networks in a manner that supports the commander's objectives."

However, any offensive cyber operations (OCO) must be predicated on "careful consideration of projected effects" and "appropriate consideration of nonmilitary factors such as foreign policy implications."

"The growing reliance on cyberspace around the globe requires carefully controlling OCO, requiring national level approval," according to "Cyberspace Operations," Joint Publication 3-12(R).

That publication was first issued by the Joint Chiefs of Staff as a SECRET document in February 2013 (as JP 3-12, without the R). But this week it was reissued as a public document. It is unclear whether the public document has been redacted or modified for release.

The discussion of "offensive cyberspace operations" in the original, classified version of JP 3-12 led to adoption of that term in the official DoD lexicon for the first time in March 2013, where it has remained through the latest edition.

Offensive cyberspace operations (OCO) are "intended to project power by the application of force in and through cyberspace. OCO will be authorized like offensive operations in the physical domains, via an execute order (EXORD)."

The DoD document is fairly candid about the challenges and limitations of cyberspace operations.

"Activities in cyberspace by a sophisticated adversary may be difficult to detect" and to attribute to their source. Yet such detection and attribution capabilities are "critical" for enabling offensive and defensive cyberspace operations.

By the same token, "first-order effects of [US cyberspace operations] are often subtle, and assessment of second- and third-order effects can be difficult," requiring "significant intelligence capabilities and collection efforts" to evaluate.

Not only that, but US cyberspace operations "could potentially compromise intelligence collection activities. An IGL [Intelligence Gain/Loss] assessment is required prior to executing a CO to the maximum extent practicable."

In any event, offensive cyber operations are to be used discriminatingly. "Military attacks will be directed only at military targets. Only a military target is a lawful object of direct attack." But military targets are defined broadly as "those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage."

Meanwhile, there are persistent vulnerabilities inherent in DoD information systems, DoD said. "Many critical [US] legacy systems are not built to be easily modified or patched. As a result, many of the risks incurred across DOD are introduced via unpatched (and effectively unpatchable) systems on the DODIN [DoD Information Network]."

The risks are increased because "DOD classified and unclassified networks are targeted by myriad actions, from foreign nations to malicious insiders."

"Insider threats are one of the most significant threats to the joint force," the DoD document said. "Whether malicious insiders are committing espionage, making a political statement, or expressing personal disgruntlement, the consequences for DOD, and national security, can be devastating."

Overall, "Developments in cyberspace provide the means for the US military, its allies, and partner nations to gain and maintain a strategic, continuing advantage," the Cyberspace Operations publication said.

But "access to the Internet provides adversaries the capability to compromise the integrity of US critical infrastructures in direct and indirect ways."

These features represent "a paradox within cyberspace: the prosperity and security of our nation have been significantly enhanced by our use of cyberspace, yet these same developments have led to increased vulnerabilities...."


NEW AUTHORIZATION FOR USE OF MILITARY FORCE?, MORE FROM CRS

New publications from the Congressional Research Service that Congress has withheld from online public disclosure include the following.

A New Authorization for Use of Military Force Against the Islamic State: Comparison of Current Proposals in Brief, October 21, 2014:

U.S. Citizens Kidnapped by the Islamic State, CRS Insights, October 17, 2014:

Smartphone Data Encryption: A Renewed Boundary for Law Enforcement?, CRS Insights, October 17, 2014:

******************************

Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.

The Secrecy News blog is at:
      http://fas.org/blogs/secrecy/

To SUBSCRIBE to Secrecy News, go to:
     http://fas.org/sgp/news/secrecy/subscribe.html

To UNSUBSCRIBE, go to:
      http://fas.org/sgp/news/secrecy/unsubscribe.html

OR email your request to saftergood@fas.org

Secrecy News is archived at:
      http://www.fas.org/sgp/news/secrecy/index.html

SUPPORT the FAS Project on Government Secrecy with a donation here:
      https://fas.org/join/