Offensive Cyber Operations in US Military Doctrine
A newly disclosed Department of Defense doctrinal publication acknowledges the reality of offensive cyberspace operations, and provides a military perspective on their utility and their hazards.
Attacks in cyberspace can be used “to degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time.” Or they can be used “to control or change the adversary’s information, information systems, and/or networks in a manner that supports the commander’s objectives.”
However, any offensive cyber operations (OCO) must be predicated on “careful consideration of projected effects” and “appropriate consideration of nonmilitary factors such as foreign policy implications.”
“The growing reliance on cyberspace around the globe requires carefully controlling OCO, requiring national level approval,” according to the newly disclosed Cyberspace Operations, Joint Publication 3-12(R).
That publication was first issued by the Joint Chiefs of Staff as a SECRET document in February 2013 (as JP 3-12, without the R). But this week it was reissued as a public document. It is unclear whether the public document has been redacted or modified for release.
The discussion of “offensive cyberspace operations” in the original, classified version of JP 3-12 led to adoption of that term in the official DoD lexicon for the first time in March 2013, where it has remained through the latest edition.
Offensive cyberspace operations (OCO) are “intended to project power by the application of force in and through cyberspace. OCO will be authorized like offensive operations in the physical domains, via an execute order (EXORD).”
The DoD document is fairly candid about the challenges and limitations of cyberspace operations.
“Activities in cyberspace by a sophisticated adversary may be difficult to detect” and to attribute to their source. Yet such detection and attribution capabilities are “critical” for enabling offensive and defensive cyberspace operations.
By the same token, “first-order effects of [US cyberspace operations] are often subtle, and assessment of second- and third-order effects can be difficult,” requiring “significant intelligence capabilities and collection efforts” to evaluate.
Not only that, but US cyberspace operations “could potentially compromise intelligence collection activities. An IGL [Intelligence Gain/Loss] assessment is required prior to executing a CO to the maximum extent practicable.”
In any event, offensive cyber operations are to be used discriminatingly. “Military attacks will be directed only at military targets. Only a military target is a lawful object of direct attack.” But military targets are defined broadly as “those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”
Meanwhile, there are persistent vulnerabilities inherent in DoD information systems, DoD said. “Many critical [US] legacy systems are not built to be easily modified or patched. As a result, many of the risks incurred across DOD are introduced via unpatched (and effectively unpatchable) systems on the DODIN [DoD Information Network].”
The risks are increased because “DOD classified and unclassified networks are targeted by myriad actions, from foreign nations to malicious insiders.”
“Insider threats are one of the most significant threats to the joint force,” the DoD document said. “Whether malicious insiders are committing espionage, making a political statement, or expressing personal disgruntlement, the consequences for DOD, and national security, can be devastating.”
Overall, “Developments in cyberspace provide the means for the US military, its allies, and partner nations to gain and maintain a strategic, continuing advantage,” the Cyberspace Operations publication said.
But “access to the Internet provides adversaries the capability to compromise the integrity of US critical infrastructures in direct and indirect ways.”
These features represent “a paradox within cyberspace: the prosperity and security of our nation have been significantly enhanced by our use of cyberspace, yet these same developments have led to increased vulnerabilities….”
Investing in interventions behind the walls is not just a matter of improving conditions for incarcerated individuals—it is a public safety and economic imperative. By reducing recidivism through education and family contact, we can improve reentry outcomes and save billions in taxpayer dollars.
The U.S. government should establish a public-private National Exposome Project (NEP) to generate benchmark human exposure levels for the ~80,000 chemicals to which Americans are regularly exposed.
The federal government spends billions every year on wildfire suppression and recovery. Despite this, the size and intensity of fires continues to grow, increasing costs to human health, property, and the economy as a whole.
To respond and maintain U.S. global leadership, USAID should transition to heavily favor a Fixed-Price model to enhance the United States’ ability to compete globally and deliver impact at scale.