Offensive Cyber Operations in US Military Doctrine

A newly disclosed Department of Defense doctrinal publication acknowledges the reality of offensive cyberspace operations, and provides a military perspective on their utility and their hazards.

Attacks in cyberspace can be used “to degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time.” Or they can be used “to control or change the adversary’s information, information systems, and/or networks in a manner that supports the commander’s objectives.”

However, any offensive cyber operations (OCO) must be predicated on “careful consideration of projected effects” and “appropriate consideration of nonmilitary factors such as foreign policy implications.”

“The growing reliance on cyberspace around the globe requires carefully controlling OCO, requiring national level approval,” according to the newly disclosed Cyberspace Operations, Joint Publication 3-12(R).

That publication was first issued by the Joint Chiefs of Staff as a SECRET document in February 2013 (as JP 3-12, without the R). But this week it was reissued as a public document. It is unclear whether the public document has been redacted or modified for release.

The discussion of “offensive cyberspace operations” in the original, classified version of JP 3-12 led to adoption of that term in the official DoD lexicon for the first time in March 2013, where it has remained through the latest edition.

Offensive cyberspace operations (OCO) are “intended to project power by the application of force in and through cyberspace. OCO will be authorized like offensive operations in the physical domains, via an execute order (EXORD).”

The DoD document is fairly candid about the challenges and limitations of cyberspace operations.

“Activities in cyberspace by a sophisticated adversary may be difficult to detect” and to attribute to their source. Yet such detection and attribution capabilities are “critical” for enabling offensive and defensive cyberspace operations.

By the same token, “first-order effects of [US cyberspace operations] are often subtle, and assessment of second- and third-order effects can be difficult,” requiring “significant intelligence capabilities and collection efforts” to evaluate.

Not only that, but US cyberspace operations “could potentially compromise intelligence collection activities. An IGL [Intelligence Gain/Loss] assessment is required prior to executing a CO to the maximum extent practicable.”

In any event, offensive cyber operations are to be used discriminatingly. “Military attacks will be directed only at military targets. Only a military target is a lawful object of direct attack.” But military targets are defined broadly as “those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”

Meanwhile, there are persistent vulnerabilities inherent in DoD information systems, DoD said. “Many critical [US] legacy systems are not built to be easily modified or patched. As a result, many of the risks incurred across DOD are introduced via unpatched (and effectively unpatchable) systems on the DODIN [DoD Information Network].”

The risks are increased because “DOD classified and unclassified networks are targeted by myriad actions, from foreign nations to malicious insiders.”

“Insider threats are one of the most significant threats to the joint force,” the DoD document said.  “Whether malicious insiders are committing espionage, making a political statement, or expressing personal disgruntlement, the consequences for DOD, and national security, can be devastating.”

Overall, “Developments in cyberspace provide the means for the US military, its allies, and partner nations to gain and maintain a strategic, continuing advantage,” the Cyberspace Operations publication said.

But “access to the Internet provides adversaries the capability to compromise the integrity of US critical infrastructures in direct and indirect ways.”

These features represent “a paradox within cyberspace: the prosperity and security of our nation have been significantly enhanced by our use of cyberspace, yet these same developments have led to increased vulnerabilities….”

Insider Threat Program Advances, Slowly

Nearly two years after President Obama issued a National Insider Threat Policy “to strengthen the protection and safeguarding of classified information” against espionage or unauthorized disclosure, the effort is still at an early stage of development.

Only last week, the U.S. Air Force finally issued a directive to implement the 2012 Obama policy. (AF Instruction 16-1402, Insider Threat Program Management). And even now it speaks prospectively of what the program “will” do rather than what it has done or is doing.

The new Air Force Instruction follows similar guidance issued last year by the Army and the Navy.

The Air Force Insider Threat Program includes several intended focus areas, including continuous evaluation of personnel, auditing of government computer networks, and procedures for reporting anomalous behavior.

“Procedures must be in place that support continuous evaluation of personnel to assess their reliability and trustworthiness,” the AF Instruction says.

Such continuous evaluation procedures may eventually sweep broadly over many domains of public and private information, but they are not yet in place.

“There are a number of ongoing pilot studies to assess the feasibility of select automated records checks and the utility of publicly available electronic information, to include social media sites, in the personnel security process,” said Brian Prioletti of the Office of the Director of National Intelligence in testimony before the House Homeland Security Committee last November.

The Air Force directive also encourages reporting of unusual behavior by potential insider threats.

“Insider threat actors typically exhibit concerning behavior,” the directive says. But this is not self-evidently true in all cases, and the directive does not provide examples of “concerning behavior.”

A Department of Defense training module recently identified expressions of “unhappiness with U.S. foreign policy” as a potential threat indicator, the Huffington Post reported last week. (“Pentagon Training Still Says Dissent Is A Threat ‘Indicator'” by Matt Sledge, August 4.) If so, that criterion would not narrow the field very much.

The “CORRECT Act” (HR5240) that was introduced last month by Rep. Bennie Thompson and Sen. Ron Wyden would require any insider threat program to meet certain standards of fairness and employee protection, and “to preserve the rights and confidentiality of whistleblowers.”

That message may have been partially internalized already. The terms “civil liberties” and “whistleblowers” are each mentioned four times in the eight-page Air Force Instruction.

Identity Intelligence and Special Operations

“Identity intelligence” is a relatively new intelligence construct that refers to the analysis and use of personal information, including biometric and forensic data among others, to identify intelligence targets of interest and to deny them anonymity.

The term began to appear a few years ago and was included, for example, in a 2012 Defense Intelligence Agency briefing package. Since then it has quickly propagated throughout U.S. military and intelligence operations.

Identity intelligence (or I2) was included for the first time in published U.S. military doctrine in the October 2013 edition of Joint Publication (JP) 2-0 on Joint Intelligence, which elaborated on the concept. Identity intelligence is used, JP 2-0 said, “to discover the existence of unknown potential threat actors by connecting individuals to other persons, places, events, or materials, analyzing patterns of life, and characterizing their level of potential threats to US interests.”

(“Identity intelligence” also appeared in an undated Top Secret document that was disclosed by Edward Snowden and published in excerpted form by the New York Times on May 31, 2014.)

Most recently, an updated U.S. Department of Defense publication on special operations noted this month that “Identity intelligence products enable real-time decisions in special operations worldwide.”

The new DoD doctrine on Special Operations — Joint Publication 3-05, dated 16 July 2014 — includes further discussion of identity intelligence (I2) in the special operations context:

“I2 is the collection, analysis, exploitation, and management of identity attributes and associated technologies and processes. The identification process utilizes biometrics-enabled intelligence (BEI), forensics-enabled intelligence (FEI), information obtained through document and media exploitation (DOMEX), and combat information and intelligence to identify a person or members of a group.”

“I2 fuses identity attributes (biological, biographical, behavioral, and reputational information related to individuals) and other information and intelligence associated with those attributes collected across all intelligence disciplines….”

“USSOCOM [US Special Operations Command] exploits biometric, forensic, document and media data collections and integrates the data with all-source intelligence to locate and track unattributed identities across multiple or disparate instances. Intelligence collections are processed through the appropriate DOD and interagency databases, exploited to produce intelligence, and then disseminated to deployed SOF and throughout the interagency. I2 products enable real-time decisions in special operations worldwide.”

*    *    *

Identity intelligence aside, the new Joint Publication 3-05 provides an informative account of the role of special operations, along with some notable changes from previous special operations doctrine.

“Special operations require unique modes of employment, tactics, techniques, procedures, and equipment. They are often conducted in hostile, denied, or politically and/or diplomatically sensitive environments, and are characterized by one or more of the following: time-sensitivity, clandestine or covert nature, low visibility, work with or through indigenous forces, greater requirements for regional orientation and cultural expertise, and a higher degree of risk,” JP 3-05 says.

The previous edition of this publication (dated 2011) had identified 11 core activities for special operations: direct action, special reconnaissance, counterproliferation of weapons of mass destruction, counterterrorism, unconventional warfare, foreign internal defense, security force assistance, counterinsurgency, information operations (IO), military information support operations (MISO), and civil affairs operations.

The new edition adds a 12th mission that up to now had not been considered a core activity: hostage rescue and recovery.

“Hostage rescue and recovery operations are sensitive crisis response missions in response to terrorist threats and incidents. Offensive operations in support of hostage rescue and recovery can include the recapture of US facilities, installations, and sensitive material overseas,” the new JP 3-05 states.

Army Doctrine on Geospatial Engineering

Those who are involved (or merely interested) in the field of geospatial intelligence will want to know about a new Army doctrinal publication on the subject.

“Geospatial intelligence is the exploitation and analysis of imagery and geospatial information to describe, assess, and visually depict physical features and geographically referenced activities on the earth. Geospatial intelligence consists of imagery, imagery intelligence, and geospatial information.”

The new publication provides a comprehensive introduction to the theory and practice of the field. See Geospatial Engineering, ATP 3-34.80, June 2014 (very large pdf).

Army Directive Prohibits Retaliation for Reporting a Crime

The Secretary of the Army last week issued a directive specifying that retaliating against someone for reporting a crime is itself a crime.

“No Soldier may retaliate against a victim, an alleged victim or another member of the Armed Forces based on that individual’s report of a criminal offense,” the new Directive states. See Prohibition of Retaliation Against Soldiers for Reporting a Criminal Offense, Army Directive 2014-20, June 19, 2014.

Prohibited forms of retaliation include adverse personnel actions and ostracism, as well as “acts of cruelty, oppression or maltreatment.”

The directive implements a requirement that was enacted by Congress in the 2014 defense authorization act (section 1709) as part of a legislative response to instances of sexual assault in the military.

US Army Reflections on the Value of Military History

Far from being a subject of merely antiquarian interest, military history is an essential tool for training of soldiers and for institutional accountability, according to newly updated Army doctrine.

But only if it is done right.

In Military History Operations (ATP 1-20, June 2014), the Army discusses what military history is for, its development over time, and the proper way to produce it. Some excerpts:

“The history of Army operations and activities is not documented or written for public affairs purposes. It is not shaped to reflect particular viewpoints, programmatic goals, or institutional agendas. In the past, military organizations and commands exaggerated achievements of individuals, units, or systems while downplaying setbacks. Army field historians guard against these instances and ensure that historical documents, reports, and official histories reflect a full accounting of operations or institutional developments as they occur. Anything less is a disservice to the Soldiers and Army civilians whose actions are documented, those who must learn from them, and to the integrity of the Army as a whole.”

“History cannot be fabricated. Any fabrication corrupts tradition, professional education, and tradition. The integrity and standing of Army history, gained over nearly a century of recognized excellence, can be permanently damaged. The Army is best served by the careful and unbiased recording and analysis of the past. To prevent any potential damages from occurring, the collection, research, and writing of Army history is based on impartiality, objectivity, and accuracy.”

“Historical writing is clear, concise, organized, and to the point. Some historians fail to communicate well. They confuse rather than clarify, are wordy rather than concise, and hide main ideas rather than getting to the point. Good writers communicate in plain English and choose words with care to convey meaning. They avoid trite or vague phrases; stale figures of speech; jargon; acronyms; and pompous, high-sounding, and self-conscious literary language. Historical narratives are in active voice, use strong nouns and verbs, and include short vignettes to illustrate points or enliven the narrative. However, they should not embellish or glorify events or offer judgments of individuals or actions. The narrative recounts events as each one occurred.”

The new doctrine instructs Army historians to maintain awareness of captured enemy documents, and encourages them to seek out non-traditional and unofficial historical resources (like the private video and photographic images that were recently the subject of a classification complaint):

“Both official and unofficial photographs and video imagery enhances historical document collections and [are] included in historical document collections. Combat camera teams and public affairs photographers take official photographs and video imagery and provide copies to command and unit historians or military history detachments (MHD). Additionally, many Soldiers carry digital cameras, video recorders, or mobile phones with cameras and video capabilities. The field historian searches for unofficial photographs and videos of potential historical value. This search includes accessing social media sites, personal blogs, and photo-sharing sites.”

“Military history does not produce solutions for problems and does not guarantee success on the battlefield. An approach with these goals leads to frustration and biased or inaccurate history. Rather, military history affords an understanding of the dynamics to shape the present and [provides] soldiers the perspective of viewing current and future problems with ideas of how similar challenges were confronted in the past.”

“If history rarely provides concrete answers, it offers insight and understanding. It promotes how to think and not what to think,” the Army publication said.

DoD Ops in a C4ISR-Denied Environment, and More

The Department of Defense prepares and trains for military operations in environments in which communications and surveillance are denied or obstructed, a new report to Congress says.

Combatant commanders “spend many man-hours… developing frameworks and procedures for using alternative methods, diversifying communications paths and media, and pursuing the ability to use distributed operations in a denied environment.”

The issue was summarily addressed in a mandatory report to Congress on “Joint Strategy for Readiness and Training in a Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) Denied Environment.” The brief, unclassified report was transmitted to Congress in February 2014 and released under the Freedom of Information Act this week.

Somewhat relatedly, a declassified 1971 memorandum from the National Reconnaissance Office addressed the subject of “avoidance of coorbital intercept,” or anti-anti-satellite operations.

The subject was highly sensitive at the time. “Any action on our part which demonstrates the possibility that we possess the ability to evade a coorbital intercept… is potentially compromising of the great efficacy of U.S. satellite collection capability in this area.”

Unrelatedly, but notably, the Federal Judicial Center has published a compilation of “protective orders” that were issued by courts in national security criminal cases, including espionage trials and leak cases, over the past 15 years.  See National Security Prosecutions: Protective Orders, April 2014.


Army Updates Counterinsurgency Doctrine

“Without accurate and predictive intelligence, it is often better to not act than to act.”

That note of prudence and restraint recurs throughout the newly revised U.S. Army Field Manual 3-24 on “Insurgencies and Countering Insurgencies” that was published this month.

The new manual replaces the celebrated 2006 edition of FM 3-24 (then simply entitled “Counterinsurgency”) associated with Gen. David Petraeus, who coordinated its development.  That earlier manual may have been the most popular and widely read U.S. military doctrinal publication ever released.

The new edition builds upon rather than rescinds its predecessor. Some of the changes are subtle, extending even to the definition of “insurgency.”

The 2006 edition defined insurgency as “An organized movement aimed at the overthrow of a constituted government through the use of subversion and armed conflict.” In the new edition, insurgency now means “The organized use of subversion and violence to seize, nullify, or challenge political control of a region.” The reference to a government has been removed in the new definition, and insurgency is conceived as a tactic rather than a movement.

To a lay reader, the new Field Manual presents a becoming modesty about the utility of violent action, along with a sensitivity to the specifics of every conflict, and an alertness to ethical norms and legal requirements. A few excerpts:

“The conclusion of any counterinsurgency effort is primarily dependent on the host nation and the people who reside in that nation. Ultimately, every society has to provide solutions to its own problems. As such, one of the Army and Marine Corps’ primary roles in counterinsurgency is to enable the host nation.”

“The general rule for the use of force for the counterinsurgents is ‘do not create more enemies than you eliminate with your action’.”

“Effective counterinsurgency commanders tell the truth; they refuse to give projections; and they do not promise more than can be provided.”

“Although most well-led and well-trained U.S. military personnel perform their duties honorably and lawfully, some will commit various crimes, including violations of the law of war…. All reportable incidents committed by or against U.S. personnel, enemy persons, or any other individual must be reported promptly, investigated thoroughly, and, where appropriate, remedied by corrective action.”

Remarkably, the Army invited external input in 2011 from the public (or at least from “practitioners, scholars, and agency partners”) in the development of the revised Field Manual.

The new manual, like the previous one, has drawn criticism in some quarters for emphasizing the role of soft power at the expense of lethality and traditional warfighting.

“The 2014 FM hurtles down the wrong track,” wrote former Reagan defense official Bing West. “It offers no advice about resolve, cohesion, morale, ferocity, trust and victory…. If we cannot put our enemies six feet in the ground and infuse that same fierce, implacable, winning spirit into the host nation forces, friendly persuasion and development aid will be seen by our enemies as weakness and fecklessness,” he wrote in Small Wars Journal on May 14.

But perhaps the severest criticism of U.S. counterinsurgency doctrine derives from actual record of counterinsurgency programs. The continuing violence and instability in Iraq and Afghanistan would seem to indicate that existing counterinsurgency doctrine is either misconceived or that, for whatever reason, it cannot be effectively implemented.

Army Views Emerging Intelligence Technologies

“Emerging Intelligence Technologies” is the theme of the latest issue of the U.S. Army’s Military Intelligence Professional Bulletin (MIPB), January-March 2014.

“Rapid technology developments in response to urgent wartime requirements have brought the intelligence community (IC) some tremendous new capabilities. Advancement in the areas of biometrics, battlefield forensics, miniaturization, SIGINT terminal guidance, DCGS-A, and distributed processing have been vital to the success of Military Intelligence (MI) and the Army,” wrote Maj. Gen. Robert P. Ashley.

“This issue of MIPB looks at several of these capabilities and their integration into our formations.”

The new Bulletin was obtained under the Freedom of Information Act.

U.S. Military Given Secret “Execute Order” on Cyber Operations

Last June, the Chairman of the Joint Chiefs of Staff issued a classified “execute order” to authorize and initiate a military operation.

The nature, scope and duration of the military operation could not immediately be determined — even the title of the order is classified — but it evidently pertains to the conduct of military cyberspace activities.

The existence of the previously undisclosed execute order was revealed last week in a new Air Force Instruction.

“Classified processes governing C2 [command and control] of AF [Air Force] offensive and defensive cyberspace operations conducted by AF Cyber Mission Forces are addressed in a classified CJCS [Chairman, Joint Chiefs of Staff] Execute Order (title classified) issued on 21 Jun 13,” said Air Force Instruction 10-1701, entitled “Command and Control (C2) for Cyberspace Operations,” dated 5 March 2014.

An execute order goes beyond planning or preparation for conflict, and represents the commencement of a military operation.

The formal definition of an execute order (or EXORD) is “an order issued by the Chairman of the Joint Chiefs of Staff, at the direction of the Secretary of Defense, to implement a decision by the President to initiate military operations,” according to the official Department of Defense Dictionary of Military and Associated Terms (JP 1-02).

“Execution begins when the President decides to use a military option to resolve a crisis,” according to Joint Publication 5-0 on Joint Operation Planning. “Only the President or SecDef can authorize the CJCS to issue an execute order (EXORD).

“Execution continues until the operation is terminated or the mission is accomplished.”

“The CJCS-published EXORD defines the unnamed day on which operations commence or are scheduled to commence (D-day) and the specific time an operation begins (H-hour) and directs execution of the OPORD [operation order].”

“The CJCS’s EXORD is a record communication that authorizes execution of the COA [course of action] approved by the President or SecDef and detailed in the supported commander’s OPORD,” explained JP 5-0.

In response to questions from the Senate Armed Services Committee, Vice Adm. Michael S. Rogers, the nominee for Commander, US Cyber Command (and Director, NSA), said that “Geographic combatant commanders already have authority to direct and execute certain Defensive Cyberspace Operations (DCO) within their own networks.”

Judging from the new Air Force Instruction, however, the June 2013 execute order extends to offensive cyberspace operations as well.

All or most execute orders naturally start out as classified documents. But sooner or later, they are declassified.

A March 2011 execute order for Libya Contingency Operations can be seen here.

A January 1991 execute order for Operation Desert Storm, incongruously signed “Warm Regards, Colin Powell,” is here.

A rare reference to another currently classified execute order appeared in a paper published in Joint Force Quarterly (issue 69, April 2013, p. 53): “In compliance with the guidelines outlined in the Global Response Force Execute Order, JCSE [Joint Communications Support Element] maintains an alert-postured force that can deploy and have its communications packages fully operational within hours of notification for an emerging requirement.” That execute order dates from September 2012, and is classified Secret.

The Senate Armed Services Committee asked Adm. Rogers whether there was a need for greater transparency concerning “the nature of cyber warfare, and the balance between offensive and defensive capabilities.”

Adm. Rogers replied: “I believe the recent disclosures of a large portion of our intelligence and military operational history may provide us with [an] opportunity to engage both the American public and our international partners in discussion of the balance of offense and defense, the nature of cyber warfare, norms of accepted and unacceptable behavior in cyberspace, and so forth.”

“As cyberspace matures as a warfighting domain, I believe our classification policies will also evolve to support growing domestic and international partnerships and relationships,” Adm. Rogers wrote.