DoD Cyber Operations, and More from CRS

A new report from the Congressional Research Service presents an introduction to U.S. military operations in cyberspace and the thorny policy issues that arise from them.

“This report presents an overview of the threat landscape in cyberspace, including the types of offensive weapons available, the targets they are designed to attack, and the types of actors carrying out the attacks. It presents a picture of what kinds of offensive and defensive tools exist and a brief overview of recent attacks. The report then describes the current status of U.S. capabilities, and the national and international authorities under which the U.S. Department of Defense carries out cyber operations.”

The Department of Defense requested $5.1 billion for “cybersecurity” in 2015, the CRS report noted. Cybersecurity here includes funding for cyberspace operations, information assurance, U.S. Cyber Command, the National Cybersecurity Initiative, and related functions. See Cyber Operations in DoD Policy and Plans: Issues for Congress, January 5, 2015.

(The CRS report includes only a capsule summary description of the Stuxnet episode.  A fuller account is presented in Kim Zetter’s gripping book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.)

Other noteworthy new and updated CRS reports that Congress has withheld from online public distribution include the following.

State Sponsors of Acts of International Terrorism–Legislative Parameters: In Brief, December 24, 2014

The President’s Immigration Accountability Executive Action of November 20, 2014: Overview and Issues, January 8, 2015

Proposed Retirement of A-10 Aircraft: Background in Brief, January 5, 2015

American War and Military Operations Casualties: Lists and Statistics, January 2, 2015

A Shift in the International Security Environment: Potential Implications for Defense–Issues for Congress, December 31, 2014

Secret Sessions of the House and Senate: Authority, Confidentiality, and Frequency, December 30, 2014

Navy Littoral Combat Ship (LCS) Program: Background and Issues for Congress, December 24, 2014

Navy Shipboard Lasers for Surface, Air and Missile Defense: Background and Issues for Congress, December 23, 2014

Definitions of “Inherently Governmental Function” in Federal Procurement Law and Guidance, December 23, 2014

Congressional Careers: Service Tenure and Patterns of Member Service, 1789-2015, January 3, 2015

The Congressional Research Service has never been more frequently cited or more influential in informing public discourse than it is today, as its publications are increasingly shared with the public in violation of official policy.

But budget cuts and congressional dysfunction seem to have bred discontent among some staff members, judging from an article by former CRS analyst Kevin R. Kosar.

“Thanks to growing pressure from a hyper-partisan Congress, my ability to write clearly and forthrightly about the problems of government–and possible solutions–was limited. And even when we did find time and space to do serious research, lawmakers ignored our work or trashed us if our findings ran contrary to their beliefs. When no legislation is likely to move through the system, there’s simply not much market for the work the CRS, at its best, can do,” he wrote. See “Why I Quit the Congressional Research Service,” Washington Monthly, January/February 2015.

Offensive Cyber Operations in US Military Doctrine

A newly disclosed Department of Defense doctrinal publication acknowledges the reality of offensive cyberspace operations, and provides a military perspective on their utility and their hazards.

Attacks in cyberspace can be used “to degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time.” Or they can be used “to control or change the adversary’s information, information systems, and/or networks in a manner that supports the commander’s objectives.”

However, any offensive cyber operations (OCO) must be predicated on “careful consideration of projected effects” and “appropriate consideration of nonmilitary factors such as foreign policy implications.”

“The growing reliance on cyberspace around the globe requires carefully controlling OCO, requiring national level approval,” according to the newly disclosed Cyberspace Operations, Joint Publication 3-12(R).

That publication was first issued by the Joint Chiefs of Staff as a SECRET document in February 2013 (as JP 3-12, without the R). But this week it was reissued as a public document. It is unclear whether the public document has been redacted or modified for release.

The discussion of “offensive cyberspace operations” in the original, classified version of JP 3-12 led to adoption of that term in the official DoD lexicon for the first time in March 2013, where it has remained through the latest edition.

Offensive cyberspace operations (OCO) are “intended to project power by the application of force in and through cyberspace. OCO will be authorized like offensive operations in the physical domains, via an execute order (EXORD).”

The DoD document is fairly candid about the challenges and limitations of cyberspace operations.

“Activities in cyberspace by a sophisticated adversary may be difficult to detect” and to attribute to their source. Yet such detection and attribution capabilities are “critical” for enabling offensive and defensive cyberspace operations.

By the same token, “first-order effects of [US cyberspace operations] are often subtle, and assessment of second- and third-order effects can be difficult,” requiring “significant intelligence capabilities and collection efforts” to evaluate.

Not only that, but US cyberspace operations “could potentially compromise intelligence collection activities. An IGL [Intelligence Gain/Loss] assessment is required prior to executing a CO to the maximum extent practicable.”

In any event, offensive cyber operations are to be used discriminatingly. “Military attacks will be directed only at military targets. Only a military target is a lawful object of direct attack.” But military targets are defined broadly as “those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”

Meanwhile, there are persistent vulnerabilities inherent in DoD information systems, DoD said. “Many critical [US] legacy systems are not built to be easily modified or patched. As a result, many of the risks incurred across DOD are introduced via unpatched (and effectively unpatchable) systems on the DODIN [DoD Information Network].”

The risks are increased because “DOD classified and unclassified networks are targeted by myriad actions, from foreign nations to malicious insiders.”

“Insider threats are one of the most significant threats to the joint force,” the DoD document said.  “Whether malicious insiders are committing espionage, making a political statement, or expressing personal disgruntlement, the consequences for DOD, and national security, can be devastating.”

Overall, “Developments in cyberspace provide the means for the US military, its allies, and partner nations to gain and maintain a strategic, continuing advantage,” the Cyberspace Operations publication said.

But “access to the Internet provides adversaries the capability to compromise the integrity of US critical infrastructures in direct and indirect ways.”

These features represent “a paradox within cyberspace: the prosperity and security of our nation have been significantly enhanced by our use of cyberspace, yet these same developments have led to increased vulnerabilities….”

NSA Releases NSPD-54 on Cybersecurity Policy

In January 2008, the Bush Administration issued the Top Secret National Security Presidential Directive 54 on Cybersecurity Policy which “establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace.”

Despite its relevance to a central public policy issue, both the Bush and Obama Administrations had refused to release the Directive.

But last week, in response to a five-year Freedom of Information Act effort by the Electronic Privacy Information Center, the National Security Agency released a lightly redacted version of the document, most of which had been unclassified all along.

“This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability,” said EPIC in its release of the document.

FAS Joins Emerging Threats Working Group

Appointment provides a unique opportunity for FAS to collaborate with NATO and other Euro-Atlantic states to better address the emerging security threats arising from science and technology breakthroughs.

The rapid pace of scientific discovery and technological innovation demands the redoubling of efforts by scientists, policymakers, non-governmental experts, and the business community to adapt to the security implications. That is why FAS is pleased to announce that Michael Edward Walsh, the Adjunct Fellow for Emerging Technologies and High-end Threats at the Federation of American Scientists (FAS), was recently named to the Partnership for Peace Consortium of Defense Academies and Security Studies Institutes (PfPC) Working Group on Emerging Security Challenges.

Up for Debate: Cybersecurity

Mr. Joe Costa of the Cohen Group, Dr. James Lewis of the Center for Strategic and International Studies (CSIS), and Dr. Martin Libicki of the RAND Corporation debate how the United States should operate within the cyber domain.

Debate: How Should the United States Operate in the Cyber Domain?

The United States has incorporated cyber security into its foreign policy, using the Stuxnet worm to destroy nearly 1,000 Iranian centrifuges in June 2012. Countries such as Iran are also using cyber technologies to cause disruptions such as the October 2012 cyberattacks on U.S. banks. With the growing threat of cyber attacks, how should the U.S. operate in this arena? Has cyber warfare made the United States more or less safe?



Mr. Joe Costa, The Cohen Group

The consequences of a nuclear-armed Iran to international peace and security are so severe that any responsible country must exhaust all options short of war to prevent that outcome.  The narrow and direct use of cyberweapons against Tehran is an additional policy tool to resolve the Iranian nuclear challenge diplomatically. To mitigate the long-term dangers created by cyberattacks, the United States has taken important first steps, and must continue to advance an international conversation that will place appropriate constraints on offensive cyberspace operations.

By the time President Obama assumed office in January 2009, Iran had amassed nearly a bomb’s worth of low-enriched uranium. It had the technical capability to turn this material into weapons-usable fuel if a decision was made to do so. Negotiations with Tehran had failed on multiple occasions over the previous six years. The United States had intelligence that Iran was developing a second covert enrichment plant with no civilian application under the hardened mountains of Qom. Israel was sending a clear and direct message that there was limited time remaining before it may launch a military strike.

The President was approaching a choice between two worst-case scenarios: the possibility that a nuclear-armed Iran could emerge under his watch; or, that a military conflict in the Middle East would occur to prevent that outcome. Both would have catastrophic consequences for global stability.

It was under these circumstances that a malicious worm reportedly developed by the United States and Israel infiltrated Iran’s computer network at the Natanz enrichment plant and disrupted 20% of its operating centrifuges. Nearly a year later, a separate virus collected information from the personal computers of senior Iranian officials. A third wiped out data at Iran’s Oil Ministry, forcing the government to temporarily disconnect some of its oil terminals from the Internet.

These cyberattacks served several useful purposes. The so-called Stuxnet virus that struck Iran’s spinning centrifuges temporarily delayed the program and created a slightly longer window of time to assemble a diplomatic resolution to the crisis. More importantly, they demonstrated to Israel that there was credible determination to delay a nuclear-armed Iran and thereby contributed to holding off a potential military strike.

The Flame virus secretly gathered sensitive information from the personal computers of high-ranking Iranian officials. Acquiring real-time intelligence is critical in identifying potential threats before they evolve and demonstrating to the Iranian leadership that they are being watched 24-hours a day, seven days a week. The Supreme Leader is much less likely to pursue a nuclear weapon if he believes there is a high probability of getting caught.

These tangible benefits have come at a cost. Due to a programming glitch, the Stuxnet virus was released to the world.  It is now accessible by states or individuals who do not have the U.S.’s best interest in mind.

In 2011, Iran’s military created a cyber unit that U.S. officials believe is behind recent cyberattacks that knocked some U.S. banks offline, and rendered useless 30,000 computers at Saudi Arabia’s state oil company, Aramco, in what Secretary of Defense Leon Panetta called, “The most destructive attack that the private sector has seen to date.” Soon after, a similar virus shut down the website and e-mail servers of Qatar’s national energy company, RasGas.

The danger of Iranian retaliation, however, is being managed. In an indirect warning to Tehran, Secretary Panetta declared, “If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president.” Iran is not likely to test the credibility of that statement.

Looking to the risks of the future, the U.S. is seeking to constrain state behavior in cyberspace by applying established laws of war to this new domain. As State Department Legal Counsel Harold Hongju Koh recently said, “Cyberspace is not a ‘law-free’ zone where anyone can conduct hostile activities without rules or restraint.”

In the next four years, the Administration must continue to maintain its leadership position on this issue and drive a global dialogue that will create the international institutions and governing principles that will place appropriate boundaries around this emerging technology.


Dr. James Lewis, Center for Strategic and International Studies (CSIS) 

Some say we have opened Pandora’s Box and militarized cyberspace, unleashing an out of control cyber arms race. What anyone who says this has really unleashed is a herd of clichés. Nations have been exploiting computer networks since the 1980s. Cyber techniques provide powerful new tools for espionage, coercion, and attack. Since the line between espionage and “attack” is negligibly thin – once you are in, you can harvest information or, if you wish, do damage – any nation that can conduct espionage in cyberspace can also carry out an attack. No country will forsake espionage and in consequence, cyberattack is inescapably with us.

Cyber provides a new tool of coercion available to nations (and to some private actors).  It is fast, covert and relatively cheap. Few defenses are in place against it.  At least a dozen countries are developing offensive cyber capabilities, experimenting with its use and testing plans and doctrine. The U.S. is one of them, and so is Iran.

There has been a sporadic, largely covert conflict between the U.S. and Iran since 1979. Iran intervened in the Iraq war to attack U.S. troops. It plays a murky role in Afghanistan and a harmful, not-so-murky role in Lebanon and Syria. In turn, there are credible reports of U.S. covert actions against Iran’s nuclear programs, in cooperation with several allies – televising the wreckage of a captured drone is a good indicator of American activity.

Covert action makes people uncomfortable, but the U.S. has used it in the past against hostile authoritarian regimes. If there is covert action against Iran, it is Iran’s unwillingness to comply with IAEA rules and give up its atomic bomb program that inspires it. In any case, Iran is no stranger itself to covert warfare and can hardly complain as it flies weapons to Assad.

Cyber espionage and attack now play a role in this covert engagement.  Iran suspects that many nations exploit its networks for intelligence purposes. Recently, unknown hands used a cyberattack to interfere with Iran’s major oil terminal at Kharg Island. Iran has experienced at least one serious attack. Despite Iranian denials, the Stuxnet virus did real damage to the nuclear program. Stuxnet was precise. Although it spread to many networks, it damaged only one. There was no collateral damage and little political risk – much more attractive than an air strike or raid.

Iran has been developing cyber capabilities for about five years. The initial motive was political. Iran does not want its citizens to have untrammeled access to information and its rulers, after their bloody suppression of the 2009 election, out of fear that the power of social networks will unleash something like Arab Spring. Iran has developed an impressive array of institutions to manage its new cyber tools, with a “High Council of Cyberspace,” and a proxy “cyber army” controlled by intelligence agencies and the Iranian Revolutionary Guard. It is even trying to build its own national internet and national search engine (that would find only approved sites). Its programs resemble those of China, and Russia may also help.

Iran has limited technical capabilities for cyber attack, but it has shown it can use these in unexpected ways.  Iran used its skills in August to erase data from 30,000 computers at Saudi Aramco, a major oil producer (probably in retaliation for Kharg) and in September against major U.S. banks (in relation for sanctions). The two attacks were probably tests – of a simple weapon in the case of Aramco and of the U.S. reaction in the case of the banks.

In response, Secretary of Defense Panetta announced a new doctrine that would allow Cyber Command to block attacks or preemptively disable an attacking computer in another country. In his speech, he mentioned only Russia, China – and Iran. Coincidently, Iranian action against the banks seems to have stopped after this, but they may have simply run their course.

The Gulf has become an active theater for cyberattack, with many nations engaged. This is uncertain terrain.  The internet creates unknown political forces and offers new possibilities for disruption.  There is little understanding among nations on how to manage the new arena for conflict.  It is not a stable situation, but the source of instability is not cyber weapons but the tense relations between the two countries. Cyberattack is an effect, not the cause, another chapter in a thirty year dispute.


Dr. Martin Libicki, The RAND Corporation

A matter of degree: Who can authorize a cyberattack?

Understanding when the United States should engage in cyberwar and who should approve cyberattacks requires understanding that cyberwar has multiple personalities: operational, strategic, and that great gray area in-between.

Operational cyberwar, for instance, is the use of cyberattacks to support the traditional use of physical (aka kinetic) force. An example (if true) would be how cyberattacks on air-defense radar enabled Israeli jets to safely knock out a Syrian nuclear reactor in 2007. Operational cyberwar is no more problematic than the kinetic operation it would support. If lethal means are acceptable, non-lethal means cannot be a problem. Thus operational cyberwar decisions need not be made by the president, at least not once a precedent is set.

Strategic cyberwar, for its part, is the use of cyberattacks to punish, harass, or annoy the people of another country. The attack by Russians on Estonians in 2007 was an act of strategic cyberwar, albeit one that stayed comfortably within the zone of annoyance rather than anything worse. Once a country has carried out a strategic cyberwar campaign on another country, there is no hiding the fact that the attacker rejoices in the other’s discomfort. The decision to carry out a strategic cyberwar campaign has to be a decision made by a head of state – the president, in the case of America – and not by any military command or intelligence agency, just as the decision to blockade another country’s harbors cannot be made by the U.S. Navy acting on its own.

It’s that great gray area in between where the authority to carry out cyberattacks could profit from further definition. Take Stuxnet. Whoever carried it out is not at war with Iran (no one is), and the Natanz enrichment plant was not a military system in a war zone. So it wasn’t an operational cyberattack. However, the purpose of the attack did not appear aimed at making life miserable for the average Iranian; so it really could not be characterized as a strategic attack, either. Stuxnet was closer to an act of sabotage. Although sabotage is not an act of war, the difference between sabotage and a strategic bombing campaign is a matter of degree (and, invariably, casualties). At a lower level, the United Kingdom reportedly penetrated a jihadist web site and substituted a harmless article (on cupcake manufacturing) for a harmful one (bomb manufacturing); this may not have been the only interference with such web sites. A good rule of thumb is that if the results of the action are going to come to the president’s attention then the responsibility rests there as well. Whether repeat applications need specific authorization is a matter of details.

But the most difficult example is an action that (supposedly) has to take place faster than presidential authorization can be acquired. Let’s say there’s an incoming cyberattack, which as we all know takes place at the speed of light. All will be lost if no one can pre-empt or at least react to it at comparable speed. And so, a return cyberattack takes place, and the president is awakened to find that disaster has been averted. Hence, the case for pre-authorization of “active defense.” But is pre-authorization wise? If intelligence on the nature, potential, and source of an attack were perfect, the response precise, and the rationale unassailable, why not? Alas, not only do men fall short of gods, but cyberwar does not really work that way. Consider, again, Stuxnet. By the time it wormed its way into the right computers at Natanz, exactly which system it came out of is not only past but irrelevant; it’s gone. It worked for months before the Iranians caught on (perhaps only by reading the New York Times). The cyberespionage campaigns that suck intellectual property from U.S. corporations take place over months; indeed, such attacks typically go on for a year prior to discovery. The attacks on bank web sites that Secretary of Defense Panetta ascribed to the Iranians did not have a detonation point that had to be stopped within milliseconds. And even if one could imagine an attack in progress that has yet to reach an imminent detonation point, blocking the attack at its destination rather than source is technically easier and raises fewer issues.

And that takes us back to our first rule. If the president has to answer to it, the president has to authorize it. In cyberspace, as in physical space, the buck stops there.


About the Debaters:

Joe Costa is an Associate at The Cohen Group. Previously, Joe was a researcher at Harvard’s Belfer Center for Science and International Affairs, where his focus was Iran’s nuclear program. He was a member of Harvard’s Iran Nuclear Negotiations Working Group, and is the current Director of the Truman National Security Project’s Nuclear Nonproliferation Expert Group. Joe served as a Rosenthal Fellow on the Committee on Homeland Security in the U.S. House of Representatives and earned a Masters in Public Policy at the University of Chicago.


James Lewis is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. Lewis’s recent work has focused on cybersecurity, including the groundbreaking report “Cybersecurity for the 44th Presidency,” space, and innovation. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation. Lewis received his Ph.D. from the University of Chicago.


Martin Libicki is a senior management scientist at the RAND Corporation. His research focuses on the impacts of information technology on domestic and national security. This work is documented in commercially published books—e.g., Conquest in Cyberspace: National Security and Information Warfare (Cambridge University Press, 2007) and Information Technology Standards: Quest for the Common Byte (Digital Press, 1995)—as well as in numerous monographs, notably How Insurgencies End (with Ben Connable, 2010), Cyberdeterrence and Cyberwar (2009), How Terrorist Groups End: Lessons for Countering al Qa’ida (with Seth G. Jones, 2008), Exploring Terrorist Targeting Preferences (with Peter Chalk and Melanie W. Sisson, 2007), and Who Runs What in the Global Information Grid (2000). His most recent research involved organizing the U.S. Air Force for cyberwar, exploiting cell phones in counterinsurgency, developing a post-9/11 information technology strategy for the U.S. Department of Justice, using biometrics for identity management, assessing the Terrorist Information Awareness program of the Defense Advanced Research Project Agency, conducting information security analysis for the FBI, and evaluating In-Q-Tel. Prior to joining RAND, Libicki spent 12 years at the National Defense University, three years on the Navy staff as program sponsor for industrial preparedness, and three years as a policy analyst for the U.S. General Accounting Office’s Energy and Minerals Division. Libicki received his Ph.D. in economics from the University of California, Berkeley.


About Up for Debate:

In Up For Debate, FAS invites knowledgeable outside contributors to discuss science policy and security issues. This debate among experts is conducted via email and posted on FAS invites a demographically and ideologically diverse group to comment – a unique FAS feature that allows readers to reach conclusions based on both sides of an argument rather than just one point of view.


Please read the guidelines for the official debate and rebuttal policy for participants of FAS’s ‘Up For Debate.’ All participants are required to follow these rules. Each opinion must stay on topic and feature relevant content, or be a rebuttal. No ad hominem and personal attacks, name calling, libel, or defamation is allowed, and proper citations must be given.

Social Motivations in a Cyber World

“The major threat to security, our way of life, to prosperity is not kinetic warfare or terrorism, but is in fact espionage and crime and cheating,” according to Ben Hammersley, technologist and Wired editor at large. Hammersley spoke on “Adding Fuel to the Wi-fire: What is the Nexus between Social Media, Emerging Technologies and digital Radicalization” at The Brookings Institute on Tuesday, July 17th.

Hammersley explained that he is mainly a “Futurist … get[ting] paid to live six months in the future and tell stories about it.” He often referred to Moore’s Law, the concept that every 12-18 months a product that costs “x” amount of dollars will have twice as much computing power for the same cost, or that a unit with the same computing power will cost half as much as it did previously. As current British ambassador to East London Tech City, essentially the British Silicon Valley, he knows what he’s talking about.