Congress Urges Cyber Ops Against Russia, Others

Rebuking the Trump Administration for its “passivity,” Congress is pressing the Department of Defense to engage in “active defense” in cyberspace against Russia, China, North Korea and Iran.

A new provision in the conference report on the FY2019 national defense authorization act (sect. 1642) would “authorize the National Command Authority to direct the Commander, U.S. Cyber Command, to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace.” It would further “add authorizations for action against the People’s Republic of China, the Democratic People’s Republic of Korea, and the Islamic Republic of Iran.”

“The conferees have been disappointed with the past responses of the executive branch to adversary cyberattacks and urge the President to respond to the continuous aggression that we see, for example, in Russia’s information operations against the United States and European allies in an attempt to undermine democracy.”

“The administration’s passivity in combating this campaign. . . will encourage rather than dissuade additional aggression.”

“The conferees strongly encourage the President to defend the American people and institutions of government from foreign intervention,” the report language said.

The congressional report does not propose an actual cyber strategy, nor does it specify desired outcomes, or address unintended consequences.

Another provision in the new conference report says that the Department of Defense ought to be just as assertive and “aggressive” in cyberspace as it is elsewhere (sect. 1632).

“The conferees see no logical, legal, or practical reason for allowing extensive clandestine traditional military activities in all other operational domains (air, sea, ground, and space) but not in cyberspace,” the report said.

“It is unfortunate that the executive branch has squandered years in interagency deliberations that failed to recognize this basic fact and that this legislative action has proven necessary.”

“The conferees agree that the Department should conduct aggressive information operations to deter adversaries.”

Curiously, the report found it necessary to add that “the conferees do not intend this affirmation as an authorization of clandestine activities against the American people.”

In general, another provision (sect. 1636) states, the U.S. needs to be ready for war in cyberspace:

“It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests with the intent to… cause casualties among United States persons or persons of United States allies; significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government); threaten the command and control of the Armed Forces, the freedom of maneuver of the Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.”

Cyber War as a Career Path

Military cyber operations have been normalized to the point that there is now a defined career path for would-be cyber warriors in the U.S. Air Force and a formal curriculum for training them.

The role of a cyber war specialist, which includes defense as well as offense, is “to develop, sustain, and enhance cyberspace capabilities to defend national interests from attack and to create effects in cyberspace to achieve national objectives,” according to a new Air Force training plan that was published this week.

The Air Force training plan outlines the anticipated career progression of its cyber warriors, and describes the tasks that they must master. See Cyber Warfare Operations Career Field Education and Training Plan, CFETP 1B4X1, July 15, 2018.

Offensively, trainees must learn methods such as buffer overflow tactics and techniques, privilege escalation, rootkits, redirection and triggering, tunneling, and so forth. Defensive methods include encryption, secure enclaves, boundary protection, intrusion detection, etc.

A select group of especially competent trainees will be selected “to futher develop their skills in the areas of secure system design, vulnerability analysis, computer network defense (CND), and computer network exploitation (CNE)” in joint programs with the National Security Agency and US Cyber Command.

The programs will enhance students’ technical skills and will help to “bridge gaps between typical Computer Science/Engineering curriculum and those necessary for Computer Network Attack / Exploitation / Defense.”

“Each intern must complete at least one offensive and at least one defensive tour during the program,” the training plan said.

*    *    *

Some other noteworthy new military doctrinal and other publications include the following.

Human Remains Associated with Sunken Military Craft, SecNav Instruction 5360.2, July 11, 2018. Navy policy normally precludes efforts to recover the remains of those lost at sea. “The Department of the Navy (DON) has long recognized the sea as a fit and final resting place for personnel who perish at sea.”

The guided missile destroyer USS John S. McCain is now named for Senator McCain as well as for his father and grandfather. “As a prisoner of war, [Sen.] McCain represented our nation with dignity and returned with honor,” wrote Secretary of the Navy Richard V. Spencer in a July 12 memorandum memorializing the designation.

The production of electric power for military operations is addressed in a new Army manual. “Modern warfare relies on electrically powered systems, making electricity an essential element that supports warfighting functions.” Though nuclear power systems have previously played a role in the Army, there is no mention of nuclear reactors or isotope power in the new publication. See ATP 3-34.45, Electric Power Generation and Distribution, July 6, 2018.

Superiority in Cyberspace Will Remain Elusive

Military planners should not anticipate that the United States will ever dominate cyberspace, the Joint Chiefs of Staff said in a new doctrinal publication. The kind of supremacy that might be achievable in other domains is not a realistic option in cyber operations.

“Permanent global cyberspace superiority is not possible due to the complexity of cyberspace,” the DoD publication said.

In fact, “Even local superiority may be impractical due to the way IT [information technology] is implemented; the fact US and other national governments do not directly control large, privately owned portions of cyberspace; the broad array of state and non-state actors; the low cost of entry; and the rapid and unpredictable proliferation of technology.”

Nevertheless, the military has to make do under all circumstances. “Commanders should be prepared to conduct operations under degraded conditions in cyberspace.”

This sober assessment appeared in a new edition of Joint Publication 3-12, Cyberspace Operations, dated June 8, 2018. (The 100-page document updates and replaces a 70-page version from 2013.)

The updated DoD doctrine presents a cyber concept of operations, describes the organization of cyber forces, outlines areas of responsibility, and defines limits on military action in cyberspace, including legal limits.

“DOD conducts CO [cyberspace operations] consistent with US domestic law, applicable international law, and relevant USG and DOD policies.” So though it may be cumbersome, “It is essential commanders, planners, and operators consult with legal counsel during planning and execution of CO.”

The new cyber doctrine reiterates the importance and the difficulty of properly attributing cyber attacks against the US to their source.

“The ability to hide the sponsor and/or the threat behind a particular malicious effect in cyberspace makes it difficult to determine how, when, and where to respond,” the document said. “The design of the Internet lends itself to anonymity and, combined with applications intended to hide the identity of users, attribution will continue to be a challenge for the foreseeable future.”

The changing role of “information” in warfare was addressed in a predecisional draft Joint Concept for Operating in the Information Environment (Joint Chiefs of Staff, December 2017).

“Integrating physical and informational power across geographic boundaries and in multiple domains could lead to campaigns and operations with enormous complexity,” the document warns. “The fog and friction of war punishes unnecessary complexity.”

Another concern is that a “focus on informational power could be misread by Congress and other resource allocators to suggest there is little need for a well-equipped and technologically-advanced Joint Force capable of traditional power projection and decisive action.”

Army Sketches Future Cyberspace Operations

The U.S. Army this week published an overview of future military cyberspace operations. See The U.S. Army Concept for Cyberspace and Electronic Warfare Operations 2025-2040, TRADOC Pamphlet 525-8-6, 9 January 2018.

The new Army publication is intended to promote development of cyber capabilities, to foster integration with other military functions, to shape recruitment, and to guide technology development and acquisition. It addresses defense against cyber threats as well as offensive cyber activities.

Proliferation of cyber threats is eroding the benefits of US superiority in conventional military power, the document said.

“The Army faces a complex and challenging environment where the expanding distribution of cyberspace and EMS [electromagnetic spectrum] technologies will continue to narrow the combat power advantage that the Army has had over potential adversaries.”

“Adversaries will conduct complex cyberspace attacks integrated with military operations or independent of traditional military operations.”

“Since every device presents a potential vulnerability, this trend represents an exponential growth of targets through which an adversary could access Army operational networks, systems, and information.”

“Conversely, it presents opportunities for the enhanced synchronization of Army technologies and information to exploit adversary dependencies on cyberspace.”

“If deterrence fails, Army forces isolate, overwhelm, and defeat adversaries in cyberspace and the EMS to meet the commander’s objectives.”

“These [Army] capabilities exploit adversary systems to facilitate intelligence collection, target adversary cyberspace and EMS functions, and create first order effects. Cyberspace and EW [electronic warfare] operations also create cascading effects across multiple domains to affect weapons systems, command and control processes, critical infrastructure, and key resources to outmaneuver adversaries physically and cognitively, applying combined arms in and across all domains.”

Military action in cyberspace is an evolving field that may have overtaken existing law or convention.

“Many effects of cyberspace operations require considerable legal and policy review,” the Army document said.

What is an Act of War in Cyberspace?

What constitutes an act of war in the cyber domain?

It’s a question that officials have wrestled with for some time without being able to provide a clear-cut answer.

But in newly-published responses to questions from the Senate Armed Services Committee, the Pentagon ventured last year that “The determination of what constitutes an ‘act of war’ in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President.”

“Specifically,” wrote then-Undersecretary of Defense (Intelligence) Marcel Lettre, “cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war.'”

Notably absent from this description is election-tampering or information operations designed to disrupt the electoral process or manipulate public discourse.

Accordingly, Mr. Lettre declared last year that “As of this point, we have not assessed that any particular cyber activity [against] us has constituted an act of war.”

See Cybersecurity, Encryption and United States National Security Matters, Senate Armed Services Committee, September 13, 2016 (published September 2017), at p. 85.

See related comments from Joint Chiefs Chairman Gen. Joseph Dunford in U.S. National Security Challenges and Ongoing Military Operations, Senate Armed Services Committee, September 22, 2016 (published September 2017), at pp. 56-57.

In January 2017, outgoing Obama DHS Secretary Jeh Johnson for the first time designated the U.S. election system as critical infrastructure. “Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” he wrote. It follows that an attack on the electoral process could now be considered an attack on critical infrastructure and, potentially, an act of war.

“Russia engaged in acts of war against America, not with bullets and bombs, but through a modern form of warfare, a cyberattack on our democracy,” opined Allan Lichtman, a history professor at American University, in a letter published in the latest issue of the New York Review of Books.

Not so fast, replied Noah Feldman and Jacob Weisberg: “The US is not now in a legal state of war with Russia despite that country’s attempts to affect the 2016 election.”

The current issue of the US Army’s Military Intelligence Professional Bulletin (Oct-Dec 2017) includes an article on Recommendations for Intelligence Staffs Concerning Russian New Generation Warfare by MAJ Charles K. Bartles (at pp. 10-17).

Is “Cyberwar” War?

Are offensive cyber operations an act of war?

“I would say specifically to your question what defines an act of war [in the cyber domain]– that has not been defined. We are still working towards that definition across the interagency,” said Thomas Atkin of the Office of Secretary of Defense at a congressional hearing last year.

He elaborated in newly published responses to questions for the record:

“When determining whether a cyber incident constitutes an armed attack, the U.S. Government considers a number of factors including the nature and extent of injury or death to persons and the destruction of, or damage to, property. Besides effects, other factors may also be relevant to a determination, including the context of the event, the identity of the actor perpetrating the action, the target and its location, and the intent of the actor, among other factors.” See Military Cyber Operations, hearing of the House Armed Services Committee, June 22, 2016.

If cyberwar is in fact war, would civilians who support military cyber operations be lawful combatants? They might not be, Mr. Atkin said.

“During armed conflict, some civilians who support the U.S. armed forces may sit at the keyboard and participate, under the direction of a military commander, in cyberspace operations. The law of war does not prohibit civilians from directly participating in hostilities, such as offensive or defensive cyberspace operations, even when that activity would be a use of force or would involve direct participation in hostilities; however, in such cases, a civilian is not a ‘lawful combatant’ and does not enjoy the right of combatant immunity, is subject to direct attack for such time as he or she directly participates in hostilities, and if captured by enemy government forces may be prosecuted for acts prohibited under the captor’s domestic law.”

But any such danger to unlawful civilian cyber-combatants is probably not an imminent hazard, he added. “Most, if not the great majority, of our civilian cyber workforce involved in providing support to cyberspace operations during armed conflict will not be serving on the battlefield where they may be the object of attack or risk being detained by the enemy. Instead, most will be providing their support remotely from areas outside the area of hostilities, are not easily identifiable as an individual, and are likely serving in the United States.”

US Military Advantage in Cyberspace is Challenged

The superiority of the US military in cyberspace, which once could be taken for granted, is gradually eroding, says an Army Field Manual published this week.

In the past decade, “U.S. forces dominated cyberspace and the electromagnetic spectrum (EMS) in Afghanistan and Iraq against enemies and adversaries lacking the technical capabilities to challenge our superiority in cyberspace.”

“However, regional peers have since demonstrated impressive capabilities in a hybrid operational environment that threaten the Army’s dominance in cyberspace and the EMS,” according to the new Field Manual.

“Rapid developments in cyberspace and the EMS will challenge any assumptions of the Army’s advantage in this domain. While it cannot defend against every kind of intrusion, the Army must take steps to identify, prioritize, and defend its most important networks and data.”

The underlying principles of US Army operations in cyberspace were described in the new Field Manual 3-12, Cyberspace and Electronic Warfare Operations, 11 April 2017 (unclassified, 108 pages).

Air Force Updates Doctrine on Cyberspace Operations

Within living memory, even a passing mention of cyber weapons or U.S. offensive activities in cyberspace was deemed sufficient to justify national security classification. Now, although the Obama Administration generally neither claims nor receives credit for it, military cyberspace doctrine has become one of a number of significant policy areas in which this Administration is demonstrably “more transparent” than its predecessors.

A new US Air Force directive “provides policy guidelines for planning and conducting AF cyberspace operations to support the warfighter and achieve national security objectives.”

“The AF will execute Cyberspace Operations” — including both offensive and defensive actions — “to support joint warfighter requirements, increase effectiveness of its core missions, increase resiliency, survivability, and cybersecurity of its information and systems, and realize efficiencies through innovative IT solutions.” See Cyberspace Operations, Air Force Policy Directive AFPD 17-2, April 12, 2016.

A companion directive further specifies, for example, that “Air Force Space Command (AFSPC) will… deploy AF approved cyber weapon systems.” See Air Force Policy Directive 17-1, Information Dominance, Governance and Management, 12 April 2016.

A Bureaucratic History of Cyber War

When Gen. Keith Alexander became the new director of the National Security Agency in 2005, “his predecessor, Mike Hayden, stepped down, seething with suspicion”– towards Alexander.

As told by Fred Kaplan in his new book Dark Territory, Gen. Hayden and Gen. Alexander had clashed years before in a struggle “for turf and power, leaving Hayden with a bitter taste, a shudder of distrust, about every aspect and activity of the new man in charge.” The feeling was mutual.

The subject (and subtitle) of Kaplan’s book is “the secret history of cyber war.” But the most interesting secrets disclosed here have less to do with any classified missions or technologies than with the internal bureaucratic evolution of the military’s interest in cyber space. Who met with whom, who was appointed to what position, or even (as in the case of Hayden and Alexander) who may have hated whom all turn out to be quite important in the ongoing development of this contested domain.

Kaplan seems to have interviewed almost all of the major players and participants in this history, and he has an engaging story to tell. (Two contrasting reviews of Dark Territory in the New York Times are here and here.)

Meanwhile, the history of cyber war is becoming gradually less secret.

This week, the Department of Defense openly published an updated instruction on Cybersecurity Activities Support to DoD Information Network Operations (DoD Instruction 8530.01, March 7).

It replaces, incorporates and cancels previous directives from 2001 that were for restricted distribution only.

Army: Rapid Reprogramming Needed for Cyber Ops

Changes in the cyber threat environment require the Army to be able to rapidly reprogram its own military software, a newly updated Army Regulation directs.

“Warfare is rapidly moving into a new domain: cyberspace. This will affect warfighting in all domains, and the Army will take measures to adapt to the cyberspace environment.”

“This increased responsiveness demands shortened timelines to combat enemy threats as they adapt to new technology and to new methods of employment.”

“RSR [Rapid Software Reprogramming] will be required to become even more adaptive, automated, and integrated with weapons systems operating in the EMS [electromagnetic spectrum].”

“This policy gives the Army a process which enables soldiers a reach-back RSR capability that will assist commanders to attain tactical superiority, achieve surprise, gain and retain the initiative, maintain awareness of new and emerging threats, and obtain decisive results…,” the unclassified Regulation said.

The Assistant Secretary of the Army (ALT) will “Ensure that sensor-based weapons and CEMA [Cyber Electromagnetic Activities] systems are developed using software reprogrammable signature detection, classification, and response capabilities that can be responsive and enabling to EW [Electronic Warfare], spectrum management and cyber operations.”

See Software Reprogramming for Cyber Electromagnetic Activities, Army Regulation 525-15, 19 February 2016.