DoD Cyber Operations, and More from CRS

A new report from the Congressional Research Service presents an introduction to U.S. military operations in cyberspace and the thorny policy issues that arise from them.

“This report presents an overview of the threat landscape in cyberspace, including the types of offensive weapons available, the targets they are designed to attack, and the types of actors carrying out the attacks. It presents a picture of what kinds of offensive and defensive tools exist and a brief overview of recent attacks. The report then describes the current status of U.S. capabilities, and the national and international authorities under which the U.S. Department of Defense carries out cyber operations.”

The Department of Defense requested $5.1 billion for “cybersecurity” in 2015, the CRS report noted. Cybersecurity here includes funding for cyberspace operations, information assurance, U.S. Cyber Command, the National Cybersecurity Initiative, and related functions. See Cyber Operations in DoD Policy and Plans: Issues for Congress, January 5, 2015.

(The CRS report includes only a capsule summary description of the Stuxnet episode. A fuller account is presented in Kim Zetter’s gripping book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.)

Other noteworthy new and updated CRS reports that Congress has withheld from online public distribution include the following.

State Sponsors of Acts of International Terrorism–Legislative Parameters: In Brief, December 24, 2014

The President’s Immigration Accountability Executive Action of November 20, 2014: Overview and Issues, January 8, 2015

Proposed Retirement of A-10 Aircraft: Background in Brief, January 5, 2015

American War and Military Operations Casualties: Lists and Statistics, January 2, 2015

A Shift in the International Security Environment: Potential Implications for Defense–Issues for Congress, December 31, 2014

Secret Sessions of the House and Senate: Authority, Confidentiality, and Frequency, December 30, 2014

Navy Littoral Combat Ship (LCS) Program: Background and Issues for Congress, December 24, 2014

Navy Shipboard Lasers for Surface, Air and Missile Defense: Background and Issues for Congress, December 23, 2014

Definitions of “Inherently Governmental Function” in Federal Procurement Law and Guidance, December 23, 2014

Congressional Careers: Service Tenure and Patterns of Member Service, 1789-2015, January 3, 2015

The Congressional Research Service has never been more frequently cited or more influential in informing public discourse than it is today, as its publications are increasingly shared with the public in violation of official policy.

But budget cuts and congressional dysfunction seem to have bred discontent among some staff members, judging from an article by former CRS analyst Kevin R. Kosar.

“Thanks to growing pressure from a hyper-partisan Congress, my ability to write clearly and forthrightly about the problems of government–and possible solutions–was limited. And even when we did find time and space to do serious research, lawmakers ignored our work or trashed us if our findings ran contrary to their beliefs. When no legislation is likely to move through the system, there’s simply not much market for the work the CRS, at its best, can do,” he wrote. See “Why I Quit the Congressional Research Service,” Washington Monthly, January/February 2015.

Offensive Cyber Operations in US Military Doctrine

A newly disclosed Department of Defense doctrinal publication acknowledges the reality of offensive cyberspace operations, and provides a military perspective on their utility and their hazards.

Attacks in cyberspace can be used “to degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time.” Or they can be used “to control or change the adversary’s information, information systems, and/or networks in a manner that supports the commander’s objectives.”

However, any offensive cyber operations (OCO) must be predicated on “careful consideration of projected effects” and “appropriate consideration of nonmilitary factors such as foreign policy implications.”

“The growing reliance on cyberspace around the globe requires carefully controlling OCO, requiring national level approval,” according to the newly disclosed Cyberspace Operations, Joint Publication 3-12(R).

That publication was first issued by the Joint Chiefs of Staff as a SECRET document in February 2013 (as JP 3-12, without the R). But this week it was reissued as a public document. It is unclear whether the public document has been redacted or modified for release.

The discussion of “offensive cyberspace operations” in the original, classified version of JP 3-12 led to adoption of that term in the official DoD lexicon for the first time in March 2013, where it has remained through the latest edition.

Offensive cyberspace operations (OCO) are “intended to project power by the application of force in and through cyberspace. OCO will be authorized like offensive operations in the physical domains, via an execute order (EXORD).”

The DoD document is fairly candid about the challenges and limitations of cyberspace operations.

“Activities in cyberspace by a sophisticated adversary may be difficult to detect” and to attribute to their source. Yet such detection and attribution capabilities are “critical” for enabling offensive and defensive cyberspace operations.

By the same token, “first-order effects of [US cyberspace operations] are often subtle, and assessment of second- and third-order effects can be difficult,” requiring “significant intelligence capabilities and collection efforts” to evaluate.

Not only that, but US cyberspace operations “could potentially compromise intelligence collection activities. An IGL [Intelligence Gain/Loss] assessment is required prior to executing a CO to the maximum extent practicable.”

In any event, offensive cyber operations are to be used discriminatingly. “Military attacks will be directed only at military targets. Only a military target is a lawful object of direct attack.” But military targets are defined broadly as “those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”

Meanwhile, there are persistent vulnerabilities inherent in DoD information systems, DoD said. “Many critical [US] legacy systems are not built to be easily modified or patched. As a result, many of the risks incurred across DOD are introduced via unpatched (and effectively unpatchable) systems on the DODIN [DoD Information Network].”

The risks are increased because “DOD classified and unclassified networks are targeted by myriad actions, from foreign nations to malicious insiders.”

“Insider threats are one of the most significant threats to the joint force,” the DoD document said. “Whether malicious insiders are committing espionage, making a political statement, or expressing personal disgruntlement, the consequences for DOD, and national security, can be devastating.”

Overall, “Developments in cyberspace provide the means for the US military, its allies, and partner nations to gain and maintain a strategic, continuing advantage,” the Cyberspace Operations publication said.

But “access to the Internet provides adversaries the capability to compromise the integrity of US critical infrastructures in direct and indirect ways.”

These features represent “a paradox within cyberspace: the prosperity and security of our nation have been significantly enhanced by our use of cyberspace, yet these same developments have led to increased vulnerabilities….”

NSA Releases NSPD-54 on Cybersecurity Policy

In January 2008, the Bush Administration issued the Top Secret National Security Presidential Directive 54 on Cybersecurity Policy which “establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace.”

Despite its relevance to a central public policy issue, both the Bush and Obama Administrations had refused to release the Directive.

But last week, in response to a five-year Freedom of Information Act effort by the Electronic Privacy Information Center, the National Security Agency released a lightly redacted version of the document, most of which had been unclassified all along.

“This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability,” said EPIC in its release of the document.