Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

3 A Military Perspective on Cyberattack 3.1  U.S. Military Doctrine and Cyberattack The most current statement of U.S. military doctrine regarding cyber- attack identifies computer network attack (an aspect of what this report calls cyberattack) as an element of computer network operations (CNO), the other two of which are computer network defense (CND) and related computer network exploitation (CNE) enabling operations. Computer network attack (CNA) refers to actions taken through the use of com- puter networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. CND refers to actions taken through the use of computer networks to protect, monitor, analyze, detect, and respond to unauthor- ized activity against or within DOD information systems and computer networks. CNE (computer network exploitation, an aspect of what this report calls cyberexploitation) refers to operations conducted through the use of computer networks to gather data from target or adversary automated information systems or networks, and the term “related CNE enabling operations” refers to operations undertaken to gather intelli- gence information for carrying out CNO or CND operations. Current doctrine (Joint Publication 3-13, Joint Doctrine on Information Operations) notes that all of these capabilities can be used for both offen- sive and defensive purposes. For example, under this rubric, a computer network attack might be used for a defensive purpose, such as the neu- tralization of a cyberthreat to a DOD computer or network. At the date of this writing, an unclassified and authoritative state- 161 

162 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES ment of current joint doctrine for the use of computer network attack is unavailable, and it is fair to say that current doctrine on this matter is still evolving. However, in testimony to the House Armed Services Commit- tee on March 21, 2007, General James E. Cartwright, Commander of the United States Strategic Command, said that “cyberspace has emerged as a warfighting domain not unlike land, sea, and air, and we are engaged in a less visible, but nonetheless critical battle against sophisticated cyber- space attacks.” He pointed out the importance of deterring adversaries and assuring U.S. freedom of action in cyberspace, and argued that “fun- damental to this approach is the integration of cyberspace capabilities across the full range of military operations.” He then observed that “to date, our time and resources have focused more on network defenses to include firewalls, antivirus protection, and vulnerability scanning. [But] while generally effective against unsophisticated hackers, these measures are marginally effective against sophisticated adversaries.” Following this observation, he then stated: History teaches us that a purely defensive posture poses significant risks; the “Maginot Line” model of terminal defense will ultimately fail without a more aggressive offshore strategy, one that more effectively layers and integrates our cyber capabilities. If we apply the principles of warfare to the cyber domain, as we do to sea, air, and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary to deter actions detrimental to our interests. A number of other DOD and service statements and publications have added texture to the perspective articulated by General Cartwright. The 2006 National Military Strategy for Cyberspace Operations (redacted copy available online) says that “as a war-fighting domain . . . cyberspace favors the offense . . . an opportunity to gain and maintain the initiative.” It further defines cyberspace as a domain “characterized by the use of elec- tronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.” Prevailing military doctrine calls for the U.S. dominance of domains of warfare, traditionally including land, sea, air, and space, and now including cyberspace. Dominance in a domain means that the U.S. mili- tary should have freedom of access to and use of the domain, and should be able to deny access to and use of that domain to an adversary—and dominance requires that the United States play both offense and defense. Furthermore, if cyberspace is like any other warfighting domain, the fun- damental concepts of warfare must apply to the cyberspace domain.  See http://www.dod.mil/pubs/foi/ojcs/07-F-2105doc1.pdf. 

A MILITARY PERSPECTIVE ON CYBERATTACK 163 An example of how such thinking regarding cyberspace-as-domain can play out was described to the committee in a briefing from the Air Force Cyberspace Task Force. In the CTF view, the United States should be provided with “offensive capabilities and deliberate target sets.” In addition, the briefing argued that “cyber favors the offensive” and that under this rubric fell several different missions, including strategic attack directly at enemy centers of gravity, suppression of enemy cyberdefenses, offensive countercyber, defensive countercyber, and interdiction. Consis- tent with Secretary of the Air Force Michael W. Wynne’s statement that “all aspects of air war will have some equivalent role in cyber war,” these missions have rather close analogs to traditional Air Force missions— s ­ trategic bombing attack against enemy centers of gravity, suppression of enemy air defenses to facilitate airspace penetration of enemy borders, offensive counter-air (destroying enemy aircraft on the ground), defen- sive counter-air (defending friendly territory from enemy aircraft in the air), and interdiction (attack of enemy assets far behind the battlefront).  (Whether this particular view of cyberspace as a domain of military con- flict will ultimately be adopted throughout the Department of Defense is not clear at this time.) The doctrinal perspective that cyberspace is another warfighting domain has other implications as well. For example, operations in cyber- space need to be synchronized and coordinated with other operations, just as land and air operations, for example, must be synchronized and coordinated. In other words, during overt or open military conflict, it is highly likely that information operations—including cyberattacks if mili- tarily appropriate—will not be the only kind of military operations being executed. Examples of coordination issues are described in Box 3.1. The doctrinal perspective further implies that cyberweapons should be regarded as no different from any other kind of weapon available to U.S forces. That is, their use should be initiated on the basis of their suit- ability for conducting the attacks in question, and should not require any extraordinary analysis or authority to which the non-cyberspace military is not already accustomed. Thus, in determining the best way to attack a target, cyberweapons simply provide the operational planner with another option, in addition to the air-delivered laser-guided bomb and the Special Operations force with demolition charges. Similar considerations apply from a legal perspective. For example,  Michael W. Wynne, “Flying and Fighting in Cyberspace,” Air & Space Power Journal, Spring 2007, available at http://www.airpower.maxwell.af.mil/airchronicles/apj/apj07/ spr07/wynnespr07.html.  Indeed, Lt. Gen. Bill Donahue (USAF, ret.) argued in a briefing to the committee that one could almost literally do a global search and replace that would replace “Air” with “Cyberspace” in Air Force warfighting doctrine. 

164 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 3.1  Possible Coordination Issues for Cyberattack Cross-domain coordination requires that the effects of a cyberattack on the physical world (both direct and consequential) and the timing of those effects should be known with enough certainty that their possible use can be taken into account in operational planning. Some issues include the following: • Coordination with other military operations. Planners might choose to at- tack a given target using both a cyberweapon and a kinetic weapon. Redundancy in an attack, especially using different modes of attack that might exploit different vulnerabilities, is often desirable from a planning perspective. On the other hand, problems may result if the damage assessment from one operation is not avail- able to those planning the other operation (e.g., as the result of stovepiping within executing agents). • Coordination between cyber operations for attack and for defense. A computer network attack launched by the U.S. military may stimulate a counter- response from an adversary that could affect U.S. computers and networks, which may—or may not—be under military control. For example, a cyberattack that is conducted against a target in a given geographic command (e.g., PACOM) by the U.S. Strategic Command may stimulate action that has an impact on the regional networks used by that geographic command. A cyberattack launched by the United States may also stimulate adversary action that would have an impact on private sector network use and potentially disrupt important civilian activities—suggesting that cyberattacks by the U.S. military may have defensive implications. • Coordination between cyberattack and cyberexploitation. Unless attack and exploitation are coordinated, it is possible to imagine scenarios in which a cyberattack to plant false information in an adversary’s database results in the cyberexploitation extracting that false information and using it as though it were real and valid. And, of course, there is the classic conflict about whether it is more desirable to shut down an adversary’s communication channel (an attack opera- tion) or to listen to it (an exploitation operation). all military operations are subject to certain limitations mandated by the law of armed conflict regarding differentiation of targets, military neces- sity, limiting collateral damage, and so on. Of course, targets in cyberspace are different from targets on the ground, so the facts relevant to any given operation may be different in the former case than in the latter, but the analytical process remains the same. Thus, if it was legitimate to attack a target with kinetic weapons, it remains legitimate under the laws of armed conflict to attack it with cyberweapons. These considerations are addressed at length in Chapter 7. In short, according to this perspective, conflict in cyberspace should be treated like conflict in a physical domain, the same rules and policies should apply, and the only differences are operational. 

A MILITARY PERSPECTIVE ON CYBERATTACK 165 3.2  DEPARTMENT OF DEFENSE Organization for Cyberattack The U.S. Strategic Command (STRATCOM) plays a key role in DOD cyber operations. STRATCOM is composed of eight functional compo- nents, including five Joint Functional Component Commands (JFCCs). Each JFCC is responsible for focusing on a specific operational area—one of those operational areas involves offensive network warfare (NW) and defensive network operations (NetOps). Offensive network warfare is the responsibility of the Joint Functional Component Command for Network Warfare (JFCC-NW). The commander of the JFCC-NW is also the director of the National Security Agency (NSA) and is “responsible for deliberate planning of network warfare, which includes coordinated planning of offensive network attack.” JFCC-NW was established in January 2005. Network warfare as used in the context of JFCC-NW means “the employment of Computer Network Operations (CNO) with the intent of denying adversaries the effective use of their computers, information systems, and networks, while ensuring the effec- tive use of our own computers, information systems, and networks.” These operations include computer network attack (CNA), computer network exploitation (CNE), and Computer Network Defense (CND). The JFCC-NW also supports the network warfare needs of Combatant Commands/Commanders (COCOMs). Defensive network operations are the responsibility of the Joint Task Force-Global Network Operations (JTF-GNO). The commander of JTF- GNO is also the director of the Defense Information Systems Agency and is responsible for operating and defending the DOD information infra-  The eight components are JFCC–Global Strike and Integration (JFCC-GSI), JFCC– Integrated Missile Defense (JFCC-IMD), JFCC–Intelligence, Surveillance and Reconnaissance (JFCC-ISR), JFCC–Space (JFCC-SPACE), Joint Information Operations Warfare Command (JIOWC), STRATCOM Center for Combating Weapons of Mass Destruction (SCC-WMD), and Joint Task Force–Global Network Operations (JTF-GNO). See http://www.stratcom. mil/organization-fnc_comp.html.  Lt. Gen. Keith B. Alexander, “Warfighting in Cyberspace,” Joint Force Quarterly 46(3):58-61, 2007.  Clay Wilson, “Information Operations and Cyberwar: Capabilities and Related Policy Issues,” U.S. Congressional Research Service (RL31787), updated September 14, 2006, p. 8.  JFCC-NW Implementation Directive, January 20, 2005. Cited in Keith B. Alexander, “Warfighting in Cyberspace,” Joint Force Quarterly, July 2007, available at http://www. military.com/forums/0,15240,143898,00.html.  USSTRATCOM Command Video, available at http://www.stratcom.mil/Videos/ transcripts/Command%20Video.txt.  Joint Publication 3-13 (2006) states that STRATCOM has responsibility for “identify- ing desired characteristics and capabilities of CNA, conducting CNA in support of assigned missions, and integrating CNA capabilities in support of other combatant commanders.” 

166 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES structure known as the Global Information Grid (GIG). The Joint Informa- tion Operations Warfare Command, responsible for assisting combatant commands with an integrated approach to information operations, coor- dinates network operations and network warfare with the JTF-GNO and the JFCC-NW.10 As of November 2008, the JTF-GNO is for the first time placed under the operational control of the JFCC-NW.11 The JFCC-NW engages in a substantial amount of coordination with other entities. It coordinates its offensive activities directly with the defen- sive activities of the JTF-GNO. It “facilitates cooperative engagement with other national entities in computer network defense and network warfare as part of global information operations.”12 Because the commander of the JFCC-NW is dual-hatted as the director of the National Security Agency (Box 3.2), the JFCC-NW can easily work with the intelligence community to provide intelligence support for computer network operations. In addi- tion, coordination between cyberattack (a Title 10 function) and cyberex- ploitation (a Title 50 function) is more easily accomplished. Lastly, Joint Publication 3-13 also notes that CDRUSSTRATCOM’s specific authority and responsibility to coordinate IO [information operations, Box 3.3] across AOR and functional boundar- ies does not diminish the imperative for the other combatant command- ers to coordinate, integrate, plan, execute, and employ IO. These efforts may be directed at achieving national or military objectives incorporated in TSCPs [Theater Security Cooperation Programs], shaping the opera- tional environment for potential employment during periods of height- ened tensions, or in support of specific military operations. Two important points are embedded in this paragraph. First, STRAT- COM is not necessarily the only command that can actually carry out information operations, including computer network attack. (In some cases, STRATCOM will be a supporting command that provides support to other regional or functional commands. In other cases, it will be the supported command, receiving support from other regional or functional commands.) Second, information operations, including computer net- work attack, may be used both in support of specific military operations and during periods of “heightened tensions,” that is, early use before overt conflict occurs. 10 Clay Wilson, “Information Operations and Cyberwar,” 2006. 11 Memo of Robert Gates (Secretary of Defense) to DOD regarding Command and Con- trol for Military Cyberspace Missions, November 12, 2008. Copy available from the NRC. 12 U.S. Strategic Command website, http://www.stratcom.mil/about-ch.html. 

A MILITARY PERSPECTIVE ON CYBERATTACK 167 BOX 3.2  The National Security Agency-Central Security Service Often known simply as the National Security Agency, the organization is in fact a combat support agency of the DOD under the authority, direction, and con- trol of the Secretary of Defense, and is responsible for centralized coordination, direction, and performance of highly specialized intelligence functions in support of U.S. government activities. It includes both the National Security Agency and the Central Security Service. The NSA carries out the responsibilities of the Secretary of Defense to serve as executive agency for U.S. government signals intelligence (SIGINT), communications security, computer security, and operations security training activities. The CSS is composed of the Service Cryptologic Elements of the four uniformed services that are responsible for conducting their Title 50 SIGINT mission, and provides the military Services a unified cryptologic organization within the DOD that assures proper control of the planning, programming, budgeting, and expenditure of resources for cryptologic activities. Service cryptologic elements also perform other missions in direct support of their respective Services related to information operations (including computer network operations), and in doing so, they operate under Title 10 authority. The director of the National Security Agency (DIRNSA) serves as the director of both the National Security Agency and the Central Security Service and has both Title 10 and Title 50 responsibilities. As national executive agent for SIGINT, DIRNSA has operated with Title 50 authority and thus would be responsible for conducting cyberexploitations, which by definition are not supposed to damage, degrade, or disable adversary computer systems or networks. As the party re- sponsible for DOD information assurance, DIRNSA has operated with Title 10 authority. Finally, in January 2005, the Joint Functional Component Command for Network Warfare (JFCC–NW) was established under the U.S. Strategic Command, and DIRNSA was designated as its commander. As such, DIRNSA operates with Title 10 authority for any offensive missions (including cyberattacks) undertaken by the JFCC-NW. As this report is being written, these arrangements are in flux, as the DOD and the intelligence community are discussing the potential standup of a cyber combatant command. 3.3  Rules of Engagement In general, the rules of engagement (ROEs) for military forces specify the circumstances under which they may take certain kinds of action. (The laws of armed conflict place additional constraints on the permis- sible actions of military forces.) For example, many military installations contain areas in which “the use of deadly force is authorized” to stop individuals from trespassing—guards of such areas are authorized (but not required) to use any means necessary to do so. 

168 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 3.3  Information Operations and Related Capabilities Computer network operations are themselves part of a larger complex des- ignated as information operations (IO) by the Joint Chiefs of Staff. These other elements of information operations include: • Psychological operations (PSYOP), which include operations to convey selected truthful information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately, the behavior of their gov- ernments, organizations, groups, and individuals. The purpose of PSYOP is to induce or reinforce foreign attitudes and behavior favorable to the originator’s objectives. • Military deception, which includes actions taken with the purpose of delib­ erately misleading adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly forces’ mission. • Operations security (OPSEC), which is a process of identifying critical information and subsequently analyzing friendly actions and other activities to identify what friendly information is necessary for the adversary to have suffi- ciently accurate knowledge of friendly forces and intentions; deny adversary deci- sion makers critical information about friendly forces and intentions; and cause adversary decision makers to misjudge the relevance of known critical friendly information because other information about friendly forces and intentions remains secure. OPSEC seeks to deny real information to an adversary and prevent correct deduction of friendly plans. • Electronic warfare (EW) refers to any military action involving the use of electromagnetic (EM) and directed energy to control the EM spectrum or to at- tack the adversary. EW includes electronic attack (EM energy, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying adversary combat capability), electronic protection (which ensures the friendly use of the EM spectrum), and electronic war- fare support (ES, which searches for, intercepts, identifies, and locates or localizes sources of intentional and unintentional radiated EM energy for the purpose of im- mediate threat recognition, targeting, planning, and conduct of future operations). ES data can be used to produce SIGINT, provide targeting for electronic or other forms of attack, and produce measurement and signature intelligence (MASINT). SIGINT and MASINT can also provide battle damage assessment (BDA) and feedback on the effectiveness of the overall operational plan. In addition, a number of other capabilities support information operations in the DOD context, such as information assurance (IA), physical security, physical attack, and counterintelligence. Capabilities related to IO include public affairs (PA), civil-military operations (CMO), and defense support to public diplomacy. The Joint Chiefs of Staff note that these capabilities can also make significant contributions to IO but that their primary purpose and the rules under which they operate must not be compromised by IO. 

A MILITARY PERSPECTIVE ON CYBERATTACK 169 Some of the issues relevant to formulating ROEs for cyberattack might include: • When to execute a cyberattack—what are the circumstances under which a cyberattack might be authorized? • Scope of a cyberattack—what are the entities that may be targeted? • Duration of the cyberattack—how long should a cyberattack last? • Notifications—who must be informed if a cyberattack is conducted? • Authority for exceptions—what level of authority is needed to grant an exception for standing ROEs? To illustrate, consider the standing rules of engagement promul- gated by the Joint Chiefs of Staff, which state that “a [U.S.] commander has the authority and obligation to use all necessary means available and to take all appropriate [i.e., necessary and proportional] actions to defend that commander’s unit and other U.S. forces in the vicinity from a hostile act or demonstration of hostile intent [emphasis added]”13 where “hostile intent” is understood to mean that another party has taken some action that reasonably indicates a potential for more or less immediate attack. Applying this rule to the cyber domain raises the question of actions that constitute a demonstration of hostile intent. For example, do non- destructive adversary probes of important military U.S. computer systems and networks (or even systems and networks associated with U.S. critical infrastructure) constitute demonstrations of hostile intent? If so, do such actions justify actions beyond the taking of additional passive defense measures? Would a commander be permitted to conduct probes on adver- sary networks from which these probes were emanating? To conduct a responsive cyberattack to neutralize the probes? On this specific topic, Rear Admiral Betsy Hight of the Joint Task Force on Global Network Operations testified to the committee that the commander of the U.S. Strategic Command has operational authority to conduct cyber operations that are defensive in purpose against systems outside the DOD networks. The action taken in the operation may have an offensive character—that is, it may seek to damage or disrupt a system that is adversely affecting a DOD asset. Self-defense is generally limited in scope to addressing or mitigating the immediate hostile act, and is a last resort. The frequency with which the U.S. Strategic Command has actu- ally acted under this asserted authority, if at all, is unknown. 13 JointChiefs of Staff, Chairman of the Joint Chiefs of Staff Instruction, CJCSI 3121.01A, January 15, 2000, Standing Rules of Engagement for US Forces, available at http://www.fas. org/man/dod-101/dod/docs/cjcs_sroe.pdf. 

170 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES CND response actions (RAs) are a specific subset of self-defense and are likewise constrained to a measured response used as a last resort. CND RAs can be used only in response to a network event that creates a threshold impact. Additional limitations constrain the scope, duration, and impact of the CND RA. Moreover, CND RAs, like all self-defense, is a tactical activity, characterized as such because it is used in response to a specific hostile action and is designed to address and mitigate that action, and only that action. Offensive actions are not so limited. Both offensive and defensive actions must follow the law of war limitations with regard to differentiation of targets, military necessity, and limiting collateral damage, but defensive actions tend to be more limited in scope. Such self-defense operations would be designated as a CND response action, authority for which is described, constrained, and granted through standing rules of engagement established by the National Command Authority and flowing, through the secretary of defense, from the Pres- ident’s authority as commander-in-chief. Standing rules of engagement generally describe the authority commanders have to defend their per- sonnel and designated property. According to Admiral Hight’s testimony to the committee, the rules of engagement for CND response actions also specify that they are not authorized unless the hostile action has an impact on the ability of a combatant commander to carry out a mission or an ongoing military operation, and in particular that hostile actions that result only in inconvenience or that appear directed at intelligence gathering do not rise to this threshold. An example of a legitimate target for a CND response action would be a botnet controller that is directing an attack on DOD assets in cyber- space. Thus, if bots are active in DOD networks, and if through DOD mis- sion partners the controller of those bots can be identified in cyberspace, and if the botnet attack is compromising the DOD network’s ability to carry out its mission operationally, a CND response action—involving cyberattack—can be directed against the controller under these standing rules of engagement. As for geographic scope, a hostile cyber act may emanate from any- where in cyberspace. Accordingly, the impact of CND response actions directed against that source could also occur anywhere in cyberspace. The ease with which actors can use and misuse U.S.-based cyber assets for malicious purposes increases the probability that future CND response actions might impact that space. For this reason, the JTF-GNO maintains relationships with law enforcement, other federal entities, and Internet service providers. This ensures that if some other national asset, or the commercial sector, can mitigate malicious cyber activity against the DOD, those assets are used before resorting to CND response actions. The final point about this particular example is that from the DOD 

A MILITARY PERSPECTIVE ON CYBERATTACK 171 perspective, the cessation of a hostile action may be more important than the attribution of the action to a particular actor. Accordingly, under the stated policy, the DOD may be willing to take many steps to ensure that the hostile action ceases, even if those actions have ramifications beyond U.S. borders. 3.4  Some Historical Perspective Because the number of confirmed and unclassified instances of cyberattack launched by governments, friendly or hostile, is vanishingly small, it is hard to cite actual experience as a basis for understanding the effects of cyberattack. But a number of other incidents can provide some insight. Although the events described are not cyberattacks themselves, the affected entities involved are the kinds of targets that proponents of cyberattack weapons often discuss when advancing the case for the value of such weapons. The operational effects are the kinds of effects that cyberattacks might seek to cause. • In December 2006, a major fiber optic cable providing some 50 percent of Iran’s digital communications and Internet connections was damaged in Iran’s territorial waters in the Persian Gulf. A month later, 80 percent of the damaged capability had been restored. • In late December 2006, an earthquake off the shores of Taiwan dam- aged or destroyed eight fiber optic lines that connected Taiwan to other nations in the Pacific. There was some disruption to Internet and phone for about 2 days, and Internet connections were slow in Taiwan, Hong Kong, Japan, China, Singapore, and South Korea. However, although the cables were not repaired for almost 3 weeks, workaround restored most services quickly. • In February 2007, Mexico’s largest cell phone company experi- enced a “crash” that left 40 million cell phone users without service for most of a day. • In May 1999, the United States targeted the Belgrade electric power system as part of the Kosovo conflict, using carbon fibers to short genera- tors. In all, four strikes were conducted against the power system, but in each case, power generation was restored within a few days to a substan- tial fraction of what it was prior to the strike. Perhaps the most important feature of these incidents is the fact that their effects were relatively transitory, largely because the parties affected found workarounds that enabled them to compensate for the immedi- ate loss of capability. If these incidents had been caused deliberately, it is likely that repeated attacks would have been necessary to ensure that 

172 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES the reduction of capability persisted over time. Moreover, these incidents were, by themselves, of little strategic significance, though if they had been timed to coincide with some kinetic military operation, they might well have had a significant impact. At the same time, these observations do not account for possible impact on the psychological state of mind of relevant decision makers. The same major outage of service may result from a natural disaster, by a deliberate overt action, or by a deliberate and well-concealed action—but decision makers are likely to care about the specific cause of such an event. An outage caused by deliberate action is fundamentally differ- ent from the “same” outage caused by natural disaster, because the first carries with it the implicit threat of happening again when an adversary wants it to happen again. A well-concealed action attributed to a specific party could be argued to have an even greater impact on a decision maker, since he might well be hard-pressed to do anything about it. The 2007 cyberattack on Estonia yielded similar lessons (Box 3.4). The attack had a variety of short-term consequences for Estonia, including the inability of Estonians to access online banking services and government services, and for individuals outside Estonia to access the Estonian web for a while. Less measurable impacts such as confusion and miscom- munication were also noted.14 Although these impacts led press reports to suggest that the conflict was variously the first war in cyberspace, 15 Web War I,16 and “the first real example of nation-states flexing their cyber-warfare capabilities,”17 no critical infrastructure was targeted in the attacks, most sites were restored to service quickly, and the primary operational result of the attack was inconvenience. This is not to say that the attack was inconsequential. The incident did serve as a “wake-up call” for many other nations to inquire how they should respond to similar situations that might arise in the future. Dur- ing the attack, NATO provided experts in Internet warfare to assist in the investigation and defense.18 Furthermore, in the aftermath of the attacks, Estonia has proposed that NATO create a Cooperative Cyber Defense Center of Excellence to improve NATO members’ ability to cooperate 14 Jaak Aaviksoo, Minister of Defense of Estonia, presentation to Centre of Strategic and International Studies, November 28, 2007, p. 3. of transcript, available at http://www.csis. org/component/option,com_csis_press/task,view/id,3525/. 15 Mark Landler and John Markoff, “In Estonia, What May Be the First War in Cyber- space,” International Herald Tribune, May 28, 2007. 16 Joshua Davis, “Hackers Take Down the Most Wired Country in Europe,” Wired, Issue 15.09, August 21, 2007. 17 MacAfee Corp., “Cybercrime: The Next Wave,” McAfee Virtual Criminology Report, 2007, p. 9. 18 Economist, “A Cyber-riot,” May 10, 2007. 

A MILITARY PERSPECTIVE ON CYBERATTACK 173 BOX 3.4  The Cyberattacks on Estonia and Georgia Estonia On April 27, 2007, a series of distributed denial of service (DDOS) attacks b ­ egan on a range of Estonian government websites, media sites, and online bank- ing services.1 Attacks were largely conducted using botnets to create network traffic. The duration and intensity of attacks varied across the websites attacked. According to data collected by Arbor Networks, the attacks were primarily Internet Control Message Protocol (ICMP) floods with most lasting from 1 minute to 1 hour and a few lasting up to 10 hours. Most attacks had an intensity of 30 Mbps or less, though some measured up to 95 Mbps.2 Some Estonian websites were also ­defaced by people claiming to be Russian hackers, and tools in the form of scripts to conduct attacks were offered on Russian hacker sites and chat rooms.3 Computers running those scripts became packet sources, also contributing to the attacks.4 The attacks followed the removal the previous night of a statue memorial- izing WWII Soviet war dead from the center of the Estonian capital of Tallinn. They continued off and on until mid-May after peaking on May 9th, the day Russia commemorates Victory in Europe.5 The attacks were started and stopped deliber- ately by the attackers rather than being shut down through defensive measures.6 The Estonian government was quick to claim links between those conducting the ­ ttacks and the Russian government.7 The Estonian minister of defense stated that a the attacks were “unusually well-coordinated and required resources unavailable to common people.”8 He claimed this indicated involvement beyond the capabilities of outraged citizens, though he did not make any explicit claims about involvement by state actors. One expert in cyberterrorism was quoted as saying that the attacks bore the hallmarks of a “false flag” operation, used to test out defenses.9 Russian officials denied any involvement.10 Evidence of Russian involvement was circumstantial with no “smoking gun” found to indicate any connection between the Russian government and the con- duct of the attacks.11 Hillar Aarelaid, chief security officer for Estonia’s version of the U.S. Computer Emergency Response Team, dismissed claims that a Russian government link could be proven.12 The botnets were composed of compromised computers from the United States, Europe, Canada, Brazil, Vietnam, and other countries around the world. There was evidence of Russian nationalists promoting the attacks through blog posts with scripts and instructions for conducting DDOS attacks on Estonian websites.13 One script used in the attacks which sent ping floods to Estonian websites was shared extensively on Russian language boards.14 Some attackers in the earliest attacks were identified by their IP addresses as coming from Russia, including some from Russian state institutions.15 An Estonian news site stated that a member of Nashi, a Russian youth group tied to Russian President Putin, claimed that the group was behind the attacks, but there was no corroboration of this claim.16 Continued 

174 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES Box 3.4 Continued Georgia In August 2008, a military conflict involving land, air, and sea forces of Geor- gia and Russia occurred in South Ossettia and Abkhazia, provinces under the nominal control of Georgia. Russian military action in this conflict was immediately preceded by a number of cyberattacks against a variety of websites of the Geor- gian government.17 These attacks defaced these websites and also made it very difficult for the Georgian government to put out its side of the story. Cyberattacks against certain Georgian government Web sites reportedly continued even after Russia declared a cease-fire. In broad outline, the cyberattacks against Georgia were very similar to those against Estonia. As in the Estonian case, these attacks were not conclusively traced to the Russian government, and the Russian government denied involve- ment.18 Various analysts argue that they were controlled by the Russian Business Network,19 a business organization alleged to have criminal ties, and even private Russian citizens.20 The primary significance of the cyberattacks on Georgia is in their appearing to be the first instance of simultaneous actions involving cyberattack and kinetic attack, rather than in any of the particulars of the cyberattacks themselves. 1 Economist, “A Cyber-riot,” May 10, 2007; Jaak Aaviksoo, Minister of Defense of Estonia presentation to Centre of Strategic and International Studies, November 28, 2007. 2 The most detailed measurements on the attacks are from Arbor Networks; Jose ­Nazario, “Estonian DDoS Attacks—A Summary to Date,” May 17, 2007, available at http://asert.­ arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/. Those measurements also show a small percentage of the TCP SYN attacks. 3 Some examples are available from the F-Secure weblog at http://www.f-secure.com/­ weblog/archives/archive-052007.html#00001188. See also Miska Rantanen, ­“Virtual Harass- ment, But for Real,” Helsingin Sanomat, May 6, 2007, available at http://www.hs.fi/english/­ article/Virtual+harassment+but+for+real+/1135227099868. 4 Heise Security, “Estonian DDoS—A Final Analysis,” May 31, 2007, available at http://www. heise-security.co.uk/news/90461. This article quotes Jose Nazario from Arbor Networks. See also the Arbor Networks measurements cited previously. 5 Michael Lesk, “The New Front Line: Estonia under Cyberassault,” IEEE Security & Privacy 5(4):76-79, 2007. in operational situations and to develop a doctrine for responding to cyberattacks.19 Data on and analysis of the attacks have been provided to NATO members to inform efforts aimed at better defending against such 19 Jaak Aaviksoo, Minister of Defense of Estonia, presentation to Centre of Strategic and International Studies, November 28, 2007, p. 7. of transcript, available at http://www.csis. org/component/option,com_csis_press/task,view/id,3525/. 

A MILITARY PERSPECTIVE ON CYBERATTACK 175 6 MacAfee Corporation, “Cybercrime: The Next Wave,” McAfee Virtual Criminology Report, 2007, p. 11. 7 Maria Danilova, “Anti-Estonia Protests Escalate in Moscow,” Washington Post, May 2, 2007, available at http://www.washingtonpost.com/wp-dyn/content/article/2007/05/02/ AR2007050200671_2.html. The article quotes both the Estonian president and ambassador to Russia as claiming Kremlin involvement. 8 Jaak Aaviksoo, minister of defense of Estonia, in a presentation at the Centre of Strategic and International Studies, November 28, 2007, p. 2 of transcript, available at http://www.csis. org/component/option,com_csis_press/task,view/id,3525/. 9 MacAfee Corp., op. cit., p. 9. The report quotes Yael Shahar, International Institute for Counter-Terrorism, Israel. 10 MacAfee Corp., op. cit., p. 7. 11 E-mail from Jose Nazario of Arbor Networks, July 5, 2007. See also Heise Security, “Estonian DDoS—A Final Analysis,” May 31, 2007, available at http://www.heise-security. co.uk/news/90461. 12 Jeremy Kirk, “Estonia Recovers from Massive DDoS Attack,” Computerworld Securi- ty, May 17, 2007, available at http://www.computerworld.com/action/article.do?command= viewArticleBasic&articleId=9019725. 13 Jeremy Kirk, “Russian Gov’t Not Behind Estonia DDOS Attacks: Analysis Throws Doubt on Whether a Single Agency Alone Was Involved,” InfoWorld, June 1, 2007, available at http:// www.infoworld.com/article/07/06/01/Russia-not-behind-Estonia-DDOS-attacks_1.html. 14 Heise Security, op. cit. 15 Ian Traynor, “Russia Accused of Unleashing Cyberwar to Disable Estonia,” Guardian, May 17, 2007, available at http://www.guardian.co.uk/russia/article/0,,2081438,00.html. 16 Cory Doctorow in a June 2, 2007, blog entry on Boing Boing (http://www.boingboing. net/2007/06/02/estonia-didnt-suffer.html) cited an Estonian news article from Postimees.ee posted on May 29, 2007, available at http://www.postimees.ee/290507/esileht/siseuudised/ 263405.php. See Owen Matthews and Anna Nemtsova, “Putin’s Powerful Youth Guard,” News- week, May 28, 2007, for a description of Nashi and its link to President Putin and the Russian government. 17 “Georgia Accuses Russia of Coordinated Cyberattack,” CNET News, August 11, 2008, available at http://news.cnet.com/8301-1009_3-10014150-83.html. 18 John Markoff, “Before the Gunfire, Cyberattacks,” New York Times, August 13, 2008, avail- able at http://www.nytimes.com/2008/08/13/technology/13cyber.html?fta=y. 19 Gregg Keizer, “Cyberattacks Knock Out Georgia’s Internet Presence,” Computerworld, August 11, 2008, available at http://www.computerworld.com/action/article.do?command= viewArticleBasic&articleId=9112201. 20 Byron Acohido, “Some Russian PCs Used to Cyberattack Georgia,” USA Today, August 17, 2008, available at http://www.usatoday.com/tech/news/computersecurity/ hacking/2008-08-17-russia-georgia-war-hackers_N.htm. attacks.20 From a legal and policy standpoint, the attack raised questions about whether such an attack constituted an armed attack in the sense intended by the UN Charter and whether cyberattacks against a member nation ought to be included in the provisions of Article V of the North 20 MacAfee Corporation, “Cybercrime: The Next Wave,” McAfee Virtual Criminology Report, 2007, p. 11. 

176 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES Atlantic Treaty which provides for collective self-defense if any member is attacked.21 A second set of issues appears to have emerged from the U.S. experi- ence more generally with information operations in the Kosovo conflict. Analysts and decision makers considered using information operations, including computer network attack, as part of an integrated campaign against certain targets in Kosovo. However, in practice, options such as computer network attack proved harder to use than expected, in part because of the difficulties in obtaining the necessary approvals and autho- rizations to use them. In some cases, the approval process took so long that the utility of the operation had passed, at least in part because the execution of a particular option had many unknowns about likely effects. In other cases, it would have been relatively straightforward for the adversary to counter the use of such an option. The summary assessment of a senior military officer regarding information operations in Operation Allied Force—“a big wind-up to an underhand throw.” Of course, the past may not be the best predictor of the future, espe- cially when Allied forces are just starting to explore the possibilities and limitations of information operations, and in particular where decision- making processes have not yet fully accommodated the need to account for information operations. These observations are offered only to suggest that initial predictions of easy application are not likely to be realized. The past decade has also seen a number of shifts in doctrinal perspec- tive. For example, in 1998 the DOD publication JP3-13, Joint Doctrine for Information Operations, made reference to offensive and defensive infor- mation operations, as well as to “information warfare.” The 2006 revision of JP3-13, Information Operations, discontinued the terms “offensive IO” and “defensive IO” but retained the recognition that information opera- tions can be applied to achieve both offensive and defensive objectives, and it eliminated the term “information warfare” from joint IO doctrine. Furthermore, it defined five core capabilities for information operations (electronic warfare, computer network operations, psychological opera- tions, operations security, and military deception) and their associated supporting and related capabilities. Lastly, it established the core IO capa- bility of computer network operations, integrating computer network attack, computer network defense, and computer network exploitation under one umbrella. 21 Ian Traynor, “Russia Accused of Unleashing Cyberwar to Disable Estonia,” Guardian, May 17, 2007, available at http://www.guardian.co.uk/russia/article/0,,2081438,00.html. 

A MILITARY PERSPECTIVE ON CYBERATTACK 177 3.5  Cyberattack in Support of Military Operations— Some Hypothetical Examples What are some of the applications of cyberattack? It is helpful to consider several broad categories separately. Cyberattack can support information operations within the information operations sphere and also other military operations. In addition, cyberattack can be applied to mis- sions that are not traditionally within the military domain. 3.5.1  Cyberattack in Support of Defense, Exploitation, and Other Information Operations As noted above, cyberattack can be used defensively to eliminate a threat to DOD systems or networks (an application of computer network defense). For example, the DOD might use a botnet to launch a DDOS counterattack to disable the computers from which a threat to DOD sys- tems originates.22 In support of CNE, a cyberattack could be used to dis- able security software so that a cyberexploitation could insert monitoring software (e.g., key loggers) on adversary computers or networks. Cyberattack can also be used to support other non-computer IOs. For example: • Psychological operations. A cyberattack could be used to generate frequent e-mail messages or telephone calls to specific adversary deci- sion makers. The frequency of such e-mail messages or phone calls could disrupt their work environments, making it difficult for them to work there. And the content of such e-mail messages could include threats such as “your building is going to be bombed in 30 minutes; it is a good idea if you leave” or “we know where your lover’s safe house is.”23 Another PSYOP application might call for the launching of a small but very visible 22 The notion that the United States would actually do so—use a botnet in such a m ­ anner—is speculative, but such speculation has been seen from senior military lawyers, such as the staff judge advocate for the Air Force Intelligence, Surveillance and Reconnais- sance Agency. See Charles W. Williamson III, “Carpet Bombing in Cyberspace: Why America Needs a Military Botnet,” Armed Forces Journal International, May 2008, available at http:// www.armedforcesjournal.com/2008/05/3375884. 23Air Force Doctrine Document 2-5 (issued by the Secretary of the Air Force, January 11, 2005) explicitly notes that “psychological operations can be performed using network attack [defined as employment of network-based capabilities to destroy, disrupt, corrupt, or usurp information resident in or transiting through networks] to target and disseminate selected information to target audiences.” See http://www.herbb.hanscom.af.mil/tbbs/R1528/AF_ Doctrine_Doc_2_5_Jan_11_2005.pdf. 

178 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES cyberattack and then announcing it to an adversary in order to undermine the adversary’s confidence in its essential systems.24 • Operations security. Cyberattacks could be used to target specific adversary sensor systems that are intended to report on information related to the location of friendly forces. For example, an adversary may have compromised a computer system on a DOD network that has access to information related to troop movements. An attack on that computer could render it inoperative, but it might be more useful to feed it incor- rect information about troop movements knowing that such information might be highly trusted by the adversary. • Military deception.25 Cyberattacks could be used to gain access to an adversary computer system in its command and control structure. By assuming control of a computer used by a senior intelligence analyst, for example, bogus e-mail traffic could be sent to that analyst’s custom- ers. The contents of these e-mails could easily provide misinformation regarding the military capabilities, intentions, locations, and operations of friendly forces. Moreover, responding e-mails back to the analyst could be intercepted and appropriately modified before being displayed to the analyst. • Electronic warfare. Cyberattacks could be used to disable an adver- sary’s software-defined radios, thus preventing enemy wireless battlefield communications (which is often a goal of EW). In addition, EW could sup- port cyberattacks. For example, to the extent that adversary computer sys- tems are connected through wireless links, EW might be used to jam those links in order to disrupt the wireless network—that is, jamming would be a denial-of-service cyberattack against the network in question. Cyberattack can also be used to support related missions, such as propaganda. Here is one possible example: • Ruritania and Zendia are adversaries. Ruritania penetrates a Zendian GIS system focused on Armpitia, a Ruritarian ally, to alter maps and targeting databases. An Armpitian building containing a day-care center is marked as a munitions bunker, a historic cathedral as a troop barracks, and the embassy of a neutral nation as a branch of the ally’s 24 Defense Science Board, “Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software,” U.S. Department of Defense, September 2007, p. 22. 25 Air Force Doctrine Document 2-5 (issued by the secretary of the Air Force, Janu- ary 11, 2005) explicitly notes that “network attack may support deception operations against an adversary by deleting or distorting information stored on, processed by, or transmitted by network devices.” Available at http://www.herbb.hanscom.af.mil/tbbs/R1528/AF_ Doctrine_Doc_2_5_Jan_11_2005.pdf. 

A MILITARY PERSPECTIVE ON CYBERATTACK 179 ministry of defense. When Zendia launches an attack on Armpitia using cruise missiles, it destroys the embassy and the church, and kills dozens of children. CNN shows the evidence of the war crimes to the world. Public opinion swings against Zendia, war crime charges are filed at the Hague, and Zendian planners lose confidence in their standoff weapon systems. Another example is the use of botnets to send spam e-mail carry- ing propaganda messages to an entire population. One related instance occurred in 2000, when a virus was used to spread information regarding a specific ethnically based incident or community in Sri Lanka. 26 3.5.2  Cyberattack in Support of Traditional Military Operations Cyberattacks could also be used in connection with a variety of traditional military operations. Five illustrative examples are provided below: • Disruption of adversary command, control, and communications. Such disruption could involve denial of service (so that those links are unus- able) or spoofing or impersonation of legitimate authorities (so that infor- mation received by one party is not the information sent by the originat- ing party). Tactical C2 networks and/or links between the adversary national command authority and forces in the field could be disrupted. Adversary planning (e.g., for military actions against U.S. forces) could be disrupted or altered clandestinely. • Suppression of adversary air defenses. A networked air defense system that can pass data from forward-deployed sensors to air defense forces in the rear is much more effective than one without such coordination available. Disruption of such communications links can degrade the per- formance of the overall system considerably. It is also possible to imagine that long before any attack took place, an air defense radar delivered to an adversary might be clandestinely programmed to ignore certain radar sig- natures, namely those associated with airplanes friendly to the attacker, but only during certain times of day. From the adversary’s perspective, the radar would appear to be working properly, as it would detect most airplanes most of the time. But the attacker would know the proper win- dow to attack so that its airplanes would be ignored. • Degradation of adversary smart munitions and platforms (example 1). Platforms (e.g., airplanes) and munitions (e.g., missiles) are increasingly 26 Second Incident of Cyber-Terrorism in Sri Lanka, available at http://www.lankaweb. com/news/items01/210501-2.html. 

180 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES controlled by microelectronics, and such platforms may be sold or made available to other parties (e.g., friendly nations or insurgent groups). But there may be no assurances that these items will not ever be used against U.S. forces. To guard against this possibility, the electronics of such sys- tems could be programmed to self-destruct if a “stay-alive” code were not entered after a fixed period of time, or if the hardware saw a particular bit stream on a communications bus or in memory. The “self-destruct” bit stream could, in principle, be transmitted by U.S. forces confronted with these platforms or munitions. • Degradation of adversary smart munitions and platforms (example 2). Zendia acquires smart weapons using GPS chips made in a factory in a country friendly to the United States. Unbeknownst to Zendia, the GPS chips have circuitry such that if they are given coordinates within the borders of the United States or its allies, they actually translate the coordinates in a random direction to 2 times the damage radius that the United States has calculated for the weapons in use. The weapons test fine for Zendia on all ranges, and work fine when they are used in a skirmish against a neighbor. However, in any engagement with an U.S. ally, the weapons consistently fail to hit targets, and there is no adjustment pos- sible because of the random nature of the translation. • Attacking adversary warfighting or warmaking infrastructure (the adversary defense industrial base). A cyberattack might be used to gain access to a factory producing electric motors for military vehicles. (The factory in question is poorly managed and produces motors only for military use.) With a few commands, the factory is redirected to produce motors using materials that are badly suited for the demands of heavy military use. Such motors work for a short time, but by the time the prob- lem is discovered, many such motors have been shipped and installed in the adversary’s military vehicles. 3.5.3  Cyberattack in Support of Other Operations Cyberattack can support a variety of other operations as well, though these are not in the category of what are traditionally undertaken by mili- tary forces. Illustrative cyberattacks against terrorist groups or interna- tional organized crime are described in Chapter 4, on the intelligence com- munity; illustrative cyberattacks to support cyberexploitation on domestic criminals are described in Chapter 5, on domestic law enforcement. However, an important point to note is that irrespective of whether the intelligence community or domestic law enforcement agencies find it useful and appropriate to conduct cyberattacks against some adversary, it may well be that the U.S. military is the only U.S. government agency with the technical capacity to launch appropriately focused cyberattacks 

A MILITARY PERSPECTIVE ON CYBERATTACK 181 of significance. Thus, if U.S. military assets and personnel are needed for such purposes, appropriate interagency understandings would have to be reached—and necessary legal authorities obtained—to allow the DOD to execute cyberattacks on behalf of any of these other agencies. For illustrative purposes only, the examples below describe how cyberattack might be used in support of non-military objectives: • The leader of an adversary nation controls significant military forces, presides over significant human rights violations in his coun- try, and enriches himself at public expense. A cyberattack could be one approach to threatening the leader’s personal financial assets. The exis- tence of such a personal threat might be useful in influencing the leader to stand down his military forces when peacekeeping forces arrive. • Cyberattack might be an element of a strategic communications effort with the population of a nation. Just as radio has been used as a medium through which the United States has been able to provide infor- mation unfiltered by the governments of nations of interest (e.g., Radio Free Europe), the Internet is such a medium today and for the future. However, since nations have been known to seek to block information flows that they regard as unfriendly, U.S. cyberattacks might be used to help residents of these nations circumvent or avoid these various blocking mechanisms. • Cyberattack might be an element of a strategic communications effort against an adversary. For example, some terrorist groups are known to use the World Wide Web for recruiting purposes and the Internet for communications. Cyberattacks might be used to compromise recruiting websites or servers known to be used by terrorists. Another scenario relates to a kinetic attack on a nation that is accompanied by a cyberat- tack against that nation’s government and media websites. Such an attack might be used to inhibit that nation’s ability to tell the world its side of the story,27 or perhaps even to assume control of those websites and provide the world (and its own citizens) with information more favorable to the attacker’s position. It must be emphasized that the scenarios described above are not endorsed by the committee as being desirable applications—only that 27According to press reports, a cyberattack on Georgian government websites was launched (perhaps by the Russian government, perhaps by private parties sympathetic to the Russian attack) to coincide with the August 2008 Russian attack on South Ossetia, which had the effect of limiting the Georgian government’s ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia. See John Markoff, “Before the Gunfire, Cyberattacks,” New York Times, August 13, 2008, available at http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=1&oref=slogin. 

182 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES they represent kinds of scenarios that arise naturally in discussions about cyberattack in pursuit of large-scale strategic interests. As an illustration of a potential problem with such scenarios, consider that manipulation of the information on the websites of an adversary nation’s government might affect the information received by U.S. citizens (e.g., through news media receiving altered or manipulated information from those sources and broadcasting that information in the United States). To the extent that the altered or manipulated information was untrue, the U.S. government might be explicitly responsible for misleading the public—an action that could negatively affect the free speech rights of U.S. citizens. 3.6  Operational Planning Operational planning processes for cyberattack are not known pub- licly. But given the similarities of Air Force doctrine for air operations and the cyber missions laid out in Section 3.1, it is not unreasonable to suggest one notional planning process for cyberattack that is roughly par- allel to the process for planning offensive air operations—specifically the development of the air tasking order (ATO) that specifies at a high level of detail the actions of air assets in a specific conflict for a specific period of time (usually, 24 hours). The development of a notional cyberattack tasking order (CTO) might entail the following steps. • The starting point is the explication of a commander’s objectives and guidance, and his vision of what constitutes military success. The intent of the operation is defined, and priorities are set. The commander’s intent drives the development of targeting priorities and the appropriate rules of engagement. For example, the commander would determine if the intent of the cyberattack is to create widespread chaos or very specific targeted damage. • The next step is target development. Subject to requirements imposed by the law of armed conflict and the rules of engagement, targets are nominated to support the targeting objectives and priorities provided by the commander. Targets are selected from a variety of sources, includ- ing requests from the field, reconnaissance, and intelligence recommenda- tions. Target development often begins before hostilities begin, and the end product of target development is a prioritized list of targets. Legal issues enter here regarding whether a proposed target is indeed a valid and legitimate military target (the necessity requirement discussed in Chapter 7). • Then comes weaponeering assessment. In these phases, the target list is matched to the appropriate types of weapons in the inventory, taking into account the expected results of using weapons on these tar- 

A MILITARY PERSPECTIVE ON CYBERATTACK 183 gets. Knowledge of munition effectiveness is thus an essential aspect of weaponeering. Legal issues enter here regarding whether the military value of destroying the target outweighs the collateral damage that might occur during the attack (the proportionality requirement, discussed in Chapter 7). • Force execution refers to the actual execution of the various forces allocated to servicing the targets on the target list, and is the phase in which all elements of the operation are integrated to gain maximum effect. A cyberattack tasking order could support other combat operations and other combat operations could support cyber operations which could be their principal role. Deconfliction (i.e., coordination of forces to ensure that they do not interfere with each other) is part of force execution. For a cyberattack, two phases of execution may be required. An initial phase may introduce a vulnerability that can be exploited later, though if an exploitable vulnerability already exists, this phase may not be necessary. A later phase (perhaps much later) involves the actual exploitation of the vulnerability to cause the damage desired. • Combat assessment evaluates the effectiveness of combat opera- tions against the commander’s objectives. Combat assessment includes battle damage assessment and recommendations for reattack, and it pro- vides the inputs for the next iteration of the cyberattack tasking order. Another notional process for operational planning of cyberattack might be similar to that used to develop the Single Integrated Operating Plan (SIOP) for using nuclear weapons.28 It is publicly known that the SIOP contains a variety of options from which the President may select should he decide that nuclear weapons should be used. These options fall into categories such as “Major Attack Options,” “Selected Attack Options,” “Limited Attack Options,” “Demonstration Use,” and so on. Any given option consists of a list of targets, a timetable on which the targets are to be attacked, and the nuclear weapons systems that are to be used in the attack on those targets. Translated into the cyberattack domain, a cyber-SIOP could similarly include a list of targets, a timetable on which the targets are to be attacked, and the cyberweapons that are to be used in the attack on those targets. Large-scale attack options might involve large attacks intended to create far-reaching effects, while small-scale options might be narrowly tailored to address a particular target set. Depending on the rules of engagement and the authorizations needed to execute such a plan, either STRATCOM 28 The name of the strategic nuclear response plan was changed to OPLAN 8044 in early 2003. The SIOP terminology is retained here because it is less cumbersome than OPLAN 8044. 

184 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES or the geographic combatant command could carry out any one of these options, though it is likely that STRATCOM is largely responsible for planning regional attack options as well as attack options relevant to the entire globe. A major difference between a cyber-SIOP and a nuclear response plan is the possibility of rapid changes in defensive postures for cyber targets. Many of the targets in any nuclear response plan would be fixed in location, with no defensive measures in place. To the extent that cyber targets might change their defensive postures in ways unknown to a cyberattacker, they are more analogous to targeting mobile assets in the nuclear response plan—and targeting of mobile assets is known to be an extraordinarily challenging task. The operational implication of a cyber- SIOP is that a static planning process is unlikely to be effective, and both intelligence gathering and attack planning on possible targets in the vari- ous attack options would have to be done on a frequent if not continuous basis. 3.7  Human Capital and Resources As the U.S. armed forces become more involved with offensive cyber operations, it becomes more important to have a professional military corps that is actively engaged in thinking about how best to use the new capabilities associated with cyberattack. From an operational perspective, the complexity and scope of cyber- attack suggest that the mix of skills needed to operate successfully is quite broad. Moreover, the necessary skills are not limited to the traditional military specializations of operations, intelligence, and communications— necessary specialized knowledge and information may be needed from the private sector or from other government agencies (e.g., the State Department or Department of Commerce or the Office of the U.S. Trade Representative). Thus, the operational planning process must include some ways of making such expertise available to military planners and decision mak- ers. Note also that a distributed planning process is also more logistically cumbersome than one in which all the individuals with relevant expertise are available in one location (and are in the same time zone). Another problem regarding the specialized expertise brought to bear in operational planning is the highly classified nature of cyberattack. With such classification practices in widespread use, it becomes difficult to gain broad exposure to the techniques and the operational implications of employing those techniques—and thus the available expertise is more restricted than it would otherwise be. Yet another issue is that, as noted in Chapter 2, the success of a cyber- 

A MILITARY PERSPECTIVE ON CYBERATTACK 185 attack may well depend on the availability of skilled operators who can think “on the fly” and adapt an attack in progress to circumvent unex- pected defenses and unanticipated problems. This fact has many implica- tions for training and suggests the importance of focusing on developing cyberattack skills to a very high level of proficiency in a few individuals in addition to developing basic skills in a large number of individuals. Today, cyberattack operators do not have their own specialization, and they are often typically drawn from those in the intelligence and communications career tracks. (In other cases, they are drawn from com- bat specializations that do not nurture any particular expertise relevant to cyberattack at all.) In the long run, the increasing skill requirements described above for conducting successful cyberattacks suggest a need for specialization comparable to the more traditional combat specializa- tions for personnel. Such specialization—likely in operations rather than intelligence or communications—would provide training and education that integrates the relevant skills from all of the relevant disciplines. It would also provide upward mobility and well-defined career paths with opportunities for multiple promotions and senior leadership. Lastly, the Department of Defense invests heavily in realistic training and exercises for personnel with traditional military specializations. Train- ing and exercises go far beyond developing individual competence and expertise in combat—they are proving grounds for new tactical concepts and provide insight into how groups of people (i.e., units) can function effectively as a team. Today, traditional military exercises may include a cyber component, but often the cyber component is not prominent in the exercise and only a relatively small fraction of the exercise involves cyber activities. The investment in training and exercises for cyberattack and cyber- conflict is far below that which is allocated to training for combat in tra- ditional domains. However, not enough is known to determine if the cur- rent investment is adequate (that is, if it properly reflects the importance and scale of cyber operations in the future) or inadequate (as might be the case if institutional pressures and prejudices gave short shrift to this type of combat). As this report was going to press, Secretary of Defense Robert Gates announced that in order to improve cyberspace capabilities, the DOD will seek to increase the number of cyber experts that the depart- ment can train from 80 students per year to 250 per year by FY 2011. 29 29 “Gates Unveils Overhaul of Weapons Priorities,” Wall Street Journal, April 6, 2009, avail- able at http://online.wsj.com/article/SB123904207376593845.html?mod=googlenews_wsj. 

186 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES 3.8  Weapons systems acquisition The acquisition of weapons is one of the prime responsibilities of the military services. To illustrate some service desires for cyberweaponry: • The Air Force is seeking to acquire a Cyber Control System (CCS) to provide command and control for the Air Force portion of the DOD Global Information Grid (GIG). The CCS is intended to enable active defense operations “by providing GIG situational awareness along with both automated responses (based on pre-defined Rules of Engagement) and recommended Courses of Action (COA) in response to network intrusions/attacks.” The CCS is also intended to enable network attack operations.30 • The Air Force is supporting the Dominant Cyber Offensive Engage- ment problem, which is intended to develop capabilities for gaining access to any remotely located open or closed computer information systems; obtaining full control of a network for the purposes of information gath- ering and effects-based operation; and maintaining an active stealthy but persistent presence within the adversaries’ information infrastructure. 31 • The U.S. Air Force has noted a need for new technologies to sup- port network attack (network-based capabilities to destroy, disrupt, cor- rupt, or usurp information resident in or transiting through networks), network defense (network-based capabilities to defend friendly informa- tion resident in or transiting through networks against adversary efforts to destroy, disrupt, corrupt, or usurp it), and network warfare support (actions tasked by or under direct control of an operational commander to search for, intercept, identify, and locate or localize sources of access and vulnerability for the purpose of immediate threat recognition, target- ing, planning, and conduct of future operations such as network attack).32 Some of these specific needs are described in Box 3.5. • The Army has issued a broad agency announcement seeking tech- nologies for network disruption using “subtle, less obvious methodology 30 See http://www.fbo.gov/spg/USAF/AFMC/ESC/R1739/SynopsisP.html. 31 FUNDING OPPORTUNITY NUMBER: BAA 08-04-RIKA, https://www.fbo.gov/ index?s=opportunity&mode=form&id=b34f1f48d3ed2ce781f85d28f700a870&tab=core&_ cview=0&cck=1&au=&ck=. 32 Broad Agency Announcement (BAA ESC 07-0001), OL-AA 950 ELSG/KIS, Network Warfare Operations Capabilities (NWOC), Technology Concept Demonstrations, available at http://www.herbb.hanscom.af.mil/tbbs/R1528/Final_NWOC_BAA_Amend_5.doc. 

A MILITARY PERSPECTIVE ON CYBERATTACK 187 BOX 3.5  Illustrative U.S. Air Force Technology Needs for Cyberattack A broad agency announcement from the U.S. Air Force calls for proposals to develop the following technologies for network attack, network defense, and network warfare support.1 Some of the technologies sought include: • Mapping of networks (both data and voice); • Access to networks; • Denial of service on current and future operating systems and network devices; • Data manipulation; • Technologies/concepts for developing capabilities for IO modeling and simulation; • Situational awareness that gives the operator near real-time effectiveness feedback in a form that is readily observed by the operator; • Technologies/concepts for developing capabilities to assess and visualize non-kinetic effects; • Technologies/capabilities/concepts for generating and distributing dynam- ic electronic target folders to include non-kinetic courses of action (COAs); • Processing of multi-level security information; and • Technologies/concepts for developing capabilities to support rapid imple- mentation of effects-based capabilities. 1 Broad Agency Announcement (BAA ESC 07-0001), OL-AA 950 ELSG/KIS, Network Warfare Operations Capabilities (NWOC), Technology Concept Demonstrations, available at http://www.herbb.hanscom.af.mil/tbbs/R1528/Final_NWOC_BAA_Amend_5.doc. that disguises the technique used and protecting the ability whenever possible to permit future use.”33 Acquisition policy in general terms is addressed in Chapter 6. 33 Army Offensive Information Operations Technologies Broad Agency An- nouncement, May 3, 2007, available at https://abop.monmouth.army.mil/baas.nsf/ Solicitation+By+Number/9BE5D8EAE22A6339852572D4004F0DD5/$File/BAA+Army+ Offensive+Information+Operations+Technologies.doc.