The Cyber National Mission Force (CNMF) achieved full operational capability in May 2018, with 133 teams fielded across the services.1 These teams ultimately are controlled by U.S. Cyberspace Command (CyberCom), now officially a unified combatant command, with some control delegated to the five respective service cyber components.2 The teams range from purely offensive to purely defensive, depending on their assigned primary level of operation and supported command. The CNMF has been evolving since 2013, with CyberCom and the service components working largely in parallel to determine how to conduct cyber operations in this new warfighting domain.
With the goal of pulling together forces and equipment under one unified command now accomplished, the focus needs to shift to the underdeveloped concept of employment, improving formal training, integrating cyber capability into conventional forces, and applying this capability at the tactical level. During this process, care must be taken to protect the CNMF’s responsibility to support conventional operations.
Offensive cyber operations (OCO) are highly classified. However, a cursory observation of the cyber attacks on Ukraine, which were widely attributed to Russia, offers a window into what is possible, at least by U.S. rivals. Perhaps the most compelling example is the coordinated attack in December 2015 against three Ukrainian energy companies, affecting seven 110 kilovolt (kV) and 23 35 kV substations. This resulted in 225,000 customers losing power across various regions.3 The attack was carefully planned and coordinated, as evidenced by supporting attacks on backup systems and telephonic floods of customer service lines. The initial assaults were followed by an attack designed to turn off power to target regions and subsequent amplifying strikes that wiped management computers and destroyed physical hardware controlling critical functions within the substations. A massive amount of conventional munitions would have been required to accomplish the same amount of damage and confusion, leaving no doubt that preparatory “cyber fires” offer significant advantages to hostile forces in the future.
It is reasonable to assume the CNMF has cyber capabilities equal to those that were demonstrated against Ukraine. Unlike its adversaries, the United States has not had the opportunity to test the integration of cyber capabilities and conventional operations at scale against a state the size of Ukraine. Thus, commanders of conventional forces are largely ignorant of the CNMF’s full capabilities, and the CNMF has been afforded limited opportunities to integrate with conventional forces to support their scheme of maneuver through offensive and defensive cyber operations (DCO). The U.S. military needs to rapidly mature its collective mind-set, training, resources, and legal foundation to wield this new form of combat power so that it best supports objectives at every level of war.
First, Be Strong on Defense
The military, political, and media communities have become obsessed with the effects that can be generated through OCO, fueled by examples of its effectiveness in various open and clandestine state conflicts, as well as in criminal activities around the world. While these capabilities are impressive, the United States must make DCO its primary effort in the cyberspace domain. No types of fires are in themselves decisive, including those delivered through cyberspace. If OCO fails to achieve its intended effects supporting a conventional operation, but DCO is successful in denying an adversary the ability to affect friendly warfighting networks, the mission likely will be an overall success. DCO is not as glamorous or as worthy of headline news, but its primacy in the hierarchy of needs in cyberspace is clear. DCO is essential for mission assurance.
Train Officers and Hold Them Accountable
It is unlikely that Navy and Marine Corps operational and tactical commanders ten years from now will have been adequately exposed to cyber warfare at any previous point in their careers. Therefore, formal education—beyond the few existing PowerPoint presentations on cyber warfare at command and staff colleges—is necessary to equip commanders at all levels with the skills to employ both OCO and DCO in their cyber areas of operations. Once trained, these leaders must be held accountable for failures to consider appropriate cyber capabilities within the span of their control.
An infantry battalion commander who left a flank unguarded would be relieved, yet the equivalent can occur within the infantry unit’s critical warfighting information technology networks without so much as a verbal admonishment to the commander. The two situations are not treated in the same manner only because we have not been subjected to a network compromise that led directly to loss of life—that we know of. Cyber warfare is not wizardry, nor is it too complex for someone without a computer science degree to grasp at a functional level. We must not continue to allow military leaders to be willfully ignorant of the great cyber power that can be wielded either by or against us, some of which resides at the battalion and ship levels.
Effective training also must be realistic. This means the cyber warfare community must coexist with the other combat elements. It needs to get out of the cubicles inside its sensitive compartmented information facilities. Because adversaries of the United States have proven the effectiveness of their cyber fires, it has become clear that the military needs cyber liaison officers much like the naval gunfire, artillery, and aviation officers attached to Marine Corps battalions.4
These cyber-fire liaison attachments and the troops delivering the effect must have realistic training that not only requires them to demonstrate their capabilities while integrated with conventional forces, but also pushes them to better appreciate the timing and tempo of a supported commander’s concept of operations. This necessitates widespread retrofitting of urban combat training environments, which should emulate our near-peer competitors’ cyber terrain of industrial and modern cities. In addition, a cyber opposing force must be integrated into every exercise to further simulate realistic operating environments. To the greatest extent possible, the military must identify and exploit gaps in the friendly force’s systems and create outages and compromises. This will teach commands not to rely too heavily on cyber-enabled capabilities integral to each warfighting function, while aiding communication personnel to identify and improve weaknesses in their defensive postures. Realistic environments are necessary for the CNMF to be trained to execute operations in austere conditions and for commanders and their staffs to experience firsthand the capabilities and limitations of cyber to create physical effects for and against them.
Foundational Doctrine Is Needed
Cyber warfare has developed so quickly that timely publication of detailed and technical concepts of employment has been neglected. Now that we are long past the recognition of cyberspace as a warfighting domain, a common lexicon and realistic expectation of cyber support are desperately needed. These publications should come in unclassified and classified versions and detail the appropriate application of both OCO and DCO in more than hackneyed terms. When an infantryman discusses the fire support plan and location of crew-served weapons supporting his defense, his seniors and subordinates alike have a solid frame of reference for his scheme of maneuver. When assigned tactical tasks, the companies ordered to seize and clear know how to prepare for each and what success looks like. Yet regarding cyber warfare, there is little tactical guidance in doctrine from CyberCom and less from the services, resulting in confusion within joint communications and frequent opportunity for the misapplication of cyber capabilities.
Even something as basic as a standard set of operational terms and graphics for the cyberspace domain would be immensely helpful in standardizing the lexicon.5 This, combined with formal commander training, would begin to change the U.S. military culture vis-à-vis cyber warfare. Too many commanders who have yet to develop a mature understanding of warfighting in the digital age casually dismiss cyber and communications officers as being “too technical.”
Legal Authorities Must Be Clarified
Cyber legal authorities must be exhaustively defined. Cyber rules of engagement (ROE) are required to the same exacting level of detail as for conventional military operations. During relatively peaceful conditions, OCO is considered a strategic asset necessitating endorsements up an approval chain that reaches top military and political leaders. By design, this process is inflexible and heavily controlled to avoid an international political incident in the event that the cyber operation should accidentally affect more than the intended target. Such restrictions likely would be relaxed or lifted against a specific belligerent in full-scale combat operations. There are, however, unique legal complexities to employing cyber fires that the military staff judge advocate community and U.S. legal system more generally still are laboring to fully consider and clarify.
The U.S. Army Judge Advocate General acknowledges that many legal experts question the current lack of clarity in international law on cyber warfare. They believe the uncertainty is significant enough to cast doubt on whether existing laws of armed conflict are adequate for application to cyber operations.6 Now is the time to determine what the legal authorities are and to work toward amending relevant international laws so the military has latitude to employ cyber capabilities. In addition, solving ROE dilemmas at the strategic and operational levels will streamline convoluted command-and-control relationships, thus reducing uncertainty in the use of cyber forces and ultimately improving support to the warfighter.
These laws must account for targets that belligerents operate remotely and that are physically located in neutral or even “friendly” cyberspace. It needs to be legally permissible to carry out cyber attacks against designated military objectives without the consent of the owner of the cyber infrastructure where the target resides. The foundations of tactical cyber ROE must be laid now if OCO is to be as effective for the warfighter as conventional artillery or electronic warfare.
As the United States and its adversaries increasingly depend on cyber-enabled capabilities, the extent to which chaos can be imposed through cyberspace is growing dramatically.7 From turning out the lights before a raid to compromising the integrity of digital firing data sent to the gunline, cyber fires offer new opportunities for advantage while simultaneously exposing U.S. warfighting networks to anyone in the world with a laptop and an internet connection. It is only by further developing clear, detailed cyber doctrine and fully integrating all OCO and DCO capabilities into every training event that we will see those capabilities emerge more comprehensively onto the tactical scene. Once integrated and trained, U.S. forces must be provided freedom of maneuver to employ the full range of their newfound combat power against their enemies. Our competitors have done it. When will we?
1. U.S. Cyber Command, “Cyber Mission Force Achieves Full Operational Capability,” press release, 17 May 2017.
2. Executive Office of the President, “Elevation of U.S. Cyber Command to a Unified Combatant Command,” memorandum, 15 August 2017.
3. Robert M. Lee, Michael J. Assante, and Tim Conway, “Analysis of the Cyber Attack on the Ukrainian Power Grid,” Electricity Information Analysis and Sharing Center, 18 March 2018.
4. Sydney J. Freedberg Jr., “Rogers, Richardson, Neller Brainstorm Future Cyber Structure,” Breaking Defense, 24 February 2017.
5. Eric D. McKroskey and Charles A. Mock, “Operational Graphics for Cyberspace,” Joint Force Quarterly 83, no. 4 (October 2016).
6. U.S. Army Judge Advocate General, Law of Armed Conflict Deskbook, 5th ed. (Washington, DC: Government Publishing Office, 2015).
7. Jim Garamone, “U.S. Military’s Cyber Capabilities Provide Strength, Challenges,” DoD News, 22 June 2016.