Offensive Cyber for the Join Force Commander: It's Not That Different
Carter, Rosemary M., Feick, Brent, Undersander, Roy C., Joint Force Quarterly
The instruments of battle are valuable only if one knows how to use them.
--Charles Ardant du Picq (1)
In 2008, as part of the campaign against the Republic of Georgia, Russia con-ducted a series of widely publicized cyber attacks. The attacks were not against purely military target sets. For 19 days, cyber warriors conducted distributed denial-of-service attacks against Georgia's Internet infrastructure and defaced public and private Web sites. (2) The initial impact was a virtual cyber-blockade against the government of Georgia that reduced the country's ability to lead internally and stifled its ability to gain international sympathy. A second-order effect was that the National Bank of Georgia shut down its Internet connections for 10 days, stopping all electronic financial transactions. The strike is one of the first publicized employments of offensive cyber as an integrated part of a military operation and demonstrates the powerful impact of these types of attacks on private sector business. (3)
The cyber domain consists of four operating areas: providing capability, protecting that capacity, exploiting within the domain, and conducting offensive operations that are also referred to as computer network attack. The areas of "provide" and "protect" are the most mature because our day-to-day information technology operations require a secure and functioning cyber domain. This article focuses instead on offensive cyber capability, which is the newest segment of the domain but is rapidly maturing. Unlike airpower, where development was limited to nations with significant industrial and financial resources, the cyber warfare arena is inexpensive and characterized by state and nonstate actors limited only by creativity and the Internet. Therefore, to maintain strategic capability for cyber superiority, (4) the cyber domain must be rapidly synchronized with the other warfighting domains. A full understanding of the features, capabilities, limitations, and impacts of the cyber domain may be years away, but actionable knowledge of this domain at the operational level will not be achieved as long as cyber operations remain segregated from the other warfare mission areas.
The assertion that cyber operations are different is the most common argument for segregating cyber from the other domains. Cyber is different just as the solid terrain of the land domain differs from the physical structures of air and space domains. Speed of action is also different in cyber. Events occur and situations develop faster than the human mind can observe, orient, decide, and act. (5) But this is not the first time in the history of warfare that the speed of conflict has changed. The introduction of fighter aircraft and space capabilities changed the military decision calculus, yet these capabilities were not in themselves sufficient justification to segregate the domain. In fact, initial efforts to isolate space from the other domains were overcome as our understanding of the domain matured. The purpose of this article is to analyze the challenges of cyber policy, targeting, and the planning process to argue that offensive cyber is not so different from other capabilities, and that it must be fully integrated at the joint force command level to ensure unity of effort and maximize effectiveness.
The Need for Rules
U.S. policy, authorities, and doctrine for military operations in the cyber domain are not mature. The International Strategy for Cyberspace (6) (May 2011) and the Department of Defense (DOD) Strategy for Operating in Cyberspace (7) (July 2011) are a start, but both documents focus almost entirely on cyber defense. While this is an important aspect, it leaves the Armed Forces in a state of flux with regard to integrating offensive capability. As is to be expected, conduct of cyber attacks is a sensitive issue. International organizations such as North Atlantic Treaty Organization (NATO) Watch advocate for a ban on offensive cyber operations altogether because the domain is so pervasive that offensive operations could quickly escalate beyond the intended virtual boundaries with devastating global impact. …