USAF Cyber Command (catch all)

[selil]

- I'm not with you with respect to "mental midgets" -- many of these potential recruits may not understand Clausewitz or Mahan, but they definitely "get it" with respect to Jullan Assange and his global impact.

And there you floundered. Julian Assange and WIkileaks is primarily a information operation. I know y'all in DOD link and re-link cyber to IO with CNA, CNE, CND but that is kind of like linking ISR to ground warfare. It is a tool used in a set of tactics, BUT if cyber is truly a new domain like sea, air, land then you have to expect some cross linkages.

The CNE of Assange and Wikileaks was a CD-R labeled Lady Gaga and a few hours unfettered at a terminal for a likely narcissistic sycophant.

That makes your primary people who "get it" with respect to Assange and his global impact the cyber equivalent of skateboarders who get a good rail or cute trick using the furniture poorly. That doesn't make them engineers or warriors on that terrain. If cyber is a new domain then we should expect people and their shenanigans but that isn't what fighting in that domain should look like. Graffiti exists in sea (changing the Chicago River to green on St. Patty's day), air (sky writing), land (ever see a Cargill rail road car?). And, on the web (defacement of webpages). That doesn't make those things cyber warfare or really about war fighting.

Cyber must break things, and kill people, and we need people in DOD who do those things through cyber means. Whether hybridized mass casualty events using an unassociated tech to kill via cyber engagement or something else. The key words are degrade, disrupt, or destroy and they are requirements. Disruption of social processes is information operations regardless of tools. Causing the nations corn to not grow because you hacked the Monsanto genomics database is cyber terrorism/warfare.

Unfortunately I see a lot of people hiding behind various doctrine documents that aren't very well thought out, and by do so are ignoring real world capabilities that aren't fear mongering.

Cyber is greatly about the sideways attack.

[Brett Patron]

Brett-

The USAF already has doctrine - see AFDD 3-12 for USAF's cyber doctrine. Cyber is a domain according to the USAF doctrine, hence why I think there may end up being a "Cyber corps" - we'll have to see. The alternative is that it remains a core competency of the USAF - much as space has. We can debate the differences based on the different characteristics of the domains ad naseum, but I think for now we won't see a cyber service.

The cited JP 1-02 definition of cyberspace makes clear that any "Service-only" view is way too narrow to be useful. There is no codified Joint doctrine, so Service doctrine is a nice idea that only applies to the Service. There is a "Joint Test Pub 3-12" roaming about, but is mired in stakeholder dispute.

By the way, the term "cyberspace operations" is defined thus: cyberspace operations (DOD) The employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid.

If you are involved in cyberspace operations, you'll know that there is (still) no codified lexicon (there are several attempts but still a good deal of acrimony among the various stakeholders).

For example: The legacy terms of "Computer Network Operations" and it's attendant terms "Computer Network Attack", "-Defense" and "-Exploitation" are being replaced, redefined or mulled for revision. Terms such as "Offensive Cyberspace Operations" (OCO), "Defensive Cyberspace Operations" (DCO), and "Defense of the Global Information Grid" (DGO) are in common (if inexact) use in USCYBERCOM, USSTRATCOM, and in other Combatant Command circles.

I stand to be corrected; but absent something that's been snuck through the process in the last 72 hours, I am comfortable saying there is no doctrine.

[Cliff]

The cited JP 1-02 definition of cyberspace makes clear that any "Service-only" view is way too narrow to be useful. There is no codified Joint doctrine, so Service doctrine is a nice idea that only applies to the Service. There is a "Joint Test Pub 3-12" roaming about, but is mired in stakeholder dispute.

Where do you think joint doctrine comes from? Joint doctrine is normally a combination of the best the various services have to offer. After all, you can't get doctrine for the unified whole if the individual parts don't know what they are doing...

By the way, the term "cyberspace operations" is defined thus: cyberspace operations (DOD) The employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid.

If you are involved in cyberspace operations, you'll know that there is (still) no codified lexicon (there are several attempts but still a good deal of acrimony among the various stakeholders).

I would argue that anyone that uses a DoD computer is involved in Cyber Operations. I'm not a cyber guy by trade, though - never claimed to be.

For example: The legacy terms of "Computer Network Operations" and it's attendant terms "Computer Network Attack", "-Defense" and "-Exploitation" are being replaced, redefined or mulled for revision. Terms such as "Offensive Cyberspace Operations" (OCO), "Defensive Cyberspace Operations" (DCO), and "Defense of the Global Information Grid" (DGO) are in common (if inexact) use in USCYBERCOM, USSTRATCOM, and in other Combatant Command circles.

I stand to be corrected; but absent something that's been snuck through the process in the last 72 hours, I am comfortable saying there is no doctrine.

Brett, I said the Air Force has doctrine for cyber- I posted the link to the USAF doctrine. I get the feeling you don't like it... your words indicate that you dismiss it - "any "Service-only" view is way too narrow to be useful." Yet you then say that there is no joint doctrine. Is your preferred solution for the services to ignore this domain and wait for someone to deliver the joint doctrine?

I think that joint doctrine will follow from what the service doctrine brings in. This will likely take time and be influenced by the COCOMs that you cited. That said, I don't see any harm in the services trying to work their own doctrine in the meantime.

Finally, JP 6-0's new (10 June 2010) edition contains some pretty specific doctrine on CND and GND. Is this doctrine invalid for some reason?

I take it by your post that you're a part of the cyber world, and like I said before I'm not a cyber professional, just a dumb operator. The tone of your post initially made me feel like you're dismissing my views as a result. I'm sure that's not your intent, but that leads me back to my last post - I think one of the best things for cyber will be to integrate it with the other warfighting functions. If Cyber folks try to separate themselves from the other warfighters it will be to the detriment of our joint forces. We all work more effectively when we understand each other's capabilities and leverage our strengths to fill in our weaknesses. This doesn't happen if we use doctrine or classification to avoid integration.

The USAF Weapons School has led the way on this in other domains - space being one of the most important. I think you'll see a USAF Weapons School Cyber Division in the next few years - which will go a long way to integrating these functions in the USAF. It will be interesting to see how that plays out in the joint world.

Again, my post was not an attempt to start an argument - the thread simply asked about doctrine, and I was attempting to point out the USAF's existing doctrine. Looking forward to hearing your thoughts.

V/R,

Cliff



Definitions in joint doctrine:

CND includes actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks. JP 3-0, 17 September 2006 (Incorporating Change 1 13 February 2008), pg 3-27.

computer network defense. Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within the Department of Defense information systems and computer networks. Also called CND. (JP 6-0) JP 3-0, 17 September 2006 (Incorporating Change 1 13 February 2008), pg GL-10.

Computer Network Defense (CND). Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks. CND also employs intelligence, counterintelligence, law enforcement, and other military capabilities to defend DOD information and computer networks. CND employs IA capabilities to respond to unauthorized activity within DOD information systems and computer networks in response to a CND alert or threat information. DOD’s CND mission is global and focuses on protection and defense of DOD’s interconnected systems and networks. To protect the communications system, CND measures are employed with a defense-in-depth strategy.
JP 6-0, Joint Communications System, 10 June 2010, pg I-11-I-12.

Cyberspace is a global domain within the information environment consisting of the interdependent network of information technology (IT) infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Cyberspace threats are a real and imminent danger to GIG operations and information. Information is crucial to the success of joint and multinational operations. Information is also a critical instrument of national power, and the ability to achieve and maintain an advantage in cyberspace is crucial to national security. The GIG through cyberspace provides the valuable service of assured information transport, storage, and delivery for the owners and authorized users of the information. Networks and network operations (NETOPS) are the means by which DOD manages the flow of information over the GIG. Because all DOD components need the ability to operate unhindered in cyberspace, this presents a unique challenge. We are not the sole users or occupants of cyberspace nor is our participation isolated or without the presence of sophisticated adversaries who challenge us daily. Our joint forces, mission partners, and first responders demand communications that are not only secure, but also flexible enough to meet the ever-changing requirements demanded by joint and multinational operations.
JP 6-0, Joint Communications System, 10 June 2010, pg I-6-I-7.

Global Information Grid (GIG) Network Defense (GND) isn't in the definitions section but is discussed in JP 6-0, Pg 4-6.

[Allen Ford]

- Assange's cyberattack left many dead or targeted in its wake with blood on his hands. If that's not ".... break[ing] things, and kill[ing] people .... through cyber means" then please provide a concrete example.

[Brett Patron]

Cliff:
I'm in the process of talking to pretty much every stakeholder entity over the next few months. I am currently helping build curriculum for a Joint Cyberspace Operations Planners Course. The doctrine - and more importantly, the consensus on what doctrine should be - simply ain't there.

I am not a cyber "operator", per se (although I did serve as a Signal Officer for a good part of my career). I can say I'm pretty agnostic. It is fun to watch the constituencies maneuver to gain some degree of primacy in this burgeoning world. Whatever the final definitions are, they will carve out a rather challenging new field of endeavors.

Please don't recite the JP definitions unless you have the current context. If you read what I posted, you'd recall that those terms (currently codified in doctrine) are being challenged, rethought, and/or subsumed. The definitions were sufficient until it was decided to designate cyberspace a warfighting domain.

The problems are huge; the word "domain" as applied to cyberspace is creating all sorts of second and third order problems (from a JSCP/Unified Command Plan perspective). Important things such as authorities, lines of command and control, forces, what is "maneuver, etc are all being challeged and rethought. And this is an area where defense will be preeminent; with "offense" and "weapons" having to be rather significantly rethought as compared to traditional use. "Attack" and "response" have different meanings and different authorities.

It gets even more touchy when you discuss where IO ends and "cyberspace ops" begins. For example, how much of cyberspace ops is "content" vs merely technology? That's the stuff that is causing much venting of spleens and shoe-throwing in some quarters.

Where we agree:
Considering the Weapons Schools program is nascent - essentially just started this month - I'd hardly call that "out front". However, the programs that AFIT is running at Wright-Patterson AFB are probably the example that better makes your point.

I agree that that Cyberspace cannot be thought of monolithically. It may be that even DoD is too narrow a scope, but that's a conversation for a different day (preferably with adult beverages about).

[Allen Ford]

Brett:

Great post....w/respect to your "problems are huge" laundry list: perhaps consider network O&M stakeholders.....the equivalent of an assigned AO! Best of luck w/your doctrine curriculum!

[selil]

- Assange's cyberattack left many dead or targeted in its wake with blood on his hands. If that's not ".... break[ing] things, and kill[ing] people .... through cyber means" then please provide a concrete example.

What evidence to death or "blood on his hands" do you have? I'm not excusing his efforts just don't see the hysteria at this point.

You're also missing a critical point. If the cables had been published in the New York Times (al la Pentagon Papers) then you'd admit no cyber component. Though Wikileaks brushes up against cyber-espionage the mere use of the Internet does not/should not make it cyber war/terrorism. You could make the argument that the arrest of certain people are impacts of Wikileaks, but then how is it different from publishing them above the fold on the NYTimes?

I am fully aware that there is a logical fallacy in the previous. If you take it apart and look at terrain functional elements. If it exists in land warfare/espionage/on the front page of the New York Times, it should as an element also exist in cyber, and conversely the opposite is also likely required to be true (where the fallacy lies).

The question is... IS the effort to label Wikileaks as cyber warfare based on the effect or the tactics used? Would you label a really big explosion armor warfare, because it blew up like a tank would blow something up, even if none was involved?

Solar Sunrise is a really good idea of cyber-espionage rising to cyber-warfare as it directly impacted the plans for a possible war. Yet it was a couple of teenagers and a foreign national. The effect on national interests was much more dramatic than even Wikileaks yet nobody was calling it cyber warfare, and most unclass reports I've seen put it at the annoyance level.

You've identified a specific issue. If killing people and breaking things is the requirement (Parks, Duggan, and a bunch of others set that requirement not me) then cyber has some ways to go. There aren't very many examples we can talk about then.

[Allen Ford]

Can't compete until I learn more about "Solar Sunrise" -- good stuff, thanks.

[Brett Patron]

Can't compete until I learn more about "Solar Sunrise" -- good stuff, thanks.

That's the trap Allen. Don't get hung up on the super tech stuff. There are geeks for that.

The problem we have is the lack of real thinking about what is really new and what is merely additional capabilities.

[Brett Patron]

This may be a good time to introduce the hydration/drinking game I've come up with as i've delved into this burgeoning Cyberspace thing...

As you read an article, book, or post on the topic and come across any word with the prefix or modified "cyber", take a drink (water, adult beverage, etc). It is guaranteed to keep you well hydrated (or get your blood-alcohol count up) in a jiffy. <The word "Cyberspace" itself is exempt.>

Right now, my favorite "cyber" appellation is "Cyber hygiene".

[selil]

Can't compete until I learn more about "Solar Sunrise" -- good stuff, thanks.

Nothing to compete on. Here is a video done by the FBI on Solar Sunrise (YouTube 18 minutes).

[selil]

That's the trap Allen. Don't get hung up on the super tech stuff. There are geeks for that.

The problem we have is the lack of real thinking about what is really new and what is merely additional capabilities.

From my discussions with COCOMS they want to know what threats exist, what the nature of those threats are (who, what, where, why), and what they need to mitigate those threats. Then if they have time they'd like to know what their real capabilities are going to be in response, in advantage, and how those integrate into situational awareness and tactical planning.

Now I'm not military or a DOD civilian. I'm a prof at a research institution so my perspective requires some translation. What I have done is work in industry at a global scale on what the military calls the GIG. I have seen different communities focus on specific aspects of the cyber arena because the whole picture is rather daunting. It leads to exploitation from side channels that they excluded, and often leads to surprises.

The information layer where cognitive and communicative processes are found is layered on to a logical layer, that then is layered on a physical layer, that then is dependent on a systems of systems layer (infrastructure support layer). Command and control activities, hacktivism, information operations, and much of what you find currently in doctrinal statements are all in that information layer of cyber space. No different than land and cohesively conjoined with land, air, sea and space activities.

The logical layer is where denial of service attacks and much of the "hacking" of systems for exploitation and espionage at the information layer occurs. It is a highly resilient networked structure that is inclusive of end point devices and conduits that effectively heal themselves as interruptions occur. Underlying that though is the physical layer which is extremely vulnerable. There are only so many landing points for undersea cables. That layer is then very dependent on the electrical grid, which is also dependent on the information layers way high above it. A toppling hierarchy of system of systems is the result.

So, if you're a COCOM talking to your spooky NSA or CIA guy about why they just don't hack the bad guy. It might be very hard to understand self degrading network access due to self imposed denial of service. Or, impacting intelligence gathering at the information layer through kinetic denial of service.

Then you have to explain the difference between an information operation, versus a CNA, CNE, CND effort and why none of these things work 100 percent of the time. What military maneuver, weapon system, or tactic works 100 percent of the time? Why do military leaders expect cyber to suddenly be perfect in a world of imperfection? The COCOMS seem to want to understand more of what is possible. The spooky guys aren't going to give up their tools easily, but they also don't want to express how hard CNE is when the N is an airgap.

Then there are internal military arguments over signals versus cyber versus electronic warfare versus information operations versus... well what ever stake holder is crying for money. In my world I can ignore all of those political frictions and focus on operational strategies and tactical capabilities. Which is exactly why so many attacks work against military targets and other hard targets that shouldn't work.

Lots of work for those who want it.

[rmills]

Hey gang... although this is my first post here (excluding my hail and farewell), I've been thinking, teaching, reading, and writing about many of these topics for the last 4-5 years now.

In that time, I've watched people argue (sometimes fanatically) about definitions (what is cyberspace, who is a cyber operator, etc.), organizational structures (who's in charge, or who should be), whether cyberspace is truly a domain (in the same sense as air, land, sea and space), and do we need a new military service specifically dedicated to cyberspace.

These discussions almost inevitably boil down to resources -- people, orgs and money. You can define cyberspace however you like, but as soon as your definition appears threatening to someone else, the antibodies all come out and start fighting.

Many Air Force leaders like to talk about how we are in the 1920s at the dawn of air power. Back then, air power advocates were developing theories about how wars might be fought in the air environment -- some of these theories panned out, while others didn't work out so well. But it wasn't until after WWII that the Air Force was recognized as a separate service. Unfortunately far too many "cyberspace debates" tend to revolve around who's in charge rather than "so how do we fight in this domain?"

One area in which we are woefully lacking is theory on how to wield power in cyberspace. As Brett said earlier, we really don't have much in the way of doctrine. Others have pushed back when I say this quoting me JP 3-13, Information Operations. But the focus of IO is on decision making and not about control of a domain. Gen Alexander had a good article on this several years ago in Joint Force Quarterly. The AF produced AFDD 3-12 specifically looking at cyberspace as a domain -- it is not a perfect document by any means, but it's a start. I am very curious to see what the other services come up with.

As Sam Liles wrote in one of his posts -- cyber is different, but conflict is similar. I could not agree more. How do principles of warfare apply in cyberspace? What about operational art -- maneuver, fires, key terrain, decisive points, interior/exterior lines, etc. -- do these concepts apply to cyberspace? Why or why not? What doctrinal nuggets and principles can we draw from the other domains as we figure out what a theory of cyber power might look like? I believe the Air Force is to some extent trying to make cyberspace fit into its air and space paradigm -- which is quite evident in AFDD 3-12. But perhaps there are similarities with the land and maritime domains that can be used to develop our understanding of cyberspace. Cyberspace is inherently a joint (and interagency) problem.

While I see cyberspace as a distinct domain, I also think you can't divorce it entirely from the other domains. We created cyberspace to enable business processes and improve our effectiveness in other domains. We did not build networks to employ IT people or to give us a new place in which to fight -- we built them to facilitate information processing. For this reason, I don't really see a new military service branch because all of the services care about cyberspace. It is both a warfighting and a utility domain, so ownership (however that is defined) will be shared to some extent.

One last point before I hit post and wait for the flaming arrows (as an academic, I've had to develop thick skin )... One of my former students and I were trying to get a paper published on some approaches to operational targeting. The paper was rejected because a subject matter expert told the editor that our paper didn't describe "how they really do things." I thought that was quite interesting for a couple of reasons: (1) there was nothing in the open literature about "how they do things", (2) "how they do things" is apparently good enough, and there's no need to discuss further. Contrast this with the VOLUMES of articles talking about nuclear deterrence, strategic bombing, air campaign planning, land warfare, etc. We ultimately published the paper in a different venue and received good feedback. So even the experts disagree, which is why we need more academic research, publishing and discourse in these areas.

cheers
Bob

[Allen Ford]

Nothing to compete on. Here is a video done by the FBI on Solar Sunrise (YouTube 18 minutes).

Thanks...I'll download and reengage.

[Allen Ford]

RMILLS:

I agree with you in that making a bold move comes

..down to resources -- people, orgs and money. You can define cyberspace however you like, but as soon as your definition appears threatening to someone else, the antibodies all come out and start fighting.

This is precisely why I think a successful attack on our "Commercial" versus USG Critical Infrastructure would incite our nation's demand for either a military or USG service dedicated to this domain. WWII begot the Air Force, Eagle Claw begot SOCOM, 9/11 begot the DHS etc.

[Ken White]

WWII begot the Air Force, Eagle Claw begot SOCOM, 9/11 begot the DHS etc.

How have all those worked out for us...

Forgive the snark, too good to pass up. Snark aside, your assertion is almost certainly correct. CyCom has a nice ring to it.

[Brett Patron]

How have all those worked out for us...

Forgive the snark, too good to pass up. Snark aside, your assertion is almost certainly correct. CyCom has a nice ring to it.

Funny. Unhelpful, but funny.

One the one hand we have one camp that takes itself too seriously, failing to remember past efforts and trying to recreate the wheel.

We have a second camp that is too smart by half, and everything is a joke. No constructive inputs - just waiting to defecate on any idea because that's what they do.

The problem, as I see it unfolding, is the word "domain" as applied by the military lexicon. That word begets far more things than either the zealots appreciate or the nay-sayers consider. Until there is useful doctrine, and an agreed-to lexicon, all these "cyber" discussions are so much unreclaimed hot air (and it's typing equivalent).

So many entities want to "do something" - yet they can't even define what it is they want to accomplish; just that they want the $$ and the control.

[Brett Patron]

This is precisely why I think a successful attack on our "Commercial" versus USG Critical Infrastructure would incite our nation's demand for either a military or USG service dedicated to this domain. WWII begot the Air Force, Eagle Claw begot SOCOM, 9/11 begot the DHS etc.

(Emphasis added)

To properly address this, I would offer that it would have to be a Cabinet level position on par with State, DOD, etc. "Cyberspace" either transcends all the other domains (since it requires aspects of the other domains to exist), or it is actually merely a series of (very important, although different) tasks (i.e "cyberspace operations") which are executed simultaneously within each of the other domains. (For want of a term, a 4th Dimension, vice a 5th or 6th Generation, of "warfare" (sic).

BJP

[anonamatic]

The question is... IS the effort to label Wikileaks as cyber warfare based on the effect or the tactics used? Would you label a really big explosion armor warfare, because it blew up like a tank would blow something up, even if none was involved?
...

You've identified a specific issue. If killing people and breaking things is the requirement (Parks, Duggan, and a bunch of others set that requirement not me) then cyber has some ways to go. There aren't very many examples we can talk about then.

I consider it to be IO that borders on warfare. Assange's stated goals have been effects that are easily associated with warfare.

I take breaking things as a means to accomplish other goals. It's frequently a more effective method than just removing information to change things. Quite often, I'd say normally even, people do not think about the possibility of damage and ruin on hardware. Stuxnet has changed some of that `in the box' thinking, but less so than I expected too. It's a hard framework of thinking about technology to break though because frequently it's damned hard to get technology to do what you want, much less what's normally not wanted.

[anonamatic]

...

One last point before I hit post and wait for the flaming arrows (as an academic, I've had to develop thick skin )... One of my former students and I were trying to get a paper published on some approaches to operational targeting. The paper was rejected because a subject matter expert told the editor that our paper didn't describe "how they really do things." I thought that was quite interesting for a couple of reasons: (1) there was nothing in the open literature about "how they do things", (2) "how they do things" is apparently good enough, and there's no need to discuss further. Contrast this with the VOLUMES of articles talking about nuclear deterrence, strategic bombing, air campaign planning, land warfare, etc. We ultimately published the paper in a different venue and received good feedback. So even the experts disagree, which is why we need more academic research, publishing and discourse in these areas.

cheers
Bob

Bob, one thing I can recommend is not to pay any attention to the "how they do things" people more than whatever content they offer. Way too often the reality is that they're speaking of how they think they might do things, not in fact how they actually do things. That because they never actually do any of it.

If they are really so good as they want to claim, why is it that it took my friends and I to literally invent hacktivism by way of one example. I will readily grant that I wish Assange wasn't a complete ass hat, but years of arguing about ethical extremism has been like arguing with a stone wall too. This is way more of a self-fulfilling prophecy than anyone seems to understand. The idea of 'what would you do if?' with respect to the more decent nations of the world is not a new question for the guy. Nor are the resulting arguments anything new to him either. Irrespective of the mess he's made, there's huge heaps of online activism going on that's missed by people distracted by other events. Most nations have been very, very slow to develop ways to facilitate useful hacktivism, as well as deal with hostile activity. It's clearly an area that the US for instance is still lurching around with, that over a decade after the first serious promotions of hacktivism were done.

Non-IO activities are in some respects in an equally sad state, and that's part of the reason why there's more focus on it now than ever before. So much of that "how they do things" BS has been flying around unchallenged for so long it's landed us in a very obviously woeful state. So when people come off with that completely self serving drivel, it's useful to note that they're the ones responsible for the very mess we're now trying to be more realistic about. Here's a clue though, no one gives a damn about the "how they do things" when they're your opponent. They care about what they can do, not what you're vaguely claiming you could do, but never will. These are NOT nuclear arms, and if you run around treating them as if they're some icon in a high temple that should never be removed from the altar, I'm going to laugh at your constant lack of results. The result of that sort of thinking & (in)action is that well now the US & other countries are stuck with a huge developmental deficit. The results of that kind of attitude do way more harm than good, and that at this point is a proven fact.