Lorem, ipsum
Ajaybaby40
mod4USMilJointPubCyberopsCh4_v2.pdf
D E
P A
O
TM EN
T F THE
A R
M Y
•
•
E
U N
I T
E D
S T AT S O A
F A
M E
R I
C
R
TH IS W E' LL D E F E N D
Joint Publication 3-12
Cyberspace Operations
8 June 2018
i
PREFACE 1. Scope
This publication provides joint doctrine to plan, execute, and assess cyberspace operations.
2. Purpose
This publication has been prepared under the direction of the Chairman of the Joint Chiefs of Staff (CJCS). It sets forth joint doctrine to govern the activities and performance of the Armed Forces of the United States in joint operations, and it provides considerations for military interaction with governmental and nongovernmental agencies, multinational forces, and other interorganizational partners. It provides military guidance for the exercise of authority by combatant commanders and other joint force commanders (JFCs), and prescribes joint doctrine for operations and training. It provides military guidance for use by the Armed Forces in preparing and executing their plans and orders. It is not the intent of this publication to restrict the authority of the JFC from organizing the force and executing the mission in a manner the JFC deems most appropriate to ensure unity of effort in the accomplishment of objectives.
3. Application
a. Joint doctrine established in this publication applies to the Joint Staff, commanders of combatant commands, subordinate unified commands, joint task forces, subordinate components of these commands, the Services, and combat support agencies.
b. The guidance in this publication is authoritative; as such, this doctrine will be followed except when, in the judgment of the commander, exceptional circumstances dictate otherwise. If conflicts arise between the contents of this publication and the contents of Service publications, this publication will take precedence unless the CJCS, normally in coordination with the other members of the Joint Chiefs of Staff, has provided more current and specific guidance. Commanders of forces operating as part of a multinational (alliance or coalition) military command should follow multinational doctrine and procedures ratified by the United States. For doctrine and procedures not ratified by the US, commanders should evaluate and follow the multinational command’s doctrine and procedures, where applicable and consistent with US law, regulations, and doctrine.
For the Chairman of the Joint Chiefs of Staff:
KEVIN D. SCOTT Vice Admiral, USN Director, Joint Force Development
Preface
ii JP 3-12
Intentionally Blank
iii
SUMMARY OF CHANGES REVISION OF JOINT PUBLICATION 3-12
DATED 05 FEBRUARY 2013 • Changes the format from a classified publication to an unclassified publication
with a classified appendix.
• Reflects United States Cyber Command as a functional combatant command.
• Incorporates discussion of the Cyber Mission Force.
• Expands the discussion of command and control of cyberspace operations (CO).
• Includes discussion of information as a joint function.
• Enhances the discussion of CO planning considerations.
Summary of Changes
iv JP 3-12
Intentionally Blank
v
TABLE OF CONTENTS
EXECUTIVE SUMMARY .............................................................................................. vii
CHAPTER I OVERVIEW OF CYBERSPACE AND CYBERSPACE OPERATIONS
Introduction ................................................................................................................. I-1 The Nature of Cyberspace .......................................................................................... I-2 Integrating Cyberspace Operations with Other Operations ........................................ I-8 Cyberspace Operations Forces .................................................................................... I-8 Challenges to the Joint Force’s Use of Cyberspace .................................................. I-11
CHAPTER II CYBERSPACE OPERATIONS CORE ACTIVITIES
Introduction ................................................................................................................II-1 Military Operations In and Through Cyberspace .....................................................II-2 National Intelligence Operations In and Through Cyberspace ..................................II-9 Department of Defense Ordinary Business Operations
In and Through Cyberspace .......................................................................................II-9 The Joint Functions and Cyberspace Operations .......................................................II-9
CHAPTER III AUTHORITIES, ROLES, AND RESPONSIBILITIES
Introduction .............................................................................................................. III-1 Authorities................................................................................................................ III-2 Roles and Responsibilities ....................................................................................... III-2 Legal Considerations ............................................................................................. III-11
CHAPTER IV PLANNING, COORDINATION, EXECUTION, AND ASSESSMENT
Joint Planning Process and Cyberspace Operations ................................................ IV-1 Cyberspace Operations Planning Considerations .................................................... IV-1 Intelligence and Operational Analytic Support to Cyberspace
Operations Planning ................................................................................................. IV-6 Targeting .................................................................................................................. IV-8 Command and Control of Cyberspace Forces ....................................................... IV-11 Synchronization of Cyberspace Operations ........................................................... IV-18 Assessment of Cyberspace Operations .................................................................. IV-21 Interorganizational Considerations ........................................................................ IV-23 Multinational Considerations ................................................................................. IV-24
vii
EXECUTIVE SUMMARY COMMANDER’S OVERVIEW
• Discusses the Nature of Cyberspace
• Describes how to integrate Cyberspace Operations with Other Operations
• Discusses Cyberspace Operations Forces
• Outlines Challenges to the Joint Force’s Use of Cyberspace
• Describes Cyberspace Operations Core Activities
• Outlines Authorities, Roles, and Responsibilities related to Cyberspace Operations
• Discusses Planning, Coordination, Execution, and Assessment of Cyberspace Operations
Overview of Cyberspace and Cyberspace Operations
Cyberspace operations (CO) is the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.
This publication focuses on military operations in and through cyberspace; explains the relationships and responsibilities of the Joint Staff (JS), combatant commands (CCMDs), United States Cyber Command (USCYBERCOM), the Service cyberspace component (SCC) commands, and combat support agencies; and establishes a framework for the employment of cyberspace forces and capabilities.
The Nature of Cyberspace Relationship with the Physical Domains. Cyberspace, while part of the information environment, is dependent on the physical domains of air, land, maritime, and space.
CO use links and nodes located in the physical domains and perform logical functions to create effects first in cyberspace and then, as needed, in the physical domains. Actions in cyberspace, through carefully controlled cascading effects, can
Executive Summary
viii JP 3-12
enable freedom of action for activities in the physical domains.
Cyberspace Layer Model. To assist in the planning and execution of CO, cyberspace can be described in terms of three interrelated layers: physical network, logical network, and cyber- persona.
Department of Defense (DOD) Cyberspace. The Department of Defense information network (DODIN) is the set of information capabilities and associated processes for collecting, processing, storing, disseminating, and managing information on-demand to warfighters, policy makers, and support personnel, whether interconnected or stand-alone, including owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems.
Connectivity and Access. Gaining access to operationally useful areas of cyberspace, including targets within them, is affected by legal, policy, or operational limitations. For all of these reasons, access is not guaranteed. Additionally, achieving a commander’s objectives can be significantly complicated by specific elements of cyberspace being used by enemies, adversaries, allies, neutral parties, and other United States Government (USG) departments and agencies, all at the same time.
The operational environment (OE) is a composite of the conditions, circumstances, and influences that affect the employment of capabilities and impact the decisions of the commander assigned responsibility for it. The information environment permeates the physical domains and therefore exists in any OE.
The information environment is the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information.
Executive Summary
ix
Given that cyberspace is wholly contained within the information environment and the chief purpose of information operations (IO) is to create effects in the information environment, there is significant interdependency between IO and CO.
Integrating Cyberspace Operations with Other Operations
During joint planning, cyberspace capabilities are integrated into the joint force commander’s (JFC’s) plans and synchronized with other operations across the range of military operations. While not the norm, some military objectives can be achieved by CO alone. Commanders conduct CO to obtain or retain freedom of maneuver in cyberspace, accomplish JFC objectives, deny freedom of action to the threat, and enable other operational activities.
Cyberspace Operations Forces Commander, United States Cyber Command (CDRUSCYBERCOM), commands a preponderance of the cyberspace forces that are not retained by the Services. USCYBERCOM accomplishes its missions within three primary lines of operation: secure, operate, and defend the DODIN; defend the nation from attack in cyberspace; and provide cyberspace support as required to combatant commanders (CCDRs).
The Services man, train, and equip cyberspace units and provide them to USCYBERCOM through the SCCs.
Challenges to the Joint Force’s Use of Cyberspace
Threats. Cyberspace presents the JFC’s operations with many threats, from nation-states to individual actors to accidents and natural hazards.
Anonymity and Difficulties with Attribution. To initiate an appropriate defensive response, attribution of threats in cyberspace is crucial for any actions external to the defended cyberspace beyond authorized self-defense.
Geography Challenges. In cyberspace, there is no stateless maneuver space. Therefore, when US military forces maneuver in foreign cyberspace, mission and policy requirements may require they
Executive Summary
x JP 3-12
maneuver clandestinely without the knowledge of the state where the infrastructure is located.
Technology Challenges. Using a cyberspace capability that relies on exploitation of technical vulnerabilities in the target may reveal its functionality and compromise the capability’s effectiveness for future missions.
Private Industry and Public Infrastructure. Many of DOD’s critical functions and operations rely on contracted commercial assets, including Internet service providers (ISPs) and global supply chains, over which DOD and its forces have no direct authority.
Globalization. The combination of DOD’s global operations with its reliance on cyberspace and associated technologies means DOD often procures mission-essential information technology products and services from foreign vendors.
Mitigations. DOD partners with the defense industrial base (DIB) to increase the security of information about DOD programs residing on or transiting DIB unclassified networks.
Cyberspace Operations Core Activities
CO comprise the military, national, and ordinary business operations of DOD in and through cyberspace. Although commanders need awareness of the potential impact of the other types of DOD CO on their operations, the military component of CO is the only one guided by joint doctrine and is the focus of this publication. CCDRs and Services use CO to create effects in and through cyberspace in support of military objectives. Military operations in cyberspace are organized into missions executed through a combination of specific actions.
Military Operations In and Through Cyberspace
Cyberspace Missions. All actions in cyberspace that are not cyberspace-enabled activities are taken as part of one of three cyberspace missions: offensive cyberspace operations (OCO), defensive cyberspace operations (DCO), or DODIN
Executive Summary
xi
operations. These three mission types comprehensively cover the activities of the cyberspace forces. The successful execution of CO requires integration and synchronization of these missions.
DODIN Operations. The DODIN operations mission includes operational actions taken to secure, configure, operate, extend, maintain, and sustain DOD cyberspace and to create and preserve the confidentiality, availability, and integrity of the DODIN.
DCO. DCO missions are executed to defend the DODIN, or other cyberspace DOD cyberspace forces have been ordered to defend, from active threats in cyberspace.
OCO. OCO are CO missions intended to project power in and through foreign cyberspace through actions taken in support of CCDR or national objectives.
National Intelligence Operations In and Through Cyberspace
National-level intelligence organizations conduct intelligence activities in, through, and about cyberspace in response to national intelligence priorities. This intelligence can support a military commander’s planning and preparation.
Department of Defense Ordinary Business Operations In and Through Cyberspace
Ordinary business operations in and through cyberspace are “cyberspace-enabled activities” that comprise those non-intelligence and non- warfighting capabilities, functions, and actions used to support and sustain DOD forces and components.
The Joint Functions and Cyberspace Operations
Command and Control (C2). Cyberspace provides communications pathways, planning and decision-support aids, and cyberspace-related intelligence to enable timely decision making and execution of those decisions. This provides the commander the advantage of controlling the timing and tempo of operations.
Intelligence. Understanding the OE is fundamental to all joint operations, including CO. Intelligence may be derived from information
Executive Summary
xii JP 3-12
gained during military operations in cyberspace or from other sources.
Fires. Cyberspace attack capabilities create fires in and through cyberspace and are often employed with little or no associated physical destruction. However, modification or destruction of computers that control physical processes can lead to cascading effects (including collateral effects) in the physical domains.
Movement and Maneuver. Cyberspace operations enable force projection without the need to establish a physical presence in foreign territory. Maneuver in the DODIN or other blue cyberspace includes positioning of forces, sensors, and defenses to best secure areas of cyberspace or engage in defensive actions as required. Maneuver in gray and red cyberspace is a cyberspace exploitation action and includes such activities as gaining access to adversary, enemy, or intermediary links and nodes and shaping this cyberspace to support future actions.
Sustainment. From the perspective of cyberspace-enabled activities in support of global logistics, DOD relies on protected DODIN and commercial network segments to coordinate sustainment of forces.
Protection. Protection of the DODIN and other critical US cyberspace includes the continuous and synchronized integration of cyberspace security and, when required, cyberspace defense actions.
Information. The information function encompasses the management and application of information and its deliberate integration with other joint functions to influence perceptions, behavior, action or inaction, and human and automated decision making.
Authorities, Roles, and Responsibilities
Under the authorities of the Secretary of Defense (SecDef), DOD uses cyberspace capabilities to shape cyberspace and provide integrated offensive
Executive Summary
xiii
and defensive options for the defense of the nation. USCYBERCOM coordinates with CCMDs, the JS, and the Office of the Secretary of Defense; liaises with other USG departments and agencies; and, in conjunction with the Department of Homeland Security, DOD’s Department of Defense Cyber Crime Center, and the Defense Security Service, liaises with members of the DIB. Similarly, as directed, DOD deploys necessary resources to support efforts of other USG departments and agencies, and allies.
Authorities Authority for CO actions undertaken by the US Armed Forces is derived from the US Constitution and federal law. Key laws that apply to DOD include Title 10, United States Code (USC), Armed Forces; Title 50, USC, War and National Defense; and Title 32, USC, National Guard.
Authorities for specific types of military CO are established within SecDef policies, including DOD instructions, directives, and memoranda, as well as in execute orders and operation orders authorized by the President or SecDef and subordinate orders issued by commanders approved to execute the subject missions.
Roles and Responsibilities SecDef. Directs the military, intelligence, and ordinary business operations of DOD in cyberspace.
Chairman of the Joint Chiefs of Staff (CJCS). As the global integrator advises the President and SecDef on operational policies, responsibilities, and programs.
Service Chiefs. Provide appropriate administration of and support to cyberspace forces, including Service-retained forces and forces assigned or attached to CCMDs.
Chief, National Guard Bureau (NGB). Advises CDRUSCYBERCOM on NGB matters pertaining to CCMD CO missions, and supports planning and coordination for such activities as requested by the CJCS or the CCDRs.
Executive Summary
xiv JP 3-12
CDRUSCYBERCOM. As the coordinating authority for CO, plans, coordinates, integrates, synchronizes, and conducts activities to:
Direct the security, operations, and defense of the DODIN.
Prepare to, and when directed, conduct military CO external to the DODIN, including in gray and red cyberspace, in support of national objectives.
Other CCDRs. Secure, operate, and defend tactical and constructed DODIN segments within their commands and areas of responsibility.
Director, Defense Information Systems Agency (DISA). Complies with the commander of Joint Force Headquarters-Department of Defense Information Network’s direction to execute DODIN operations and defensive cyberspace operations-internal defensive measures (DCO- IDM) missions at the global and enterprise level, within DISA-operated portions of the DODIN.
Director, National Security Agency/Chief, Central Security Service. Provides signals intelligence support and cybersecurity guidance and assistance to DOD components and national customers.
Director, Defense Intelligence Agency. Provides timely, objective, and cogent military intelligence to warfighters, defense planners, and defense and national security policy makers.
Legal Considerations DOD conducts CO consistent with US domestic law, applicable international law, and relevant USG and DOD policies. The laws that regulate military actions in US territory also apply to cyberspace. Therefore, DOD cyberspace forces that operate outside the DODIN, when properly authorized, are generally limited to operating in gray and red cyberspace only, unless they are issued different rules of engagement or conducting defense support of civil authorities (DSCA) under appropriate authority. Since each CO mission has
Executive Summary
xv
unique legal considerations, the applicable legal framework depends on the nature of the activities to be conducted, such as OCO or DCO, DSCA, ISP actions, law enforcement and counterintelligence activities, intelligence activities, and defense of the homeland.
Planning, Coordination, Execution, and Assessment
Joint Planning Process and Cyberspace Operations
Commanders plans should address how to effectively integrate cyberspace capabilities, counter adversaries’ use of cyberspace, identify and secure mission-critical cyberspace, access key terrain in cyberspace, operate in a degraded environment, efficiently use limited cyberspace assets, and pair operational requirements with cyberspace capabilities.
Cyberspace Operations Planning Considerations
While many elements of cyberspace can be mapped geographically, a full understanding of an adversary’s disposition and capabilities in cyberspace involves understanding the target, not only at the underlying physical network layer but also at the logical network layer and cyber-persona layer, including profiles of system users and administrators and their relationship to adversary critical factors.
Characteristics of Cyberspace Capabilities. While cyberspace is complex and ever changing, cyberspace capabilities, whether devices or computer programs, must reliably create the intended effects. However, cyberspace capabilities are developed based on environmental assumptions and expectations about the operating conditions that will be found in the OE.
Cascading, Compounding, and Collateral Effects. Overlaps among military, other government, corporate, and private activities on shared networks in cyberspace make the evaluation of probable cascading, compounding, and collateral effects particularly important when targeting for CO.
DODIN operations underpin nearly every aspect of military operations, and this reliance on cyberspace
Executive Summary
xvi JP 3-12
is well understood by our adversaries. However, a commander’s reliance on specific segments of the DODIN is often not considered during plans development, but planning for DODIN resiliency is essential. JFC planning staffs should incorporate DCO-IDM branches and sequels for any operations that pose an increased threat to the DODIN.
Intelligence and Operational Analytic Support to Cyberspace Operations Planning
Intelligence requirements (IRs). During mission analysis, the joint force staff identifies significant information gaps about the adversary and other relevant aspects of the OE. After gap analysis, the staff formulates IRs, which are general or specific subjects upon which there is a need for the collection of information or the production of intelligence.
Targeting Three fundamental aspects of CO require consideration in the targeting processes: recognizing cyberspace capabilities are a viable option for engaging some designated targets; understanding a CO option may be preferable in some cases, because it may offer low probability of detection and/or no associated physical damage; and higher-order effects on targets in cyberspace may impact elements of the DODIN, including retaliation for attacks attributed to the joint force.
Command and Control of Cyberspace Forces
The complex nature of CO, where cyberspace forces can be simultaneously providing actions at the global level and at the theater or joint operations area level, requires adaptations to traditional C2 structures. Joint forces principally employ centralized planning with decentralized execution of operations. CO require constant and detailed coordination between theater and global operations, creating a dynamic C2 framework that can adapt to the constant changes, emerging threats, and unknowns. Certain CO functions, including protection of the DODIN’s global networks and pursuit of global cyberspace threats, lend themselves to centralized planning and execution to meet multiple, near-instantaneous requirements for response. Centrally controlled CO should be integrated and synchronized with the CCDR’s regional or local CO, conducted by forces assigned or attached to the CCDR, or in support of the CCDR.
Executive Summary
xvii
Synchronization of Cyberspace Operations
The pace of CO requires significant pre-operational collaboration and constant vigilance after initiation, for effective coordination and deconfliction throughout the OE. Keys to this synchronization are maintaining cyberspace situational awareness and assessing the potential impacts to the joint force of any planned CO, including the protection posture of the DODIN, changes from normal network configuration, or observed indications of malicious activity.
Assessment of Cyberspace Operations
The assessment process for external CO missions begins during planning and includes measures of performance and measures of effectiveness of fires and other effects in cyberspace, as well as their contribution to the larger operation or objective. Historically, combat assessment has emphasized the battle damage assessment (BDA) component of measuring physical and functional damage, but this approach does not always represent the most complete effect, particularly with respect to CO. CO effects are often created outside the scope of battle and often do not create physical damage. Assessing the impact of CO effects requires typical BDA analysis and assessment of physical, functional, and target system components.
CONCLUSION
This publication provides joint doctrine to plan, execute, and assess cyberspace operations.
Executive Summary
xviii JP 3-12
Intentionally Blank
GL-1
GLOSSARY PART I—ABBREVIATIONS, ACRONYMS, AND INITIALISMS
AOR area of responsibility BDA battle damage assessment C2 command and control CCDR combatant commander CCMD combatant command CCMF Cyber Combat Mission Force CDRUSCYBERCOM Commander, United States Cyber Command CDRUSSTRATCOM Commander, United States Strategic Command CI counterintelligence CI/KR critical infrastructure and key resources CIO chief information officer CJCS Chairman of the Joint Chiefs of Staff CJCSI Chairman of the Joint Chiefs of Staff instruction CJCSM Chairman of the Joint Chiefs of Staff manual CMF Cyber Mission Force CMT combat mission team CNMF Cyber National Mission Force CNMF-HQ Cyber National Mission Force Headquarters CO cyberspace operations COCOM combatant command (command authority) CO-IPE cyberspace operations-integrated planning element CONOPS concept of operations CONPLAN concept plan COP common operational picture CPF Cyber Protection Force CPT cyberspace protection team CSA combat support agency CSSP cybersecurity service provider CST combat support team DACO directive authority for cyberspace operations DC3 Department of Defense Cyber Crime Center DCI defense critical infrastructure DCO defensive cyberspace operations DCO-IDM defensive cyberspace operations-internal defensive measures DCO-RA defensive cyberspace operations-response actions DHS Department of Homeland Security DIA Defense Intelligence Agency DIB defense industrial base DISA Defense Information Systems Agency
Glossary
GL-2 JP 3-12
DOD Department of Defense DODD Department of Defense directive DODI Department of Defense instruction DODIN Department of Defense information network DOJ Department of Justice DSCA defense support of civil authorities EA electronic attack EMS electromagnetic spectrum EW electronic warfare EXORD execute order FBI Federal Bureau of Investigation (DOJ) GCC geographic combatant commander GFMIG Global Force Management Implementation Guidance HQ headquarters IAW in accordance with IC intelligence community IGL intelligence gain/loss IJSTO integrated joint special technical operations IP Internet protocol IR intelligence requirement IRC information-related capability ISP Internet service provider ISR intelligence, surveillance, and reconnaissance IT information technology JFC joint force commander JFHQ-C joint force headquarters-cyberspace JFHQ-DODIN Joint Force Headquarters-Department of Defense Information Network JIACG joint interagency coordination group JOA joint operations area JP joint publication JPP joint planning process JS Joint Staff JTL joint target list LE law enforcement LOC line of communications MILDEC military deception MISO military information support operations
Glossary
GL-3
MNF multinational force MOE measure of effectiveness MOP measure of performance MTFP mission-tailored force package NG National Guard NGB National Guard Bureau NGO nongovernmental organization NIPRNET Non-classified Internet Protocol Router Network NMT national mission team NST national support team OA operational area OCO offensive cyberspace operations OE operational environment OPCON operational control OPLAN operation plan OPORD operation order OPSEC operations security OSC offensive space control OSD Office of the Secretary of Defense OSINT open-source intelligence PIT platform information technology PN partner nation PPD Presidential policy directive RC Reserve Component RFI request for information ROE rules of engagement SATCOM satellite communications SCC Service cyberspace component SecDef Secretary of Defense SIGINT signals intelligence SIPRNET SECRET Internet Protocol Router Network TACON tactical control TCPED tasking, collection, processing, exploitation, and dissemination TST time-sensitive target USC United States Code USCYBERCOM United States Cyber Command USD(P) Under Secretary of Defense for Policy USG United States Government
Glossary
GL-4 JP 3-12
PART II—TERMS AND DEFINITIONS
cyberspace. A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. (DOD Dictionary. Source: JP 3-12)
cyberspace attack. Actions taken in cyberspace that create noticeable denial effects (i.e.,
degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial that appears in a physical domain, and is considered a form of fires. (Approved for inclusion in the DOD Dictionary.)
cyberspace capability. A device or computer program, including any combination of
software, firmware, or hardware, designed to create an effect in or through cyberspace. (Approved for inclusion in the DOD Dictionary.)
cyberspace defense. Actions taken within protected cyberspace to defeat specific threats
that have breached or are threatening to breach cyberspace security measures and include actions to detect, characterize, counter, and mitigate threats, including malware or the unauthorized activities of users, and to restore the system to a secure configuration. (Approved for inclusion in the DOD Dictionary.)
cyberspace exploitation. Actions taken in cyberspace to gain intelligence, maneuver,
collect information, or perform other enabling actions required to prepare for future military operations. (Approved for inclusion in the DOD Dictionary.)
cyberspace security. Actions taken within protected cyberspace to prevent unauthorized
access to, exploitation of, or damage to computers, electronic communications systems, and other information technology, including platform information technology, as well as the information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. (Approved for inclusion in the DOD Dictionary.)
cyberspace superiority. The degree of dominance in cyberspace by one force that permits
the secure, reliable conduct of operations by that force and its related land, air, maritime, and space forces at a given time and place without prohibitive interference. (Approved for incorporation into the DOD Dictionary.)
defensive cyberspace operations. Missions to preserve the ability to utilize blue
cyberspace capabilities and protect data, networks, cyberspace-enabled devices, and other designated systems by defeating on-going or imminent malicious cyberspace activity. Also called DCO. (Approved for incorporation into the DOD Dictionary.)
defensive cyberspace operations-internal defensive measures. Operations in which
authorized defense actions occur within the defended portion of cyberspace. Also called DCO-IDM. (Approved for inclusion in the DOD Dictionary.)
GL-5
defensive cyberspace operations-response actions. Operations that are part of a defensive cyberspace operations mission that are taken external to the defended network or portion of cyberspace without the permission of the owner of the affected system. Also called DCO-RA. (Approved for replacement of “defensive cyberspace operation response action” and its definition in the DOD Dictionary.)
Department of Defense information network operations. Operations to secure,
configure, operate, extend, maintain, and sustain Department of Defense cyberspace to create and preserve the confidentiality, availability, and integrity of the Department of Defense information network. Also called DODIN operations. (Approved for incorporation into the DOD Dictionary.)
directive authority for cyberspace operations. The authority to issue orders and
directives to all Department of Defense components to execute global Department of Defense information network operations and defensive cyberspace operations internal defensive measures. Also called DACO. (Approved for inclusion in the DOD Dictionary.)
information assurance. None. (Approved for removal from the DOD Dictionary.) offensive cyberspace operations. Missions intended to project power in and through
cyberspace. Also called OCO. (Approved for incorporation into the DOD Dictionary.)
Glossary
GL-6 JP 3-12
Intentionally Blank
IV-1
CHAPTER IV PLANNING, COORDINATION, EXECUTION, AND ASSESSMENT
1. Joint Planning Process and Cyberspace Operations
a. Commanders integrate CO into their operations at all levels. Their plans should address how to effectively integrate cyberspace capabilities, counter adversaries’ use of cyberspace, identify and secure mission-critical cyberspace, access key terrain in cyberspace, operate in a degraded environment, efficiently use limited cyberspace assets, and pair operational requirements with cyberspace capabilities. The commander provides initial planning guidance, which may specify time constraints, outline initial coordination requirements, authorize the movement of forces within the commander’s authority, and direct other actions as necessary. Supporting CO plans and concepts describe the role and scope of CO in the commander’s effort and address how CO support the execution of the supported plan. If requested by a commander, CDRUSCYBERCOM provides assistance in integrating cyberspace forces and capabilities into the commander’s plans and orders.
b. JP 5-0, Joint Planning, describes the joint planning process (JPP) as a proven process to organize the work of the commander, staff, subordinate commanders, and other partners to develop plans that appropriately address the problem to be solved. It focuses on framing the situation and end states, defining the military mission, analysis of critical factors, and designing an operational approach to accomplish mission objectives. CO capabilities and functions are integrated along with all other joint capabilities and functions into the JPP and into the Adaptive Planning and Execution enterprise.
See JP 5-0, Joint Planning, for more information on the JPP.
2. Cyberspace Operations Planning Considerations
a. Overview. Although CO planners are presented the same operational design considerations and challenges as planners for operations in the physical domains, there are some unique considerations for planning CO. For instance, because of unforeseen linkages in cyberspace, higher-order effects of some CO may be more difficult to predict. This may require more branch and sequel planning. Further, while many elements of cyberspace can be mapped geographically, a full understanding of an adversary’s disposition and
“We’re trying to both physically and virtually isolate ISIL [Islamic State of Iraq and the Levant], limit their ability to conduct command and control, limit their ability to communicate with each other, limit their ability to conduct operations locally and tactically. I’ll be one of the first ones arguing that that’s about all we should talk about.... We want them to be surprised when we conduct cyber[space] operations. And, frankly, they’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age.”
General Joseph Dunford Chairman of the Joint Chiefs of Staff
February 2016 News Conference
Chapter IV
IV-2 JP 3-12
capabilities in cyberspace involves understanding the target, not only at the underlying physical network layer but also at the logical network layer and cyber-persona layer, including profiles of system users and administrators and their relationship to adversary critical factors. For planning internal operations within DOD cyberspace, DODIN operations and DCO-IDM planners require a clear understanding of which friendly forces or capabilities might be targeted by an adversary; what DODIN vulnerabilities are most likely to be targeted and the potential effects of the adversary’s action; the mission assurance risks involved; and an understanding of applicable domestic, foreign, and international laws and USG policy. Threats in cyberspace may be nation-states, non-state groups, or individuals, and the parts of cyberspace they control are not necessarily within the geographic borders associated with the threat’s nationality or proportional to their geopolitical influence. A criminal element, a politically motivated group, or even a well- resourced individual may have a greater presence and capability in cyberspace than do many nations. Moreover, many adversaries operate cyberspace capabilities from portions of cyberspace geographically associated with the US or owned by a US entity. Each of these factors complicates the planning of CO.
b. Planning Timelines. For external missions, it is essential OCO and DCO-RA planners understand the authorities required to execute the specific CO actions proposed. The applicable authorities may vary depending upon the phase of the operation. This includes accounting for the lead time required to obtain the necessary intelligence to define the correct target; develop target access; confirm the appropriate authorities; complete necessary coordination, including interagency coordination and/or synchronization; and to verify the cyberspace capability matches the intended target using the results of technical assurance evaluations. For internal missions, the timelines for DCO-IDM and DODIN operations planners are impacted by other factors, including levels of automation available to manage network posture, availability of security solutions from commercial providers and their licensing requirements, and operational considerations that may impact a defender’s abilities to maneuver or take systems off-line to better manage their protection. However, the planning fundamentals remain the same, and despite the additional considerations and challenges of integrating CO, planners use most elements of the traditional processes to implement the commander’s intent and guidance.
c. Planning Considerations for Operating in Red and Gray Cyberspace
(1) Characteristics of Cyberspace Capabilities. While cyberspace is complex and ever changing, cyberspace capabilities, whether devices or computer programs, must reliably create the intended effects. However, cyberspace capabilities are developed based on environmental assumptions and expectations about the operating conditions that will be found in the OE. These conditions may be as simple as the type of computer operating system being used by an adversary or as complex as the exact serial number of the hardware or version of the software installed, what system resources are available, and what other applications are expected to be running (or not running) when the cyberspace capability activates on target. These expected conditions should be well documented by the capability developer and are important for planners and targeting personnel to understand as capability limitations. The extent to which the expected environmental conditions of a target cannot be confirmed through ISR sources represents an increased level of risk
Planning, Coordination, Execution, and Assessment
IV-3
associated with using the capability. All other factors being equal, cyberspace capabilities that have the fewest environmental dependencies and/or allow the operator to reconfigure the capability are preferred. DODI O-3600.03, Technical Assurance Standard (TAS) for Computer Network Attack (CNA) Capabilities, provides detailed requirements for technical assurance evaluations that document these characteristics.
(2) Cascading, Compounding, and Collateral Effects. Overlaps among military, other government, corporate, and private activities on shared networks in cyberspace make the evaluation of probable cascading, compounding, and collateral effects particularly important when targeting for CO. The effects can ripple through a targeted system, sometimes cascading through links with related systems that were not evident to the planner. Cascading effects sometimes travel through systems subordinate to the one targeted but can also move laterally to peer systems or up to higher-level systems. Compounding effects are an aggregation of various levels of effects that have interacted in ways that may be intended or may have been unforeseen. Collateral effects, including collateral damage, are the incidental effects of military operations on non-combatants and civilian property that were not the intended targets of the strike. Depending upon the strategic and operational situation, an order or applicable ROE may limit CO to only those actions likely to result in no or low levels of collateral effects. A collateral effects estimate to meet policy restrictions is separate from the proportionality analysis required by the law of war. This estimate is a tool for the commander to understand risk when considering approval of operations. Therefore, even if a proposed CO is permissible after a collateral effects analysis, the likely effects of the proposed CO must also be permissible under a law of war proportionality analysis, as applicable.
(3) Reversibility of Effects. An important consideration for planning cyberspace attack and cyberspace exploitation effects is the level of control over the duration of the effect that can be exercised by friendly forces. There are two basic ways to categorize effects by this standard:
(a) Operator Reversible Effects. Effects that can be recalled, recovered, or terminated by friendly forces. These effects may represent a lower risk of undesired consequences, including discovery or retaliation.
(b) Non-Operator Reversible Effects. Effects that cannot be recalled,
recovered, or terminated by friendly forces after execution. These effects may represent a higher risk of response from the threat or other undesired consequences and may require more coordination. See Appendix A, “Classified Planning Considerations for Cyberspace Operations,” for additional planning considerations for external missions. See JP 3-60, Joint Targeting, for additional information on creation of effects. Refer to CJCSI 3160.01, No-Strike and the Collateral Damage Estimation Methodology, for additional information on collateral damage.
d. Planning Considerations for Protecting the DODIN
Chapter IV
IV-4 JP 3-12
(1) For Specific Plans and Operations. DODIN operations underpin nearly every aspect of military operations, and this reliance on cyberspace is well understood by our adversaries. However, a commander’s reliance on specific segments of the DODIN is often not considered during plans development, but planning for DODIN resiliency is essential. JFC planning staffs should incorporate DCO-IDM branches and sequels for any operations that pose an increased threat to the DODIN. The CCDR’s CO staff coordinates and deconflicts DCO-IDM mission activities with the USCYBERCOM CO-IPEs. If the planned defensive actions will create effects in cyberspace outside of the GCC’s AOR, JFHQ-DODIN will ensure the cyberspace defense actions are coordinated and synchronized globally.
(2) Prioritizing DODIN Protection. Cybersecurity policies generally apply to all of the DODIN, unless specific exceptions or waivers are granted. Each segment of the DODIN has an organization responsible for its security and first-line defensive actions, including administrative and non-mission-critical networks, which are protected primarily by their operators and their CSSP. Some of these protection services may be contracted, particularly when the creation and operation of the network itself has been contracted. The determination of whether or not a specific piece of contractor hardware or a specific contractor network segment is considered part of the DODIN is determined by the exact language of the contract. Given the limited number of CPTs and other cyberspace forces, the significant scope of the DODIN means not every segment can be defended in the same depth. Primarily, these specialized cyberspace forces focus on protecting the highest priority segments of the DODIN, including mission-critical, classified, and those directly supporting operations. As resources allow, CPTs may assist service providers and network segment operators with defense of lower priority networks.
(3) Coordinating DODIN Defense. Effective response to intrusions or other malicious activity on the DODIN requires coordinated action. Although the ultimate goal of DCO is to defeat the threat and reestablish secure cyberspace, the nature of the threat determines the specific response to each incident. All cybersecurity incidents are reported IAW DOD policy, but some threat adversary activity may be effectively remediated by well-trained, local cyberspace forces without external support. Sophisticated nation-state threats that penetrate our security measures require a different type of response. Each encounter with a peer or near-peer adversary in cyberspace warrants careful consideration of the response. Choosing when, where, and how to engage the threat is as important in DCO as it is to defense in the physical domains. If circumstances allow, including a consideration of threat to the supported mission, intelligence gain/loss (IGL) considerations may suggest careful observation of the threat while limiting its maneuver. When a command is engaged with a threat in cyberspace, the global enterprise adapts to support that command IAW defensive priorities. Reachback support for analytics, intelligence, and even fires is provided to maintain continuity of operations at the supported command. Local and Service commanders consult with USCYBERCOM and its subordinate HQ staffs to create tailored responses to specific threats. Some incidents require remote or on-site response by CPTs to assist network operators and the assigned CSSP with remediation and restoration of the affected network segment.
Planning, Coordination, Execution, and Assessment
IV-5
(4) Situational Awareness. Cyberspace situational awareness is the requisite current and predictive knowledge of cyberspace and the OE upon which CO depend, including all factors affecting friendly and adversary cyberspace forces. A commander continually assesses the OE through a combination of staff element and other reporting; personal observation; intelligence, to include threat warning; and representations of various activities occurring in the OE using a common operational picture (COP). The DODIN is a primary source of information used to support the commander’s situational awareness of the OE, including the status of the DODIN itself. Sustainment of DODIN sensors, communication channels, data feeds, and user interfaces is a key outcome of DODIN operations. Accurate and comprehensive situational awareness is critical for rapid decision making in a constantly changing OE and while engaging an elusive, adaptive adversary. Situational awareness of adversary activity in gray and red cyberspace relies heavily on cyberspace exploitation and SIGINT, but contributions can come from all sources of intelligence. Situational awareness within the DODIN is provided by the Services and agencies operating their portions of the DODIN, by DISA and JFHQ-DODIN through the network operations and security centers, by USCYBERCOM’s Joint Operations Center, and by the Joint Functional Component Command for Space’s Joint Space Operations Center for SATCOM. They coordinate with each other as required for operational effectiveness and shared situational awareness. The ever-increasing complexity and scope of cyberspace means a commander never has perfect or even optimal situational awareness of cyberspace factors that could impact operations and should consider the risks represented by this lack of information when making decisions.
e. Preparing for Assessment. Assessment is used to measure progress of the joint force toward mission accomplishment. Commanders continuously assess the OE and the progress of operations and compare them to their initial vision and intent. The assessment process begins during the planning process and helps the commander and staff decide what to measure and how to measure it, in order to determine progress toward accomplishing a task, creating an effect, or achieving an objective. The data collected to support these measures can range from simply noting an inability to reach the target network after a cyberspace attack to complex network monitoring and statistical analysis. Data gathered about the target’s state prior to the operation, through access, execution, and possibly its long-term post-attack state, may facilitate later assessment of higher- order effects. Assessment of internal missions to protect the DODIN requires similar preparation. It is difficult to determine the degree that protection measures reduce risk to mission without accurate knowledge of the initial conditions of the network. Assessment of CO is not limited to analysis of data from within cyberspace. For example, if the desired effect of an OCO mission was to cause a power outage, the assessment might be made using visual sensors to observe indications of an outage. Planners submit assessment requests, with sufficient justification, as early as is necessary for the appropriate allocation of resources. For further information, see paragraph 7, “Assessment of Cyberspace Operations.”
Refer to Appendix A, “Classified Planning Considerations for Cyberspace Operations,” for additional information on planning CO.
Chapter IV
IV-6 JP 3-12
3. Intelligence and Operational Analytic Support to Cyberspace Operations Planning
a. IRs. During mission analysis, the joint force staff identifies significant information gaps about the adversary and other relevant aspects of the OE. After gap analysis, the staff formulates IRs, which are general or specific subjects upon which there is a need for the collection of information or the production of intelligence. Based upon identified IRs, the staff develops more specific questions known as information requirements (those items of information that must be collected and processed to develop the intelligence required by the commander). Information requirements related to cyberspace can include such things as network infrastructures and status, readiness of adversary’s equipment and personnel, and unique cyberspace signature identifiers such as hardware/software/firmware versions and configuration files. These IRs are met through a combination of military intelligence and national intelligence sources.
See JP 2-0, Joint Intelligence, for additional information on IRs.
(1) Requests for Information (RFIs). CO planners can submit an RFI to generate intelligence collection efforts in any part of the OE or discipline in support of the JPP. RFIs are specific, time-sensitive, ad hoc requirements for intelligence information to support an ongoing crisis or operation and not necessarily related to standing requirements or scheduled intelligence production. RFIs fulfill customer requirements and range from disseminating existing products through integrating or tailoring on-hand information to scheduling new collection and production. The RFI manager translating the customer’s requirement and the primary intelligence producer determine how best to meet the customer’s needs. In addition to information collected during military operations, information required to support CO planning can come from SIGINT, human intelligence, CI, measurement and signature intelligence, geospatial intelligence, or open-source intelligence (OSINT). Regardless of source, the information should be timely, accurate, and in a usable format.
See JP 2-01, Joint and National Intelligence Support to Military Operations, for additional information on RFIs.
(2) Tasking, Collection, Processing, Exploitation, and Dissemination (TCPED) Architecture. The DOD’s global connectivity enables commanders to task assigned or attached ISR sensors or assets and submit collection and production requirements directly to other ISR or IC activities.
For more information on TCPED, see JP 2-01, Joint and National Intelligence Support to Military Operations.
b. Threat Detection and Characterization. Some threats in cyberspace are detected by intelligence sources and others during the course of military maneuver.
(1) Detection. The activities in cyberspace of a sophisticated threat may be difficult to detect. Unlike actions in the physical domains, which are often detected by the presence of military equipment or other types of observables, threat actions in cyberspace
Planning, Coordination, Execution, and Assessment
IV-7
may not be easily distinguishable from legitimate network activity. Detecting of activities in cyberspace is critical for enabling effective CO.
(2) Characterization. Because the DOD cyberspace missions are categorized based on the commander’s intent and because friendly forces are often uncertain of a threat’s actual intent, threat activities in cyberspace are referred to more generically. Threat actions in cyberspace are generally referred to as malicious cyberspace activity. If known details of adversary activity support more precise categorization, specific threat actions may qualify as cyberspace attack if they have created noticeable denial effects or cyberspace exploitation if the adversary has only maneuvered for collection or enabling purposes.
(3) Analysis and Attribution. Due to the characteristics of the physical network, logical network, and cyber-persona layers of cyberspace, attribution of malicious cyberspace activity to a specific person, criminal organization, non-state threat, or even a responsible nation-state can be exceptionally difficult. Although attribution is not necessarily required for self-defense, the difficulty of attribution, along with the possibility that an apparent threat may actually be an attempt at misdirection, is one of the principal reasons DCO-RA mission planning may be more difficult than planning for response to conventional attack. The risks of a defensive response against the wrong threat, particularly a nation-state or a target within an unwitting nation-state where the attack originated, are weighed against strategic objectives and the consequences of making an attribution mistake. Working effectively within these constraints requires unique skills on the part of all-source intelligence analysts to understand the context of the threat activity. They use skills like analyzing deception techniques, anonymity techniques, virtual representations and avatars, and other artifacts of the logical network and cyber-persona layers to characterize activities with the requisite degree of confidence required to enable an effective response.
c. IGL. Another planning concern is that maneuver and fires in red and gray cyberspace could potentially compromise intelligence collection activities sources and methods. To the maximum extent practicable, an IGL assessment is required prior to executing such actions. The IGL assessment can be complicated by the array of non-DOD USG and multinational partners operating in cyberspace. JFCs use IGL analysis to weigh the risks of conducting the CO versus achieving the desired objective via other methods.
d. Warning Intelligence. Cyberspace threat intelligence includes all-source analysis to factor in political, military, and technical warning intelligence. Adversary cyberspace actions may occur separate from, and well in advance of, related activities in the physical domains. Additionally, cyberspace threat sensors may recognize malicious activity with only a very short time available to respond. These factors make the inclusion of all-source intelligence analysis very important for effectively assessing adversaries’ intentions in cyberspace.
e. OSINT. All-source intelligence analysis of cyberspace sources should take advantage of the information available from OSINT, including Internet social media and other nontraditional sources of information. The constantly evolving sphere of open-
Chapter IV
IV-8 JP 3-12
source activity offers the opportunity to add useful data to all-source analysis. But this constantly changing landscape of media and the low “signal to noise” ratio of data available in cyberspace also complicate the intelligence collection problem, requiring active collection management to stay abreast of these sources.
f. ISR in Cyberspace. ISR in cyberspace is an activity that synchronizes and integrates the planning and operation of sensors; assets; and processing, exploitation, and dissemination systems in direct support of current and future operations. This is an integrated intelligence and operations function. ISR in cyberspace focuses on gathering tactical and operational information and on mapping enemy and adversary networks to support military planning. To facilitate the optimum utilization of all available ISR assets, an ISR concept of the operations (CONOPS) should be developed in conjunction with the command’s planning effort. The ISR CONOPS should be based on the collection strategy and ISR execution planning and should be developed jointly by the joint force intelligence directorate of a joint staff and the operations directorate of a joint staff. The ISR CONOPS documents the synchronization, integration, and operation of ISR resources in direct support of current and future operations. It outlines the capability to task, collect, process, exploit, and disseminate accurate and timely information that provides the awareness necessary to successfully plan and conduct operations. It addresses how all available ISR collection assets and associated processing, exploitation, and dissemination infrastructure, including multinational and commercial assets, will be used to satisfy the joint force’s anticipated collection tasks. It also requires appropriate deconfliction and personnel that are trained and certified to a common standard with the IC.
4. Targeting
The purpose of targeting is to integrate and synchronize fires (the use of weapon systems or other actions to create a specific lethal or nonlethal effect on a target) into joint operations. Targeting is the process of selecting and prioritizing targets and matching the appropriate response to them, considering operational requirements and capabilities. Integrating and synchronizing planning, execution, and assessment are pivotal to the success of joint targeting. The overall joint targeting cycle and target development process described in JP 3-60, Joint Targeting, apply generally to targeting in support of CO. In addition, the coordination required by Chairman of the Joint Chiefs of Staff Manual (CJCSM) 3139.01, (U) Review and Approval Process for Cyberspace Operations, for certain OCO and DCO-RA missions is unique to CO and applies to many aspects of the joint targeting cycle. Therefore, CO planners and decision makers often use a targeting process specifically adapted to the circumstance. Three fundamental aspects of CO require consideration in the targeting processes: recognizing cyberspace capabilities are a viable option for engaging some designated targets; understanding a CO option may be preferable in some cases, because it may offer low probability of detection and/or no associated physical damage; and higher-order effects on targets in cyberspace may impact elements of the DODIN, including retaliation for attacks attributed to the joint force. Additionally, some characteristics unique to the cyberspace components of targets and to cyberspace capabilities are described below.
Planning, Coordination, Execution, and Assessment
IV-9
a. Targeting In and Through Cyberspace. Planning and targeting staffs develop and select targets in and through cyberspace based on the commander’s objectives rather than on the capabilities available to achieve them. The focus is on creating effects that accomplish targeting-related tasks and objectives, not on using a particular cyberspace capability simply because it is available. Targets that can be accessed in cyberspace are developed, vetted, and validated within the established targeting process. Although targets paired with cyberspace capabilities can often be engaged with no permanent damage, due to the interconnectedness of cyberspace, the effects of CO may cross geographical boundaries and, if not carefully planned, may have unanticipated effects. As a result, engaging targets in and through cyberspace requires close coordination within DOD and with interagency and multinational partners. Every target has distinct intrinsic or acquired characteristics (i.e., physical, functional, cognitive, environmental, and temporal) that form the basis for detection, location, and identification; for determining target value within the target system; and for classification for future surveillance, analysis, strike, and assessment. The challenge in targeting for CO is to identify, correlate, coordinate, and deconflict multiple activities occurring across the physical network, logical network, and cyber- persona layers. This requires a C2 capability that can operate at the tempo of CO and can rapidly integrate impacted stakeholders.
(1) Physical Network Layer Target Features. The physical network layer is the medium where the data travels. It includes wired (e.g., land and undersea cable) and wireless (e.g., radio, radio-relay, cellular, satellite) transmission means. It is a point of reference for determining geographic location and the applicable legal framework.
(2) Logical Network Layer Target Features. The logical network layer provides an alternate view of the target, abstracted from its physical location, and referenced from its logical position in cyberspace. This position is often represented through a network address (e.g., IP address). It depicts how nodes in the physical domains address and refer to one another to form entities in cyberspace. The logical network layer is the first point where the connection to the physical domains may be lost. Targeting in the logical layer requires the logical identity and logical access to the target to have a direct effect.
(3) Cyber-Persona Layer Target Features. The cyber-persona layer, the aggregate of an individual’s or group’s online identity(ies), and an abstraction of logical network layer data, holds important implications for joint forces in terms of positive target identification and affiliation and activity attribution. Cyber-personas are created to group information together about targeted actors in order to organize analysis, engagement, and intelligence reporting. Because cyber-personas can be complex, with elements in many virtual locations but often not linked to a single physical location or form, sufficient intelligence collection and analysis capabilities are required for the joint forces to gain insight and situational awareness required to enable effective targeting of a cyber-persona. Ultimately, cyber-personas will be linked to features that will be engaged in either the logical or physical network layers.
b. Target Access. Cyberspace forces develop access to targets or target elements in cyberspace by using cyberspace exploitation actions. This access can then be used for
Chapter IV
IV-10 JP 3-12
various purposes, ranging from information collection to maneuver and to targeting nomination. Not all accesses are equally useful for military operations. For instance, the level of access required to collect information from an entity may not be sufficient to create a desired effect. Developing access to targets in or through cyberspace follows a process which can often take significant time. In some cases, remote access is not possible, and close proximity may be required. All target access efforts in cyberspace require coordination with the IC for deconfliction IAW national policy and to illuminate potential IGL concerns. If direct access to the target is unavailable or undesired, sometimes a similar or partial effect can be created by indirect access using a related target that has higher-order effects on the desired target. Some denial of service cyberspace attacks leverage this type of indirect access.
c. Target Nomination and Synchronization. CO use standard target nomination processes, but target folders should include unique cyberspace aspects (e.g., hardware and software configurations, IP address, cyber-persona applications) of the target. Development of this data is imperative to understand and characterize how elements targetable through cyberspace are relevant to the commander’s objective. This data also allows the planner to match an appropriate cyberspace capability against a particular target. Component commanders, national agencies, supporting commands, and/or the JFC planning staff nominate targets to the targeting staff for development and inclusion on the joint target list (JTL). Once placed on the JTL, JFCs in receipt of an EXORD with relevant objectives and ROE can engage the target with organic assets (if within a component commander’s assigned area of operations) or nominate the target to CDRUSCYBERCOM for action by other joint force components and other organizations.
See JP 3-60, Joint Targeting, and CJCSI 3370.01, Target Development Standards, for additional details on vetting, validation, and joint targeting working groups.
d. Time-Sensitive Targets (TSTs)
(1) A TST is a validated target of such high priority to friendly forces that the commander designates it for immediate engagement because it poses (or will soon pose) a threat to friendly forces or is a highly lucrative, fleeting target. TSTs are normally engaged dynamically. However, to be successfully engaged, they require considerable planning and preparation within the joint targeting cycle. Engaging TSTs in cyberspace is difficult in most situations, because they are likely to cross-AORs and require detailed joint, interagency, and/or multinational planning efforts.
(2) Being prepared to engage a TST in cyberspace requires coordination between cyberspace planners, operators, and the supported commander early in the planning phase, to increase the likelihood that adequate flexibility and access is available should a fleeting opportunity arise. In addition, JFCs should establish procedures to quickly promulgate strike orders for TSTs in cyberspace. Successful prosecution of TSTs in cyberspace requires a well-organized and well-rehearsed process for sharing sensor data and target information, identifying suitable strike assets, obtaining mission approval, and rapidly deconflicting cyberspace capability employment. Performing as much advanced
Planning, Coordination, Execution, and Assessment
IV-11
coordination and decision making as possible, based on the types of TSTs expected and the nature of the mission, is the key to success.
See JP 3-60, Joint Targeting, for additional information on joint targeting, and JP 2-01, Joint and National Intelligence Support to Military Operations, for additional information on intelligence operations.
Refer to Appendix A, “Classified Planning Considerations for Cyberspace Operations,” for additional information on intelligence support to planning CO.
5. Command and Control of Cyberspace Forces
a. Clearly established command relationships are crucial for ensuring timely and effective employment of forces, and CO require unity of command and unity of effort. However, the complex nature of CO, where cyberspace forces can be simultaneously providing actions at the global level and at the theater or JOA level, requires adaptations to traditional C2 structures. Joint forces principally employ centralized planning with decentralized execution of operations. CO require constant and detailed coordination between theater and global operations, creating a dynamic C2 framework that can adapt to the constant changes, emerging threats, and unknowns. Certain CO functions, including protection of the DODIN’s global networks and pursuit of global cyberspace threats, lend themselves to centralized planning and execution to meet multiple, near-instantaneous requirements for response. Centrally controlled CO should be integrated and synchronized with the CCDR’s regional or local CO, conducted by forces assigned or attached to the CCDR, or in support of the CCDR. For these reasons, there may be times when C2 of forces executing simultaneous global CO and theater CO is conducted using supported/supporting command relationships under separate, but synchronized, chains of command. CO are integrated and synchronized by the supported commander into their CONOPS, detailed plans and orders, and specific joint operations.
b. C2 for Global CO. CDRUSCYBERCOM is the supported commander for transregional and global CO and manages day-to-day global CO even while he or she is the supporting commander for one or more geographic or functional CCDR’s operations. For a specific CO mission, the supported/supporting command relationships are established in an EXORD, OPORD, or establishing directive. A supported relationship for CO does not exempt either command from coordinating response options with affected commanders prior to conducting an operation. Regardless of the approach employed for any particular operation, unless otherwise specified by the President or SecDef, C2 for CO are implemented IAW existing CJCS C2 EXORD and other relevant orders to help ensure effective coordination and synchronization of joint forces and to provide a common construct for JFCs to execute their mission within a global context. JFHQ-DODIN centrally coordinates and directs global DODIN operations and DCO-IDM when these operations have the potential to impact the integrity and operational readiness of multiple DOD components. Although execution of many actions may be decentralized, CDRUSCYBERCOM is the supported commander for CO to secure, operate, and defend the DODIN and, when ordered, to defend other US critical cyberspace assets, systems, and functions. As the DODIN continues to migrate towards a common architecture standard,
Chapter IV
IV-12 JP 3-12
routine cyberspace security actions for global networks will continue shifting to centralized locations, such as a global enterprise operations center.
c. C2 for CO Supporting CCMDs. CCDRs are supported for CO in their AOR or for their transregional responsibilities, with CDRUSCYBERCOM supporting as necessary. These CO comprise actions intended to have effects localized within a GCC’s AOR or a functional CCMD’s transregional responsibilities. These could be cyberspace security and defense actions internal to a theater DODIN segment or external actions, such as cyberspace exploitation or cyberspace attack against a specific enemy capability. In addition to the theater segments of global networks, CCMD-level DODIN operations and DCO-IDM include the protection of stand-alone and tactical networks and computers used exclusively by the CCMD. For example, CCMD-level maneuvers in cyberspace include activities to reposition capabilities to enhance threat detection in specified areas, focus cyberspace forces activity in areas linked to specific operational branches and sequels to keep the adversary at risk, or activate stand-by tactical cyberspace capabilities to transition friendly C2 to more secure locations. Such CO maneuvers are vital when a CCDR’s systems are under attack to the degree that subsets of the DODIN are degraded, compromised, or lost. In such operations, the supported CCDR coordinates, through their USCYBERCOM CO-IPE, with their associated enterprise operation center, supported by JFHQ-DODIN and DISA, to restore the affected cyberspace. The supported CCDR also integrates, synchronizes, and normally directs CO actions in red and gray cyberspace, including fires, with other lethal and nonlethal effects, for which they may use assigned, attached, or supporting cyberspace forces. CCDRs develop and coordinate their requirements for such effects with the USCYBERCOM CO-IPE, for deconfliction and prioritized execution. When a CCDR establishes a subordinate force (e.g., a joint task force), the cyberspace unit(s) assigned to support that force are determined by the CCDR’s mission requirements in coordination with CDRUSCYBERCOM.
d. C2 Distinctives for Routine and Crisis/Contingency CO. The CJCS has established two models for C2 of CO, depending upon the prevailing circumstances. The relationships are described below and depicted graphically in Figure IV-1 and Figure IV-2.
(1) The following relationships guide the C2 of cyberspace forces during normal operating conditions, when no crisis or contingency is in effect:
(a) USCYBERCOM C2 relationships:
1. CDRUSCYBERCOM has COCOM of all GFMIG-assigned cyberspace forces.
2. CDRUSCYBERCOM has support relationships with all other CCDRs.
3. CNMF commander has OPCON of NMTs/NSTs and national CPTs.
4. JFHQ-C commanders have OPCON of CMTs/CSTs.
Planning, Coordination, Execution, and Assessment
IV-13
5. SCC commanders have OPCON of Service CPTs and other forces attached by CDRUSCYBERCOM (e.g., CSSPs).
6. JFHQ-DODIN commander has OPCON of DODIN CPTs.
7. JFHQ-DODIN commander has tactical control (TACON) of SCC commands for DODIN operations and DCO-IDM only.
Figure IV-1. Routine Cyberspace Command and Control
Combatant CommandUSCYBERCOM
JFHQ-DODIN
CO-IPE
Service Cyberspace Components
CCMD CPTs
CNMF-HQ JFHQ-C
CCMD CPTs
JCC/ Cyber Staff
Service CPTs
National CPTs
DODIN CPTs
CMTs
CSTs
NMTs
NSTs
DOD Components
*
Routine Cyberspace Command and Control
COCOM OPCON TACON DACO supporting/supported direct support coordination
CCMD combatant command CMT combat mission team CNMF-HQ Cyber National Mission Force
Headquarters COCOM combatant command (command
authority) CO-IPE cyberspace operations-integrated
planning element CPT cyberspace protection team CST combat support team DACO directive authority for cyberspace
operations DOD Department of Defense DODIN Department of Defense information
network JCC Joint Cyber Center
JFHQ-C joint force headquarters-cyberspace JFHQ-DODIN Joint Force Headquarters-Department
of Defense Information Network NMT national mission team NST national support team OPCON operational control TACON tactical control USCYBERCOM United States Cyber Command
Legend
* CO-IPE is provided by USCYBERCOM in direct support of combatant commander. Organizational relationships between CO-IPEs and USCYBERCOM subordinate headquarters will be specified via USCYBERCOM orders.
Chapter IV
IV-14 JP 3-12
8. JFHQ-DODIN commander has DACO, delegated from CDRUSCYBERCOM, over all DOD components for global DODIN operations and DCO- IDM.
9. SCC commanders have DACO, delegated from CDRUSCYBERCOM, over all related Service components for DODIN operations and DCO-IDM.
Figure IV-2. Crisis/Contingency Cyberspace Command and Control
Combatant CommandUSCYBERCOM
JFHQ-DODIN
CO-IPE
Mission Tailored Force Package
Service Cyberspace Components
CCMD CPTs
CNMF-HQ JFHQ-C
CCMD CPTs
JCC/ Cyber Staff
Service CPTs
National CPTs
DODIN CPTs
CMTs
CSTs
NMTs
NSTs
DOD Components
**
*
Crisis/Contingency Cyberspace Command and Control
OPCON TACON DACO supporting/supported direct support coordination
CCMD combatant command CMT combat mission team CNMF-HQ Cyber National Mission Force
Headquarters CO-IPE cyberspace operations-integrated
planning element CPT cyberspace protection team CST combat support team DACO directive authority for cyberspace
operations DOD Department of Defense DODIN Department of Defense information
network JCC Joint Cyber Center
JFHQ-C joint force headquarters-cyberspace JFHQ-DODIN Joint Force Headquarters-Department
of Defense Information Network NMT national mission team NST national support team OPCON operational control TACON tactical control USCYBERCOM United States Cyber Command
Legend
* USCYBERCOM Commander has OPCON of the mission-tailored force package and retains the flexibility to delegate OPCON to subordinate headquarters depending on the nature of the crisis/contingency. The commander receiving a mission-tailored force package has TACON to control the timing and tempo of cyberspace operations.
**Organizational relationships between CO-IPEs and USCYBERCOM subordinate headquarters will be specified via USCYBERCOM orders.
Planning, Coordination, Execution, and Assessment
IV-15
(b) CCMD C2 relationships:
1. CCDRs have COCOM of assigned cyberspace forces.
2. CCDRs have OPCON of CCMD CPTs.
3. SecDef establishes support relationships between CCDRs for CO.
4. JFHQ-C commanders support more than one CCDR using the general support model.
5. USCYBERCOM CO-IPEs provide direct support to CCDRs.
(2) When a cyberspace-related crisis or contingency is in effect, the routine relationships carry over, with these additional caveats:
(a) USCYBERCOM commander retains OPCON of any cyberspace forces USCYBERCOM provides to support a CCDR for crisis/contingency operations.
(b) When directed, CCDRs receiving forces from USCYBERCOM for crisis/contingency operations (e.g., a mission-tailored force package [MTFP]) have TACON of those forces.
(3) MTFP. A MTFP is a USCYBERCOM-tailored support capability comprised of assigned CO forces, additional CO support personnel, and cyberspace capabilities, as required. When directed, USCYBERCOM establishes a tailored force to support specific CCMD crisis or contingency mission requirements beyond the capacity of forces available for routine support. Each MTFP is task-organized and provided to the supported CCDR for the duration of the crisis/contingency operation or until redeployed by CDRUSCYBERCOM in coordination with the supported CCDR.
e. C2 Distinctives for Internal and External Cyberspace Missions. The nature of C2 relationships for CO vary, depending upon whether they are internal to DODIN or other defended cyberspace, or they are external missions in foreign cyberspace.
(1) Internal Missions. C2 of forces conducting DODIN operations and DCO- IDM may require preplanned and preauthorized actions based on particular conditions and triggers, executed either manually or automatically, depending upon the nature of the threat and urgency of the required response. The commander’s operations and planning staff should understand the interrelationships of the cyberspace they are protecting, how the appropriate capabilities can be effectively employed to defeat threats, and, when necessary, how to deconflict cyberspace defense actions with the mission critical operations that cannot be interrupted. Cyberspace forces defending CCMD segments of the DODIN may be geographically separated from the supported theater of operations. For example, forces conducting remote actions in support of DCO-IDM often simultaneously support defense of cyberspace in multiple geographic locations. This requires extensive coordination, planning, and early integration of requirements and capabilities. Such cases require all involved commanders to take extra measures so the supported commander is continuously
Chapter IV
IV-16 JP 3-12
aware of the remote supporting forces’ operational status. In other cases, CPTs may be deployed to specific locations where they are placed in direct support to local commanders to resecure compromised cyberspace. In other cases where there is no local military commander, for instance, when a CPT is deployed to assist a DOD agency, all C2 authorities remain with the CPT’s commander. Supported and supporting commanders coordinate the deployment and employment of cyberspace forces required to accomplish the assigned mission.
(2) External Missions. C2 relationships established to execute OCO and DCO- RA missions, which involve actions in foreign cyberspace, require careful consideration of projected effects and geopolitical boundaries. The reliance of the global population on the interconnectivity of cyberspace requires carefully controlling the effects created during OCO and DCO-RA missions, with detailed planning, in-depth intelligence support, and national-level deconfliction to assure appropriate consideration of nonmilitary factors such as foreign policy implications. Some of these external missions require centralized execution by CMTs or NMTs to create a global effect. For example, a DCO-RA mission employing external countermeasures in multiple AORs to counter a large botnet (a network of computers linked together by malware) or actions, up to and including pre-emption, to block cyberspace attack command signals directed from one AOR at another. Other external missions may be more regionally and tactically focused and use regionally deployed cyberspace forces. When directed, GCCs control operations in and through cyberspace when there is confidence that effects are limited to their geographic AOR. Such authorities require GCCs to remain cognizant of national cyberspace policy and its application to their plans and operations.
(3) Based on the nature of CO, the cyberspace C2 framework is adjusted for flexible and agile C2 of cyberspace forces to ensure US freedom of action in cyberspace while denying adversaries the same. For additional details beyond those discussed here, refer to the applicable CJCS EXORD and other relevant orders.
f. Enabling C2 of Cyberspace Forces. To provide effective C2 of forces conducting CO, several enabling factors are essential.
(1) COP. Despite the difficulties of achieving accurate and comprehensive situational awareness of all the aspects of cyberspace relative to a commander, the best available, real-time COP for cyberspace is important for effective C2 of forces executing CO. A COP of activities in cyberspace requires rapid fusion, correlation, and display of data from global network sensors to deliver a reliable picture of friendly, neutral, adversary, and enemy activity in all layers of cyberspace. In addition, an accurate cyberspace COP integrates real-time threat and event data from myriad sources (e.g., DOD enterprise operations centers and other service providers, IC, interagency partners, private industry, and international partners) and improves commanders’ ability to identify, monitor, characterize, track, locate, and take action in response to malicious cyberspace activity. CDRUSCYBERCOM maintains global cyberspace situational awareness, and CCMDs maintain regional/functional cyberspace situational awareness along with an awareness of global factors in cyberspace that may impact operations in their theater/functional area.
Planning, Coordination, Execution, and Assessment
IV-17
(2) Reach-Forward. The complexity presented by cyberspace requires flexibility of forces and C2 to counter the broad variety of threats. Units of cyberspace forces operating under JFHQ-DODIN and the CNMF-HQ, which provide global CO support, may need to reach-forward to support multiple CCMDs simultaneously. Allowing them to support CCMDs in this way permits faster adaptation to rapidly changing needs and allows threats that initially manifest only in one AOR to be mitigated globally in near real-time. Likewise, while synchronizing CO missions related to accomplishing CCDR objectives, some cyberspace capabilities that support this activity may need to be forward deployed, or for speed in time-critical situations, made available via reachback. This might involve augmentation or deployment of cyberspace capabilities to forces already forward or require deployment of a fully equipped team of personnel and capabilities.
(3) Reachback. At the same time, CCMDs require the freedom and capability to effectively plan, coordinate, and conduct theater and functional CO. To enable these efforts, staff supporting GCCs and other CCDRs should arrange for timely and effective reachback support from USCYBERCOM and its subordinate units to augment the expertise and capacity of the supported commander.
(a) CCDRs size and structure their CO support staff to best support their mission and requirements. This staff, supported by a USCYBERCOM CO-IPE, coordinates CO requirements and capabilities throughout their planning, intelligence, operations, assessment, and readiness processes to integrate and synchronize CO with other military operations. Additionally, as necessary and in partnership with USCYBERCOM, the CCMD coordinates regionally with interagency and multinational partners. The CCMD:
1. Combines inputs from USCYBERCOM with information about CCMD tactical and/or constructed networks to develop a regional/functional situational awareness/COP tailored to CCMD requirements.
2. Facilitates, through USCYBERCOM, coordination and deconfliction of CCDR-directed CO which may impact or conflict with other DOD or other USG cyberspace activities or operations within the AOR. As early as possible in the planning process, provide USCYBERCOM with sufficient information about CCDR-planned CO to enable deconfliction with other USG CO.
(b) USCYBERCOM CO-IPEs are organized to meet individual CCMD requirements and facilitate planning and coordination of all three cyberspace missions, as required. USCYBERCOM CO-IPEs remain in direct support of and are integrated with CCMD CO staff to provide a bridge for USCYBERCOM and its subordinate HQ to enable theater/tactical and global/national integration of cyberspace forces and operations.
g. C2 of Multinational CO. Although the US military will likely enter future conflicts as part of a multinational force (MNF), the level of integration of US cyberspace forces with foreign cyberspace forces will vary depending upon in-place agreements with each partner and may not mirror the level of integration of other types of forces. Planning for the specific C2 elements desired by the US commander depends upon the type and scale
Chapter IV
IV-18 JP 3-12
of the operation, the cyberspace presence or sophistication of the adversary, and the types of targets identified. Regardless of which elements are established, the overlaps between global and theater missions in cyberspace, and relevant operational limitations, necessitate close coordination, and potentially, some level of integration, among CCDRs conducting multinational operations, CDRUSCYBERCOM, and other multinational and interagency partners. See paragraph 9, “Multinational Considerations,” for additional information on multinational CO.
6. Synchronization of Cyberspace Operations
a. The pace of CO requires significant pre-operational collaboration and constant vigilance after initiation, for effective coordination and deconfliction throughout the OE. Keys to this synchronization are maintaining cyberspace situational awareness and assessing the potential impacts to the joint force of any planned CO, including the protection posture of the DODIN, changes from normal network configuration, or observed indications of malicious activity. The timing of planned CO should be determined based on a realistic assessment of their ability to create effects and support operations throughout the OE. This may require use of cyberspace capabilities in earlier phases of an operation than the use of other types of capabilities. Effective planners and operators understand how other operations within the OE may impact the CO. For example, the joint force uses fire support coordination measures in air, land, and maritime operations to facilitate the rapid engagement of targets and simultaneously provide safeguards for friendly forces. CO deconfliction and coordination efforts with other operations should include similar measures.
b. Deconfliction. For CO, deconfliction is the act of coordinating the employment of cyberspace capabilities to create effects with applicable DOD, interagency, and multinational partners to ensure operations do not interfere, inhibit, or otherwise conflict with each other. The commander’s intended effects in cyberspace, and the capabilities planned to create these effects, require deconfliction with other commands and agencies that may have equities in the same area of cyberspace. This critical step is managed from multiple aspects. From a purely technical perspective, it can be shown that two cyberspace capabilities can either interoperate without interference in the same environment or they cannot. However, from an operational risk perspective, even if multiple capabilities can operate without interference, it may not be wise to use them together. For example, the effect of one capability may draw the adversary’s attention on the target system in a way that jeopardizes another previously unnoticed US or mission partner capability. Technical deconfliction uses the results of technical assurance evaluations and includes detailed interoperability analysis of each capability and the cyberspace aspects of the OE. CDRUSCYBERCOM is the DOD focal point for interagency deconfliction of all actions proposed for OCO and DCO-RA missions. Commander, JFHQ-DODIN, is the focal point for interagency deconfliction of global DODIN operations and DCO-IDM activities which may affect more than one DOD component. The timelines required for analysis and coordination should be considered and included in the plan. Interagency coordination often takes longer than concomitant DOD coordination. CO may also require deconfliction and synchronization with integrated joint special technical operations (IJSTO). Information
Planning, Coordination, Execution, and Assessment
IV-19
and processes related to IJSTO and its contribution to CO can be obtained from the IJSTO planners at CCMD or Service component HQ.
c. EMS Factors
(1) EMS Dependencies. Advancements in technology, including an ever- increasing shift to mobile technologies, have created a progressively complex EMS portion of the OE. This has significant implications for CO. The JFC uses joint EMS operations to coordinate elements of CO, space operations, electronic warfare (EW), navigation warfare, various forms of EMS-dependent information collection, and C2. Although these activities can be integrated with other information-related capabilities (IRCs) as part of information operations synchronization, the offensive aspects of CO, space operations, and EW operations are often conducted under different specific authorities. Likewise, some IRCs enabled by CO, such as MISO and MILDEC, have their own execution approval process. Therefore, synchronizing IRCs that use the EMS is a complex process that requires significant foresight and awareness of the various applicable policies. Planners should also maintain awareness of their operational dependencies on mobile devices and wireless networks, including cellular, wireless local area networks, Global Positioning System, and other commercial and military uses of the EMS. Plans that assume access to the EMS for effects in cyberspace should consider contingencies for when bandwidth or interference issues preclude access to the required portion of the EMS.
(2) Fires in and through the EMS. Cyberspace attack, EA, and offensive space control (OSC) are deconflicted to maximize the impact of each type of fires. Uncoordinated EA may significantly impact EMS-enabled cyberspace attack actions, and vice-versa. Depending upon power levels, the geographic terrain in which they are used, and the nature of the system being targeted, unintended effects of EA and OSC could also occur outside of a local commander’s OA, just as higher-order effects of CO may be possible outside the OA. The JFC and staff may need to comply with different coordination requirements for the various types of fires that depend upon the EMS, forwarding requests for execution as early in the planning process as possible to comply with US law and to facilitate effective and timely effects. To minimize overlap, the primary responsibility for cyberspace attack coordination between USCYBERCOM and the joint force resides with the applicable JFHQ-C and USCYBERCOM CO-IPEs in coordination with the CCMD CO staff. Refer to respective doctrine and policy documents of supported IRCs for specifics on their authorities.
See JP 3-13.1, Electronic Warfare; JP 3-14, Space Operations; and JP 6-01, Joint Electromagnetic Spectrum Management Operations, for more information on EMS factors.
d. Integration of Cyberspace Fires. Cyberspace attack capabilities, although they can be used in a stand-alone context, are generally most effective when integrated with other fires. Some examples of integrating cyberspace fires are: disruption of enemy air defense systems using EMS-enabled cyberspace attack, insertion of messages into enemy leadership’s communications, degradation/disruption of enemy space-based and ground- based precision navigation and timing systems, and disruption of enemy C2. Effects in cyberspace can be created at the strategic, operational, or tactical level, in any phase of the
Chapter IV
IV-20 JP 3-12
military operation, and coordinated with lethal fires to create maximum effect on target. Integrated fires are not necessarily simultaneous fires, since the timing of cyberspace attack effects may be most advantageous when placed before or after the effects of lethal fires. Each engagement presents unique considerations, depending upon the level and nature of the enemy’s dependencies upon cyberspace. Supporting cyberspace fires may be used in a minor role, or they can be a critical component of a mission when used to enable air, land, maritime, space, and special operations. Forces operating lethal weapons and other capabilities in the physical domains cannot use cyberspace fires to best advantage unless they clearly understand the type and timing of planned effects in cyberspace. Properly prepared and timed cyberspace fires can create effects that cannot be created any other way. Poorly timed fires in cyberspace can be useless, or even worse, interfere with an otherwise effective mission.
e. Risk Concerns. JFCs should continuously seek to minimize risks to the joint force, as well as to friendly and neutral nations, societies, and economies, caused by use of cyberspace. Coordinated joint force operations benefit from the use of various cyberspace capabilities, including unclassified Web sites and Web applications used for communication efforts with audiences internal and external to DOD. Forward-deployed forces use the Internet, mobile phones, and instant messaging for logistics and morale purposes, including communication with friends and family. These uses of cyberspace are targeted by myriad actors, from foreign nations to malicious insiders. The JFC works with JFHQ-DODIN and the Services, as well as with assigned cyberspace forces, to limit the threat to the DODIN and mission partners’ cyberspace. Several areas of significant risk exist for the JFC:
(1) Insider threats are a significant concern to the joint force. Because insiders have a trusted relationship with access to the DODIN, the effects of their malicious or careless activity can be far more serious than those of external threat actors. Any user who does not closely follow cybersecurity policy can become an insider threat. Malicious insiders may exploit their access at the behest of foreign governments, terrorist groups, criminal elements, unscrupulous associates, or on their own initiative. Whether malicious insiders are committing espionage, making a political statement, or expressing personal disgruntlement, the consequences for DOD and national security can be devastating. JFCs use risk mitigation measures for this threat, such as reinforcing training of the joint force to be alert for suspicious insider activity and use of two-person controls on particularly sensitive hardware, software, or data.
(2) Internet-based capabilities, including e-mail, social networking, Web sites, and cloud-based repositories, are used for both official and unofficial purposes and pose continuously evolving security risks that are not fully understood. The security risks of Internet-based capabilities are often obscured, and our ability to mitigate these risks is limited, due to the commercial ownership of the majority of the supporting information systems or sites. These cyberspace and information security concerns, combined with bandwidth requirements of Internet applications, create an imperative for the commander to be aware of and actively manage the impact of official and unofficial use of Internet- based capabilities.
Planning, Coordination, Execution, and Assessment
IV-21
(3) Cross-domain (network) solutions that connect systems operating at different classification levels can provide significant operational value to the JFC but complicate cryptographic and other security support considerations and should be included as a planning consideration. Cross-domain solutions are often required in multinational operations and at the tactical level. The pace of operations and increasing demand for information from commanders and their staffs can sometimes pressure end-users into using poor security practices. Likewise, emergent tasking for information sharing has sometimes caused network managers to build ad hoc links over existing commercial infrastructure or connect non-DOD US and partner cyberspace without adequate security controls. The security risk of these behaviors is significant. USCYBERCOM, through JFHQ-DODIN, works with JFCs to develop appropriate technical solutions and detailed security policies to address the operational requirements without adding unnecessary risk. Planners should include requirements for early coordination so the security features included are appropriate for the commander’s needs.
7. Assessment of Cyberspace Operations
a. Assessment measures progress of the joint force toward mission accomplishment. Commanders continuously assess the OE and the progress of CO and compare them to their vision and intent. Measuring this progress toward the end state, and delivering timely, relevant, and reliable feedback into the planning process to adjust operations during execution, involves deliberately comparing the forecasted effects of CO with actual outcomes to determine the overall effectiveness of cyberspace force employment. More specifically, assessment helps the commander determine progress toward attaining the desired end state, achieving objectives, or performing tasks.
b. The assessment process for external CO missions begins during planning and includes measures of performance (MOPs) and measures of effectiveness (MOEs) of fires and other effects in cyberspace, as well as their contribution to the larger operation or objective. Historically, combat assessment has emphasized the battle damage assessment (BDA) component of measuring physical and functional damage, but this approach does not always represent the most complete effect, particularly with respect to CO. CO effects are often created outside the scope of battle and often do not create physical damage. Assessing the impact of CO effects requires typical BDA analysis and assessment of physical, functional, and target system components. However, the higher-order effects of cyberspace actions are often subtle, and assessment of second- and third-order effects can be difficult. Therefore, assessment of fires in and through cyberspace frequently requires significant intelligence collection and analysis efforts. Incorporating pre-strike prediction and post-strike assessment for CO into the existing joint force staff processes increases the likelihood that all objectives are met.
c. Assessment of CO at the Operational Level
(1) The operational-level planner is concerned with the accumulation of tactical effects into an overall operational effect. At the operational level, planning and operations staffs develop objectives and desired effects for the JFC to assign to subordinates. Subordinate staffs use the assigned operational objectives to develop tactical-level
Chapter IV
IV-22 JP 3-12
objectives, tasks, and subordinate targeting objectives and effects and to plan tactical actions and MOPs/MOEs for those actions. Individual tactical actions typically combine with other tactical actions to create operational-level effects; however, they can have operational or strategic implications. Usually, the summation of tactical actions in an operational theater is used to conduct an operational-level assessment principally operation assessments (see JP 3-0, Joint Operations, and JP 5-0, Joint Planning), which in turn supports the strategic-level assessment (as required). Operational MOPs/MOEs avoid tactical information overload by providing commanders a shorthand method of tracking tactical actions and maintaining situational awareness. MOPs and MOEs are clearly definable and measurable, are selected to support and enhance the commander’s decision process, and guide future actions that achieve objectives and attain end states.
(a) MOEs. MOEs are used to assess changes in targeted system behavior or in the OE. They measure progress toward the attainment of an end state, achievement of an objective, or creation of an effect. Data gathered on the target from its pre-mission state through access, execution, and possibly long-term post-operations analysis may enable later, more comprehensive assessment, including that of higher-order effects. MOEs generally reflect a trend or show progress toward or away from a measurable threshold. While MOEs may be harder to derive than MOP for a discrete task, they are nonetheless essential to effective assessment. For example, a MOE for a cyberspace attack action might be a meaningful reduction in the throughput of enemy data traffic or their shift to a more interceptable means of communication. Assessment of CO takes place both inside and outside of cyberspace. For instance, an OCO mission to disrupt electric power might be assessed through visual observation to determine that the power is actually out.
(b) MOP. MOPs are criteria for measuring task performance or accomplishment. MOPs are generally quantitative and are used in most aspects of combat assessment, which typically seeks specific quantitative data or a direct observation of an event to determine accomplishment of tactical tasks. An example of a MOP for a cyberspace exploitation action might be gaining a required access or emplacing a cyberspace capability on a targeted system.
(2) Development of operational-level MOPs/MOEs for CO is still an emerging aspect of operational art. In some cases, activities in cyberspace alone have operational-level effects; for example, the use of a cyberspace attack to bring down or corrupt the enemy HQ network could very well reverberate through the entire JOA. A CO option may be preferable in some scenarios if its effects are temporary or reversible. In such cases, accurate assessment requires the ability to effectively track the current status of the potentially changing effect using MOE indicators.
(3) CO often involve multiple commanders. Additionally, with CO typically conducted as part of a larger operation, assessment of CO is usually done in the context of supporting the overarching objectives. Therefore, CO assessments require close coordination within each staff and across multiple commands. Coordination and federation of the assessment efforts may require prior arrangements before execution. CO planners submit assessment requests as early as possible and provide sufficient justification to support priority allocation of relevant collection capabilities, including those outside of cyberspace.
Planning, Coordination, Execution, and Assessment
IV-23
See JP 5-0, Joint Planning, for a detailed description of assessment. See JP 3-60, Joint Targeting, and Defense Intelligence Agency Publication 2820-4-03, Battle Damage Assessment (BDA) Quick Guide, for more information on the assessment process related to targeting, BDA, and munitions effectiveness assessment.
8. Interorganizational Considerations
a. When appropriate, JFCs coordinate and integrate their CO with interagency partners during planning and execution. Effective integration of interagency considerations is vital to successful military operations, especially when the joint force conducts shaping, stability, and transition to civil authority activities. Just as JFCs and their staffs consider how the capabilities of other USG components and NGOs can be leveraged to assist in accomplishing military missions and broader national strategic objectives, JFCs should also consider the capabilities and priorities of interagency partners in planning and executing CO. In collaboration with interagency representatives, JS, and USCYBERCOM, JFCs should coordinate with interagency partners during CO planning to help ensure appropriate agreements exist to support their plans.
b. At the national level, the National Security Council, with its policy coordination committees and interagency working groups, advises and assists the President on all aspects of national security policy. OSD and JS, in consultation with the Services and CCMDs, coordinate interagency support required to support the JFC’s plans and orders. While supported CCDRs are the focal points for interagency coordination in support of operations in their AORs, interagency coordination with supporting commanders is also important. For integration into their operational-level estimates, plans, and operations, commanders should only consider interagency capabilities and capacities that interagency partners can realistically commit to the effort.
c. Military leaders work with the other members of the national security team to promote unified action. A number of factors can complicate the coordination process, including various agencies’ different and sometimes conflicting policies, overlapping legal authorities, roles and responsibilities, procedures, and decision-making processes for CO. A supported commander develops interagency coordination requirements and mechanisms for each OPLAN. The JFC’s staff requires a clear understanding of military CO capabilities, requirements, operational limitations, liaison, and legal considerations. Additionally, planners should understand the nature of this relationship and the types of CO support interagency partners can provide. In the absence of a formal interagency command structure, JFCs are required to build consensus to achieve unity of effort. Robust liaison facilitates understanding, coordination, and mission accomplishment.
d. Interagency command relationships, lines of authority, and planning processes vary greatly from those of DOD. Interagency management techniques often involve committees, steering groups, and/or interagency working groups organized along functional lines. During joint operations, use of a JIACG provides the CCDR and subordinate JFCs with an increased capability to coordinate with other USG departments and agencies. The JIACG is composed of USG civilian and military experts tailored to meet the CCDR’s specific needs and accredited to the CCDR. The JIACG establishes regular, timely, and collaborative working
Chapter IV
IV-24 JP 3-12
relationships between civilian and military planners, providing a CCDR with the capability to collaborate at the operational level with other USG departments and agencies. JIACG members participate in all appropriate planning efforts. Additionally, they provide a collaborative conduit back to their parent organizations to help synchronize joint operations with the efforts of nonmilitary organizations. In the absence of a JIACG focused on CO, planners may find it more difficult to verify that all mission partner equities in cyberspace are accounted for and, therefore, should begin to develop contacts with relevant departments and agencies as soon as the planning process begins.
9. Multinational Considerations
a. Collective security is a strategic objective of the US, and joint planning is frequently accomplished within the context of planning for multinational operations. There is no single doctrine for multinational action, and each alliance or coalition develops its own protocols and plans. US planning for joint operations accommodates and complements such protocols and plans for potential use of US cyberspace forces to protect MNF networks. JFCs also anticipate and incorporate mission partner planning factors, such as their domestic laws, regulations, and operational limitations on the use of various cyberspace capabilities and tactics.
b. When working within an MNF, each nation and Service can expect to be tasked by the commander with the mission(s) most suited to their particular capability and capacity. For example, a CPT supporting a CCMD could be tasked, with the agreement of all nations involved, to investigate and mitigate the effects of malicious cyberspace activity on a multinational network. CO planning, coordination, and execution items that require consideration when an MNF operation or campaign plan is developed include:
(1) National agendas of the PNs on an MNF may differ significantly from those of the US, creating potential difficulties in determining the CO objectives.
(2) Differing national standards and foreign laws, as well as interpretation of international laws pertaining to operations in cyberspace, may affect their ability to participate in certain CO. These differences may result in partner policies or capabilities that are either narrower or broader than those of the US.
(3) Nations without established CO doctrine may need to be advised of the potential benefits of CO and assisted in integrating CO into the planning process.
(4) Nations in an MNF often require approval for the CO portion of plans and orders from higher authority, which may impede CO implementation. This national-level approval requirement increases potential constraints and restraints upon the participating national forces and further lengthens the time required to gain approval for their participation. Commanders and planners should be proactive in seeking to understand PNs’ laws, policies, and other matters that might affect their use of CO and anticipate the additional time required for approval through parallel national command structures. Partners’ national caveats and ROE are often not transmitted thoroughly to commanders and planners, potentially leading to misunderstanding, delays, and incompleteness in execution.
Planning, Coordination, Execution, and Assessment
IV-25
(5) Security restrictions may prevent full disclosure of individual CO plans and orders between multinational partners; this may complicate cyberspace synchronization efforts. Therefore, the JFC’s staff should seek approval for sharing required information among partners and then issue specific guidance on the release of classified US material to the MNF as early as possible during planning. Likewise, once these information-sharing restrictions are identified by each nation, policy should be established and mechanisms put in place to encourage appropriate CO-related information sharing across the force. These considerations further highlight the importance of ensuring CO material is not over classified and is releasable to partners to the greatest extent possible.
(6) To effectively conduct multinational operations, mission partners require appropriate access to systems, services, and information. Emerging standards for the technologies and applications applied to DODIN segments used in a joint environment are designed to allow seamless and secure interaction with multinational partners. Until such technology is widespread, the US joint force strives to provide necessary and appropriate access and support at the lowest appropriate security classification level on the infrastructure they have available. Commanders involved in multinational operations can enable this shared access by coordinating with proper authorities early to determine appropriate access levels, necessary services, and satisfactory means for expediting the process for foreign disclosure of appropriate intelligence information consistent with National Disclosure Policy, and Director of National Intelligence guidance, as applicable. Hardware and software incompatibilities can still be expected and may cause a slowdown in the sharing of information among multinational partners. Failure to bridge these incompatibilities may introduce seams, gaps, and vulnerabilities requiring additional cyberspace security and defense efforts.
(7) Responsibility for cyberspace security and cyberspace defense actions to protect multinational networks should be made clear before the network is activated. If responsibility for these actions is to be shared amongst PNs, explicit agreements, including expectations and limitation of action of each partner, should be in place. Unless otherwise agreed, US cyberspace forces or other DOD personnel protect DODIN segments of multinational networks.
c. Integration. In support of each MNF, an established hierarchy of bilateral or multilateral bodies defines objectives, develop strategies, and coordinates strategic guidance for planning and executing multinational operations, including CO. Through dual involvement in national and multinational security processes, USG leaders integrate national and theater strategic CO planning with the MNF whenever possible. Within the multinational structure, US participants work to ensure objectives and strategy complement US interests and are compatible with US capabilities. Within the US national structure, US participants verify international commitments are reflected in national military strategy and are adequately addressed in strategic guidance for joint planning. Planning with international organizations and NGOs is often necessary, particularly if CO support foreign humanitarian assistance, peace operations, and other stability efforts. Incorporating NGOs and their capabilities into the planning process requires the JFC and staff to balance NGOs’ information requirements with the organization’s need to know. Additionally, many NGOs are hesitant to become associated with military organizations in any form of formal
Chapter IV
IV-26 JP 3-12
relationship, especially in the case of conducting CO, because doing so could compromise their status as an independent entity, restrict their freedom of movement, and even place their members at risk in uncertain or hostile environments.
d. Multinational partners often use a different lexicon, assumptions, decision thresholds, and operational limitations pertaining to CO. All of these factors affect coordination, integration, and execution and should be taken into consideration during planning.
See JP 3-16, Multinational Operations, for more information on multinational operations.
Maintenance
Approval Development
Initiation
JOINT DOCTRINE
PUBLICATION
ENHANCED JOINT
WARFIGHTING CAPABILITY
STEP #3 - Approval STEP #2 - Development
l
l
l
l
JSDS delivers adjudicated matrix to JS J-7
JS J-7 prepares publication for signature
JSDS prepares JS staffing package
JSDS staffs the publication via JSAP for signature
l
l
l
l
l
l
LA selects primary review authority (PRA) to develop the first draft (FD)
PRA develops FD for staffing with JDDC
FD comment matrix adjudication
JS J-7 produces the final coordination (FC) draft, staffs to JDDC and JS via Joint Staff Action Processing (JSAP) system
Joint Staff doctrine sponsor (JSDS) adjudicates FC comment matrix
FC joint working group
STEP #4 - Maintenance
l
l
l
l
JP published and continuously assessed by users
Formal assessment begins 24-27 months following publication
Revision begins 3.5 years after publication
Each JP revision is completed no later than 5 years after signature
STEP #1 - Initiation
l
l
l
l
l
l
Joint doctrine development community (JDDC) submission to fill extant operational void
Joint Staff (JS) J-7 conducts front- end analysis
Joint Doctrine Planning Conference validation
Program directive (PD) development and staffing/joint working group
PD includes scope, references, outline, milestones, and draft authorship
JS J-7 approves and releases PD to lead agent (LA) (Service, combatant command, JS directorate)
JOINT DOCTRINE PUBLICATIONS HIERARCHY
JOINT DOCTRINE
JP 1
LOGISTICS COMMUNICATIONS
SYSTEMPLANSPERSONNEL INTELLIGENCE
JP 1-0 JP 2-0 JP 4-0 JP 5-0 JP 6-0
OPERATIONS
JP 3-0
All joint publications are organized into a comprehensive hierarchy as shown in the chart above. Joint Publication (JP) 3-12 is in the Operations series of joint doctrine publications. The diagram below illustrates an overview of the development process:
- PREFACE
- SUMMARY OF CHANGES
- TABLE OF CONTENTS
- EXECUTIVE SUMMARY
- CHAPTER I OVERVIEW OF CYBERSPACE AND CYBERSPACE OPERATIONS
- 1. Introduction
- 2. The Nature of Cyberspace
- 3. Integrating Cyberspace Operations with Other Operations
- 4. Cyberspace Operations Forces
- 5. Challenges to the Joint Force’s Use of Cyberspace
- CHAPTER II CYBERSPACE OPERATIONS CORE ACTIVITIES
- 1. Introduction
- 2. Military Operations In and Through Cyberspace
- 3. National Intelligence Operations In and Through Cyberspace
- 4. Department of Defense Ordinary Business Operations In and Through Cyberspace
- 5. The Joint Functions and Cyberspace Operations
- CHAPTER III AUTHORITIES, ROLES, AND RESPONSIBILITIES
- 1. Introduction
- 2. Authorities
- 3. Roles and Responsibilities
- 4. Legal Considerations
- CHAPTER IV PLANNING, COORDINATION, EXECUTION, AND ASSESSMENT
- 1. Joint Planning Process and Cyberspace Operations
- 2. Cyberspace Operations Planning Considerations
- 3. Intelligence and Operational Analytic Support to Cyberspace Operations Planning
- 4. Targeting
- 5. Command and Control of Cyberspace Forces
- 6. Synchronization of Cyberspace Operations
- 7. Assessment of Cyberspace Operations
- 8. Interorganizational Considerations
- 9. Multinational Considerations
- APPENDIX
- APPENDIX A (U) CLASSIFIED PLANNING CONSIDERATIONS FOR CYBERSPACE OPERATIONS
- APPENDIX B CYBERSPACE OPERATIONS POINTS OF CONTACT
- APPENDIX C REFERENCES
- APPENDIX D ADMINISTRATIVE INSTRUCTIONS
- GLOSSARY
- PART I—ABBREVIATIONS, ACRONYMS, AND INITIALISMS
- PART II—TERMS AND DEFINITIONS
- FIGURE
- Figure I-1. The Three Interrelated Layers of Cyberspace
- Figure I-2. Department of Defense Cyber Mission Force Relationships
- Figure II-1. Cyberspace Operations Missions, Actions, and Forces
- Figure III-1. United States Code
- Figure IV-1. Routine Cyberspace Command and Control
- Figure IV-2. Crisis/Contingency Cyberspace Command and Control
