New cyber doctrine shows more offense, transparency
The Pentagon has outlined a military strategy that goes beyond previous doctrine in its focus on offensive cyber operations.
The Pentagon this week published a doctrine that was unusually candid about offensive scenarios in cyberspace, a transparency that experts say could lead to an open and perhaps overdue policy debate.
The document, released internally by the Joint Chiefs of Staff in February 2013 and publicly on Oct. 21, argues that the "growing reliance on cyberspace around the globe requires carefully controlling OCO [offensive cyber operations], requiring national level approval. This requires commanders to remain cognizant of changes in national cyberspace policy and potential impacts on operational authorities."
The document also clearly defines offensive cyber operations as those "intended to project power by the application of force in and through cyberspace." The document is a reference point for top brass in planning cyber operations, not something that the budding force of thousands of military cyber specialists will draw on in day-to-day work, if ever.
Jay Healey, director of the Atlantic Council's Cyber Statecraft Initiative, said the document was a welcome departure from past military practice of over-classifying discussions of strategy.
"Just think of ... the problems of classification over the last 10 years. By completely classifying 'China' and what was going on, treating it like it was a huge counterintelligence secret, it delayed us from trying to react to Chinese espionage, in ways, for decades," he said.
Healey, a former member of a cyber war-fighting unit in the Air Force, hopes that making the document public will open up debate among experts and officials on U.S. military goals for cyberspace. Physical conflicts in Vietnam, Iraq and Afghanistan came with at least some debate of strategy, he said, so why not the same for cyberspace?
Robert M. Lee, a digital forensic specialist and Ph.D. candidate at King's College London, agreed that in a military often hampered by over-classification, "to get to the point where we can declassify some of this is a big step" that will prompt debate among experts in and out of government.
The newly released doctrine, banally named Joint Publication 3-12 (R), builds on a 2006 document known as the National Military Strategy for Cyberspace Operations (NMS-CO), which then-Chairman of the Joint Chiefs Gen. Peter Pace described as the armed forces' "comprehensive strategic approach for using cyberspace to assure U.S. military strategic superiority in the domain."
The NMS-CO touched on cyber offense, but another key document, DOD's Strategy for Operating in Cyberspace (SOC), published in July 2011, made no mention of it at all. The day the Pentagon unveiled that strategy, Gen. James Cartwright, then vice chairman of the Joint Chiefs, said the U.S. approach to cyberspace was "too predictable" and lamented the lack of an offensive strategy.
There is no one authoritative document on U.S. military cyber operations. But there is a body of literature whose shape reveals the trajectory of U.S. policy.
In that sense, the newly released document could help bring offensive cyber operations to the fore, Lee said. The doctrine is "legitimizing that seat at the table, where you are absolutely going to see offensive cyber operations used more often and more openly. I think there's an argument to be made that it would be done anyway, but documents like this that really firm it up add to the process," said Lee, who is an active-duty Air Force cyber warfare operations officer.
Codifying an offensive cyber option builds it into the chain of command for military operations like the ongoing one against the Islamic State of Iraq and Syria. The Pentagon established U.S. Cyber Command four years ago for chain-of-command clarity, and its commander, Adm. Michael Rogers, has said he has a close eye on ISIS in cyberspace.
Though a doctrinal hurdle to offensive cyber operations may have been cleared with the release of the joint doctrine, a large bureaucratic hurdle apparently remains. The military wants to dominate cyberspace, but enlisting the help of civilian agencies could present a huge challenge.
House Intelligence Chairman Mike Rogers (R-Mich.) recently identified a lack of cross-agency coordination as a barrier to more offensive cyber operations. No doctrine from the Joint Chiefs can solve that problem.