The Cyber Defense Review

Division Cyber Operations

By LTC James Montgomery | May 16, 2016

Modern adversaries can now integrate cyber operations into military plans. Recent events have shown that rival governments can not only develop cyber-attack plans, but synch them to achieve national goals. The U.S. Department of Defense must begin integrating and normalizing the use of cyber effects. While there are numerous methods to begin that process, the key is choosing a method and beginning the long process of training in its employment. This training should be performed primarily at the Army Division level. Often, the division is the first major headquarters that can develop a list of requirements to submit to the Joint Task Force Headquarters or the Combatant Command. With that in mind, training at home station and during operational level exercises is absolutely necessary. Simulation technology will catch up with cyber operations in due course, but this is no reason not to begin training now.

As a military, the US faces adversaries that have proven their ability to integrate offensive cyber effects from the tactical up to the strategic level. Though multiple methods exist to request and execute Cyber Operations (CO) at the division level, the bigger and more looming problem is the lack of training in utilizing these effects, and being ready to put these effects to use on the battlefield. For the United States to keep pace with near-peer nations, it must train on and prepare to use these effects in a real-world combat environment.

What is Available to Division Planners?  The U.S. Army Operating Concept states that a critical component to a strategic victory is being able to present the enemy with multiple, simultaneous dilemmas to contend with.1  Going forward, cyber options present a perfect additional capability to bring into the fight. Cyber Electromagnetic Activities (CEMA) personnel should maintain their subject matter expertise on tools that are currently in use, but also should be ready to make requests for new cyber tools. Nothing should prevent the planner from asking for a specific effect as long as it properly addresses the commander’s intent. Requirements developed through the CEMA Working Group and approved through the targeting process will drive tool development. As the requirements list moves up the chain, the next hurdle to overcome is negotiating with higher echelons on what level of command should retain execution authority. The most important portion of this process is getting requirements up to the next higher level of command.

At what level? There are a few schools of thought on what command level should conduct cyber operations. JP 3-12 indicates that CO should be integrated at all levels, and in all military operations. However, usage of offensive cyber operations at the division level requires military units to rethink how they perceive the ‘level’ of operations.2 More to the point, one of the Major Army Warfighting Challenges directly addresses the optimal method by which to support Unified Land Operations at all echelons.3 As long as divisions are generating requirements that do not massively overstep their given mission, Army divisions can confidently say they are getting after that challenge.

This is not to say that Army units at all levels should be given carte blanche to cyberattack the adversary. It is a typical practice to limit certain activities to higher echelons. The primary reasoning behind it is to ensure those effects that have much further reaching results are controlled to avoid unnecessary collateral damage or unforeseen effects. Some weapons also should be withheld from a lower echelon because their effects can have strategic implications (e.g., nuclear munitions). It stands to reason that authority to release cyber effects should be held at a considerably higher level than a division. That being said, this should not preclude divisions from asking for tailored effects that support the ground commander’s vision.4 In fact, the division planners stand the best chance of requesting cyber effects that could substantially affect the conflict within their Area of Operation (AO).

Higher echelons do not typically direct specific tactical actions for maneuver units. It is not practical, and higher echelons will not have the sort of tactical situational awareness required for effective decision making. Consequently, senior commands would most benefit by allowing divisions a substantial amount of authority to synch cyber operations as they nest with their overall execution plan.

Division planners can concentrate on specific effects that would have a localized effect in their AO. The assets to perform collateral damage estimates reside at levels higher than the division. It is important to perform due diligence to ensure planned effects do not propagate uncontrolled. Thus, division CEMA personnel craft the request for effects and begin a two-way discussion with the assigned Cyber Mission Teams (CMT) as the request matures.5 Bottom-up requests with top-down refinement provide the most efficient method of acquiring specific and effective cyber effects.

As a combat multiplier, CEMA personnel must look at their job as being inherently joint and thus must always work with the CMT to craft and synch requested effects. Planners must be completely clear when making requests on how their plans will nest with the command’s vision and endstate.6 The common thread of Mission Command (MC) provides a framework for CEMA planners to begin the request process.

Mission Command: The true bottom line of MC is enabling subordinate commanders to achieve the commander’s intent within certain limiting factors. This method allows for the greatest amount of autonomy but also permits a considerable amount of initiative-based operations. Division Electronic Warfare Officers (EWO) have the primary responsibility in applying cyber solutions to key tasks to facilitate the commander’s picture of the endstate.7 Essential to that responsibility is understanding what is within the realm of the possible for CO, and how best to synch that to a plan.8

High Priority Target List (HPTL): There is a challenge with providing cyber targets to the Division targeting cycle in that, oftentimes, a valid and lucrative cyber target isn’t on the Commander’s HPTL. It might be the last thing one would think of as a valid military target. Some of the best targets for cyber manipulation are targets the enemy never thinks to protect due to their perceived low military value. An HPTL is typically populated with kinetic weapon systems and enemy combat multipliers. CEMA personnel need to be aware of this and be able to fully explain the value of a target, and why it’s being actioned. Further, cyber targets don’t necessarily need to be located on the commander’s HPTL. They merely have to be a valid military target. The reason behind this is that servicing these targets will not involve the usage of limited divisional resources.9 Identifying targets of this nature requires the planners to ensure they are using tools based in doctrine.

Figure 1. Example of a Cyber Targeting Cycle10

 

Methodology: Cyber Operations must be fully integrated into the targeting process. The process of bringing cyber effects can work the same way that typical lethal targeting works. That being said, the planning horizons of CO are considerably different.11 The level of target fidelity is often unknown to a requesting unit, and at the Division level, access to pertinent targeting data may or may not exist. It’s almost never possible to have perfect information. This type of target granularity is not an absolute requirement. The primary job of the CEMA staff at division is to develop a listing of requirements and immediately push these requests to their higher headquarters as soon as there is a decision to move forward with a cyber Course of Action (COA).

It is possible for a unit below Corps to get wrapped up in the intricacies of fine-grain cyber target development. What is most important for Division CEMA planners is to be aware of what cyber techniques are possible, and develop the planning products to issue a request to Corps and above. Of critical importance is a well-thought-out and detailed Concept of Operations (CONOP). Greater detail in the CONOP will allow echelons above division to apply the proper solution, and gain sound intelligence during cyber tool development. A Cyber Effect Request Format (CERF) will sometimes be called for from the Division to accompany the CONOP. While the CERF can (and certainly should) be forwarded with the CONOP, it is imperative to understand that most of the information required by the CERF will not be readily available to a division. Hence the CONOP’s absolute importance in this process.

The next key step will be well-crafted Measures of Effectiveness (MoE) and detailed synchronization of effects. Knowledge of programming code and tool development can help with overall formulation of a plan, but it should not be considered a prerequisite. Measurable results get the commander accustomed to working more cyber options into the overall plan. As stated previously, there are a number of methods for selecting targets, and provided the process yields viable targets and can be synched to the Division’s lethal targeting process, any version will work. The following step will be to craft the request and understand what type of effect will yield the best results.

Shotgun Effect versus Chess Match.12 The design of cyber effects is an important consideration when attempting to plan at the tactical and operational level. There is literally no limit to the methods that a cyber operation can use to achieve results. For the purpose of this article, the left and right limits can be depicted by the amount of pre-coordination and planning involved in putting the effect into execution.

A menu of pre-coordinated effects colloquially named “shotgun effects” refers to effects that have all been prearranged and can be executed rapidly. These effects address a very specific problem set with coordination to use these tools performed well in advance. The tactical order they operate under defines specific targets and times the effects can be utilized. They sacrifice flexibility for responsiveness.  Grouped within this category are specific cyber operations that are designed and implemented with one single purpose in mind. These “silver bullet” effects are just as specific as other shotgun effects, and will likely only be used once due to the tailored nature of the tool.

On the opposite end of the spectrum, effects that have a significantly longer term execution cycle and aim at seemingly innocuous vulnerabilities work much like a “chess match”. These effects are often less defined and work against multiple vulnerabilities. The key to success of this type of attack is its ability to operate for a longer period of time without being discovered. This kind of attack should be aimed at systems not really deemed of significant military value, and less likely to be heavily defended. Small changes over time stand less of a chance of being discovered and can produce massive cascading effects. They would be considerably harder to fix until it is far too late in the battle. These types of operations can have the capacity to preclude a major military engagement by removing the enemy’s initiative. Plans like this are (understandably) the hardest to put into play. The operation will certainly be executed at a much higher level (than division) but, as stated before, this should not prevent units from asking for these effects. To be effective in today’s fight, Cyber/EW personnel must employ both shotgun and chess match type effects. Further, CEMA planners must effectively employ these operations against enemy vulnerabilities that may not be immediately apparent.

What enemy vulnerabilities does one attack? A trouble spot for CEMA personnel is knowing just what to target and exploit. With a small amount of creative thinking, a planner can utilize the tools available to Division targeteers to plan and execute CO. Simply put, the Division’s targeting process can be fed with cyber requirements just as it is fed with lethal requirements.

Target research. The Cyber Attack/Defend Methodology has provided a targeting tool (PMESII crosswalk) that can be modified to suit a cyber targeting approach.13 This method will allow CEMA personnel to cage their efforts, better produce CONOPS and formulate the basis of an effective attack. This also allows other members of the staff to visualize how CEMA looks at the enemy. Cyber planners at the division level will often have little access to make specific requests. As previously stated, full target resolution is not a necessity to make the request, but elements well above the division are equipped to do the heavy lifting to resolve a target and compute collateral damage estimates.

Figure 2. PMESII examination of adversary

 

Way Ahead: To become better at integrating and to normalize the use of these techniques, Division CEMA elements must train in their employment. The challenge with training CO is properly replicating effects and ensuring enough of the staff has a grasp of the cyber support plan. It begins with ensuring cyber planning is included in the division’s battle rhythm and ensuring effects are briefed during combined exercises. While most of these effects cannot be replicated in an exercise, the effects can be worked into the scenario by Observer Controllers. As scenario technology improves, so will the ability to replicate special effects as a matter of course. It is incumbent on the Division CEMA staff to press for inclusion of these effects. Educating the division staff will allow leadership to continue to involve cyber operations in their menu of options when planning courses of action. These capabilities are real and can become a normal part of division operations provided we are willing to train and use them. Conflict is going to continue to increase in complexity and scope. The US military must keep pace with the changing face of warfare to ensure we can contend with any threat to national security regardless of how new or emergent it is.

About the author

LTC James Montgomery is the Cyber Electro-Magnetic Activities (CEMA) Chief for the 4th Infantry Division, Fort Carson, Colorado. In addition to previous assignments within the signals intelligence community, he has had multiple deployments as an Electronic Warfare Officer at the Brigade and Combined Joint Task Force level. He is a graduate of the Joint Electronic Warfare Theater Operations Course and the Joint Advanced Cyber Warfare Course. He holds a master’s degree in ethics and decision making from The Pennsylvania State University.

Notes

  1. U.S. Army Training and Doctrine Command, “TRADOC Pamphlet 525-3-1, The U.S. Army Operating Concept,” October 31, 2014, http://www.tradoc.army.mil/tpubs/pams/TP525-3-1.pdf (Accessed March 3, 2016).
  2. U.S. Department of Defense, “Joint Publication (JP) 3-12, Cyberspace Operations,” February 5, 2013, x. http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf.
  3. Army Capabilities Integration Center, “Army Warfighting Challenges,” December 10, 2014, http://www.arcic.army.mil/Initiatives/army-warfighting-challenges.aspx. Challenge 7, Learning Demand 3.
  4. Department of the Army, “Field Manual (FM) 3-0, Operations,” February 27, 2008, 5-3. http://downloads.army.mil/fm3-0/FM3-0.pdf.
  5. Ibid., 5-3.
  6. U.S. Department of Defense, “Joint Publication (JP) 3-12, Cyberspace Operations,” February 5, 2013, 1-7. http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf.
  7. FM 3-38, Cyber Electromagnetic Operations, February 12, 2014, 2-2. http://armypubs.army.mil/doctrine/DR_pubs/dr_a/pdf/fm3_38.pdf.
  8. Army Doctrine Reference Publication (ADRP) 6-0 Mission Command, March 28, 2014, 1-12 https://armypubs.us.army.mil/doctrine/DR_pubs/dr_a/pdf/adrp6_0.pdf.
  9. U.S. Department of Defense, “JP 3-60, Joint Targeting,” January 31, 2013, C-7 https://jdeis.js.mil/jdeis/new_pubs/jp3_60.pdf.
  10. Department of the Army, “Army Techniques Publication (ATP) 3-60,” May 1, 2015, 2-1 http://armypubs.army.mil/doctrine/DR_pubs/dr_a/pdf/atp3_60.pdf.
  11. U.S. Department of Defense, “Joint Publication (JP) 3-12, Cyberspace Operations,” February 5, 2013, 1-7 http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf.
  12. Non-doctrinal terms utilized to illustrate the differences (time, coordination, scope) in requested cyber effects. Considering the unique nature of each cyber tool that is developed; this was an attempt to classify, in general terms, types of effects.
  13. Department of the Army, “ADRP 5-0, The Operations Process,” May 17, 2012, 1-7 http://armypubs.army.mil/doctrine/DR_pubs/dr_a/pdf/adrp5_0.pdf.

