The National Military Strategy of the United States of America 2015 (NMS) illustrates that cyber-related issues, capabilities, and threats have become commonplace in how the U.S. military perceives the global security environment. Though cyber issues are not a dominant theme in the NMS, they receive relatively significant attention in various portions of the document. This attention highlights how cyber continues its evolution from a new trend that gets discussed around the margins, to being a major part of how the defense establishment does business.
This article will illustrate that evolution by surveying and briefly elaborating upon the attention paid by the NMS to cyber issues, as these issues appear in each of the NMS's four major sections:
Moreover, recognition of cyber issues’ increasingly everyday role in defense not only illustrates how times have changed, but also gives hints as to how times will change as cyber’s evolution continues.
I. The Strategic Environment
The NMS's opening section on the strategic environment highlights the global spread of information technologies that empower individuals, groups, and governments. Such technologies provide more information than these entities have ever had, and allow them to share that information quickly. Thus, people and governments can mobilize more quickly and effectively than ever before, presenting Joint Forces with a more volatile environment.
This phenomenon of readily available, easily shared information relates to information operations more broadly than to cyberspace operations specifically, but one can infer the cyber implications fairly easily. For one, the basic information technologies now used by these empowered entities are mostly the same as those used by Joint Forces. Further, these technologies have security weaknesses (protocols developed without security in mind, poorly written code, etc.) that adversaries can exploit, leaving Joint Forces vulnerable unless they expend the effort and resources necessary to mitigate risk. Conversely, these same weaknesses provide Joint Forces with opportunities to gather intelligence and conduct cyber attacks against adversaries. As a result, whether they’re targeting or benefiting friendly forces, information technologies and cyberspace operations are now a prominent component of the strategic environment.
Another particularly important part of this opening section discusses how state actors are using information sharing technologies to their advantage. These technologies facilitate states' development of capabilities previously dominated by the U.S., such as early warning and precision strike. With this in mind, U.S. offensive cyber capabilities must form part of the portfolio designed to counter adversary states' newfound suite of high-tech systems. Indeed, the distance from which cyber attacks can occur may sometimes make offensive cyberspace operations a preferred method of targeting state adversaries’ high-end systems.
Getting more specific, the NMS's opening section also highlights North Korea's increased propensity to conduct cyber attacks, to include one that caused "major damage to a U.S. corporation." When considered in conjunction with Iran's attacks on Saudi Aramco and other targets, North Korea's growing offensive cyber capabilities signal that the U.S. must concern itself with cyber state actors other than “traditional” advanced threats like Russia and China.
II. The Military Environment
The second section of the NMS specifically calls out cyber capabilities among those that state actors may use to "curtail access to the global commons" and "contest regional freedom of movement." This brings to mind China's well-documented development of anti-access/area denial (A2/AD) concepts and capabilities. Attacks on U.S. logistical networks- often unclassified- can greatly disrupt the flow of American forces and materiel into theater, and attacks on command and control (C2) networks can frustrate U.S. forces' employment and maneuver within theater. Thus, defensive cyberspace operations and the resilience of networks under attack are vital from home station all the way to the final objective.
This section of the NMS also states that violent extremist organizations (VEOs) are exploiting information technologies as well, to "propagate destructive ideologies, recruit and incite violence, and amplify the perceived power of their movements." In addition, VEOs use "tailored cyber tools" among other capabilities to "spread terror," as Matt Lembright described in ISIL's recent doxing of U.S. military personnel and attacks on French media sites. Consequently, though state actors present the much greater cyber threat, VEOs cannot be overlooked, especially as the years pass and more coming-of-age VEO members have had lifelong exposure to information technologies.
Between state and non-state violence lie hybrid conflicts. As explained by the NMS, hybrid conflicts may “consist of military forces assuming a non-state identity… or involve a VEO employing rudimentary combined arms capabilities.” Alternatively, hybrid conflicts “may involve state and non-state actors working together toward shared objectives, employing a wide range of weapons such as we have witnessed in eastern Ukraine.” Among the "weapons" used in Eastern Ukraine (and other hybrid conflicts such as Georgia in 2008) were cyber tools. In instances such as these, it is often unclear whether the attackers were military forces or patriotic or state-sponsored hackers. As Jason Healey writes in A Fierce Domain: Conflict in Cyberspace 1986 to 2012, however, the strategic circumstances at the time of the attack generally make clear which country the attack originated from. Thus the usual challenge of cyber attribution can be narrowed a bit. Furthermore, as attribution capabilities improve, hybrid actors may perhaps be targeted.
III. An Integrated Military Strategy
The heart of the NMS, Section III outlines the U.S. Military's three National Military Objectives (NMOs). The section then discusses the Joint Force's employment of Globally Integrated Operations as detailed in "The Capstone Concept for Joint Operations: Joint Force 2020." This discussion of globally integrated operations is then applied to the twelve Joint Force Prioritized Missions.
In discussion of the first NMO, "Deter, Deny, and Defeat State Adversaries," the strategy states that homeland defense efforts include “growing investments in the cyber realm designed to protect vital networks and infrastructure.” These vital networks and infrastructure include both those of the military and key civilian assets. Protecting military assets requires defensive cyberspace operations and the aspects of Department of Defense Information Network Operations (building, configuring, operating networks) that involve security. The Joint Force’s role in protecting key civilian networks and infrastructure falls on the National Mission Teams of U.S. Cyber Command.
The NMS’s discussion of the first NMO also places a premium on resilient logistics and transportation infrastructures, networked intelligence, and strong communications links. These all require properly developed and defended networks. Furthermore, this section states that should an adversary attack the U.S. or its interests, we are “prepared to project power across all domains.” This inherently includes cyber, given its recognition in Joint doctrine as a domain.
Going a step further, projecting power across all domains requires doing so in an integrated fashion. A foreign example of this may be found in Israel’s 2007 attack on a Syrian nuclear reactor, when Israeli jets reportedly electronically “fired” malicious code into Syrian air defense radars. The code then compromised the air defense network, leaving Syrian air defense personnel manning their systems unaware that Israeli attack aircraft were approaching. If this operation occurred as reported, it represents a compelling real-world example of the integration of the air and cyber domains (not to mention the integration of cyberspace operations and electronic warfare).
Another example of integrating cyber with other domains may be found in the Army-Marine Corps-USSOCOM Strategic Landpower White Paper, which introduces the Strategic Landpower Task Force and specifically charges it with studying the convergence of the land and cyber domains. Accordingly, the Army has begun introducing cyber support (and attack) to forces conducting exercises at home stations and major training centers. Dubbed “Cyber Support to Corps and Below” (CSCB), this initiative made its debut in 3rd Brigade Combat Team (BCT), 25th Infantry Division’s recent Joint Readiness Training Center rotation. According to a July 16th Army “STAND-TO!” announcement, Army Cyber Command support to 3rd BCT included incorporating more “robust” cyber effects into training scenarios; training and educating the BCT on “threats, tools, tactics and capabilities;” and integrating “cyberspace operations into planning and targeting.” As in the early days of air power, when U.S. forces had to learn to integrate air operations with maritime and land operations, so now must they integrate cyber operations with maritime, land, air, and space operations. Initiatives like CSCB illustrate that U.S. forces have moved well beyond the concept phase in doing so.
The NMS’s discussion of the second NMO, "Disrupt, Degrade, and Defeat VEOs," does not explicitly mention cyber. It does note, however, that defeating VEOs “requires an appreciation of the nexus between such groups and transnational criminal organizations… [in order to] disrupt illicit funds, weapons, and fighters that are flowing into conflict-ridden regions.” Much of the intelligence and operations necessary to understand and target VEO-criminal relationships occur in the cyber domain. Though the smarter among them limit how often they do it, VEO members communicate via information technology networks like the vast majority of the rest of the world. Thus, building the intelligence picture of a VEO or particular members of it often includes monitoring their e-mails, identifying steganography in VEO-affiliated web pages, etc.
The third NMO, "Strengthen Our Global Network of Allies and Partners," emphasizes the importance of “placing our most advanced capabilities and greater capacity” in the Asia-Pacific, in support of the Department of Defense’s rebalance to that region. This section explicitly mentions cybersecurity as one of the components of the rebalance, and adds that when partnering with “advanced partners like NATO, Australia, Japan, and Korea, our exercises emphasize sophisticated capabilities such assuring access to contested environments.” This again brings to mind China’s A2/AD efforts, and U.S. and partner efforts to overcome them.
A potential example of this received public attention when in late May, the Department of Defense and Japan’s Ministry of Defense issued a Joint Statement of the U.S. - Japan Cyber Defense Policy Working Group outlining how extensive their security relationship is becoming. In particular, this relationship will include incident response, to include attacks that occur in concert with physical attacks on Japanese territory. The relationship will also include cooperation on “information assurance, defensive cyberspace operations, and information security.” In addition, the two militaries will explore ways to increase operational cooperation between cyber units, and address threats to electronic services used by the Japan Self-Defense Forces and U.S. Forces, Japan. Also, the two partners will enhance their already healthy sharing of cyber threat and vulnerability information, as well as best practices on “military training and exercises, education and workforce development.” The statement adds that this may even extend into site visits and combined training and exercises.
Following Section III’s discussion of the three NMOs is a subsection called “Advance Globally Integrated Operations.” Introduced in the “Capstone Concept for Joint Operations: Joint Force 2020,” globally integrated operations is the Chairman of the Joint Chiefs of Staff’s vision for how future Joint Forces will operate. Among other requirements, integrated operations “rely upon a global logistics and transportation network, secure communications, and integrated joint and partner intelligence, surveillance, and reconnaissance (ISR) capabilities.” As discussed previously, logistics and C2 networks require secure communications from ports of embarkation all the way to the objective, as do ISR networks. This underscores the importance of defensive cyberspace operations and network resilience in conducting globally integrated operations.
Additionally, the globally integrated operations construct is applied across DoD’s twelve prioritized missions. Those with significant cyber implications are discussed below.
Maintain a Secure and Effective Nuclear Deterrent. The Defense Science Board Task Force Report “Resilient Military Systems and the Advanced Cyber Threat” explains that while the term “survivability” in a nuclear context traditionally refers to physical resilience in the face of a nuclear strike and its accompanying effects (e.g., electromagnetic pulse), in today’s environment cyber resilience must be added to one’s conception of survivability. This highlights the importance of properly building, configuring, maintaining, and defending strategic networks and systems.
The same Task Force even goes so far as to recommend incorporating strategic-level offensive cyber attacks into the U.S.’s overall deterrence strategy along with nuclear and high-end conventional strike capabilities. Though this is an undertaking not to be entered into lightly, it vividly highlights how revolutionary cyber capabilities and capacities may one day become.
Provide for Military Defense of the Homeland. This mission explicitly cites the Cyber Mission Force as a key capability. Specifically, this would include the National Mission Teams, which are charged with defending key U.S. infrastructure from strategic-level cyber attacks. It would also include U.S. cyber forces sharing information with law enforcement on threats the military cannot legally or feasibly act upon.
Defeat an Adversary. Again the NMS calls for the ability to project power across multiple domains to decisively defeat the adversary. As cyber is a domain, cyberspace operations are inherently included in this prioritized mission. On a more operational level, cyberspace operations design, build, configure, secure, operate, maintain, and sustain friendly networks; defend against attack; and attack adversaries’ networks and systems. These are fundamental functions on the modern battlefield.
Combat Terrorism. As discussed in NMO #2, building the intelligence picture of a VEO or particular members often includes monitoring e-mails, breaking into their networks and web servers, etc.
Deny an Adversary's Objectives. Along with Respond to Crisis and Conduct Limited Contingency Operations, this mission is very similar to Defeat an Adversary but is less ambitious, intended not to render an enemy ineffective but to respond quickly and powerfully enough to prevent him from accomplishing his goals. Among other things, these missions require “well trained and equipped surge forces at home, robust transportation infrastructure and assets, and reliable and resilient communications links with allies and partners.” Well trained and equipped surge forces increasingly include cyber forces. Robust and resilient transportation and communication assets must be defended in the cyber domain as well as in the physical domains.
Conduct Military Engagement and Security Cooperation. As discussed with the U.S.-Japan security relationship above, multinational partnering occurs among cyber forces as well as among forces in the physical domains. Moreover, the relatively inconspicuous and logistically modest nature of cyber activities may even sometimes make cyber partnering a preferred method of military partnering. Additionally, the very fact that cyber-related interactions can occur in two geographically distant places further enhances the feasibility of frequent, meaningful engagement.
IV. Joint Force Initiatives
The final section of the NMS outlines enabling actions DoD is undertaking in support of the strategy. Like the remainder of the NMS, this section has significant cyber implications.
For one, the “People and the Profession of Arms” subsection notes how today’s youth “grow up in a thoroughly connected environment. They are comfortable using technology and interactive social structures to solve problems.” Again, this social shift speaks more to culture and to information operations in general than to cyberspace operations in particular, but a younger generation more frequently using electronic devices is one that will produce more individuals interested in the protocols, networks, and software that connect them. Thus, attracting future talent and shaping the future force must account for the shifting assumptions, culture, and aptitudes of a more electronic generation.
The “Processes: Capturing Innovation and Efficiencies” subsection cites the importance of DoD’s Better Buying Power (BBP) 3.0 initiative. The cyber connection here is that BBP 3.0 stipulates that new material capabilities must be developed with cybersecurity integrated into their design from the earliest stages of their life cycles. This recognizes that key characteristics cannot be tacked onto a system after its major design elements have been produced. It further recognizes that cybersecurity does not begin once the final system is developed; the supply chain and the component parts that produced the system must be secure as well.
The final subsection, “Programs: Sustaining Our Quality Edge,” begins with a passage replete with cyber implications that is worth quoting at length:
“In view of the anti-access/area denial (A2/AD) challenges we increasingly face, our future force will have to operate in contested environments. Key to assuring such access will be deploying secure, interoperable systems between Services, allies, interagency, and commercial partners. Priority efforts in that regard are establishing a Joint Information Environment (JIE), advancing globally integrated logistics, and building an integrated Joint ISR Enterprise. The results of these initiatives – particularly the enhanced connectivity and cybersecurity provided by the JIE - will provide the foundation for future interoperability.”
Overcoming A2/AD threats, securing logistical networks and ISR capabilities, and taking advantage of the JIE require that future capabilities:
“…sustain our ability to defend the homeland and project military power globally. Important investments to counter A2/AD, space, cyber, and hybrid threats include: space and terrestrial-based indications and warning systems, integrated and resilient ISR platforms… and the Cyber Mission Force, among others.”
One can see from the above passages that DoD investment plans place great emphasis on cyber and cyber-related capabilities.
Thus, DoD is in the middle of an evolution- perhaps even a revolution- of cyber forces and capabilities. In the contemporary environment, cyber assets are essential to defeating state threats, an important part of defeating VEOs, and an increasingly feasible and attractive way to engage foreign partners. Cyber forces and capabilities play key roles in several of DoD’s prioritized missions, and they comprise a hefty share of current and future investment priorities. As the world’s information technologies continue to proliferate and become more sophisticated, one can only imagine cyber’s stock continuing to rise. Moreover, the emergence of cyber occupational specialties and even entire career fields cause some commentators to predict the eventual establishment of a Cyber branch of the Joint Force on par with the other services. Whether or not this development and others like expanding deterrence to include strategic-level cyber attacks occur, the current global security environment now differs greatly from that of only a short time ago, and one is left wondering how much the future environment will differ from today’s.
Images from acqnotes.com, arcyber.army.mil, and forwallpaper.com
About the Author
Major Michael Lenart is an Army Strategist. His areas of interest include national security strategy and policy, cyberspace operations and cybersecurity, capabilities development, and organizational change.