Editor's Note: This article originally appeared in the Fall 2017 edition of the Georgetown Journal of International Affairs (International Engagement on Cyber VII, Volume 18, No. 3), available for purchase from Georgetown University Press.
The military not only plans for operations, it also plans to plan. Yet there is no current plan or process in place to integrate cyber initiatives into campaign planning. The US government must determine how to integrate offensive and defensive cybercapabilities into campaign planning in order to leverage these capabilities and pair them with the military’s broad array of tools.
During both war and peace, militaries plan, and plan to plan, for a variety of contingencies, scenarios, and incidents. But the theme of having a plan—even if it never survives first contact with the enemy—runs strong. Unsurprisingly, the US military devotes significant time to planning, especially campaign plans to prepare for hostilities in various regions of the world. At the same time, the US military is investing significant resources in building a Cyber Mission Force to conduct defensive and offensive cyber operations. For these operations to be militarily relevant in the future, they need to be integrated into campaign plans.
In 2015 the US Department of Defense (DOD) Cyber Strategy stressed the importance of this integration, but it devoted a mere three sentences to how the military should do so.1 In this paper, I offer several recommendations for integrating defensive and offensive operations into campaign plans. Done right, integrating cyber operations into a campaign plan can improve a plan’s resiliency in the face of an adversary’s cyberattacks while giving commanders new options to achieve meaningful results with lower risks of collateral damage. The obstacles to integration are significant, including over-classification, concerns about so-called intelligence gain-loss—the long-term loss of a source of intelligence for a shorter-term gain—and the reality that there is no one-size-fits-all approach to integrating cyber operations into campaign plans. Before I begin discussing these challenges, and my recommendations, I first describe the current doctrinal campaign planning process and the military’s cybercapabilities. The remainder of the paper is broken into four sections: the first two recommend how defensive and offensive cyber operations can be integrated into campaign planning, the third section addresses the importance of integration, and the final section discusses the obstacles to integration.
The US military has gone to great lengths to institutionalize the process of planning for contingencies and conflicts. Entire manuals and courses are devoted to teaching military planning, so its brief treatment here will necessarily be incomplete.2 For the purposes of this paper, there are three crucial points to convey about contingency and conflict planning.
First, through a series of formalized guidance documents, leaders in Washington articulate their broad priorities for military commanders and their planners to follow in their specific areas of operation and responsibility.3 The focus of this piece is less about this top-level guidance and more about how regional commanders (Combatant Commanders and their components) construct campaign plans to prepare for especially probable or worrisome contingencies.4 While the nature of these plans rightly remains secret, it is safe to assume that in each major region of the world, commanders have prepared plans to address the pressing threats to US national security interests in that region.5
Second, these campaign plans are designed to accomplish strategic, operational, and tactical objectives through a range of means. One key purpose of these plans is therefore to synchronize warfighting activities across air, land, sea, space, and more recently, cyberspace. As the senior-most commanders set objectives, it falls to planning staffs to determine the range of options available to meet those objectives, along with the risks and benefits each option entails. The standard approach planners apply to evaluate options is through the Joint Operational Planning Process. This process consists of mission analysis, development of courses of action, course of action analysis, wargaming, and comparisons of these courses of action, which leads to the development of more specific concept plans.6
Third, as concept plans become more detailed, they include a growing amount of information in lettered annexes.7 The most detailed plans are known as Operation Plans, which contain annexes and intricate information about the flow of forces to support contingencies.8 The core cyber-related planning question that commanders and their staffs need to address is how to best employ the cyber forces available to accomplish plan-specific objectives.
There is sufficient literature on the origins of the US military’s efforts to protect itself from cyber intrusions and to conduct offensive cyber operations.9 In brief, the US military spent decades refining concepts like influence operations, information operations, and military deception, while the intelligence community studied computer network defense, exploitation, and attack.10 In the late 1990s, the DOD established the first multiservice effort to protect the department’s networks from computer intrusions.11 In 2005 DOD expanded into offensive operations by creating Joint Functional Component Command–Network Warfare to apply computer operations to more traditional military objectives.12 In 2009 Secretary of Defense Robert Gates merged these defensive and offensive missions into a new US Cyber Command (CYBERCOM).13
As CYBERCOM matured, DOD leaders determined that a Cyber Mission Force would be necessary to conduct three missions: first, to defend DOD’s systems and platforms from cyberattacks; second, to support operational commanders in the field by delivering full-spectrum effects in cyberspace; and third, to defend the nation from a cyberattack of significant consequences.14 To build this Cyber Mission Force, the military services were to assume their traditional role as providers of forces to operational commands by organizing, training, and equipping over six thousand individuals into units that would support each of these three missions.15
The mission to defend the nation from a cyberattack of significant consequence was assigned to CYBERCOM’s National Mission Force, an elite group of soldiers that, under the personal direction of the Commander of CYBERCOM, would be the vanguard for the overall Cyber Mission Force.16 Although military leaders had for years been vague about what constituted a cyberattack “of significant consequence,” CYBERCOM Commander Admiral Michael Rogers has stated that an attack on the nation’s most critical physical infrastructure would meet that definition.17 However, former Assistant Secretary of Defense Eric Rosenbach cautioned that these “significant consequence” scenarios would only constitute about 2 percent of cyberattacks against the United States.18
Meanwhile, CYBERCOM’s defensive Cyber Protection Teams (CPTs) and its offensive Combat Mission Teams (CMTs) were to be shared with other combatant commands (like US Pacific Command, which commands all US military forces in and around the Asia Pacific region).19 The next two sections describe how commanders should integrate CPTs and CMTs into their broader campaign plans to ensure these cyber forces are providing useful support in the midst of an escalating conflict.
I. Integrating Defensive Cyber Operations in Campaign Plans
The principal objective of CPTs in a campaign plan is to protect the systems, networks, and platforms that are controlled by the command in question. While this objective appears relatively straightforward, actually achieving success will require military planners to consider how to achieve those objectives well before a time of crisis.
First, planners need to consider how a plan’s many concepts of operation and lines of effort may be vulnerable to cyberattacks. These attacks need not be destructive to hinder a plan’s execution: even commonplace denial of service activities may degrade a critical network at a critical time. Planners and CPT personnel need to determine the critical junctures in a plan that are most susceptible to cyber interference, as well as those junctures where cyber interference would pose unacceptable risks to a plan’s integrity. This work needs to occur in peacetime, when there is time to examine a plan’s vulnerabilities in depth. And it cannot be left only to cyber-specialized soldiers; broader political and military priorities of the plan itself need to determine cyber defense actions.
Plans must also envision how, at varying levels of threat, CPTs can manage at least four critical tasks: harden passive defenses that primarily monitor for attacks, hunt for active threats on a command’s networks, halt a cyberattack in progress, and mitigate ensuing damage. These are significant responsibilities, requiring cyber forces, planners, headquarters staffs, and operational commanders to coordinate which units are given which of these four tasks, and under what conditions this allocation of responsibilities might change in the midst of executing a campaign plan. Such coordination must also account for the new role of Joint Force Headquarters–DOD Information Network, which exercises command and control over global aspects of defending DOD’s networks.20
Finally, planners would be wise to focus not only on which Internet-connected systems must be priorities for cyber defense, but also on the vulnerabilities of US weapons systems that are crucial to a plan’s execution. The 2015 DOD Cyber Strategy stresses the need for the military acquisition community to apply better cybersecurity standards to new weapons, which implies that weapons systems can be vulnerable to interference and attack from cyberspace.21 If that is true, then campaign planners need to understand the cyber risks to those weapon systems on which their plans rely.
II. Integrating Offensive Cyber Operations into Campaign Plans
Despite a series of unauthorized disclosures that revealed some alleged US offensive cyber activities, there remains scant official acknowledgment of specific offensive cyber operations by the military.22 However, there is sufficient public information to consider how offensive cyber operations can support a broader campaign plan and the factors that planners should consider as they prepare.
The core responsibility for campaign planners is to assess how offensive cyber operations can support and enable the fulfilment of their commander’s broader military objectives. Planning cells will often be staffed with personnel sufficiently familiar with air, ground, and sea operations to provide multiple options to meet the objectives. Going forward, planning cells should include personnel who are sufficiently familiar with offensive cybercapabilities (such as a CMT unit commander) who can apply those capabilities to a campaign plan’s broader objectives.
CYBERCOM needs to closely coordinate with the intelligence community to determine the adversary’s vulnerabilities to different kinds of US offensive cyber operations. Not only will different campaign plans contain different objectives, but different adversaries will be vulnerable in different ways—and, critically, at different times. Because holding targets at risk in cyberspace requires constant validation, the ability for US forces to engage those targets successfully may be fleeting.23
Planners will also want to work with offensive cyber forces to ensure that sufficient preparation has gone into attacking emergent targets on short notice. According to accounts of past cyber operations, it can take many months to lay the groundwork for offensive cyber activities.24 Some fixed targets may indeed lend themselves to this kind of intense reconnaissance before an attack is needed. But in the midst of an escalating conflict, cyber operators may not have many months to plan their attacks. Instead, they need to generate effects that support a plan’s objectives in a matter of hours.
One scenario that may increasingly call for short-term targeting is the need to counter information operations. Recent attempts to marry cyber operations with information operations to influence national elections should encourage campaign planners to see how these operations can be combined to shape an adversary’s perceptions throughout a conflict. The Army has institutionalized information operations in organizations like its First Information Operations Command, and military information support groups for the Special Operations community, and many historical antecedents of today’s cyber operations trace their origins to the information operations community. A natural evolution could be to consider how cyber and information operations can reflect and inform each other to further a commander’s objectives in a campaign plan.
Finally, campaign plans should envision how scarce cyber resources should be used both for surveillance and reconnaissance and for generating results in the physical and virtual realms. Planners will want to spend time understanding how reversible certain virtual and physical effects can be and when to employ cyber operations not just to destroy a target, but to degrade its operation should less escalatory options be desired.
III. Why Integrate Cyber Operations into Campaign Plans?
What should US military commanders expect if cyber operations are successfully integrated into campaign plans? Three benefits are readily identifiable, although these benefits will be neither guaranteed nor uncontested. First, integrated cyber operations can offer commanders more precise targeting with lower risks of physical collateral damage. However minimal the risk of accidental destruction of property and deaths of civilians has become owing to precision-guided munitions, cyber operations hold out the promise of disabling, degrading, and even destroying certain targets with even lower levels of civilian casualty risk. The tremendous investments DOD has made in building a cyber force could pay few dividends without its thoughtful integration into campaign plans. Indeed, cyber operations could become such a reserved, niche capability that commanders might be unaware that a cyber operation could provide a superior option to achieve an objective.
Second, civilian review of campaign plans is one of the most institutionalized aspects of contemporary civilian-military relations in the United States. Indeed, of all the myriad responsibilities placed on the under secretary of defense for policy by custom and directive, her only statutory responsibility is to oversee the development of plans.25 The more cyber operations are integrated into these plans, the more robust civilian oversight of cyber operations should become. Otherwise, civilian oversight could become far more ad hoc, risking hurried decision making and a disconnect between political and military priorities.
Finally, integrating cyber operations into campaign plans can refine collection requirements for the intelligence community. To support defensive cyber operations, the intelligence community can discern an adversary’s efforts to disrupt a US campaign plan. It can also guide targeting and other efforts to generate effects to support offensive cyber forces. However, absent integration into plans, it will be far more challenging to enlist the intelligence community’s expertise to support how both defensive and offensive cyber operations are employed in campaign plans.
IV. Obstacles to Integration
While the benefits of integrating cyber operations into campaign plans may seem logical, there will be obstacles that limit the extent of integration. The first is that the US military heavily classifies most information about cyber operations. In theory, classification should not pose a problem, since any good military plan should remain classified. However, experienced practitioners will instantly recognize how divorced theory is from reality on this point: differing classification schemes and original classification authorities can complicate sharing of even the most mundane information.26 If there is to be any chance of successful integration, leaders across the DOD will have to overcome the natural resistance to widening access to certain kinds of information about plans and about cyber operations.
A second obstacle is the risk that executing offensive cyber operations may pose to ongoing intelligence collection activities. DOD doctrine on offensive cyber operations explicitly contemplates this risk and requires an “intelligence gain-loss” assessment to determine if the operational benefits of a cyber operation outweigh the potential intelligence losses.27 The challenge is that the potential for operational gain may be fleeting, as the adversary may be able to adapt its defenses quickly or the effectiveness of the cyberattack may be less than anticipated. Given these caveats, decision makers are likely to err on the side of caution by preferring to maintain intelligence collection and not risk exposing sources and methods. Cyber planners will need to integrate thorough tradeoff analyses in their recommendations to help DOD leaders overcome their conservative reflex to prioritize safeguarding collection above all else. Perhaps in the midst of escalating hostilities, military leaders will accept more risk. Unfortunately, integrating cyber operations into campaign plans cannot wait for a conflict to break out: integration into plans must begin far in advance.
A final obstacle is that there is no single model or template to integrate cyber operations into operational plans. Such a model could be developed by drawing on lessons learned from the integration of electronic warfare capabilities and the targeting process into campaign planning. On defense, different commanders will face different cyberthreats to their campaign plans, so tasking cyber defense CPTs will require deliberate and informed tailoring. On offense, commanders will have their own objectives based on the contingencies envisioned and the adversaries involved. Different kinds of cyber operations may be more or less useful depending on these circumstances. Even assuming successful integration in any one plan, the challenge then becomes maintaining that integration over time as the adversary’s cyberattack capabilities and its vulnerabilities evolve.
The Department of Defense wisely recognized in its 2015 Cyber Strategy that cyber operations needed to be incorporated into campaign plans. However, this incorporation has not been codified. This article outlined how the US military could begin to realize that need by proposing several areas of focus for both offensive and defensive cyber operations. The importance of this integration is fairly straightforward. Successful integration can, among other things, provide commanders with better resilience when adversaries contest cyberspace during a conflict and offer additional options to achieve objectives with reduced risk of collateral damage. Yet the obstacles to effective integration loom large.
There are reasons to be optimistic that these obstacles can be overcome. First, the military’s own investment (both financially and in manpower) in cyber operations should increase the overall force’s exposure to these relatively new cybercapabilities. With greater exposure and education should come a greater acceptance of the role cybercapabilities can play to achieve core objectives in a conflict.
Civilians in the defense establishment have a role to play as well. As previously stated, the under secretary of defense for policy has statutory responsibility to oversee plans development.28 Indeed, there is a dedicated deputy assistant secretary of defense for plans within the policy organization. Civilians in this office can work with staffs of the various combatant commands to ensure cyber operations are accounted for as campaign plans go through various levels of approval. Together, civilian and military leaders have it within their power to increase the integration of cyber operations into campaign plans so that if war ever comes, the plans that guide US forces will have accounted for the challenges and opportunities of cyber operations.
Dr. Michael Sulmeyer is the Belfer Center’s cyber security director at the Harvard Kennedy School. He is also a contributing editor for the national security blog Lawfare. Before Harvard, he served as the director for plans and operations for cyber policy in the Office of the Secretary of Defense. There, he worked closely with the Joint Staff and Cyber Command on a variety of efforts to counter malicious cyber activity against US and DOD interests. For this work, he received the Secretary Medal for Exceptional Public Service.
1. “The DoD Cyber Strategy,” Department of Defense, April 2015, 26, https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf.
2. “Joint Operation Planning: JP 5-0,” Chairman of the Joint Chiefs of Staff, August 2011.
3. “Guidance for Employment of the Force (GEF),” United States Naval War College, July 2015.
4. “Unified Campaign Plan,” Department of Defense, May 2017.
5. “Guidance for the Employment of the Force.”
6. “Joint Operation Planning: JP 5-0.”
8. “Guidance for the Employment of the Force,” 6.
9. Jason Healey, A Fierce Domain (Arlington, VA: Cyber Conflict Studies Association, 2013), chap. 1; Michael Hayden, Playing to the Edge (London: Penguin, 2016), chap. 8.
10. Chief Information Officer, “Computer Network Defense Roadmap,” Department of the Navy, May 2009; “Information Operations, Joint Publication 3-13,” Chairman of the Joint Chiefs of Staff, November 2012; “Military Deception: Joint Publication 3-13.4,” Chairman of the Joint Chiefs of Staff, January 2012.
11. Hayden, Playing to the Edge, chap. 8.
13. “Gates Establishes US Cyber Command and Names First Commander,” US Strategic Command, May 21, 2010, http://www.stratcom.mil/Media/News/News-Article-View/Article/983809/gates-establishes-us-cyber-command-and-names-first-commander/.
14. Ashton Carter, “Remarks by Deputy Secretary of Defense Carter at the Aspen Security Forum at Aspen, Colorado,” US Department of Defense, July 18, 2013, http://archive.defense.gov/Transcripts/Transcript.aspx?TranscriptID=5277.
15. “DoD Cyber Strategy.”
16. Ibid., 6.
17. Michael Rogers, “Statement of Admiral Michael S. Rogers Commander United States Cyber Command before the Senate Committee on Armed Services,” Senate Committee on Armed Services, May 2017.
18. Gizbot Bureau, “Pentagon to Release New Cyber Strategy Soon,” Gizbot, April 16, 2015, https://www.gizbot.com/news/pentagon-release-new-cyber-security-strategy-soon-024351.html.
19. “DoD Cyber Strategy.”
20. Patrick Browne, “Joint Force Head Quarters: Department of Defense Information Network Update,” Defense Information Systems Agency, April 2016.
21. “DoD Cyber Strategy,” 21.
22. Ryan Browne and Barbara Starr, “Top Pentagon Official: Right Now It Sucks to Be ISIS,” CNN Politics, April 2014.
23. Owing to how even the most subtle configuration change on one part of a network can affect access to systems elsewhere.
24. Kim Zetter, Countdown to Zero Day (Danvers, MA: Crown, 2014).
25. 10 U.S. Code § 134. General Article, Legal Information Institute.
26. “DoD Information Security Program: Overview, Classification, and Declassification,” Department of Defense, February 2012.
27. “Cyberspace Operations: Joint Publication 3-12 (R),” Chairman of the Joint Chiefs of Staff, February 2013.
28. 10 U.S.C. § 134.