35+ Years of Freedom of Information Action

Cyber Brief: Who gets to make U.S. cybersecurity strategy?

Published: Mar 20, 2018

Edited by Malcolm Byrne and Michael Martelle

For more information, contact:
202-994-7000, nsarchiv@gwu.edu

UPDATE: USCYBERCOM has put flesh on the bones of its skeletal strategy declaration initially released in February 2018.  A month later, on March 23, the Command made public a new, 12-page “Command Vision” that substantially expands on the earlier paper (posted below).  Several analysts have already remarked on its significance.  For example, Richard J. Harknett at the University of Cincinnati, who was consulted on the new approach, writes in Lawfare that it “marks a significant evolution in cyber operations and strategic thinking.” 

The Archive is adding this new paper to its posting, along with two recent, fundamental strategy documents promulgated by the current administration. 

Original posting: The U.S. Cyber Command has stepped into the fray over the nation’s cybersecurity strategy with a pithy but loaded statement of intent. The brief declaration reproduced here appeared in February 2018.  It may be truncated but its calls for “cyberspace superiority,” “agility” in the cyber “battlespace,” and increasing “our ... lethality” are clearly the tip of a deeper policy iceberg.  Look for these and other concepts in the earlier strategy documents, attached to this posting for context, to be the subject of much future debate in cyber/military circles.


From the Vault

United States Strategic Command, CDRUSSTRATCOM CONPLAN 8039-0, February 28 2008. Secret. (FOIA 18-002)


Source: NSArchive FOIA request

This document provides cyberspace strategy for Strategic Command. It provides a framework for the execution of tasks to generate effects in cyberspace in support of DoD objectives and within pre-planned authorities

Department of Defense, The Department of Defense Strategy for Counterintelligence in Cyberspace, August 28, 2009. Unclassified/For Official Use Only.


Source: https://cyberwarfare.nl

This document notes that "a new operational environment has emerged as evidenced by the increasing frequency and destructiveness of attacks and exploits launched against the United States through cyberspace." The central aspects of the strategy are the definition of mission objectives (e.g. neutralizing intelligence activities targeting U.S. and DoD interests in cyberspace) and enterprise objectives (e.g. achieving unity of effort in cyberspace).

U.S. Strategic Command, USCYBERCOM Announcement Message, May 21, 2010. Unclassified/For Official Use Only.


Source: U.S. Strategic Command Freedom of Information Act Release

This message notifies recipients that the U.S. Strategic Command has established a subordinate command, the U.S. Cyber Command, with initial operational capability as of May 21, 2010. It also specifies the mission of the new command, its responsibilities, organization, and command relationships.

Kevin P. Chilton, U.S. Strategic Command, Memorandum for the Secretary of Defense, Subject: Full Operational Capability (FOC) of U.S. Cyber Command (USCYBERCOM), September 21, 2010. Secret.


Source: U.S. Strategic Command Freedom of Information Act Release

This memo from the head of the U.S. Strategic Command, the parent command of the U.S. Cyber Command, recommends that the latter, established that May (Document 6), be declared fully operational. It also summarizes the Cyber Command's six key missions, including one that is partially classified.

Joint Chiefs of Staff, Joint Publication 3-12 (R), Cyberspace Operations, February 3, 2013. Unclassified.


Source: www.dtic.mil/doctrine/new-pubs/jp3-12R.pdf

This formerly restricted publication discusses cyberspace (including national intelligence) operations; authorities, roles, and responsibilities (including legal considerations); and planning and coordination (including inter-organizational and multinational considerations).

Department of Defense, The DOD Cyber Strategy, April 17, 2015. Unclassified.


Source: www.defense.gov

The two main components of this strategy document are the identification of five strategic goals (including establishing forces and capabilities to conduct cyberspace operations and the ability to defend against disruptive or destructive cyber attacks) and the implementation objectives associated with the strategic goals.

U.S. Cyber Command, Beyond the Build: Delivering Outcomes through Cyberspace - The Commander's Vision and Guidance for US Cyber Command, June 3, 2015. Unclassified.


Source: www.defense.gov

This vision document identifies key objectives for the U.S. Cyber Command (including integrating cyberspace operations in support of joint force operations), and identifies the "enablers" that are expected to allow achievement of those objectives.

United States Cyber Command, Mission Analysis Brief: Cyber Support to Counter ISIL, April 12, 2016. Unclassified.

Source: FOIA

This document outlines the cyber mission to counter ISIL. See also: USCYBERCOM to CDRUSACYBER

USCYBERCOM to CDRUSACYBER, Subj: CYBERCOM FRAGORD 01 to TASKORD 16-0063 To Establish Joint Task Force (JTF)-ARES to Counter the Islamic State of Iraq and the Levant (ISIL) in Cyber Space, May 5, 2016. Secret//Rel to USA, [Redacted].


Source: U.S. Strategic Command Freedom of Information Act Release.

The unit established by this order, the subject of an article in the Washington Post, was assigned the mission of developing malware and other cyber-tools in order to escalate operations to damage and destroy ISIS networks, computers, and mobile phones.

House Committee on Armed Services, Implementing the Department of Defense Cyber Strategy, September 2016. Unclassified.


Source:  Federation of American Scientists.

This hearing document contains the prepared statement and testimony of the commander of the U.S. Cyber Command as well as responses to questions asked during and after the hearing.

Defense Science Task Board. “Final Report, Task Force on Cyber Deterrence.” February 2017. Unclassified.


Source:  Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics.

This report specified, and elaborated on, four guiding principles that the task force believed the Defense Department and other elements of the U.S. government should take account of in working to enhance the U.S. cyber deterrence posture. Principles include developing a cyber deterrence posture which has deterrence by denial and by cost imposition components, understanding the values of key adversary decision makers, development of credible response options at different levels of conflict, and ensuring that the issues in the event of an attack are how and when to respond as well as how to connect the response to the attack.

Martin C. Libicki, U.S. Naval Academy and RAND Corporation, “It Takes More than Offensive Capability to Have an Effective Cyberdeterrence Posture,” Testimony before the House Committee on Armed Services, March 1, 2017. Unclassified.


Source:  House Committee on Armed Services.

In this testimony, Dr. Libicki discusses four prerequisites for an effective cyberdeterrence posture: the ability to attribute attacks, the communication of thresholds (what actions will lead to reprisals), the credibility of threats to retaliate, and the capability to carry out reprisals.

Dr. Craig Fields and Dr. Jim Miller, Defense Science Board, Statement before the Armed Services Committee, United States Senate, "Cyber Deterrence," March 2, 2017. Unclassified.


Source:  Senate Armed Services Committee.

This testimony notes the studies conducted by the Defense Science Board on cyber issues, identifies fundamental principles of cyber deterrence, and discusses three cyber deterrence challenges (plan and conduct tailored deterrence campaigns, create a cyber-resilient "thin line" of key U.S. strike systems, and pursue foundational capabilities)

Admiral Michael S. Rogers, Commander United States Cyber Command, "Statement before the Senate Committee on Armed Services," May 9, 2017.


Source: Senate Armed Services Committee.

In his testimony, the commander of the U.S. Cyber Command (and director of the National Security Agency) covers the cyber threat environment, the Cyber Command in operation, and conclusions.