Washington, D.C., January 20, 2016 - U.S. military activities in cyberspace have been surprisingly widespread over the years, occurring mainly out of the public eye. Given the sensitivity of many of their operations, this is understandable to a point, but as the number of reported and unreported attacks on military and civilian infrastructure increases – along with the stakes – there is a corresponding public interest in how the Pentagon (and the U.S. government in general) has responded in the past and is preparing for future eventualities. Today, the National Security Archive is posting 27 documents that help illuminate various aspects of U.S. military operations in cyberspace. These materials are part of a unique and expanding educational resource of previously classified or difficult-to-obtain documentation the Archive is collecting and cataloguing on the critical issue of cybersecurity.
Today’s posting, including a number of records acquired through the Freedom of Information Act, can be grouped into six areas: the language of cyberspace, vision and strategy, military cyber organization, activities and responsibilities, computer network defense, and intelligence operations in cyberspace. Highlights include:
The terminology of cyberspace (Document 1, Document 10) The creation and responsibilities of the U.S. Cyber Command (Document 6, Document 8) The role of the Cyber Command and other military cyber organizations in Operation Gladiator Shield – defense of the Global Information Grid (Document 12) The Joint Chiefs of Staff-mandated process for computer network defense activities (Document 2) The Department of Defense strategy for counterintelligence in cyberspace (Document 3) DoD policy, responsibilities, and procedures with regard to human intelligence operations in cyberspace (Document 19)
The United States and Cyberspace: Military Organization, Policies, and Activities
By Jeffrey T. Richelson
The United States military has been operating in cyberspace for decades. It has faced attacks by hackers trying to break into Defense Department computer systems, been authorized to conduct offensive cyber operations, and recognized the need to confront the impact of cyberspace on human intelligence and counterintelligence operations. As with the civilian sector of the U.S. government, the focus on cyberspace has increased dramatically in recent years – as illustrated by the increasing production of documents concerning the subject.
Those documents have sought to define the multitude of terms associated with cyberspace activities, set out visions and strategies for operating in cyberspace, and create and define the missions of military cyber organizations. Other documents describe the activities and responsibilities associated with cyber missions – including computer network defense and intelligence.
The Language of Cyberspace
A number of Defense Department publications have sought to provide readers with extensive accounts of the definitions associated with cyberspace operations – to establish a common language for the discipline. In 2009, the U.S. Strategic Command (STRATCOM) – the parent command of the U.S. Cyber Command – produced The Cyber Warfare Lexicon (Document 1), which in addition to containing approximately 50 definitions of cyber terms, contained 15 discussions on cyberspace operations – including “weapons outcomes: a differentiation,” “delivery considerations,” and “when things go wrong.” The next year, the Joints Chief of Staff issued its own document, the Joint Terminology for Cyberspace Operations (Document 10), which also provided 16 pages of definitions of cyber terms. In his cover letter announcing the issuance of the joint terminology, James Cartwright, vice chairman of the Joint Chiefs, noted that the document had been produced due to the “inadequacy of current terminology to describe our [cyber operations] capabilities and missions.”
Vision and Strategy Documents
Vision and strategy documents are a routine product of both civilian and government agencies. Cyberspace vision and strategy documents include those produced by the Defense Department (Document 25), Cyber Command (Document 27), Air Force headquarters (Document 17), the Air Force Space Command (Document 4, Document 7), the Navy (Document 16), and the Coast Guard (Document 26).
The DoD Cyber Strategy (Document 25) identifies five strategic goals, including building and maintaining forces and capabilities to conduct cyberspace operations, a variety of ‘implementation objectives’ for each strategic goal, and steps believed necessary to manage the department’s cyber strategy – including an end-to-end assessment of the department’s cyber capabilities. The U.S. Cyber Command’s vision statement (Document 27) focuses on the commander’s intent (including strengthening partnerships with the National Security Agency and the Intelligence Community as well as the Defense Department). It goes on to specify “imperatives” (such as integrating cyberspace operations in support of joint force operations), and “enablers”(including “acquisition agility”) to permit satisfying the identified imperatives or objectives.
The Air Force Space Command’s cyberspace strategy documents include its 2009 The United States Air Force Blueprint for Cyberspace Operations(Document 4), which notes presidential guidance, joint guidance, the Air Force concept of cyberspace operations, and operational responsiveness, among other topics. A more recent strategy document is the June 2015 United States Coast Guard Cyber Strategy (Document 26), which specifies three strategic priorities (defending cyberspace, enabling operations, and protecting infrastructure), and seven measures aimed at “long-term success.”
Military Cyber Organization
The increased focus on cyber operations by the Defense Department and military services has led to the establishment of one or more cyber organizations within DoD and each of the military services. Thus, in 2009, the secretary of defense directed STRATCOM to establish, as a subordinate command, a U.S. Cyber Command.  In May 2010, STRATCOM announced (Document 6) that the Cyber Command had achieved an initial operational responsibility and described its responsibilities, organization, and command relationships. Then, in September, STRATCOM’s commander informed the secretary of defense (Document 8) that the command had reached full operational capability, and stated the command’s six key missions (one of which is partially classified).
Subordinate to the Cyber Command are its component commands. The U.S. Army Cyber Command was established less than two weeks after the U.S. Cyber Command was declared fully operational via an Army General Order (Document 9), which specified some of its responsibilities and authorities over other Army organizations. Refinement of the Army organization for cyber operations took place in February 2011, when the secretary of the Army signed a directive (Document 11) assigning control of an information operations command to the Army Cyber Command.
The Navy’s cyber command, the Fleet Cyber Command/U.S. Tenth Fleet, was already in existence by April 2010, when the command’s technical director presented a briefing (Document 5) that provided information and graphics concerning the command’s mission, organization, authorities, command and control relationships, and global operations. The briefing also showed that the Navy’s cyber unit, unlike the other service cyber commands, was also responsible for managing the Navy’s signals intelligence operations, via the Navy Information Operations Command detachments.
The Air Force did not establish a separate command for cyber operations, but assigned responsibility to the Air Force Space Command through the 24 th Air Force.  But cyber-related operations were not the sole responsibility of the Space Command. In 2012, the commander of the Air Force Intelligence, Surveillance, and Reconnaissance Agency (now the 25 th Air Force), established a Cyber Division in his agency. The commander’s one-page memorandum (Document 13) explained that the division was to provide a “greater focus” on cyber issues and identified six functions – including intelligence, surveillance, and reconnaissance support to offensive and defensive cyber operations.
Activities and Responsibilities
One of the defensive activities undertaken by the U.S. Cyber Command was the subject of a 2011 operations order for Operation Gladiator Shield (Document 12), whose purpose was to direct the Department of Defense and its mission partners to “secure, operate and defend the critical mission elements of the DoD Global Information Grid” – described by the National Security Agency as “the globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel.”  The order provides a concept of operations as well as specifying the tasks of relevant DoD organizations, including the U.S. Cyber Command and its components, NSA, the Defense Intelligence Agency, and other units.
Several additional Defense Department and military service documents focus on cyberspace operations rather than individual components, although they often also specify the responsibilities of specific organizations. Thus, a 2012 Air Force policy directive (Document 15) on cyberspace operations discussed the responsibilities of Air Staff components, the Air Force Space Command, legal units, and other organizations. The following year, the Joint Chiefs issued what was, initially, a restricted publication (Document 18) on cyberspace operations which covered cyberspace operations, including those related to national intelligence, authorities, roles, as well as planning and coordination – including with regard to U.S. government and international/multinational organizations.
Department of Defense cybersecurity activity is the focus of the 2014 instruction (Document 23), 59 pages in length, that states department policy, defines the responsibilities of 15 different organizations (including the Defense Information Systems Agency, the Defense Security Service, and the National Security Agency) and 21 different procedures – including risk management, cyberspace defense, and identity assurance. It also lists 132 U.S. government documents ((a) through (eb)) relevant to DoD cybersecurity organization and activities.
Computer Network Defense
One consequence of the attacks on Defense Department computers systems over the last several decades has been a new emphasis on computer network defense. Part of that focus is the delineation of responsibilities within each organization for protecting its computer systems, reporting incidents, and responding to incidents – as illustrated by a July 2013 instruction (Document 20) issued by the Northern Command and NORAD.
How incidents should be handled was the subject of a much longer JCS document, a 176-page manual (Document 2) issued in 2009. An diagrammatic overview of the manual shows its seven different enclosures, which cover subjects from incident handling methodology to incident analysis to incident response and beyond. In each case, there are a multitude of subordinate components. Thus, computer forensic analysis, network analysis, and the examination of legal issues are just three of ten components of the incident analysis process.
Human Intelligence and Counterintelligence
Since Defense Department human intelligence operations may extend into cyberspace, with operators adopting a cyber persona, the department issued a Secret instruction (Document 19) on HUMINT activities in cyberspace, heavily redacted in its declassified form, that specifies the responsibilities of different DoD components – including the undersecretary of defense for intelligence, the National Security Agency, the Defense Intelligence Agency, and the Cyber Command.
Counterintelligence operations were also the subject of a DoD directive as well as an August 2009 strategy document (Document 3).  The latter document contained two key parts – one identified mission objectives (outcomes), the other named enterprise objectives (capabilities). One mission objective is neutralizing foreign cyber intelligence activities that had attacked U.S. and Defense Department interests while enterprise objectives included achieving “unity of effort in cyberspace.”
Read the documents
In addition to providing a series of definitions concerning cyber activities, this document also contains a series of discussions on aspects of cyberspace operations.
This 176-page manual covers a variety of aspects of computer incident handling - including the overall incident handling program, methodology, reporting, analysis, response, tools, and collaboration with other strategic communities.
This document notes that "a new operational environment has emerged as evidenced by the increasing frequency and destructiveness of attacks and exploits launched against the United States through cyberspace." The central aspects of the strategy are the definition of mission objectives (e.g. neutralizing intelligence activities targeting U.S. and DoD interests in cyberspace) and enterprise objectives (e.g. achieving unity of effort in cyberspace).
The Air Force Space Command is the lead U.S. Air Force organization for cyberspace operations. The Command's blueprint reports on presidential guidance, joint guidance, Air Force intent, the Commander's guidance, the Air Force concept of cyberspace operations, integration of capabilities, operational responsiveness, and cyberspace culture.
These briefing slides, presented by the U.S. Fleet Cyber Command's technical director, provide information on the command's mission, organization, and authorities, Navy cyberspace command and control relationships, global operations, as well as cyber initiatives and challenges.
U.S. Strategic Command Freedom of Information Act Release
This message notifies recipients that the U.S. Strategic Command has established a subordinate command, the U.S. Cyber Command, with initial operational capability as of May 21, 2010. It also specifies the mission of the new command, its responsibilities, organization, and command relationships.
This document provides, inter alia, an overview, discussion of the missions and desired effects, necessary and enabling capabilities, and command relationships of USAF cyberspace operations.
U.S. Strategic Command Freedom of Information Act Release
This memo from the head of the U.S. Strategic Command, the parent command of the U.S. Cyber Command, states that the latter, established that May (Document 6), had yet to reach full operational capability. It also summarizes the Cyber Command's six key missions, including one that is partially classified.
This order established the Army Cyber Command, and specifies some of its responsibilities and its authority over other Army organizations.
As with Document 1, this publication provides a series of definitions concerning different aspects of cyberspace activities.
This directive further refines Army organization and authorities concerning Army cyber and information operations.
U.S. Strategic Command Freedom of Information Act Release
The purpose of this heavily redacted operations order is to guide and direct "the Department of Defense (DoD) and, as authorized, designated missions partners for cyberspace operations to secure, operate and defend the critical mission elements of the DoD Global Information Grid." It provides a concept of operations, and specifies tasks for the relevant DoD components - CYBERCOM headquarters, CYBERCOM service components (e.g. the U.S. Fleet Cyber Command), combatant commands, the military services, the National Security Agency, Defense Intelligence Agency, and other entities.
25th Air Force Freedom of Information Act Release
This one-page memo announces the creation of the Air Force ISR Agency's Cyber Division to provide a "greater focus" on cyber issues by the agency's staff. It also specifies six functions to be performed by the division, including intelligence, surveillance, and reconnaissance support to both offensive and defensive cyber operations.
These briefing slides describe the organization of the Air Staff cyber operations directorate and the functions of its components.
This directive identifies responsibilities for Air Force cyberspace operations of different organizations - including Air Staff components, the Air Force Space Command, legal units, the Air Materiel Command, and other organizations.
This document provides a strategic assessment of cyber issues - identifying threats, key trends, and current challenges - as well as specifying the "way ahead," which includes integrated operations, an optimized cyber workforce, technology innovation, as well as PPBE (planning, programming, budget, and execution), and acquisition reform.
This document describes Air Force objectives and plans for achieving them with regard to the application of science and technology to cyberspace activities.
This formerly restricted publication discusses cyberspace (including national intelligence) operations; authorities, roles, and responsibilities (including legal considerations); and planning and coordination (including inter-organizational and multinational considerations).
Department of Defense Freedom of Information Act Release
This heavily redacted instruction discusses DoD policy for conducting human intelligence operations in cyberspace. It also defines the responsibilities of Defense Department components (including the undersecretary of defense for intelligence, the National Security Agency, and Defense Intelligence Agency), as well as procedures.
This instruction notes that "NORAD and USNORTHCOM information and information systems incur higher risks due to mission requirements to share information with our partners" and goes on to define the roles and responsibilities of Northern Command components with regard to information assurance and computer network defense.
This instruction implements Air Force Policy Directive 10-17 (Document 15) and provides a specific guide for the command and control of Air Force cyber activities, including the Air Force cyber orders flow process. It defines the roles and responsibilities of different Air Force components and a glossary.
This document further refines the Army's organization (Document 9, Document 11) for the conduct of cyber operations.
This 59-page DoD directive covers two key aspects of the department's cybersecurity effort - the responsibilities of 15 different organizations (including the Defense Information Systems Agency, the Defense Security Service, and the National Security Agency) and 21 different procedures (including risk management, cyberspace defense, and identity assurance).
This report is a response to a Congressional requirement for the National Guard Bureau to prepare an assessment of the possibility for "successfully integrating the National Guard into the Department of Defense's (DoD) Cyber Mission Force (CMF)."
The two main components of this strategy document are the identification of five strategic goals (including establishing forces and capabilities to conduct cyberspace operations and the ability to defend against disruptive or destructive cyber attacks) and the implementation objectives associated with the strategic goals.
This document identifies the three key elements of the Coast Guard cyber strategy - defending cyberspace, enabling Coast Guard operations (including intelligence and law enforcement operations), and protecting infrastructure (including critical maritime infrastructure and the Maritime Transportation System).
This vision document identifies key objectives for the U.S. Cyber Command (including integrating cyberspace operations in support of joint force operations), and identifies the "enablers" that are expected to allow achievement of those objectives.
1. Robert M. Gates, Memorandum to Secretaries of the Military Departments, Subject: Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations, June 23, 2009. See Jeffrey T. Richelson, National Security Archive Electronic Briefing Book #424, Cyberspace and U.S. National Security , April 26, 2013, Document 29.
2. U.S. Air Force, Fact Sheet, “Air Force Space Command,” August 2015, www.afspc.af.mil .
3. “Global Information Grid,” www.nsa.gov/programs/global_information_grid/ , accessed December 28, 2015.
4. Department of Defense, DoD Instruction S-5240.23, Subject: Counterintelligence (CI) Activities in Cyberspace, December 13, 2010. See Richelson, National Security Archive Electronic Briefing Book #424, Cyberspace and U.S. National Security , Document 41.