Washington, D.C., January 20, 2016 - U.S. military activities in cyberspace have been surprisingly widespread over the years, occurring mainly out of the public eye. Given the sensitivity of many of their operations, this is understandable to a point, but as the number of reported and unreported attacks on military and civilian infrastructure increases – along with the stakes – there is a corresponding public interest in how the Pentagon (and the U.S. government in general) has responded in the past and is preparing for future eventualities. Today, the National Security Archive is posting 27 documents that help illuminate various aspects of U.S. military operations in cyberspace. These materials are part of a unique and expanding educational resource of previously classified or difficult-to-obtain documentation the Archive is collecting and cataloguing on the critical issue of cybersecurity.
Today’s posting, including a number of records acquired through the Freedom of Information Act, can be grouped into six areas: the language of cyberspace, vision and strategy, military cyber organization, activities and responsibilities, computer network defense, and intelligence operations in cyberspace. Highlights include:
The terminology of cyberspace (Document 1, Document 10) The creation and responsibilities of the U.S. Cyber Command (Document 6, Document 8) The role of the Cyber Command and other military cyber organizations in Operation Gladiator Shield – defense of the Global Information Grid (Document 12) The Joint Chiefs of Staff-mandated process for computer network defense activities (Document 2) The Department of Defense strategy for counterintelligence in cyberspace (Document 3) DoD policy, responsibilities, and procedures with regard to human intelligence operations in cyberspace (Document 19)
The United States and Cyberspace: Military Organization, Policies, and Activities
By Jeffrey T. Richelson
The United States military has been operating in cyberspace for decades. It has faced attacks by hackers trying to break into Defense Department computer systems, been authorized to conduct offensive cyber operations, and recognized the need to confront the impact of cyberspace on human intelligence and counterintelligence operations. As with the civilian sector of the U.S. government, the focus on cyberspace has increased dramatically in recent years – as illustrated by the increasing production of documents concerning the subject.
Those documents have sought to define the multitude of terms associated with cyberspace activities, set out visions and strategies for operating in cyberspace, and create and define the missions of military cyber organizations. Other documents describe the activities and responsibilities associated with cyber missions – including computer network defense and intelligence.
The Language of Cyberspace
A number of Defense Department publications have sought to provide readers with extensive accounts of the definitions associated with cyberspace operations – to establish a common language for the discipline. In 2009, the U.S. Strategic Command (STRATCOM) – the parent command of the U.S. Cyber Command – produced The Cyber Warfare Lexicon (Document 1), which in addition to containing approximately 50 definitions of cyber terms, contained 15 discussions on cyberspace operations – including “weapons outcomes: a differentiation,” “delivery considerations,” and “when things go wrong.” The next year, the Joints Chief of Staff issued its own document, the Joint Terminology for Cyberspace Operations (Document 10), which also provided 16 pages of definitions of cyber terms. In his cover letter announcing the issuance of the joint terminology, James Cartwright, vice chairman of the Joint Chiefs, noted that the document had been produced due to the “inadequacy of current terminology to describe our [cyber operations] capabilities and missions.”
Vision and Strategy Documents
Vision and strategy documents are a routine product of both civilian and government agencies. Cyberspace vision and strategy documents include those produced by the Defense Department (Document 25), Cyber Command (Document 27), Air Force headquarters (Document 17), the Air Force Space Command (Document 4, Document 7), the Navy (Document 16), and the Coast Guard (Document 26).
The DoD Cyber Strategy (Document 25) identifies five strategic goals, including building and maintaining forces and capabilities to conduct cyberspace operations, a variety of ‘implementation objectives’ for each strategic goal, and steps believed necessary to manage the department’s cyber strategy – including an end-to-end assessment of the department’s cyber capabilities. The U.S. Cyber Command’s vision statement (Document 27) focuses on the commander’s intent (including strengthening partnerships with the National Security Agency and the Intelligence Community as well as the Defense Department). It goes on to specify “imperatives” (such as integrating cyberspace operations in support of joint force operations), and “enablers”(including “acquisition agility”) to permit satisfying the identified imperatives or objectives.
The Air Force Space Command’s cyberspace strategy documents include its 2009 The United States Air Force Blueprint for Cyberspace Operations(Document 4), which notes presidential guidance, joint guidance, the Air Force concept of cyberspace operations, and operational responsiveness, among other topics. A more recent strategy document is the June 2015 United States Coast Guard Cyber Strategy (Document 26), which specifies three strategic priorities (defending cyberspace, enabling operations, and protecting infrastructure), and seven measures aimed at “long-term success.”
Military Cyber Organization
The increased focus on cyber operations by the Defense Department and military services has led to the establishment of one or more cyber organizations within DoD and each of the military services. Thus, in 2009, the secretary of defense directed STRATCOM to establish, as a subordinate command, a U.S. Cyber Command.  In May 2010, STRATCOM announced (Document 6) that the Cyber Command had achieved an initial operational responsibility and described its responsibilities, organization, and command relationships. Then, in September, STRATCOM’s commander informed the secretary of defense (Document 8) that the command had reached full operational capability, and stated the command’s six key missions (one of which is partially classified).
Subordinate to the Cyber Command are its component commands. The U.S. Army Cyber Command was established less than two weeks after the U.S. Cyber Command was declared fully operational via an Army General Order (Document 9), which specified some of its responsibilities and authorities over other Army organizations. Refinement of the Army organization for cyber operations took place in February 2011, when the secretary of the Army signed a directive (Document 11) assigning control of an information operations command to the Army Cyber Command.
The Navy’s cyber command, the Fleet Cyber Command/U.S. Tenth Fleet, was already in existence by April 2010, when the command’s technical director presented a briefing (Document 5) that provided information and graphics concerning the command’s mission, organization, authorities, command and control relationships, and global operations. The briefing also showed that the Navy’s cyber unit, unlike the other service cyber commands, was also responsible for managing the Navy’s signals intelligence operations, via the Navy Information Operations Command detachments.
The Air Force did not establish a separate command for cyber operations, but assigned responsibility to the Air Force Space Command through the 24 th Air Force.  But cyber-related operations were not the sole responsibility of the Space Command. In 2012, the commander of the Air Force Intelligence, Surveillance, and Reconnaissance Agency (now the 25 th Air Force), established a Cyber Division in his agency. The commander’s one-page memorandum (Document 13) explained that the division was to provide a “greater focus” on cyber issues and identified six functions – including intelligence, surveillance, and reconnaissance support to offensive and defensive cyber operations.
Activities and Responsibilities
One of the defensive activities undertaken by the U.S. Cyber Command was the subject of a 2011 operations order for Operation Gladiator Shield (Document 12), whose purpose was to direct the Department of Defense and its mission partners to “secure, operate and defend the critical mission elements of the DoD Global Information Grid” – described by the National Security Agency as “the globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel.”  The order provides a concept of operations as well as specifying the tasks of relevant DoD organizations, including the U.S. Cyber Command and its components, NSA, the Defense Intelligence Agency, and other units.
Several additional Defense Department and military service documents focus on cyberspace operations rather than individual components, although they often also specify the responsibilities of specific organizations. Thus, a 2012 Air Force policy directive (Document 15) on cyberspace operations discussed the responsibilities of Air Staff components, the Air Force Space Command, legal units, and other organizations. The following year, the Joint Chiefs issued what was, initially, a restricted publication (Document 18) on cyberspace operations which covered cyberspace operations, including those related to national intelligence, authorities, roles, as well as planning and coordination – including with regard to U.S. government and international/multinational organizations.
Department of Defense cybersecurity activity is the focus of the 2014 instruction (Document 23), 59 pages in length, that states department policy, defines the responsibilities of 15 different organizations (including the Defense Information Systems Agency, the Defense Security Service, and the National Security Agency) and 21 different procedures – including risk management, cyberspace defense, and identity assurance. It also lists 132 U.S. government documents ((a) through (eb)) relevant to DoD cybersecurity organization and activities.
Computer Network Defense
One consequence of the attacks on Defense Department computers systems over the last several decades has been a new emphasis on computer network defense. Part of that focus is the delineation of responsibilities within each organization for protecting its computer systems, reporting incidents, and responding to incidents – as illustrated by a July 2013 instruction (Document 20) issued by the Northern Command and NORAD.
How incidents should be handled was the subject of a much longer JCS document, a 176-page manual (Document 2) issued in 2009. An diagrammatic overview of the manual shows its seven different enclosures, which cover subjects from incident handling methodology to incident analysis to incident response and beyond. In each case, there are a multitude of subordinate components. Thus, computer forensic analysis, network analysis, and the examination of legal issues are just three of ten components of the incident analysis process.
Human Intelligence and Counterintelligence
Since Defense Department human intelligence operations may extend into cyberspace, with operators adopting a cyber persona, the department issued a Secret instruction (Document 19) on HUMINT activities in cyberspace, heavily redacted in its declassified form, that specifies the responsibilities of different DoD components – including the undersecretary of defense for intelligence, the National Security Agency, the Defense Intelligence Agency, and the Cyber Command.
Counterintelligence operations were also the subject of a DoD directive as well as an August 2009 strategy document (Document 3).  The latter document contained two key parts – one identified mission objectives (outcomes), the other named enterprise objectives (capabilities). One mission objective is neutralizing foreign cyber intelligence activities that had attacked U.S. and Defense Department interests while enterprise objectives included achieving “unity of effort in cyberspace.”