if - leI See 1 4 ai I USCYBERCOM 120-Day Assessment of Operation - GLOWING Executive Summary This document represents the United States Cyber Command USCYBERCOM assessment of Operation GLOWING after 120 days from initiation of the operation It Is a subsequent update to the 30- -day assessment that was released on 15 Dec 16 Where numbers are reported the number from the 30-day assessment is shown afterward in brackets El tI' 5' 063' Is a USCYBEFICOM operation targeting the Islamic State in Iraq anti aoh Shamt Galat I We t Through OGS USCYBERCOM sought to contest to execute its ood contest the enemy to the information domain aatt 99 To I a USCYBERCOM designed 068 to Key to this operation was close coordination between Joint Task Force JTFI ARES USCYBERCOM the Federal Bureau of Investigation FBI the NSA and to maintain pressure on ISIS and to address attempts by ISIS media to reconstitute PEL TT USCYBERCOM initiated OGS Based upon the experiences and lessons learned USCYBERCOM notified the Joint Staff the Office of the Secretary of Defense OSDI for Policy and the Interagency- - at its intent to - USCYBERCOM requested Since the start of the operation Coalition forces have Addition-ole led to - i USCYBERCOM assesses that 063 successfully contested ISIS In the information domain The operation contested ISIS to execute 10 S SI 1301 5 5- 3 - -- 'Id reirtisec 1 qraiidirqi its media operations by imposing time and resource costs errd disrupting isre rrte-die iTEJKSijg eit Tr Lil Reflections also indicate that 0G3 disruptions impacts against media distribution and dissemination continues to Tit Lif During USCYBERCOM has continued to leverage the crccess directed Writtiri Career Mission Fcrces while the USCYBERCOM Joint Operations Center facilitates operational deconfliction with lnteragencg r partners To date these processes have worked well i 3 FiiE' r Absent of significant policy changes from 080 Is limited in its ability to challenge iSlS_ As a result USCYBERCOM hes tc objectives The updated version of seeks to provide rt The scale and complexity of OGS has allowed us to learn a number of lessons that will benefit the community as we move forward This report summarizes two new lessons learned since the 30 day assessment strategic communication and_ and provides additional recommendations with respect to targeting and_ data exploitation The entire compiled set of lessons learned encompassing both assessments can be found in the updated Appendix C USCYBERCOM has Through cos we have seen iSiS ccritirtiie te counter lSlS radicalization efforts through cyberspace permits continued integration with USCENTCOM Combined Joint Task Force Operation Inherent Resolve and- during while also allowing us to sociaiize the CONOP with our partners- bl Sec 1 4 id or USCYBERCOM 120-Day Assessment of Operation GLOWING This document represents the United States Cyber Command assessment of Operation 068 after 120 days from initiation of the operation It Is a subsequent update to the 30 day assessment that was released on 15 Dec 16 Where numbers are reported the number from the 30-day assessment is shown afterward in brackets This assessment is divided into four main sections The Operational Overview section describes the planning and execution of the operation including an assessment of task accomplishment The Operational Effectiveness section summarizes the USCYBERCOM assessment of the effects of OGS on ISIS as well as the maturation of United States US Government USG approval processes for offensive cyberspace operations 000 The Lessons Learned section describes a selected subset of the lessons learned as a result of 0G8 Finally the Way Ahead section describes USCYBERCOM follow- on actions U OPERATIONAL OVERVIEW - fest t' IOGS is a USCYBERCUM operation targetingthe lsiamic State of Iraq and ash Sham - OGS focuses on media and propaganda operations Hrcr'Ix'r-I i - -This section describes the planning and execution of OGS with focus on the 90 days The planning portion explains the purpose concept of the operation and initial expectations The second portion summarizes the execution of OGS including Coalition and lnteragency efforts 10 U S C 23 1 30 lb ll Sec 1 4 at 5-H PLANNING i 7 -7 - E7 In accordance with intent through Operation GLOWING USCYBERCOM sought to contest iSiS ability to execute its media and contest the enemy in the information domain and 71 7 Ute The initial mission period for OGS covered a 30-day window beginning at USCYBERCDM notified the Joint Staff the Office of the Secretary of Defense DEB for Policy and the lnteragency of its intent to For a detailed overview of the concept of the operation for 088 refer to the original 30-dayr assessment in addition to the types of missions described in the 30-day assessment subsequent 000 also included unique missions Also Joint Task Force ARES has begun '77 -_7_T7'_7_ll 7 surveillance and reconnaissance C ISR operations conducted against The purposes or soon operations irpluse The teem is also authorized to collect information related to media production distribution and dissemination For these operations - 7J -7- 77 7 7'57 - Initialexpectations were that Coalition operations would significantly impact media distribution and dissemination however planners also recognized that U EXECUTION 7rr - - - -r 1 1-51 -3 17' i 0G5 continues 10 media Through our coordination and planning with the Furthermore the FBI continues to address EL Til i At the request of US Centrai Command JTF ARES is continuing to Additionaliy we continue to coordinate with USCENTCOM to in support of ground operations - I i Under 068 JTF ARES leveraged lnteragency and Coalition partners to increase pressure on ability to develop distribute and disseminate media E- Err With respect to the Coalition's task performance we continue to assess our task accomplishment in the execution of 083 as successful overall in support of USCENTCOM operations For further discussion of task accomplishment measures of performance and the updated assessment for 0GB see Appendix A OPERATIONAL EFFECTIVENESS - This section assesses the effectiveness of DES in two parts tied to the original purpose of the operation The first part describes the impacts of 063 on lSiS as reported in tbiili Sec intelligence reflections and operational observations The second part summarizes the maturation of the process for approving OCO om ISIS I '0 assesses that CBS successfully contested ISIS In the domain Ti I 0G8 disrupted Through OGS coordination with the FBI -L JTF ARES in partnership with the FBI The FBI and USCYBERCOM assess that - Itatjft To tut-t ct I JTF ARES partnered with assesses that the operation was successful and led to a significant reduction In Its a result at ongoing counter-menta Ti't To use USCYBERCOM assesses that 065 OGS contested ability to execute its media and by imposing time and resource and disrupting ISIS hi Sec 1 4 aiidi igi I 't tL USCYBERCOM estimates that OGS ted disruptions of to conduct its operations and better posture-d the Coalition to achieve decisive future effects r n-a-rz- oss disrupted ISIS media - t t rt 068 had signi cant nn since the start of 068 - -t 063 Ittety disrupted - According to recent signals inteiligence reporting media - i to E t'i OGS caused internal disruption of I t E TC- US -I - Re ections also indicated that OGS disruptions affected media distribution and dissemination continues to diSti bUte 5 DGS conducted more than_ missions to date- Finally 0G5 enabled Combatant Command Page bi ili See Leta id Io U PROCESS MAWRATJON LI I I During USCYBERCOM has continued to leverage the deconfliction process directed within Cvoer Mission Forces utilize while the Joint Operations Center facilitates operational with Interagency partners To data these processes have worked well LI Absent of signIfIcant policy changes from 08D USCYBERCOM is limited In Ite te ehelreege ISis es result USCYBERCOM hee Ie our objectives - exemee has been werkiee Ie - Specifically USCYBERCOM is working with the FBI in orderto I - During The updated version of seeks to provide U LESSONS LEARNED 11 - r I Planning and executing 065 provided the opportunity to truly exercise the While the eemmene learned mere lessons throughout the process a number of areas stand out- For this assessment update there is no change to the following lessons learned from the 30day assessment Authorities and Policies - Joint Interagencv Coordination Collection Management - Political Military Assessments There were two new observations with respect to strategic communications and- as well as additional recommendations for targeting and data 1 7 e i Sec 1 i-l lei id to 1 lie exploitation The primary recommendations for those four observations are described below Appendix 0 includes the moredetailed discussions and is a comprehensive appendix that replaces Appendix from the original 30-day assessment Icy Alas Strategic Communication To our communications planning add consideration of will be kept informed during operations to include as well as written USCYBERCOM summaries updates This plan should also include USCYBERCOM should engage the stakeholders of the Trilateral memorandum of Agreement Tri- -Lat Appendix in order to establish governance underneath the tri-tet for one for execution under should include language that expiieiny states - --Targeting Additional Recommendation Employ a wider range of joint doctrine and to i iior ciocreooco operations I l i_ Data Exploitation Additional Recommendations where possible Leverage IT ARES mission requirements to drive the development of an initioi capacity on cart or tite- U WAY AHEAD - i Si USCYBERCOMI allows our operators to continue to pursue lSiS in cyberspace in support of efforts to combat the virtual caliphate while USCYBERCOM develops and socializes follow-on Concepts of Operation to counter media with the Interagenov Through OGS we have seen continue to counter iSiS efforts through cyberspace it is useful to note that will continue to euocon OGS ooerotionc vie 'Tgr- Li will formally submit this CONOP to the lnteragency for approval will allow us to continue operations while also allowing us to socialize the CONDP with our partners The new CONOP require in the cyber domain We will incorporate a recurring assessment into this CONOP which will allow the lnteragencv the opportunity to provide feedback and input to improve ongoing and future cyberspace operations against iSlS hi ill Sec 1 4ial o'l lei U APPENDICES Lew Appendices B D E and have not been changed from the 30 day assessment and are not being distributed with this update Refer to the original assessment for those Appendices A and have been updated completely replace the corresponding appendices from the 30-day assessment and are being republished with this assessment update Note that Appendix is classified NOFORN and will therefore be maintained as a separate document A Assessment of Task Accomplishment Updated B L JsLi z The Joint Interagency Coordination Timeline No Change C it Lessons Learned Updated D t United States Cyber Command Concept of Operations to disrupt ism sperm some No Change E- SECDEF Approval for We Change F Trilateral Memorandum of Agreement among the DOD and Intelligence Community Regarding Computer Network Attack and Computer Network Exploitation No Change I3 14 Sec 1 4m Sec 1 4 la loll iql APPENDIX A ASSESSMENT OF TASK ACOUMPLISHMENT UPDATED i I_i This appendix describes our framework for assessing task accomplishment which captures how well we executed Operation BLOWING This in an update to and fully replaces the same appendix to the 30-day assessment with the only change being to the information Shown graphically in Figure 1 OPERATION GLOWING Leased Successful task accomplishment Successfulwith some caveats Unsuccessful Initial mission Net evaluated period only Flgure 1 MW OGS Assessment of Task Accomplishment The framework is broken down by phase from the OGS Concept of the Operation CONOP with supporting measures of performance and indicators Actual numerical data for each indicator are shown in blue After each indicator description are the Coalition partners represented in the data The stop light circle next to each indicator assesses that particular measure against the thresholds established in the CONOP The gray circles represent indicators that are not important for assessing task accomplishment but still contribute to the understanding of Coalition activities Black outlined circles indicate those measures that only apply to the initial mission period and were not updated as the operation continued The full legend is shown on the bottom left of the figure -- 1 0verall we assess the task execution of OGS as green or successful Only two evaluated indicators are amber the remainder are green The first indicator is amber because the teams were not able to had no negative impact on the mission The second amber indicator is for Whit was the origina' intent 0 the CONDP The threshold for green qu 131 1 Sec Note that some reporting shows different numbers for The difference 5 that here we do not count the bi hi Sec 1 4ialidlig APPENDIX c LESSONS LEARNED UPDATED -- -- - This appendix describes the observations and recommendations associated 1With our primary lessons learned as a result of planning and executing Operation GLOWING This in an update to and fully replaces the same appendix to the 30- day assessment senses AND POLICIES 5T5 1 A ri'tiObservatlon Although the coilateraleffects estimate CEE was determined to be no GEE the operation required approval because within the context ctr - Discussion was the authority used duringthe conduct of 088 - approved by the President of the United States POTUS In the event of a non-concur from a voting member of the lnteragency _ USCYBERCDM exercised this exact process and the timeline in support of the OGS approval see Appendix The non-concurs highlighted Recommendation Normalize_ approval processes Interagency policies and processes are not established to Joint Interagency Coordination process that is still in a transitional state - Observation Prior to 000 actions bii3i lU U S C 1301 lb Sec 1 4ialidl 10 - - ween operating under the authorities granted via i e rei Despite the eien and agreement er USCYBERCOM continues to analyze reporting to codify the degree to which the adversary exploited this opportunity fir L Ir Should follow-on operations propose more invasive tactics and or utilize more sophisticated capabilities it would be ill- aclvisecl to risk critical infrastructure and or capabilities unnecessarily Recommendation remains an unresolved policy issue- U fm JOINT COORDINATION - establish a Jeiet interagency Task Force JIATF that is focused on_ Specifically the as part or the operational review and approval process in support of However eei - Discussion requires targets be deconflicteo in accordance with the Trilateral Memorandum of Agreement Trilat Additionally a Strike Package is required that consists of an Intelligence Technical Gain Loss Assessment Political Military Assessment Legal Review and CONOP As implemented each 0C0 mission requires these documents In addition to deconfliction under the leg bi Sec 1 4ial id lgi bi Si Trilat MOA - The amount of informal meetings briefings and overall information sharing that occurred was extremely In- depth and time consuming for both USCYBERCOM and JTF ARES staffs if this same level of detail is required for each proposed action during an DCO mission Further discussion of the Joint interagency Coordination process and timeline can be found in Appendix a other against ISIL should be TIZI DJF As a result of the lnteragency coordination 0G3 was to be deliberated under different policy decisions as a Combatant Command CCMD action In Recommendation Normalize Interagency policies and processes to adjudicate Interagency non concurs expeditiously in a manner that supports dynamic targeting within the cyber domain COLLECHON MANAGEMENT Observation Through extensive pro-operation coordination all US intelligence agencies were highlyI attuned to the GIGS plan and were postured to focus collection assets to gauge the impact of DGS on members - rbluIIlrIrEl a Discussion USCYBERCOM J2 and JTF ARES developed Multiple meetings in the ore-operational phase with iC DoD ai lied intelligence representatives ensured high awareness of 0GB collection requirements 'Til'll'n L l rIReoommendation incorporate positive lessons learned Into standard practices collection management tradecraft and products for future operations In addition codify collection timelines and deliverables to U lmi Observation s capabilities - contributed significantly to OGS pianning and execution however I'e-L-iei Discussion DoD s Cyoer Strategy emphasizes in cyberspace operations however Recommendation in cyberspace element could provide substantial support to operational planning should also be requested and incorporated into the operation TARGEHNG i Tactic To I at Observation During target development This made the target vetting process for 063 and difficult as USCYBERCOM and JTF ARES personnei had to frequente i Discussion As such it is recommended that it be vetted with the as weII as I0 partners_ Themes-t was sent out for vetting IC partners but with owns and Ic vetting agencies Much of the difficulty revolved around igii SEC Objectives for the mission were tit - regard to the additional information requirement to support target development and if vetting the ma bility of JTF ARES to from teams under operational control DPCON of JTF ARES led to i0 vetting mess for ARES is that relates to JTF ARES operational needs 3- Recommendation 1 Adhering to established vetting standards should reduce the time and effort required advance the targeting process as all parties get to vote comment at the same time Targets should be developed to support established plans containing MOPS and MOEs that are clearly linked to well-defined objectives Establish measureaole MOES based on determination of what intelligence is known or liltei i to be known about adversary activities i iRecommendationz Recommendation 3 Employ a wider range ofjoint doctrine and procedures leg - i for Cyberspace operations Ur 000 DATA EXPLORATION Observation 083 plans factored the possibility of adversary data recovery and aclinowledged the need for exploiting that data but did not JTF ARES did not anticipate priorities were established for exploiting the data but policies are needed to clarify handling procedures for ca ptured data Discussion JTF ARES established - priorities for exploiting captured data which JTF ARES iv working through HQs USCYBERCOM 13 in accordance with USCYBERCOM OCO data policies JTF ARES worked through USCYBERCOM to identify sources for short-term support -- Recommendation 1 Future plans should account for - 13 1 15 bill Sec 1 Iel bits USCYBERCOM formulate policy and capability to support any JTF or JFHQ-C that covers all future operations - Recommendation 2 where possible The USCYBERCOM Capabilities Development Group CDG Is pursuing CDG Is developing data storage solutions- - Is expected to be operational for_ 16 in modular should loo on lo oodloulon Recommendation 3 Leverage JTF ARES mission requirements to drive the development of an initial capability as part of the Doueloomoot ot an lottlal U POLITICAL MILITARYASSESSMENTS 7 Observation The current timeline for ccnductinga Political Military A soot-moot Pluto l against adversary infrastructure Tedd-El Discussion to produce PMAs for the target elements with significant challenges in meeting the timeline factoring the need tor - Other agencies were similarly stressed to meet the deadline to staff a required PMA and the K is given another to review - - - - Recommendation Given the likelihood that USCYBERCOM will be conducting more frequent and widely-scoped cyber operations throughout the global Internet infrastructure In the future would help expedite the request and approval process and provide planners with factored up front into cyber CONOPS U STRATEGIC COMMUNICATION t'i tugi Observation An expanded strategic communication plan is needed to provid- timely operational updates and messaging hi Sec Lela igi 13 Si II Discussion A communication pian was adequate during the planning phase but waned during execution Once the operations commenced further notifications or updates shared and among agencies Due to USCYBERCOM's particularly when USCYBERCOM was Recommendation Add consideration of how be kept informed during operations to include as well as written USCYBERCOM summaries updates This plan should also include delivery of communications Ctirl Observation Current deconfliction processes place unnecessary restrictions on a Combatant Command' 5 CCMD s ability to coordinate Cyoer Operations for a target has been validated vetted and formally designated lay the CCMD the CCMD should not be prevented from requesting USCYBERCOM support - specifically in situations where I Discussion The Trilateral Memorandum of Agreement MBA dated May 200 is the keystone policy document outlining offensive oyber operations deconfliction processes The language in the MBA reflect the policies authorities and capabilities that were in place when the MOA was written I Recommendation 1 Recommend the following verbiag - Cyber operations for within a designated A0 and as defined in joint poolication 3- 60 USCYBERCOM will attempt to to the fullest extent possible in the eveni of USCYBERCOM Examnies include but are not limited to - Recommendation 2 USCYBERCOM should engage the stakeholders of the Trilateral Memorandum of Agreement Tri Lat Appendix in order to establish governance underneath the Tri Lat for and develop a standard for execution under_ Sec 1 4 - Task Accomplishment - Operational Effectiveness 10 U S C 13013 Classified By - Derived From NSAICSSM 1-52 Dated 20130930 Declassify On 20411101 MSW biili Sec 1 4 aiidiigi OBJ Disrupt and Counter lSlL's use of social media 081 Disrupt sponsored media Sec 1 4 aJ WW - OBJ Disrupt and Counter use of social media DBJ Disrupt ISIL's sponsored media 10 U S C 13013 Classified By - Derived From 1-52 Dated 20130930 Declassify On 20411101 1 Sec 1 4 a This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu