Document approved for release on 1 September 2015 under the U.S. Freedom of Information Act by U.S. Cyber Command through coordination with the National Security Agency.

UNITED STATES CYBER COMMAND
9800 Savage Road
Fort George G. Meade, Maryland 20755

MAR 23 2012

Reply to: USCYBERCOM CDR

MEMORANDUM FOR RECORD

Subject: United States Cyber Command (USCYBERCOM) Commander's Strategic Assessment for Operating in Cyberspace - Preventing a Pearl Harbor Environment

1. The United States (U.S.) is vulnerable to the accelerated pace of cyberspace events. The U.S. must immediately act through several cyber initiatives to ensure we avoid a cyber Pearl Harbor.

2. The President identified cyber security as one of the most serious threats we face as a nation. Events in cyberspace continue to accelerate as Nation States and non-state actors seek to exploit asymmetrical advantages in the cyber domain. Examples include:

   a. Recent Google, RSA, Lockheed Martin, Booz Allen Hamilton, and NASDAQ exploits.
   b. Disruption of networks (Estonia, banks, etc.).
   c. Development of Cyber attack tools by Nation States (Russia, China, and Iran).
   d. Recent reports of AQ intent to use Cyber Attack tools.
   e. Critical loss of Intellectual Property (greatest transfer of wealth in history).
   f. UAV virus.

3. The risks of failure in the cyber domain are widespread, cascading, and potentially catastrophic.

   a. The nation relies on the cyber domain for its major activities (military, commerce, utilities, governing), posing risks to the value of the entire U.S. investment in military capabilities, intellectual property, critical infrastructure, and diplomatic relationships.
   b. The cyber domain poses unique challenges because it is a globally connected domain without traditional borders; the enabling infrastructure is owned and operated by military and civilians alike; activities occur at cyber speed, making synchronization of national-level responses essential.
   c. The attacker currently has the advantage over the defender because the defender must defend everywhere across the network while the attacker merely needs to find a single point of vulnerability.
   d. The U.S. as a society is extraordinarily vulnerable because we rely on highly interdependent networks with ubiquitous access points that are unsecure, sensitive to interruption, and lack resiliency.

4. Adversaries leverage their comparative advantages and exploit our vulnerabilities.

   a. Our capabilities continue to grow with increasing access into other countries, but others have access into our networks.
   b. They are preparing future battlefields now by stealing intellectual property and exploiting networks across the defense, financial, and communication sectors.
   c. We know adversaries are actively conducting reconnaissance, surveillance, penetration, and establishing persistence.

5. The USCYBERCOM Commander's Assessment:

   a. We can prevent some attacks, but we cannot prevent a major cyber attack against the U.S. now because:

      (1) We have a multitude of asset types with various configurations and, more gravely, have multiple organizations enacting inconsistent policies, capabilities, and configurations, preventing unified approaches to cyber security.
      (2) We cannot see across all networks, which allows adversaries to operate in uncontested areas as they seek to penetrate our defenses.
      (3) We lack authorities and policy to act in defense of the nation as a whole.
      (4) We have insufficient trained and ready forces to act.
      (5) We rely on an inherently indefensible architecture built for availability, functionality, and ease of use, with security bolted on as an afterthought.
      (6) We have immature operational concepts.
      (7) Commercial industry is reluctant to divulge penetrations/attacks due to perceived vulnerability, lack of technical competency, and loss of shareholder confidence, which could negatively impact future business relationships.

   b. What must an adversary have to conduct a cyber Pearl Harbor?

      (1) Strategy to drive goals and objectives.
      (2) Operational Concept on how they will fight.
      (3) Capabilities to achieve the effects required to meet those objectives.
      (4) Training to ensure their forces can employ capabilities effectively.
      (5) Knowledge and access to vulnerabilities in our networks.
      (6) Catalyst for the decision to attack.
      (7) An opponent susceptible to surprise or unwilling/unable to proactively defend itself.

   c. Today we are seeing:

      (1) Cyber development is following the traditional path from commercial innovations to war fighting capabilities, much like that of aviation.
      (2) Russian operations in Estonia and Georgia demonstrated how cyber could be employed and provided lessons learned for cyber operations.
      (3) China and others have been thinking about cyber doctrine for years at senior military schools and think tanks.
      (4) The U.S. has already observed the cyber equivalents of the sinking of a battleship at Taranto and the practice for using torpedoes in shallow waters.
         (a) The attack by British airplanes using modified torpedoes validated the concept that air dropped torpedoes could be effective in shallow waters.
         (b) The Japanese carefully studied the attack and openly practiced the techniques months prior to the attack on Pearl Harbor.
         (c) The tactics and planning that enabled the Pearl Harbor attacks were a direct result of the lessons learned from the Battle of Taranto.
         (d) Lessons learned from Russian operations in cyberspace are being turned into tactics and planning by future adversaries today.
      (5) Cyber capabilities already exist that can attack systems and render them inoperable even when basic security measures are employed.
         (a) Capabilities are being developed and deployed for foreign intelligence, commercial espionage, and criminal activity to penetrate networks.
         (b) Advanced Persistent Threats can maintain access undetected for long durations, ready to act.
      (6) Adversaries are only 12-18 months away from having the capability to conduct a cyber Pearl Harbor against the U.S.
         (a) Once they have the capability to conduct the attack, all that remains is a catalyst before they would act.
         (b) They must develop the ability to prevent or mitigate that possibility or we will be left waiting for the adversary to decide when to strike.

   d. What we need to do to prevent a cyber Pearl Harbor?

      (1) At a minimum, prevent attacks; if that fails, stop attacks; and if that fails, reduce their effect on the nation as they occur, regardless of the attacker, target, means of attack, and launch point, and quickly recover from their effects sustained.
      (2) The U.S. needs to publicly debate the roles of the DoD and the Intelligence Community (IC) in the protection of the Nation's critical cyber resources.
         (a) If the DoD and the IC are going to be operating in cyberspace, their roles and functions must be understood and generally approved by the public.
         (b) Part of this discussion should be: What critical infrastructures are serious enough to require DoD/IC involvement?
         (c) Being open about our strategy puts our adversaries on notice and removes the possibility of false expectations on the part of the U.S. public.
      (3) Global Visibility Enabling Action.
         (a) We need to be able to see cyberspace (red, blue, and gray) and provide situational awareness for our decision makers and cyber operators.
         (b) Build the capability to recognize early indications of an attack.
      (4) Defensible Architecture.
         (a) We need a defensible infrastructure with clear identification of critical systems.
         (b) Information Technology (IT) efficiencies will support the DoD initiatives to implement defensible architecture that will:
            i. Streamline IT capabilities.
            ii. Enable shared control of limited resources.
            iii. Increase ability to outmaneuver threats.
            iv. Support single organizational direction and technical configuration.
      (5) Authorities to Act in Defense of the Nation.
         (a) We need the authorities to defend designated networks by creating effects outside of the defended network (Computer Network Defense-Response Action).
         (b) Long term response should be led by the Executive Branch, but DoD must be capable of stopping attacks while in progress - or before.
            i. Pre-approve Standing Rules of Engagement (SROE) response options so they can be immediately implemented at each level of command from tactical to strategic.
            ii. Establish processes to rapidly approve additional response options in a crisis, analogous to nuclear Command and Control options.
      (6) Command and Control of Cyber Forces.
         (a) Immediately co-locate needed authorities with designated cyber operators in the form of operators empowered to act on behalf of their parent organizations at an Integrated Cyber Center.
         (b) Integrate and leverage interagency, commercial industry, allies, and foreign partners.
            i. Supported by policies for exchanging intelligence on threats and capabilities.
            ii. Expand defensive capabilities to critical infrastructure and key sectors.
         (c) Incorporate cyber as a flexible option for consideration by decision makers during shaping and deterrence phase ops U.S. Government.
         (d) Further build out the Cyber Support Elements with trained cyber analysts and planners and fully integrate them into the Combatant Commands (COCOMs).
         (e) Develop the Joint Communications Control Centers and enable them to fully support the COCOMs.
      (7) Trained and Ready Cyber Forces.
         (a) We need a standing cyber force that is prepared to act immediately and is capable of fighting and winning in cyberspace.
         (b) USCYBERCOM should set and enforce uniform training and certifications standards across all services and DoD.
            i. Lead USCYBERCOM components should lead Service efforts to organize, train, and equip cyber forces to meet training and readiness standards.
            ii. Assign Service Cyber Components proponency for cyber functional areas.
         (c) We need to create joint cyber designators to track military/civilian cyber workforce.
            i. Standardize Cyber Work Roles across DoD and the IC.
            ii. Track officer, Enlisted, and DoD Civilians cyber career paths and assignments to ensure our success.
         (d) Repurpose IT personnel not needed as a result of IT efficiencies.
         (e) Recruit cyber warriors, including use of non-traditional recruiting sources.
         (f) Make greater use of reserve and guard component forces - cyber units, but also cyber joint planning teams to work on lower-priority missions that are below the active components' cut lines.

6. Recommendations for Improving DoD's Cyber Defenses:

   a. Strengthen Network Defenses.

      (1) Reduce the number of individual DoD networks and network owners to a minimum necessary to provide required services.
      (2) Architect the remaining networks to be more robust, resilient, and defensible. Develop global visibility of red, blue, and gray.
         (a) Cyber Pilot 5.
         (b) National Security Agency (NSA) Infrastructure.
         (c) Op Center connectivity.
      (3) Leverage global cryptologic platform to identify threats, exploits, and attacks before they are launched against us and enable USCYBERCOM to deploy defenses in advance of their use.
      (4) Leverage partnerships with commercial entities (.com, Defense Industrial Base (DIB), etc.) as a means of strengthening our defenses and also gathering information about enemy actions, exploitations, and attacks.
      (5) Leverage cloud computing to store critical information where it can be most easily protected by emerging attribute based access protocols.
      (6) Share classified signatures and other information with Tier 1 Internet Service Providers, DIB, and Critical Infrastructure and Key Resources to strengthen National (beyond the Global Information Grid (GIG)) defense.
      (7) Expand boundary defenses; employ reconnaissance, counter-reconnaissance, and countermeasures beyond the GIG to prevent attacks on our networks.
      (8) Neutralize adversary capabilities affecting DoD systems at the point of origin without necessarily destroying the adversary system or network, regardless of the capability (surveillance, reconnaissance, attack).

   b. Assume our networks are compromised; improve Operations Security and Rear Area Security.

      (1) Employ hunter teams to patrol inside the wire, searching for signs of enemy exploits or intrusions.
      (2) Build insider protection tools and practices.
      (3) Architect networks to be robust and resilient to enemy action.

   c. Deter attacks in the long term.

      (1) Build capability to ensure rapid and reliable attribution.
      (2) Establish credible commitment to respond to attacks in proportional fashion.
      (3) Signal clear political will to act in response to credible threats of planned aggression.
         (a) National boundaries have less meaning in cyberspace; the virtual cyber battle may take place on servers physically located anywhere around the world.
         (b) Continually build accesses into adversary networks to gain critical intelligence for active defense and to enable the U.S. to project power through cyberspace.

   d. Respond smartly.

      (1) Rapid response options in place: Standing escalatory cyber to kinetic Rules of Engagement - proportional tn
      (2) Assess second/third order effects of both the attack and proposed responses.
      (3) Deconflict with partners; assess consequences of targeting key cyber terrain on military operations, effects, and intelligence.
      (4) Maximize pre-planning, pre-authorization, and automation of cyber operations.
      (5) Streamline approval processes to act to enable us the ability to act at "net speed."

   e. Treat the network as a weapons platform and train the way we will fight in cyberspace.

      (1) Cyber forces across all components (active, reserve, guard, DoD civilians) must be trained to common baseline standards.
      (2) Having all Lines of Operation under the same chain of command provides unity of effort and provides the synergy necessary to make them stronger.
      (3) Partner between NSA and USCYBERCOM to build accesses that support contingency planning and COCOM deliberate planning objectives and desired effects.
      (4) Develop streamlined targeting procedures that allow us to operate at "net speed."
      (5) Grow a cyber training center in which cyber warriors practice their tradecraft in a realistic, stressful environment.
         (a) Focus cyber training at the individual, collective, Joint Task Force, and COCOM staff level.
         (b) Track and evaluate via exercises/real world operations.
      (6) Establish common Tactics, Techniques, and Procedures (TTPs) for fighting in cyberspace.
         (a) This would take the form of a Cyber Field Manual analogous to the Counter Insurgency manual.
         (b) Think beyond one-off attacks; develop tactics that are generally applicable to a variety of situations.
      (7) Be prepared to execute cyber missions as part of a larger national response to attacks against the nation.

KEITH B. ALEXANDER
General, U.S. Army
Commander