22 September 2014

Tactical Cyber: How to Move Forward

19 September 2014

Is it time for the US to think harder about the practical implications of using its cyber capabilities at the tactical level of war? Andrew Metcalf and Christopher Barber think so. If it doesn’t, it will be at a disadvantage in conflicts where cyber assets are used at all levels.

By Andrew Metcalf and Christopher Barber for Small Wars Journal

This article was originally published by Small Wars Journal on 14 September 2014.

Cyberspace operations, both defensive and offensive, captured the attention of many pundits, military professionals, and interested observers. Their attention has increased focus on the viability of military operations in cyberspace, specifically at the tactical and operational levels. Some argue cyberspace will cause transformational change to warfare, while others argue cyber operations are more likely to evolve into the canon of older, traditional military means. This paper argues from the latter viewpoint, but focuses on the obstacles and opportunities inherent in providing timely cyberspace effects to tactical level commanders. There is currently a lack of literature and thinking on tactical cyberspace employment relative to strategic, and this paper argues for more focus on solving the issues presented by it in order to prepare for potential adversaries who are certainly experimenting with tactical cyber operations now.

In September, 2013 issue of Marine Corps Gazette, Maj Paul Stokes presented an argument for a Marine Expeditionary Brigade cyber warfare cell.[1] Maj Stokes added to a growing number of voices calling for tactical employment of cyber capabilities. He envisioned a cyber unit capable of supporting MAGTF commanders with timely and relevant cyber operations. The cyber warfare cell was an excellent idea but the article failed to address the significant practical and policy challenges with employing cyber capabilities at the tactical level. Without squarely addressing these limits at the start of any discussion, tactical cyber will remain a developing capability more risk at from over selling than from under delivering. This article seeks to clarify the issues and practical limits with cyber capability use at the tactical level, while underscoring Maj Stokes call for increased development of viable capabilities that can be tested and trained for. Without experimentation now, the United States risks being at a disadvantage in the future conflicts where adversaries are likely to employ cyber capabilities at every level of war.

Except for a few small efforts, like DARPA’s Plan X[2], cyber development within the DoD and the U.S. has focused on targets and capabilities at the strategic or national level. [3], [4] This focus has left a void during planning for cyber integration into military operations. This gap is particularly acute for the Marine Corps, where plans and capabilities are focused at the tactical level of war.[5]

As a result, during cyber focused exercises like Cyber Flag[6], there has been a serious attempt to support tactical warfighting but with limited success. Cyber is being integrated to some degree in a growing number of exercises, but not without a struggle during exercise design to come up with realistic scenarios where a national capability for cyber provides effective results for a tactical commander. In exercises where cyber is employed, this struggle usually is overcome by scripting scenarios with white carded results baked into the exercise. Examples include a tactical force calling for fires to be delivered by a cyber capability when the capability has had extensive and high level vetting and approval prior to execution at the tactical level, or the fires require detailed intelligence work to be done before execution is possible. For specialized or small-scale operations with significant high-level interest, these assumptions may be realistic. In the dynamic battlespace of conventional warfighting, the assumption that all the “homework” will be done, or even can be done, remains to be proven.

Most of the problem is related to practical limits with application of strategic cyber capabilities to a tactical fight. The techniques and capabilities employed at the National and Strategic level do not lend themselves to tactical employment. The deconfliction, coordination and cross-boundary coordination requirements are substantial. Finally, the largest pool of skill, experience and expertise has been developed at the national and strategic level. But the effect of these limits is that the techniques, understanding, and requirements for tactical cyber are not nearly as well developed

The current dynamic creates a vicious cycle in military planning, where the challenges posed by cyber operations in terms of policy, authority, coordination, and logistics appear to be completely disproportionate to the benefit of pursuing cyber operations. This effect leaves their benefits largely unexplored by tactical planners, because apparent costs make it inordinately difficult to develop plans where cyber demonstrates sufficient benefits to be worth the planning.[7] Since perceived difficulties in approval cut off discussion early, many planners never explore the capabilities cyber forces could provide.

To ensure a common frame of reference, this article uses the term “tactical cyber” to include cyber operations, both inside and outside of DoD networks, conducted in the context of a traditional kinetic battlefield where the authorization, deconfliction and control for the specific operation is at the battalion level or lower. Tactical use would mean both a Fallujah or Marjah-type clearing operation, where squad to battalion sized elements are clearing in zone and the more steady state but still dangerous actions undertaken during hold/build operations. Cyber is defined as any action within the cyber domain that would serve to further one of the five-warfighting functions around which a commander would base an operation’s design.

In order to move forward and develop and employ tactical cyber capabilities, we need to normalize cyber as a regular warfighting capability in the tactical commander’s toolkit while recognizing and protecting national equities. To do so requires providing cyber capabilities that produce predictable, reliable and standardized effects, can be employed and contained within battlespace boundaries, and don’t require sophisticated intelligence work before employment. Tactical cyber has to be suitable from both a policy and a practical perspective and still deliver value. These requirements will shape both the tactical requirements for cyber as well as the character of the cyber capabilities that may be available to the tactical commander.

Currently, with a few notable failures[8], we have been fighting our kinetic wars against an adversary not fully prepared to exploit the Americans’ reliance on information technology. The U.S. Military cannot rely on such a dynamic to remain true in future conflicts. In future conflicts, even if tactical commanders are not able to reach outside of their own networks, they will have to be prepared to conduct internal defensive measures within friendly tactical networks in order to ensure the confidentiality, availability, and integrity of his systems. Even though those measures are internal to tactical networks, anything done in them will cause effects and consequences to those networks and possibly higher or adjacent networks. Purely defensive tools and techniques must be subject to the same analysis and approval that operations external to friendly operations would be to ensure coordination.

Examples of the need for holistic integration of cyber are abundant. A program that centrally controls and monitors a unit’s computers for anomalous behavior may require so much bandwidth that it greatly reduces the efficacy of other tactical systems needed to complete operations. A change to one-half of this equation, even if it results is a more broadly secured network, could have dire tactical consequences to the other half without a holistic approach. Possible examples of this dynamic are easy to imagine. Remediation of a hard drive thought compromised may take that whole system offline. An action taken by a local administrator on a small network may have adverse effects on many larger networks. The intelligence and technology necessary to effect a defensive action may be just as sensitive as anything used in an offensive operation. It should also be considered that in the past decade plus of war, unit dependency on large, static networks has grown exponentially. It will be difficult for units conditioned to rely on real time data to simply go back to voice without either a focused effort to (re)train them in such techniques or an equally focused effort to integrate cyber capabilities, effects, and doctrine down to the tactical level.

The fundamental problem with tactical cyber operations is that cyberspace is not tied to the same geographic boundaries as more traditional tactical warfighting functions. The “strategic corporal” problem becomes infinitely larger when the corporal’s rifle can fire around the globe and hit any number of unknown targets. Any military planner implementing tactical cyber must recognize the potential impact unconstrained cyber operations may have on the larger diplomatic, information, military, economic, financial, intelligence and legal (DIMEFIL) situation and the impact these national interests will have on the willingness to delegate cyber authorities to the tactical level.

While the geographical effect of a unit’s mortars and rifles can be very narrowly prescribed, actions taken in cyberspace, both offensive and defensive are not so easily controlled or predicted. In the terrorist attacks on Mumbai, the Lashkar e Taiba used an array of open source cyber tools during planning and execution, many of which relied on services hosted outside of either India or Pakistan.[9] It would have greatly reduced the death toll if Indian forces could have responded quickly to block or limit those services, but the global nature of internet made such an effort difficult, if not impossible, to do in time to be relevant.

From the intelligence and law enforcement perspective, agencies have, in many cases, worked for years on projects critical to national security. Any cyber operation needs to be conducted in such a manner that it does not jeopardize or compromise these vital missions or the sources and methods used by them. During conflict and within a battlespace, the commander acquires ultimate deconfliction authority for targets within his area of operations through his control over kinetic targeting. However, cyber targets may be geographically located well outside the commander’s span of control. The more important the cyber target is to military forces, the more likely it is to also have significant intelligence and law enforcement interest as well.

Even where such conflicts do not exist with intelligence or law enforcement, military tactical cyber operations contain serious diplomatic ramifications. From a practical standpoint, it is unlikely a tactical cyber operation relying on the same technical approach as national cyber assets will have the time and ability to do the intelligence work necessary to avoid discovery, or to perform the necessary checks on where effects will occur geographically. A tactical cyber force could easily find itself violating the neutrality of another country or embarrassing allies. As David Sanger related in his New York Times interview; the entire Stuxnet program was compromised by a programming error that led to the failure of a deactivation routine and the malware escaping.[10]

To address these concerns, the most important step forward in employing tactical cyber is developing battlespace control measures that allow for effective constraint, coordination, and control of cyber effects. The effects of a cyber action, even if only defensive, must be known definitively, be constrainable to specific portions of cyberspace, and any effects outside of the tactical commander’s battlespace must be coordinated both laterally and vertically. Cyberspace’s lack of geographical constraints may make any deconfliction process too long and complicated and make cyberspace effects outside of a controlled battlespace too unresponsive to be relevant to a tactical operation. To support a tactical fight, a commander may want to deny a local insurgent group access to a social media service they have been using for communication. If the service is hosted outside of the battlespace, the commander is not going to be shutting down the service at the upstream source with his own assets, and any process for interagency coordination is likely too slow to meet the commander’s needs. The only way tactical cyber is going to be employable is through the development of an approach that can reliably and consistently ensure effects remain within a constrained area. The ability to conform to battlespace control measures also means coordination and deconfliction can be done in advance of the operation.

Related to the issues of integrating cyber effects with current battlespace control measures is the issue of tracking and displaying cyber capabilities for situational awareness. A vital C2 function is the common operational picture, an overlay of military operations, geography, time, and space that allows everyone to maintain a common battlespace understanding. Tactical cyber has to fit into this paradigm as well. Adjacent commanders will need to know when a cyber effect is operating across boundaries and have the opportunity to prevent it. A useful operational overlay for tactical cyber requires some predictability and ability to control execution of cyber, which will require the development of both a cyber operating concept for tactical employment, as well as requirements for useful cyber tools suitable for such employment. The requirement for an accurate and reliable operational overlay before tactical cyber can be employed may greatly constrain or at least shape the type and nature of cyber capabilities available to the tactical commander.

Adapting cyber to fit within battlespace control measures may be the most important step, but it isn’t the only one necessary to develop an effective tactical cyber program. In addition to the policy impacts of tactical cyber, there are practical impacts as well.

The speed of tactical operations increases the chances of the enemy discovering the action, though hopefully only after the effect has been delivered. The likelihood of discovery changes the calculus on the employment of platforms and techniques for cyber. It is illogical to invest a huge amount of time and money into a cyber platform that relies on obscurity and stealth if the entire cyber platform is rendered ineffective after the first mission by an antivirus update or a password reset. It is no secret CYBERCOM is tied closely with NSA and they share expertise and coordination.[11] Tactical cyber must be decoupled from that relationship. The technology and intelligence requirements for long term national and strategic cyber planning must not be placed at risk by tactical commander’s employment.

Another practical problem with tactical cyber is tactical forces do not operate at highly classified levels. In order for tactical cyber to be relevant, the classified technology and intelligence necessary to undertake a cyber operation must be decoupled from the ability of the tactical commander to implement. In this sense, DARPA’s Plan X[12] may be the most forward leaning. For example, it may take a lot of time and money to develop a theoretical capability to access and monitor WiMax[13] communications without being detected, but may take $25 worth of Radio Shack parts to create a jammer capable of locally denying WiMax. If the commander wants to isolate an enemy position communicating through directional WiMax, the $25 solution may be the best tactical solution.

Together, all of these concerns mean tactical cyber has to be something that does not require a lot of intelligence, does not require a great deal of sophistication and stealth, delivers effects that can be completely contained within a specific battlespace, and can be monitored, reported and measured accurately and efficiently. In short, a tactical commander should have no more confusion about employing a cyberweapon than he would about employing a mortar or anti-tank guided weapon. Until leaders can meet those benchmarks, it is unlikely tactical commanders will be able to leverage cyber capabilities.

These requirements clearly indicate the initial emphasis when developing tactical cyber delivery should be on wireless, wifi, satellite, and cell phones because those items are the means US forces have most commonly encountered during recent conflicts, and trends point to them being the most likely that tactical forces are likely to encounter in the future. Unlike approaches relying on the internet for access, radio spectrum access is constrained to a defined geographical area.

To meet the requirements for cyber at the tactical level, employment of tactical cyber may be better focused on delivering supporting capabilities like offensive counterintelligence (OFCO), military deception (MILDEC) and military information support operations (MISO), or more sophisticated versions of traditional Electronic Warfare missions, though these functions are also limited by rigid approval processes. Enabling a tactical cyber capability may also mean pushing those authorities down as well, which implies there needs to be more work done into thinking how to best dovetail these operations in, around, and with cyber operations.

Importantly, once battlespace control measures for tactical cyber are defined, experimentation on robust tactical cyber capabilities meets both the practical and policy issues can begin. Tactical effects must meet battalion level and below situational needs and achieve quick, concrete, and limited effects for tactical commanders. As previously mentioned, some capabilities will be inherently limited to the tactical commander, but these limitations do not take all cyber options off the table.

Cyber operations that cross national boundaries or combatant commander (CCDR) areas of responsibility (AOR), involve systems in neutral or friendly countries, or otherwise have diplomatic, political or military sensitivities must remain the province of US Cyber Command.[14] Retaining some cyber effects at the strategic level does not mean that tactical forces should walk away from cyber effects in their planning.

A good rule of thumb moving forward should be that if a capability openly exists in the civilian market, and employment will meet all requirements, it should be available to tactical commanders. When tactical commanders are given the power of life and death in their employment of kinetic weapons systems, higher leadership should not limit them from employing an openly available system that can achieve the identical effect without destroying infrastructure or risking civilian lives.

Once tactical cyber techniques are designed and implemented to be useful to a tactical commander, we still need to design and implement appropriate rules of engagement (ROE). In line with employment of kinetic force, ROE would include a process for damage estimation that may escalate approval levels if the consequences of the cyber activity exceed pre-approved limits to ensure higher scrutiny of cyber effects. This ROE process needs to normalize the cyber processes in line with other capabilities so that tactical commanders do not need to distinguish between IO, EW, Cyber or kinetic options in their planning and execution. Capabilities should not be forced into stovepipes, rather they should be employed holistically to achieve synchronized effects.

The to do list for developing concrete capabilities, controls, and rules before tactical cyber capabilities are pushed to tactical commanders is daunting. Nevertheless, the U.S. military needs to start developing an effective tactical cyber doctrine if it ever hopes to be effective. Focusing on strategic capabilities while complaining about authorities is not a valid plan of action. This article attempted to describe the box any successful tactical cyber capability has to fit in. The list should drive a realistic approach by services to develop, acquire and employ tactical cyber capabilities. The recent experience of facing less technologically advanced adversaries has made it easy to shrug off issues involved with cyber capabilities at the tactical level. History demonstrates what worked in the last war will rarely work in future wars. Operating in the cyber domain is new for all services, but its complexity and unfamiliarity should drive testing and experimentation, not prevent the development of viable tools that can be used at every level of war. We need to start doing our homework, as the next major security challenge America faces will likely involve an adversary who will have already done their homework on effective employment of tactical cyber.

[1] Stokes, Paul. "The MEB Cyber Warfare Cell." Marine Corps Gazette 97.9 (2013): 68--71. Web. 16 July 2014.

[2]Shachtman, Noah. "Darpa Looks to Make Cyberwar Routine With Secret ‘Plan X’ | Danger Room | WIRED." Wired.com. Conde Nast Digital, 19 Aug. 2012. Web. 16 July 2014

[3] Leed, Maren. Offensive Cyber Capabilities at the Operational Level the Way Ahead. Washington, D.C.: Center for Strategic & International Studies, 2013. Center for Strategic and International Studies. CSIS, 1 Sept. 2013. Web. 16 July 2014.

[4]Reed, John. "Cyber Command Fielding 13." Foreign Policy. Foreign Policy, 12 Mar. 2013. Web. 16 July 2014.

[5]Pellerin, Cheryl. "United States Department of Defense." Marines Focused at Tactical Edge of Cyber, Commander Says. DOD, 10 June 2013. Web. 16 July 2014.

[6]"Cyber Flag Exercise Highlights Teamwork, Training." Defense.gov News Article. Department of Defense, 19 Nov. 2013. Web. 01 Aug. 2014.<http://www.defense.gov/news/newsarticle.aspx?id=121179>

[7]Department of Defense Cyberspace Policy Report A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934. Rep. Department of Defense, 1 Nov. 2011. Web. 16 July 2014.

[8]Gorman, Siobahn, Yochi J. Drezan, and August Cole. "Insurgents Hack U.S. Drones."The Wall Street Journal. Dow Jones & Company, 17 Dec. 2009. Web. 16 July 2014.

[9] "Cyber Space Played Key Role in 26/11 Mumbai Attack: US Commander." The Economic Times. Bennett, Coleman & Co, 16 May 2012. Web. 16 July 2014.



[12]"Plan X." DARPA. Department of Defense, n.d. Web. 16 July 2014.

[13] "WiMAX." Wikipedia. Wikimedia Foundation, 16 July 2014. Web. 16 July 2014.

[14]Nakashima, Ellen. "Pentagon to Boost Cybersecurity Force." Washington Post. The Washington Post Company, 27 Jan. 2013. Web. 16 July 2014.

Lieutenant Colonel Andrew Metcalf (Ret.) was the Staff Judge Advocate for Marine Forces Cyberspace Command, he has decades of experience in operational law, cybersecurity, and military justice. His views are his own and do not reflect Marine Forces Cyberspace Command, The Marine Corps, or the Department of Defense.

Captain Christopher Barber is a staff officer at Marine Forces Cyberspace Command, he previously served with 2D Battalion 9TH Marines in Marjah, Afghanistan for two tours as the battalion intelligence officer and scout sniper platoon commander. His views are his own and do not reflect Marine Forces Cyberspace Command, the Marine Corps, or the Department of Defense.

No comments: