For other versions of this document, see http://wikileaks.org/wiki/CRS-RL31787 ------------------------------------------------------------------------------ ¢ ¢ ¢ ¢ ¢ Prepared for Members and Committees of Congress ¢ ¢ This report describes the emerging areas of information operations, electronic warfare, and cyberwar in the context of U.S. national security. It also suggests related policy issues of potential interest to Congress. For military planners, the control of information is critical to military success, and communications networks and computers are of vital operational importance. The use of technology to both control and disrupt the flow of information has been generally referred to by several names: information warfare, electronic warfare, cyberwar, netwar, and Information Operations (IO). Currently, IO activities are grouped by the Department of Defense (DOD) into five core capabilities: (1) Psychological Operations, (2) Military Deception, (3) Operational Security, (4) Computer Network Operations, and (5) Electronic Warfare. Current U.S. military doctrine for IO now places increased emphasis on Psychological Operations, Computer Network Operations, and Electronic Warfare, which includes use of non- kinetic electromagnetic pulse (EMP) weapons, and non-lethal weapons for crowd control. However, as high technology is increasingly incorporated into military functions, the boundaries between all five IO core capabilities are becoming blurred. DOD also acknowledges the existence of a cyber domain, which is similar to air, land, and sea. This new domain is the realm where military functions occur that involve manipulation of the electromagnetic spectrum. This report will be updated to accommodate significant changes. ¢ Introduction ..................................................................................................................................... 1 Background ............................................................................................................................... 1 Definitions ....................................................................................................................................... 2 Information................................................................................................................................ 2 DOD Information Operations ................................................................................................... 2 DOD Information Operations Core Capabilities ............................................................................. 3 Psychological Operations (PSYOP).......................................................................................... 3 Military Deception (MILDEC) ................................................................................................. 4 Operational Security (OPSEC) ................................................................................................. 4 Computer Network Operations (CNO) ..................................................................................... 4 Computer Network Defense (CND) ................................................................................... 5 Computer Network Exploitation (CNE) ............................................................................. 5 Computer Network Attack (CNA) ...................................................................................... 6 Electronic Warfare (EW)........................................................................................................... 6 Domination of the Electromagnetic Spectrum.................................................................... 7 Electromagnetic Non-Kinetic Weapons.............................................................................. 7 New U.S.A.F. Cyber Command ...................................................................................................... 8 Joint Command Structure for Cyberwarfare ................................................................................... 9 DOD and the U.S. Critical Infrastructure........................................................................................ 9 Information Operations by Adversaries......................................................................................... 10 Attribution for Cyberattack: Estonia, April 2007 ...........................................................................11 Law and Proportionality for Information Operations.....................................................................11 Cyberwarrior Education ................................................................................................................ 12 Policy Issues .................................................................................................................................. 13 Current Legislation........................................................................................................................ 14 Author Contact Information .......................................................................................................... 14 ¢ Control of information has always been part of military operations, and the U.S. Strategic Command views information operations as a core military competency, with new emphasis on (1) use of electromagnetic energy, (2) cyber operations, and (3) use of psychological operations to manipulate an adversary's perceptions. Department of Defense (DOD) officials now consider cyberspace to be a domain for warfare, similar to air, space, land, and sea.1 Each service has organizations with Information Operations (IO) and Electronic Warfare (EW) responsibilities: (1) the Naval Network Warfare Command (NETWARCOM) is the Navy's central operational authority for space, information technology requirements, network and information operations in support of naval forces afloat and ashore;2 (2) the Army Reserve Information Operations Command has responsibility for conducting information operations, the U.S. Army IO Proponent is responsible for developing requirements for IO doctrine and training, and the Army Intelligence and Electronic Warfare Directorate provides testing services for Electronic Warfare;3 and finally, (3) the Air Force has created a new Cyber Command with responsibility for its portion of cyberwarfare, electronic warfare, and protection of U.S. critical infrastructure networks that support telecommunications systems, utilities, and transportation.4 The DOD views information itself as both a weapon and a target in warfare. In particular, Psychological Operations (PSYOP) provides DOD with the ability to rapidly disseminate persuasive information to directly influence the decision making of diverse audiences, and is seen as a means for deterring aggression, and important for undermining the leadership and popular support for terrorist organizations.5 However, a 2006 report by the Rand Corporation describes how IO can also affect audiences outside of the intended target, stating, ... in contingencies involving an opponent, information operations planning and execution should include noncombatant considerations that may have nothing to do with affecting the enemy's activities or defending friendly force capabilities. In today's conflict environment the impact of information operations is seldom limited to two opposing sides. Second and 1 Jason Ma, "Information Operations To Play a Major Role in Deterrence Posture," Inside Missile Defense, December 10, 2003 http://www.insidedefense.com/secure/defense_docnum.asp?f=defense_2002.ask&docnum=MISSILE-9-25-4. Todd Lopez, Air Force Leaders to Discuss new `Cyber Command', Air Force News, November 5, 2006, http://www.8af.acc.af.mil/news/story_print.asp?storyID=123031988. 2 Naval Network Warfare Command, http://www.netwarcom.navy.mil/. 3 United States Army Information Operations Proponent, April 2007, http://usacac.army.mil/CAC/usaiop.asp. James E. McConville, U.S. Army Information Operations: Concept and Execution, Military Intelligence Professinal Bulletin, http://www.fas.org/irp/agency/army/mipb/1997-1/mcconvl.htm. U.S. Army Test and Evaluation Command, http://www.atec.army.mil/OTC%5Cwho_iewtd_is.htm. 4 Peter Buxbaum, Air Force Explores the Next Frontier, Government Computer News, February 19, 2007, http://www.gcn.com/print/26_04/43153-1.html. 5 DOD Information Operations Roadmap, October 30, 2004, p. 3. This document was declassified January 2006, and obtained through FOIA by the National Security Archive at George Washington University, http://www.gwu.edu/ ~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf. ¢ higher-order effects will most likely influence all parties in opposition, impact various and varied noncombatant groups, and be interpreted in different ways by members of the media and audiences worldwide.6 Thus, new technologies for military IO also create new national security policy issues, including (1) consideration of psychological operations used to affect friendly nations or domestic audiences; and (2) possible accusations against the U.S. of war crimes if offensive military computer operations or electronic warfare tools severely disrupt critical civilian computer systems, or the systems of non-combatant nations. Because of the new communications technologies and the growth of the Internet, EW and IO have taken on new importance. Insurgents use cell phones and other electronic devices to detonate roadside bombs, and afterwards transmit video images of successful attacks against U.S. troops for broadcast on the local news or the Internet to influence public opinion about the future outcome of the War. In some cases, populations may have these video broadcasts or local TV news stories in their native language as their only source of information. DOD is seeking methods to counter these actions where violence may be seen as secondary to the use and manipulation of information. This report describes DOD capabilities for conducting military information operations, and gives an overview of related policy issues. Information is a resource created from two things: phenomena (data) that are observed, plus the instructions (systems) required to analyze and interpret the data to give it meaning. The value of information is enhanced by technology, such as networks and computer databases, which enables the military to (1) create a higher level of shared awareness, (2) better synchronize command, control, and intelligence, and (3) translate information superiority into combat power. The current DOD term for military information warfare is "Information Operations" (IO). DOD information operations are actions taken during time of crisis or conflict to affect adversary information, while defending one's own information systems, to achieve or promote specific objectives.7 The focus of IO is on disrupting or influencing an adversary's decision-making processes. 6 Russell Glenn, Heavy Matter: Urban Operations' Density of Challenges, Rand Monograph Report, Turning Density to Advantage: C4ISR and Information Operations as Examples, Ch. 4, p. 25, http://www.rand.org/pubs/ monograph_reports/MR1239/MR1239.ch4.pdf. 7 From the DOD Dictionary of Military and Associated Terms, January 2003, http://www.dtic.mil/doctrine/jel/doddict/ data/i/index.html. ¢ An IO attack may take many forms, for example: (1) to slow adversary computers, the software may be disrupted by transmitting a virus or other malicious code; (2) to disable sophisticated adversary weapons, the computer circuitry may be overheated with directed high energy pulses; and (3) to misdirect enemy sensors, powerful signals may be broadcast to create false images. Other methods for IO attack may include psychological operations such as initiating TV and radio broadcasts to influence the opinions and actions of a target audience, or seizing control of network communications to disrupt an adversary's unity of command. Computer Network Defense (CND) is the term used to describe activities that are designed to protect U.S. forces against IO attack from adversaries. Part of CND is information assurance (IA), which requires close attention to procedures for what is traditionally called computer and information security. DOD places new emphasis on the importance of dominating the entire electromagnetic spectrum with methods for computer network attack and electronic warfare. DOD also emphasizes that because networks are increasingly the operational center of gravity for warfighting, the U.S. military must be prepared to "fight the net".8 Because the recently declassified source document containing this phrase has some lines blacked out, it is not clear if "...net" means the Internet. If so, then this phrase may be a recognition by DOD that Psychological Operations, including public affairs work and public diplomacy, must be employed in new ways to counter the skillful use of the Internet and the global news media by U.S. adversaries. DOD identifies five core capabilities for conduct of information operations; (1) Psychological Operations, (2) Military Deception, (3) Operations Security, (4) Computer Network Operations, and (5) Electronic Warfare. These capabilities are interdependent, and increasingly are integrated to achieve desired effects. ¢ DOD defines PSYOP as planned operations to convey selected information to targeted foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals.9 For example, during the Operation Iraqi Freedom (OIF), broadcast messages were sent from Air Force EC-130E aircraft, and from Navy ships operating in the Persian Gulf, along with a barrage of e-mail, faxes, and cell phone calls to numerous Iraqi leaders encouraging them to abandon support for Saddam Hussein. At the same time, the civilian Al Jazeera news network, based in Qatar, beams its messages to well over 35 million viewers in the Middle East, and is considered by many to be a "market competitor" for U.S. PSYOP. Terrorist groups can also use the Internet to quickly place their own messages before an international audience. Some observers have stated that the U.S. will continue 8 DOD Information Operations Roadmap, October 30, 2003, p. 6-7, http://www.gwu.edu/~nsarchiv/NSAEBB/ NSAEBB177/info_ops_roadmap.pdf. 9 DOD Dictionary of Military Terms, http://www.dtic.mil/doctrine/jel/doddict/. ¢ to lose ground in the global media wars until it develops a coordinated strategic communications strategy to counter competitive civilian news media, such as Al Jazeera.10 Partly in response to this observation, DOD now emphases that PSYOP must be improved and focused against potential adversary decision making, sometimes well in advance of times of conflict. Products created for PSYOP must be based on in-depth knowledge of the audience's decision-making processes. Using this knowledge, the PSYOPS products then must be produced rapidly, and disseminated directly to targeted audiences throughout the area of operations.11 DOD policy prohibits the use of PSYOP for targeting American audiences. However, while military PSYOP products are intended for foreign targeted audiences, DOD also acknowledges that the global media may pick up some of these targeted messages, and replay them back to the U.S. domestic audience. Therefore, a sharp distinction between foreign and domestic audiences cannot be maintained.12 ¢ Deception guides an enemy into making mistakes by presenting false information, images, or statements. MILDEC is defined as actions executed to deliberately mislead adversary military decision makers with regard to friendly military capabilities, thereby causing the adversary to take (or fail to take) specific actions that will contribute to the success of the friendly military operation. As an example of deception during Operation Iraqi Freedom (OIF), the U.S. Navy deployed the Tactical Air Launched Decoy system to divert Iraqi air defenses away from real combat aircraft. ¢ OPSEC is defined as a process of identifying information that is critical to friendly operations and which could enable adversaries to attack operational vulnerabilities. For example, during OIF, U.S. forces were warned to remove certain information from DOD public websites, so that Iraqi forces could not exploit sensitive but unclassified information. CNO includes the capability to: (1) attack and disrupt enemy computer networks; (2) defend our own military information systems; and (3) exploit enemy computer networks through intelligence collection, usually done through use of computer code and computer applications. The Joint Information Operations Warfare Command (JIOWC) and the Joint Functional Component Command for Network Warfare (JFCCNW) are responsible for the evolving mission of Computer 10 Air Force, Operation Iraqi Freedom Information Operations Lessons Learned: First Look, AFC2ISRC/CX, July 23, 2003, http://www.insidedefense.com/secure/data_extra/pdf3/dplus2004_265.pdf. 11 DOD Information Operations Roadmap, October 30, 2003, p. 6, http://www.gwu.edu/~nsarchiv/NSAEBB/ NSAEBB177/info_ops_roadmap.pdf. 12 DOD Information Operations Roadmap, October 30, 2003, p. 26, http://www.gwu.edu/~nsarchiv/NSAEBB/ NSAEBB177/info_ops_roadmap.pdf. ¢ Network Attack.13 The exact capabilities of the JIOWC and JFCCNW are highly classified, and DOD officials have reportedly never admitted to launching a cyber attack against an enemy, however many computer security officials believe the organization can destroy networks and penetrate enemy computers to steal or manipulate data, and take down enemy command-and- control systems. They also believe that the organization consists of personnel from the CIA, National Security Agency, FBI, the four military branches, and civilians and military representatives from allied nations.14 CND is defined as defensive measures to protect information, computers, and networks from disruption or destruction. CND includes actions taken to monitor, detect, and respond to unauthorized computer activity. Responses to IO attack against U.S. forces may include use of passive information assurance tools, such as firewalls or data encryption, or may include more intrusive actions, such as monitoring adversary computers to determine their capabilities before they can attempt an IO attack against U.S. forces. Some DOD officials believes that CND may lack sufficient policy and legal analysis for guiding appropriate responses to intrusions or attacks on DOD networks. Therefore, DOD has recommended that a legal review be conducted to determine what level of intrusion or data manipulation constitutes an attack. The distinction is necessary in order to clarify whether an action should be called an attack or an intelligence collection operation, and which aggressive actions can be appropriately taken in self-defense. This legal review should also determine if appropriate authorities permit U.S. forces to retaliate through manipulation of unwitting third party computer hosts. And finally, DOD has recommended structuring a legal regime that applies separately to domestic and to foreign sources of computer attack against DOD or the U.S. critical. infrastructure.15 ¡ CNE is an area of IO that is not yet clearly defined within DOD. Before a crisis develops, DOD seeks to prepare the IO battlespace through intelligence, surveillance, and reconnaissance, and through extensive planning activities. This involves intelligence collection, that in the case of IO, is usually performed through network tools that penetrate adversary systems to gain information about system vulnerabilities, or to make unauthorized copies of important files. Tools used for CNE are similar to those used for computer attack, but configured for intelligence collection rather than system disruption. 13 John Lasker, U.S. Military's Elite Hacker Crew, Wired News, April 18, 2005, http://www.wired.com/news/privacy/ 0,1848,67223,00.html, U.S. Strategic Command Fact File http://www.stratcom.mil/fact_sheets/fact_jtf_gno.html and http://www.stratcom.mil/fact_sheets/fact_jioc.html. 14 John Lasker, U.S. Military's Elite Hacker Crew, April 18, 2005, Wired News, http://www.wired.com/news/privacy/ 0,67223-0.html?tw=wn_story_page_prev2. 15 DOD Information Operations Roadmap, October 30, 2003, p. 52. http://www.gwu.edu/~nsarchiv/NSAEBB/ NSAEBB177/info_ops_roadmap.pdf. ¢ CNA is defined as effects intended to disrupt or destroy information resident in computers and computer networks. As a distinguishing feature, CNA normally relies on a data stream used as a weapon to execute an attack. For example, sending a digital signal stream through a network to instruct a controller to shut off the power flow is CNA, while sending a high voltage surge through the electrical power cable to short out the power supply is considered Electronic Warfare (However, a digital stream of computer code or a pulse of electromagnetic power can both be used to also create false images in adversary computers). During Operation Iraqi Freedom, U.S. and coalition forces reportedly did not execute any computer network attacks against Iraqi systems. Even though comprehensive IO plans were prepared in advance, DOD officials stated that top-level approval for several CNA missions was not granted until it was too late to carry them out to achieve war objectives.16 U.S. officials may have rejected launching a planned cyber attack against Iraqi financial computers because Iraq's banking network is connected to a financial communications network also located in Europe. Consequently, according to Pentagon sources, an information operations attack directed at Iraq might also have brought down banks and ATM machines located in parts of Europe as well. Such global network interconnections, plus close network links between Iraqi military computer systems and the civilian infrastructure, reportedly frustrated attempts by U.S. forces to design a cyber attack that would be limited to military targets only in Iraq.17 In a meeting held in January 2003, at the Massachusetts Institute of Technology, White House officials sought input from experts outside government on guidelines for use of cyber-warfare. Officials have stated they are proceeding cautiously, since a cyberattack could have serious cascading effects, perhaps causing major disruption to networked civilian systems.18 In February 2003, the Bush Administration announced national-level guidance for determining when and how the United States would launch computer network attacks against foreign adversary computer systems. The classified guidance, known as National Security Presidential Directive 16, is intended to clarify circumstances under which a disabling computer attack would be justified, and who has authority to launch such an attack. EW is defined by DOD as any military action involving the direction or control of electromagnetic spectrum energy to deceive or attack the enemy. High power electromagnetic energy can be used as a tool to overload or disrupt the electrical circuitry of almost any equipment that uses transistors, micro-circuits, or metal wiring.19 Directed energy weapons amplify, or disrupt, the power of an electromagnetic field by projecting enough energy to overheat and permanently damage circuitry, or jam, overpower, and misdirect the processing in computerized systems. The Electronic Warfare Division of the Army Asymmetric Warfare Office 16 Elaine Grossman, "Officials: Space, Info Targets Largely Cobbled On-The-Fly for Iraq," Inside the Pentagon, May 29, 2003. 17 Charles Smith, "U.S. Information Warriors Wrestle with New Weapons," NewsMax.com, March 13, 2003 http://www.newsmax.com/archives/articles/2003/3/12/134712.shtml. 18 Bradley Graham, "Bush Orders Guidelines for Cyber-Warfare," Washington Post, February 7, 2003, Section A, p. 1. 19 CRS Report RL32544, High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments, by Clay Wilson. ¢ has responsibility for creating electronic warfare policy, and for supporting development of new electromagnetic spectrum concepts that can be translated into equipment and weapons. DOD now emphasizes maximum control of the entire electromagnetic spectrum, including the capability to disrupt all current and future communication systems, sensors, and weapons systems. This may include: (1) navigation warfare, including methods for offensive space operations where global positioning satellites may be disrupted; or, (2) methods to control adversary radio systems; and, (3) methods to place false images onto radar systems, block directed energy weapons, and misdirect unmanned aerial vehicles (UAVs) or robots operated by adversaries.20 For example, recent military IO testing examined the capability to secretly enter an enemy computer network and monitor what their radar systems could detect. Further experiments tested the capability to take over enemy computers and manipulate their radar to show false images.21 Non-kinetic weapons emit directed electromagnetic energy that, in short pulses, may permanently disable enemy computer circuitry. For example, an electromagnetic non-kinetic weapon mounted in an aircraft, or on the ground, might disable an approaching enemy missile by directing a High Power Microwave (HPM) beam that burns out the circuitry, or that sends a false telemetry signal to misdirect the targeting computer.22 Also, at reduced power, electromagnetic non-kinetic weapons can also be used as a non-lethal method for crowd control. The Active Denial System (ADS), developed by the Air Force, is a vehicle-mounted nonlethal, counter-personnel directed energy weapon. Currently, most non-lethal weapons for crowd control, such as bean-bag rounds, utilize kinetic energy. However, the ADS projects a focused beam of millimeter energy waves to induce an intolerable burning sensation on an adversary's skin, repelling the individual without causing injury. Proponents say the ADS is safe and effective at ranges between 50 and 1,600 feet. The nonlethal capabilities of the ADS are designed to protect the innocent, minimize fatalities, and limit collateral damage.23 The Pentagon reportedly has requested immediate deployment of at least 8 ADS devices to Iraq to assist Marines in guarding posts, countering insurgent snipers and protecting convoys. The ADS system would be the first operationally deployed directed-energy weapon for counter-personnel missions.24 20 DOD Information Operations Roadmap, October 30, 2003, p. 61. http://www.gwu.edu/~nsarchiv/NSAEBB/ NSAEBB177/info_ops_roadmap.pdf. 21 These programs were called Suter 1 and Suter 2, and were tested during Joint Expeditionary Forces Experiments held at Nellis Air Force Base in 2000 and 2002. David Fulghum, "Sneak Attack," Aviation Week & Space Technology, June 28, 2004, p. 34. 22 David Fulghum, "Sneak Attack," Aviation Week & Space Technology, June 28, 2004, p. 34. 23 Active Denial System, Fact Sheet, Air Force Research Lab, Office of Public Affairs, Kirtland Air Force Base, http://www.de.afrl.af.mil/Factsheets/ActiveDenial.pdf. 24 Jason Sherman, Pentagon Considering Sending Non-Lethal Ray Gun to Iraq, Inside Defense, March 2, 2007. ¢ ¢ The Air Force is not laying claim to the cyber domain, but their new mission statement indicates they are building a force to operate in that domain. Secretary of the Air Force Michael W. Wynne recently stated that the new mission of the U.S. Air Force is to "fly and fight in air, space, and cyberspace." For the Air Force, this means that military action in cyberspace now includes defending against malicious activity on the Internet, and anywhere across the entire electromagnetic spectrum (including the energy spectrum bands for radio, microwaves, infrared, X-ray, and all other options for directed energy), where national security is threatened.25 Secretary Wynne stated that cyberwarfare flows naturally from the Air Force's traditional missions, such as downloading data from platforms in space, and that U.S. capabilities should be expanded to also enable the shut down of enemy electronic networks. Consequently, the 8th Air Force, headquartered at Barksdale Air Force Base, La., has been designated as the operational Cyber Command, responsible for organizing, training, and equipping the Air Force for cyberspace operations.26 The new Cyber Command will draw on resources from all Air Force commands to gather needed expert capabilities. Air Force officials, led by the Air Force Chief of Staff Gen. Michael Mosley, met at the Pentagon in a "cyberwarfare-themed summit" during November 2006, to make plans for the new Air Force Cyber Command.27 General Elder stated that the planning session will include an assessment of cyberwarfare requirements to defend the nation.28 Homeland security reportedly will also be a large part of the Cyber Command's new responsibility, including protection of telecommunications systems, utilities, and transportation. Several issues to be considered may include: (1) what kind of educational skills, technical skills, and training are needed for staff at the Cyber Command; and (2), what kind of career path can be offered to those in the Air Force who want to participate in defending the new cyber domain. In addition, the Air Force Materiel Command will review the research now ongoing at the 8th Air Force headquarters to identify which work should receive funding as part of the new cyberwarfare function.29 Some examples of systems or projects that could be affected by the cyber command mission include (1) the Airborne Laser System at Edwards AFB, (2) the Active Denial System at Moody AFB, (3) the Joint Surveillance Target Attack Radar System at Robins AFB, and (4) efforts to protect against damage to computer systems due to electromagnetic pulse attack. Officials at the 8th Air Force report that as of January 2007, the new U.S.A.F. cyber command has not yet been officially activated, and the final command structure has not been determined.30 25 John Bennett and Carlo Munoz, USAF Sets Up First Cyberspace Command, Military.com, November 4, 2006, http://www.military.com/features/0,15240,118354,00.html. 26 Todd Lopez, 8th Air Force to become New Cyber Command, Air Force Link, November 3, 2006, http://www.af.mil/ news/story.asp?storyID=123030505. Dave Ahearn, Air Force Forms Cyberspace Unit, Defense Daily, November 3, 2006. 27 Contact for Dr. Lani Kass, Director of Air Force Cyberspace Task Force, and Special Assistant to General Michael Moseley, is through Maj. Gary Conn, Gary.Conn@pentagon.af.mil, 703-697-3143. 28 Personal communication with Air Force Public Affairs Office, January 26, 2007. 29 Head Quarters at Wright Patterson AFB, 937-522-3252, http://www.wpafb.af.mil/. 30 Personal communication, Public Affairs Office at the 8th Air Force, which can be reached at 318-456-2145, (continued...) ¢ Initially, the new organization will operate on an equal footing with other numbered Air Force headquarters. However, eventually the new organization will become a major command that will stand alongside the Air Force Space Command and the Air Combat Command. Precise future command relationships are still being decided in the ongoing planning effort, and more details will be forthcoming.31 ¢ Currently, the U.S. Strategic Command (USSTRATCOM), which is a unified combatant command for U.S. strategic forces, controls military information operations, space command, strategic warning and intelligence assessments, global strategic operations planning, and also has overall responsibility for Computer Network Operations (CNO).32 Beneath USSTRATCOM are several Joint Functional Component Commands (JFCCs): (1) space and global strike integration; (2) intelligence, surveillance and reconnaissance; (3) network warfare; (4) integrated missile defense; and (5) combating weapons of mass destruction.33 The JFCC-Network Warfare (JFCC-NW), and the JFCC-Space & Global Strike (JFCC-SGS) have responsibility for overall DOD cyber security, while the Joint Task Force-Global Network Operations (JTF-GNO) and the Joint information Operations Warfare Center (JIOWC) both have direct responsibility for defense against cyber attack.34 The JTF-GNO defends the DOD Global Information Grid, while the JIOWC assists combatant commands with an integrated approach to information operations. These include operations security, psychological operations, military deception, and electronic warfare. The JIOWC also coordinates network operations and network warfare with the JTF-GNO and with JFCC-NW. DOD officials have noted that because 80 percent of U.S. commerce goes through the Internet, DOD systems must develop a capability to adequately protect them.35 Currently, to assist commercially-owned telecommunications networks, communications satellite systems, and other civilian critical infrastructure systems, DOD contracts with Carnegie Mellon's Software Engineering Institute to operate the Computer Emergency Response Team (CERT-CC), while DHS in partnership with private industry operates a parallel organization called US-CERT. Both organizations monitor trends in malicious code and cyber crime, send out alerts about threats to computer systems, and provide guidance for recovery after an attack. (...continued) http://www.8af.acc.af.mil. 31 Personal communication with Air Force Public Affairs Office, January 26, 2007. 32 The Public Affairs Office for the Air Force at the Pentagon can be contacted at 703-571-2776. 33 United State Strategic Command, July 2006, http://www.stratcom.mil/organization-fnc_comp.html. 34 Clark A. Murdock et al., Beyond Goldwater-Nichols: U.S. Government and Defense Reform for a New Strategic Era, Phase 2 Report, July 2005, Center for Strategic and International Studies, p. 128, http://www.ndu.edu/lIbrary/docs/ BeyondGoldwaterNicholsPhase2Report.pdf. 35 John Doyle, Air Force To Elevate Status Of Cyberspace Command, Aerospace Daily & Defense Report, March 22, 2007. ¢ ¢ The low cost of entry (for example, a laptop connected to the Internet), and the ability to operate anonymously, are factors that makes cyberspace attractive to adversaries who know they cannot challenge the United States in a symmetrical contest. Potential adversaries, such as China, Russia, Cuba, Iran, Iraq, Libya, North Korea, and several non-state terrorist groups are reportedly developing capabilities to attack or degrade U.S. civilian and military networks. "Moonlight Maze" and "Titan Rain" are examples of successful attacks against non-classified military systems which DOD officials claim were directed by other governments.36 According to the Defense Department's annual report to Congress on China's military prowess, the Chinese military is enhancing its information operations capabilities.37 The report finds that China is placing specific emphasis on the ability to perform information operations designed to weaken an enemy force's command and control systems.38 Terrorist groups also use wireless electronics to detonate roadside bombs (Improvised Explosive Devices). They also use the Internet to transmit financial transactions, and use free Global Positioning System (GPS) signals and commercial satellite video and images to direct their ground attacks against U.S. and coalition troops.39 Reportedly, only a small portion of the Iraqi populace watch and listen to the current government run television and radio news broadcasts, with the majority preferring instead to support the foreign satellite news stations such as Al-Jazeera and Al-Arabiya. Observers say that most Arabs believe that U.S. sponsored news broadcasts are managed too closely by the coalition powers and do not objectively present the news. When the Iraqi Governing Council (IGC) prohibited Al- Jazeera and Al-Arabiya from covering all IGC events during a short period in early 2004, this action reportedly gave many Iraqi people the impression that the Coalition Provisional Authority (CPA) was manipulating their information.40 Some observers have also stated that terrorist groups, through use of the Internet, are now challenging the monopoly over mass communications that both state-owned and commercial media have long exercised. A strategy of the terrorists is to propagate their messages quickly and repeat them until they have saturated cyberspace. Internet messages by terrorist groups have become increasingly sophisticated through use of a cadre of Internet specialists who operate 36 Elinor Abreu, Epic cyberattack reveals cracks in U.S. defense, CNN.com, May 10, 2001, http://archives.cnn.com/ 2001/TECH/internet/05/10/3.year.cyberattack.idg/. Declan McCullagh, Feds Say Fidel Is Hacker Threat, WiredNews.com, February 9, 2001, http://www.wired.com/news/politics/0,1283,41700,00.html. Staff, Cyberattack could result in military response, USAToday, February 14, 2002, http://www.usatoday.com/tech/news/2002/02/14/ cyberterrorism.htm. 37 See the FY2004 Report to Congress on PRC Military Power, http://www.defenselink.mil/pubs/d20040528PRC.pdf. 38 John Bennett, "Commission: U.S. Should Push Beijing to up Pressure on North Korea," Inside the Pentagon, June 17, 2004. 39 Daniel Helmer, The Poor Man's FBCB2: R U Ready 4 the 3G Celfone?, Armor, November/December 2006, p. 7. 40 Maj. Patrick Mackin, Information Operations and the Global War on Terror: The Joint Force Commander's Fight for Hearts and Minds in the 21st Century, Joint Military Operations Department, Naval War College, September 2, 2004, p. 14. ¢ computer servers worldwide. Other observers have also stated that al-Qaeda now relies on a Global Islamic Media Unit to assist with its public outreach efforts.41 ¢ A persistent problem after a computer network attack is accurate and timely identification of the attacker. This uncertainty may affect decisions about how and against whom, or even whether, to retaliate. On April 27, 2007, officials in Estonia moved a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis. The move stirred emotions, and soon incited rioting by ethnic Russians, and the blockading of the Estonian Embassy in Moscow. The event also marked the beginning of a series of large and sustained Distributed Denial-Of-Service (DDOS) attacks launched against several Estonian national websites, including government ministries and the prime minister's Reform Party.42 The attacks were described as crippling, owing to the limited IT resources of Estonia. Initially, the Russian government was blamed by Estonian officials for the cyberattacks, but it is unclear whether the attacks are sanctioned or initiated by the Russian government. NATO sent computer security experts to Estonia to help protect government systems against continued attacks, and to help recover from the attacks. However, some analysts later concluded that the cyber attacks targeting Estonia were not a concerted attack, but instead were the product spontaneous anger from a loose federation of separate attackers. Technical data showed that sources of the attack were worldwide rather than concentrated in a few locations. The computer code that caused the DDOS attack was posted and shared in many Russian language chat rooms, where the moving of the statue was a very emotional topic for discussion. These analysts state that although various Estonian government agencies were taken offline, there was no apparent attempt to target national critical infrastructure other than internet resources, and no extortion demands were made. Their analysis concluded that there was no Russian government connection to the attacks against Estonia.43 ¢ The new Air Force Cyber Command reportedly will follow the law of Armed Conflict, meaning a response taken after receiving an electronic or cyber attack will be scaled in proportion to the attack received, and distinctions will be maintained between combatants and civilians.44 However, 41 Jacquelyn S. Porth, Terrorists Use Cyberspace as Important Communications Tool, U.S. Department of State, USInfo.State.Gov, May 5, 2006, http://usinfo.state.gov/is/Archive/2006/May/08-429418.html. 42 Robert Vamosi, Cyberattack in Estonia--what it really means, CnetNews.com, May 29, 2007, http://news.com.com/ Cyberattack+in+Estonia-what+it+really+means/2008-7349_3-6186751.html. 43 Estonian DDoS--a final analysis, Heise Security, http://www.heise-security.co.uk/news/print/90461. 44 The Law of Armed Conflict (LOAC) is a part of public international law that regulates the conduct of armed hostilities between nations, and is intended to protect civilians, the wounded, sick, and shipwrecked. LOAC training for U.S. military is a treaty obligation for the United States under provisions of the 1949 Geneva Conventions. Also, under 18 U.S. Code 2441, war crimes committed by or against Americans may violate U.S. criminal law. James Baker, When Lawyers Advise Presidents in Wartime, Naval War College Review, Winter 2002, Vol. LV, No. 1. Terry Kiss, ed., Law (continued...) ¢ protection against attack through cyberspace is a new task for the military, and the offensive tools and other capabilities used by DOD to stage retaliatory strikes against enemy systems are highly classified. Experience has shown that a reactive defense is not very effective against increasingly powerful and rapid malicious cyber attacks, or against other malicious activity using the electromagnetic spectrum. A more effective defense against these attacks is to incorporate predictive, active, and pre-emptive measures that allow DOD defenders to prevent, deflect, or minimize the efforts of the attacker. ¢ As more U.S. military systems become computerized and linked to networks, there is a growing need for qualified Electronic Warfare operators.45 Each year, DOD conducts a Cyber Defense Exercise, where teams of students from the nation's military academies advance their cyber skills in practice competition where they deliberately hack into test networks, and also protect these test networks against intrusions by other teams. However, DOD must attract, train, and retain skilled information technology professionals beyond those enrolled in the military academies. In an attempt to solve this problem, the Air Force Research Laboratory (AFRL) Cyber Operations Branch offers a 10-week summer program each year for university students, consisting of intensive studies in cyber security. The Advanced Course in Engineering (ACE) Cyber Security Boot Camp has been held at Rome, NY for the past 4 years, and involves between 40 and 60 student applicants from Air Force and Army pre-commissioning programs, some National Science Foundation Cyber Corps Fellows, and some civilian college students. For 2006, the theme was "Cybercraft", described as a non-kinetic weapon platform that seeks dominance in cyberspace, corresponding to the new mission of the Air Force to `fly and fight in air, space, and cyberspace', according to program director Dr. Kamal Jabbour. Students study legal and policy issues, cryptography, computer network defense and attack, steganography, and analysis of malicious code. ACE students also spend an average of three days per week in internships at the Air Force Research Laboratory, or with local industry partners, and participate in officer development activities. The faculty for ACE is drawn from Syracuse University, West Point, and Norwich University. DHS and the National Science Foundation (NSF) have recognized the ACE program as an official internship program for Federal Cyber Service Scholarship for Service (SFS) program. The SFS program seeks to increase the number of skilled students entering the fields of information assurance and cyber security by funding universities to award 2-year scholarships in cyber security. Graduates are then required to work for a federal agency for two years. Recent ACE graduates are now working at the Air Force Office of Special Investigations, the AFRL, and the NSA. Also, as a result of ACE summer program success with college students, in September 2006, Syracuse University developed a special cyber security course to be offered in 12 high schools in (...continued) of Armed Conflict, Air University Library, Maxwell AFB, Jan 2005, http://www.au.af.mil/au/aul/bibs/loacots.htm. Josh Rogin, Air Force to Create Cyber Command, FCW.COM, November 13, 2006, http://www.fcw.com/article96791-11- 13-06-Print&printLayout. 45 Patience Wait, Army Shores up EM spectrum skills, Government Computer News, March 19, 2007. ¢ New Your State. Currently, Syracuse University offers 29 introductory cyber security courses in 148 high schools throughout New York, New Jersey, Maine, Massachusetts, and Michigan. High school students who successfully complete the cyber security courses can receive Syracuse college credits in computer science and engineering. ¢ Potential oversight issues for Congress may include the following areas. Could provocative actions, for example, intelligence gathering by the U.S. military that involves using intrusive cyber or electronic warfare tools to monitor enemy system activity, or copy important data files, be challenged by other nations as a violation of the law of Armed Conflict? Exploratory intrusions by U.S. military computers to gather intelligence may provoke other strong or unexpected responses from some countries or extremist groups that are targeted for monitoring by DOD. Several questions also may arise when considering a retaliatory cyber or electronic warfare counterstrike: (1) if the attacker is a civilian, should the attack be considered a law enforcement problem rather than a military matter?; (2) if a U.S. military cyberattack against a foreign government also disables civilian infrastructure, can it be legally justified?; or (3) how can the military be certain that a targeted foreign computer system has not been innocently set up to appear as an attacker by another third party attacker? Some observers have stated that success in future conflicts will depend less on the will of governments, and more on the perceptions of populations, and that perception control will be achieved and opinions shaped by the warring group that best exploits the global media.46 As a result of the increasingly sophisticated use of networks by terrorist groups and the potentially strong influence of messages carried by the global media, does DOD now view the Internet and the mainstream media as a possible threat to the success of U.S. military missions? How strongly will U.S. military PSYOP be used to manipulate public opinion, or reduce opposition to unpopular decisions in the future? Another emerging issue may be whether DOD is legislatively authorized to engage in PSYOP that may also affect domestic audiences.47 DOD Joint Publication 3-13, released February 2006, provides current doctrine for U.S. military Information Operations, and explains the importance of achieving information superiority.48 However, the DOD Information Operations Roadmap, published October 2003, states that PSYOP messages intended for foreign audiences increasingly are consumed by the U.S. domestic audience, usually because they can be re-broadcast through the global media. The Roadmap document states that, "...the distinction between foreign and domestic audiences becomes more a question of USG (U.S. Government) intent rather than information dissemination practices (by DOD)."49 This may be interpreted to mean that DOD has 46 Maj. Gen. Robert Scales (Ret), Clausewitz and World War IV, Armed Forces Journal, July 2006, p. 19. 47 Psychological Operations are authorized for the military under Title 10, USC, Subtitle A, Part I, Chapter 6, Section 167. 48 DOD Joint Publication 3-13, Information Operations, February 13, 2006, http://www.dtic.mil/doctrine/jel/new_pubs/ jp3_13.pdf. 49 DOD Information Operations Roadmap, October 30, 2003, p. 26. http://www.gwu.edu/~nsarchiv/NSAEBB/ (continued...) ¢ no control over who consumes PSYOP messages once they are re-transmitted by commercial media. H.R. 1585, the National Defense Authorization Act for Fiscal Year 2008, would require the Secretary of Defense to conduct a `quadrennial roles and missions review' for the Department of Defense, which will also include cyber operations. This bill was passed by House on 5/17/2007, and received in the Senate on 6/4/2007. H.Rept. 110-146, on H.R. 1585, by the Committee on Armed Services. This report states that within 180 days after enactment of the National Defense Authorization Act for 2008, the Secretary of Defense must submit a report to congressional defense committees, with the following requirements: 1. Review legal authorities to ensure effective cyberspace operations. 2. Review DOD's policies for information sharing and risk management for cyberspace operations. 3. Provide an overview of DOD's cyberspace organization, strategy, and programs. 4. Assess operational challenges, including the impact of the military's reliance on commercial communications infrastructure. 5. Recommend ways to improve DOD's ability to coordinate cyberspace operations with law enforcement, intelligence communities, the commercial sector, and with international allies. The recommendations shall include consideration of the establishment of a single joint organization for cyberspace operations. 6. Provide an overview of training and educational requirements. 7. Provide an overview of funding for cyberspace operations. Clay Wilson Specialist in Military Information Technology cwilson@crs.loc.gov, 7-8748 (...continued) NSAEBB177/info_ops_roadmap.pdf. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RL31787