Military Review English Edition May-June 2014 | Page 13

OFFENSIVE CYBERSPACE OPERATIONS

planning. However, successful integration of OCO can enable a JTF to expand its reach beyond what traditional fires assets would allow, and to husband those assets for more suitable targets.

Consolidated legal review. The legal challenges facing a JTCB seem daunting, but the board can address them in a way that satisfies the combatant commander’s requirements. While the details of rules of engagement and target legitimacy reside in the realm of law, it is, especially with new technologies, a subjective field. The use of two distinct legal processes—in the target development and prioritization process described in Joint Publication 3-60 and the acquisitions process described in DODD 5000.01—to approve the development and employment of a cyber weapon is redundant and overuses scarce legal resources.

Instead, USCYBERCOM should conduct both legal reviews. The legal review during target development and prioritization should be skipped for cyberspace targets. USCYBERCOM should conduct an initial and final LOAC review while coordinating with the JTCB during the cyber weapon development. Moreover, since cyber weapons are custom crafted to engage a specific target, the legal team can conduct the legal reviews mandated by DODD 5000.01 as well as target validation. USCYBERCOM, in coordination with the cyberspace representative, should have the technical expertise to review and assist in the weapon development. This will enhance the effectiveness of OCO development and employment. Furthermore, since the legal review team is not part of the combatant command, there is less opportunity for “group think” or command influence to warp the process.

Conclusion

OCO offer potent tools for a combatant command or JTF commander. However, our own internal friction—manifested as misunderstanding, inaccessibility, and slowly evolving processes—has not allowed us to take full advantage of these capabilities.
None of the solutions described above are particularly costly, nor do they involve purchasing equipment or adding to the force structure. Rather, they focus on developing our people and processes so they are more prepared to engage an adversary in all domains. While implementing these solutions would be a long-term effort, delaying implementation only would enable the problem to fester, effectively denying use of OCO to joint force commanders.