As the Federation of American Scientists first pointed out earlier this week, the Defense Department has just posted an unclassified version of its joint military doctrine for cyberspace operations.
The document — Joint Publication 3-12 — was first issued in March 2013, but it was marked as secret. The new unclassified version doesn’t give any indication of what had to be scrubbed in order to make the publication safe for public viewing, but in general, it’s clear the department is trying to consolidate all of its thinking on cyberspace operations into one cohesive document. As the Government Accountability Office noted in 2011, cyber doctrine until recently has been scattered across 16 different joint pubs and dozens of other service-specific documents.
Much of the content in the unclassified version won’t be surprising to anyone who’s been watching the evolution of the Pentagon’s cyber policy over the last three years, and we won’t attempt to summarize all 70 pages here, but here are a few items of note:
The doctrine reiterates the U.S. government’s consistent position that the Department of Homeland Security has the lead for defending civilian agency and private sector networks — but not always. It asserts that a Presidential directive or unspecified “standing authorities” could allow DoD’s missions to “take primacy over, and subsume the standing missions of other departments or agencies.”
DoD cyber officials usually describe the military’s day-to-day defensive cyber mission in terms that suggest it’s mostly made up of passive countermeasures that are designed to defend its own networks from adversaries. But the doctrine makes clear that certain rules of engagement allow DoD to attack the attacker as part of that defensive mission, “and may rise to the level of use of force.”
Not surprisingly, the unclassified version includes comparatively little discussion about offensive cyber operations. But it strains to remind future commanders that the fact that they’re working in cyberspace doesn’t obviate the need to abide by the Law of War and other foreign treaty obligations. Cyber attacks by the U.S. military can only be directed at military targets, defined as “those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”
Overall, the publication makes a serious effort to translate cyberspace into the military’s familiar doctrinal lexicon, describes it in the same terms that generals think about when they’re pondering the six joint functions of warfare in the physical world, and paints the clearest picture that’s been publicly released to date as to how DoD plans to command and control its cyber forces.
But it also acknowledges the complexity of the military’s newest domain, with all the overlapping authorities, capabilities and interests that go along with it.
“Access to the Internet provides adversaries the capability to compromise the integrity of U.S. critical infrastructures in direct and indirect ways. These characteristics and conditions present a paradox within cyberspace: the prosperity and security of our nation have been significantly enhanced by our use of cyberspace, yet these same developments have led to increased vulnerabilities and a critical dependence on cyberspace, for the U.S. in general and the joint force in particular.”
This post is part of Jared Serbu’s Inside the DoD Reporter’s Notebook feature.