DoD declassifies its long-awaited joint doctrine for cyberspace operations

As the Federation of American Scientists first pointed out earlier this week, the Defense Department has just posted an unclassified version of its joint military doctrine for cyberspace operations.

The document — Joint Publication 3-12 — was first issued in March 2013, but it was marked as secret. The new unclassified version doesn’t give any indication of what had to be scrubbed in order to make the publication safe for public viewing, but in general, it’s clear the department is trying to consolidate all of its thinking on cyberspace operations into one cohesive document. As the Government Accountability Office noted in 2011, cyber doctrine until recently has been scattered across 16 different joint pubs and dozens of other service-specific documents.

Much of the content in the unclassified version won’t be surprising to anyone who’s been watching the evolution of the Pentagon’s cyber policy over the last three years, and we won’t attempt to summarize all 70 pages here, but a few items of note:

  • The doctrine reiterates the U.S. government’s consistent position that the Department of Homeland Security has the lead for defending civilian agency and private sector networks — but not always. It asserts that a Presidential directive or unspecified “standing authorities” could allow DoD’s missions to “take primacy over, and subsume the standing missions of other departments or agencies.”
  • DoD cyber officials usually describe the military’s day-to-day defensive cyber mission in terms that suggest it’s mostly made up of passive countermeasures that are designed to defend its own networks from adversaries. But the doctrine makes clear that certain rules of engagement allow DoD to attack the attacker as part of that defensive mission, “and may rise to the level of use of force.”
  • Not surprisingly, the unclassified version includes comparatively little discussion about offensive cyber operations. But it strains to remind future commanders that the fact that they’re working in cyberspace doesn’t obviate the need to abide by the Law of War and other foreign treaty obligations. Cyber attacks by the U.S. military can only be directed at military targets, defined as “those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”

Overall, the publication makes a serious effort to translate cyberspace into the military’s familiar doctrinal lexicon, describes it the same terms that generals think about when they’re pondering the six joint functions of warfare in the physical world, and paints the clearest picture that’s been publicly released to date as to how DoD plans to command and control its cyber forces.

But it also acknowledges the complexity of the military’s newest domain, with all the overlapping authorities, capabilities and interests that go along with it.

“Access to the Internet provides adversaries the capability to compromise the integrity of U.S. critical infrastructures in direct and indirect ways. These characteristics and conditions present a paradox within cyberspace: the prosperity and security of our nation have been significantly enhanced by our use of cyberspace, yet these same developments have led to increased vulnerabilities and a critical dependence on cyberspace, for the U.S. in general and the joint force in particular.”

DoD tries to institutionalize gains on rapid acquisition, but much depends on workforce

Readers of Robert Gates’ biography will remember that one of the former Defense secretary’s biggest disappointments was how much effort and political capital he had to personally expend to get the DoD acquisition system to deliver results to the field when there was no clear constituency for a given program within the bureaucracy of the military services.

The mine-resistant, ambush-protected (MRAP) vehicle program is now the main poster child for the “if there’s a will, there’s a way” approach to rapid acquisition. But Andrew Hunter, the director of DoD’s rapid acquisition cell says senior leaders have come to realize that they should be able to acquire urgent items quickly without the secretary of Defense having to effectively become the program manager.

Hunter, speaking to reporters in a rare media engagement before he leaves the Pentagon for a new job at the Center for Strategic and International Studies, argued that the department has done a fairly respectable job of making rapid acquisition part of DoD’s DNA.

As evidence, Hunter pointed to DoD’s project to destroy Syria’s chemical weapons. Within the span of a few months, it brought together mature technologies from the Army and Navy, cobbled them together aboard a civilian-crewed ship operated by the Military Sealift Command, and neutralized the chemicals in the middle of the Mediterranean Sea without much trouble.

And as part of the Pentagon’s main acquisition guidebook, DoD Instruction 5000.02, defense acquisition officials added a new enclosure (Enclosure 13 — for those interested in the details) that attempts to reassure program managers who need something right away that the system really can accommodate their needs.

“We’ve always had a gap: people always tell us, ‘Yes, we’re always hearing that you’re doing rapid acquisition and that you can do it, but where do we go to see how it’s done and which rules you we have to follow?’ It’s probably not perfect, but [the enclosure] does that, and it largely reflects how we’ve done this over the past several years.”

When challenged about the notion that a new annex to a longstanding document could alter the culture of DoD’s massive acquisition bureaucracy, Hunter was still optimistic.

“It can’t lock in the progress we’ve achieved, but I think it lets the workforce know it’s OK to keep doing this, and that things like the MRAP weren’t just a one-time experiment,” he said. “If you go back to 2003, there were a lot of questions in the acquisition community. People said, ‘Can we really deliver things inside a year?’ And they said the budget process and the requirements process just can’t do it. I think a lot of this is about remembering that we can achieve it. The workforce knows this can be done now. The message of the enclosure is that not only was it OK then, it’s OK now, and it’s expected. This is how our system is going to behave from now on for things that are urgent operational needs.”

Pentagon announces several policy changes to cut travel expenses

In one of DoD’s more creative responses to sequestration, the department is turning to credit card perks as one way to offset its appropriations cuts.

The military services have begun implementing policies that require both uniformed members and civilians to use government-issued travel cards to pay for all of the expenses they incur while they’re moving to a new duty station.

The Pentagon framed the changes as a benefit to its personnel — they’ll no longer have to pay out-of-pocket for those incidental expenses and wait for reimbursement.

But the policy will help DoD’s bottom line too: if DoD can increase its expenditures through the travel card program by 5 percent, its credit card vendor will bump the department’s cash-back rebate for all those charge card expenses up to 11 percent, according to the Defense Travel Management Office.

DoD says more use of the travel cards will also generate better data for the department.

“And that allows us to negotiate better rates, whether it’s with the rental car companies or amenities with hotels,” Harvey Johnson, DTMO’s director said in a release.

The Army and Air Force have already implemented the policy change. The Navy is still in a pilot phase, but it’s expected to follow with permanent change in the coming months.

Separately, officials are making two changes to the DoD-wide Joint Travel Regulation, also in an effort to save money.

As of Oct. 1, DoD stopped reimbursing members separately for incidental expenses such as ATM fees, laundry and tips. Those items will now fall under a flat reimbursement for “miscellaneous expenses” that’s capped at $5 a day. The move is projected to save $18 million per year.

And beginning Nov. 1, DoD will significantly scale back its reimbursements for service members and civilians who are serving away from their normal duty stations for extended periods of time.

As of now, federal travelers are reimbursed per diem for both their hotel and meal and incidental expenses at levels that are supposed to reflect the costs at the travel destination. The new policy will cut back those payments during extended stays: for trips of more than 30 days, DoD will only pay 75 percent of the set per diem rates. And for stays of more than 180 days, the payments will fall to 55 percent of the locality rate. DoD’s rationale is that it’s probably overpaying for those longer trips right now, since it already has agreements in place with large hotel chains that give it discounted rates for extended stays.

“If both the traveler and their (commercial travel office) determine that lodging is not available at the reduced per diem rate, the authorizing official may authorize reimbursement of actual lodging expenses (not to exceed the locality per diem rate),” DTMO officials wrote in a message announcing the change. “However, the traveler will receive M&IE at the reduced rate.”

DISA shops for expansion of its classified commercial smartphone service

The Defense Information Systems Agency is looking for a vendor that can support up to 2,000 smartphones that store and transmit classified data, part of DoD’s gradual evolution beyond the SME-PED, a $3,000 handheld that only runs on 2G networks.

In a sources sought notice DISA issued on Thursday, officials said they’re planning a procurement for the back-end infrastructure necessary to support classified data on commercial devices. The contract would involve the operation and expansion of two secure mobile gateways in the U.S., plus the potential stand-up of two more gateways overseas.

The vendor would need to be able to provide ongoing maintenance and helpdesk services for up to 2,000 devices under the DoD Mobile Classified Capability (DMCC) program. Earlier this year, DISA certified its first commercial device under the program, a hardened version of the Samsung Galaxy S4.

Here’s a giant asterisk for interested companies: The sources sought notice helpfully points out there’s only one security technology that’s been approved by the National Security Agency for transmission of classified data across commercial networks, at least so far. The owner of that proprietary system, Apriva, is also the incumbent vendor that built the gateways DISA has been using during its classified mobility pilots.