Military Review English Edition May-June 2014 | Page 11

OFFENSIVE CYBERSPACE OPERATIONS of matching targets to weapons. Not only must a combatant command request USCYBERCOM to attack a target, but also each target in the command’s JIPTL competes for resources against targets in the JIPTLs of other commands. USCYBERCOM sorts through all of the se lists, assigning a global priority to individual targets and allocating scarce resources to them. Even if USCYBERCOM considers a target high priority, the command may not have the resources needed to service it. USCYBERCOM needs to inform combatant commands and JTFs of its ability to service targets on their JIPTLs. Onerous legal reviews. Stewart A. Baker, former Department of Homeland Security assistant secretary for Policy and Technology, suggests that U.S. legal interpretation of the Hague Conventions reduces the operational utility of OCO.20 He writes that “lawyers across the government have raised so many show-stopping legal questions about cyberwar that they’ve left our military unable to fight, or even plan for, a war in cyberspace.”21 Part of this legal complexity stems from the nature of OCO. As noted above, any but the most rudimentary cyberspace attack on an enemy requires the acquisition, development, or modification of software to engender the effects that a JTF commander desires. This brings Department of Defense Directive (DODD) 5000.01, The Defense Acquisition System, into the process. DODD 5000.01 requires that “the acquisition or procurement of DOD weapons and weapon systems shall be consistent with all applicable domestic law and treaties and international agreements.”22 In regard to Air Force operations, Air Force Instruction 51-402 states that the office of the Judge Advocate General of the Air Force will conduct legal reviews of any new cyberspace capabilities (including weapons) or any contemplated modification of a cyberspace capability to ensure legality under the Law of Armed Conflict (LOAC), domestic law, and international law.23 A traditional attack on a target with missiles and bombs only has to pass through legal scrutiny during target development and prioritization since the weapons being employed have long since passed their assessment (per DODD 5000.01) during acquisition. By contrast, since cyberspace weapons are unique for almost every target, Air Force OCO require two legal reviews: one during target validation and the second during the acquiMILITARY REVIEW May-June 2014 sition process. This puts conducting OCO at the mercy of the most restrictive reading of the LOAC by two separate legal teams. This constraint, and the general ambiguity of how the LOAC applies to cyberspace operations, has created what Stewart Baker interprets as “a cyberwar strategy that simply omitted Cyberspace, including OCO awareness, should be part of every officer’s basic accession curriculum. any plan for conducting offensive operations. Apparently, they’re still waiting for all these lawyers to agree on what kind of offensive operations the military is allowed to mount.”24 Solutions Clarifying the perception of OCO. Education is the key to changing how we think, plan for, and employ OCO. Cyberspace, including OCO awareness, should be part of every officer’s basic accession curriculum. Joint professional military education (JPME) level I should include foundational cyberspace operations and doctrine for all officers. Intermediate and senior officers should study and integrate operational and strategic cyberspace operations into joint planning through JPME II. In addition, capstone courses should include instruction in the capabilities and limitations of OCO. The goal of this education should not be to turn officers into cyber specialists, but to give them the same basic awareness of this domain that officers who are in supporting or combat arms fields have of how those in the other fields conduct their profession. Not unlike the intricacies of sophisticated conventional weapon systems, the details of OCO should remain classified. This is an attribute of cyberspace operations that must be taken into account when targeting: knowledge of the specific processes by which cyber effects are achieved should be limited to those with a need to know. The inaccessibility 9