Synopsis "Cyber Operations in DOD Policy and Plans: Issues for Congress"
Cyberspace is defined by the Department of Defense as a global domain consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Attacks in cyberspace have seemingly been on the rise in recent years with a variety of participating actors and methods. As the United States has grown more reliant on information technology and networked critical infrastructure components, many questions arise about whether the nation is properly organized to defend its digital strategic assets. Cyberspace integrates the operation of critical infrastructures, as well as commerce, government, and national security. Because cyberspace transcends geographic boundaries, much of it is outside the reach of U.S. control and influence. The Department of Homeland Security is the lead federal agency responsible for securing the nation's non-security related digital assets. The Department of Defense also plays a role in defense of cyberspace. The National Military Strategy for Cyberspace Operations instructs DOD to support the DHS, as the lead federal agency, in national incident response and support to other departments and agencies in critical infrastructure and key resources protection. DOD is responsible for defensive operations on its own information networks as well as the sector-specific agency for the defense of the Defense Industrial Base. Multiple strategy documents and directives guide the conduct of military operations in cyberspace, sometimes referred to as cyberwarfare, as well as the delineation of roles and responsibilities for national cybersecurity. Nonetheless, the overarching defense strategy for securing cyberspace is vague and evolving. This report presents an overview of the threat landscape in cyberspace, including the types of offensive weapons available, the targets they are designed to attack, and the types of actors carrying out the attacks. It presents a picture of what kinds of offensive and defensive tools exist and a brief overview of recent attacks. The report then describes the current status of U.S. capabilities, and the national and international authorities under which the U.S. Department of Defense carries out cyber operations. Of particular interest for policy makers are questions raised by the tension between legal authorities codified at 10 U.S.C., which authorizes U.S. Cyber Command to initiate computer network attacks, and those stated at 50 U.S.C., which enables the National Security Agency to manipulate and extrapolate intelligence data-a tension that Presidential Policy Directive 20 on U.S. Cyber Operations Policy manages by clarifying the Pentagon's rules of engagement for cyberspace. With the task of defending the nation from cyberattack, the lines of command, jurisdiction, and authorities may be blurred as they apply to offensive and defensive cyberspace operations. A closely related issue is whether U.S. Cyber Command should remain a sub-unified command under U.S. Strategic Command that shares assets and its commander with the NSA. Additionally, the unique nature of cyberspace raises new jurisdictional issues as U.S. Cyber Command organizes, trains, and equips its forces to protect the networks that undergird critical infrastructure. International law governing cyberspace operations is evolving, and may have gaps for determining the rules of cyberwarfare, what constitutes an "armed attack" or "use of force" in cyberspace, and what treaty obligations may be invoked.
