Chapter 9

Cyberspace Operations

I.  INTRODUCTION

A.   Overview.  Most aspects of joint operations rely in part on cyberspace, which is a global domain within the information environment (IE) that consists of the interdependent network of information technology (IT) infrastructures and resident data.^[1] Cyberspace operations (CO) are the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.^[2] A cyberspace capability is a device or computer program, including any combination of software, firmware, or hardware, designed to create and effect in or through cyberspace.^[3] To understand and provide legal advice in this complex area, legal advisors must be familiar with distinguishing the types of CO activity, basic terminology and technology (section II); significant legal considerations and analysis for each type of activity (section III); and command relationships and authorities (section IV).

B.    Sources of Law and Authorities.  Generally, cyberspace law is not the practice of a unique body of law, rather it is the application of other national security law disciplines (e.g., Constitutional law, Intelligence law, Public International law, etc.) to cyberspace operations and cyberspace-enabled activities.^[4] The “DoD conducts CO consistent with U.S. domestic law, applicable international law, and relevant [United States Government] (USG) and DoD policies.”^[5] However, cyberspace operations often raise unique and complex factual issues that make the application of existing law challenging.^[6] For example, understanding precisely how the law of war applies to CO is “not well-settled.”^[7] This area of the law continues to develop as new cyber capabilities emerge and States determine and declare their legal positions.^[8] Legal advisors should also consider the following in determining the proper source and application of laws and authorities.

1.    CO are conducted across the full spectrum of operations. Given the spectrum of operations, it is important to remember that “each CO mission has unique legal considerations.”^[9] The legal framework will depend on the type of cyberspace operation and nature of the activity. “Before conducting CO, commanders, planners, and operators require clear understanding of the relevant legal framework to ensure compliance with laws and policies.”^[10]

2.    When analyzing legal issues raised by cyberspace operations, legal advisors should also be aware that most cyberspace operations are subject to classified directives and guidance. Approval and oversight requirements for cyberspace operations often remain at the most senior leadership levels within the DoD.^[11] Therefore, when preparing legal advice on CO, take note of these important caveats:

a.    Classified Sources.  Many specific sources of operational guidance specific to CO remain classified including some Presidential guidance, Secretary of Defense guidance, and Chairman of the Joint Chiefs (CJCS) policies. This chapter cites to, but does not discuss, the content of some of these sources.^[12] Legal advisors are strongly encouraged to seek out, consult, and safeguard classified sources applicable to particular capabilities, commands, and operations. 

b.    Operational Guidance and Authorization.  Specific guidance and authorizations for CO may be found in standard military planning documents and orders, particularly in the operations plans (OPLANs), operations orders (OPORDs), and/or execute orders (EXORDs).^[13] In most cases, these documents have standardized formats and annexes, several of which apply directly to CO, and are usually classified to protect military decision-making and strategies. Legal advisors must have a firm grasp of the planning process and standard document formats, as well as knowledge of the roles and responsibilities of varying levels of command to provide input to, promulgate, and execute such orders.^[14] For most CO guidance questions, legal advisors should start their research by looking at existing operational guidance for specific missions.

II.  Basic TERMINOLOGY

A.   Overview.  This section defines several basic terms related to CO. The primary source for definitions used in this handbook and by the Services in planning military operations in and through cyberspace is published joint doctrine.^[15] However, classified national and inter-agency policies may employ slightly different terms and definitions, which are critical for a legal advisor to understand in categorizing certain CO activities for the proper application of authorities and procedures.

B.    Cyberspace.  “[T]he domain within the information environment that consists of the interdependent network of information technology (IT) infrastructures and resident data.”^[16] “Physically, and logically, the domain is in a state of perpetual transformation.”^[17] “Cyberspace, while part of the information environment, is dependent on the air, land, maritime, and space physical domains.”^[18] The DoD has divided cyberspace into three interconnected layers: physical network layer, logical network layer, and the cyber-persona layer.^[19]

1.    Physical Network Layer: “[C]onsists of the IT devices and infrastructure in the physical domains that provide storage, transport, and processing of information within cyberspace, to include data repositories and the connections that transfer data between network components. The physical network components include the hardware and infrastructure (e.g., computing devices, storage devices, network devices, and wired and wireless links).”^[20] “The physical network layer is the first point of reference CO use to determine geographic location and appropriate legal framework.”^[21]

2.    Logical Network Layer:  “[C]onsists of those elements of the network related to one another in a way that is abstracted from the physical network, based on the logic programming (code) that drives network components (i.e., the relationships are not necessarily tied to a specific physical link or node, but to their ability to be addressed logically and exchange or process data). Individual links and nodes are represented in the logical layer but so are various distributed elements of cyberspace, including data, applications, and network processes not tied to a single node.”^[22] “Logical layer targets can only be engaged with a cyberspace capability.”^[23]

3.    Cyber-Persona Layer:  “[C]onsists of network or IT user accounts, whether human or automated, and their relationships to one another. Cyber-personas may relate directly to an actual person or entity, incorporating some personal or organizational data (e.g., e-mail and IP addresses, Web pages, phone numbers, Web forum log-ins, or financial account passwords).  One individual may create and maintain multiple cyber-personas; . . . [c]onversely, a single cyber-persona can have multiple users.”^[24]  This feature, along with other aspects of cyberspace and cyber operations, “can make attributing responsibility for actions in cyberspace difficult.”^[25]

C.    The Department of Defense Information Network (DODIN).  “[T]he DODIN is defined as the set of information capabilities and associated processes for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel, whether standalone or interconnected, including owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems.^[26] The DODIN includes DoD information technology (IT) (e.g., DoD-owned or DoD-controlled information systems (ISs), platform information technology (PIT) systems, IT products and services) as defined in DoDI 8500.01^[27] and control systems and industrial control systems (ICSs) as defined in National Institute (NIST) Special Publication (SP) 800-82^[28] that are owned or operated by or on behalf of DoD Components.^[29]

D.   Cyberspace Operations.  “The employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.”^[30] The DoD Law of War Manual adds, “Cyber operations:  (1) use cyber capabilities, such as computers, software tools, or networks; and (2) have a primary purpose of achieving objectives or effects in or through cyberspace.”^[31]

Practice Tip:  It is imperative to distinguish CO from certain other types of operations that merely use computers or networks as the tool for achieving a non-cyber objective (i.e., command and control or broad use of computers for message distribution). Likewise, targeting cyber capability through non-cyber mechanisms would not be considered a CO.^[32] “CO can be conducted independently or synchronized, integrated, and deconflicted with other activities and operations.”^[33] “During joint planning, cyberspace capabilities are integrated into the joint force commander’s (JFC’s) plans and synchronized with other operations across the range of military operations.”^[34]

E.    Types of Military Cyberspace Operations:  “All actions in cyberspace that are not cyberspace-enabled activities are taken as part of one of three cyberspace missions: offensive cyberspace operations (OCO), defensive cyberspace operations (DCO), or DODIN operations.”^[35] “[S]uccessful execution of CO requires integration and synchronization of these missions.”^[36] Specific mission categorization of these operations are as follows:

1.    Offensive Cyberspace Operations (OCO):  “CO missions intended to project power in and through foreign cyberspace through actions taken in support of CCDR or national objectives.”^[37]

2.    Defensive Cyberspace Operation-Response Action (DCO-RA): “DCO mission where actions are taken external to the defended network or portion of cyberspace without the permission of the owner of the affected system. DCO-RA actions are normally in foreign cyberspace. Some DCO-RA missions may include actions that rise to the level of use of force, with physical damage or destruction of enemy systems.”^[38]

3.    Defensive Cyberspace Operations-Internal Defensive Measures (DCO-IDM): “DCO mission where authorized defense actions occur within the defended network or portion of cyberspace.”^[39] While DCO generally focus on the DODIN, which includes all of DOD cyberspace, military cyberspace forces prepare to defend any U.S. or other blue cyberspace when ordered.”^[40]

4.    DODIN Operations :  “[O]perational actions taken to secure, configure, operate, extend, maintain, and sustain DOD cyberspace and to create and preserve the confidentiality, availability, and integrity of the DODIN.”^[41]  “DODIN operations are network focused and threat-agnostic.”^[42]

Practice Tip:  While each mission set of CO present complex legal issues, because OCO and DCO-RA operations go outside the DODIN and other friendly networks, they present unique issues under constitutional and international law.  Particular attention must be paid to legal implications of these types of operations.

III.  SIGNIFICANT LEGAL CONSIDERATIONS IN CYBERSPACE OPERATIONS

1. Framework & Key Considerations for Legal Analysis:

1.  There is no single “checklist” for analyzing the legal aspects of CO. As discussed above, the legal landscape necessarily changes with the contours of the specific operation. Nevertheless, a consistent approach to analyzing the myriad of legal issues in CO is desirable, and the following questions will often provide a useful starting point for legal analysis.

2.    Questions to ask:^[43]

a.    What is the purpose of the activity?  What is the military objective we seek to achieve? What is the operational scheme of maneuver and how does it contribute to achieving that objective?

c.    Where is the target located? Does the operation involve multiple geographic locations?

d.    What is the target system used for?

e.    How will we access the target system?  What cyber capabilities will be employed? 

f.     What effects—such as loss of access to data—will we generate within that system? How will those effects impact the system’s functioning?

g.    Which people or processes will be affected by anticipated changes to the system’s functioning? Are any of those likely to impact civilians or public services?

3.    General Legal Review Framework for CO.^[44] To analyze the legal and policy implications for cyberspace operations, legal advisors should address, at a minimum, the following: (1) U.S. Domestic Law, (2) International Law, (3) National and Agency (DoD) policies and directives.

       a.  U.S. Domestic Law. A review of U.S. domestic law should include considering the foundational question of domestic legal authority (or authorization) to conduct a specific military cyber operation.^[45] Domestic law considerations should also include an analysis regarding whether specific constitutional or statutory provisions restrict the activity or whether there are any privacy and civil liberties concerns raised by the activity (e.g., the First Amendment, the Fourth Amendment, the Computer Fraud and Abuse Act (CFAA),^[46] surveillance and intelligence collection laws, etc.).^[47] Legal advisors should also address congressional oversight and reporting requirements mandated by law, which may include reporting requirements pursuant to both Title 10 and Title 50.

       b. Public International Law. It continues to be the view of the United States that existing international law applies to State conduct in cyberspace.^[48] Legal advisors may have to consider international legal issues such as, but not limited to, State Responsibility, Neutrality, Humanitarian International Law (including both jus ad bellum and jus in bello), and Human Rights Law when analyzing proposed military cyberspace operations. For example, a legal review may need to address whether particular operations raise issues of sovereignty, constitute prohibited interventions (against the principle of non-intervention) or a use of force, or whether it may be conducted as a countermeasure.^[49] Legal advisors may also need to consider evolving State norms, especially those expressed by the United States.^[50]

       c. National and Agency Policies and Directives. Legal advisors will need to ensure that cyberspace operations comply with all procedures, authorizations, and limitations outlined in both national and agency policies and directives. For example, legal advisors will need to comply with National Security Presidential Memorandum (NSPM) 13, as amended by NSPM-21, for certain operations, which “allows for the delegation of well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace.”^[51]

4.  Legal and Policy Considerations for Cybersecurity (i.e., DODIN) Operations. Legal advising on defending the DODIN and its assets requires understanding a tremendous scope of applicable laws, policies, and cybersecurity standards, as well as some contract law application. The DoD Cybersecurity & Information Systems Information Analysis Center has captured in an online chart key legal authorities, federal/national level cybersecurity policies, and operational and subordinate level documents, which can serve as a starting point for legal advisors to become familiar with laws and policies applicable to advising in this area.^[52]

2. Authorities and Responsibilities: 

1.    Strategic Authorities, Roles and Responsibilities. The National Defense Strategy, 2022, the Chairman of the Joint Chiefs of Staff National Military Strategy, 2022, and The Department of Defense Cyber Strategy, 2023, provide high-level strategy considerations and requirements for national defense in cyberspace and DOD’s role in defending DOD and larger U.S. national security interests through CO.^[53] For specific DoD roles and responsibilities in cyberspace, legal advisors should consult the United Command Plan, a document approved by the President that sets forth basic guidance to all unified combatant commanders, establishing their missions, responsibilities, force structure, and geographic areas of responsibility among other matters.^[54]

2.   Operational Authorities, Roles and Responsibilities. Authority to conduct CO is generally held at the upper echelons of government. Subject to the direction of the President, Title 10, and Title 50, military cyberspace operations are conducted pursuant to the authorities and delegations of the Secretary of Defense.^[55] Subject to the authority, direction, and control of the SecDef, Commander, USCYBERCOM, shall have the authority to conduct all affairs relating to cyber operations activities,^[56] to include managing day-to-day global CO.^[57] Direction to conduct CO by USCYBERCOM, other Combatant Commands, and subordinate units can generally be found in several different documents, most commonly EXORDs.^[58] National Security Presidential Memorandum (NSPM) 13, as amended, provides the general guidance for certain types of CO and “allows for the delegation of well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace.”^[59]

2.    Directive Authority for Cyberspace Operations (DACO): DACO, established by the Secretary of Defense in 2014, is “[t]he authority to issue orders and directives to all Department of Defense components to execute global Department of Defense information network [DODIN] operations and defensive cyberspace operations internal defensive measures.” ^[60] United States Cyber Command (USCYBERCOM) delegated DACO to the Service Cyberspace Component (SCC) Commands in 2016.^[61]

3.    Chief Information Officers and Cybersecurity: In 1996, the Clinger-Cohen Act created the Chief Information Officers.^[62] The DoD Chief Information Officer and the Service Chief Information Officers establish and enforce standards for acquisition and security of information technologies, including the implementation of what we now call cybersecurity activities.^[63] “Joint doctrine for CO uses the term ‘cyberspace security’ to distinguish this tactical-level cyberspace action from the policy and programmatic term ‘cybersecurity’ used in DoD and United States Government (USG) policy. To enable effective planning, execution, and assessment, doctrine distinguishes between cyberspace security and cyberspace defense actions, a distinction not made in DOD and USG cybersecurity policy, where the term cybersecurity includes the ideas of both security and defense. Doctrine uses both ‘cyberspace security’ and “cybersecurity,” depending upon the context.”^[64]

C.    Law of Armed Conflict in Cyberspace:  While the majority of CO will occur outside of armed conflict, those that rise to the level of a use of force or are conducted as part of an ongoing armed conflict must comply with the law of armed conflict. “[T]he principles of the law of war form the general guide for conduct during war, including conduct during cyber operations.”^[65] A CO may present challenging legal issues under both the jus ad bellum and jus in bello. Legal advisors should consult the DoD Law of War Manual chapter XVI as a starting point to identify critical legal doctrines and issues involved with applying the Law of Armed Conflict to cyberspace operations. Below is only a brief summary of some key points.

1.    Jus ad bellum.

a.    A CO may, in certain circumstances, constitute a use of force.^[66]  If a CO rises to the level of a use of force under Article 2(4) of the United Nations Charter and customary international law, there must be “a proper legal basis in order not to violate jus ad bellum prohibitions on the resort to force.”^[67]

b.    “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors: including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues.”^[68]

c.    “The dilemma lies in the fact that [CO] span the spectrum of consequentiality.  [Their] effects freely range from mere inconvenience (e.g., shutting down an academic network temporarily) to physical destruction (e.g., as in creating a hammering phenomenon in oil pipelines so as to cause them to burst) to death (e.g., shutting down power to a hospital with no back-up generators).”^[69]

e.    CO may also implicate other aspects of international law that govern interactions among states, such as the prohibition on coercive intervention in the core functions of another state, countermeasures, necessity, and state sovereignty.^[70] Because of evolving state practice and ever-changing technology, how these areas of international law impact CO is not entirely clear. Nevertheless, some clarity may be found. “For example, ‘a cyber operation by a State that interferes with another country’s ability to hold an election’ or that tampers with ‘another country’s election results would be a clear violation of the rule of non-intervention.’”^[71]

2.    Jus in Bello.

1. “If a cyber operation constitutes an attack, then the law of war rules on conducting attacks must be applied to those cyber operations.”^[72] 
2. Conversely, a CO operation that does not constitute an attack is not restricted by the rules that apply to attacks and may be directed at civilians or civilian objects so long as they are deemed militarily necessary.  These operations should nonetheless “comport with the general principles of the law of war,”^[73] and the parties must take feasible precautions to reduce the risk of incidental harm to the civilian population and civilian infrastructure.^[74]
3. A CO that only involves temporary or reversible effects is likely not an attack.^[75]  Examples include: “defacing a government webpage; a minor, brief disruption of internet services; briefly disrupting, disabling, or interfering with communications; and disseminating propaganda.”^[76]

IV.  CYBER FORCES AND COMMAND AUTHORITIES

A.   Legal advisors must be aware of the cyber force structure and respective operational authority to determine if a unit has the authority to engage in a certain CO.  If the unit is not part of this force structure, then it is unlikely they may take action beyond the protection and operation of their own network. Legal advisors must be proactive in determining what authorities, if any, have been granted to their units before they engage in CO.

B.    United States Cyber Command (USCYBERCOM).  USCYBERCOM was elevated to a combatant command in 2018. The Commander of USCYBERCOM “commands a preponderance of the cyberspace forces that are not retained by the Services,”^[77] and “manages day-to-day global CO.”^[78]

C.    Service Components.  Each service is responsible for protecting its service-specific cyber network to ensure its ability to detect, mitigate, and defeat advanced persistent threats capable of compromising the network and the DODIN itself.^[79] Service components work with parent services, USCYBERCOM, JFHQ-DODIN (described below), the Defense Information Systems Agency (DISA), and the National Security Agency (NSA) to prevent malicious actors from gaining access to service-specific networks.

D.   The Cyber Mission Force (CMF).  The goal of the CMF is to “organize and resource the force structure required to conduct key cyberspace missions.”^[80]  “Service tactical cyberspace units, assigned to CDRUSCYBERCOM, comprise the three elements of the CMF.”^[81] The CMF consists of the following:

1.    Cyber Protection Force (CPF).  Defend the DODIN and other blue cyberspace when directed.^[82]

2.    Cyber National Mission Force (CNMF).  Defeat significant cyber threats to the DODIN and, when ordered, the nation.^[83]  Forces that conduct DCO-RA are normally assigned to the CNMF. The Cyber National Mission Force was elevated to a subordinate unified command under USCYBERCOM in 2022.

3.    Cyber Combat Mission Force (CCMF).  Conduct CO to support the combatant commands.^[84] OCO missions are normally conducted by forces assigned to the CCMF.

E.    USCYBERCOM Subordinate Headquarters.  Subordinate Headquarters of USCYBERCOM execute C2 of the CMF and other cyberspace forces. These subordinate headquarters include the following:

1. Cyber National Mission Force Headquarters (CNMF-HQ).  The National Mission Teams are aligned under the CNMF-HQ against specific cyber threats.^[85] Responsible for operational-level planning and execution of DCO-RA missions.^[86]
2. Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN).  Responsible for the overall operation and defense of DoD information systems.^[87]  While each service maintains some responsibility for protection and operation of its networks, JFHQ-DODIN provides overall unity of effort and command for sustained effort at scale. Generally this means identifying and imposing standards for application across the DODIN. 
3. Joint Force Headquarters-Cyber (JFHQ-C).  The Combat Mission Teams that are normally assigned to conduct OCO missions are aligned under the JFHQ-C in support of a combatant command.^[88]
4. SCC Headquarters.  The Services provide cyber forces to USCYBERCOM through the SCCs.^[89]  Each of the SCC commanders is dual-hatted as the commander of one of the four JFHQs-C.^[90]  In conjunction with JFHQ-DODIN, they conduct DODIN operations and DCO-IDM within their Service portion of the DODIN.^[91]