(Credit: istockphoto.com/JanPietruszka)
No. 1
Cyber Warfare for JAs
Understanding the Legal Operating Environment
Major Phillip Dickerson and Brigadier General Joseph B. Berger
I. Introduction
In October of 2017, the Wall Street Journal reported Russia opened a new battlefront with NATO by exploiting a point of vulnerability for almost all allied soldiers: personal smartphones.1 The campaign targeted the contingent of some 4,000 NATO troops deployed to Poland and the Baltic States and involved sophisticated drones equipped with surveillance electronics.2
Although some NATO officials played down the threat posed, others said that in a crisis, compromised cellphones could be used to slow NATO’s response to Russian military action if, for example, the personal cellphone of a commander was used to send out fake instructions.3 Beyond the disruption of communications, if a compromised phone were brought into a secure area such as a military command post, it could be used to collect sensitive information. The ubiquitous smartphone represents one more potential attack vector, in peace and war.
Similarly, October of 2017 saw the liberation of Raqqah from ISIS by U.S. backed forces in Norther Syria.4 Despite this major loss, and certainly prior to it, ISIS was alarmingly effective in its use of social media to recruit fighters, inspire acts of terrorism, and project an image of unwavering confidence to the West.5 This success required a sophisticated public relations strategy. It also required a working internet connection.6 Counter-terrorism experts agree that ISIS almost certainly uses satellite internet to get online.7 Satellite Internet requires no local infrastructure, and the very small aperture terminal (VSAT) satellite stations required for internet access can be purchased for about $500 in countries like Turkey and then smuggled into ISIS-controlled parts of Syria.8
Violent extremist organization (VEO) use of the internet is well-established. The Financial Times reported back in 2014, that the internet was ISIS’s command-and-control network of choice, specifically noting that the terrorist group sent out over 40,000 tweets per day during its assault on Mosul.9 Then in 2016, the Washington Post declared that the encrypted messaging application Telegram surpassed Twitter as ISIS’s communication app of choice.10
These case-studies clearly demonstrate that the use of cyberspace is an indispensable and absolutely necessary part of both modern society and warfare. It will only grow in importance to both friendly forces and adversaries, and U.S. military units need to be able to defend it and leverage it offensively. Unfortunately, commanders at corps level and below are unlikely to have authority to conduct what are commonly understood to be Offensive Cyber Operations (OCO), but they may have authority to engage in cyber-related activities.
Similar to the relationship between electronic warfare (EW) and signals intelligence (SIGINT) or between intelligence activities and intelligence-related activities, the categorization of actions involving cyberspace can be a nuanced, facts-and-circumstance based determination. Brigade commanders are not going to have the authority to implant a computer virus that will destroy a centrifuge or turn off the power at a North Korean missile base, but cyber tools and capabilities exist that those commanders may be able to utilize in certain circumstances. It is imperative that the judge advocates advising those commanders understand the current legal operating environment, can correctly issue spot, and have a framework for subsequent analysis.
II. Definitions
In Section 954 of FY 2012 National Defense Authorization Act, Congress affirmed that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our nation, allies, and interests, subject to the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict.11
Joint Publication (JP) 3-12 (R) defines cyberspace as a global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the internet, telecommunications networks, computer systems, and embedded processors and controllers (emphasis added).12
Offensive cyberspace operations are cyberspace operations intended to project power by the application of force in or through cyberspace.13
Electronic warfare (EW) refers to military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy.14 EW includes activities such as electromagnetic jamming, electromagnetic hardening, and signal detection, respectively.15 EW affects, supports, enables, protects, and collects on capabilities operating within the electromagnetic spectrum (EMS), including cyberspace capabilities.16
Title 50 U.S.C. Section 403-5, defines Open Source Information as “publicly, available information that anyone can lawfully obtain by request, purchase, or observation” and defines Open Source Intelligence (OSINT) as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.”17
As described in Joint Publication 2-01, OSINT is developed using media and Web-based sources. OSINT processing transforms (converts, translates, and formats) text, graphics, sound, and motion video in response to user requirements. For example, at the national level, the ODNI Open Source Enterprise provides translations of foreign broadcast and print media.18 OSINT is also developed from information collected by commercial companies that use their own assets or purchase information from independent contractors who monitor media.19
Signals Intelligence (SIGINT) is defined as intelligence produced by exploiting foreign communications systems (e.g., radio or other electromagnetic means) and non-communications emitters (e.g., radar).20 The National Security Agency (NSA) is the national SIGINT manager and all SIGINT operations must be conducted under authority delegated from the NSA.
III. So What’s The Difference?
These definitions demonstrate the significant amount of overlap that exists and the confusion that can result. Cyberspace operations may include the internet, but may not. EW operations may include cyberspace, but may not. And a given operation affecting the EMS may be classified as SIGINT or EW depending on the underlying intent. Furthermore, it is not uncommon that a given operation could legitimately be defined as either an OCO or EW operation. Often, the ultimate categorization that is adopted will very likely be the result of the authorities possessed by the classifier.
EW and SIGINT missions may use similar—or even the same—resources. The two differ, however, in the intent, the purpose for the task, the detected information’s intended use, the degree of analytical effort expended, the detail of information provided, and the timelines required.21 EW missions respond to the immediate requirements of a tactical commander or exist to develop information to support future cyberspace or EW operations.22 The primary intent of SIGINT is to meet national intelligence requirements over a longer period of time.
And if that distinction wasn’t confusing enough, often the same activity may start its life as EW, but will live a “second life” as SIGINT.23
The analysis of intelligence derived from all intelligence disciplines across all echelons, including theater and national collection assets, provides insight about enemy cyberspace and EW operations.24 Leveraging the information collection requirements process may support aspects of cyberspace and EW operations.
IV. What Can Be Done: A Scenario
A. VEO utilization of the internet
As discussed above, ISIS’s primary means of communication among fighters is mobile phones, specifically utilizing apps like Telegram, because its primary means of communicating with the outside world is through VSAT connections to the internet. During the planning of an advise and assist mission intended to support a partner force’s assault on an ISIS position, a special forces battalion staff identifies these two facts as opportunities to disrupt ISIS communications that could give the partner force a distinct, if not decisive, advantage. The commander knows his unit, with the broader coalition force, has the capability to disrupt both of these avenues of communications. So, he turns to his judge advocate and asks what he’s allowed to do.
B. Disrupt the Cellular Network, WiFi Networks, and VSATs
The planners inform the commander that the unit has an organic capability to jam WiFi and GSM signals in a two-kilometer radius around the device. The commander is also aware that the capability exists to gain access to specific WiFi routers through the internet. The staff suggests the unit send a small recon element out to map the networks operating in the target area so the jamming tool can be utilized most effectively. Alternatively, it’s likely that the same information could be obtained through the use of internet-based tools. However, obtaining intelligence via an internet connection, rather than the EMS, will likely require SIGINT authorities. This is where much of the confusion over authorities manifests itself. Currently, SIGINT authorities are unlikely to be delegated to the battalion level, or at least not in a timely enough manner to be effective in such a mission.
It is critical to remember the Laws of Armed Conflict apply to cyber and EW operations. Therefore, judge advocates, working with the staff, must ensure the targets are valid military targets and weigh the impact on the civilian population of disrupting cellular and internet connections.
Cyber warfare operators assigned to the 275th Cyber Operations Squadron of the 175th Cyberspace Operations Group of the Maryland Air National Guard configure a threat intelligence feed for daily watch in the Hunter's Den at Warfield Air National Guard Base, Middle River, Md., Dec. 2, 2017. (U.S. Air Force photo by J.M. Eddins Jr.)
C. Monitor Facebook, Twitter, etc. for adversary response to the assault
Generally speaking, monitoring publicly available social media communications falls squarely within the definition of OSINT. If, however, these communications are taking place within a restricted group of some sort, additional authorities may be required before the unit may proceed. It is also important to note that OSINT refers only to the gathering of information, not the introduction of data into the information environment.25
Further consideration must be given when contracting for OSINT. Typically, the U.S. Government is not allowed to enter into a contract for goods or services that it could not legally obtain or engage in on its own.26 For example, if the U.S. Government cannot dispose of hazardous waste in a particular manner, it could not hire a contractor to dispose of the waste if it believed the contractor intended to dispose of it in this prohibited way. Additionally, the U.S. Government is often prohibited from tasking a contractor to violate local laws that the contractor is subject to. For example, U.S. Forces-Korea could not task a local contractor to dispose of waste in a way that violates South Korean environmental laws.
This principal raises interesting concerns with regard to contracting for open-source information or intelligence. The legal advisor must consider whether any concerns regarding U.S. persons have been raised, whether U.S. or foreign privacy laws have been violated in the collection of the data in question, and whether the unit has the authority to obtain this type of information/intelligence. Deconfliction with partner forces is critical; understanding privacy laws that may apply to partner forces, even extraterritorially, is equally important.
D. Conduct information operations via cyberspace before, during, and after the assault
Information Operations (IO) are those actions specifically concerned with the integrated employment of information-related capabilities during military operations, in concert with other lines of operation, to influence, disrupt, corrupt, or usurp the decision making of adversaries and potential adversaries while protecting friendly forces.27 Thus, cyberspace is a medium through which some information-related capabilities, such as military information support operations (MISO) or military deception (MILDEC), may be employed.
IO in cyberspace raises a number of issues that must be considered. When considering a possible IO activity, the unit must have both product/message authority and dissemination authority. The unit may have the ability to produce anti-VEO message, but may only have the authority to disseminate via print and audio-broadcast. In such a scenario, the unit may have to seek additional authority to disseminate its authorized message via internet-based platforms. Another consideration that must be analyzed is geography. It’s fairly easy to limit the distribution of leaflets dropped from a plane or broadcast via radio signal to the authorized area of responsibility/area of hostilities (AOR/AOH). Doing so in cyberspace (i.e., “geo-fencing”), however, can prove much more difficult. Additionally, even if the recipients of a cyber-delivered IO product can be geographically constrained to the AOR/AOH, what if that message transits though or resides on a server in a third country?
The Norse data wall on the operations floor of the 275th Cyber Operations Squadron, called the Hunter's Den, provides real time worldwide cyber attack sources and attack locations for the 175th Cyberspace Operations Group of the Maryland Air National Guard at Warfield Air National Guard Base, Middle River, Md., Dec. 2, 2017. This portion of the screen is focused on attacks within North America. (U.S. Air Force photo by J.M. Eddins Jr.)
V. Russian cyber operations within Syria targeting mobile devices
A. Network mapping as force protection
The modern battlefield is rarely defined by clear front lines. Often, U.S. forces find themselves operating in close vicinity to potential adversaries. As a result, it is important for a commander to have a sense of who is operating nearby. Judge advocates must be prepared to help the commander identify tools that the commander may have to determine who is, in fact, operating in close proximity. It could be classified as EW, but if it is a state actor adversary, EW collection authority may be limited or non-existent, especially during training or Phase Zero operations. Such collection could be classified as SIGINT if the activity is related to planning operations against an enemy force, but the commander very likely does not have SIGINT authorities. There may be an argument for inherent force-protection authority, but this can be a difficult case to make.
B. Disrupt the intruder
As noted above, U.S. forces often find themselves operating near adversaries that may not be members of a targetable force. If that adversary is attempting to compromise U.S. forces’ cell phones though cyber/EW equipment carried by UAVs, what authority does the commander have to repel the intrusion? The right of self-defense is inherent, but an act of intelligence gathering may not be considered a hostile act authorizing a kinetic response. Can the commander turn on a jammer that blocks the signal penetrating the unit’s mobile devices? What if the commander knows the jammer will also bring down the UAVs?
If those same mobile phones are being penetrated through the phone’s internet connection, can the commander authorize his 17 series Soldier to “hack-back” against the intrusion? What if the commander believes his unit’s network of mobile devices has been penetrated in support of an imminent attack? Can the inherent right of self-defense be used to authorize an OCO?
VI. Conclusions (But Not Really)
The introduction of cyberspace operations at the tactical level is still in its nascent stages. As the Chief of Staff of the Army has noted, “The character of war is changing very significantly”, and cyber is one of the three key emerging technologies driving that change in character.28 The battlefield is constantly evolving. Like the earlier introduction of airpower, there has been a steady clamor for new rules to deal with the threats, and more specifically, rules to deal with cyberspace. Identifying authorities and tools that can be leveraged against the myriad of emerging threats will remain a fluid challenge. Our foundational law of war principles remain the bedrock and start point for analysis.
This short practice note is, at best, a rough roadmap in the next step of any analysis for judge advocates practicing at the tactical level. Judge advocates must understand the key definitions outlined here and the basic interplay between the capabilities and attendant authorities (e.g., SIGINT versus EW). With that understanding, judge advocates can begin to more effectively spot issues, address risk for commanders, and contribute to a broader understanding of the capabilities and rules inherent in the changing nature of warfare.
Future iterations of this discussion—which must occur and need to be captured and shared—will rely heavily on practitioners’ experiences. Addressing electromagnetic spectrum issues will not be limited to niche jobs in specialized commands. While the strategic level issues may reside in those formations, their practical (and tactical level) application is in the hands of our junior practitioners. You must write the next chapters. TAL
BG Berger is the Commander of the United States Legal Services Agency and Chief Judge of the U.S. Army Court of Criminal Appeals.
MAJ Dickerson is assigned to the 10th LOD as a member of its Intelligence Law Support Team.
Notes
1. Thomas Grove et al., Russia Targets NATO Soldier Smartphones, Western Officials Say, Wall St. J., Oct. 4, 2017, https://www.wsj.com/articles/russia-targets-soldier-smartphones-western-officials-say-1507109402.
2. Id.
3. Id.
4. Anne Barnard & Hwaida Saad, Raqqa, ISIS ‘Capital,’ Is Captured, U.S.-Backed Forces Say, N.Y. Times, Oct. 17, 2017, https://www.nytimes.com/2017/10/17/world/middleeast/isis-syria-raqqa.html.
5. Clint Finley, It’d be Great to Kick ISIS Offline – If it were Possible, Wired, Mar. 30, 2016, https://www.wired.com/2016/03/how-is-isis-online/.
6. Id.
7. Id.
8. Id.
9. Robert Hannigan, Opinion, The web is a terrorist’s command-and-control network of choice, Fin. Times, Nov. 3, 2014, https://www.ft.com/content/c89b6c58-6342-11e4-8a63-00144feabdc0.
10. John Warrick, The ‘app of choice’ for jihadists: ISIS seizes on Internet tool to promote terror, Wash. Post, Dec. 23, 2016, https://www.washingtonpost.com/world/national-security/the-app-of-choice-for-jihadists-isis-seizes-on-internet-tool-to-promote-terror/2016/12/23/a8c348c0-c861-11e6-85b5-76616a33048d_story.html?noredirect=on&utm_term=.12848116ce4c.
11. Section 954 of FY 2012 National Defense Authorization Act for Fiscal Year 2012, Pub. L. No. 112-81, § 954 (2011).
12. This definition is notable because it makes clear the fact that cyberspace is more than just the internet. For example, a smartphone’s 4G connection allows it to connect to the internet, the 4G connection itself is not an internet connection. Similarly, a wireless router’s signal may allow devices to connect to the internet, but the WiFi signal itself is not “the internet.” This is an important distinction to understand since a cyber tool or effect may be delivered via the internet or delivered via a WiFi connection and different authorities may apply to each.
13. Joint Chiefs of Staff, Joint Pub. 3-12, Cyberspace Operations ch. 2, para. 2 (Jun. 8 2018).
14. Joint Chiefs of Staff, Joint Pub. 3-13.1, Electronic Warfare ch. 1, para. 4 (Jan. 25 2007) [hereinafter JP 3-13.1].
15. JP 3-13.1, supra note 14, at vi.
16. JP 3-13.1, supra note 14, ch. 1, para. 5.
17. 50 U.S.C.§ 403-5 (2006).
18. ODNI News Release No. 6-05, ODNI Announces Establishment of Open Source Center, Nov. 8, 2005, https://www.dni.gov/files/documents/Newsroom/Press%20Releases/2005%20Press%20Releases/20051108_release_content.htm.
19. Joint Chiefs of Staff, Joint Pub. 2-01, Joint and National Intelligence Support to Military Operations ch. 3, para. 19 (Jul. 5 2017).
20. Joint Chiefs of Staff, Joint Pub. 2-0, Joint Intelligence app. B, para. 3 (Oct. 22 2013) [hereinafter JP 2-0].
21. U.S. Dep’t of Army, Field Manual 3-12, Cyberspace and Electronic Warfare Operations para. 1-130 (Apr. 11 2017) [hereinafter FM 3-12].
22. Id.
23. JP 3-13.1, supra note 14, ch. 1, para. 10.
24. JP 2-0, supra note 20, para. 2-10.
25. For example, while a commander could direct his S2 section to review and analyze information on Twitter, the commander may not, without additional authorities, direct his S2 section to disseminate information on Twitter, regardless of whether that information consists of S2’s own messages—or messages previously created by others—factual or otherwise.
26. 31 U.S.C. § 1301 (1982).
27. U.S. Dep’t of Air Force, Pol’y Dir. 10-7, Information Operations para. 1 (Aug. 4 2014).
28. David Thornton, Army Trying to Keep up with Changing Character of War, FederalNewsRadio.com, https://federalnewsradio.com/army/2018/06/army-tries-to-keep-up-with-changing-character-of-war/ (quoting General Mark Milley at the 21 June 2018 Capitol Hill National Security Forum).