2. U.S. Cyber Strategy and Offensive Cyber Operations NSEC506 – Nov/Dec 2015
Mark Raduenzel Page 1 of 14
Introduction
Computer Network Operations (CNO), or “cyber operations”, have become an important
element of modern warfare. As part of cyber warfare, offensive cyber operations may be
executed by a nation to disrupt, deny, degrade or destroy the information which resides in
computers or the networks of which the computers are members. These actions can be taken
either as a prelude to conventional, kinetic war or even in lieu of war if the actions are taken to
further a national security policy objective. In May of 2011, the Obama administration published
its “International Strategy for Cyberspace” which aims to “build and sustain an environment in
which norms of responsible behavior guide states’ actions, sustain partnerships, and support the
rule of law in cyberspace” (White House 2011). In April of 2015, the Department of Defense
(DoD) released its own cyber-strategy document which is intended to act as a guide for
developing DoD’s own cyber forces while also strengthening cyber defense and improving cyber
deterrence (DoD 2015, 2). It is widely recognized that all cyber strategies published to date
necessarily include elements of defense. However, a well-defined cyber-strategy should also
explicitly contain a blueprint for offensive cyber operations which could be used in support of
military operations or to achieve national security objectives.
Purpose of the Study
The purpose of this study is to examine the United States’ existing cyber-strategy in order to
determine if offensive computer network operations are supported or if current strategy should
be revised to incorporate offensive operations. Offensive cyber operations, if supported, could be
invaluable in helping the United States achieve its national security objectives.
Research Question and Hypothesis
The primary research question this study will attempt to answer is: what elements of the United
States' current cyber-strategy support offensive computer network attacks? A secondary question
which the research will hope to answer is: why would the United States or any nation conduct
offensive computer network attacks? The tentative hypothesis to answer the primary question is
that while current cyber-strategy provides an adequate defensive approach for United States’
military and non-military computer networks, the strategy does not explicitly support the use of
computer network attacks to further national security.
Research Strategy
This study will utilize a qualitative research strategy to identify the parameters, if any, for
conducting offensive cyber operations. Current elements of national cyber-strategy will be
examined to determine the strategy’s objectives paying special attention to the concept of
offensive operations. The study will also explore the doctrine of conducting pre-emptive strikes
and their appropriateness within the context of cyber operations. Lastly, the current national
cyber-strategy will be compared to existing international cyber-strategy in order to highlight gaps
in United States’ strategy and identify areas for improvement.
Literature Review
Dr. Andrew M. Colarik is an independent consultant, researcher and author of multiple security
books and publications covering cyber terrorism, information warfare and cyber security. Dr.
Lech Janczewski has over thirty-five years of experience in information technology with
extensive research in cyber terrorism. Their co-authored article in the Journal of Strategic
Security, “Establishing Cyber Warfare Doctrine”, examines the theoretical foundation of current
cyber warfare research, what has been learned to date about its application and some of the
emerging themes to be considered including the development of a national cyber warfare
doctrine.
The article by Colarik and Janczewski considers why computer systems and the
infrastructures which support them should be included as valid military targets, and
highlights several recent events to support this assertion. The authors postulate that “modern
nations lack a grand strategy for handling cyber-attacks, one that gathers and coordinates their
national resources for shared security and prosperity” (Colarik and Janczewski 2012, 32). As
mentioned above, this perspective places the focus of cyber-strategy solely on defense and
ignores the benefits an offensive strategy could have for the United States.
Colarik and Janczewski review recent examples of cyber-attacks, which are applicable to
this research because they serve as examples where offensive computer network attacks were
conducted by states or their proxies in order to further their own national strategy. For example,
a series of Distributed Denial of Service (DDoS) attacks against Estonia in 2007 forced the
country to isolate itself digitally in order to prevent the nation from being crippled. Also
examined are the attacks against the former Soviet-bloc state of Georgia which utilized similar
methods to the Estonian attacks, and the Stuxnet worm which targeted Iran’s Bushehr nuclear
power plant and set Iran’s nuclear program back by several years (Colarik and Janczewski 2012,
34). While these events demonstrate previous incidents of offensive computer network attacks,
the authors do not indicate if this approach is permitted within the context of United States’
current cyber-strategy.
Mark D. Young is a Special Counsel for Defense Intelligence, House Permanent Select
Committee on Intelligence. In the Journal of National Security Law & Policy, Young also takes a
look at the implementation of United States’ cyber-strategy in his article titled “National cyber
doctrine: The missing link in the application of American cyber power”. Unfortunately, the
article is slightly dated since it was written a year before the Obama administration published its
“International Strategy for Cyberspace” in 2011. In his article, Young makes the argument that a
national cyber doctrine is necessary but shows there is no doctrine which guides the application
of the nation’s cyber-power, at least at the time the article was written (Young 2010, 174). The
author suggests that a national cyber doctrine would encourage the integration between the
commercial, academic and government sectors and focus the application of the United States’
cyber-power (Young 2010, 176). Once again, however, this integration is for the application of
cyber-power from a defensive mind-set instead of offensive.
Like Colarik and Janczewski, Young details recent cyber-attack events to show that offensive
operations are not unprecedented, at least by nations other than the United States (Young 2010,
173). And also like Colarik and Janczewski, Young fails to indicate if these operations are part
of current United States’ cyber-strategy. The author elaborates on existing cyber operations
documents by reviewing the Joint Chiefs of Staff’s “Joint Publication 3-13”, which defines
information operations, electronic warfare, computer network operations, psychological
operations, military deception and operations security (Young 2010, 178). These definitions
certainly allow for, or at least imply, the capabilities of offensive attacks. Also examined by
Young are the United States Army and Air Force cyber doctrines which demonstrate that
offensive attacks could be taken by military units if deemed within the national interest, even if
the strategy does not explicitly call for them (Young 2010, 182).
Policy adviser at the French Ministry of Defence (Directorate for Strategic Affairs) and adjunct
lecturer in international security at the French Institute for Political Sciences, Jean-Loup Samaan
writes in The RUSI Journal regarding the US efforts to develop a coherent cyber-strategy and the
divide in the interpretation of the conduct of cyber-warfare. The challenges with developing a
coherent cyber-strategy have been expounded on by Samaan in his article “Cyber Command:
The Rift in US Military Cyber-Strategy”. In the article, a background on the newly created
Cyber Command is given along with the supposition the United States government would place
more focus on cyber defense with the creation of this unit (Samaan 2010, 16). Samaan also
touches on the concept of cyber-warfare and the fact that any cyber-war could have economic
and psychological effects which should call for a robust doctrine of cyber-deterrence (Samaan
2010, 17). This would seem to support the implementation of offensive computer network
attacks and warrant their inclusion as part of the national cyber-strategy. However, the author is
silent on whether or not offensive operations are supported by current cyber-strategy.
Unlike the previous authors mentioned above, Samaan points out some parties involved in cyber-strategy
have complained that cyber-deterrence is misleading and irrelevant (Samaan 2010, 18).
Part of the reason for this is the challenge of attribution, which prevents retaliation since the
attacker often cannot be determined. Without the ability to accurately prove the attacker’s
identity, there is no way of knowing if the attacks originated from a state or an individual non-state
actor. What Samaan fails to acknowledge, though, is that the lack of ability to attribute
attacks is also a good reason for the United States to include offensive cyber operations as part of
its national cyber-strategy.
The author of “Rewired warfare: rethinking the law of cyber attack”, Michael N. Schmitt is the
Director of the Stockton Center for the Study of International Law, United States Naval War
College; Professor of Public International Law at Exeter University; and Senior Fellow at the
NATO Cyber Defence Centre of Excellence with extensive experience working with multiple
international expert working groups on cyber-strategy. In his article published in the
International Review of the Red Cross, Schmitt discusses the relation of international
humanitarian law to cyber operations. The author analyzes the debate between the permissive
approach which allows for a more extensive use of cyber-attacks even to the point of targeting
non-military targets during an attack, and a restrictive approach which holds to a more narrow
view of when cyber-attacks may be used and that targets must be confined to those of a military
nature (Schmitt 2014, 196). While these comparisons are interesting from an academic
viewpoint, they hold little value with regards to the topic of this study beyond what may be
targeted if an offensive cyber-strategy is implemented. This debate becomes more relevant if the
research concludes current cyber-strategy already incorporates offensive computer network
attacks.
Dr. Kenneth Geers is the Senior Executive in the U.S. Naval Criminal Investigative Service
(NCIS) as a cyber Subject Matter Expert and was the first U.S. Representative to the NATO
Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. Geers describes four
nation-state approaches to mitigating cyber-attacks in “Strategic Cyber Defense: Which Way
Forward?” published in the Journal of Homeland Security and Emergency Management. These
various approaches make use of new and improved technology, doctrine, deterrence and arms
control in order to limit the threat from cyber-attacks (Geers 2012, 1). These defense
mechanisms are necessary because the Internet can easily increase the speed, scale and power of
any cyber-attack. Because of these factors, Geers emphasizes the need for military strategists to
include cyber-attacks as well as defense into military doctrine (Geers 2012, 3). It is increasingly
more likely that cyber-attacks will play a prominent role in future wars with fighting taking place
over the entire length and breadth of cyberspace. This may not necessarily be negative since
conflicts could be shorter and incur minimal loss of life. While this advances support for
offensive cyber operations, the author does not indicate that such operations are part of current
cyber-strategy.
Geers’ article is unique to this research in that the author touches upon the revolutionary aspects
of cyber conflict such as the fact that cyberspace is an artificial environment, cyber conflict
favors the attacker and physical proximity between the attacker and the target is not required
(Geers 2012, 4). But Geers’ article suffers from the same gaps as the previous authors in that it
does not approach computer network operations from an offensive standpoint, but treats the
strategy as purely a defensive one. Even the revolutionary aspects should be treated as positive
conditions which could be used to benefit the United States if offensive cyber-attacks are
included in the national cyber-strategy.
Current literature primarily focuses on the defensive aspect of current cyber-strategy. Recent
history contains examples of offensive computer network attacks used to further states’ national
interests, and current definitions of information operations and electronic warfare certainly
imply the capabilities of the United States to use offensive cyber operations. The same pitfalls
which signify the importance of defending against cyber-attacks can also be shown in a positive
light if viewed from an offensive perspective. If research confirms the absence of a national
offensive cyber-strategy, steps may be taken to rectify those gaps and advocate the inclusion of
an offensive strategy.
Methodology
This qualitative research project was undertaken by examining current United States' cyber-strategy.
Elements of the strategy were reviewed to determine if any aspects support the concept
of offensive cyber operations. The variables identified during this research are offensive cyber
operations, currently published national cyber-strategy, preemptive strikes in accordance with
Bush Doctrine, international cyber-strategy and international humanitarian law.
Neo-conservatism theory, also known as the “Bush Doctrine”, supports the use of preemptive
strikes to achieve national security objectives. This doctrine was first announced by President
George W. Bush in a 2002 speech to West Point cadets and was a significant shift in U.S.
military policy. As Kellner notes, this new policy replaced "the Cold War doctrine of
containment and deterrence with a new policy of preemptive strikes" (Kellner 2004, 417).
Neo-conservatives operate under the belief that the United States has the most powerful military
in the world and that same military should be used to shape the world according to U.S. interests.
Due to this military might, the rest of the world should fear the United States and hesitate to
openly and even, in some cases, covertly stand against the U.S. This is a form of deterrence
which also directly applies to the cyber domain.
The faith of neo-conservatives to deter actions by other nations is in large part based on the
modern revolution of military affairs (RMA). This faith causes policy-makers and military
strategists to believe that instead of relying on large armies, "the United States could rely on
stealth technology, air-delivered precision-guided weapons, and small but highly mobile ground
forces to win quick and decisive victories" (Mearsheimer 2005, 2). Cyber operations are a
natural extension of RMA given the low cost of entry to perform operations, the fact that attackers and targets
do not need to be within the same physical proximity, and the relative size, speed and scale of
cyber-attacks. These factors mean that cyber operations can be used as a projection of military
power which fits nicely into the neo-conservatism theory.
Findings and Analysis
Computers and their networks have become an integral part of modern societies. In ways never
seen before, information technology is fostering the flow of goods and services around the globe
as well as facilitating the exchange of information and ideas. This infrastructure also supports
safely controlling air traffic, delivering water and electricity to communities and maintaining a
robust financial system. States have come to the realization that targeting the infrastructure of
other nations during conflicts could result in fewer lives lost as well as facilitate economic
recovery after the cessation of hostilities. Deterring these cyber operations has often been futile
which points to deterrence in general as a misleading and irrelevant idea. Attribution, which
identifies the attacker in cyber space, is a key limitation to deterrence since the attacker often
cannot be positively identified. This makes it clear that cyber conflict always favors the attacker.
In light of this revelation, if it were in the national security interests of the United States to
disrupt, deny, degrade or destroy key infrastructure or military systems of an adversary, would
the current national cyber-strategy support these offensive operations?
In determining if current United States' cyber strategy supports the use of offensive cyber-attacks,
it is necessary to begin by examining the Obama administration's "International Strategy
for Cyberspace" published in 2011. This strategy outlines the principles the United States will
adhere to when confronting the challenges of operating in cyberspace. The principles reflect a
commitment to the free flow of information and exchange and uninhibited communication which
are considered fundamental freedoms. Along with these freedoms is the obligation to protect
individual privacy through oversight and judicial review balanced with investigative authorities
for law enforcement (White House 2011, 5).
Another important concept included in "International Strategy for Cyberspace" is the
establishment of norms of behavior. It is the Obama administration's standpoint that already
existing international norms which guide the behavior of states still apply in the domain of
cyberspace (White House 2011, 9). In addition to the principles previously reviewed, additional
principles which support norms may include protection from crime, right of self-defense, global
interoperability, network stability and governance. While the principles outlined here are
important to ensuring national security, it is apparent they are most applicable to defending
against cyber-attacks instead of conducting them. Several of these factors, such as network
stability and protecting privacy, also enable and encourage computer network operations against
the United States. Still other principles, for example uninhibited communication and network
stability, should discourage the United States from using computer network operations against
targets since such operations run counter to the principles defined. Either way, the published
strategy neither supports nor forbids the use of offensive cyber operations.
The cyber strategy as laid out by the Department of Defense (DoD) and published in April 2015
contains an admission of the advantages which offensive computer network operations contain
for a state. In fact, the DoD begins with the assumption that potential adversaries would attempt
to target United States infrastructure and military systems in order to gain the upper hand in a
conflict. To neutralize those threats, the DoD "has developed capabilities for cyber operations
and is integrating those capabilities into a full array of tools that the United States government
uses to defend U.S. National interests, including diplomatic, informational, military, economic,
financial, and law enforcement tools" (DoD 2015, 2). If the US government is aware of the need
to defend against these threats, it is plausible to assume the government understands the
advantage to be gained by targeting these sectors offensively.
The DoD's cyberspace strategy outlines three primary cyber missions. First and foremost is the
mission to defend the networks, systems and information which are part of the DoD's domain.
DoD's closely related second mission is to ensure its agencies are prepared to defend its interests
as well against cyber-attacks. Under this mission, the United States military may be directed by
the President or Secretary of Defense to conduct cyber operations which would attempt to thwart
an on-going or imminent attack in cyberspace, thus preventing the destruction of property or loss
of life (DoD 2015, 5). However, neither counter-attacks nor offensive operations are explicitly
supported under this mission.
The DoD's third mission, which is the most relevant for this research, states that the DoD must be
able to integrate cyber operations in support of military operations and contingency plans if so
directed by the President or the Secretary of Defense (DoD 2015, 5). The addition of this
mission recognizes the possibility the President or Secretary of Defense could make a
determination that it would be advantageous for the military to conduct cyber operations which
are intended to disrupt, deny, degrade or destroy an adversary's military networks or
infrastructure. The support of this mission would allow the United States military to protect and
further U.S. interests in whatever area of operations the military finds itself.
While the DoD's third mission does explicitly support the use of offensive cyber operations, the
strategy also dictates the United States "will always conduct cyber operations under a doctrine of
restraint as required to protect human lives and to prevent the destruction of property" (DoD
2015, 6). Presumably, any decision which is made to conduct cyber operations on networks
which fall outside of the DoD's network domain would be made with serious deliberation and
with strict oversight which conforms to the law of armed conflict (LOAC). Does adherence to
this international law, also sometimes referred to as International Humanitarian Law (IHL),
hamper the ability of the U.S. to effectively conduct offensive cyber operations?
One of the principles of LOAC is that the attacking party should do everything which is feasible
in order to ensure the target is military in nature. This does not mean that proof must be
absolutely conclusive; however, any commander should be able to reasonably conclude the target
is a military objective (Dunlap 2011, 91). Finding targets of a military nature in cyberspace can
be a great challenge, especially when viewed from the standpoint that billions of machines may
be connected to the Internet at any one time. It becomes necessary, therefore, to determine that
the potential target computer or network first belongs to the adversary and then identify if the
target is also a viable military target in order to conform to LOAC.
Some strategists dispute this restrictive approach and argue that cyber operations which are
directed towards civilian infrastructure but do not cause damage are indeed permissible because
operations without damage do not qualify as an attack (Schmitt 2014, 191). This approach can be
considered "effects based" and would appear to allow for the "neutralization" of computer
systems and networks as long as there is no loss of life which could be directly associated with
the attack and any resulting damage is not permanent. These opposing viewpoints are still open
for debate and should be evaluated by commanders before undertaking any offensive cyber
operations.
An additional challenge is that by applying LOAC to cyber operations, only members of the
states’ armed forces are allowed to conduct cyber-warfare and offensive computer network
operations. As Dunlap indicates, "This means so long as LOAC is otherwise observed, military
personnel are legally permitted to engage in killing and destruction in war without fear of
prosecution for doing so" (Dunlap 2011, 91). Therefore, when conducting offensive cyber
operations which are lethal or as destructive as kinetic attacks, the operations
must be performed by uniformed military personnel. This is a significant limitation to engaging
in offensive cyber operations since the personnel of cyber agencies like the NSA are not uniformed members of
the United States military and could theoretically face international prosecution for engaging in
offensive cyber operations.
Conclusion
As the research shows, the International Strategy for Cyberspace which the Obama
administration published in 2011 outlines the principles the United States will adhere to when
confronting the challenges of cyberspace. While the principles outlined in the strategy are
critical for ensuring national security, close examination shows they strictly relate to defending
against cyber-attacks. The Department of Defense’s Cyber Strategy publication expands on the
Obama administration’s international strategy and defines three primary cyber missions. Two of
the missions are associated with defending military networks and the United States’ national
interests. The third mission, however, explicitly supports the use of offensive cyber operations if
directed by the President or the Secretary of Defense and refutes the hypothesis of the primary
research question. Although permissible according to current strategy, any offensive cyber
operations conducted should operate within the previously defined law of armed conflict
(LOAC) whenever possible. Unfortunately, operating under this international paradigm leaves
significant gaps, such as which targets are permissible to attack, the amount of damage allowable
and which agencies are legally permitted to mount an attack. These gaps should be further
explored and the national cyber strategy should continue to be refined in accordance with international
norms.
References
Colarik, Andrew M. and Lech Janczewski. 2012. "Establishing Cyber Warfare Doctrine."
Journal of Strategic Security 5, no. 1: 31-48.
Department of Defense. 2015. “The Department of Defense Cyber Strategy.” April.
Dunlap, Charles J. 2011. "Perspectives for Cyber Strategists on Law for Cyberwar." Strategic
Studies Quarterly. Spring: 81-99.
Farnsworth, Timothy. 2011. "Pentagon Issues Cyber Strategy." Arms Control Today 41, no. 7:
37-38.
Geers, Kenneth. 2012. "Strategic Cyber Defense: Which Way Forward?" Journal of Homeland
Security and Emergency Management 9, no. 1: 1-10.
Kellner, Douglas. 2004. "Preemptive strikes and the war on Iraq: a critique of Bush
administration unilateralism and militarism." New Political Science 26, no. 3: 417-440.
Mearsheimer, John. 2005. "Hans Morgenthau and the Iraq war: realism versus neo-conservatism."
opendemocracy.com, posted May 19.
Samaan, Jean-Loup. 2010. "Cyber Command: The Rift in US Military Cyber-Strategy." The
RUSI Journal vol. 155, no. 6: 16-21.
Schmitt, Michael N. 2014. "Rewired warfare: rethinking the law of cyber attack." International
Review of the Red Cross 96, no. 893: 189-206.
Young, Mark D. 2010. "National cyber doctrine: the missing link in the application of American
cyber power." Journal of National Security Law & Policy vol. 4, no. 1: 173-196.
White House. 2011. “International Strategy for Cyberspace: Prosperity, Security, and Openness
in a Networked World.” May.