Cyberspace Operations (CO)
29 July 19
THIS LESSON IS UNCLASSIFIED
UNCLASSIFIED
Overview
• Criterion Objective
• Enabling Objectives
• MP1: Introduction to Cyber Operations
• MP2: U.S. approach to Cyber Operations
• MP3: Adversary approach to Cyber Operations
• Summary
Objective
• Criterion Objective:
• Given associated reference materials and this lecture,
identify potential vulnerabilities and threats to your weapon
system with at least 80% accuracy
Objective
• Enabling Objectives:
• Given associated reference materials and this lecture,
identify basic facts and terms pertaining to Cyber
Operations with at least 80% accuracy
• Given associated reference materials and this lecture,
summarize the United States approach to Cyber
Operations with at least 80% accuracy
• Given associated reference materials and this lecture,
describe the United States adversaries approach to
Cyber Operations with at least 80% accuracy
Introduction to Cyber Operations
• Joint Publication 3-12 (JP 3-12), Cyberspace Operations, provides
direction to the joint force with regard to the use of cyberspace
• What is the definition of Cyberspace Operations (CO)?
• JP 3-12 defines CO as “the employment of cyberspace capabilities
where the primary purpose is to achieve objectives in or through
cyberspace”
• What is cyberspace?
• “Cyberspace is the global domain within the information
environment consisting of the interdependent network of
information technology infrastructures and resident data,
including the internet, telecommunications networks,
computer systems, and embedded processors and
controllers”
• Three layers: the Physical Network Layer, the Logical
Network Layer and the Cyber-Persona Layer
The Three Layers of Cyberspace
Physical Network Layer Logical Network Layer Cyber-Persona Layer
• The Physical Network Layer: the geographic component (where the
hardware physically sits) and the physical network component (the
hardware, cabling, routers, servers and radio links that carry the data).
• The Logical Network Layer: the elements of the network abstracted
from the physical layer, i.e. the digital relationships or associations
that exist on a network (for example, a website served from several
data centers but reached through a single address).
• The Cyber-Persona Layer: the digital identities on the network, such
as user accounts, e-mail addresses, social media handles and IP
addresses, that represent a person or entity. One person may have many
cyber-personas and one persona may be shared by several people, which
is part of what makes attribution difficult.
PROGRESS CHECK
• Guided Discussion:
• Identify the three cyberspace network layers
• Give examples of the physical network layer
• Explain the cyber-persona layer
U.S. approach to Cyber Operations
• Cyberspace Operations Terminology
• Joint CO consist of three general categories (JP 3-12 calls them
cyberspace missions)
• Offensive Cyberspace Operations (OCO)
• Application of force in and through foreign cyberspace, authorized
via an execute order (EXORD)
• Defensive Cyberspace Operations (DCO)
• CO executed to defend the DODIN and other friendly cyberspace assets
• Department of Defense Information Network (DODIN) operations
• Operating and securing the global network infrastructure the DoD uses
to collect, store and move its critical data
• Computer Network Exploitation (CNE)
• Intelligence collection (spying) through the cyberspace domain; gains
and keeps access without producing effects the target would notice
• Computer Network Attack (CNA)
• Offensive operations through cyberspace to achieve strategic
objectives, producing one of the following effects
• Deny - prevent the adversary from using a capability (JP 3-12 treats
degrade, disrupt and destroy as the graded forms of deny)
• Degrade - reduce the effectiveness or capacity of a capability
• Disrupt - temporarily interrupt the operation of a capability
• Destroy - damage a capability so that it cannot be restored without
rebuilding it
• Manipulate – control or change the adversary's data, IT systems
and/or networks so that they behave in a way the adversary does not
intend
PROGRESS CHECK
• Guided Discussion:
• Identify the three general categories of Joint Cyber
Operations.
• What is Computer Network Exploitation (CNE)?
• Summarize the 5 Computer Network Attack methods.
Air Force Cyber Warfare
“I think most people today understand that cyber clearly
underpins the full spectrum of military operations,
including planning, employment, monitoring, and
assessment capabilities. I can’t think of a single military
operation that is not enabled by cyber. Every major
military weapon system, command and control system,
communications path, intelligence sensor, processing and
dissemination functions—they all have critical cyber
components.”
—Gen William L. Shelton
• History
• An early form of what is now called electronic warfare was conducted
in WWII using radio signals
• German bombers followed radio navigation beams to find their targets
• British engineers developed countermeasures
• They broadcast similar signals to bend or mask the beams and confuse
the bombers
• An early use of the electromagnetic spectrum to create effects
• Lessons learned during Operation Desert Storm
• Identified the importance of information to military operations, the
need to protect information from adversaries, and the need to exploit
adversary information to gain operational advantage
• Validated by the 1994 intrusion into Air Force networks (the Rome
Labs incident)
• In 1993 the Air Force had established the Air Force Information
Warfare Center (AFIWC)
• An information superiority center of excellence, dedicated to
offensive and defensive counterinformation and information operations
• In 1995 the 609th Information Warfare Squadron was established
• Mission: conceive, develop and field information warfare combat
capabilities
• From 1995 to 1999 the 609th Information Warfare Squadron pioneered
defensive counterinformation operations, then transferred the mission
to AFIWC
• Events that took place during this period led to increased interest
in information operations at the DoD level
• Intrusions into military networks: Solar Sunrise (1998) and Moonlight
Maze (discovered 1998)
• Highlighted critical vulnerabilities in US Pacific Command's systems,
as well as in the 911 systems and power grids of nine US cities
• Attackers stole tens of thousands of files from the Pentagon, the
National Aeronautics and Space Administration and the Department of
Energy
• In 1998 DoD activated Joint Task Force-Computer Network Defense
(JTF-CND) under Maj Gen John Campbell
• Envisioned as having a warfighting role
• In 2000 the task force was renamed Joint Task Force-Computer Network
Operations (JTF-CNO) and took on an additional offensive role
• The offensive mission later moved to Joint Functional Component
Command-Network Warfare (JFCC-NW)
• National Strategy to Secure Cyberspace released in
2003 and National Military Strategy for Cyberspace
Operations released in 2006
• These documents established the strategic importance of
cyberspace to national interest
• United States Cyber Command established in 2009
• Current Cyber Operations
• Defined by a mixture of mature and developing capabilities, doctrine,
and organizations
• Initiatives
• Completed Air Force Network (AFNet) migration in 2014
• Maturation of cyber weapon systems to increase cyber capacity in
terms of the number of missions conducted in support of warfighters
• Three Operational Mission Areas
• DODIN operations, DCO and OCO
• Each mission area enables effects in the air, space, sea and land
domains
• Across the spectrum of conflict, from small special operations
missions to global conventional warfare
• DODIN Operations
• The increase in weapon systems and C2 systems that rely on network
and wireless connections highlights the importance of the DODIN
• DODIN operations construct, operate, and sustain the
cyber domain, offering mission assurance and defense
through prioritized network provisioning (dynamic
construction), hardening, and configuration
management.
• Provision access to information sources
• Harden friendly portions of the domain from unauthorized
access
• Configure network systems to provide ease of maneuver to
friendly forces
• Constrain the adversary’s options
• Twenty-Fourth Air Force manages and defends the
AFNet
• AFNet is the Air Force portion of the DODIN
• 850,000 total force users
• Billions of dollars in systems and infrastructure
• Air Force advanced AFNet's defensive posture through two initiatives
• Deployment of Air Force gateways reduced the number of external
network access points from 120 to 16, so that all traffic in and out of
the AFNet crosses a small set of monitored, defended boundaries
• Consolidated 850,000 users into a single integrated Air Force
network, enabling enterprise-wide collaboration and improved, trusted
secure communications
• A single network means a single enterprise identity and
access-control regime; this embedded security substantially reduces an
adversary's ability to act on the network using compromised user
credentials
• DODIN defensive improvements inverted the cost/risk calculus of
attack versus defense by forcing the adversary to work harder to find
vulnerabilities and making it easier for the defender to guard critical
assets
• DODIN operators limit attack vectors and reduce vulnerabilities by
strategic placement of defensive capabilities on the network (at the
gateways and at the choke points inside it)
• DCO mission area
• Twenty-Fourth Air Force’s units prevent, detect, and
respond to enemy actions through both active and passive
defensive capabilities
• Conduct defense through a set of layered, overlapping
technologies called “defense in depth,” an architecture that
ensures monitoring and defense of avenues of access as
well as end points such as clients and servers
• DCO operators actively engage adversaries inside Air
Force networks to prevent intrusions, detect malicious
capabilities and techniques, and respond to system
compromises
• DCO operators
• Monitor defenses for signs of attack
• Configure defenses to foil future attempts
• Detect known adversary tactics using signatures
• Limit the adversary's visibility into the AFNet
• Continuously monitor intelligence streams for indications of pending
attacks
• Analyze capabilities and methods used by adversaries
• Develop signatures that match patterns unique to a particular attack,
so that the same tooling is caught the next time it appears
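The signature work in the list above, as an added example that is not code from the lesson or from any Air Force system: a small signature engine in Python run over constructed web-server and sshd log lines. The signature names, patterns, log formats and addresses are all assumed for illustration. A threshold rule is layered on top of one low-severity signature to show why a single weak signal becomes an alert only in aggregate, and a per-source roll-up shows the operator that one address tripped more than one signature.

```python
"""Signature-based detection over log lines.

Added example, not code from the lesson or from any Air Force system.
The signatures, the log formats and the log lines below are all
constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str        # analyst-assigned name for the adversary technique
    pattern: str     # regex matching a pattern unique to that technique
    severity: str    # "low" or "high" (assumed two-level scale)


@dataclass(frozen=True)
class Alert:
    signature: str
    severity: str
    source: str      # source IP extracted from the matching line
    line: str


# Assumed signatures. Real ones are written after analysing captured
# tooling; these only need to match the constructed sample below.
SIGNATURES = [
    Signature("web-directory-traversal", r'"GET \S*(?:\.\./){2,}', "high"),
    Signature("known-c2-user-agent",
              r"Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)", "high"),
    Signature("ssh-password-failure",
              r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from \d+(?:\.\d+){3}",
              "low"),
]

# Source address: first token of a web-server line, or the token after
# "from " in an sshd line (assumed log formats).
SOURCE_RE = re.compile(r"(?:^|\bfrom )(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: one benign web hit, one traversal attempt, one
# beacon whose user agent is tied to a known implant, three failed SSH
# logons from one address, and one legitimate key-based logon.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jul/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jul/2019:10:01:05 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.64.0"',
    '203.0.113.9 - - [29/Jul/2019:10:02:00 +0000] "GET /update.php HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    "Jul 29 10:03:01 host sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 4412 ssh2",
    "Jul 29 10:03:02 host sshd[2212]: Failed password for root from 198.51.100.7 port 4413 ssh2",
    "Jul 29 10:03:03 host sshd[2213]: Failed password for root from 198.51.100.7 port 4414 ssh2",
    "Jul 29 10:03:10 host sshd[2214]: Accepted publickey for ops from 10.0.0.8 port 5000 ssh2",
]


def source_of(line: str) -> str:
    m = SOURCE_RE.search(line)
    return m.group(1) if m else "unknown"


def match_signatures(lines, signatures=SIGNATURES):
    """Return one Alert per (line, signature) pair that matches."""
    compiled = [(s, re.compile(s.pattern)) for s in signatures]
    alerts = []
    for line in lines:
        for sig, rx in compiled:
            if rx.search(line):
                alerts.append(Alert(sig.name, sig.severity, source_of(line), line))
    return alerts


def brute_force_sources(alerts, threshold=3):
    """Threshold rule layered on the signatures: a source that trips the
    low-severity password-failure signature `threshold` or more times is
    escalated. One failure is noise; many from one address is a pattern."""
    counts = defaultdict(int)
    for a in alerts:
        if a.signature == "ssh-password-failure":
            counts[a.source] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sources_by_signature(alerts):
    """Map each source address to the set of signature names it tripped,
    so the operator sees that one address both probed the web server and
    guessed SSH passwords."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a.source].add(a.signature)
    return dict(by_src)


if __name__ == "__main__":
    hits = match_signatures(SAMPLE_LOG)
    for a in hits:
        print(f"[{a.severity}] {a.signature} from {a.source}")
    print("brute-force sources:", brute_force_sources(hits))
    print("by source:", sources_by_signature(hits))
```

Signatures are cheap and precise but brittle: the traversal pattern above misses an encoded `%2e%2e/`, and the user-agent string is trivial for the implant author to change once it is known. That is why the list pairs signature development with continuous analysis of adversary tooling and with threshold or behaviour rules that do not depend on one exact string.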
• Twenty-Fourth Air Force has both hunting and pursuit capabilities
that offer real-time defense and response against adversary actions,
and it regularly analyzes enterprise resources for indications of
advanced enemy presence or attempted access
• OCO Mission Area
• OCO have developed from being non-existent to being well integrated
into joint operations
• The mission set concentrates on gaining and maintaining access to
enemy areas of cyberspace without detection
• This requires operators to carefully plan missions to characterize
and exploit enemy networks
• OCO operators
• Provide strategic alternatives to Combatant Commanders
• Perform network reconnaissance with sophisticated TTPs
• Develop techniques or weapons, or select one from an existing
repository
• After accessing a target, operators establish a
permanent presence on the machine while cloaking
indications of the incursion, allowing them to maintain
access indefinitely
• OCO operators (continued)
• Persistent presence allows OCO operators to effectively exploit
information on the target in support of warfighter objectives
• A cyber weapon is perishable: once an adversary detects it, they can
write a signature for it and block it everywhere it is used, so every
employment puts the weapon at risk
• Operational planners must assess the technical gain/loss
associated with the employment of OCO weapons
• If the desired effect is not substantial enough to justify the
potential loss of an OCO weapon, then they should
consider other methods
• Increased capacity for OCO will put enemy strongholds
at risk, forcing adversaries to divert manpower and
attention to defenses and reducing the defensive burden
on US networks
• Future of US Cyberspace Operations
• Although cyber warfare is currently limited to information
networks and network-attached systems, it will drastically
expand in the future
• Cyber-based effects will not be limited to networks of
computers; rather, they will encompass all electronic
information processing systems across land, air, sea,
space, and cyberspace domains
• Full domain dominance will permit freedom of maneuver in
all war-fighting domains by holding the enemy’s electronic
information-processing systems at risk while defending
friendly systems from attack
PROGRESS CHECK
• Guided Discussion:
• What were the lessons learned identified during Operation
Desert Storm?
• What effect does DODIN defensive improvements have on
adversaries?
• Explain some of the responsibilities of OCO operators.
Adversary approach to Cyber Ops
• Cyber warfare and the future of cyber security
• Common cyber attack targets
• Critical infrastructure: power grids, nuclear enrichment facilities
and missile launch systems
• Civilian computers and other consumer devices
• Many attacks rely on recruiting consumer devices into botnets, or
simply use your devices as a stepping stone to carry malware into
military and corporate networks
• Everyone is therefore exposed to the growing threat of cyber weapons
• What is cyber warfare
• Warfare between states conducted in the cyber realm
• The objectives of launching these attacks vary
• Motives may include
• Stealing corporate or state secrets
• Disrupting critical infrastructure, or merely infecting the software
behind this infrastructure and lying dormant until it is needed
• What is cyber warfare (continued)
• Even if two states are not actively at war, they will often launch
cyber-attacks against each other
• Launching cyber attacks is cheap compared with kinetic options, and a
carefully run operation can stay undetected for a long time and is
harder still to attribute
• Attacks can be launched covertly, and because there is no
internationally agreed framework for assigning blame or applying
sanctions for cyber-attacks, the attacker often pays little price even
when attribution succeeds
• Types of cyber attacks
• Man in the middle attacks
• An attacker positions themselves between you and a website, app or
server and intercepts (and can alter) the data passing in either
direction; encryption with certificate validation (TLS) is the standard
countermeasure
• Phishing
• Best known from fraud aimed at your banking details, but phishing is
also one of the most common ways state actors gain their first foothold
in a target network
• Malware
• An attacker may try to infect as many computers as possible so that
one of those civilian machines (a contractor laptop, a removable drive,
a home computer used for remote access) eventually carries the
infection into the target system
• The future of cyber security
• Three key pieces of technology likely to drive the development of
cyber warfare in the coming decade
• Machine Learning and AI
• Artificial intelligence is already deployed in a wide range of
situations, on the defensive side (anomaly detection) as well as the
offensive side (target selection, evasion)
• Likely that governments are already incorporating it into their
cyber weapons
• The Cloud
• Represents both a risk and an asset
• Concentrating data with a provider puts it behind one set of
controls: a misconfiguration or a stolen credential can expose a great
deal at once, while a well-run provider may defend it better than the
owner could
• Blockchain
• A tamper-evident way to share a record between multiple parties that
do not trust each other; it protects integrity, not confidentiality
• Adversary attack behavior model
• Shows how three key aspects of an adversary's cyberattack translate
into a probability of success
• Means, Motive, and Opportunity for cyber attacks
• Analysis of attacker behavior in the cyber realm
• The adversary must first determine which attack steps are available
options (opportunity), then which available step is most attractive
(motive)
• Whether the attempt succeeds is determined by the capability of the
adversary to execute that attack step (means)
• Three stages of an adversary's attack attempt
• Opportunity: attack step precondition (the access or knowledge the
adversary must already have before the step is an option)
• Motive: probability of attempt
• Four attractiveness measures
• Cost to the adversary of attempting the attack step
• Payoff to the adversary for successfully executing the attack step
• Probability of successfully completing the attack step, as perceived
by the adversary
• Probability of being detected by the system during or after
attempting the attack step
• Means: probability of success given the attempt (the adversary's
actual capability, which may differ from what it perceives)
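The three stages above as a small decision model, added here as an example and not taken from the lesson or from any published model. The attack steps, the two adversary profiles, the weights and the linear attractiveness formula are all assumed; the point is to show how a precondition check (opportunity), an attractiveness ranking over the four measures (motive) and a capability-scaled success probability (means) combine, and how the same target looks different to a stealth-minded and an opportunistic adversary.

```python
"""Means, motive and opportunity as a decision model for one adversary.

Added example, not from the lesson or from any published model. The attack
steps, the adversary profiles and the attractiveness formula are assumed;
they only illustrate how the three stages on the slide fit together.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttackStep:
    name: str
    preconditions: frozenset    # access the adversary must already hold (opportunity)
    grants: frozenset           # access gained on success
    cost: float                 # effort and resources, 0..1
    payoff: float               # value of success to the adversary, 0..1
    p_success: float            # success probability for a fully capable adversary
    p_detect: float             # chance the defender detects the attempt, 0..1
    skill_required: float       # capability the step demands, 0..1 (means)


@dataclass
class Adversary:
    name: str
    skill: float                # capability, 0..1
    # Motive profile: how much this adversary weighs each attractiveness measure.
    w_payoff: float
    w_success: float
    w_cost: float
    w_detect: float
    holds: set = field(default_factory=set)


# Constructed attack steps for a small campaign against a notional enterprise.
STEPS = [
    AttackStep("phish_user", frozenset(), frozenset({"user_foothold"}),
               cost=0.2, payoff=0.4, p_success=0.6, p_detect=0.3, skill_required=0.2),
    AttackStep("exploit_vpn_appliance", frozenset(), frozenset({"user_foothold"}),
               cost=0.5, payoff=0.4, p_success=0.8, p_detect=0.7, skill_required=0.7),
    AttackStep("dump_credentials", frozenset({"user_foothold"}), frozenset({"domain_admin"}),
               cost=0.3, payoff=0.7, p_success=0.7, p_detect=0.5, skill_required=0.5),
    AttackStep("exfiltrate", frozenset({"domain_admin"}), frozenset({"data"}),
               cost=0.2, payoff=1.0, p_success=0.9, p_detect=0.6, skill_required=0.3),
]


def stealthy_adversary():
    # Cares most about not being detected (an espionage actor, for example).
    return Adversary("stealthy", skill=0.6, w_payoff=1.0, w_success=0.5, w_cost=0.5, w_detect=2.0)


def opportunistic_adversary():
    # Cares about payoff and success, little about cost or detection.
    return Adversary("opportunistic", skill=0.5, w_payoff=1.0, w_success=1.0, w_cost=0.2, w_detect=0.2)


def available_steps(adv, steps):
    """Opportunity: precondition satisfied and the step still yields something new."""
    return [s for s in steps if s.preconditions <= adv.holds and not s.grants <= adv.holds]


def attractiveness(adv, step):
    """Motive: weighted sum of the four measures (assumed linear form)."""
    return (adv.w_payoff * step.payoff + adv.w_success * step.p_success
            - adv.w_cost * step.cost - adv.w_detect * step.p_detect)


def choose_step(adv, steps):
    """The adversary attempts the most attractive available step, or nothing."""
    options = available_steps(adv, steps)
    return max(options, key=lambda s: attractiveness(adv, s)) if options else None


def p_success_given_attempt(adv, step):
    """Means: the step's base success rate, scaled down when the adversary's
    capability falls short of what the step requires (assumed scaling)."""
    return step.p_success * min(1.0, adv.skill / step.skill_required)


def run_campaign(adv, steps, draws):
    """Play the campaign with pre-drawn uniform [0,1) numbers so the result is
    reproducible: each draw decides whether the chosen step succeeds."""
    history = []
    for u in draws:
        step = choose_step(adv, steps)
        if step is None:
            break
        success = u < p_success_given_attempt(adv, step)
        if success:
            adv.holds |= step.grants
        history.append((step.name, success))
    return history


if __name__ == "__main__":
    for make in (stealthy_adversary, opportunistic_adversary):
        adv = make()
        first = choose_step(adv, STEPS)
        print(adv.name, "opens with", first.name, "attractiveness", round(attractiveness(adv, first), 2))
        print("  campaign:", run_campaign(adv, STEPS, [0.5, 0.5, 0.5]))
```

With these numbers the stealthy adversary opens with phishing (the noisy VPN exploit scores far lower once detection is weighted heavily), while the opportunistic one picks the exploit because it cares mostly about payoff and raw success rate. The defensive lesson is the one on the DODIN slides: raising the detection probability or the cost of a step changes which steps are attractive, and raising `skill_required` lowers the probability of success for everyone below that capability.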
• What to do about it
• Follow local cyber security procedures
• Encrypt everything
• A powerful tool to protect your information and privacy
• Encryption stops anyone who intercepts your traffic or steals your
storage from reading the data
• This defeats many common forms of cyber-attack, including the
man-in-the-middle interception described above; it does not stop
phishing or malware, which act at the endpoint where the data is
already decrypted
• Encryption alone does not stop an interceptor from altering the data;
the channel must also be authenticated (TLS and modern VPN protocols
do both)
• Using a Virtual Private Network (VPN) you can make sure that every
piece of information you send or receive is encrypted between your
device and the VPN endpoint
• A VPN protects the path, not the destination: traffic beyond the VPN
endpoint, and anything already running on your device, are outside its
protection
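The man-in-the-middle attack from the “Types of cyber attacks” slide and the “encrypt everything” advice above, as an added example that is not from the lesson. It goes one step beyond the slide: encryption alone hides content but does not stop an interceptor from altering it, which is why real protocols (TLS, VPN tunnels) also authenticate every message. The toy stream cipher built from HMAC-SHA256, the keys and the messages are constructed for illustration only; use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 in practice.

```python
"""Why "encrypt everything" also needs authentication.

Added example, not from the lesson. The stream cipher is a toy built from
HMAC-SHA256 (keystream = HMAC(key, nonce || counter)) so that the example
runs on the Python standard library alone; real systems use a vetted AEAD.
Keys, nonce and messages are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC-SHA256 over nonce||counter, block by block."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. An eavesdropper learns
    nothing about the content, but anyone on the path can still flip bits."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt   # XOR stream cipher: the same operation in both directions


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so tampering is detected."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, nonce, ct)


def mitm_flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Man-in-the-middle bit flipping: without knowing the key, XOR the
    ciphertext with old^new at a known offset so that it decrypts to `new`.
    The attacker only needs to know the message layout, not its key."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo():
    """Constructed exchange: the interceptor changes an amount in transit.
    Returns (what the unauthenticated receiver sees, what the authenticated one sees)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    msg = b"PAY 100 TO ACCT 42"
    at = msg.index(b"100")

    # Encryption alone: the tampered message decrypts cleanly to a different amount.
    ct = encrypt(enc_key, nonce, msg)
    seen_unauth = decrypt(enc_key, nonce, mitm_flip(ct, at, b"100", b"900"))

    # Encrypt-then-MAC: the same flip is rejected before anything is acted on.
    blob = seal(enc_key, mac_key, nonce, msg)
    tampered_blob = blob[:16] + mitm_flip(blob[16:-32], at, b"100", b"900") + blob[-32:]
    seen_auth = open_sealed(enc_key, mac_key, tampered_blob)
    return seen_unauth, seen_auth


if __name__ == "__main__":
    print(demo())   # (b'PAY 900 TO ACCT 42', None)
```

The unauthenticated receiver accepts “PAY 900” without any sign that the message was touched; the authenticated receiver rejects it. This is the practical content of the MITM bullet earlier: interception is only half the threat, alteration is the other half, and only an authenticated channel covers both.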
PROGRESS CHECK
• Guided Discussion:
• Identify the three stages of an adversary’s attack attempt
• Summarize the four attractiveness measure the contribute to
an adversary’s probability of attempt
• What is the one of the best tools you have to defend against
a cyber-attack?
• Adversary cyber profiles
• Use the “Adversary Cyber Profile” handout
• Russia
• China
• Iran
• North Korea
PROGRESS CHECK
• Open Book Discussion:
• Summarize one cyber strategy from one of the countries identified in
the handout
• Summarize one cyber capability from one of the countries identified
in the handout
• Top 10 of the world's largest cyberattacks
• Use the “TOP 10 of the world's largest cyberattacks” (Outpost24 blog)
handout
• Adobe
• Sony
• South Korea
• Target
• Alteryx
• Equifax
• Adult Friend Finder
• Marriott Hotels
• Hold Security
• Yahoo!
PROGRESS CHECK
• Open Book Discussion:
• Summarize one cyber-attack identified in the handout
• Identify protection measures your mission systems employ that prevent
these types of attacks
Summary
• Criterion Objective:
• Given associated reference materials and this lecture,
identify potential vulnerabilities and threats to your weapon
system with at least 80% accuracy
Summary
• Enabling Objectives:
• Given associated reference materials and this lecture,
identify basic facts and terms pertaining to Cyber
Operations with at least 80% accuracy
• Given associated reference materials and this lecture,
summarize the United States approach to Cyber Operations
with at least 80% accuracy
• Given associated reference materials and this lecture,
describe the United States adversaries approach to Cyber
Operations with at least 80% accuracy
QUESTIONS?

Cyberoperations202310221.pdf

  • 1.
    Cyberspace Operations (CO) 29July 19 THIS LESSON IS UNCLASSIFIED
  • 2.
  • 3.
    3 UNCLASSIFIED UNCLASSIFIED Overview • Criterion Objective •Enabling Objectives • MP1: Introduction to Cyber Operations • MP2: U.S. approach to Cyber Operations • MP3: Adversary approach to Cyber Operations • Summary
  • 4.
    4 UNCLASSIFIED UNCLASSIFIED Objective • Criterion Objective: •Given associated reference materials and this lecture, identify potential vulnerabilities and threats to your weapon system with at least 80% accuracy
  • 5.
    5 UNCLASSIFIED UNCLASSIFIED Objective • Enabling Objectives: •Given associated reference materials and this lecture, identify basic facts and terms pertaining to Cyber Operations with at least 80% accuracy • Given associated reference materials and this lecture, summarize the United States approach to Cyber Operations with at least 80% accuracy • Given associated reference materials and this lecture, describe the United States adversaries approach to Cyber Operations with at least 80% accuracy
  • 6.
  • 7.
    7 UNCLASSIFIED UNCLASSIFIED • Joint Publication3-12 (JP 3-12) provides direction to our joint forces with regards to the use of cyberspace • What is the definition for Cyberspace Operations (CO)? • JP 3-12 defines CO as “the employment of cyberspace capabilities when the primary purpose is to achieve objectives in or through cyberspace” Introduction to Cyber Operations
  • 8.
    8 UNCLASSIFIED UNCLASSIFIED • What iscyberspace? • “Cyberspace is the global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the internet, telecommunications networks, computer systems, and embedded processors and controllers” Introduction to Cyber Operations
  • 9.
    9 UNCLASSIFIED UNCLASSIFIED • Three layers:the Physical Network Layer, the Logical Network Layer and the Cyber-Persona Layer The Three Layers of Cyberspace Physical Network Layer Logical Network Layer Cyber-Persona Layer Introduction to Cyber Operations
  • 10.
    10 UNCLASSIFIED UNCLASSIFIED • The PhysicalNetwork Layer: geographic component and physical network component. • The Logical Network Layer: the digital relationships or associations that exist on a network. • The Cyber-Persona Layer: the personnel operating the terminals or workstations connected to the network. Introduction to Cyber Operations
  • 11.
    11 UNCLASSIFIED UNCLASSIFIED PROGRESS CHECK • GuidedDiscussion: • Identify the three cyberspace network layers • Give examples of the physical network layer • Explain the cyber-persona layer Introduction to Cyber Operations
  • 12.
  • 13.
    13 UNCLASSIFIED UNCLASSIFIED • Cyberspace OperationsTerminology • Joint CO consist of three general categories • Offensive Cyberspace Operations (OCO) • Application of force through cyberspace, authorized via EXORD • Defensive Cyberspace Operations (DCO) • CO executed to defend DoD/friendly cyberspace assets • Department of Defense Information Network (DODIN) • Global network infrastructure used to manage critical DoD data U.S. approach to Cyber Operations
  • 14.
    14 UNCLASSIFIED UNCLASSIFIED • Computer NetworkExploitation (CNE) • Spying through the cyberspace domain • Computer Network Attack (CNA) • Offensive operations through cyberspace to achieve strategic objectives • Deny - prevent use of capabilities • Degrade - reduce capabilities • Disrupt - temporarily interfere with operations • Destroy - cause irreparable damage • Manipulate – control/change data, IT systems and/or networks U.S. approach to Cyber Operations
  • 15.
    15 UNCLASSIFIED UNCLASSIFIED PROGRESS CHECK • GuidedDiscussion: • Identify the three general categories of Joint Cyber Operations. • What is Computer Network Exploitation (CNE)? • Summarize the 5 Computer Network Attack methods. U.S. approach to Cyber Operations
  • 16.
    16 UNCLASSIFIED UNCLASSIFIED Air Force CyberWarfare “I think most people today understand that cyber clearly underpins the full spectrum of military operations, including planning, employment, monitoring, and assessment capabilities. I can’t think of a single military operation that is not enabled by cyber. Every major military weapon system, command and control system, communications path, intelligence sensor, processing and dissemination functions—they all have critical cyber components.” —Gen William L. Shelton U.S. approach to Cyber Operations
  • 17.
    17 UNCLASSIFIED UNCLASSIFIED • History • Formof cyber warfare conducted in WWII using radio signals • German bombers used radio signals to find their targets • British engineers developed countermeasures • Broadcasted similar signals to confuse bombers • Early use of frequency spectrum to create effects U.S. approach to Cyber Operations
  • 18.
    18 UNCLASSIFIED UNCLASSIFIED • Lessons learnedduring Operation Desert Storm • Identified importance of information to military operations, need to protect information from adversaries and need to exploit adversary information to gain operational advantage • Validated by attack on Air Force networks in 1994 (Rome Labs incident) • In 1993 the Air Force established the Air Force Information Warfare Center (AFIWC) • Information superiority center of excellence, dedicated to offensive and defensive counter information and information operations U.S. approach to Cyber Operations
  • 19.
    19 UNCLASSIFIED UNCLASSIFIED • In 1995the 609th Information Warfare Squadron was established • Mission: Conceive, develop and field information warfare combat capabilities • From 1995 to 1999 the 609th Information Warfare Squadron pioneered defensive counterintelligence operations, then transferred mission to AFIWC U.S. approach to Cyber Operations
  • 20.
    20 UNCLASSIFIED UNCLASSIFIED • Events thattook place during this time led to increased interest in information operation at DoD level • Attacks on military networks: Solar Sunrise and Moonlight Maze • Highlighted critical vulnerabilities in US Pacific Command’s systems, as well as in 911 and power grids in nine US cities • Attackers stole tens of thousands of files from the Pentagon, National Aeronautics and Space Administration and Department of energy U.S. approach to Cyber Operations
  • 21.
    21 UNCLASSIFIED UNCLASSIFIED • In 1998DoD activated Joint Task Force Computer Network Defense under Maj Gen John Campbell • Envisioned as having warfighting role • In 2000 the task force was renamed to Joint Task Force Computer Network Operations and took on and additional offensive role • Offensive mission later moved to Joint Forces Component Command-Network Warfare U.S. approach to Cyber Operations
  • 22.
    22 UNCLASSIFIED UNCLASSIFIED • National Strategyto Secure Cyberspace released in 2003 and National Military Strategy for Cyberspace Operations released in 2006 • These documents established the strategic importance of cyberspace to national interest • United States Cyber Command established in 2009 U.S. approach to Cyber Operations
  • 23.
    23 UNCLASSIFIED UNCLASSIFIED • Current CyberOperations • Defined by a mixture of mature and developing capabilities, doctrine, and organizations • Initiatives • Completed Air Force Network (AFNet) migration in 2014 • Maturation of cyber weapon systems to increase cyber capacity in terms of number or missions conducted in support of warfighters U.S. approach to Cyber Operations
  • 24.
    24 UNCLASSIFIED UNCLASSIFIED • Three OperationalMission Areas • DODIN operations, DCO and OCO • Each mission area enables effects in the air, space, sea and land domain • Across spectrum of conflicts from small special operations missions to global conventional warfare • DODIN Operations • Increase in weapon systems and C2 systems that rely on network and wireless connections • Highlights importance of DODIN U.S. approach to Cyber Operations
  • 25.
    25 UNCLASSIFIED UNCLASSIFIED • DODIN operationsconstruct, operate, and sustain the cyber domain, offering mission assurance and defense through prioritized network provisioning (dynamic construction), hardening, and configuration management. • Provision access to information sources • Harden friendly portions of the domain from unauthorized access • Configure network systems to provide ease of maneuver to friendly forces • Constrain the adversary’s options U.S. approach to Cyber Operations
  • 26.
    26 UNCLASSIFIED UNCLASSIFIED • Twenty-Fourth AirForce manages and defends the AFNet • AFNet is the Air Force portion of the DODIN • 850,000 total force users • Billions of dollars in systems and infrastructure U.S. approach to Cyber Operations
  • 27.
    27 UNCLASSIFIED UNCLASSIFIED • Air Forceadvanced AFNet’s defensive posture through two initiatives • Deployment of Air Force gateways reduced the number of external network access points from 120 to 16 • Consolidated 850,000 users into a single integrated Air Force network, enabling enterprise-wide collaboration and improved, trusted secure communications • This initiative delivers embedded security that substantially reduces an adversary’s ability to act on the network by using compromised user credentials U.S. approach to Cyber Operations
  • 28.
    28 UNCLASSIFIED UNCLASSIFIED • DODIN defensiveimprovements inverted the cost/risk calculus of attack versus defense by forcing the adversary to work harder to find vulnerabilities/making it easier for the defender to guard critical assets • DODIN operators limit attack vectors and reduce vulnerabilities by strategic placement of defensive capabilities on the network U.S. approach to Cyber Operations
  • 29.
    29 UNCLASSIFIED UNCLASSIFIED • DCO missionarea • Twenty-Fourth Air Force’s units prevent, detect, and respond to enemy actions through both active and passive defensive capabilities • Conduct defense through a set of layered, overlapping technologies called “defense in depth,” an architecture that ensures monitoring and defense of avenues of access as well as end points such as clients and servers • DCO operators actively engage adversaries inside Air Force networks to prevent intrusions, detect malicious capabilities and techniques, and respond to system compromises U.S. approach to Cyber Operations
  • 30.
    30 UNCLASSIFIED UNCLASSIFIED • DCO operators •Monitor defenses for signs of attack • Configure defenses to foil future attempts • Detect known adversary tactics (signatures) • Limit visibility into the AFNet • Continuously monitoring intelligence streams for indications of pending attacks • Analyze capabilities and methods used by adversaries • Develop signatures that match patterns unique to a particular attack U.S. approach to Cyber Operations
  • 31.
    31 UNCLASSIFIED UNCLASSIFIED • Twenty-Fourth AirForce has both hunting and pursuit capabilities to offer real-time defense and response against adversary actions and regularly analyze enterprise resources for indications of advanced enemy presence or attempted access • OCO Mission Area • OCO have developed from being non-existent to being well integrated into joint operations • Mission set concentrates on gaining and maintaining access to enemy areas of cyberspace without detection • Requires operators to carefully plan missions to characterize and exploit enemy networks U.S. approach to Cyber Operations
  • 32.
    32 UNCLASSIFIED UNCLASSIFIED • OCO operators •Provide strategic alternatives to Combatant Commanders • Perform network reconnaissance with sophisticated TTPs • Develop techniques, weapons, or select one from an existing repository • After accessing a target, operators establish a permanent presence on the machine while cloaking indications of the incursion, allowing them to maintain access indefinitely U.S. approach to Cyber Operations
  • 33.
    33 UNCLASSIFIED UNCLASSIFIED • OCO operators(continued) • Persistent presence allows OCO operators to effectively exploit information on the target in support of warfighter objectives • Adversaries can block a weapon using a specific signature once it has been detected U.S. approach to Cyber Operations
  • 34.
34
• Operational planners must assess the technical gain/loss associated with the employment of OCO weapons
• If the desired effect is not substantial enough to justify the potential loss of an OCO weapon, then they should consider other methods
• Increased capacity for OCO will put enemy strongholds at risk, forcing adversaries to divert manpower and attention to defenses and reducing the defensive burden on US networks
U.S. approach to Cyber Operations
35
• Future of US Cyberspace Operations
• Although cyber warfare is currently limited to information networks and network-attached systems, it will drastically expand in the future
• Cyber-based effects will not be limited to networks of computers; rather, they will encompass all electronic information processing systems across the land, air, sea, space, and cyberspace domains
• Full domain dominance will permit freedom of maneuver in all war-fighting domains by holding the enemy’s electronic information-processing systems at risk while defending friendly systems from attack
U.S. approach to Cyber Operations
36
PROGRESS CHECK
• Guided Discussion:
• What were the lessons learned identified during Operation Desert Storm?
• What effect do DODIN defensive improvements have on adversaries?
• Explain some of the responsibilities of OCO operators.
Adversary approach to Cyber Ops
38
• Cyber warfare and the future of cyber security
• Common cyber attack targets
• Critical infrastructures
• Power grids, nuclear enrichment facilities, missile launch systems, civilian computers and other devices
• Many attacks rely on recruiting consumer devices into botnets, or simply on using your devices as a way to infect military and corporate networks with malware
• Everyone is exposed to the growing threats of cyber weapons
Adversary approach to Cyber Ops
39
• What is cyber warfare?
• Warfare between states in the cyber realm
• Objectives of launching these attacks vary
• Motives may include
• Stealing corporate or state secrets
• Disrupting critical infrastructure, or merely infecting the software behind this infrastructure and lying silent until it is needed
Adversary approach to Cyber Ops
40
• What is cyber warfare? (continued)
• Even if two states are not actively at war, they will often launch cyber-attacks against each other
• Launching cyber attacks is cheap and essentially undetectable if done correctly
• This is partly because attacks can be launched covertly, and partly because there is no internationally agreed framework for assigning blame, or applying sanctions, for cyber-attacks
Adversary approach to Cyber Ops
41
• Types of cyber attacks
• Man-in-the-middle attacks
• A type of cyber-attack in which a hacker intercepts the data passing between you and a website, app, or server
• Phishing
• Usually designed to get access to your banking details, but phishing is also commonly used in cyber warfare
• Malware
• An attacker needs to infect as many computers as possible with malware in order to increase the chances that one of these civilian machines will then infect the target system
Adversary approach to Cyber Ops
42
• The future of cyber security
• Three key pieces of technology likely to drive the development of cyber warfare in the coming decade
• Machine Learning and AI
• Artificial Intelligence is already being deployed in a wide range of situations
• Likely that governments are already incorporating it into their cyber weapons
• The Cloud
• Represents both a risk and an asset
• Distributed storage can make critical information easier to steal
• Blockchain
• Secure way to share key information between multiple users
Adversary approach to Cyber Ops
43
• Adversary attack behavior model
• Shows how three key aspects of an adversary’s successful cyberattack translate into probability of success
• Means, Motive, and Opportunity for Cyber Attacks
• Analysis of attacker behavior in the cyber realm
• Adversary must first determine which attack steps are available options, then determine which available attack step option is most attractive
• Success of an attempt is determined by the capability of the adversary to execute such an attack step
Adversary approach to Cyber Ops
44
• Three stages of an adversary’s attack attempt
• Opportunity: Attack Step Precondition
• Motive: Probability of Attempt
• Four attractiveness measures
• Cost to the adversary in attempting the attack step
• Payoff to the adversary for successfully executing the attack step
• Probability of successfully completing the attack step, as perceived by the adversary
• Probability of being detected by the system during or after attempting the attack step
• Means: Probability of Success Given Attempt
Adversary approach to Cyber Ops
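Slides 43 and 44 describe the model in words: preconditions filter the options (opportunity), the four measures decide which option is attempted (motive), and the adversary's actual capability decides whether the attempt succeeds (means). The block below is an added example that is not part of the lecture: it puts the three stages into code for a handful of constructed attack steps and then shows the defender's reading of the model, namely that raising the detection probability on one step lowers its attractiveness until the adversary would pick a different one. The attack steps, their numbers and the weights are made up, and the weighted-sum form of the attractiveness function is an assumption chosen for illustration, not a formula the lecture gives.

```python
"""Added example (not part of the lecture): a small model of the three
stages on the slide, opportunity -> motive -> means, and of how a
defensive change shifts the adversary's choice. The attack steps,
their measures and the weights are constructed; the weighted-sum
attractiveness function is an assumption used for illustration, not a
formula from the lecture."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AttackStep:
    name: str
    preconditions: frozenset      # what the adversary must already hold (opportunity)
    cost: float                   # 0..1, normalized cost to the adversary
    payoff: float                 # 0..1, normalized payoff on success
    p_success_perceived: float    # adversary's own estimate of success
    p_detect: float               # probability the system detects the attempt
    p_success_actual: float       # true probability given the adversary's means


# Constructed weights: how much this adversary values each measure.
WEIGHTS = {"cost": 0.2, "payoff": 0.4, "success": 0.2, "detect": 0.2}

# Constructed attack steps; names are generic and the numbers are made up.
STEPS = [
    AttackStep("phish-credentials", frozenset(), 0.2, 0.5, 0.6, 0.3, 0.5),
    AttackStep("exploit-external-service", frozenset(), 0.5, 0.6, 0.4, 0.6, 0.3),
    AttackStep("move-laterally", frozenset({"user-credentials"}), 0.3, 0.9, 0.7, 0.2, 0.6),
]


def attractiveness(step, w=WEIGHTS):
    """Motive: higher is more attractive, i.e. low cost, high payoff,
    high perceived success and low chance of detection (assumed form)."""
    return (w["cost"] * (1 - step.cost)
            + w["payoff"] * step.payoff
            + w["success"] * step.p_success_perceived
            + w["detect"] * (1 - step.p_detect))


def available_steps(steps, adversary_state):
    """Opportunity: a step is an option only if its preconditions are met."""
    return [s for s in steps if s.preconditions <= adversary_state]


def choose_step(steps, adversary_state):
    """Motive: among the available steps, the adversary attempts the most
    attractive one. Returns None when nothing is available."""
    options = available_steps(steps, adversary_state)
    return max(options, key=attractiveness) if options else None


def probability_of_success(steps, adversary_state):
    """Means: probability the chosen attempt succeeds, from actual capability."""
    step = choose_step(steps, adversary_state)
    return 0.0 if step is None else step.p_success_actual


def with_detection(step, p_detect):
    """Defender's lever: the same step with a higher detection probability,
    e.g. after adding monitoring for that tactic."""
    return replace(step, p_detect=p_detect)


if __name__ == "__main__":
    start = frozenset()
    print("first choice:", choose_step(STEPS, start).name)
    hardened = [with_detection(STEPS[0], 0.95)] + STEPS[1:]
    print("after raising detection of phishing:", choose_step(hardened, start).name)
```

Two things the numbers make visible that the slide only states: the lateral-movement step is the most attractive of the three but is not an option until the credential precondition is met, which is the opportunity stage doing its job, and the phishing step stops being the adversary's first choice once its detection probability is pushed high enough, which is the motive stage responding to a purely defensive change. The perceived and actual success probabilities are kept separate on purpose, because the adversary chooses on what it believes and succeeds on what is true.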
45
• What to do about it
• Follow local cyber security procedures
• Encrypt everything
• A powerful tool to protect your information and privacy
• Encryption stops anyone else from being able to read the data you are sending
• Protects you against many common forms of cyber-attack
• Using a Virtual Private Network (VPN), you can make sure that every piece of information you send or receive online is encrypted
• VPNs will also protect against a wide array of online threats
Adversary approach to Cyber Ops
46
PROGRESS CHECK
• Guided Discussion:
• Identify the three stages of an adversary’s attack attempt
• Summarize the four attractiveness measures that contribute to an adversary’s probability of attempt
• What is one of the best tools you have to defend against a cyber-attack?
Adversary approach to Cyber Ops
47
• Adversary cyber profiles
• Use the “Adversary Cyber Profile” handout
• Russia
• China
• Iran
• North Korea
Adversary approach to Cyber Ops
48
PROGRESS CHECK
• Open Book Discussion:
• Summarize one cyber strategy from one of the countries identified in the handout
• Students summarize one cyber capability from one of the countries identified in the handout
Adversary approach to Cyber Ops
49
• Top 10 of the world's largest cyberattacks
• Use the “TOP 10 of the world's largest cyberattacks _ Outpost 24 blog” handout
• Adobe
• Sony
• South Korea
• Target
• Alteryx
• Equifax
• Adult Friend Finder
• Marriott Hotels
• Hold Security
• Yahoo!
Adversary approach to Cyber Ops
50
PROGRESS CHECK
• Open Book Discussion:
• Summarize one cyber-attack identified in the handout
• Identify protection measures your mission systems employ that prevent these types of attacks
Adversary approach to Cyber Ops
51
Summary
• Criterion Objective:
• Given associated reference materials and this lecture, identify potential vulnerabilities and threats to your weapon system with at least 80% accuracy
52
Summary
• Enabling Objectives:
• Given associated reference materials and this lecture, identify basic facts and terms pertaining to Cyber Operations with at least 80% accuracy
• Given associated reference materials and this lecture, summarize the United States approach to Cyber Operations with at least 80% accuracy
• Given associated reference materials and this lecture, describe the United States adversaries’ approach to Cyber Operations with at least 80% accuracy