Law of Armed Conflict: Implications for Navy Cyber Strategy

CARNEGIE MELLON UNIVERSITY
Law of Armed Conflict:
Implications for Navy Cyber Strategy
Masters of Information Technology Strategy
Practicum - 2012
CDR James Adkisson, Mr. Tokunbo Davies, LT Brian Evans,
Mr. Rick Lanchantin, Ms. Patty Walters
Information Networking Institute
8/3/2012
ABSTRACT
The pervasiveness of computing and network technologies has led to the emergence of
cyberspace as a warfare domain. As with any traditional warfare domain, military actions in
cyberspace are subject to a set of international laws and norms known as the Law of Armed
Conflict (LOAC). While the United States (U.S.) Navy is working to develop capabilities within
the cyberspace domain, the level of knowledge and understanding within the Navy regarding the
application and implications of LOAC to cyber is unclear. This report examines LOAC, U.S.
cyber operations policy, and U.S. Navy cyber readiness, using the information to develop a cyber
operations case study scenario. The scenario presents an evolving cyber event involving the
Islamic Republic of Iran and a U.S. Carrier Strike Group (CSG). The scenario was used to
conduct original research evaluating cyber operators’ and commanders’ knowledge and
understanding about the implications of LOAC on cyber operation and strategy. Case study
findings as well as background research are utilized to provide recommendations aimed at
assisting the Navy in fulfilling its mission within the cyberspace domain.
EXECUTIVE SUMMARY
“Modern armed forces cannot conduct high-tempo, effective operations without reliable
information and communication networks and assured access to space and cyberspace.”
- Secretary of Defense Leon E. Panetta, January 2012
The ongoing technological revolution has redefined the way the United States (U.S.)
military conducts operations. The advance of technology has allowed the U.S. Department of
Defense (DoD) to migrate the exchange of information, intelligence and command and control
signals to cyberspace. As a result, all other warfare domains have become reliant on operations
within cyberspace. Given this dependence, U.S. adversaries have clearly identified cyberspace
as a potential center of gravity. The pervasiveness of technology has created a low threshold of
entry for any adversary desiring cyberspace capability. Unable to compete with the U.S. in
terms of conventional military capability, such adversaries seek to use cyberspace as an asymmetric
advantage. The threat to the U.S. presented by these capabilities has led to the recognition of
cyberspace as an independent warfighting domain.
While recognizing and working to adapt to the emergence of cyberspace as a warfare
domain, it is unclear whether the Navy is prepared for the full range of actions in this dynamic
environment. One area of uncertainty that has received little attention is the sufficiency of
understanding within the Navy regarding the application and implication of Law of Armed
Conflict (LOAC) on cyberspace operations. Of particular concern is the impact of LOAC on
cyberspace operations conducted by maritime combatants. The Navy’s emphasis on forward
deployment for force projection places commanders of maritime combatants in areas with higher
likelihoods for cyber conflict. This increased likelihood, coupled with the characteristics of high
geographic dispersion and low rates of connectivity that have historically characterized U.S.
naval operations, creates a rich threat environment. Additionally, the traditional independence
given commanders of maritime combatants creates the opportunity for them to exercise a larger
degree of discretion regarding the use of force. As a result, the 2012 Master of Information
Technology Strategy Practicum Report, Law of Armed Conflict: Implications for Navy Cyber
Strategy, examines the LOAC, U.S. cyber operations policy, and U.S. Navy cyber readiness with
a focus on maritime combatants.
The Law of Armed Conflict: Implications for Navy Cyber Strategy report begins with a
review of international law, focusing in on the elements of LOAC. The review identifies areas of
uncertainty in international law concerning how ‘use of force’ and ‘armed attack’ are defined in
the context of cyber operations. Within international law there are also conflicting legal
arguments regarding whether the use of cyber attacks violates LOAC. The arguments concern
the potential for widespread effects, both intentional and unintentional, or whether cyber attacks
are more humane due to their non-lethal nature, assuming they are engineered correctly.
In terms of policy, the Law of Armed Conflict: Implications for Navy Cyber Strategy
report reveals that U.S. cyber operations policies, including priorities stated by the White House,
have been primarily focused on defense. In contrast, policy for offensive cyber operations
(OCO) is non-existent. The report attributes this to retention of authorities at the national
strategic level due to intelligence gain-versus-loss concerns. While intelligence gathering
activities conducted via Exploitation Cyber Operations (ECO) continue to be governed by Title 50
of the U.S. Code, these mandates apply only to activities conducted by the Intelligence Community (IC)
and provide no authorizations for military combatants engaged in normal operations. The report
asserts that as a result of the lack of both OCO and ECO authorities, current policies restrain the
tactical and operational commanders’ ability to forcefully respond to cyber attacks as permitted
by LOAC.
Law of Armed Conflict: Implications for Navy Cyber Strategy also provides a review of
U.S. Navy cyber readiness with a focus on maritime combatants. The review broadly identifies
the key elements of the Navy’s cyber readiness: technology, personnel and policy. With regard
to technology, the report identifies significant progress in cyber defense based on standardization
and defense-in-depth; however, these approaches have largely focused on meeting commercial
threats, with minimal analysis of threats specific to Navy systems.
Additionally, maritime combatants lack the capability for organic cyber forensic analysis. In
contrast to the Navy's large investment in defensive technology, there are currently no major
efforts to obtain or develop afloat cyber technologies for OCO or ECO. In the area of
personnel, the Navy currently lacks sufficient expertise across the spectrum of cyber operations,
including sufficiently trained commanders. Similar to the other areas, Navy policy has largely
focused on cyber defense. The report identifies a lack of effective information sharing between
cyber operations and Navy intelligence elements as well as a lack of policy mandating red
teaming for vulnerability discovery or readiness evaluation, as avenues for continued
improvement. Additionally, the report highlights that the absence of OCO policy from higher
authorities has led the Navy to forgo policy development in this area.
These three topics above come together in Law of Armed Conflict: Implications for Navy
Cyber Strategy and are combined with an analysis of Iranian cyber readiness to generate a case
study involving cyber events that affect a U.S. Carrier Strike Group (CSG). The case study
revealed a range of interpretations regarding the application and implications of LOAC for Navy
cyber operations. Additionally, the study exposed the absence of consensus regarding the
thresholds for what are considered ‘cyber attacks’, ‘armed attacks’ in cyberspace, and when
‘inherent right to self-defense’ is warranted. The study also made clear that if a CSG did desire
to respond to an ‘armed attack’ within cyberspace in accordance with its inherent right to self-defense, tactical commanders have neither the authorities nor the tools necessary. Finally, the case
study and research results point to the absence of a central repository or publication to bring
together the scope of information and references concerning the application and implication of
LOAC on Navy cyber operations.
Law of Armed Conflict: Implications for Navy Cyber Strategy, leveraging the results of
the reviews and case study, proposes a number of recommendations to help the Navy fulfill its
mission and Joint responsibilities within the cyberspace domain. These recommendations
include:
- Creation of a reference repository or publication containing information required
  to understand the implications to Navy cyberspace operations
- Ensure delivery of adequate instruction for commanders and Judge Advocate
  General (JAG) lawyers on cyber operations (threats, policies, implications of
  LOAC) commensurate with its critical role in modern naval combat
- Implement policies strengthening ties between cyberspace operators and
  intelligence elements
- Improve means for translating adversary cyberspace capabilities into actionable
  threat evaluations centered on risks
- Develop and deploy organic forensics analysis capability onboard maritime
  combatants
- Implement policies mandating red teaming for vulnerability discovery and
  readiness evaluation
While each of the above recommendations represents an avenue for potential Navy
action, Law of Armed Conflict: Implications for Navy Cyber Strategy suggests additional studies
of each to identify and analyze the most impactful, cost-effective, and expeditious means of
implementation.
ACKNOWLEDGEMENTS
The information and findings in this report would not have been possible without the gracious
assistance of many individuals, both active duty military and civilian. In each instance, these
individuals were extremely generous in giving of their time and extensive expertise.
We would like to extend our extreme gratitude to the following individuals:
CAPT Terry Roberts (USN Ret), former Deputy Director of Naval Intelligence,
for her mentorship as we developed and refined the concept for this practicum,
especially regarding the identification of potential adversaries for our case study.
RADM Sam Cox (USN), Director of Intelligence at U.S. Cyber Command for his
uninterrupted time and unique insight into the cyber challenges facing the nation
and the U.S. Navy. Additionally, we sincerely appreciate his counsel in shaping
the scope of this practicum to enhance its utility in meeting the needs of the Navy.
Mr. Jack Summe (SES), Mr. Josh Alexander, and Mr. Michael McNerney from
the Office of the Secretary of Defense (Cyber Policy & Law) for their time,
expertise, and generous donation of Pentagon facilities.
CAPT William Diehl (USN), CAPT Eric Exner (USN), CAPT James Mills
(USN), CAPT Brian Broene (USN Ret), CDR Dan Kenda (USN), LtCol Troy
Mattahorn (USMC), CDR Dan Sander (USN), and MAJ Geoffrey DeWeese
(USA) for their participation in our case study analysis. Also, Mr. Jim Hansis,
Mr. Fred Tafoya, Mr. Mike Weaver, and Mr. Keith Gologorsky. We would also
like to extend special thanks to CDR Mick Brons (USN) and the Fleet
Information Operations Center (FIOC) Defense Cyber Operations (DCO) at
Naval Information Operations Center (NIOC) Maryland who fully embraced the
spirit of the case study and utilized the scenario as a real-time training exercise,
providing excellent feedback for our analysis.
LCDR Matthew Cegelske (USN), Cyber Federal Executive Fellow, for his
assistance in providing research material and advice on avenues of academic
exploration.
Our Carnegie Mellon University Faculty Advisors, CDR Dave ‘Rooter’ Root
(USN Ret) for his academic guidance and mentorship throughout this process as
we negotiated the development, research and production of this practicum. Dr.
Harry M. Bovik, Carnegie Mellon University, for his continual encouragement
and for inspiration that will last a lifetime.
A special thanks is also extended to CAPT Mills and CDR Kenda who took time to assist us with
this practicum despite being currently deployed to the Commander Fifth Fleet area of operations.
TABLE OF CONTENTS
I. INTRODUCTION
   A. Purpose
   B. Scope
   C. Report Progression
II. REVIEW OF THE LAW OF ARMED CONFLICT
   A. Background
   B. Jus in bello
   C. Jus ad bellum
   D. Inherent Right to Self-Defense
   E. Force in Cyberspace
   F. Summary
III. REVIEW OF U.S. CYBER OPERATIONS POLICY
   A. Introduction
   B. Defining Policy
   C. Existing National Cyber Policy
   D. Summary
IV. U.S. NAVY CYBER READINESS
   A. Introduction
   B. Technology
   C. Personnel
   D. Policy
   E. Summary
V. CASE STUDY: IRANIAN CYBER CONFLICT
   A. Introduction
   B. Iranian Cyber Readiness
      1. Background
      2. Investment in Cyber Capabilities
      3. Offensive Cyber Capabilities
      4. Defensive Cyber Capabilities
      5. Impact to U.S. Navy Operations
   C. Case Study Methodology
      1. Background
      2. Scenario Generation
      3. Question Generation
      4. Sample Selection
      5. Sources of Bias
   D. Case Study Results
      1. Question Set 1
      2. Question Set 2
      3. Question Set 3
      4. Question Set 4
      5. Question Set 5
   E. Case Study Findings
      1. Nomenclature
      2. Functions and Resources
      3. Cyber Procedures
VI. RECOMMENDATIONS
   A. Introduction
   B. Deficiencies
   C. Recommendations
REFERENCES
APPENDIX A – ACRONYMS AND ABBREVIATIONS
APPENDIX B – CASE STUDY SUPPORTING MATERIALS
   A. List of Participants
   B. Case Study Scenario as Presented
   C. Case Study Responses
I. INTRODUCTION
“Modern armed forces cannot conduct high-tempo, effective operations without
reliable information and communication networks and assured access to space and
cyberspace.”
- Secretary of Defense Leon E. Panetta, January 2012
A. Purpose
The ongoing technological revolution has redefined the way the United States (U.S.)
military conducts operations. At the heart of every successful operation is an effective exchange
of information, intelligence and command and control (C2) signals. The advance of technology
has allowed the U.S. Department of Defense (DoD) to migrate this exchange to cyberspace.[a]
This migration enables enhanced coordination of forces, precision weapons delivery, increased
access to information, and a more rapid decision cycle. As a result, the four other warfare
domains have become reliant on operations within the cyberspace domain. Within the range of
U.S. military operations, assured access to cyberspace and the ability for C2 to deliver decisive
effects in cyberspace are a prerequisite for achieving maximum effectiveness and advantage for
Navy and Joint commanders.
Given the U.S. military’s dependence on cyberspace, adversaries have clearly identified it
as a center of gravity. The pervasiveness of technology has created a low threshold of entry for
any adversary desiring cyberspace capability. Unable to compete with the U.S. in terms of
conventional military capability, such adversaries seek to use cyberspace as an asymmetric
advantage. The threat to the U.S. presented by these capabilities has led to the recognition of
cyberspace as an independent warfighting domain.
[a] DoD Joint Publication 1-02 defines cyberspace as: A global domain within the information environment consisting
of the interdependent network of information technology infrastructure, including the Internet, telecommunications
networks, computer systems, and embedded processors and controllers.
Although cyberspace is a relatively new warfare domain, the international laws and
norms that govern armed conflict between nation states are not. These international laws and
norms are collectively known as the Law of Armed Conflict (LOAC) and are equally
applicable in cyberspace as in any other warfare domain. While the applicability of
LOAC is not in question, the unique characteristics of cyberspace create challenges in
interpreting appropriate limits on military operations.
The U.S. Navy has recognized cyberspace as a warfare domain and is working to adapt to
it; however, it is unclear whether the Navy is prepared for the full range of actions in this
dynamic environment. One area of uncertainty that has received little attention is the sufficiency
of understanding within the Navy regarding the application and implication of LOAC on
cyberspace operations. As a result, this report will examine the current level of knowledge and
understanding within the Navy regarding the application and implications of LOAC within
cyberspace. These findings will inform recommendations aimed at assisting the Navy in
fulfilling its mission within the cyberspace domain.
B. Scope
While this report examines the Navy’s current understanding of LOAC as it applies to
cyberspace operations, the examination is specifically focused on cyberspace operations
conducted by maritime combatants. This focus was selected for three reasons. First, the Navy’s
emphasis on forward deployment for force projection places commanders of maritime
combatants in areas with higher likelihoods for cyber conflict. Second, the traditional
independence given commanders of maritime combatants creates the opportunity for them to
exercise a larger degree of discretion regarding the use of force. Finally, U.S. naval operations
are historically characterized by high geographic dispersion of combatants with low rates of
connectivity, increasing the risks associated with disruption in access to cyberspace.
C. Report Progression
The remaining body of this report is divided into five sections. The next section discusses
LOAC in the context of jus in bello, establishing norms for conduct of belligerents after the
commencement of hostilities, and jus ad bellum, establishing when a nation is permitted to
engage in armed conflict. Particular attention is provided to aspects of LOAC that create
challenges for the conduct of cyberspace operations. The section following provides an
overview of policy governing U.S. military cyber operations and strategy. In this section
policies are examined to determine what guidance is provided to cyber operators that supports
and constrains actions within the bounds of LOAC. The report then proceeds with a section
examining current U.S. Navy cyber readiness, with a focus on the Navy’s technologies,
personnel and policies that support operations within cyberspace. The report transitions into a
case study, beginning with a review of the Islamic Republic of Iran’s cyber capability. The
information from this review is combined with that of the three previous sections to develop a case
study scenario and accompanying questions. The scenario presents the reader with an evolving
fictional cyber event involving Iran and affecting a U.S. Carrier Strike Group (CSG). The case
study scenario and questions were distributed to a sample of individuals, many of whom are currently
forward deployed. Participant responses to the questions form the basis for an evaluation of the
baseline level of knowledge and understanding regarding the application and implication of
LOAC to cyberspace operations. The final section uses the case study findings and research
results from all previous sections to provide summarizing remarks and recommendations aimed
at assisting the Navy in fulfilling its mission within the cyberspace domain.
II. REVIEW OF THE LAW OF ARMED CONFLICT
A. Background
Cicero’s classic maxim states that “Laws are silent amidst the clash of arms,” but the
modern world has adamantly rejected this premise.1 As a result, international consensus and
agreements have been developed that constrain the extremes of war. These constraints are
embodied in LOAC, International Humanitarian Law (IHL) and the Geneva Conventions.
These laws seek to limit the effects of armed conflict on persons who are not actively
participating in hostilities. When LOAC was written, the primary concern was the potential
impact of conventional arms on non-combatants; however, the emergence of cyber weapons has
created questions about the application of LOAC. If sequenced correctly and delivered
accurately, cyber weapons can be as devastating as conventional munitions, and can bring with them
collateral damage, including civilian casualties. When considering LOAC and IHL, it is
beneficial to consider the concepts of jus in bello, the principles designed to limit unnecessary
suffering and destruction during armed conflict, and jus ad bellum, the criteria for determining
when a state may legitimately use force. The following discussions of LOAC are similarly
organized based upon these two philosophical classifications.
B. Jus in bello
Every member of the armed forces, regardless of rank or pay grade, is responsible for
their own conduct and compliance with LOAC, as well as for ensuring compliance by subordinates.
Violations can and have resulted in prosecutions not only in U.S. courts, but also in foreign
jurisdictions, courts, and tribunals. Under LOAC, commanders have a broad and unique responsibility to:2
- Ensure that personnel under their command are trained regarding LOAC
- Give lawful and unambiguous orders
- Take responsibility for difficult decisions
- Ensure that orders are lawfully carried out by their subordinates
- Report violations by members of enemy or allied forces, including their own, to a
  higher military authority
The Geneva Conventions (1949) make up the primary basis for the LOAC and IHL.3
They consist of four conventions, as well as three additional protocols, and were primarily
crafted in the aftermath of the Second World War (WWII). The first two protocols were adopted
in 1977 and extended the terms of the 1949 Conventions with additional protections. A third
protocol was added in 2005.
The first convention deals with the “Amelioration of the Condition of the Wounded and
Sick in Armed Forces in the Field.” The second convention provides for “Amelioration of the
Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea.” The third
convention covers topics related to the “Treatment of Prisoners of War.” The fourth and final
convention dictates the “Protection of Civilian Persons in Time of War.”4
In 1977, two protocols were added to the terms of the conventions. The first was an
addition to the Geneva Conventions of 12 August 1949, and relates to the Protection of Victims
of International Armed Conflicts. The second protocol added addresses the Protection of
Victims of Non-International Armed Conflicts.5 The most recent protocol concerning the
Adoption of an Additional Distinctive Emblem was added to the Geneva Conventions in 2005.6
A central concept within LOAC and IHL for restraining the devastation of armed conflict
is the Principle of Proportionality. Following a decision to employ force, a state must consider
the extensiveness of the target set and the required degree of force. According to Gary Sharp,
“proportionality is a limitation on the use of force against a military objective only to the extent
that such a use of force may cause unnecessary collateral destruction of civilian property or
unnecessary human suffering of civilians.”7 Adhering to the principle of proportionality requires
commanders to balance the desire to avoid collateral damage and the successful pursuit of the
military objective.
In addition to proportionality, constraining the extremes of armed conflict requires a clear
distinction between individuals engaged in armed conflict (combatants) and those who are not
engaged in armed conflict (non-combatants). LOAC provisions allow the use of force against
combatants in specific circumstances, but in all cases seek to minimize the suffering of non-combatants. Combatants that become hors de combat, combatants outside the fight, are those
who have lost or given up the ability or intent to participate in hostilities. Non-combatants are
protected from attack but lose that protection if they take direct part in hostilities for the duration
of their participation.
C. Jus ad bellum
The conclusion of WWII brought with it a consensus in the international community that
the use of force to settle international disputes is flawed. The United Nations (U.N.) sought to
provide an alternative framework for resolving disputes, including a prohibition against the use
of force as a means of conducting international relations. Article 2(4) of the U.N. Charter
requires member states to refrain from both the use and the threat of the use of force.8 Language
in Article 51 articulates the recognized and customary right to self-defense stating, “Nothing in
the present Charter shall impair the inherent right of individual or collective self-defense if an
armed attack occurs against a member of the United Nations.”9
The U.N. Charter uses the terms ‘aggression’, ‘armed attack’ and ‘use of force’ in a
number of provisions without clear definitions. This omission has resulted in a 50-year debate
over intended meanings. U.N. General Assembly Resolution 3314, passed in 1974,
partially addressed this omission: Article 1 of the Resolution defines aggression as “the use of armed
force by a State against the sovereignty, territorial integrity or political independence of another
State, or in any other manner inconsistent with the charter of the U.N., as set out in this
Definition.”10 Article 3 goes on to specify:11
“Any of the following acts, regardless of a declaration of war, shall, subject to and in
accordance with the provisions of article 2, qualify as an act of aggression:
(a) The invasion or attack by the armed forces of a State of the territory of another
State, or any military occupation, however temporary, resulting from such
invasion or attack, or any annexation by the use of force of the territory of another
State or part thereof;
(b) Bombardment by the armed forces of a State against the territory of another State
or the use of any weapons by a State against the territory of another State;
(c) The blockade of the ports or coasts of a State by the armed forces of another
State;
(d) An attack by the armed forces of a State on the land, sea or air forces, or marine
and air fleets of another State;
(e) The use of armed forces of one State which are within the territory of another
State with the agreement of the receiving State, in contravention of the conditions
provided for in the agreement or any extension of their presence in such territory
beyond the termination of the agreement;
(f) The action of a State in allowing its territory, which it has placed at the disposal
of another State, to be used by that other State for perpetrating an act of
aggression against a third State;
(g) The sending by or on behalf of a State of armed bands, groups, irregulars or
mercenaries, which carry out acts of armed force against another State of such
gravity as to amount to the acts listed above, or its substantial involvement
therein.”
Although the U.N. Charter addresses the use of military force, Article 41 sets out
measures “not involving the use of armed force” which the Security Council may employ to
enforce its decisions. By implication, Article 41 treats “complete or partial interruption of
economic relations and of rail, sea, air, postal, telegraphic, radio and other means of
communication” as not constituting uses of armed force.12 This boundary on the ‘use of force’ is of
particular interest when considering cyber operations and their capability to cause economic
consequences and political instability without physical intrusion into a nation state.
D. Inherent Right to Self-Defense
The language of Article 51 and its discussion of the ‘inherent right of self-defense’
provide significant room for debate about the extent of this right.13 Extending this discussion to
cyber operations, the question becomes what constitutes an attack on an information system
sufficient to justify self-defense. Currently there is no consensus on a threshold of action that
would permit self-defense to ensure continued operation of a nation’s critical infrastructure.[a]
Any act of self-defense is expected to be conducted within a reasonable time period following
the offending action. Additionally, without continued aggression by the offending nation, a
delay in response may become unlawful and be considered an act of retaliation instead of self-defense.14 This creates challenges in responding to a cyber attack where attribution takes an
extended period of time.
Disagreement exists amongst international legal scholars whether the right of anticipatory
self-defense exists under international law. Despite this debate, a significant number of military
and political leaders accept its legitimacy. U.S. doctrine relies heavily on the validity of
anticipatory actions. This is illustrated in the current National Security Strategy: 15
We will disrupt, dismantle, and defeat al-Qa’ida and its affiliates through a
comprehensive strategy that denies them safe haven, strengthens front-line
partners, secures our homeland, pursues justice through durable legal approaches,
and counters a bankrupt agenda of extremism and murder with an agenda of hope
and opportunity. The frontline of this fight is Afghanistan and Pakistan, where we
are applying relentless pressure on al-Qa’ida, breaking the Taliban’s momentum,
[a] Section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)) defines critical infrastructure as:
Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on security, national economic security, national public
health or safety, or any combination of those matters.
and strengthening the security and capacity of our partners. In this effort, our
troops are again demonstrating their extraordinary service, making great sacrifices
in a time of danger, and they have our full support.
- President of the United States, 2010
E. Force in Cyberspace
International law clearly supports the use of force as a response to an armed attack or in
self-defense. The question regarding cyber operations is what should be considered an ‘armed
attack’ in cyber space? W. Gary Sharp suggests that an armed cyber attack should be evaluated
using a sliding scale that is adjusted based on the specifics of the situation. He asserts that
“What constitutes a prohibited ‘threat or use of force,’ in cyberspace and elsewhere, is a question
of fact that must be subjectively analyzed in each and every case in the context of all relevant
law and circumstances.”16 Ultimately, it is the victim state that determines whether such act was
‘use of force’ and what response it will take; however, these decisions are always subject to
judgment by the international community.
F. Summary
The uncertain definition of the ‘use of force’ is increasingly problematic when analyzing
cyber attacks. Although cyber attacks typically do not rely on directly lethal effects, they present a clear
danger due to their ability to inflict both intended and unintended damage on critical
infrastructure, financial markets, banks and the overall welfare of a nation. Such attacks could
lead to the paralysis of a nation through an inability to support its population, resulting in
significant suffering and/or death of non-combatants. As a result, there is a strong argument that
the threat of cyber attack is itself a violation of the U.N. Charter and LOAC. In contrast, there is
also an argument that cyber should be used in preference to conventional weapons in order to
comply with LOAC. This argument is based on the assertion that cyber attacks are more
humanitarian because they have less potential to create collateral damage than conventional
weapons. These are the issues that commanders and military planners must balance when
conducting operations in cyberspace.
Notes:
1 Cicero, Marcus Tullius. “Speech in Defense of Titus Annius Milo”, 52 BC.
2 International Committee of the Red Cross (ICRC). "Law of Armed Conflict, Basic Knowledge." Training. International Red Cross, June 2002.
3 Final Record of the Diplomatic Conference of Geneva. "Final Record of the Diplomatic Conference of Geneva of 1949." Bern: Federal Political Department, 1949.
4 Ibid.
5 International Committee of the Red Cross. "Protocols additional to the Geneva Conventions of 12 August 1949." Geneva: International Committee of the Red Cross, 1977. 89-101.
6 Notification of the Federal Department of Foreign Affairs of Switzerland. "Protocol additional to the Geneva Conventions of 12 August 1949." Geneva Conventions, Protocol III. Bern: International Committee of the Red Cross, 2005.
7 Sharp, Walter Gary. Cyberspace and the Use of Force. Falls Church, VA: Aegis Research Corporation, 1999. p. 40.
8 United Nations. (1945). Charter of the United Nations and Statute of the International Court of Justice. San Francisco: United Nations. Article 2(4).
9 United Nations. (1945). Charter of the United Nations and Statute of the International Court of Justice. San Francisco: United Nations. Article 51.
10 United Nations. (1974). U.N. General Assembly Resolution 3314. New York: United Nations. Article 1.
11 Ibid., Article 3.
12 United Nations. (1945). Charter of the United Nations and Statute of the International Court of Justice. San Francisco: United Nations. Article 41.
13 United Nations. (1945). Charter of the United Nations and Statute of the International Court of Justice. San Francisco: United Nations. Article 51.
14 Ibid.
15 President of the United States. "National Security Strategy." Whitehouse.gov. May 2010. http://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf (accessed July 12, 2012).
16 Sharp, Walter Gary. Cyberspace and the Use of Force. Falls Church, VA: Aegis Research Corporation, 1999.
III. REVIEW OF U.S. CYBER OPERATIONS POLICY
A. Introduction
In February 2012 testimony to Congress, the Director of National Intelligence (DNI),
Director of the Central Intelligence Agency (CIA), and Director of the Federal Bureau of
Investigation (FBI) stated that cyber security ranks among the top national security concerns.
They also indicated that current policy requires revision to address how the use of force in
cyberspace conforms to national and international law, including LOAC.1 The previous section
reviewed the applicability of LOAC to cyber operations. This section builds on that
understanding and reviews the national policies that impact DoD operations in cyberspace.
B. Defining Policy
The DoD does not expressly define the term ‘policy’. A standard dictionary definition
implies that policy provides guidance for solving problems without explicitly defining the
solution.2 Accordingly, policy for cyber operations should offer a means to arrive at solutions
for achieving the established operational objectives within cyberspace.
While DoD policy is designed to guide the decision-making process, the policies must
conform to LOAC. Accordingly, the DoD has stated that current policy and legal regimes that
govern actions in traditional warfare domains also apply to cyberspace operations.3 The U.S.
Navy has in turn stated that Navy cyberspace operations will conform to DoD and national
efforts.4 Despite these efforts, cyber policy across the U.S. Government remains severely
underdeveloped. Many of the policy documents from the Executive Branch, DoD, individual
military services, and Department of Homeland Security (DHS) were written more than ten years
ago. Despite their age, these documents continue to influence decisions about cyber operations
that result in “legally acceptable plans and orders that support national security objectives.”5
C. Existing National Cyber Policy
While there is significant debate regarding cyber operations amongst the international
community, the U.S. Government (USG) is moving forward to try to establish domestic
strategies and policies. These policies can generally be examined from the perspectives of
offense and defense. Due to the lack of international consensus regarding the characteristics of an
‘armed attack’ in cyberspace, there is minimal policy regarding Offensive Cyber Operations
(OCO) or Exploitation Cyber Operations (ECO). Policy concerning OCO continues to suffer
from a lack of authorities concerning its use. ECO is conducted under U.S. Title 50 authorities
that govern the operations of the Intelligence Community (IC).6 The international community
does agree that if a cyber attack were to meet the threshold of an ‘armed attack’, then the
provisions of LOAC and IHL apply.
In contrast to offensive policies, policies guiding Defensive Cyber Operations (DCO) are
largely derived from domestic law. National policies concerning DCO primarily address
methods to establish and maintain confidentiality, integrity, and availability of U.S. networks
through defense-in-depth by preventing, detecting, containing threats, and establishing methods
of recovery. The White House 2009 Cyberspace Policy Review discusses the component
elements of cyber security policy as:
“Cyber security policy includes strategy, policy, and standards regarding the security of
and operations in cyberspace, and encompasses the full range of threat reduction,
vulnerability reduction, deterrence, international engagement, incident response,
resiliency, and recovery policies and activities, including computer network operations,
information assurance, law enforcement, diplomacy, military, and intelligence missions
as they relate to the security and stability of the global information and communications
infrastructure.”7
U.S. cyber security policy assigns management of and responsibility for the ‘.mil’ Internet domain to
the DoD and the ‘.gov’ domain to the DHS. While the U.S. does solicit participation from private
industry, which designs, builds, owns, and operates most of the network infrastructure that
supports the government, current law does not permit the tools employed to protect
government assets to be used to protect commercial assets.8 This policy directly conflicts with
other policies designed to leverage experience from military operations to assist in protecting the
U.S. civilian critical infrastructure.
Additional guidance is provided by the White House which established cyberspace policy
for the DoD that loosely mirrors the Political, Military, Economic, Social, Intelligence, and
Information structure that is used for the military’s Theater Security Cooperation (TSC)
planning.9 While this construct addresses numerous cyber security issues, it does not address
OCO. A summary review of the White House priority policies from the “International Strategy
for Cyberspace” is shown in Table 1 below:
Table 1 has a row for each priority level and a column for each of the seven policy areas (Economy, Networks Protection, Law Enforcement, Military, Internet Governance, International Development, and Internet Freedom); its cells are reproduced here as lists.

Priority: High
- Sustain a free-trade environment that encourages technological innovation on accessible, globally linked networks
- Promote cyberspace cooperation, particularly on norms of behavior for states & cyber security, bilaterally, & in a range of multilateral organizations & multinational partnerships
- Participate fully in international cybercrime policy development
- Recognize and adapt to the military’s increasing need for reliable and secure networks
- Prioritize openness and innovation on the Internet

Priority: Low
- Protect intellectual property, including commercial trade secrets, from theft
- Ensure the primacy of interoperable and secure technical standards, determined by technical experts
- Reduce intrusions into and disruptions of U.S. networks
- Ensure robust incident management, resiliency, and recovery capabilities for information infrastructure
- Improve the security of the high-tech supply chain, in consultation with industry
- Focus cybercrime laws on combating illegal activities, not restricting access to the Internet
- Deny terrorists and other criminals the ability to exploit the Internet for operational planning, financing, or attacks
- Harmonize cybercrime laws internationally by expanding accession to the Budapest Convention
- Build and enhance existing military alliances to confront potential threats in cyberspace
- Preserve global network security and stability, including the domain name system (DNS)
- Expand cyberspace cooperation with allies and partners to increase collective security
- Promote and enhance multi-stakeholder venues for the discussion of Internet governance issues
- Provide the necessary knowledge, training, and other resources to countries seeking to build technical and cyber security capacity
- Continually develop and regularly share international cyber security best practices
- Enhance states’ ability to fight cybercrime including training for law enforcement, forensic specialists, jurists, and legislators
- Support civil society actors in achieving reliable, secure, and safe platforms for freedoms of expression and association
- Collaborate with civil society & nongovernmental organizations to establish safeguards protecting their Internet activity from unlawful digital intrusions
- Encourage international cooperation for effective commercial data privacy protections
- Develop relationships with policy-makers to enhance technical capacity building, providing regular & ongoing contact with experts and their USG counterparts
- Ensure the end-to-end interoperability of an Internet accessible to all
Table 1: Prioritized Policy for International Strategy for Cyberspace 10
The Senator Ike Skelton National Defense Authorization Act (NDAA), Fiscal Year 2011,
also explicitly addressed cyber policy. The NDAA directive instructed the DoD to develop a cyber
strategy to integrate cyber as a warfare domain consistent with policies to protect U.S. cyber and
critical infrastructures. In response, the DoD published the “Department of Defense Strategy for
Operating in Cyberspace”.
The cyber strategy document focused on five strategic initiatives:11
- Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential in its military, intelligence, and business operations
- Employ new defense operating concepts, including active cyber defense, to protect DoD networks and systems
- Partner closely with other U.S. Government departments and agencies and the private sector to enable a whole-of-government strategy and a nationally integrated approach to cyber security
- Build robust relationships with U.S. Allies and international partners to enable information sharing and strengthen collective cyber security
- Leverage the Nation’s ingenuity by recruiting and retaining an exceptional cyber workforce and enabling rapid technological innovation
The strategic initiatives leverage existing policies and authorities; and address the complex
challenges and opportunities of cyberspace in an integrated manner. The initiatives also
provided the basis for addressing specific concerns laid out in the NDAA regarding the DoD’s
policies for cyberspace.12 Although the DoD has not modified the National Military Strategy to
reflect these initiatives, responses to the NDAA concerns were published in the November 2011
DoD Cyberspace Policy Report. The contents of this report are very detailed, but the Secretary
of Defense’s (SECDEF) summary of the DoD’s cyber policy is consistent with The White House
cyber policy goals and leverages existing domestic and international law, including LOAC.
The SECDEF’s summary outlines clear objectives and policies for DoD to explore
cyberspace’s full potential, while recognizing the risk involved with cyber threats and
vulnerabilities. Since the DoD is as reliant on cyberspace as the civilian community, efforts to
improve cyber security for the American people, the U.S. critical infrastructure, and the USG
will be accomplished in close coordination with commercial industry. A brief review of the
NDAA cyber policy concerns and DoD responses provides insight into the current states of
policy within the Department:
Development of a Declaratory Deterrence Posture for Cyberspace: This concern also
encompasses the relationship between military operations in cyberspace and lethal operations.13
DoD has stated that it intends to discourage adversaries from attacking or exploiting U.S.
networks by continuing to use tactics, techniques and procedures to deny or minimize rewards
for conducting malicious activity in cyberspace. Consistent with the TSC approach presented in
White House policy, DoD will enhance defenses, increase resiliency, and conduct military-to-military
bilateral and multilateral discussions to ensure international cooperation. DoD will
exercise a whole-of-government approach to protect the Nation.a The Department is working
closely with its interagency partners, including the DHS, to increase the cyber security of critical
infrastructure and with the Department of State (DoS) to strengthen ties with U.S. allies and
international partners to enhance mutual security.
Preserving the President’s Freedom of Action: In a situation where the President’s
freedom of action in cyberspace is restrained by a nation’s sophisticated cyber capabilities, such
as a crippling cyber attack against U.S. economy, government or military interests, the DoD will
exercise response options as directed by the President. These options may include the use of
cyber and/or lethal capabilities to counter the threat. As discussed in the previous section, such
response options would be constrained by LOAC, which recognizes international consensus that
“any cyber operation resulting in injury to or death of individuals or damage to or destruction of
objects would permit such response options, but there is also agreement that cyber activities that
merely cause inconvenience or irritation do not qualify.”14
Attribution Limitations: The DoD will address attribution limitations by employing three
key strategies to enable deterrence or effective retaliation when required. First, the DoD will
a. A whole-of-government approach refers to coordination by numerous USG departments and agencies to achieve a common objective.
support innovative research and development in both DoD and the private sector. Second, the
DoD will continue investment in cyber forensics capabilities, which have shown significant
progress in attribution over the past several years. Third, in partnership with the DHS and DoS,
DoD is expanding its international partnerships to increase shared situational awareness,
indications and warning capabilities, and forensics efforts. These initiatives closely mirror the
White House policy directive and can be easily exercised through TSC events.
Transparency in Cyber Operations: This NDAA concern primarily seeks responsible
declassification of information about U.S. cyber capabilities and plans. The DoD reported that
the dynamic and sensitive nature of cyberspace operations makes it difficult to declassify
specific capabilities. However, cyberspace operations are conducted in a manner consistent with
the policy principles and legal regimes that the Department follows for lethal capabilities,
including the LOAC. If directed by the President, the DoD will declassify material and
procedures in accordance with established policy. This concern chiefly revolves around privacy
of U.S. citizens during ECO and OCO. For such operations, the USG is subject to domestic law,
including the Protect America Act and 18 U.S. Code 1030.
Escalation Management in Cyber Warfare: DoD’s cyberspace operations are subject to
careful coordination and review, including the use of ECO for intelligence gathering and
preparation of the cyber battle environment. International cyberspace norms will improve
stability and predictability of states’ conduct in cyberspace. Transparency is increased by
working with international partners to develop confidence building and risk reduction measures
to decrease the chance of miscommunication and escalation in cyberspace.
Rules of Engagement: The DoD has implemented rules of engagement for the operation
and defense of its networks for peacetime operation and during conflict. DoD’s cyber
capabilities are integrated into planning and operations under existing policy and legal regimes.
In the case of domestic threats, policy and legal authorities governing DoD’s domestic activities,
such as Defense Support to Civil Authorities, extend to cyber operations, as they would in any
other domain.
Misinterpretation of Intelligence Collection in Cyberspace: Intelligence collection and
procedures are clarified in a classified annex to the Cyberspace Policy Report. Intelligence
operations are not conducted unilaterally and are governed by long-standing and well-established
considerations, to include the possibility that a target nation may interpret intelligence collection
as a hostile act. As a result, the DoD’s intelligence collection via cyberspace is conducted in
compliance with applicable laws, policies, and procedures.
Oversight: DoD will keep the Congress informed of cyber-based initiatives by providing
quarterly briefings to appropriate Members of Congress. These briefings will include
information about significant cyber operations designed to prepare the environment for military
action, including sensitive operations not conforming to the quarterly briefing cycle.
Cooperation with Allies: DoD leverages the White House policy for achieving
international cooperation. Furthermore, the DoD Strategy for Operating in Cyberspace
emphasizes the importance of building robust relationships with U.S. Allies and partners to
strengthen the deterrence of malicious cyberspace activity and to build collective cyber defenses.
This initiative allows the DoD, U.S. Allies, and international partners to maximize the use of
information sharing treaties for leveraging cyber capabilities, mitigating risk, and deterring
malicious activities in cyberspace.
Attacks Against Mission Critical Cyber Infrastructure: This NDAA concern deals with
the situation where supporting cyber infrastructure is attacked in third party countries with U.S.
bases or if the host country is attacked putting DoD assets at risk. As part of information sharing
initiatives and mutual cooperation, DoD adheres to well-established processes for determining
whether a third-party country is aware of malicious cyber activity originating from within its
borders. If such activity presents a threat, then the DoD will exercise authorities consistent with
host nation agreements and LOAC.
Cyber Weapons Delivery: In this case the NDAA is concerned about the legality of
delivering cyber “weapons” across the Internet through the cyber infrastructure owned and/or
located in neutral third-party countries without obtaining the equivalent of “overflight rights.”
International authorities have not agreed on what constitutes a cyber weapon, largely due to the
dual use nature of cyberspace. However, LOAC and customary international law provide a
strong basis to apply norms to cyberspace to govern state behavior. “As the President recognized
in the International Strategy for Cyberspace, the development of norms for state conduct does
not require a reinvention of customary international law nor render existing norms obsolete.
Rather, the principled application of existing norms must be developed with our partners and
Allies.”15
Acts of War in Cyberspace and Application of LOAC: This is probably the most heavily
debated question in international politics. As previously discussed, the DoD considers
international legal norms, such as those found in the UN Charter and LOAC that apply to the
physical warfare domains, to also apply to the cyberspace domain. Activities conducted in
cyberspace that cause death or extreme destruction have already been discussed as activities that
may allow a nation to exercise its inherent right to self-defense. In this context, determining
defensive response rests with the President.
Use of Force in Cyberspace: The requirements of the War Powers Resolution apply to
U.S. military involvement in hostile action or imminent danger in which the use of force is
clearly indicated.b Cyber operations may not require a physical presence in the area of
hostilities, but may instead be a supporting component of larger operations that could trigger
notification and reporting in accordance with the War Powers Resolution. DoD evaluates all
cyberspace actions to determine when the War Powers Resolution may apply.
D. Summary
U.S. policy regarding cyber operations has been primarily focused on defense. U.S.
Government policy clearly establishes the DoD as responsible for the ‘.mil’ Internet domain.
Additionally, the White House policy priorities are clearly vectored towards improving the
nation’s and DoD’s cyber security posture. The 2011 NDAA builds upon these policies,
requiring the DoD to address a number of concerns regarding responses to potential cyber threats
and the conduct of cyber operations. In contrast, policy for OCO is non-existent. The absence of
such policy is likely because the associated authorities are currently maintained at the national
strategic level, due largely to intelligence gain versus loss concerns.16 In the area of cyber
exploitation, operations continue to be governed by U.S. Title 50 mandates related to intelligence
gathering. These mandates, however, only apply to activities conducted by the IC and provide
no authorizations for military combatants engaged in normal operations. Given the status of
policies for both offensive and defensive cyber operations, the DoD has clear direction regarding
cyber security. This direction does not extend to policies for OCO. As a result, current policies
restrain the tactical and operational commanders’ ability to forcefully respond to a cyber attack.c
b. The War Powers Resolution is a federal law intended to constrain the President’s ability to commit the U.S. to an armed conflict without the consent of Congress.
c. DoD Joint Publication 1-02 defines Levels of War. Operational: Major operations are planned and conducted to achieve strategic objectives. Tactical: Engagements are planned and executed to achieve military objectives.
Notes:
1. Hoover, Nicholas. "Cyber Attacks Becoming Top Terror Threat, FBI Says." Information Week. February 1, 2012. http://www.informationweek.com/news/government/security/232600046 (accessed July 6, 2012).
2. Encyclopedia Britannica. Merriam-Webster.com. July 1, 2011. http://www.merriamwebster.com/ (accessed Jul 8, 2012).
3. Department of Defense. Department of Defense Cyber Policy Report. A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934, Washington DC: U.S. Government, 2011.
4. Secretary of the Navy. Cyberspace Policy and Administration within the Department of the Navy. Instruction 3052.2, Washington DC: U.S. Navy, 2009.
5. Department of Defense. Legal Support to Military Operations. Joint Publication 1-04, Washington DC: U.S. Government, 2011.
6. United States Congress. Title 50: War and National Defense, § 36 (United States Code).
7. The White House. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communication Infrastructure. Policy Review, Washington DC: U.S. Government, 2009.
8. Ibid.
9. The White House. International Strategy for Cyberspace. Washington DC: U.S. Government, 2011.
10. Ibid.
11. Department of Defense. DoD Strategy for Operating in Cyberspace. Washington DC: U.S. Government, 2011.
12. Department of Defense. Department of Defense Cyber Policy Report. A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934, Washington DC: U.S. Government, 2011.
13. United States Congress. (2010). National Defense Authorization Act for Fiscal Year 2011. Washington D.C.: U.S. Government.
14. Naval War College. (2011). Non-International Armed Conflict in the Twenty-first Century. Newport: U.S. Government.
15. Department of Defense. DoD Strategy for Operating in Cyberspace. Washington DC: U.S. Government, 2011.
16. Cox, RADM Samuel J. Personal interview. United States Cyber Command. 4 June 2012.
IV. U.S. NAVY CYBER READINESS
A. Introduction
The previous section highlighted key aspects of current U.S. policy and law with regard
to military operations in cyberspace. The section also discussed how these policies and laws
relate and interact with the LOAC. These relationships and interactions form the framework
within which the various military services must operate. Focusing in on the U.S. Navy, the
naturally resulting question is what particular roles should the U.S. Navy fulfill within this
framework?
The desire of the U.S. military is to treat cyber operations similarly to operations in other
warfare domains. Therefore, the traditional paradigm of service and Joint responsibility and
control must be applied. As a result, the Navy as a service is responsible for manning, training
and equipping naval cyber forces for employment by the applicable Joint commander.1
Given these roles of manning, training and equipping naval cyber forces, understanding the
status of U.S. Navy cyber readiness requires examining how effective the Navy has been
in fulfilling these roles. An effective assessment of readiness requires examining the Navy’s
cyber capability in three distinct areas. The following three subsections are dedicated to
individual examinations of technology, personnel and policy related to Navy cyber capability.
B. Technology
The Navy fulfills its responsibility to equip naval forces for the conduct of cyber
operations through the deployment of technological systems. The importance of information
dominance to the operational methods of the U.S. Navy has resulted in cyber systems becoming
critical to combatants’ war fighting capability. Since this paper seeks to concentrate on Navy
cyber operations and LOAC, the following technological analysis will focus on cyber
technologies deployed on operational maritime combatants.
The Information Technology for the 21st Century (IT-21) program provides the backbone
of technology for networks deployed on maritime combatants. The IT-21 program aims to
provide maritime combatants with a network environment that supports reliable Non-secure
Internet Protocol Router Network (NIPRNet), classified Secure Internet Protocol Router
Network (SIPRNet), and Sensitive Compartmentalized Information (SCI) network
communications; as well as a diverse array of applications supporting both tactical and
non-tactical functions. Additionally, the IT-21 network environment should be able to support
necessary operations in low-bandwidth and limited data reach-back conditions. Examining these
systems for insight into the U.S. Navy’s cyber technological readiness is best achieved by
analyzing two categories of cyber capabilities, defensive and offensive. To date, the Navy’s
investments in cyber technology have almost exclusively focused on defensive capabilities.
These investments have primarily focused on two areas, architectural standardization and
defense-in-depth.
The Navy has expended significant resources on standardization with the goal of
reducing potential vulnerabilities and minimizing complexity. Reducing vulnerabilities limits
the attack vectors available to potential adversaries. Minimizing complexity simplifies the
security management tasks, improving the ability to detect and respond to potential attacks.
The Navy’s current efforts have focused on standardization of hosts and network topology. Host
standardization in the IT-21 environment is challenging due to the wide array of configurations
and applications required for mission success. The diversity of IT-21 hosts has led the Navy to
focus on two standardization efforts, one focused on operating environments and the other on
security.
An examination of IT-21 hosts reveals a set of nearly universal core services. These core
services consist of elements such as directory services, email, office applications, collaboration
tools, anti-virus software, as well as other common applications. To standardize this core of
services, the Navy introduced the Common PC Operating System Environment (COMPOSE)
suite. The COMPOSE suite combines a number of commercial and government software
products, including the Microsoft System Center Configuration Manager (SCCM) for remote
management and software updates.2 This facilitates simple yet universal implementation of
security policies and security updates. The standardization provided through the COMPOSE
suite also allows the Navy to test new software products in a lab environment prior to
deployment to maritime platforms. The testing capability enabled by the COMPOSE suite is
critical to ensuring that the integration of new software products does not create new security
vulnerabilities within the currently deployed suite.
The Navy’s second IT-21 cyber defense standardization effort is deployment of the
Host-Based Security System (HBSS).3 HBSS was originally developed by the Defense Information
Systems Agency (DISA) and its use on all DoD host and servers is currently mandated by
Department policy. The system consists of a suite of commercial software products from
McAfee with patches and updates provided to DoD components by DISA. While the HBSS
includes a number of components, the specific components that support standardization are: 4
- ePolicy Orchestrator (ePO) Management Suite – provides functionality for remote configuration of HBSS hosts, management and distribution of HBSS software updates, and includes McAfee Agent to facilitate communications with the remote host for anomaly reporting
- Policy Auditor (PA) – ensures host compliance with defined security policies such as the Federal Information Security Act (FISA)
- Asset Configuration Compliance Module (ACCM) – ensures host compliance with configuration specification, as well as required system and application updates
In addition to standardization of host security, the Navy is also working to create a
common network core for IT-21 systems across the different maritime platform classes. Since
the radio-frequency (RF) equipment deployed on each maritime platform differs, the topology of
the common network core must account for these differences. Additionally, hardware and
software within network enclaves may vary based upon the specifics of the platform and
assigned missions. These RF equipment and enclave requirements have led to the development
of a common network core, shown in Figure 1, that encompasses the network topology between
the enclave Cisco routers and the Automated Digital Network System (ADNS) router, providing
a common interface to the platform’s specific RF equipment suite.
[Figure 1 depicts the enclaves connected to the common core: CENTRIXS/COALITION, SIPRNet LANs, NIPRNet LANs, and SCI LANs.]
Figure 1 – Nominal common core of Navy IT-21 networks5
While standardization remains an essential element of simplifying cyber defense, through
reduction of the attack surface, the Navy is also pursuing enhanced security through
defense-in-depth. The Department of the Navy’s (DoN) Chief Information Officer’s (CIO)
vision for cyber defense-in-depth is shown in Figure 2. While Figure 2 shows what appears to be
a comprehensive set of defense mechanisms at each level, actual implementation may not
necessarily conform to this vision. The Navy’s defense-in-depth approach for its IT-21 networks
is primarily based on two elements, HBSS and the Regional Network Operations and Security
Centers (RNOSC).
Figure 2a – Navy’s vision of cyber defense-in-depth6
As previously discussed, the DoD has mandated deployment of HBSS on all hosts and servers.
In addition to the components that support standardization, HBSS also provides a number of
components aimed at providing host level defense:
- Host Intrusion Prevention System (HIPS) – enforces security policies distributed by ePO Management Suite and provides firewall services at network protocol level and above
- Device Control Module (DCM) – prevents unauthorized use of USB and flash devices
- Rogue System Detection (RSD) – provides real-time monitoring of network traffic to detect connection of an unknown system to the network and alerts ePO Management Suite
- Audit Extraction Module (AEM) – monitors hosts for suspicious user behavior and alerts ePO Management Suite in the event an anomaly is detected
a. Figure 2 shows the distinct layers of the Navy’s defense-in-depth approach; however, the individual elements within the layers are not explicitly discussed in this report. For a more detailed discussion of these elements please see the DoN CIO Computer Network Defense Roadmap (Endnote 6).
In addition to HBSS, the second element of the Navy’s defense-in-depth approach is the network security services provided by the RNOSCs. The RNOSCs provide connectivity to network security services via an ADNS router that directs traffic to/from the correct RNOSC security enclave based on the destination/source enclave onboard the maritime platform.
[Figure 3: RNOSC security enclaves connected to the GIG; image not reproduced]
Figure 3 – RNOSCs (four shown) network security services architecture7
As Figure 3 shows, any traffic within a RNOSC enclave coming from or destined for the associated Global Information Grid (GIG) is filtered by a network security suite. This suite is composed of a GIG Premise router, an Outer Security Screening Router (OSSR), a Firewall Suite, an Inner Security Screening Router (ISSR), a virus scanning suite (VSCAN Suite), and an Intrusion Detection System (IDS) Suite. The network security suite also includes a Virtual Private Network (VPN) Suite to allow necessary traffic to bypass the firewall server suite. While not specifically part of the network security suite, the Fleet Router that connects the individual enclave to the RNOSC ADNS router also performs network address translation.
The Navy has unquestionably increased its cyber readiness by focusing its technological
cyber defense efforts in two areas, architectural standardization and defense-in-depth. The
Navy’s architectural standardization programs have reduced the potential attack vectors and
simplified the delivery of security services. Despite this simplification, the reactive nature of the
Navy’s current cyber defense efforts, focused on leveraging commercial best practices, leaves
the Navy susceptible to publicly known vulnerabilities. While the current approach is cost
effective, it does not focus on the threats of most concern to the Navy. As a result, the Navy will
remain unnecessarily vulnerable until a capability is developed to identify, prioritize, and
technologically respond to threats of concern in a timely manner.
The second area of technological focus for Navy’s cyber defensive efforts has been
defense-in-depth. The Navy has sought to achieve defense-in-depth through deployment of
HBSS and network security services provided by the RNOSCs. While these efforts have
improved the Navy’s cyber defense posture, absent from this approach have been enclave level
security measures and resiliency. HBSS does provide host level security for enclave servers;
however, there are no mechanisms in place to defend the enclave perimeter or network devices,
such as routers. This presents a potential vulnerability since secure hosts within an enclave are
practically useless if an attack on the associated enclave network devices prevents
communications. The Navy’s reluctance to implement security measures at the enclave level is
likely attributable to a risk analysis that indicates that the potential threat does not justify the
increased monetary or personnel costs. As was the case with standardization, this risk analysis is
most likely based on commercial threats and is therefore flawed. In addition to enclave level
security, the Navy’s defense-in-depth approach also fails to address resiliency. In deploying
technologies, the Navy must field not only secure but also resilient systems.8 In the face of a
successful and escalating attack, resiliency serves as the final element of a defense-in-depth
approach, ensuring a degree of continued operation with prioritized delivery of critical services.
While Navy has expended the majority of its technological efforts on passive defensive
capability, cyber situational awareness and forensics capabilities are also critical. There are two
elements required for cyber situational awareness, an understanding of the status of one’s own
cyber capabilities and knowledge of other cyber actors’ capabilities. Presently, the Navy is
focused on the first area due to its inability to capture and understand in real-time the status of its
own networks.9 Despite the enormity of this challenge, the Navy Cyber Defense Operations
Command (NCDOC) has made progress with the development of its Prometheus system.10 The
Prometheus system automates security monitoring by aggregating system, application, firewall,
and router logs, as well as input from other network sensors.11 The forensics tools are essential
to security event analysis because they help identify the characteristics of an attack and aid in
potentially attributing the attack to a source. As a result, this attribution capability is essential if
the Navy desires to meet cyber threats with any approach other than passive defense. While the
Prometheus system does not provide real-time insight, it does represent an improvement in Navy
cyber situational awareness and forensics capabilities. Despite these improvements, the
Prometheus system was not developed for deployment on maritime platforms. As a result, CSGs
are not equipped with the technology to independently perform network forensics or attribution
analysis.
While the Navy is pursuing new defensive cyber technologies to enhance its security
posture, there are currently no major efforts for obtaining or developing offensive cyber
technologies afloat. Offensive cyber technologies include those aimed at facilitating exploitation
(i.e. system penetration and data extraction) or attack operations within cyberspace. Authorities
to conduct OCO are currently retained at the national strategic level. As a result, the Navy has
not widely invested in developing and deploying offensive cyber technologies, especially at the
tactical level.
C. Personnel
Analyzing personnel readiness with regard to cyber provides insight into how the Navy
has fulfilled its responsibility for manning and equipping its forces. Personnel cyber readiness
impacts not only the ability to execute cyber operations but also influences the Navy’s decisions
regarding technology and policy. Within the Navy, two groups of personnel are critical to cyber
readiness, those with technical expertise and those assigned command.
Gaining maximum insight into the cyber readiness of Navy personnel is best
accomplished by examining the readiness of each group individually. Prior to these individual
examinations, it is important to note that the DoD mandates that every user of a DoD information
technology system complete Information Assurance (IA) training annually. The user community
within the DoD includes government civilians, contract personnel, reservists, and active duty
members. As a result of this IA training mandate, all personnel within the Navy receive at least a
minimal introduction to cyber defense.
In many ways, the personnel readiness of the technical experts tasked with conducting
cyber operations has been the most influential factor affecting overall Navy cyber readiness.
While the Navy has implemented a number of personnel qualification and certification programs,
the current condition of the Navy’s technical cyber community can best be described as
maturing. There are locations within the Navy, such as NCDOC, that possess an extremely high
degree of cyber expertise. This is demonstrated by NCDOC’s development of the Prometheus
system. While the Navy desires and is working diligently to grow its core of cyber professionals,
the number of educated and trained individuals is insufficient to ensure each combatant can
individually manage its cyber defense.12 This reality has resulted in the current defense-in-depth
approach that utilizes HBSS, largely leveraging DISA expertise and RNOSC network security
services. The limited number of RNOSCs means that the Navy can concentrate expertise at
these critical nodes. As a result, the Navy has chosen not to deploy enclave level defense
mechanisms due in part to the absence of sufficient expertise. The concern is that without
resident expertise, a combatant may misconfigure or mismanage its enclave level security
mechanisms to the point where enclave connectivity is completely lost.
In the area of offensive cyber expertise, the Navy has an extremely limited number of
capable cyber professionals.13 Additionally, those individuals who do possess offensive cyber
expertise have most often obtained their skills when assigned to a Joint command or National
Agency. The Navy currently has a single course in place for training Navy personnel on the
entire spectrum of offensive cyber operations. In contrast, there are multiple service specific and
commercial training courses used by the Navy for developing expertise in cyber defense. The
reason Navy is reluctant to invest in developing offensive cyber expertise is that there are currently no offensive cyber authorities delegated to the Navy, nor is there a mature service-specific mission requirement.
Successful execution of cyber operations requires not only technical expertise but also
command expertise. The majority of commanding officers, at all levels of the Navy, lack an
understanding of the complexity and challenges associated with cyber operations. In most cases
the only training in cyber warfare they receive is the previously discussed annual IA training,
which covers little more than a basic identification of potential security threats. The resulting
lack of knowledge manifests itself in a general unfamiliarity with IA and cyber policies.
Additionally, while most commanders receive training regarding the array of threats they should
expect to encounter, cyber threats receive little or no attention. Despite the general knowledge
deficiency, commanders quite often have technical experts to help them work through the
majority of policy and threat issues. The area where technical experts cannot assist the
commander is in understanding and applying LOAC. An understanding of how LOAC applies
to all potential threats is critical for any commander. Assisting the commander in interpreting
LOAC is the responsibility of the Judge Advocate General (JAG) Corps. However, there is
currently no formalized training for JAG Corps personnel or any commander in the Navy about
the application of LOAC to cyber operations.
D. Policy
Policy forms the third area of analysis required to gain an understanding of the Navy’s
overall cyber operational readiness. Policy influences how the Navy satisfies its role to
man, train, and equip its forces for cyber operations. Similar to the areas of technology and
personnel, the Navy has focused its policy on cyber defense, passive defense in particular. As a
result, it is beneficial to examine the Navy’s policy from first a defensive and then an offensive
perspective.
The Navy’s defensive cyber policies are focused in two primary areas, certification and
security alerts/reporting. The Navy’s certification policies can further be divided into personnel
and combatant certifications. In the area of personnel certification, the Navy has implemented
the DoD’s mandated IA Workforce Program. The IA Workforce Program requires commercial
certifications for technical, management, and training personnel.14
As Figure 4 shows, the precise certification varies depending upon the specific
responsibilities of the position. Navy policy also directs commanders to appoint appropriately
certified IA Workforce members to fill key information assurance positions.15
Figure 4 – DoD IA Workforce Program certification levels16
In addition to personnel certification, Navy has implemented the Cyber Security
Inspection and Certification Program (CSICP). The Commander Fleet Cyber Command
(COMFLTCYBERCOM) message directing implementation of CSICP states that networks on
maritime platforms are considered weapons systems and must adhere to the same inspection and
certification requirements.17 At the core of CSICP are the DoD IA Certification and
Accreditation Process (DIACAP) standards; however, additional requirements have been added
to ensure systems also meet the Navy’s unique requirements.18 DIACAP and CSICP focus
heavily on cyber security documentation. The Navy’s CSICP implementation envisions a three
step process as shown in Figure 5.
Figure 5 – CSICP cycle19
It is important to note that CSICP is strongly supported among senior Navy leaders, as
demonstrated by the elevation of CSICP certification as a prerequisite for authorization to deploy
in a combat ready status. While CSICP certification as an element of pre-deployment
preparation constitutes positive progress, to date the Navy has completed only a handful of
CSICP certifications for deploying combatants. Of these certifications, none have been
unsuccessful or led to a delay in a combatant’s deployment timeline.
In addition to certification, security alerts/reporting represent the second area where Navy
has focused its defensive cyber policies. Policies in these areas can be broken down along very
straightforward lines, cyber security alerts and reporting of cyber events. For alerting
combatants of cyber security issues the Navy utilizes two primary methods. The first is via naval
message and the second is via IA Vulnerability Alerts (IAVA). Naval messages are usually used
to alert the entire Navy to a general class of cyber security threat. Historical examples include
notifications regarding security vulnerabilities involving USB devices, email, and social
engineering.
The second means of distributing security alerts is via the IA Vulnerability Management
(IAVM) program. Implementation of an IAVM program is mandated by DoD directive and is
designed as a means for identifying, alerting, and verifying the status of IA vulnerabilities.20
DISA operates the DoD-wide IAVM program and notifies the Navy IAVM program via IAVA
of vulnerabilities affecting DoD systems. The Navy IAVM program then releases the IAVA
with identified corrective actions and a compliance due date. The IAVA then trickles down
the echelon hierarchy of Navy organizations. Once individual combatants have completed the
corrective actions, completion (or a reason for inability to comply) is reported back up the
hierarchy, with each command reporting compliance for its subordinate combatants.21 In
addition to DoD-wide IAVAs, the Navy IAVM program can release IAVAs for Navy specific
systems. Unfortunately, both the DoD and Navy IAVM programs focus exclusively on
commercial software and depend primarily upon commercial identification, notification and
correction of vulnerabilities. As a result, the IAVM program may not identify significant threats
of concern to the Navy.
In addition to the absence of robust threat analysis, cyber security vulnerabilities are also
created by the IAVA timeline. The administrative processing involved in the trickle down from
DISA or the Navy IAVM creates a period between when the commercial security community
publishes the discovery of a particular vulnerability and the implementation of the corrective
action. This period represents an opportunity for an attacker to engineer an exploit around the
published vulnerability. Despite the shortcomings of the IAVM program, the alternative is far
riskier as it would require each CSG, or worse, each detached combatant, to monitor the commercial
world for software vulnerabilities and implement corrective actions independently. This sort of
ad hoc approach is undesirable due to a lack of required expertise at the combatant level and the
absence of an opportunity for testing corrective actions prior to implementation. An ad hoc
approach could result in adverse effects to information systems, combatants implementing
different corrective actions, and an absence of vulnerability notification and correction
verification.
Paired with vulnerability alerts within the second focus of Navy cyber policy is the reporting of cyber events. The Navy considers reporting of
cyber incidents, events that have adverse implications for network operations, as an element of
its defense-in-depth approach. The specific actions and reporting requirements for cyber
incidents are contained in the DoN Computer Network Incident Response and Reporting
Requirements.22 The response actions outlined in the instruction are designed to facilitate rapid
reporting while also preserving the maximum amount of data for forensic analysis. All Naval
organizations report incidents and forward required data to NCDOC, the DoD designated
Computer Network Defense (CND) service provider for the Navy.
As in other areas of cyber readiness, the Navy’s policy approach has been to implement
commercial best practices to address cyber defense. As previously stated with regards to
technological and personnel readiness, the exclusive focus on commercial practice is not a sound
approach. Neither is this approach sound for cyber operations policy. The Navy currently lacks
the relationships and mechanisms for effective information sharing between elements of Navy
intelligence and those tasked with cyber operations. Additionally, there are currently no policies
mandating red teaming as a mechanism for vulnerability discovery or readiness evaluation.[b]
[b] Red teaming is a term used to define the use of friendly forces who act as adversaries to assess friendly force capabilities, vulnerabilities, and readiness.
Absent from Navy policy is any discussion of the authorities associated with cyber operations. The Commander’s Handbook on the Law of Naval Operations discusses how to evaluate the use of Computer Network Attack (CNA), referred to in this report as OCO, with respect to LOAC and other international agreements; however, it does not specify who is allowed to make these evaluations, even in the context of self-defense.23 The lack of policy
regarding OCO implies that, unless specifically granted, no elements of the Navy or Joint force
possess the authority to conduct offensive operations in cyberspace, including active defense.
There are several potential reasons that authorities for OCO have been withheld. One reason
may be the difficulty involved in engineering exploits for targets of value. These targets are
often military or government systems that are highly secure or air-gapped from the Internet. As
a result, exploits represent highly valuable weapons that should be expended sparingly and in
pursuit of strategic objectives for maximum effect. A second potential reason is that a system
valuable to an adversary, when exploited, often represents a significant source of intelligence. In
most cases, a subsequent attack against such a system destroys the intelligence resource in the
process. As a result, a thorough examination of intelligence gain and loss must be performed.
The significance of the intelligence from these sources means that national leaders are often the
only individuals with a complete understanding of the value of the assets. As a result, national
leaders may be reluctant to delegate offensive authorities to subordinates who are unaware of the
intelligence gain and loss tradeoffs. The final reason for withholding offensive cyber authorities
is the risk of collateral damage. Exploits have the potential, if engineered incorrectly, to cause
numerous and widespread unintended effects. This is especially true if the exploits or attacks
utilize the Internet, where they can spread rapidly and extensively. These potential adverse
consequences have led to reluctance on the part of national leaders in employing offensive cyber
capabilities. This reluctance also means that national leaders have been unwilling to delegate
authorities to conduct OCO or DCO-Response Actions (DCO-RA).
E. Summary
It is unlikely that the Navy’s responsibility to the Joint force in cyber operations will
change. As a result, the Navy will continue to be tasked with manning, training and equipping
its forces for operations in a dynamic cyber environment. A review of Navy readiness in each of
these areas revealed progress but also significant room for continued improvement.
In the area of technological readiness, the Navy has focused almost exclusively on
passive defense. These efforts have primarily targeted standardization and defense-in-depth.
While standardization has helped simplify cyber defense, the focus on commercial best practice
ignores those threats of most concern to the Navy. Similarly, the Navy’s defense-in-depth
approach is focused on meeting commercial threats, with minimal incorporation of analysis
examining threats specific to Navy systems. The defense-in-depth approach for IT-21 systems
also seems to ignore enclave level network device security. While the Prometheus system
represents a significant step forward, maritime combatants still lack an organic forensics analysis
capability. Finally, CSG commanders do not have authorities to conduct OCO.
The Navy is currently lacking sufficient cyber expertise and the expertise that currently
exists is highly concentrated. The Navy has also primarily focused its personnel readiness on
commercial certification. As a result, there is nearly no expertise in OCO within the Navy.
Current commanders are also ill prepared to conduct cyber operations due to inadequate training.
As a result, at the maritime combatant level, the Navy’s cyber readiness is lacking.
As in other readiness areas, Navy policy has focused on defensive cyber operation as
demonstrated by implementation of the commercially oriented IA Workforce program and the
documentation driven CSICP process. While the IAVM program establishes the correct
mechanisms, the absence of a streamlined method of execution creates additional vulnerability.
The absence of Navy policy concerning OCO is based on the decisions of higher authorities.
Overall, the Navy has made respectable progress in improving its defensive cyber
posture; however, if tasked the Navy would be ill prepared to conduct any form of cyber
offensive operation.
Notes:
1. Cox, RADM Samuel J. Personal interview. United States Cyber Command. 4 June 2012.
2. Department of the Navy, Chief Information Officer. “CHIPS Articles: The Common PC Operating System Environment Program - COMPOSE”. http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=3044. Accessed 20 June 2012.
3. Joint Task Force – Global Network Operations. “Computer Tasking Order (CTO) 07-12”. 9 October 2007.
4. Defense Information Systems Agency. “Host Based Security System (HBSS): Components”. http://www.disa.mil/Services/Information-Assurance/HBS/HBSS/Components. Accessed 19 June 2012.
5. Center for Information Dominance. “A-202-0006 / A-3B-0027 Trainee Guide”. Revision 01-10. Pensacola, Florida. p. 9-4.
6. Department of the Navy, Chief Information Officer. “Computer Network Defense Roadmap”. www.doncio.navy.mil/Download.aspx?AttachID=971. Accessed 21 June 2012.
7. Center for Information Dominance. “A-202-0006 / A-3B-0027 Trainee Guide”. Revision 01-10. Pensacola, Florida.
8. National Research Council, Committee on Information Assurance for Network-Centric Naval Forces. “Information Assurance for Network-Centric Naval Forces”. 2010. http://www.nap.edu/catalog.php?record_id=12609. Accessed 19 June 2012. p. 105.
9. Cox, RADM Samuel J. Personal interview. United States Cyber Command. 4 June 2012.
10. Ibid.
11. Novell. “U.S. Navy Cyber Defense Operations Command”. 2009. http://www.infosecurityproductsguide.com/casestudies/2009/Novell_U_S_Navy_Cyber_Defense_Operations_Command_Case_Study.pdf. Accessed 20 June 2012. p. 1.
12. Cox, RADM Samuel J. Personal interview. United States Cyber Command. 4 June 2012.
13. Ibid.
14. Department of Defense. Instruction 8570.1-M, “Information Assurance Workforce Improvement Program”. 24 January 2012. p. 17.
15. Chief of Naval Operations. Instruction 5239.1C, “Navy Information Assurance Program”. 20 August 2008. p. 17.
16. Ibid, p. 19.
17. Commander Fleet Cyber Command. “General Admin Message 282138Z JAN 11”. 28 January 2011.
18. Department of Defense. Instruction 8510.01, “DoD Information Assurance Certification and Accreditation Process”. 28 November 2007.
19. Deets, RADM Ned. “Integrated Air and Missile Defense Symposium”. 14 July 2011. http://www.dtic.mil/ndia/2011IAMD/RADMDeets.pdf. Accessed 22 June 2012. p. 21.
20. Department of Defense. Directive O-8530.1, “Computer Network Defense”. 8 January 2001. p. 2.
21. Department of Defense. Instruction O-8530.2, “Support to Computer Network Defense”. 9 March 2001. pp. 37-38.
22. Department of the Navy. Instruction 5239.19, “Department of the Navy Computer Network Incident Response and Reporting Requirements”. 24 January 2012.
23. Department of the Navy. The Commander’s Handbook on The Law of Naval Operations. NWP 1-14M. Washington DC: U.S. Government, 2007.
V. CASE STUDY: IRANIAN CYBER CONFLICT
A. Introduction
This section presents a scenario-based case study as a means to examine the current
baseline level of knowledge and understanding of U.S. Navy personnel regarding the application
and implication of LOAC to cyberspace operations. The case study begins with a
comprehensive review of the Islamic Republic of Iran’s cyber capabilities. This review,
combined with information from the previous section on U.S. Navy’s cyber readiness, was
utilized to develop a fictional cyber scenario that adversely affects a U.S. CSG. The information
presented in the sections reviewing LOAC and current U.S. cyber policies were then used to
develop a set of questions applicable to each element of the scenario. The combined scenario
and questions were then distributed and are discussed in the case study methodology subsection.
The final portion of this section provides case study findings derived from the aggregated
responses received from study participants.
B. Iranian Cyber Readiness
“Over the past three years, the Iranian regime has invested heavily in both
defensive and offensive capabilities in cyberspace…Its leaders now increasingly
appear to view cyber warfare as a potential avenue of action against the United
States.”
- Ilan Berman, Vice President, American Foreign Policy Council,
Testimony to the U.S. House of Representatives 26 April 2012
1. Background
Iran may already perceive itself to be at war with the U.S. This perception is based on
the belief that the U.S. was involved in the Stuxnet cyber attack, which in late 2010 caused 10%
of the centrifuges in Iran’s uranium enrichment facility at Natanz to shut down. This weapon
was able to surgically inflict physical damage on many of the centrifuges in the Natanz facility.
Since then, according to General James Clapper, Director of National Intelligence, there has been
a “seismic shift in Iranian Strategy…Iran officials - probably including Supreme Leader Ali
Khamenei - have changed their calculus and are now willing to conduct an attack in the United
States.”1 It is questionable whether Iran possesses the cyber weapons, cyber expertise,
intelligence gathering experience, organizational capability, and financial resources required to
conduct a sustained attack against military Command, Control, Communications, Computers,
Combat Systems, Intelligence, Surveillance, and Reconnaissance (C5ISR) systems. There is
consensus, however, that Iran is quickly advancing their cyber warfare capabilities.
2. Investment in Cyber Capabilities
Iran is currently estimated to be fifth in cyber capability world-wide. It lags closely
behind China, U.S., Russia, and India in overall capability, according to a study coordinated by
independent think-tank Technolytics.2 Iran has rapidly been gaining ground over the past three
years, with heavy investments in both offensive and defensive capabilities. A breakdown of
Iran’s cyber capabilities and resources is given below:
Budget: Approximately $1 billion U.S. Dollars (USD)3 - Iranian intent is to use the
money toward efforts that will leap-frog their progress closer to parity with China and Russia.
They intend on increasing investment in Commercial-Off-The-Shelf (COTS) technologies,
forming strategic alliances to aid progress, and ramping up strategic technology acquisitions.
Iran’s targeted investments include:
- Acquisition of new technologies
- Investments in cyber defense
- Creation of a new cadre of cyber experts
- Activation of an independent “Cyber Army” of activists
Cyber Forces: Approximately 2,400 personnel4 - This number does not include any
personnel support Iran may be getting from China, Russia, Venezuela, or North Korea. These
countries are thought to have either sold cyber technology to Iran to further its strategic cyber
goals (China and Russia)5, assisted Iran in developing its capabilities (North Korea and Russia)6,
or discussed coordination of cyber attacks on the Pentagon, CIA, and FBI (Venezuela).7 The
number of personnel in the Iranian cyber forces does not include help from non-state actors. The
composition of Iran’s cyber force includes:
- Reserves and militia: 1,200
- Broadband Connections: <100,000
- Hacker Community: Size unknown. Very active in Iran. Known to routinely execute successful attacks on Israeli web sites
- Iranian Cyber Army: Could be a subset of Iran’s Hacker Community. Exact composition is unknown
Potential Future Investments: Although currently lagging behind leading nations, Iran is
positioning its software sector to become internationally competitive. To more rapidly advance
its software sector and enhance its cyber warfare capability, it is possible that Iran could look to
China for assistance, as it has in the past for Weapons of Mass Destruction (WMD)8 and missile
technologies.9 It is also possible that Iran could take advantage of a robust Internet black market
to obtain malicious software and zero-day exploits at low cost.
3. Offensive Cyber Capabilities
A breakdown of Iran’s offensive cyber capabilities is presented below:
Cyber Arsenal: Iran is known to be in possession of the following:10
- Compromised counterfeit computer software
- Computer viruses and worms
- Cyber data collection exploits
- Computer and network reconnaissance tools
Iran is likely attempting to enlarge their arsenal of advanced cyber weapons, along with the
expertise to deploy such weapons. The extent of Iran’s advanced cyber arsenal remains unclear,
including the cyber and intelligence expertise required to successfully deploy the weapons
currently in their possession. Some advanced cyber weapons that Iran may possess include:
- Exploitation of unreported software vulnerabilities (zero-day exploits)
- Self-encrypting/decrypting of malicious code
- External disruption of wireless networks
- Electronic circuit destruction
- Self-morphing malicious code applications
Iranian Cyber Army (ICA): The ICA surfaced in late 2009, soon after the discovery of
Stuxnet. The Armed Forces of the Islamic Republic and The Islamic Revolutionary Guard Corps
(IRGC) have not claimed affiliation with the ICA. The ICA is assumed to be an Iranian state-sponsored hacker group specifically tasked to launch offensive cyber attacks on behalf of the
country. A favored tactic appears to be the use of social engineering to exploit the Internet and
cause disruptions.11
Reliable information regarding the composition of the ICA, as well as its intended targets
and goals, is not available. The Center for Strategic and International Studies claims that the
ICA possesses qualities and characteristics that parallel how the Iranian military has been
operating in recent years.12 These characteristics include suppression of the pro-democratic
‘Green Movement’, political retribution against the U.S. in reaction to criticisms, and suppression
of freedom of expression via cyberspace.
ICA’s primary methods and tactics suggest that the group is undeveloped, inexperienced,
lacks coordination, and is unsophisticated in its approach. The sophistication of the attacks and
the targets selected indicates that the ICA is not yet capable of threatening critical military or
civilian infrastructure with any sustained or significant impact. So far, ICA’s primary targets
have been non-critical government and private sector websites such as Twitter, Baidu, and Voice
of America. The attacks themselves tend to involve the compromise of an outside server via DNS
cache poisoning in order to gain control of that server.a This type of attack causes minor
disruptions that can be recovered from easily. To date, ICA attacks have never resulted in
permanent damage or loss of sensitive data.
a To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software to insert an imposter DNS
entry. This allows the attacker to redirect users to locations of the attacker’s choosing.
The composition of the ICA remains unclear. The Green Voice of Freedom claims that
professional hackers are blackmailed into participating and threatened with imprisonment if they
do not participate.13 It is also claimed that some hackers are tasked but are unaware that what
they are doing is in support of the ICA. One hacker group in Iran, the Ashiyaneh, is purported to
be a willing participant.14 It is possible that Iran has also recruited from terrorist groups with
known cyber capabilities. The most likely terrorist source would be the radical Iranian-backed
Lebanese Islamic Shiite group, Hezbollah. Hezbollah is considered by some to be the premier
terrorist organization for cyber capability, even though compared to the capabilities of the
leading countries (U.S., China, and Russia) it has a much lower overall capability rating of 3.3.15
Hezbollah is estimated to have several thousand members who support cyber efforts and annual
funding of $60 – 70 million USD.16 It is very unlikely that Hezbollah is capable of
independently executing successful attacks on the U.S. civilian or military critical infrastructure.
Iran appears to be recruiting personnel who have demonstrated hacking prowess to
augment the ICA. It remains unclear if Iran is recruiting a permanent cadre for development of
advanced offensive cyber capabilities, or if the augmented personnel are being used to train its
regular army in hacking skills.
International Comparison: Military cyber capability rating of 3.3 (1-5 scale)17 - The
latest 2012 threat analysis data from Technolytics, shown in Table 1 below, places Iran behind
the leaders of cyber offensive capabilities (China, Russia, and the U.S.) who each have overall
ratings of 4.0, 3.9 and 3.9 respectively.
Table 1 – Technolytics Military Cyber Capability Ratings18
Capability                Iran   China   North Korea   Russia   U.S.   Venezuela
Offensive Intent          3.4    4.2     4.2           4.3      4.2    2.1
Offensive Capabilities b  3.4    3.5     3.4           3.5      3.6    2.0
Cyber Intelligence        3.0    4.2     3.3           3.8      3.8    1.5
Overall Rating            3.3    4.0     3.6           3.9      3.9    1.9
b Offensive cyber capability includes force structure, technical superiority, readiness, and sustainability.
Iran’s ability to adapt its intelligence collection capability to the cyber domain and its
military offensive cyber attack experience lag much further behind those of the U.S. or Russia.
4. Defensive Cyber Capabilities
Iran is aggressively responding to the increased threat of offensive cyber operations by
developing more robust indigenous cyber capabilities. Included in these efforts, the Iranian
government has invested heavily in methods for controlling Internet-based international
communications.19 These methods include:
• Construction of a halal Internet internal to the country of Iran and inaccessible from
the World Wide Web. It was originally conceived to be on-line by late summer 2012, but
this is thought to be an overly optimistic deadline.20
• Requiring all Internet Service Providers (ISPs) to present halal versions by August 2012
• Installation of a Chinese-origin surveillance system for monitoring phone, mobile, and
Internet communications
• Formation of a Supreme Council of Cyberspace manned by government officials and
appointees for monitoring and censorship of the halal Internet
• Requiring all ISPs to be approved by the Telecommunication Company of Iran and the
Ministry of Culture and Islamic Guidance
• Requiring ISPs to comply with a government filter list (unconfirmed claims estimate that
over 5 million Internet sites are already blocked)
• Requiring Iranian people to register to use IranMail if they wish to communicate over the
Internet
• Requiring bloggers and websites to be nationally registered
5. Impact to U.S. Navy Operations
Iran’s naval strategy has historically sought to avoid a direct force-on-force confrontation
with the U.S. due to the superiority of American coordinated air-sea offensive capability. Iran’s
military doctrine is primarily defensive and asymmetric in nature.21 The Iranian military’s
ability and expertise at coordinating combined air-naval defensive strike capability is far inferior
to that of the U.S. and poses no imminent threat to U.S. operations in the Arabian Gulf. Iran’s
ability to project power and launch a sustained offensive is very limited. Any attempts to do so
would quickly be suppressed by combined U.S. naval capabilities.
While the Iranian military could not prevail in a conventional engagement, there is a
potential that it perceives the U.S. military, and by extension the U.S. Navy, as vulnerable to
cyber attacks. While Iran probably does not have the capability to launch a cyber offensive that
significantly degrades U.S. C5ISR systems, it has been forming alliances with other countries
that do possess the capability.22 Additionally, U.S. Navy systems are highly dependent on COTS
components, which may allow Iran to utilize readily available exploits to adversely impact naval
operations.
Iran’s style of warfare is unconventional and asymmetric. It has been described as a
“hybrid mosaic” using a decentralized Command, Control, and Communications (C3)
architecture, making it more resilient to OCO and DCO-RA.23 In addition, Iran’s C3 architecture
continues to improve. The military branches are better coordinated, improving reaction time,
rapid maneuverability, and joint operations capabilities. Their C3 capabilities remain limited,
but communications density has improved despite a continued reliance on Very High-Frequency
(VHF) radio with low data rates and poor security.24 Over the past few years, Iran has begun to
acquire Chinese and western encryption systems and digital voice capabilities.25 Overall, their
C3 capability remains far behind that of the U.S., particularly regarding joint operations.
C. Case Study Methodology
1. Background
The remainder of this section examines the case study that was conducted to determine
the baseline level of knowledge and understanding within the Navy regarding the application and
implications of LOAC to cyber operations. The desire is that the case study findings will inform
recommendations to help the Navy fulfill its mission within the cyberspace domain.
Development of this case study proceeded in three phases: scenario generation, question
generation, and sample selection. Each of these phases is individually discussed below.
Appendix B is supplied to provide the full set of case study documentation. The appendix
contains a listing of the respondents, a copy of the scenario as distributed, and a compilation of
responses.
2. Scenario Generation
The scenario for the case study was developed using material from the Iranian and Navy
cyber readiness reviews. The design of the scenario centered on an evolving timeline affecting a
deployed CSG. This timeline encompassed five distinct situations with each situation building
on the events contained in all preceding situations. The objective of this evolving timeline was
to gradually escalate the severity of the effects on the CSG, using questions at each juncture to
help identify the thresholds at which events constitute ‘cyber attacks’ or ‘armed attacks’ and
allow the exercise of the ‘inherent right to self-defense’.
3. Question Generation
The questions for the case study were developed using material from the reviews of
LOAC and U.S. cyber operations policy. The questions were designed to gain insight regarding
understanding and knowledge of LOAC, cyberspace situational awareness, guidance on
cyberspace operations, and understanding authorities for operating in cyberspace. Additionally,
the study sought information concerning the state of response methods for complex cyberspace
incidents.
4. Sample Selection
The selection of the sample population for the case study was based on association with
the Navy, assignment, degree of cyber expertise, availability and amenability. These criteria
specifically targeted a population of personnel with cyber responsibilities. The goal was to first
attempt to understand the level of knowledge among Navy experts.
Within this target sample population, 27 individuals were solicited to participate.
Solicitation was conducted via email, with the case study form attached and a request for a
response by the specified date. Participants’ responses were collected over a period of 11 days.
Of those individuals solicited, 17 responded and 11 were selected based on the above criteria.
The positions of the 11 selected respondents are listed below:
• A former Deputy Director of Naval Intelligence
• A Network Operations Director
• A CSG Assistant Chief of Staff for Intelligence
• A consolidated input from personnel of the Fleet Information Operations Center
(FIOC) at Navy Information Operation Command (NIOC) Maryland
• A CSG Assistant Chief of Staff for Information Operations
• A former CSG Staff Communications Officer
• A Deputy National Security Agency (NSA)/Central Security Service (CSS)
Representative for Defense
• An Assistant Chief of Staff at the Navy Marine Intelligence Training Center
• An Echelon III Commanding Officer responsible to Office of Naval Intelligence
(ONI)
• The Deputy Chief of Staff for Communications and Networks for a Numbered Fleet
Commander
• An Assistant Chief of Staff at U.S. Cyber Command (USCYBERCOM)
This report has intentionally avoided attribution of case study responses to specific individuals to
avoid associating the response of individuals with the official position of their parent
organizations.
5. Sources of Bias
The scenario responses provide some expert commentary on issues of Navy cyber
operations and LOAC. There are some potential sources of bias in the responses that should be
considered. The sources of bias presented here are intended to permit a more comprehensive
evaluation of the case study results found below. The potential sources of bias include:
• This case study intentionally sought expert responses, and was not conducted with
traditional experimental methodology. The participants were solicited based on their
expertise within the cyber arena. It is possible that the absence of variance in some
responses is a direct result of limited diversity in backgrounds.
• In an attempt to provide the participants sufficient clarity without making the scenario
overwhelming in length, the scenario emphasizes the central role of the malicious
emails in the background statement. With this early presentation, some participants
may overemphasize its role in the early stages of discovery and analysis. It is
possible that in a similar realistic circumstance they may not have correlated the
malicious emails with other anomalies as quickly.
• Only eight participants answered all five sections of the case study completely.
Ideally, the sample size would have been larger to provide a more representative
population.
D. Case Study Results
This section provides a summary of the case study results organized by question set in
accordance with the format presented to participants. Each subsection includes a brief synopsis
of the applicable scenario situation, associated questions, and summary of responses.
1. Question Set 1
Scenario Situation:
• The USS Forestall CSG (FORSTRKGRU) deploys for the U.S. Central Command
(USCENTCOM) area of responsibility
• A week into the deployment, the crew receives emails from WeSupportU.com
containing advertisements and coupons for local vendors within USCENTCOM
• On Day 76, the CSG pulls into port and discovers that the coupons were not valid
• One week into the deployment, CSG network traffic increases by 60% and email
server CPU utilization increases significantly
• No viruses appear on the server virus scans
• The CSG Deputy Chief of Staff for Computer and Networks (N6) concludes that the
increased network traffic and email server CPU utilization are normal as the crew
adjusts to underway life
Questions:
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Summary of Results:
Of the ten participants in this experiment, five concurred with the N6. Each stated that
the N6 made the best assessment based on the network data provided. Despite agreeing with the
initial assessment, all five stated that they would report the incident to the entities capable of
performing a more thorough analysis of the situation. There was little agreement among these
participants regarding which external entities to notify. Three mentioned that they would inform
the NCDOC and three others mentioned Fleet Cyber Command (FCC). Organizations mentioned
less than three times include Naval Criminal Investigative Service (NCIS), National
Counterterrorism Center (NCTC), and the Navy Computer and Telecommunications Area Master
Station (NCTAMS).
Two of the five also recommended that the strike group closely monitor its network
traffic to verify the increase in network activity is due to normal network use.
Five participants disagreed with the conclusion of the N6. Two participants stated that
the involvement of a bad actor or a commercial email distribution to the entire CSG were
sufficient to question whether increased network activity was from non-routine causes. A third
participant questioned the validity of the virus scan, inferring that a possible zero-day attack
should be considered. The other two participants that did not concur with the N6 assessment
doubted the accuracy of the network data and argued that more information is necessary to prove
the baseline numbers.
With regard to recommendations, one of these five recommended that the Cryptologic
Technician (Networks) (CTN) attached to the CSG conduct advanced analysis of servers, packet
shapers and switches. The CSG should then request that NCDOC perform a study of emails to
identify if outgoing messages contain a beacon. He also recommended setting ‘River City’.c
Another recommended using an Internet Security Accelerator (ISA) server to block the
website. He would filter emails at the Exchange server and notify NCDOC of the incident. He
would also have the CND deployer scan the network with a NIOC CND toolset for malware.
c River City is a condition under which NIPRNet transmissions are restricted to a select group of individuals.
2. Question Set 2
Scenario Situation:
• A significant number of service member and associated family member names
appeared on an Iranian website
• The site is operated by an Iranian cleric with strong anti-U.S. views
• The site prominently displays a fatwa issued by the site’s operator declaring any
individual listed as an infidel and calling for jihad against them and their families
• Many of the service members continue to correspond with family and friends on the
website used to facilitate delivery of purchased goods to their homes in the U.S.
Questions:
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
‘cyber attack’ on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Q 2-3: The Admiral requests of USCENTCOM, in conjunction with USCYBERCOM, a
determination on whether the events constitute a cyber-attack. She plans to brief Commander 5th
Fleet on the issue and wants to provide COAs if the events are determined to constitute a
‘cyber attack’. How would you advise the Admiral? Please also explain why preparing COAs
for the cyber attack contingency is appropriate for the situation.
Summary of Results:
Nine of ten participants judged that the compromise of Personally Identifiable
Information was the most significant issue in this portion of the case study. Eight judged this to
be the direct result of poor Operational Security (OPSEC). Eight of the participants
recommended setting ‘River City’. The participants went on to suggest that the CSG personnel
should review OPSEC principles.
One of the participants believed that the discovery of personal information on a malicious
website justifies increased network monitoring and preparation for a lethal response. Another
participant suggested developing COAs for a set of pre-planned response options.
One participant provided a detailed COA that follows:
• Forward information on crew and merchants to NCIS and Defense Intelligence
Agency (DIA) for updated threat assessments
• Advise exposed members of crew and their family of the increased threat and
personal exposure
• Hold emergency OPSEC training
• Secure/Block all social media access or set ‘River City’
• Increase network traffic analysis of all units affected by the jihad threat
• Increase Force Protection Condition (FPCON) for future port visits
• Cancel further non-U.S. port calls
This input included elements of all nine other COAs, which may indicate that the other
COAs were either incomplete or that participants tried to achieve brevity in their responses. This
assumes that the detailed COA was entirely accurate.
Only one participant believed that the discovery of personal information on the website
constituted a ‘cyber attack’. This participant argued that a cyber operation resulting in death or
serious property damage constitutes a ‘cyber attack’. If an information system is considered
property, then its compromise (i.e. unauthorized change of state) could be considered damage,
resulting in a ‘cyber attack’.
3. Question Set 3
Scenario Situation:
• A contractor ashore performs network traffic analysis for 21 days
• Analysis identifies a large number of encrypted 50 Kilobyte emails from users in the
CSG to a single shore-based email address
• CSG virus and malware scans continue to indicate no anomalous activity
• A situational awareness message is sent to all principal Navy stakeholders
Questions:
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Summary of Results:
All of the participants concluded that the 50 Kilobyte emails were the result of a virus.
Based on this conclusion, all participants also recommended actions to either reduce CSG
vulnerability to or provide greater insight into the nature of the virus. Most participants, nine of
eleven, proposed the continuation of their previously recommended defensive measures as well
as the solicitation of forensic and all-source analysis services from external entities.
One participant recommended that the external entities investigate the source of
encryption and try to discover any plain text versions of the transmissions. Another participant
recommended the CSG increase the Information Condition (INFOCON) level. He also
suggested continual reporting of malicious results to command and support entities, and
suggested that higher headquarters could provide any necessary technical assistance. Four
participants proposed that the CSG initiate forensic analysis of the network. Six participants
explicitly recommended that the CSG implement measures to sever contact with the malicious
server. Two individuals suggested that the CSG initiate network sanitization procedures.
Another participant recommended that the CSG Admiral request a coordinated monitoring and
data seeding campaign to assess the scope of response. He also suggested that the CSG
commander consider additional DCO-RA measures.
All participants agreed that forces afloat are not equipped with either the tools or trained
personnel to perform the type of forensic network analysis needed. One participant indicated
that there is usually only one CTN assigned to a CSG. The CTN is responsible for monitoring
network activity and performing the full spectrum of authorized DCO activities. As a result, a
single CTN is not sufficient to provide a robust DCO capability at the tactical level.
There was disagreement among participants about what capabilities exist afloat. Two
participants stated that there was no cyber defense capability afloat, including HBSS. One
participant stated that ships did maintain an HBSS capability, but they do not have the expertise
onboard to take full advantage of that capability. Another stated that there was no expertise or
equipment, but the authorities and policies to do so were in place. Yet another asserted that it is
not the responsibility of the CSG to perform forensic network analysis.
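The Question Set 3 indicator (many CSG users sending encrypted, near-identical 50 Kilobyte messages to one shore-based address), together with the Question Set 1 request that NCDOC check outgoing mail for a beacon, can be expressed as a concrete detection check over mail-gateway logs. The example below is added here and is not part of the report or of any Navy tool; the mail domain, log format, drop address and thresholds are constructed assumptions.

```python
"""Added example (not from the report): detection pass over constructed
mail-gateway log lines for the Question Set 3 pattern, many internal users
sending near-uniform encrypted messages to a single external address.
Domain names, log format and thresholds are assumptions, not Navy systems."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple

# Assumed CSG mail domain (placeholder, not a real address space).
INTERNAL_DOMAIN = "csg.navy.example"

# Constructed sample log: "timestamp sender recipient size_bytes enc|plain".
# The first seven lines mimic the scenario (six users, ~50 KB, encrypted, one
# shore-based drop address); the rest is ordinary crew traffic, including a
# family address that also receives mail from five users but varies in size.
SAMPLE_LOG = """\
2012-06-01T08:00:12 user01@csg.navy.example collect@webmail-host.example 51203 enc
2012-06-01T08:03:40 user02@csg.navy.example collect@webmail-host.example 50988 enc
2012-06-01T08:07:05 user03@csg.navy.example collect@webmail-host.example 51440 enc
2012-06-01T08:11:51 user04@csg.navy.example collect@webmail-host.example 50776 enc
2012-06-01T08:15:22 user05@csg.navy.example collect@webmail-host.example 51090 enc
2012-06-01T08:19:09 user06@csg.navy.example collect@webmail-host.example 51317 enc
2012-06-01T09:02:33 user01@csg.navy.example collect@webmail-host.example 51011 enc
2012-06-01T08:30:00 user02@csg.navy.example mom@home-isp.example 2311 plain
2012-06-01T08:45:10 user03@csg.navy.example orders@vendor.example 18777 plain
2012-06-01T09:10:44 user04@csg.navy.example mom@home-isp.example 840 plain
2012-06-01T09:20:18 user05@csg.navy.example orders@vendor.example 4096 plain
2012-06-01T09:33:27 user06@csg.navy.example orders@vendor.example 131072 plain
2012-06-01T09:40:00 user07@csg.navy.example mom@home-isp.example 1500 plain
2012-06-01T09:41:00 user08@csg.navy.example mom@home-isp.example 1600 plain
2012-06-01T09:42:00 user09@csg.navy.example mom@home-isp.example 1550 plain
2012-06-01T09:50:00 user01@csg.navy.example sec@partner.example 52000 enc
"""


class MailEvent(NamedTuple):
    ts: str
    sender: str
    recipient: str
    size: int
    encrypted: bool


def parse_log(text: str) -> List[MailEvent]:
    """Parse the constructed log format; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sender, recipient, size, flag = line.split()
        events.append(MailEvent(ts, sender.lower(), recipient.lower(),
                                int(size), flag == "enc"))
    return events


def is_internal(address: str) -> bool:
    return address.endswith("@" + INTERNAL_DOMAIN)


def size_dispersion(sizes: List[int]) -> float:
    """Coefficient of variation of message sizes; 0.0 means all identical."""
    avg = mean(sizes)
    return pstdev(sizes) / avg if avg > 0 else float("inf")


def find_fan_in_exfil(events: List[MailEvent], min_senders: int = 5,
                      max_size_cv: float = 0.10,
                      min_enc_ratio: float = 0.9) -> List[Dict]:
    """Flag external recipients that collect encrypted, near-uniform-size
    messages from many distinct internal senders. Each condition alone is
    normal (families, vendors); the combination is the exfiltration pattern."""
    by_recipient: Dict[str, List[MailEvent]] = defaultdict(list)
    for e in events:
        if is_internal(e.sender) and not is_internal(e.recipient):
            by_recipient[e.recipient].append(e)

    findings = []
    for recipient, evs in sorted(by_recipient.items()):
        senders = {e.sender for e in evs}
        sizes = [e.size for e in evs]
        cv = size_dispersion(sizes)
        enc_ratio = sum(e.encrypted for e in evs) / len(evs)
        if (len(senders) >= min_senders and cv <= max_size_cv
                and enc_ratio >= min_enc_ratio):
            findings.append({
                "recipient": recipient,
                "distinct_senders": len(senders),
                "messages": len(evs),
                "mean_size": mean(sizes),
                "size_cv": cv,
                "encrypted_ratio": enc_ratio,
                "first_seen": min(e.ts for e in evs),
                "last_seen": max(e.ts for e in evs),
            })
    return findings


if __name__ == "__main__":
    for f in find_fan_in_exfil(parse_log(SAMPLE_LOG)):
        print(f"{f['recipient']}: {f['distinct_senders']} senders, "
              f"{f['messages']} msgs, mean {f['mean_size'] / 1024:.1f} KB, "
              f"size CV {f['size_cv']:.3f}, {f['first_seen']}..{f['last_seen']}")
```

The family address in the sample is deliberately left unflagged: sender fan-in alone is not the signature, its combination with uniform size and encryption is.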
4. Question Set 4
Scenario Situation:
• A zero-day exploit is discovered embedded in the Hard Rock Café coupons
• The Navy is now able to decrypt and read the 50 Kilobyte emails
• The destination address for the emails is a webmail server in Estonia with an auto-forward
feature. It has been accessed by an Iranian IP address of interest.
Questions:
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
USCENTCOM and national leaders? What would constitute a proportional response in this
situation?
Summary of Results:
At this point, the participants were split seven to three in favor of considering the action a
‘cyber attack’. Four of the participants believed that the ‘cyber attack’ should be considered an
‘armed attack’. The other six participants did not agree with this assessment. Those that
considered the action a ‘cyber attack’ also considered the virus a ‘cyber weapon’.
The group was divided regarding whether policy guidance exists to enable the CSG to
invoke its right of self-defense. Six believed that there is policy in place; three did not. Four
believed that the right to defend the network was inherent and provided under LOAC. Two
participants of the seven stated that despite their personal opinions, they would defer to the CSG
JAG lawyer as the authority on this set of questions.
Only seven of the participants answered the question regarding appropriate counter attack
mechanisms. Three stated that it was okay to implement cyber defense mechanisms, like
network sanitization and disabling communication with the malicious email server. Three
believed that offensive responses were an option, although they all expressed concern about the
proportionality of such responses. One of the three suggested the use of a demarche, comparable
exploit, or some other mechanism that would provide appropriate admonishment, yet still show
the adversary that acts like this will not go unpunished. Two suggested that the CSG use this
opportunity to launch a misinformation campaign against Iran. Two acknowledged that any
decision to affect another nation’s network is made at the national level, and there is no decision
authority at the CSG level. However, these two participants did not rule out justification for
counter attack.
5. Question Set 5
Scenario Situation:
• The CSG discovers an inaccurate order for 72 pallets of bottled water and the unexplained
cancellation of a shipment of small arms ammunition
• A secondary virus that interfaces with the previously identified email virus is
discovered on supply system servers
• The virus affecting the supply system servers appears to be sending email to the Iranian
Embassy in the United Kingdom
Questions:
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Summary of Results:
Only eight participants responded to this set of questions. Of the eight, five asserted that
the recently discovered actions constituted a ‘cyber attack’. One of the five deferred to the JAG
on this set of questions. A sixth participant stated that the intrusion is only a ‘cyber attack’ if it is
verified and attributed. One participant stated that the actions against the supply system do not
constitute a ‘cyber attack’. This individual stated that since a virus was used to penetrate the
network, there was no active disruption and thus no ‘cyber attack’.
Five of the eight participants did not believe that this was an ‘armed attack’ since there
were no lethal consequences from the network intrusion. The three individuals that believed an
‘armed attack’ occurred also considered the use of a ‘cyber weapon’ equivalent to a use of a
traditional weapon.
All eight individuals believed that the CSG could exercise its right of self-defense. Seven
participants assessed that the CSG had the option of implementing defensive measures at the
CSG level. Three of the seven believed that only defensive measures should be considered. Two
participants suggested that proportional offensive responses were a national-level decision and
should be exercised with discretion.
E. Case Study Findings
1. Nomenclature
The case study demonstrates that although there are authoritative documents that define
‘cyber attack’, cyberspace practitioners tend to use their own understanding of not only the
term, but also what (according to LOAC) constitutes ‘armed attack’, ‘use of force’ and
‘proportionality’ in cyberspace.
Additionally, many respondents used the term ‘offensive response’ to refer to retaliatory
measures in response to a cyber attack perceived as hostile and attributable. It was unclear
whether respondents understood the difference between OCO and DCO-RA when referring to
proportional response. While there is some international agreement that a cyber attack may
constitute a hostile act, the USG has not defined procedures that can be used for a proportional
response via DCO-RA. Currently, offensive actions in cyberspace must be conducted using
procedures for OCO.
2. Functions and Resources
At various points in the case study, several of the participants expressed the desire to
report incidents to external entities for situational awareness or to request assistance. Despite
these desires, there was little consensus regarding who required notification. A sampling of the
organizations mentioned by participants includes NCDOC, NIOCs, NCIS, NCTC, and
NCTAMS. It is beyond the scope of this study to determine when each of these organizations
should be leveraged; however, Navy personnel require a more complete and uniform
understanding of each organization’s capabilities and responsibilities.
3. Cyber Procedures
In Question Set 3, after the virus was discovered, six of ten participants agreed on a
recommended COA. Intuitively there should be more consensus on the appropriate COA.
Without judging the responses for correctness, more training and expertise is needed to ensure
that all those responsible are aware of what prioritized actions must be taken.
Notes:
1. Berman, Ilan. "The Iranian Cyber Threat to the U.S. Homeland." Statement before the U.S.
House of Representatives Committee on Homeland Security Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies and Subcommittee
on Counterterrorism and Intelligence, April 26, 2012.
2. The Technolytics Institute. The Cyber Commander's eHandbook: The Weaponry & Strategies
of Digital Conflict. McMurray, PA, 2012.
3. Berman, Ilan. "The Iranian Cyber Threat to the U.S. Homeland." Statement before the U.S.
House of Representatives Committee on Homeland Security Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies and Subcommittee
on Counterterrorism and Intelligence, April 26, 2012.
4. Coleman, Kevin. "Iranian Cyber Warfare Threat Assessment." Defensetech. September 23,
2008. http://defensetech.org/2008/09/23/iranian-cyber-warfare-threat-assessment/
(accessed June 1, 2012).
5. Berman, Ilan. "The Iranian Cyber Threat to the U.S. Homeland." Statement before the U.S.
House of Representatives Committee on Homeland Security Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies and Subcommittee
on Counterterrorism and Intelligence, April 26, 2012.
6. The Technolytics Institute. The Cyber Commander's eHandbook: The Weaponry & Strategies
of Digital Conflict. McMurray, PA, 2012.
7. Payton, Theresa. "Technology: Iran's Comprehensive Cyber Strategy and Implications to the
U.S." The Blaze. May 4, 2012. http://www.theblaze.com/contributions/
iran%e2%80%99s-comprehensive-cyber-strategy-and-implications-to-the-u-s/ (accessed
June 1, 2012).
8. Deutch, John M. "Foreign Information Warfare Programs and Capabilities, Congressional
Testimony." Central Intelligence Agency. June 25, 1996.
https://www.cia.gov/news-information/speeches-testimony/1996/dci_testimony_062596.html.
9. Spector, Leonard. "Chinese Assistance to Iran's Weapons of Mass Destruction and Missile
Programs, Testimony before the House International Relations Committee." Carnegie
Endowment for International Peace. September 12, 1996.
http://www.carnegieendowment.org/1996/09/12/chinese-assistance-to-iran-s-weapons-of-mass-destruction-and-missile-programs/cli.
10. Coleman, Kevin. "Iranian Cyber Warfare Threat Assessment." Defensetech. September 23,
2008. http://defensetech.org/2008/09/23/iranian-cyber-warfare-threat-assessment/
(accessed June 1, 2012).
11. Payton, Theresa. "Technology: Iran's Comprehensive Cyber Strategy and Implications to the
U.S." The Blaze. May 4, 2012. http://www.theblaze.com/contributions/
iran%e2%80%99s-comprehensive-cyber-strategy-and-implications-to-the-u-s/ (accessed
June 1, 2012).
12. Lukich, Alex. The Iranian Cyber Army. July 12, 2011. http://csis.org/blog/iranian-cyber-army
(accessed June 23, 2012).
13. "Who are the Iranian Cyber Army?" The Green Voice of Freedom. February 19, 2010.
http://en.irangreenvoice.com/article/2010/feb/19/1236 (accessed June 30, 2012).
14. Carr, Jeffrey. "Iran's Paramilitary Militia is Recruiting Hackers." Forbes. January 12, 2011.
http://www.forbes.com/sites/jeffreycarr/2011/01/12/irans-paramilitary-militia-is-recruiting-hackers/.
15. The Technolytics Institute. The Cyber Commander's eHandbook: The Weaponry & Strategies
of Digital Conflict. McMurray, PA, 2012.
16. Ibid.
17. Ibid.
18. Ibid.
19. Berman, Ilan. "The Iranian Cyber Threat to the U.S. Homeland." Statement before the U.S.
House of Representatives Committee on Homeland Security Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies and Subcommittee
on Counterterrorism and Intelligence, April 26, 2012.
20. Payton, Theresa. "Technology: Iran's Comprehensive Cyber Strategy and Implications to the
U.S." The Blaze. May 4, 2012. http://www.theblaze.com/contributions/
iran%e2%80%99s-comprehensive-cyber-strategy-and-implications-to-the-u-s/ (accessed
June 1, 2012).
21. Wright, Robin. The Iran Primer: Power, Politics, and U.S. Policy. Washington, D.C.: The
United States Institute of Peace Press in collaboration with the Woodrow Wilson
International Center for Scholars, 2010.
22. Payton, Theresa. "Technology: Iran's Comprehensive Cyber Strategy and Implications to the
U.S." The Blaze. May 4, 2012. http://www.theblaze.com/contributions/
iran%e2%80%99s-comprehensive-cyber-strategy-and-implications-to-the-u-s/ (accessed
June 1, 2012).
23. Freier, Nathan. "The Emerging Anti-Access/Area-Denial Challenge." Center for Strategic and
International Studies. May 17, 2012. http://csis.org/publication/emerging-anti-accessarea-denial-challenge.
24. Cordesman, Anthony H. and Adam C. Seitz. Iran Status Report: Iran and the Challenges to
Middle East Security. Study, Washington, D.C.: Center for Strategic and International
Studies, 2009.
25. Ibid.
VI. RECOMMENDATIONS
A. Introduction
Cyberspace has emerged as a distinct warfare domain, fundamentally altering the way the
USG, and by extension the U.S. Navy, conducts operations. U.S. forces require assured access
to cyberspace as a prerequisite for successful operations in all warfare domains. U.S. adversaries
have identified cyberspace as a center of gravity and are exercising and improving operational
capability to exploit this domain.
The U.S. DoD must be poised to counter cyber threats. As a result, the Navy must fulfill
its obligation to give Navy and Joint commanders the unique advantages that cyberspace can
offer. To do this the Navy must man, train and equip forces that are capable of planning strategy
and executing the full range of cyberspace operations. The case study findings contained in this
report demonstrate that the Navy is not fully prepared, particularly with regard to understanding
the application and implications of LOAC to cyberspace operations.
B. Deficiencies
Although cyberspace is a relatively new warfare domain, LOAC is equally applicable in
cyberspace as in any other warfare domain. While there is broad international consensus that
LOAC applies in cyberspace, the unique characteristics of cyberspace make interpretation
challenging. Among these challenges is defining ‘armed attack’ and ‘use of force’, as well as
extending the ‘principle of proportionality’ and ‘inherent right to self-defense’. The case study
reveals a range of interpretations regarding the application and implications of LOAC for Navy
cyber operations. The case study also demonstrates the absence of a consensus on the thresholds
for ‘cyber attacks’, ‘armed attacks’ in cyberspace, and when the ‘inherent right to self-defense’ is
warranted. The respondents did generally agree that even if there was a desire to react to an
‘armed attack’ within cyberspace, tactical commanders have neither the authorities nor the tools
required. The case study also revealed general confusion regarding the organizational structures
and responsibilities for cyber within the Navy and a lack of documented procedural methodologies
for addressing complex incidents in cyberspace. The sources within this report demonstrate that
no central Naval repository or publication exists which consolidates the scope of information and
references required to fully understand the application and implications of LOAC on cyberspace
operations.
Policy is essential for guiding commanders’ decisions in situations concerning LOAC.
Currently, DoD and Navy cyber defense policy is sufficient to allow commanders to reach
acceptable solutions to cyber security issues. In contrast, offensive cyber policy is
underdeveloped, leaving the commander with no means for considering the implications of
LOAC. As a result, the absence of well-defined and robust cyber policy effectively restrains the
tactical and operational commanders’ ability to use force in response to a cyber attack as
permitted by LOAC.
While this report was primarily concerned with Navy cyber operations in the context of
LOAC, during the course of the report a number of other cyber operations issues came to light:
• The Navy has much work to do to perfect a means for translating adversary capabilities into actionable threat evaluations centered on risks.
• Maritime combatants lack an organic forensics analysis capability.
• There are currently no policies mandating red teaming as a mechanism for vulnerability discovery or readiness evaluation.
• Offensive cyber capabilities are absent from the Navy’s cyberspace technological arsenal.
C. Recommendations
As the case study indicates, the Navy’s level of understanding and knowledge regarding
the application and implications of LOAC is inconsistent at best. This is in part due to
unresolved questions regarding what constitutes ‘armed attack’, ‘use of force’ and ‘proportional
response’ in cyberspace. Currently, the authorities responsible for deciding these issues reside at
the national strategic level, not within the U.S. DoD or with the Navy. Until these issues are
resolved, new policy to guide cyber operations is unlikely. As a result, in order to address the
Navy’s deficiency in understanding LOAC as it applies to cyberspace operations, the Navy
should pursue the following two courses of action:
• Provide a repository of references which consolidates publications covering the scope of information required to fully understand the current state of LOAC’s application and implication to Navy cyberspace operations.
• Ensure combatant commanders and JAGs are provided adequate instruction on cyber operations commensurate with its critical role in modern naval combat, including material on cyber threats, cyber policies, and the current state of LOAC’s application and implication to cyberspace operations.
Regarding the Navy’s cyber operations deficiencies not specifically related to LOAC, the
following courses of action are recommended:
• Implement policies strengthening ties between cyberspace operators and intelligence elements.
• Improve means for translating adversary capabilities into actionable threat evaluations centered on risks.
• Develop and deploy organic forensics analysis capability onboard maritime combatants.
• Implement policies mandating red teaming for vulnerability discovery and readiness evaluation.
• Invest in offensive and exploitation technologies to ensure the Navy can fulfill its responsibility to the Joint force.
While each of the above recommendations represents an avenue for potential Navy
action, these areas also deserve additional study to identify and analyze the most appropriate,
impactful, cost-effective, and expeditious means of implementation.
REFERENCES
Berman, Ilan. "The Iranian Cyber Threat to the U.S. Homeland." Statement before the U.S.
House of Representatives Committee on Homeland Security Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies and Subcommittee
on Counterterrorism and Intelligence, April 26, 2012.
Carr, Jeffrey. "Iran's Paramilitary Militia is Recruiting Hackers." Forbes. January 12, 2011.
http://www.forbes.com/sites/jeffreycarr/2011/01/12/irans-paramilitary-militia-isrecruiting-hackers/.
Center for Information Dominance. “A-202-0006 / A-3B-0027 Trainee Guide” Revision 01-10.
Pensacola, Florida. p 9-4.
Chief of Naval Operations. Instruction 5239.1C, “Navy Information Assurance Program”. 20
August 2008. p. 17.
Cicero, Marcus Tullius. “Speech in Defense of Titus Annius Milo”, 52 BC.
Coleman, Kevin. "Iranian Cyber Warfare Threat Assessment." Defensetech. September 23, 2008.
http://defensetech.org/2008/09/23/iranian-cyber-warfare-threat-assessment/ (accessed
June 1, 2012).
Commander Fleet Cyber Command. “General Admin Message 282138Z JAN 11”. 28 January
2011.
Cordesman, Anthony H. and Adam C. Seitz. Iran Status Report: Iran and the Challenges to
Middle East Security. study, Washington, D.C.: Center for Strategic and International
Studies, 2009.
Cox, RADM Samuel J. Personal interview. United States Cyber Command. 4 June 2012.
Deets, RADM Ned. “Integrated Air and Missile Defense Symposium”. 14 July 2011.
http://www.dtic.mil/ndia/2011IAMD/RADMDeets.pdf. Accessed 22 June 2012. p. 21.
Defense Information Systems Agency. "Host Based Security System (HBSS): Components"
http://www.disa.mil/Services/Information-Assurance/HBS/HBSS/Components. Accessed
19 June 2012.
Department of Defense. Department of Defense Cyber Policy Report. A Report to Congress
Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934,
Washington DC: U.S. Government, 2011.
Department of Defense. Directive O-8530.1, “Computer Network Defense”. 8 January 2001. p.
2.
Department of Defense. DoD Strategy for Operating in Cyberspace. Washington DC: U.S.
Government, 2011.
Department of Defense. Instruction 8510.01, “DoD Information Assurance Certification and
Accreditation Process”. 28 November 2007.
Department of Defense. Instruction 8570.1-M, “Information Assurance Workforce Improvement
Program”. 24 January 2012. p. 17.
Department of Defense. Instruction O-8530.2, “Support to Computer Network Defense”. 9
March 2001. pp 37-38.
Department of Defense. Legal Support to Military Operations. Joint Publication 1-04,
Washington DC: U.S. Government, 2011.
Department of the Navy. Instruction 5239.19, “Department of the Navy Computer Network
Incident Response and Reporting Requirements.”. 24 January 2012.
Department of the Navy, Chief Information Officer. "CHIPS Articles: The Common PC
Operating System Environment Program - COMPOSE"
http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=3044. Accessed 20 June 2012.
Department of the Navy, Chief Information Officer. “Computer Network Defense Roadmap”.
www.doncio.navy.mil/Download.aspx?AttachID=971. Accessed 21 June 2012.
Deutch, John M. "Foreign Information Warfare Programs and Capabilities, Congressional
Testimony." Central Intelligence Agency. June 25, 1996. https://www.cia.gov/newsinformation/speeches-testimony/1996/dci_testimony_062596.html.
Encyclopedia Britannica. Merriam-Webster.com. July 1, 2011. http://www.merriam-webster.com/
(accessed Jul 8, 2012).
Final Record of the Diplomatic Conference of Geneva. "Final Record of the Diplomatic
Conference of Geneva of 1949." Bern: Federal Political Department, 1949.
Hoover, Nicholas. "Cyber Attacks Becoming Top Terror Threat, FBI Says." Information Week.
February 1, 2012. http://www.informationweek.com/news/government/security/
232600046 (accessed July 6, 2012).
International Committee of the Red Cross (ICRC). "Law of Armed Conflict, Basic Knowledge."
Training. International Red Cross, June 2002.
International Committee of the Red Cross. "Protocols additional to the Geneva Conventions of
12 August 1949." Protocols additional to the Geneva Conventions. Geneva: International
Committee of the Red Cross, 1977. 89-101.
Joint Task Force – Global Network Operations. “Computer Tasking Order (CTO) 07-12”. 9
October 2007.
Lukich, Alex. The Iranian Cyber Army. July 12, 2011. http://csis.org/blog/iranian-cyber-army
(accessed June 23, 2012).
National Research Council, Committee on Information Assurance for Network-Centric Naval
Forces. “Information Assurance for Network-Centric Naval Forces”. 2010.
http://www.nap.edu/catalog.php?record_id=12609. Accessed 19 June 2012. p. 105.
Naval War College. (2011). Non-International Armed Conflict in the Twenty-first Century.
Newport: U.S. Government.
Notification of the Federal Department of Foreign Affairs of Switzerland. "Protocol additional to
the Geneva Conventions of 12 August 1949." Geneva Conventions, Protocol III. Bern:
International Committee of the Red Cross, 2005.
Novell. “U.S. Navy Cyber Defense Operations Command”. 2009.
http://www.infosecurityproductsguide.com/casestudies/2009/Novell_U_S_Navy_Cyber_
Defense_Operations_Command_Case_Study.pdf. Accessed 20 June 2012. p. 1.
Payton, Theresa. "Technology: Iran's Comprehensive Cyber Strategy and Implications to the
U.S." The Blaze. May 4, 2012. http://www.theblaze.com/contributions/
iran%e2%80%99s-comprehensive-cyber-strategy-and-implications-to-the-u-s/ (accessed
June 1, 2012).
President of the United States. "National Security Strategy." Whitehouse.gov. May 2010.
http://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf
(accessed July 12, 2012).
Secretary of The Navy. Cyberspace Policy and Administration within the Department of the
Navy. Instruction 3052.2, Washington DC: U.S. Navy, 2009.
Sharp, Walter Gary. Cyberspace and the use of force. Falls Church, VA: Aegis Research
Corporation, 1999. p. 40.
Spector, Leonard. "Chinese Assistance to Iran's Weapons of Mass Destruction and Missile
Programs, Testimony before the House International Relations Committee." Carnegie
Endowment for International Peace. September 12, 1996.
http://www.carnegieendowment.org/1996/09/12/chinese-assistance-to-iran-s-weapons-ofmass-destruction-and-missile-programs/cli.
The Technolytics Institute. The Cyber Commander's eHandbook: The Weaponry & Strategies of
Digital Conflict. McMurray, PA, 2012.
The White House. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and
Communication Infrastructure. Policy Review, Washington DC: U.S. Government, 2009.
The White House. International Strategy for Cyberspace. Washington DC: U.S. Government,
2011.
United Nations. (1945). Charter of the United Nations and Statute of the International Court of
Justice. San Francisco: United Nations.
United Nations. (1974). U.N. General Assembly Resolution 3314. New York: United Nations.
United States Congress. (2010). National Defense Authorization Act for Fiscal Year 2011.
Washington D.C.: U.S. Government.
United States Congress. Title 50: War and National Defense, § 36 (United States Code).
"Who are the Iranian Cyber Army?" The Green Voice of Freedom. February 19, 2010.
http://en.irangreenvoice.com/article/2010/feb/19/1236 (accessed June 30, 2012).
Wright, Robin. The Iran Primer: Power, Politics, and U.S. Policy. Washington, D.C.: The
United States Institute of Peace Press in collaboration with the Woodrow Wilson
International Center for Scholars, 2010.
APPENDIX A ACRONYMS AND ABBREVIATIONS
ACCM: Asset Configuration Compliance Module
ADMAT: Administration Documentation Management and Training
ADNS: Automated Digital Network System
AEM: Audit Extraction Manager
C2: Command and Control
C3: Command, Control, and Communications
C5ISR: Command, Control, Communications, Computers, Combat Systems, Intelligence, Surveillance, and Reconnaissance
CENTRIXS: Combined Enterprise Regional Information Exchange System
CIA: Central Intelligence Agency
CIO: Chief Information Officer
CNA: Computer Network Attack
CND: Computer Network Defense
COA: Course Of Action
COMFLTCYBERCOM: Commander Fleet Cyber Command
COMPOSE: Common PC Operating System Environment
COTS: Commercial-Off-The-Shelf
CPU: Central Processing Unit
CSG: Carrier Strike Group
CSICP: Cyber Security Inspection and Certification Program
CSS: Central Security Service
CSU: Channel Service Unit
CTN: Cryptologic Technician (Network)
CWSP: Commercial Wideband Satellite Program
DAA: Designated Accrediting Authority
DCM: Device Control Module
DCO: Defensive Cyber Operations
DCO-RA: DCO-Response Actions
DHS: Department of Homeland Security
DIA: Defense Intelligence Agency
DIACAP: DoD IA Certification and Accreditation Process
DISA: Defense Information Systems Agency
DNI: Director of National Intelligence
DNS: Domain Name Server
DoD: Department of Defense
DoN: Department of the Navy
DoS: Department of State
DSCS: Defense Satellite Communication System
DSU: Data Service Unit
ECH I/II/III: Echelon I/II/III (Echelon I is the most senior)
ECO: Exploitation Cyber Operations
EHF: Extremely High Frequency
ePO: ePolicy Orchestrator
FBI: Federal Bureau of Investigation
FCC: Fleet Cyber Command
FIOC: Fleet Information Operations Center
FISA: Federal Information Security Act
FORSTRKGRU: USS Forestall Strike Group
FPCON: Force Protection Condition
GENSER: General Service
GIG: Global Information Grid
HBSS: Host-Based Security System
HIPS: Host Intrusion Prevention System
IA: Information Assurance
IAM: IA Manager
IAT: IA Technician
IAVA: IA Vulnerability Alert
IAVM: IA Vulnerability Management
IC: Intelligence Community
ICA: Iranian Cyber Army
IDS: Intrusion Detection System
IHL: International Humanitarian Laws
INE: Inline Network Encryption
INFOCON: Information Control
IRGC: Islamic Revolutionary Guard Corps
ISA: Internet Security Accelerator
ISIC: Immediate Superior In Chain
ISP: Internet Service Provider
ISSR: Inner Security Screening Router
IT-21: Information Technology for the 21st Century
JAG: Judge Advocate General
KG: Key Generator
LAN: Local Area Network
LOAC: Law of Armed Conflict
MDR: Medium Data Rate
NCDOC: Navy Cyber Defense Operations Command
NCIS: Navy Criminal Investigative Service
NCTAMS: Navy Computer Telecommunications Area Master Station
NCTC: National Counter Terrorism Center
NDAA: National Defense Authorization Act
NIOC: Navy Information Operations Command
NIPRNet: Non-secure Internet Protocol Router Network
NNWC: Naval Network Warfare Command
NSA: National Security Agency
OCO: Offensive Cyber Operations
OPSEC: Operational Security
OSSR: Outer Security Screening Router
PA: Policy Auditor
PC: Personal Computer
RF: Radio-frequency
RNOSC: Regional Network Operations and Security Center
RSD: Rogue System Detection
SCCM: System Center Configuration Manager
SCI: Sensitive Compartmented Information
SECDEF: Secretary of Defense
SIPRNet: Secret Internet Protocol Router Network
TIMEPLEX: Time Division Multiplexer
TSC: Theater Security Cooperation
TYCOM: Type Commander
U.N.: United Nations
UNCLAS: UNCLASSIFIED
U.S.: United States
USB: Universal Serial Bus
USCENTCOM: US Central Command
USCYBERCOM: US Cyber Command
USD: U.S. Dollars
USG: U.S. Government
USS: US Ship
VHF: Very-High Frequency
VPN: Virtual Private Network
VSCAN: Virus Scanning
WAN: Wide Area Network
WMD: Weapons of Mass Destruction
WWII: World War II
APPENDIX B CASE STUDY SUPPORTING MATERIALS
This Appendix presents supporting material for the Iranian cyber conflict case study
discussed in the main body of the report. This Appendix is divided into three sections. The first
section lists the individuals who participated in the study. The second section includes the study
form, scenario, questions, and the distribution email soliciting responses. The final section
provides the participant responses; however, identifying information has been removed to protect
individual privacy.
A. List of Participants
Captain Terry Roberts (USN, Ret), Former Deputy Director of Naval Intelligence. Director
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania.
Captain Brian Broene (USN, Ret), Director of Network Operations, Naval Network Warfare
Command, Virginia Beach, Virginia.
Captain William Diehl (USN), Deputy National Capital Region, National Security Agency,
Central Security Service, Fort George Meade, Maryland.
Captain Eric Exner (USN), Deputy Chief of Staff for Education and Training (N7), Navy
Marine Intelligence Training Center, Virginia Beach, Virginia.
Captain James Mills (USN), Deputy Chief of Staff for Communications and Networks (N6),
Commander Fifth Fleet (C5F), Manamah, Bahrain.
Captain Christopher Page (USN), Commanding Officer, Hopper Information Support Center,
Suitland, Maryland.
Commander Daniel Kenda (USN), Deputy Chief of Staff for Intelligence (N2), Carrier Strike
Group 12, USS Enterprise, C5F Area of Operations, Arabian Gulf.
Lieutenant Colonel Troy Matterhorn (USMC),
Commander Dan Sander (USN), Deputy Chief of Staff for Information Operations (N39),
Carrier Strike Group 3, USS John C. Stennis, Bremerton, Washington.
Commander Mick Brons (USN), Operations Officer, Naval Information Operations Center
(NIOC) and the FIOC DCO Team, Fort George Meade, Maryland.
NIOC Maryland Watch Section
B. Case Study Scenario as Presented
A Microsoft Word file was used to email the study form to a group of participants. The text
of the study form is provided below:
Carnegie Mellon University
Information Networking Institute
Masters of Information Technology Strategy (MITS) – 1 Practicum
Cyber Operations & the Law of Armed Conflict
Participant’s Name:
Participant’s Title:
Date reviewed:
Participant,
The following paragraphs provide an evolving scenario that could potentially face a deploying
U.S. Navy Carrier Strike Group (CSG). The scenario begins with general background
information. Each subsequent section provides further amplifying information and a series of
questions. As an integral element of the Navy’s capability to conduct operations in cyberspace,
your perspective on the questions posed below will help shape the findings of the MITS-1
Practicum. These findings will reveal current and relevant thinking on issues related to Navy
operations in cyberspace; as a result, your candid and detailed responses are extremely helpful.
Please do not feel constrained to limit your response to the space provided under the format
below. Thank you in advance for your participation and assistance in supporting the research
objectives of our practicum study.
- MITS-1 Cohort
Scenario Background Information:
USS Forestall departs Virginia en route to the Central Command Area of Responsibility
(CENTCOM AOR) mid-March 2012. The local media has extensively covered the deployment,
as well as departure of the other units in the CSG. Approximately one week after leaving port, a
significant number of the crew of the Forestall (Commanding Officers/COs, Executive
Officers/XOs, Command Master Chiefs/CMCs included) and her CSG begin receiving emails
from WeSupportU.com containing legitimate appearing discount advertisements for hotels,
restaurants, service industries and shopping locations; as well as recommended liberty activities.
Among these discount advertisements is a 50% off coupon for Hard Rock Cafés in Athens,
Bahrain, and Dubai. The Forestall Strike Group (FORSTRKGRU) makes no port calls en-route
to the Commander Fifth Fleet (C5F) area of responsibility (AOR) until day 76 when the CSG
pulls into Jebel Ali. After three days in port, the FORSTRKGRU CMC reports a number of
complaints from the crew claiming that the Hard Rock Café in Dubai will not honor the coupons
because the employees claim the coupons are counterfeit.
Scenario Question Set 1:
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1:
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2:
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up to date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en-route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1:
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2:
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3:
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50 Kilobyte emails from multiple users within the CSG to a
single shore based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy
Network Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information
Operations Command (NIOC) Maryland, and US Cyber Command (USCC). Virus and malware
scans on servers and hosts throughout the FORSTRKGRU continue to produce no abnormal
findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1:
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2:
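The traffic analysis in Question Set 3 turns on one observable pattern: many distinct internal senders, one external destination, and messages of nearly identical size regardless of who sent them. The following is an added illustration of how that pattern can be surfaced from mail logs; it is not part of the practicum's materials or of any Navy tool. It assumes a simplified, constructed log format (timestamp, from, to, size) rather than any real MTA's format, and uses placeholder domains (csg.example for the strike group, webmail.example and others for outside addresses). The thresholds are constructed starting points that a watch floor would tune against its own baseline.

```python
"""Flag many-senders / one-destination / uniform-size mail flows in a mail log.

Added example; constructed log format and placeholder domains, not a real system's.
"""
import re
import statistics
from collections import defaultdict

# Constructed placeholder for the strike group's internal mail domain.
INTERNAL_DOMAIN = "csg.example"

# Constructed sample log lines in a simplified format (not a real MTA's log format).
# Five different users each send one ~50 KB message to the same outside address;
# the remaining lines are ordinary correspondence with family and merchants.
SAMPLE_LOG = """\
2012-06-01T08:12:03Z from=alpha@csg.example to=mom@familymail.example size=2310
2012-06-01T08:14:10Z from=alpha@csg.example to=relay7@webmail.example size=51200
2012-06-01T08:20:45Z from=bravo@csg.example to=relay7@webmail.example size=51198
2012-06-01T09:02:11Z from=charlie@csg.example to=relay7@webmail.example size=51202
2012-06-01T09:30:00Z from=delta@csg.example to=relay7@webmail.example size=51200
2012-06-01T09:31:27Z from=delta@csg.example to=store@shop.example size=8800
2012-06-01T10:05:59Z from=echo@csg.example to=relay7@webmail.example size=51201
2012-06-01T10:07:13Z from=bravo@csg.example to=friend@familymail.example size=1200
2012-06-01T10:09:40Z from=charlie@csg.example to=vendor@shop.example size=14000
2012-06-01T10:15:00Z from=foxtrot@csg.example to=vendor@shop.example size=9000
2012-06-01T11:00:00Z from=golf@csg.example to=vendor@shop.example size=43000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, sender, recipient, size) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["sender"], m["rcpt"], int(m["size"])))
    return records


def find_exfil_candidates(records, min_senders=3, min_messages=4, max_rel_spread=0.01):
    """Return external recipients receiving near-identical-size mail from many internal senders.

    Ordinary outbound mail varies widely in size and recipient; a fixed-size beacon
    from many hosts to one mailbox does not. A destination is flagged when it has at
    least `min_senders` distinct internal senders, at least `min_messages` messages,
    and a (max - min) / median size spread no greater than `max_rel_spread`.
    """
    by_rcpt = defaultdict(list)
    internal_suffix = "@" + INTERNAL_DOMAIN
    for _ts, sender, rcpt, size in records:
        # Only outbound mail (internal sender, external recipient) is of interest.
        if sender.endswith(internal_suffix) and not rcpt.endswith(internal_suffix):
            by_rcpt[rcpt].append((sender, size))

    findings = {}
    for rcpt, msgs in by_rcpt.items():
        senders = {s for s, _ in msgs}
        sizes = [sz for _, sz in msgs]
        if len(senders) < min_senders or len(msgs) < min_messages:
            continue
        median = statistics.median(sizes)
        spread = (max(sizes) - min(sizes)) / median if median else 0.0
        if spread <= max_rel_spread:
            findings[rcpt] = {
                "senders": len(senders),
                "messages": len(msgs),
                "median_size": median,
            }
    return findings


if __name__ == "__main__":
    for rcpt, info in find_exfil_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{rcpt}: {info['messages']} msgs from {info['senders']} senders, "
              f"median {info['median_size']} bytes")
```

On the constructed sample only relay7@webmail.example is flagged; the merchant address also receives mail from several users, but the sizes vary so widely that it is not. The check deliberately ignores message content, which matters in the scenario because the payloads were encrypted: the detection rests on metadata the shore station could log without being able to read anything.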
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the 50
Kilobyte emails was identified as a web mail account with an auto forward feature. The auto
forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1:
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2:
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3:
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4:
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer's default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious and USNS Tenacious, assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address from the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto forward feature, as well as utilizing the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment, do the above actions constitute a cyber-attack? Why or why not?
Response 5-1:
Q 5-2: In your assessment, do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2:
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3:
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter-attack options, defensive options, or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4:
C. Case Study Responses as Received
Participant 1
Scenario Question Set 1
A subsequent investigation by the USS FORRESTALL Naval Criminal Investigative
Service (NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase in
email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates bandwidth
utilization remains within allotted limits and there is no detectable increase in disk space use.
The FORSTRKGRU Director of Communications and Networks (N6) concludes that network
volume increases are attributable to normal and expected changes in day-to-day operations as
service members adapt to a deployed battle rhythm. The degradation in application performance
is also attributed to these adjustments. The increase in email server demand is judged to coincide
with understandable increases commensurate with the completion of weapons loading and
reduced air operations for the transatlantic crossing, allowing service members more time to
correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1: Yes; N6’s conclusion sounds reasonable. However, temporal analysis of the
possible spearphishing with the negative effects on network traffic, CPU utilization and degraded
speed warrant investigation by local IAM personnel. Some additional concerns:
- Were only the Hard Rock Café coupons not honored? We would expect all coupons from a
malicious domain to be false.
- Would NCIS investigate coupons that were not honored? How would NCIS know? Also, many
internet domains are registered falsely…
- Why did they virus scan? Was this a routine scan?
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2: In addition to above, would report to NCDOC via Initial Incident Report (IIR)
located on their SIPRNET portal.
Participant 1
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up-to-date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS FORRESTALL
when the ship was transiting the Mediterranean Sea en route to C5F. The site also prominently
displays a fatwa issued by the site’s operator declaring any individual listed an infidel and calling
for “Jihad” against the individuals, their families and all merchants who support the United
States. Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked which subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration. Please discuss
your reasoning.
Response 2-1: Concern is personnel safety; NCIS should be notified. Recommend Command
Triad advise crewmembers of risks of social media, and instruct them to exercise caution when
dealing with these merchants (avoid use of credit cards, prefer alternate merchants, beware of
overly friendly or inquisitive customers or proprietors at those locations, avoid explicit US Navy
apparel, etc.).
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: Not a Cyber Attack; no indication given that the Cleric has sent malicious traffic
into the DoD GIG. Does not meet the CNA definition. However, the adversary is clearly using
information to its advantage (and to our harassment/discomfort!).
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3: Not a Cyber Attack; see previous response.
Participant 1
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging are conducted for 21 days, after which traffic analysis
identifies a large number of 50-kilobyte emails from multiple users within the CSG to a single
shore-based email address. All data contained within the emails is encrypted and the frequency of
emails appears to correspond to network utilization. A Naval message outlining the results of this
analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy Network
Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information Operations
Command (NIOC) Georgia, and US Cyber Command (USCC). Virus and malware scans on
servers and hosts throughout the FORSTRKGRU continue to produce no abnormal findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1: Forensically image the email server and several hosts involved with the incident;
send hard drives to NCDOC for analysis. Submit IIR with date/time of outbound traffic and
advise NCDOC of same.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: Equipment: NO (missing software, sensors). Expertise: NO (training).
Authorities: YES. Policy: YES.
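The traffic pattern that the contractor's 21-day analysis in Scenario Question Set 3 turns up (a large number of uniform-size, encrypted emails from many CSG users to one shore-based address) is a recognizable exfiltration signature, and the scenario notes that signature-based virus scans missed it entirely. The script below is an added example and is not part of the report or of any participant's response; it runs a simple behavioural check over a constructed mail-transfer log. The log format, the internal domain unit.navy.mil, the addresses and the thresholds are all assumptions, not anything from the scenario.

```python
"""Flag the exfiltration signature from Scenario Question Set 3: many near-uniform-size
messages from multiple internal senders to one external address.

Added example; the log format, domain, addresses and thresholds are constructed
assumptions, not material from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
import re
import statistics

# Constructed sample mail-transfer log. Assumed line format:
#   "<time> from=<sender> to=<recipient> size=<bytes>"
SAMPLE_LOG = """\
2012-07-01T08:01:12 from=smith@unit.navy.mil to=jones@unit.navy.mil size=2311
2012-07-01T08:03:40 from=smith@unit.navy.mil to=drop@webmail.example size=51200
2012-07-01T08:05:02 from=lee@unit.navy.mil to=drop@webmail.example size=51198
2012-07-01T08:09:55 from=kim@unit.navy.mil to=drop@webmail.example size=51201
2012-07-01T08:11:13 from=lee@unit.navy.mil to=family@isp.example size=8800
2012-07-01T08:14:27 from=ortiz@unit.navy.mil to=drop@webmail.example size=51199
2012-07-01T08:20:31 from=kim@unit.navy.mil to=drop@webmail.example size=51200
2012-07-01T08:22:09 from=smith@unit.navy.mil to=family@isp.example size=120
2012-07-01T08:25:44 from=ortiz@unit.navy.mil to=newsletter@shop.example size=51200
"""

# Assumed internal mail domain for the strike group.
INTERNAL_DOMAIN = "unit.navy.mil"

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$")


@dataclass
class Finding:
    recipient: str      # external address collecting the uniform-size messages
    messages: int       # how many such messages were seen
    senders: int        # how many distinct internal senders produced them
    median_size: int    # typical message size in bytes


def parse_log(text):
    """Yield (sender, recipient, size) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sender"), m.group("rcpt"), int(m.group("size"))


def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def find_uniform_exfil(text, min_messages=4, min_senders=3, max_size_spread=0.01):
    """Return a Finding for each external recipient that collected at least
    min_messages messages from at least min_senders distinct internal senders,
    with all message sizes within max_size_spread (fraction of the median)."""
    per_recipient = defaultdict(list)
    for sender, rcpt, size in parse_log(text):
        # Only outbound mail (internal sender, external recipient) matters here.
        if is_internal(sender) and not is_internal(rcpt):
            per_recipient[rcpt].append((sender, size))

    findings = []
    for rcpt, items in sorted(per_recipient.items()):
        if len(items) < min_messages:
            continue
        distinct_senders = {s for s, _ in items}
        if len(distinct_senders) < min_senders:
            continue
        sizes = [sz for _, sz in items]
        median = statistics.median(sizes)
        if median == 0:
            continue
        # Near-identical sizes across unrelated senders are the tell; ordinary
        # personal mail varies widely in size.
        if (max(sizes) - min(sizes)) / median > max_size_spread:
            continue
        findings.append(Finding(rcpt, len(items), len(distinct_senders), int(median)))
    return findings


if __name__ == "__main__":
    for f in find_uniform_exfil(SAMPLE_LOG):
        print(f"suspect collector {f.recipient}: {f.messages} messages, "
              f"{f.senders} senders, ~{f.median_size} bytes each")
```

On the constructed log the check isolates the single collector address while ignoring ordinary outbound mail, which is the kind of finding the scenario's Naval message reports; in practice the thresholds would be tuned against a baseline of the unit's normal outbound traffic, and a hit is a lead for the incident reporting and forensic imaging the responses discuss, not proof of attribution.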
Participant 1
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt and
read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic. The
emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the
50-kilobyte emails was identified as a web mail account with an auto-forward feature. The
auto-forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment, do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: No; these actions are not “using networks to disrupt, deny, destroy, or degrade
blue force information resident on computer networks.” They constitute cyber espionage or
computer network exploitation (CNE).
Q 4-2: In your assessment, is the virus a cyber-weapon, and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: No; these actions are not an armed attack. The virus is being used to exfiltrate
data, not deny/degrade/destroy etc. It is not a cyber weapon. The difference is one of intent.
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: No policy is required; the right to self-defense is inherent.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter-attack options, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4: No counter-attack options are available to a CSG Commander. There are lots of
defensive options, depending on what the Navy CNDSP or national leaders decided: block,
monitor, or disrupt outbound communications are a few.
Participant 1
Scenario Question Set 5:
While moored in Piraeus, the USS FORRESTALL supply officer (SUPPO) is notified
that 72 pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer's default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious and USNS Tenacious, all assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further analysis
reveals that the resulting emails contain a different source/destination address from the address
previously identified for the CSG virus. The supply virus appears to utilize the same initial
address with the auto forward feature, as well as utilizing the same subsequent anonymous email
server. At the anonymous email server the supply signals appear to be routed differently than
other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment, do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: No; does not meet definition.
Additional Concerns:
- For a CNA, this requisition cancellation would have to be attributable to some kind of
malicious electronic event that is clearly linked to the specific virus associated with the
Iranian actor, rather than run-of-the-mill malware that sneaked in due to poor security
practices and subsequently deleted other network data besides supply requisitions or
affected other portions of the network in some way.
- Supply servers traverse a number of additional servers… This question refers to
attribution for the CNE/data exfil.
- My DCO team thinks this is not a cyber attack. This is because they think the chain of
causality and attribution for information disruption/destruction (cancelled ammunition
requisitions) is insufficiently clear in your scenario.
Q 5-2: In your assessment, do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: No.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: Always has right to self-defense; see above.
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter-attack options, defensive options, or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4: As before, lots of defensive options are available to CSG. No counter-attack
options are available to CSG. IF the scenario were written to make this a cyber attack, a
proportional response would cause the adversary to doubt the integrity of his networks in some
way. There is a difficult calculus here in a low-level counter-attack. The gain from showing
resolve/stiff spine in the face of a small-scale attack would have to outweigh the risk of
escalation and/or the “burning” of a cyber tool that would be clearly attributable to the US. If not
a tool easily correlated with the US, no message would be sent to the adversary, unless:
(a) The response was pre-approved/rule-based and allowed for near-real-time response action,
which could employ publicly available tools but could be recognized as a US response simply
due to coincidence of timeliness. OR
(b) The response was done in coincidence with a public statement by the US that it had
detected ineffective attempts to degrade its networks on a deployed CSG. OR
(c) The deployment of the publicly available exploit was done in a sophisticated manner that
demonstrated knowledge of the adversary’s network, in which case the adversary might
reasonably conclude a sophisticated nation-state actor, possibly the US, had attacked it.
Participant 2
Question Set 1
A subsequent investigation by the USS FORESTALL Naval Criminal Investigative
Service (NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase in
email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates bandwidth
utilization remains within allotted limits and there is no detectable increase in disk space use.
The FORSTRKGRU Director of Communications and Networks (N6) concludes that network
volume increases are attributable to normal and expected changes in day-to-day operations as
service members adapt to a deployed battle rhythm. The degradation in application performance
is also attributed to these adjustments. The increase in email server demand is judged to coincide
with understandable increases commensurate with the completion of weapons loading and
reduced air operations for the transatlantic crossing, allowing service members more time to
correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1:
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2:
Participant 2
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up-to-date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS FORESTALL
when the ship was transiting the Mediterranean Sea en route to C5F. The site also prominently
displays a fatwa issued by the site’s operator declaring any individual listed an infidel and calling
for “Jihad” against the individuals, their families and all merchants who support the United
States. Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked which subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration. Please discuss
your reasoning.
Response 2-1:
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2:
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3:
Participant 2
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging are conducted for 21 days, after which traffic analysis
identifies a large number of 50-kilobyte emails from multiple users within the CSG to a single
shore-based email address. All data contained within the emails is encrypted and the frequency of
emails appears to correspond to network utilization. A Naval message outlining the results of this
analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy Network
Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information Operations
Command (NIOC) Georgia, and US Cyber Command (USCC). Virus and malware scans on
servers and hosts throughout the FORSTRKGRU continue to produce no abnormal findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1:
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2:
Participant 2
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt and
read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic. The
emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the
50-kilobyte emails was identified as a web mail account with an auto-forward feature. The
auto-forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment, do the above actions constitute a cyber-attack? Why or why not?
Response 4-1:
Q 4-2: In your assessment, is the virus a cyber-weapon, and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2:
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3:
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter-attack options, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4:
Participant 2
Scenario Question Set 5:
While moored in Piraeus, the USS FORESTALL supply officer (SUPPO) is notified that
72 pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer's default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious and USNS Tenacious, all assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further analysis
reveals that the resulting emails contain a different source/destination address from the address
previously identified for the CSG virus. The supply virus appears to utilize the same initial
address with the auto forward feature, as well as utilizing the same subsequent anonymous email
server. At the anonymous email server the supply signals appear to be routed differently than
other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment, do the above actions constitute a cyber-attack? Why or why not?
Response 5-1:
Q 5-2: In your assessment, do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2:
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3:
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter-attack options, defensive options, or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4:
Consolidated Response
1. There is no clear definition for a cyber attack. Generically we call any unauthorized
actions on our computers a cyber attack because that is the term that has been in use for years. It
should not be confused, however, with an attack under the law of armed conflict and
international law. I'm unsure what definition this class will use, or how they will seek to apply it.
If they think that by calling something a cyber attack it gives rise to the right to self-defense
under the law of armed conflict, they are mistaken. Stealing data is not generally going to be an
armed attack. So I'm concerned what definitions are being used and how they are being applied.
2. To correctly answer some of these questions, the students will need an understanding of
the SROE and authorities. Will this class include that? That would mean going classified. The
students can't really say what the Admiral should do in terms of self-defense without knowing
what the SROE and authorities that apply are. To answer outside that framework may lead to
incorrect assumptions about authority. I think the questions may save this by asking about
recommended actions, but really the best way to approach the law of armed conflict (LOAC)
issues here may be to take it out of what authority this admiral may or may not have, and focus
generally on what responses would be lawful under LOAC. That gets away from how we
delegate authority to take actions under LOAC.
3. By example, Q5-1 asks if something is a cyber attack. Q5-2 asks if it is an armed attack.
Q5-3 asks if there is a right to self-defense. And Q5-4 asks us to assume an armed attack, and
then gets into what actions the Admiral can take or should recommend. To answer the first and
second, they'll need to define terms ahead of time. Generically, yes, all the questions seem to
qualify as a cyber-attack if that is defined by an unauthorized actor doing things against you or
without your permission via cyber means. The better question is whether they are a use of force.
They are not an armed attack; I'll say that outright. I don't even think they are a use of force. As
to right to self-defense, does this mean on the unit level or national level? Unit level gets into
ROE, as does Q5-4. National level, along with the recommendations part of Q5-4, may be more
generically tied to LOAC and international law and policy.
For an unclassified class, I'd keep more in line with LOAC, international law and national
security law and steer clear of issues that really are ROE matters such as what the Admiral can
do on her own authority. I'd also be careful in what definitions are used for terms such as cyber
attack and armed attack and self-defense.
Participant 3
Question Set 1
A subsequent investigation by the USS FORRESTALL Naval Criminal Investigative
Service (NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase in
email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates bandwidth
utilization remains within allotted limits and there is no detectable increase in disk space use.
The FORSTRKGRU Director of Communications and Networks (N6) concludes that network
volume increases are attributable to normal and expected changes in day-to-day operations as
service members adapt to a deployed battle rhythm. The degradation in application performance
is also attributed to these adjustments. The increase in email server demand is judged to coincide
with understandable increases commensurate with the completion of weapons loading and
reduced air operations for the transatlantic crossing, allowing service members more time to
correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1: Yes, I would concur with the N6’s analysis, because 1) logic is sound, 2) systems
are still working, and 3) consistent with my own observations at this point in the deployment.
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2: Certainly I would recommend reporting the “Wesupportu.com” incident to
operational and cyber chains of command, such as Fleet Commanders and NCDOC,
FltCybercom, etc., not just to NCIS (reporting held inside criminal investigations is “law
enforcement sensitive” and does not always inform the bigger picture). I’m sure that the
servicing NCTAMS could also provide some sort of network analysis on this CSG’s comms.
Participant 3
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up to date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS FORRESTALL
when the ship was transiting the Mediterranean Sea en-route to C5F. The site also prominently
displays a fatwa issued by the site’s operator declaring any individual listed an infidel and calling
for “Jihad” against the individuals, their families and all merchants who support the United
States. Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please discuss
your reasoning.
Response 2-1: The primary areas of concern are poor OPSEC, and poor safeguarding of personal
information. It’s too late to rectify this situation – Personally Identifying Information (PII) can
only be safeguarded from the beginning. Once it’s out in cyberspace – it’s gone forever. I
personally do not believe that social media and OPSEC are compatible – I would seek to limit
social media throughout the Navy, and on this deployment, in particular (I do not participate in
social media). The CSG commander should not have allowed these merchants on the ship during
the passage. Strike Groups need to exercise better OPSEC from the beginning – this was not a
pleasure cruise to the MED on Carnival Cruise Lines – it’s the US’ battle fleet. Either act like a
battle fleet, or better to just not have a Navy, and save the American tax payers’ money.
Serious COA: 1) Counsel Sailors to not release PII, 2) Set RIVER CITY, 3) Conduct Blue Force
Monitoring.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: No, I do not concur that this is a cyber-attack, because 1) not credible, 2) not an
imminent threat (although Navy should report to NCTC and DHS). If this occurred in the U.S., it
would have border-line protection under 1st amendment (although, I’m sure one would be liable
for recent anti-terrorism laws). For example, no commander could exercise the right of
“cyber self-defense” based on this website. But, I’m sure the cleric will find himself on the U.S.
No-fly list. Again, the issue of PII being released where this cleric can access is the bigger matter
of concern – the Navy needs to do 1000% better job at protecting PII.
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3: While this is a troubling issue, I do not consider this a cyber-attack. Again, no one
actually denied, degraded, or disrupted my cyber systems, and there is no credible or imminent
threat against my strike group. While one COA might be to launch a DDOS against this website,
I would not recommend this COA. I don’t believe any lawyer would find a right of self-defense
under this particular scenario. Therefore, any “counter” operations against this cleric
would have to be approved at levels far above the strike group commander; likely by NCA. An
easier COA would be to just enforce CSG OPSEC, and to set a restrictive RIVER CITY
condition if necessary.
Participant 3
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic analysis
identifies a large number of 50 Kilobyte emails from multiple users within the CSG to a single
shore based email address. All data contained within the emails is encrypted and the frequency of
emails appears to correspond to network utilization. A Naval message outlining the results of this
analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy Network
Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information Operations
Command (NIOC) Georgia, and US Cyber Command (USCC). Virus and malware scans on
servers and hosts throughout the FORSTRKGRU continue to produce no abnormal findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1: 1) Take Unit, Group, and Fleet level actions to prohibit contact with the offending
entity. 2) Initiate clean up procedures for affected users.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: I do not believe that deploying forces have the equipment, expertise, and
associated authorities and policy to have figured out this problem on their own. (I am not smart
enough to know all the equipment that they would need). However, I don’t believe that Strike
Groups need all of this equipment. The Strike Groups are part of a network – they do not own the
network (it’s not organic to the strike group). There is no way they could gain the situational
awareness at their level to figure out the sophistication of this attack. Shore-based and national
entities are in a much-better position to figure these things out. Again, the CSG was in a position
to prevent release of so much of their PII, and they failed miserably.
Participant 3
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt and
read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic. The
emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the 50
Kilobyte emails was identified as a web mail account with an auto forward feature. The auto
forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: Yes, the above actions constitute a cyber-attack, since they invaded other cyber
systems that they should not have had access to, and altered their operations.
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: Yes, the virus is a cyber-weapon. No, this is not an “armed” attack, because
nothing done during this attack had the potential for producing “blood and guts.”
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: If the CSG commander had detected the attack in progress, then she logically
should have certain rights of self-defense, provided that the responses are “necessary and
proportional.” I am not certain that ROE or even national policy permits this exercise of
self-defense; these issues are currently being debated at the highest levels of government.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4: I consider this an “attack,” but not an “armed attack.” I am not certain that there
should be a difference, but clearly there is a difference between “armed” and “cyber,” both in
terms of public opinion, and in LOAC. I think any defensive action which reaches out and
touches systems in a foreign country must be a national decision, since the effects of the action
would reach far beyond affecting only the cleric, and would have national/world-wide
implications.
Participant 3
Scenario Question Set 5:
While moored in Piraeus, the USS FORRESTALL supply officer (SUPPO) is notified
that 72 pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer’s default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless and USS Audacious and USNS Tenacious assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further analysis
reveals that the resulting emails contain a different source/destination address than the address
previously identified for the CSG virus. The supply virus appears to utilize the same initial
address with the auto forward feature, as well as utilizing the same subsequent anonymous email
server. At the anonymous email server the supply signals appear to be routed differently than
other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: Yes, this is another cyber attack, well-crafted and launched by a malicious actor.
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: No, this was not an armed attack because there was no potential for “blood and
guts.” It is an attack, however. Such attacks have potential to cause the U.S. to lose the war.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: Intuitively, CSG should have the right to “necessary and proportional self
defense” if she is able to detect an attack in progress (retaliatory strikes are not “necessary and
proportional.”) But, as with the Iran example, national decision would likely be required,
because of the scope of possible effects.
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4: I would not recommend any counter-attack from the CSG level; just better
network security and defensive measures. A proportional response would be to inflict a similar
level of damage on the adversary network, however, national leaders and the U.S. populace as a
whole are likely not interested in causing similar damage against the attacker.
Participant 4
Question Set 1
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1: I would not accept the N6’s assessment because I am aware that there are viruses
and or Trojans that although not currently known could be infecting the network. The fact that
the e-mail containing fake coupons was sent and opened on network machines coupled with the
information about the internet domain owner concerns me. I am not convinced that the network
has not been compromised. The fact that bandwidth use is within normal ranges does not prove
that the network has not been compromised. It is possible that the network has been
compromised and that the individuals who planted the virus or Trojan will not fully employ it
until the ship is engaged in high interest operations. They do not want to give away their
presence until it provides the best tactical advantage.
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2: I would recommend that the N6 notify COMTENTH Fleet and request a blue
team or NCDOC team come aboard to thoroughly inspect the network.
Participant 4
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up to date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en-route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1: I would recommend that the Commander ensure that their Essential Elements of
Friendly Information (EEFI) are updated and promulgated to the entire CSG. I would also
recommend that River City conditions be put in place restricting off ship access to the internet to
on select key personnel. I would announce to the crew that the restrictions are in place until
further notice because of a significant breach of Operational security (OPSEC). I would also
request an assist visit from COMTENTHFLT to ensure that the network was not compromised.
My reasoning is that the continued flow of the type of information described potentially could
compromise the safety and security of the entire CSG as well as the civilians the sailors are
corresponding with. These tactical actions could have strategic consequences.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: I am not a JAG but I do not concur that the cleric’s actions constitute a “cyber-attack”.
It is not possible to tell how the information was attained. My philosophy on an e-mail
or post of any kind on an unclassified network is that it is potentially available to anyone
anywhere on the internet.
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3: I do agree that the situation should be briefed to the CoC to determine if it
constitutes a “cyber-attack”. I would implement the COAs I laid out previously. Enforce OPSEC
through EEFIs, institute River City conditions and request assistance from Cyber experts to
determine if the network has been compromised.
Participant 4
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50 Kilobyte emails from multiple users within the CSG to a
single shore based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy
Network Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information
Operations Command (NIOC) Maryland, and US Cyber Command (USCC). Virus and malware
scans on servers and hosts throughout the FORSTRKGRU continue to produce no abnormal
findings.
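The scenario above (in both the Participant 3 and Participant 4 sections) hinges on one traffic-analysis observation: a large number of roughly 50 Kilobyte encrypted emails from many CSG users to a single shore-based address, which signature-based virus scans never flagged. The script below is an added example, not part of the practicum report or any Navy tool, showing how such a collection point can be surfaced from mail-gateway logs by looking at volume, sender spread and size uniformity per external recipient rather than at message content. The log format, the `csg.navy.example` domain, the recipient addresses and the thresholds are all assumptions constructed for the example.

```python
"""
Added example (not from the report): flag external mail recipients that receive
many near-identically sized messages from many internal senders, the indicator
described in Scenario Question Set 3. Log format and addresses are constructed.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed mail-gateway log (not real traffic). Assumed line format:
#   <timestamp> from=<sender> to=<recipient> size=<bytes>
# 12 same-sized messages from 4 users to one webmail address (the suspect pattern),
# a family mailing list with varied sizes, ordinary outbound mail, two inbound
# messages, and one malformed line the parser must skip.
MAIL_LOG = """\
2012-06-01T08:00:12Z from=<a.seaman@csg.navy.example> to=<drop@webmail.example> size=51200
2012-06-01T08:04:51Z from=<b.chief@csg.navy.example> to=<drop@webmail.example> size=51210
2012-06-01T08:09:30Z from=<c.ensign@csg.navy.example> to=<drop@webmail.example> size=51198
2012-06-01T08:15:02Z from=<d.petty@csg.navy.example> to=<drop@webmail.example> size=51205
2012-06-01T09:01:44Z from=<a.seaman@csg.navy.example> to=<drop@webmail.example> size=51201
2012-06-01T09:06:19Z from=<b.chief@csg.navy.example> to=<drop@webmail.example> size=51199
2012-06-01T09:12:07Z from=<c.ensign@csg.navy.example> to=<drop@webmail.example> size=51203
2012-06-01T09:20:55Z from=<d.petty@csg.navy.example> to=<drop@webmail.example> size=51207
2012-06-01T10:02:33Z from=<a.seaman@csg.navy.example> to=<drop@webmail.example> size=51200
2012-06-01T10:08:48Z from=<b.chief@csg.navy.example> to=<drop@webmail.example> size=51202
2012-06-01T10:14:21Z from=<c.ensign@csg.navy.example> to=<drop@webmail.example> size=51196
2012-06-01T10:22:10Z from=<d.petty@csg.navy.example> to=<drop@webmail.example> size=51204
2012-06-01T08:30:00Z from=<a.seaman@csg.navy.example> to=<ombudsman@family-list.example> size=2048
2012-06-01T08:45:00Z from=<e.lt@csg.navy.example> to=<ombudsman@family-list.example> size=184320
2012-06-01T09:30:00Z from=<f.cdr@csg.navy.example> to=<ombudsman@family-list.example> size=4096
2012-06-01T10:30:00Z from=<a.seaman@csg.navy.example> to=<ombudsman@family-list.example> size=409600
2012-06-01T11:30:00Z from=<e.lt@csg.navy.example> to=<ombudsman@family-list.example> size=15360
2012-06-01T12:30:00Z from=<f.cdr@csg.navy.example> to=<ombudsman@family-list.example> size=30720
2012-06-01T08:12:00Z from=<a.seaman@csg.navy.example> to=<mom@home-isp.example> size=3100
2012-06-01T08:13:00Z from=<b.chief@csg.navy.example> to=<spouse@home-isp.example> size=120000
2012-06-01T08:14:00Z from=<c.ensign@csg.navy.example> to=<brother@other-isp.example> size=7200
2012-06-01T08:16:00Z from=<d.petty@csg.navy.example> to=<dad@home-isp.example> size=51200
2012-06-01T08:17:00Z from=<e.lt@csg.navy.example> to=<friend@other-isp.example> size=900
2012-06-01T08:18:00Z from=<f.cdr@csg.navy.example> to=<orders@merchant.example> size=15000
2012-06-01T08:19:00Z from=<orders@merchant.example> to=<f.cdr@csg.navy.example> size=22000
2012-06-01T08:20:00Z from=<mom@home-isp.example> to=<a.seaman@csg.navy.example> size=1800
this line is deliberately malformed and should be skipped by the parser
"""

INTERNAL_DOMAIN = "csg.navy.example"  # assumed domain of CSG users

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> size=(?P<size>\d+)$"
)


def parse_mail_log(text):
    """Parse gateway log lines into records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m["ts"], "sender": m["sender"].lower(),
                            "rcpt": m["rcpt"].lower(), "size": int(m["size"])})
    return records


def summarize_outbound(records, internal_domain=INTERNAL_DOMAIN):
    """Group outbound mail (internal sender, external recipient) by recipient."""
    suffix = "@" + internal_domain
    by_rcpt = defaultdict(lambda: {"count": 0, "senders": set(), "sizes": []})
    for r in records:
        if r["sender"].endswith(suffix) and not r["rcpt"].endswith(suffix):
            s = by_rcpt[r["rcpt"]]
            s["count"] += 1
            s["senders"].add(r["sender"])
            s["sizes"].append(r["size"])
    return by_rcpt


def flag_collection_points(summary, min_messages=5, min_senders=3, max_size_cv=0.02):
    """Return {recipient: stats} for destinations that collect many messages from
    many distinct users with near-constant size (coefficient of variation of the
    message sizes at or below max_size_cv). Thresholds are assumed, not doctrinal."""
    flagged = {}
    for rcpt, s in summary.items():
        if s["count"] < min_messages or len(s["senders"]) < min_senders:
            continue
        avg = mean(s["sizes"])
        cv = pstdev(s["sizes"]) / avg if avg else 0.0
        if cv <= max_size_cv:
            flagged[rcpt] = {"messages": s["count"],
                             "distinct_senders": len(s["senders"]),
                             "mean_size_bytes": round(avg),
                             "size_cv": round(cv, 4)}
    return flagged


if __name__ == "__main__":
    hits = flag_collection_points(summarize_outbound(parse_mail_log(MAIL_LOG)))
    for rcpt, stats in hits.items():
        print(f"{rcpt}: {stats}")
```

The family mailing list receives comparable volume from several users but its sizes vary by two orders of magnitude, so it is not flagged; the webmail address is flagged on volume, sender spread and size uniformity together. A hit of this kind is a reason to pull the messages for closer inspection and to report up the chain, as the scenario's NCTAMS contractor did, not a verdict on its own.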
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1: I would recommend that the Admiral request assistance from COMTENTHFLT
to get the individuals with the necessary technical knowledge to support the N6 staff in
determining the threat.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: No. Most ships have HBSS installed only on SIPRNET. In many cases, HBSS is
disabled because the ship’s force find that in their opinion HBSS degrades the network
performance to an unacceptable level. Many of the issues stem from lack of expertise on the part
of the ship’s force. The number one issue is a junior/inexperienced workforce on ships that lacks the
expertise to employ the tools they are provided with for network security. In many cases smaller
ships are not provided with advanced network tools.
Participant 4
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the 50
Kilobyte emails was identified as a web mail account with an auto forward feature. The auto
forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: Again, I am not a JAG but since the information was obtained by planting a
virus, I would classify it as a cyber-attack.
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: Again, a question for the lawyers. I do consider the actions a cyber-attack but I
do not consider it armed. One of the key principles of Rules of Engagement (ROE) is
proportionality. I do not think that you would respond to a cyber-attack with a kinetic response.
That is just my opinion.
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: Again, JAG question. In my opinion, yes the FORSTRKGRU can defend their
network. It is a cyber-attack and they have the inherent right of self-defense.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4: In my opinion I would limit the response to defending the network by eliminating
the virus. I might use the virus to feed misinformation or harmless information we want the
adversary to react to, in order to gather proof of the attack for the international community.
Participant 4
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer’s default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless and USS Audacious and USNS Tenacious assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address than the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto forward feature, as well as utilizing the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: Yes. The network was maliciously manipulated.
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: No, for the same reasons that I stated previously. No shots were fired. No kinetic
actions took place.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: Yes. They have the inherent right to defend their networks with a proportional
response.
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4: In my opinion an armed response is not proportional. The response should be
limited to defending the network.
Participant 5
Question Set 1
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1: My gut feel is that simply deploying would not account for that drastic of an
increase in traffic or slow-down on the network. That said, I would still mostly concur IF it was
shown that a 60% increase was the normal pattern of traffic and system slow-down as
experienced by other deploying carriers. If not, then obviously further investigation is
warranted.
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2: Even if that was determined to be the normal pattern, given that there is a
potential bad actor involved who has engaged in questionable activities that have already
affected us in other ways, I would investigate further into the situation by checking with NCTC
and CYBERCOM at a minimum. I would also report the activity up-chain.
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up to date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en-route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1: There is no direct evidence that this and the fake coupon events are related yet,
although that is an obvious inference. It warrants close investigation. In terms of COAs, we are
actually pretty limited. You cannot take any direct action against the website itself of course; no
authority or tools to do so and unlikely to be very effective even if you could. Once the info is
out there, it is VERY difficult to fully remove it from cyberspace. The best COAs will involve
getting the word out to the crew about INFOSEC and control of personal information.
Encourage them to disable their social media accounts, even if it is only for the short term.
Review all ship’s INFOSEC procedures to identify any potential problems. Continue to analyze
the network for other problems, and correct them if found (to ensure the ship is not unwittingly
compromising ship’s crew, vendor or port-of-call information.) Encourage crew members to
cease doing business with those merchants or at least to take all transactions offline. Promote the
idea of increased vigilance of one’s surroundings for themselves and their family members, and
report any suspicious activity to the police.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: It may or may not be accurate, depending on how she means it. It is certainly possible
that they obtained the information they have FROM a cyber-attack on the ship via the email
system, or from the serviceman’s home computers. It is also possible that they simply obtained
the information by reading unsecured, social media profiles, and did not have to resort to any
cyber attack methods. They also do not appear to be recommending follow-on cyber attacks
specifically, but rather attacks of any type are encouraged.
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3: Preparing and executing COAs, similar to the ones I describe above, are always
prudent whether or not a “cyber-attack” has occurred, and should be carried out regardless of the
results of that determination by CENTCOM and CYBERCOM. Beyond that however, even if
they say a “cyber-attack” has occurred, the CSG will have ZERO cyber role in any follow-on
action. That is all done at the National level under National guidance and authorities. The only
way it could involve the CSG is if a kinetic option is approved as a response (highly unlikely in
this case I would think).
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50 Kilobyte emails from multiple users within the CSG to a
single shore based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy
Network Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information
Operations Command (NIOC) Maryland, and US Cyber Command (USCC). Virus and malware
scans on servers and hosts throughout the FORSTRKGRU continue to produce no abnormal
findings.
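As an added example (not part of the case study and not code from the report's authors or the Navy), the following shows one way a defender could check a mail log for the pattern the contractor found: many encrypted messages of about 50 KB from multiple internal senders to a single external address, with hourly counts that track network utilization. The log lines, the internal mail domain and the utilization figures are constructed for illustration.

```python
"""Detect the exfiltration pattern from the scenario in a mail log (added example).

Flags external recipients that receive ~50 KB encrypted messages from several
distinct internal users, then checks whether the hourly send count correlates
with network utilization, as the scenario's traffic analysis observed.
"""
from collections import Counter, defaultdict
from math import sqrt

INTERNAL_DOMAIN = "csg.navy.mil"   # assumed shipboard mail domain (constructed)
SUSPECT_SIZE = 50 * 1024           # ~50 KB messages, as in the scenario
SIZE_TOLERANCE = 0.05              # accept +/-5 % around the suspect size

# Constructed mail-log lines: <hour> <sender> <recipient> <bytes> <encrypted yes|no>
MAIL_LOG = """\
2012-06-01T08 smith@csg.navy.mil cousin@example.net 4120 no
2012-06-01T08 jones@csg.navy.mil drop@webmail.example 51200 yes
2012-06-01T08 lee@csg.navy.mil drop@webmail.example 51180 yes
2012-06-01T09 patel@csg.navy.mil drop@webmail.example 51230 yes
2012-06-01T09 smith@csg.navy.mil drop@webmail.example 51200 yes
2012-06-01T09 lee@csg.navy.mil supplier@example.org 51200 no
2012-06-01T10 jones@csg.navy.mil drop@webmail.example 51210 yes
2012-06-01T10 ortiz@csg.navy.mil home@example.com 2300 no
2012-06-01T11 ortiz@csg.navy.mil drop@webmail.example 51190 yes
2012-06-01T11 patel@csg.navy.mil drop@webmail.example 51200 yes
2012-06-01T11 lee@csg.navy.mil drop@webmail.example 51220 yes
2012-06-01T11 smith@csg.navy.mil mom@example.net 1900 no
"""

# Constructed per-hour network utilization (percent of allotted bandwidth)
UTILIZATION = {"2012-06-01T08": 40, "2012-06-01T09": 55,
               "2012-06-01T10": 35, "2012-06-01T11": 70}


def parse_log(text):
    """Parse the whitespace-separated log format above into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hour, sender, recipient, size, enc = line.split()
        records.append({"hour": hour, "sender": sender, "recipient": recipient,
                        "bytes": int(size), "encrypted": enc == "yes"})
    return records


def is_suspect(rec):
    """Encrypted, ~50 KB, from an internal sender to an external recipient."""
    low = SUSPECT_SIZE * (1 - SIZE_TOLERANCE)
    high = SUSPECT_SIZE * (1 + SIZE_TOLERANCE)
    return (rec["encrypted"] and low <= rec["bytes"] <= high
            and rec["sender"].endswith("@" + INTERNAL_DOMAIN)
            and not rec["recipient"].endswith("@" + INTERNAL_DOMAIN))


def fan_in_recipients(records, min_senders=3):
    """Map each external recipient to the sorted distinct internal senders of
    suspect messages, keeping only recipients with at least min_senders users."""
    senders = defaultdict(set)
    for rec in records:
        if is_suspect(rec):
            senders[rec["recipient"]].add(rec["sender"])
    return {r: sorted(s) for r, s in senders.items() if len(s) >= min_senders}


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def utilization_correlation(records, recipient, utilization):
    """Correlate hourly suspect-message counts to one recipient with utilization."""
    per_hour = Counter(rec["hour"] for rec in records
                       if is_suspect(rec) and rec["recipient"] == recipient)
    hours = sorted(utilization)
    return pearson([per_hour.get(h, 0) for h in hours],
                   [utilization[h] for h in hours])


def analyze(text=MAIL_LOG, utilization=UTILIZATION):
    """Return {recipient: {"senders": [...], "utilization_corr": float}}."""
    records = parse_log(text)
    findings = {}
    for recipient, senders in fan_in_recipients(records).items():
        corr = utilization_correlation(records, recipient, utilization)
        findings[recipient] = {"senders": senders,
                               "utilization_corr": round(corr, 2)}
    return findings


if __name__ == "__main__":
    for recipient, info in analyze().items():
        print(f"{recipient}: {len(info['senders'])} senders, "
              f"utilization correlation {info['utilization_corr']}")
```

A high correlation on its own proves nothing; as the scenario shows, it is the combination of fan-in to one external address, uniform message size, encryption and timing that justifies escalation to the commands listed in the Naval message.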
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1: This is strong evidence that a cyber attack has in fact occurred on the ship’s
network, and is of a design that is not yet detectable by anti-virus programs. From an N2
perspective, I would continue to recommend actions that I outlined above, as those are the only
COAs we can execute at the CSG level. How to clean / fix the network servers is an N6 issue,
and I would wait for his recommendation. I anticipate it would likely involve slicking and
reloading the entire email server from known-good master software copies, at a minimum.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: Not even close. To my knowledge (pending N6 input), those tools are not made
available, not approved for use on the LAN, and unless you get lucky, no individual on board is
specifically trained in their use.
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the 50
Kilobyte emails was identified as a web mail account with an auto forward feature. The auto
forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: In my assessment, yes. They have used illegal and malicious methods to
compromise US information systems to the benefit of a known bad actor.
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: It is certainly a “cyber weapon” as there was a specific implement used to
compromise / damage US info systems, and it also is an attack since there was clearly an intent
to cause harm. “Armed” is a term that is difficult to apply here. However, in the most literal
interpretation, I would have to say yes. If a virus is indeed a cyber “weapon,” then use of it
constitutes an “armed” attack. It would be very difficult to describe what an “unarmed” cyber-attack
might be, however.
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: Certainly you can, although not in the way I think this question implies. Taking
self-defense measures, in this case, would incorporate all the actions I have described previously
to include N6 actions to clear the servers of malicious code. A proportionate, retaliatory
cyberstrike MAY also be allowable, depending on the results of your defensive actions and if the
threat still exists, but again the CSG has no authority or capability currently to conduct one. That
would all be driven and conducted at the National level.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4: Regardless of what you call it, your actions do not change from what I outlined
above under current policy. Take defensive INFOSEC measures, clean your servers, alert your
crew to take further precautions. Over to National for any “counter attack.” The CSG has no
role in conducting a cyber attack, unless some portion of the response becomes kinetic. Nor do I
think they should. At a base level, the reason for having a Carrier Strike Group is so that you
can project power at distances far away from your own country should you choose to do so.
Short of land forces stationed abroad or an ICBM, it is your only option. That same calculus
does not apply to cyber however, as relative distances have no meaning in cyberspace. All attack
options are available from ANY location, regardless of their physical remove, and therefore there
is really no pressing need to replicate that capability afloat.
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer's default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious and USNS Tenacious, assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address than the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto forward feature, as well as utilizing the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: Yes, for the same reasons as listed in the previous case.
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: Yes, for the same reasons as listed above.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: Yes, as described previously.
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4: Same as before. Not in the CSG’s lane to recommend a counter-attack response
in this case; only to take self-defense measures. They likely would not have the resident
expertise to recommend a proportionate response in any event. Although I think that would be a
logical next step. There is no reason why the Information Warfare Commander should NOT
have had the expertise and ability to recommend if he only had the requisite experts and training
available. This is fundamentally different from having the resident capabilities to LAUNCH
such an attack, however.
Participant 6
Scenario Question Set 1
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore.
- With regard to Question Set (1), while the N6's assessment is plausible, we could and should
conduct further analysis before accepting that assessment. Even a cursory review of such
metrics as ones portraying the "most frequently visited web sites" by time of day and day of
week could contribute to such an analysis. If nothing else, the review could, particularly if it
reveals heightened activity having no readily apparent connections to work or family like
concerns, lead us to reject the N6's hypothesis and begin looking for alternative explanations.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1:
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2:
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up to date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en-route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
- With regard to Question Set (2), there will be several factors for the CSG/ARG's staff to
consider while proceeding through the Military Decision Making Process (MDMP) and
formulating Courses of Action (COA). Some will be very operational in nature. Others may be
less so. Examples of factors in the latter category include the potential alteration of Morale,
Welfare, and Recreation (MWR) policies and practices, the blocking or unblocking of selected
web sites, and the reinforcement and enforcement of personnel security rules relating to foreign
contact.
- I believe that the cleric's actions constituted an attack, primarily because it is clear that those
actions had the intended effect of delaying, disrupting, or otherwise interfering with the
operations of FORSTRKGRU. That said, the real questions focus, at this point in the scenario,
on such matters as sponsorship, plausible deniability, and proportionality. If the same cleric had
been pointing a laser dazzler at the Carrier Onboard Delivery (COD) aircraft while on approach
to Oman, we'd have grounds for declaring the action an attack, but we'd have difficulty pinning
the blame on a state and even more difficulty delivering an appropriate, proportional response.
- Preparing COAs is, indeed, an important step. I'll argue that an even more important step
involves using the COAs to develop, codify, implement, and exercise Pre-Planned Responses
(PPRs). The CSG/ARG and its constituent elements, particularly its decision-makers and
operators, need to understand the Commander's Intent and the actions required in order to act
promptly and effectively relative to that intent. PPRs constitute a battle-proven method for
helping commanders ensure subordinate forces act in accordance with their intent during
emergencies and other time-sensitive and/or complex situations, such as the one at the center of
this scenario.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1:
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2:
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3:
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50 Kilobyte emails from multiple users within the CSG to a
single shore based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy
Network Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information
Operations Command (NIOC) Maryland, and US Cyber Command (USCC). Virus and malware
scans on servers and hosts throughout the FORSTRKGRU continue to produce no abnormal
findings.
- With regard to Question (3), my view, biased in favor of the use of Computer Network Defense
(CND) to enable the continuation of Distributed Global Information Grid (GIG) Operations
(DGO), suggests that the most logical action is to block the outflow of traffic to the single,
shore-based e-mail address identified in the message. Others will undoubtedly disagree. Some will
argue for maintaining and monitoring the outflow. Others will argue for taking FORSTRKGRU
off the grid. I'll leave it to them to make their arguments. For me, I'll sum-up my thoughts with
lines like "the show must go on" or "if we drop off the grid, the adversary wins."
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1:
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2:
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the 50
Kilobyte emails was identified as a web mail account with an auto forward feature. The auto
forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
- With regard to Question (4), I'll, again, state that the actions constitute an attack. At this point,
I'd be concerned that the other cleric was looking not only to delay or disrupt operations but,
possibly, to draw a large group of Sailors to the off-base facility for much more nefarious
purposes. We'd, of course, need to dig-in, learn more, and execute processes that extend well
beyond the scenario, but let's keep it simple and straightforward: he's not luring FORSTRKGRU
members to the Hard Rock Café for any good reasons. Prudence dictates the need to investigate
the possibility that his actions were meant to set conditions for an ambush or other form of armed
attack.
- We have to have a credible presence in the Middle East. We don't have to have a footprint on
the beach in the entertainment districts of Dubai. One response might be to cancel liberty,
remain at sea, conduct as much of our logistics work as possible underway, and defer all MWR
activities, to include onboard and on-line MWR activities, until we sail-on to the Mediterranean
or the Pacific. No one, to include the local merchants and tribal/political leaders, would like
such an outcome. Then again, that pressure from the locals may be just what the doctor ordered.
If they want us to spend our money in UAE instead of Italy or Thailand, maybe they'll find a way
to solve the problem.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1:
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2:
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3:
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4:
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer's default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious and USNS Tenacious, assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address than the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto forward feature, as well as utilizing the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1:
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2:
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3:
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4:
Participant 7
I failed the test!
I read through it all – I believe it is very thorough and realistic – but I am simply not up to date
on current Cyber ROE and DOD policy to comment with meaning.
Participant 8
Scenario Question Set 1
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an Internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore. Reviews of the email logs by shipboard
systems administrators reveal no abnormal indications or suspicious emails. In coordination
with supporting communications stations, their reviews of FORSTRKGRU ships' network
performance reveal no abnormal indications either.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1: Based on the state of tools available to systems administrators and the NetSA
capabilities, their responses are likely. If the operational degradation is noticeable over a
moderate or long period of time or seen across several ships, there would be additional analysis
that the N6 would direct to suspect potential rootkits or some other malware or operational issue
at a common network support location that supports the ships, such as a Fleet Network
Operations Center. If other information is correlated, a likely measure would be to remove those
workstations to see if the conditions change and if needed coordinate for analysis with the Navy
Cyber Defense Operations Command.
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2: Yes. See above.
Other potential questions:
What other means and methods (tools or procedures) should the network administrators and
computer defense personnel have to assess their network performance (how do they know what
is normal and what is abnormal; “state change”)?
Is a manual review process sufficient in the cyber age? Even if they detect a problem, how do
they know it's not a decoy or just one of many cyber weapons that were emplaced? If there are
multiple vectors, how can they account and react without automated detection and protection
means and methods?
Participant 8
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up to date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en-route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1:
The intelligence indicates an OPSEC breach. The Commanders would assess internal OPSEC
programs, reinforce OPSEC with the crews, and potentially adjust force protection posture.
Unless there were indicators from the prior network reviews, they may not suspect network
exploitation.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: Attack correlates to action which would likely require a diplomatic or military
response. Exploitation is more appropriate to the scenario. Attribution must also be considered.
Q 2-3: The Admiral requests, reporting through US Naval Forces Central Command
(USCENTCOM), in conjunction with FLTUSCYBERCOM and Navy Cyber Defense Operations
Command, a determination on whether the events constitute a cyber-attack. She plans to brief
Commander 5th Fleet on the issue and wants to provide COAs if the events are determined to
constitute a “cyber-attack”. How would you advise the Admiral? Please also explain why
preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3:
Advising the Commander would include current status of what is known relative to network
defense status, would include recommendations to adjust the CSG’s cyber defense posture
(INFOCON), and would detail what would be reported to the Fleet Commander and NCDOC.
Also reinforcing OPSEC measures would be discussed. COAs would consider the most likely to
the most dangerous aspects of a potential adversary's behavior. COA analysis would be useful as
there may be related indicators or actions to derive an adversary's intent on future actions.
Participant 8
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50 Kilobyte emails from multiple users within the CSG to a
single shore based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, NAVCENT/C5F, U.S. Fleet Forces
(USFF), Navy Network Warfare Command (NNWC), Commander 10th Fleet (C10F), NCDOC,
Naval Information Operations Command (NIOC) Maryland, and US Cyber Command
(USCC). Virus and malware scans on servers and hosts throughout the FORSTRKGRU
continue to produce no abnormal findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1: At this point, local measures would be put in place to isolate the clients (if
known) and disconnect. If unknown, email services would be taken offline. However, the
Commander would also have to consider related factors and ensure these actions are coordinated
with supporting cyber commands as the best COA. Additionally, sensitive communications
would be shifted to other methods.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: Network situational awareness and automated detection remain as challenges.
Scalability to counter cyber activity is also a challenge. Training personnel to attain sufficient
expertise is also a concern.
Participant 8
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the 50
Kilobyte emails was identified as a web mail account with an auto forward feature. The auto
forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: Were forces or critical infrastructure disabled, disrupted, or destroyed? No. This
would constitute an exploitation or intelligence collection via breach of the US network.
National leadership would have to determine if such activity could be (or should be) tolerated.
Defensive measures still remain to shun or minimize the impact of this action. What this
scenario gets at is that determination of attribution and intent is important. What are
the consequences of this activity, whether an attack or exploitation? Where is the deterrence and
what constitutes the cyber deterrence? What are the appropriate response actions to take? The
practicum states you are looking at LOAC in the context of cyber operations. Given cyberspace
is a global capability based on interconnecting national and multi-national organizations'
infrastructure, attribution and the maturity of cyber law are important. In many conflicts or
political stress points, hacktivism and cyber activity have risen. There currently are no cyber
treaties of note nor a solid statement or enactment of cyber deterrence. Unless the “attack”
impacts the self-defense of the Strike Group, the Commander is left with only defensive
behavioral and network defense actions.
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: This is akin to spying or eavesdropping, think Cold War. This is a cyber-sensor.
If there were destruction or denial of capability, then it could be considered a cyber-weapon. It
does have a payload but that is a sensor.
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: The aspect of proportionality must be considered. Immediate loss of life or the
ship is not in jeopardy. This event does raise operational risk. There are options to disconnect,
shun or isolate the identified exploitation.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
the Fleet Commander (and by extension CENTCOM and national leaders)? What would
constitute a proportional response in this situation?
Response 4-4: First question is discussed above. The Commander should identify the
operational impact, known facts, and recommended COA. Proportionality could be a demarche,
a comparable exploitation, or some other demonstration to send a strategic message for the
offender to stop their activity or suffer escalation. The scenario raises the conundrum that the
tactical commander is limited in response options and many cyber activities are a strategic issue
given the consequences of attribution, collateral damage, and a tactical response which may
derail operational or strategic actions.
Participant 8
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC NCDOC personnel
reveals that no security patches have been installed since prior to deployment. Additionally, the
manufacturer's default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious and USNS Tenacious, assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC NCDOC analysis also identifies a virus on the supply servers that appears to
interface with the virus affecting CSG email. This interface appears to support data exfiltration
and transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address than the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto forward feature, as well as utilizing the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: If manipulation and disruption are confirmed to be attributed, then this would be
considered an attack. Again the factors of proportionality and self-defense apply.
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: Duplicate question.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: Yes; protection of logistics which is an essential military function. Measures
would be put in place to shun, isolate or deny the attacker access. Alternate methods would be
used to coordinate logistics.
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4: Same as 4-4. The consequences of the attack would have to be more significant
to elicit an escalation in response. Clarity of the situation and misinterpretation come
into play here…meaning misunderstanding of intent could stimulate unintended actions in other
interactions with the adversary (non-cyber interaction).
More useful to Navy and the Fleet would be for the practicum to comment on and support:
What is the definition of a cyber attack?
What cyber action would constitute a non-cyber response by a Commander?
What should the cyber Rules of Engagement be?
How do you implement cyber deterrence?
What capabilities are there to better support detection of exploitation and attacks?
What are the critical thinking skills that must be in place with our NetOps personnel and
CND personnel to detect and deter cyber threats (attacks / exploits)?
Participant 9
Scenario Question Set 1
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1:
No. To make such a decision, one must know what normal looks like. How was 60%
determined? The N6 has not shown that data.
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2:
Yes.
1. Analysis: A review of event logs and HBSS ePO server data is required. Was the network
degradation coincident with the email about Hard Rock? How did the CO/XO/CMC get targeted
for the email?
2. RFI: Have incident reports been made to NCDOC (CTF-1020), or an RFI made from the numbered
fleet to C10F intel?
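Both Participant 8's follow-on questions to Set 1 (how do administrators know what is normal and what is a "state change") and Participant 9's Response 1-1 (how was the 60% determined, and against what baseline) turn on the same point: a "within allotted limits" check and a check against a measured baseline answer different questions. The block below is an added example, not part of the practicum or of any participant's response. The daily outbound volumes, the 80 GB allotment, and the three-sigma / three-consecutive-day rule are constructed assumptions, not Navy data or policy.

```python
"""Baselining outbound traffic to tell a 'state change' from normal growth.

Added example, not part of the practicum. The daily volumes below are
constructed sample data, not measurements from any Navy network.
"""
from statistics import mean, pstdev

# Constructed sample: outbound volume per day (GB) for the 14 days before
# deployment (the baseline window) and the first 21 days of deployment.
BASELINE_GB = [41.2, 39.8, 43.0, 40.5, 42.1, 38.9, 44.3,
               41.7, 40.0, 42.8, 39.5, 43.6, 41.1, 40.9]
DEPLOYED_GB = [42.0, 40.7, 43.9, 41.3, 42.6, 39.4, 41.8,   # week 1: normal
               64.5, 66.2, 65.0, 67.1, 63.8, 66.9, 65.4,   # week 2: ~+60%
               66.0, 64.7, 67.3, 65.8, 66.4, 64.1, 65.9]   # week 3: sustained
ALLOTTED_GB = 80.0  # constructed link allotment; every day stays under it


def baseline_stats(values):
    """Mean and population standard deviation of the pre-deployment window."""
    return mean(values), pstdev(values)


def within_allotment(values, cap):
    """The N6's test in the scenario: does any day exceed the allotted bandwidth?"""
    return all(v <= cap for v in values)


def state_change(values, mu, sigma, k=3.0, min_run=3):
    """Index of the first day that opens a run of at least min_run days above
    mu + k*sigma, or None if the series never leaves the baseline band.
    Requiring a run (not a single day) filters one-off spikes."""
    threshold = mu + k * sigma
    run = 0
    for i, v in enumerate(values):
        run = run + 1 if v > threshold else 0
        if run == min_run:
            return i - min_run + 1
    return None


def pct_increase(values, mu):
    """Percent change of the mean of `values` relative to the baseline mean."""
    return round((mean(values) / mu - 1.0) * 100, 1)


if __name__ == "__main__":
    mu, sigma = baseline_stats(BASELINE_GB)
    print(f"baseline {mu:.1f} GB/day, sigma {sigma:.1f}")
    # Both tests run on the same data and disagree.
    print("within allotment (N6 test):", within_allotment(DEPLOYED_GB, ALLOTTED_GB))
    onset = state_change(DEPLOYED_GB, mu, sigma)
    print("state change begins on deployment day", onset + 1)
    print("increase since onset vs baseline:", pct_increase(DEPLOYED_GB[onset:], mu), "%")
```

On this constructed data the allotment test passes every day, which is exactly the N6's finding in the scenario, while the baseline test dates the change to the second week of deployment and sizes it at roughly 60%. The baseline window must be captured before the change one is looking for; a baseline taken after the Hard Rock email would absorb the anomaly into "normal".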
Participant 9
Scenario Question Set 2:
On the hundredth day of deployment, FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent and up to date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle-Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en-route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1:
1. The Commander has OPSEC authority to block Facebook access. Has this been done? Why
not?
2. Direct STRKGRU Staff Judge Advocate to review peacetime ROE and make
recommendations to OPS on available maneuver opportunities. This has been critical in my
experience in operations from Korea to pre-GWOT and cannot be overstated. The “Battle JAG”
is an operational requirement.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: See answer to 2-1 Part 2. Operational SJAs are a requirement in this discussion.
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3: As cyber authorities are held well above the STKGRU Commander or 5th Fleet,
this translates into a force protection condition (FPCON) for the STKGRU.
1. Set FPCON to highest level for port visits.
2. Increase network screening/filtering to reduce attack surface available to adversary.
3. Request NAVCENT/C5F nominate appropriate targets to CENTCOM and USCC to protect
the STRKGRU.
Participant 9
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50 Kilobyte emails from multiple users within the CSG to a
single shore based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy
Network Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information
Operations Command (NIOC) Maryland, and US Cyber Command (USCC). Virus and malware
scans on servers and hosts throughout the FORSTRKGRU continue to produce no abnormal
findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1:
1. Continue to reduce attack surface.
2. Coord with NCDOC for block list update.
3. Adjust appropriate ACL for STRKGRU.
4. Use NIOC-N assigned CTN to work HBSS to counter threat.
5. RFI C10F for info and support.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: This question is related to the Distributed Information Operations construct
which does not extend its capabilities afloat, except in very selective and controlled ways (not
STRKGRU). Should the Fleet Commander desire, STRKGRU staffs could be trained to become
“HBSS Jedi” to be able to mitigate and dynamically counter this type of threat.
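The pattern the NCTAMS contractor finds in Scenario Question Set 3 (for both Participant 8 and Participant 9): many internal senders, one shore-based recipient, messages of a near-constant 50 KB, all while signature-based virus scans on the hosts stay clean. That pattern is a fan-in heuristic that can be computed from mail transfer logs alone, with no malware signature. The block below is an added example, not code from the practicum or from any Navy or NCDOC tool. The log format (one summary line per message), the domains and addresses, and the thresholds (three distinct senders, five messages, size variation under 5%) are constructed assumptions.

```python
"""Fan-in / uniform-size heuristic for the mail exfiltration pattern in Set 3.

Added example, not from the practicum. Log lines and addresses are
constructed; the format is a simplified one-line-per-message summary,
not any particular MTA's log format.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<from>[^>]+)> to=<(?P<to>[^>]+)> size=(?P<size>\d+)$"
)

# Constructed sample log: ordinary traffic, a mailing list that several
# people write to (many senders but varied sizes), one inbound message,
# and the exfil pattern: five senders, one webmail drop, ~50 KB each.
SAMPLE_LOG = """\
2012-05-14T03:12:07Z from=<smith@ship.test> to=<mom@home.test> size=8420
2012-05-14T03:15:41Z from=<jones@ship.test> to=<drop@webmail.test> size=51203
2012-05-14T03:20:02Z from=<lee@ship.test> to=<drop@webmail.test> size=51190
2012-05-14T03:33:19Z from=<garcia@ship.test> to=<vendor@merchant.test> size=2310
2012-05-14T04:01:55Z from=<lee@ship.test> to=<allhands@fleetlist.test> size=1800
2012-05-14T04:02:10Z from=<garcia@ship.test> to=<drop@webmail.test> size=51212
2012-05-14T04:40:27Z from=<patel@ship.test> to=<allhands@fleetlist.test> size=16400
2012-05-14T05:05:33Z from=<patel@ship.test> to=<drop@webmail.test> size=51198
2012-05-14T05:06:01Z from=<smith@ship.test> to=<drop@webmail.test> size=51205
2012-05-14T05:30:44Z from=<smith@ship.test> to=<allhands@fleetlist.test> size=950
2012-05-14T06:12:12Z from=<jones@ship.test> to=<drop@webmail.test> size=51187
2012-05-14T06:48:09Z from=<vendor@merchant.test> to=<garcia@ship.test> size=3100
2012-05-14T07:02:36Z from=<lee@ship.test> to=<drop@webmail.test> size=51220
2012-05-14T07:15:50Z from=<garcia@ship.test> to=<drop@webmail.test> size=51201
"""


def parse(log_text):
    """Parse the summary log into dicts; lines that do not match are skipped."""
    msgs = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            msgs.append({"ts": m["ts"], "from": m["from"],
                         "to": m["to"], "size": int(m["size"])})
    return msgs


def is_outbound(msg, internal_domain):
    """Internal sender, external recipient: the only direction exfil takes."""
    return (msg["from"].endswith("@" + internal_domain)
            and not msg["to"].endswith("@" + internal_domain))


def suspicious_recipients(msgs, internal_domain, min_senders=3,
                          min_msgs=5, max_cv=0.05):
    """External addresses that receive many near-identical-size messages
    from many distinct internal senders. Size uniformity is measured as the
    coefficient of variation (std/mean) so the rule is independent of the
    absolute chunk size the malware happens to use."""
    by_rcpt = defaultdict(list)
    for m in msgs:
        if is_outbound(m, internal_domain):
            by_rcpt[m["to"]].append(m)
    flagged = {}
    for rcpt, group in by_rcpt.items():
        sizes = [m["size"] for m in group]
        senders = {m["from"] for m in group}
        mu = mean(sizes)
        cv = pstdev(sizes) / mu if mu else 0.0
        if len(group) >= min_msgs and len(senders) >= min_senders and cv <= max_cv:
            flagged[rcpt] = {"messages": len(group), "senders": len(senders),
                             "mean_size": round(mu), "size_cv": round(cv, 4),
                             "first": group[0]["ts"], "last": group[-1]["ts"]}
    return flagged


if __name__ == "__main__":
    for rcpt, stats in suspicious_recipients(parse(SAMPLE_LOG), "ship.test").items():
        print(rcpt, stats)
```

The mailing list in the sample has three senders but only three messages and a size spread of an order of magnitude, so it is not flagged; the webmail drop is. The flagged address is what Participant 9's Response 3-1 item 2 would hand to NCDOC for the block list, and the 21-day window in the scenario is enough history to add the cadence test the contractor used (bucket the timestamps by hour and correlate with link utilization), which the size and fan-in tests above do not attempt.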
Participant 9
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the 50
Kilobyte emails was identified as a web mail account with an auto forward feature. The auto
forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: Defer to staff SJA, however, this could be seen as intelligence collection activity
and not count as an attack.
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: Defer to staff SJA, however, this could be seen as intelligence collection activity
and not count as an attack.
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: Defer to staff SJA, however, this could be seen as intelligence collection activity
and not count as an attack.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4:
Participant 9
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer's default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious and USNS Tenacious, assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address than the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto forward feature, as well as utilizing the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in differing
nations, and appear to either emanate or terminate with an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: Defer to staff SJA, however, this is an attack in my opinion. Changing records is
different than collecting intelligence.
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: No. While targets may be ripe for tailored response options outside of the GIG,
that remains beyond STRKGRU resources.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: Certainly can protect itself (firewalls and filtering), but who do they return fire
at?
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4: Work to nominate TRO via targeting input to C5F. The rest is beyond the
STRKGRU.
Participant 10
Scenario Question Set 1:
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1: The assessment is unsatisfactory based solely on the observations of activity being
within the acceptable ranges – even if these were historically predictable upticks in activity. A
purely quantitative approach is not appropriate for threat discovery in this instance. N6 would
need to better understand the types, purposes, and destinations of the traffic and the specific
processes that are leveraging additional demand on the system.
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2: Yes; given the nature of the research on the threat, N6 should notify
FLEETCYBER of the incident to augment the information assurance measures already taken.
FLEETCYBER could provide additional capacity and capability from national repositories.
Participant 10
Scenario Question Set 2:
On the hundredth day of deployment, the FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all-source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent, up-to-date
photographs of crew members and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1: The CSG commander should immediately work with FLEETCYBER to
coordinate protective actions for his sailors and their families with NCIJTF. FLEETCYBER
could also provide national level capabilities to investigate and mitigate this threat. NCIJTF can
leverage INTERPOL and bi-lateral law-enforcement relationships to address the website. If the
CSG Commander feels this activity represents an imminent danger to his sailors and their
families, he is obligated to notify the 5th fleet commander so that they and CDRUSCENTCOM
can advocate for potential military options.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: First, the Admiral bears the ultimate responsibility for the health and welfare of
sailors under his command. If, when presented with the evidence, the Admiral feels this website
represents an imminent threat to his forces and their families sponsored by a foreign power, he is
obligated to notify the 5th fleet commander so that they and CDRUSCENTCOM can advocate
for potential military options. However, absent those conditions, this activity is criminal and
FLEETCYBER can adjudicate the appropriate whole of government response with NCIJTF.
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3: I would advise the Admiral to develop COAs leveraging naval resources to
protect the families of sailors who have been victims of the activity. Current policy does not
permit the Admiral to take action against adversaries attacking via cyberspace.
Participant 10
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50-kilobyte emails from multiple users within the CSG to a
single shore-based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy
Network Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information
Operations Command (NIOC) Maryland, and US Cyber Command (USCC). Virus and malware
scans on servers and hosts throughout the FORSTRKGRU continue to produce no abnormal
findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1: Immediate engagement with FLEETCYBER and 5th fleet to bring national level
capabilities forward to inspect network. The Admiral should transition to a state of mission
essential communications only within the group until such a time this support can be brought
forward.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: Out of scope of my knowledge for the Navy.
Participant 10
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the
50-kilobyte emails was identified as a web mail account with an auto-forward feature. The
auto-forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: Attribution would have to positively identify the cleric acting as an agent of a
foreign government. Otherwise this is a crime or espionage. However, earlier comments about
the Admiral perceiving a threat to the life of his sailors or their families still apply. Even absent
governmental attribution, a case could be made that an exigent circumstance exists.
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: As the virus does not produce lethal or damaging effects itself, it is not a cyberweapon. Unless national decision makers determine the way in which the information stolen by
the virus was handled caused conditions where lethality or destruction of property was probable,
it is not an armed attack. This would be consistent with current American policy (i.e.
WikiLeaks).
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: No; current policy does not permit Commanders at that level to take actions
outside of US networks in response to cyber threats. The commander does not possess the means
to respond to this threat in a necessary and proportionate way.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4: Assuming national policy makers determined this was an armed attack, national
military or whole-of-government capabilities could be employed to affect the availability of the
information on the internet. Unless lethality or destruction of property is an imminent outcome
of the information’s presence on the internet, the Geographic COCOM commander currently
does not possess the necessary tools to respond in a proportional way.
Participant 10
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer’s default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious, and USNS Tenacious, assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address than the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto-forward feature, as well as the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in different
nations, and appear to either emanate from or terminate at an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: Yes, the adversary has produced a denial/disruption effect which could be
construed to be an attack. This is above and beyond the theft of information.
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: While it may be a cyber-attack, it may not be an armed attack. If the commander
reasonably believes this was the pre-cursor to conflict and not simply an annoyance, it could be
considered an armed attack. However, while digital information was modified, physical property
was not destroyed and the lives of the sailors afloat were not placed in significant risk. Other
forms of non-military action could be used to address this activity with the government of Iran.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: No. There is no imminent threat to life or property.
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4: CENTCOM, as a whole, does not have the appropriate military capability to
respond to this type of attack in a reasonable and proportionate way. A reasonable and
proportionate response would be to employ national military capability or other forms of US
power against those suspected to be involved. CENTCOM can take defensive action by paying
closer attention to their own cyber “security zone.”
Participant 11
Scenario Question Set 1:
A subsequent investigation by the USS Forestall Naval Criminal Investigative Service
(NCIS) agent afloat determines that WeSupportU.com is an internet domain owned by a
Canadian national believed to have pro-Iranian beliefs and whose whereabouts are currently
unknown. Virus scans on all servers throughout the CSG using the most current virus signatures
provided by Space and Naval Warfare Command (SPAWAR) show no known viruses or
malware. The investigation did reveal a 60% increase in network traffic, a significant increase
in email server CPU utilization beginning one week into deployment, and widespread complaints
that applications appear to be running significantly slower. Network analysis indicates
bandwidth utilization remains within allotted limits and there is no detectable increase in disk
space use. The FORSTRKGRU Director of Communications and Networks (N6) concludes that
network volume increases are attributable to normal and expected changes in day-to-day
operations as service members adapt to a deployed battle rhythm. The degradation in application
performance is also attributed to these adjustments. The increase in email server demand is
judged to coincide with understandable increases commensurate with the completion of weapons
loading and reduced air operations for the transatlantic crossing, allowing service members more
time to correspond with friends and family ashore.
Q 1-1: Given the background and amplifying information above, would you concur with the N6
assessment and why?
Response 1-1: No. Concurrence would be contingent upon understanding on what information
the N6 based his assessment. If he had the ability to conduct extensive packet analysis on
network traffic and to demonstrate how the traffic adhered to historical baselines, then he might
be justified in his conclusion. However, there is enough evidence to warrant further analysis
from external sources. It is unlikely that any Command N6 would “conclude” that the issues
outlined in the scenario are merely due to anticipated deployment rhythms without further
investigation.
Q 1-2: Would you recommend any analysis, notification, or action in addition to or in place of
that discussed above and why?
Response 1-2: The N6 should comply with Navy standard operating procedure and contact their
Computer Network Defense Service Provider (CNDSP), via an alternate network, for support
and request that they notify FLEETCYBER, USCYBERCOM and NSA of their concerns; they
should discuss their theory that the network anomalies are a result of a potential unknown
exploit. Notification should also be made to regional commanders: 5th Fleet Commander,
NAVCENT, and CENTCOM. I would recommend that outbound connections be closely
reviewed for suspicious packets based on destination, type, and duration of the connections.
Participant 11
Scenario Question Set 2:
On the hundredth day of deployment, the FORSTRKGRU Director of Intelligence (N2) is
notified that a significant number of service member and associated family member names have
appeared on an Iranian website. According to all-source intelligence analysis, the site is operated
by an Iranian cleric with strong anti-U.S. views. In addition to names, unit assignments and links
to social media pages are included. These links provide easy access to recent, up-to-date
photographs of crewmembers and liberty activities in the United Arab Emirates (UAE).
Information on European and Middle Eastern merchants known to do business with the US Navy
is also included, in particular a number of merchants who were on board USS Forestall when the
ship was transiting the Mediterranean Sea en route to C5F. The site also prominently displays a
fatwa issued by the site’s operator declaring any individual listed an infidel and calling for
“Jihad” against the individuals, their families and all merchants who support the United States.
Many service members continue to correspond and exchange personal information with
merchants included on the website to facilitate delivery of purchased goods to their homes and
families in the U.S.
Q 2-1: In light of this information, you are asked what subject areas should be of concern to the
CSG Commander and to recommend Courses of Action (COA) for consideration? Please
discuss your reasoning.
Response 2-1: The CSG is clearly being targeted. Mitigation measures should be directed by the
commander – personnel should consider their ship’s unclassified network to be compromised,
discontinue use of social media, use phone instead of data networks when possible, and
strengthen their OPSEC posture. Meetings with merchants should be rescheduled and relocated.
Q 2-2: While briefing the Admiral on your COAs she states that the cleric’s actions constitute a
“cyber-attack” on service members and their families, as well as a number of foreign nationals.
Do you concur with this assessment? Why or why not?
Response 2-2: I would concur that the CSG is being targeted. The definition of cyber-attack is
open for debate – death or serious property damage requirements may not have yet been
satisfied. Is property damage only achieved via denial (i.e. loss of availability)? Does damaging
the integrity of an information system's authentication system cause serious property damage?
Such activity could also easily lead to loss of confidentiality and integrity of information. If one
agrees that obtaining unauthorized access to a system does cause property damage, then one
must agree that such an event is an attack. Based on this logic, the scenario events would
constitute a “cyber-attack.”
Q 2-3: The Admiral requests of US Central Command (USCENTCOM), in conjunction with
USCYBERCOM, a determination on whether the events constitute a cyber-attack. She plans to
brief Commander 5th Fleet on the issue and wants to provide COAs if the events are
determined to constitute a “cyber-attack”. How would you advise the Admiral? Please also
explain why preparing COAs for the cyber-attack contingency is appropriate for the situation.
Response 2-3: COAs should be designed to confuse the adversary. Rather than simply cutting
off network connections, we should seek external support to analyze the situation with all source
intelligence and possibly throttle outbound traffic, inject intermittent errors, and plant false
information. All COAs should involve OPSEC and Information Assurance (IA) training in order
to minimize any further leakage. Any counter-attack options, however, would require external
support and authority.
Preparing COAs for the cyber-attack contingency is appropriate for the situation, since
there are clear indications and warning that FORSTRKGRU systems have been compromised
and the threat is persistent.
Participant 11
Scenario Question Set 3:
Following the previous events, an enterprising contract employee at the Naval Computer
and Telecommunications Area Master Station (NCTAMS) tasked with supporting units in the
C5F AOR learns about the coupon disputes and subsequent investigation from a former
shipmate. Suspicious of emails and changes in network traffic patterns, the contractor employs a
network analysis tool for monitoring and logging traffic emanating from or destined for all units
in FORSTRKGRU. Monitoring and logging is conducted for 21 days, after which traffic
analysis identifies a large number of 50-kilobyte emails from multiple users within the CSG to a
single shore-based email address. All data contained within the emails is encrypted and the
frequency of emails appears to correspond to network utilization. A Naval message outlining the
results of this analysis is distributed to FORSTRKGRU, C5F, U.S. Fleet Forces (USFF), Navy
Network Warfare Command (NNWC), Commander 10th Fleet (C10F), Naval Information
Operations Command (NIOC) Maryland, and US Cyber Command (USCC). Virus and malware
scans on servers and hosts throughout the FORSTRKGRU continue to produce no abnormal
findings.
Q 3-1: After receiving the Naval message, the Admiral asks for your recommendation regarding
appropriate FORSTRKGRU and unit level actions. What would you recommend and why?
Response 3-1: Seek CNDSP / USCC / DISA / NSA support for further investigation. Do not yet
terminate connections to the subject email address. Seek investigation of source of encryption
and whether plain text of the transmissions can be found. Direct heightened OPSEC measures –
including the use of alternate networks when possible.
Q 3-2: In your assessment, do deploying forces have cyber equipment, expertise and associated
authorities and policy to collect data and perform the network analysis discussed above? If not,
then please identify the elements that currently preclude performance of such analysis by
deployed forces.
Response 3-2: Deploying forces only have a minimal capability to collect data and perform
network analysis. External support is available, however. Proper analysis will require broad
teamwork by various stakeholders in regards to the suspicious connections, including:
- Deploying forces: to provide the necessary physical access and local administration
- CNDSP: to provide domain firewalls/IDS knowledge, in coordination with USCC, NSA, and DISA
- USCC: to prioritize attention and exercise its ability to direct actions
- NSA: to conduct SIGINT – extending to crypto analysis and perimeter defenses
- DISA: to bring its NIPRNET hardening capabilities
- Law enforcement: to provide the ability to exercise domestic authorities
- CENTCOM: to provide the ability to correlate activities with other sources and to direct regional actions
Participant 11
Scenario Question Set 4:
Analysis by national level agencies reveals that the FORSTRKGRU appears to be the
victim of a previously undetected virus (zero-day attack) deployed utilizing the fictitious
coupons for the Hard Rock Café. Extensive efforts have also resulted in the ability to decrypt
and read the emails recorded during the 21-day monitoring of FORSTRKGRU network traffic.
The emails contain portions of both personal and official emails from FORSTRKGRU, including
portions of briefing slides and spreadsheet attachments. The single destination address for the
50-kilobyte emails was identified as a web mail account with an auto-forward feature. The
auto-forward feature was configured to delete all incoming email after sending it to an anonymous
email server. An email containing a network beacon sent to the anonymous email server
identified the end recipient as a web mail server in Estonia. Further investigation revealed the
account has only been accessed from Iran by an IP address correlating to a local Internet Service
Provider (ISP) in Tehran. The same ISP hosts the Iranian cleric’s website that calls for “Jihad”
against the U.S. and foreign individuals listed on the site. The ISP is the primary commercial
server for the civilian population in Tehran and is known to provide services to three large
civilian hospitals. All source intelligence also indicates that the cleric has numerous connections
with the government of Iran, and many members of his congregation are confirmed members of
Iran’s Revolutionary Guard.
Q 4-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 4-1: There is no consistent U.S. government or DoD definition of cyber attack. Is
there a need to have clear attribution that the cleric is acting as an agent of the Iranian
government? Can exploitation of someone else’s computer ever be considered defensive? In this
scenario, it seems likely that the employment of a zero-day exploit is designed to exceed
authorized use/access to our network and therefore should be considered a cyber-attack since it
damages FORSTRKGRU property. In cyberspace, there are certain lines that when crossed are a
clear sign of malicious intent. This scenario highlights one of them. If a foreign national
infiltrated illegally into an adversaries’ country, one must consider whether the individual is
there “just to spy” or whether he is there to cause physical damage, conduct an assassination, or
to lay the groundwork for a larger kinetic campaign? Without clear evidence to the contrary, one
must explore the worst possibilities. The same is true in the virtual world and malicious actions
must be taken seriously.
Q 4-2: In your assessment is the virus a cyber-weapon and do the actions conducted against the
FORSTRKGRU constitute an armed attack? Why or why not?
Response 4-2: Since a weapon can be defined as “a means used to defend against or defeat
another,” this virus can be considered a cyber-weapon – a means to defend the Iranian people
against U.S. forces or to defeat U.S forces. In accordance with Article 51 of the Charter of the
United Nations, an armed attack is a crucial trigger to justify a State to launch military operations
against other States. The scenario appears to constitute an armed attack and would justify a
proportional military response in self-defense. As long as it is proportional, then the
ramifications of calling it an “attack” are contained.
Q 4-3: Given the above information, can the FORSTRKGRU leverage any policy or guidance to
invoke rights to self-defense? Why or why not?
Response 4-3: While Article 51 of the Charter of the United Nations addresses a nation’s right to
self-defense, current policy does not permit Commanders at this level to take cyber actions
outside DoD network in response to cyber threats. The Commander does not possess the means
to respond to this threat in a proportionate way.
Q 4-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options, or both are
available to the FORSTRKGRU? What response should the CSG Commander recommend to
CENTCOM and national leaders? What would constitute a proportional response in this
situation?
Response 4-4:
The defensive options available to FORSTRKGRU include requesting focused SIGINT on the
Tehran-based ISP and the Iranian cleric as well as requesting development of a military
deception operation.
The CSG Commander should recommend to CENTCOM and national leaders that we
should take advantage of this discovery to confuse our Iranian adversaries regarding our planned
actions, while at the same time infiltrating Iranian networks in a proportional way.
A proportional response could include targeting of the cleric to discredit him and possibly
others who are supporting him behind the scenes.
Participant 11
Scenario Question Set 5:
While moored in Piraeus, the USS Forestall supply officer (SUPPO) is notified that 72
pallets of bottled water which had been requested to augment ship’s stores would not be
delivered with the next scheduled supply shipment. The SUPPO notifies the CO and
FORSTRKGRU that no additional bottled water had been ordered. Supply records onboard
indicate that no order for bottled water was ever submitted. The records of shore-based supply
facilities supporting FORSTRKGRU indicate an order was submitted via the normal electronic
ordering process and that all supporting documentation appears to have come from authorized
ship’s personnel. A subsequent cyber security analysis conducted by USCC personnel reveals
that no security patches have been installed since prior to deployment. Additionally, the
manufacturer’s default SYSADMIN password for the supply software was not changed following
the most recent upgrade. An examination of other FORSTRKGRU units reveals an identical
condition on two additional CSG units and a USNS vessel. After auditing supply order records
for accuracy, USS Relentless, USS Audacious, and USNS Tenacious, assigned to the
FORSTRKGRU, report an unexplained cancellation of orders for small-arms ammunition
needed after numerous weapons qualification sessions.
The USCC analysis also identifies a virus on the supply servers that appears to interface
with the virus affecting CSG email. This interface appears to support data exfiltration and
transmission of accurate information relating to CSG movements and schedules. Further
analysis reveals that the resulting emails contain a different source/destination address than the
address previously identified for the CSG virus. The supply virus appears to utilize the same
initial address with the auto-forward feature, as well as the same subsequent anonymous
email server. At the anonymous email server the supply signals appear to be routed differently
than other traffic. These supply signals traverse a number of additional servers, all in different
nations, and appear to either emanate from or terminate at an IP address identified as belonging to
the Iranian embassy in London, U.K.
Q 5-1: In your assessment do the above actions constitute a cyber-attack? Why or why not?
Response 5-1: Yes; this is a coordinated action that clarifies the adversary’s intentions of
producing denial of information effects against a military target.
Q 5-2: In your assessment do the actions conducted against the FORSTRKGRU constitute an
armed attack? Why or why not?
Response 5-2: This is an armed attack within the cyberspace domain, in accordance with the
answer to Q 4-2 above. Since the commander reasonably believes this was the pre-cursor to
conflict and not simply an annoyance, it could be considered an armed attack. Digital
information was modified, despite the fact that physical property was not destroyed and the lives
of the sailors afloat were not placed in significant risk. Other forms of non-military action could
be used to address this activity with the government of Iran.
Q 5-3: Given the above information, can FORSTRKGRU invoke any rights to self-defense?
Why or why not?
Response 5-3: Yes; FORSTRKGRU can invoke its right to self-defense, but any response must
be proportional and necessary to mitigate the risk to life or property.
Q 5-4: Assuming the FORSTRKGRU Commander is convinced that the actions perpetrated
against the CSG constitute an armed attack, what counter attack, defensive options or both are
available to the FORSTRKGRU? What response should the Admiral recommend to CENTCOM
and national leaders? What would constitute a proportional response in this situation?
Response 5-4:
Available defensive options are limited to manipulation of adversary connections and
information being exfiltrated. Counter attack options include coordination for further external
action by offensive cyber capabilities of the United States.
The Admiral should recommend to CENTCOM development of phased responses that
initially confuses, but then convinces Iranian authorities of the fruitlessness of their cyber
adventures.
Actions should be limited to those that create effects within cyberspace and/or the minds
of those perpetrating these actions against the United States. Furthermore, our response actions
should not cause broad denial effects upon the Iranians within cyberspace, but should
demonstrate our ability to gain access and perform similar clandestine operations.
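In the Scenario Question Set 5 text above, the forged bottled-water order and the cancelled ammunition orders pass every check the shore system can make, because the supply software's default SYSADMIN password lets the intruder produce records that look like they came from authorized ship's personnel. What surfaces them is the audit the scenario describes: reconciling the ship's own submission ledger against what the shore facilities received. The script below is an added example for this page, not code from the report or from any Navy supply system; the record layout, order numbers, item names and account names are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OrderEvent:
    """One ledger entry. Layout is an assumption for this example."""
    order_id: str
    action: str        # "submit" or "cancel"
    item: str
    quantity: int
    submitted_by: str  # account the record claims originated it


def reconcile(onboard, shore, authorized_accounts):
    """Compare the shore-side ledger against the ship's own ledger.

    A shore record with no matching onboard (order_id, action) was never
    issued by the ship; a matched record whose item or quantity differs was
    altered after submission. credential_passed lists the unmatched records
    that nonetheless carry an authorized account name, i.e. the cases where
    authentication alone gave no warning.
    """
    onboard_by_key = {(e.order_id, e.action): e for e in onboard}
    findings = {
        "unmatched_submissions": [],
        "unmatched_cancellations": [],
        "altered_orders": [],
        "credential_passed": [],
    }
    for ev in shore:
        local = onboard_by_key.get((ev.order_id, ev.action))
        if local is None:
            bucket = "unmatched_submissions" if ev.action == "submit" else "unmatched_cancellations"
            findings[bucket].append(ev)
            if ev.submitted_by in authorized_accounts:
                findings["credential_passed"].append(ev)
        elif (local.item, local.quantity) != (ev.item, ev.quantity):
            findings["altered_orders"].append((local, ev))
    return findings


# Constructed sample ledgers. The ship submitted three orders; the shore side
# additionally holds a water order the ship never placed, a cancellation of the
# ammunition order the ship never sent, and a medical order whose quantity was
# changed in transit. Every forged record names a genuine ship account.
ONBOARD_LEDGER = [
    OrderEvent("ORD-1001", "submit", "fresh produce, cases", 40, "suppo"),
    OrderEvent("ORD-1002", "submit", "5.56mm ammunition, cases", 12, "gunner"),
    OrderEvent("ORD-1003", "submit", "medical supplies, kits", 10, "medical"),
]
SHORE_LEDGER = [
    OrderEvent("ORD-1001", "submit", "fresh produce, cases", 40, "suppo"),
    OrderEvent("ORD-2207", "submit", "bottled water, pallets", 72, "suppo"),
    OrderEvent("ORD-1002", "submit", "5.56mm ammunition, cases", 12, "gunner"),
    OrderEvent("ORD-1002", "cancel", "5.56mm ammunition, cases", 12, "gunner"),
    OrderEvent("ORD-1003", "submit", "medical supplies, kits", 1, "medical"),
]
AUTHORIZED_ACCOUNTS = {"suppo", "gunner", "medical"}  # hypothetical account names


def run_sample():
    """Reconcile the constructed ledgers and return the findings."""
    return reconcile(ONBOARD_LEDGER, SHORE_LEDGER, AUTHORIZED_ACCOUNTS)


if __name__ == "__main__":
    f = run_sample()
    for ev in f["unmatched_submissions"]:
        print(f"never submitted by ship: {ev.order_id} {ev.item} x{ev.quantity}")
    for ev in f["unmatched_cancellations"]:
        print(f"cancellation not issued by ship: {ev.order_id}")
    for local, remote in f["altered_orders"]:
        print(f"altered in transit: {local.order_id} {local.quantity} -> {remote.quantity}")
    print(f"{len(f['credential_passed'])} forged records carried a valid account name")
```

The design point is that the onboard ledger is the independent record: it must be kept on a system the supply server cannot write to, or an intruder with the server's admin credential would simply forge both sides. The `credential_passed` bucket makes visible why the scenario's "all supporting documentation appears to have come from authorized ship's personnel" is not reassuring once a default password is in play.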