
Cyber Commanders’ Handbook

Copyright © 2020 by NATO Cooperative Cyber Defence Centre of Excellence.
All rights reserved.

ISBN (print): 978-9949-9904-8-1
ISBN (pdf): 978-9949-9904-9-8

Copyright and Reprint Permissions

No part of this publication may be reprinted, reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise, without the prior written permission of the NATO
Cooperative Cyber Defence Centre of Excellence ([email protected]).

This restriction does not apply to making digital or hard copies of this publication for
internal use within NATO, or for personal or educational use when for non-profit or
non-commercial purposes, providing that copies bear this notice and a full citation on
the first page as follows:

Cyber Commanders’ Handbook
A. Dalmijn, V. Banse, L. Lumiste, J. Teixeira, A. Balci (Eds.)
2020 © NATO CCDCOE Publications

NATO CCDCOE Publications
Filtri tee 12, 10132 Tallinn, Estonia
Phone: +372 717 6800
Fax: +372 717 6308
E-mail: [email protected]
Web: www.ccdcoe.org

LEGAL NOTICE: This publication is a product of the NATO Cooperative Cyber Defence
Centre of Excellence (NATO CCDCOE). It does not necessarily reflect the policy or the
opinion of the NATO CCDCOE or NATO. The NATO CCDCOE may not be held responsible
for any loss or harm arising from the use of information contained in this publication
and is not responsible for the content of the external sources, including external
websites referenced in this publication.

CONTENTS

FOREWORD 5
Executive Summary 7
1. INTRODUCTION 9
1.1. Scope 9
1.2. Development Process 9
1.3. Target Audience 9
1.4. Purpose 9
1.5. Content 10
1.6. Application 10
1.7. Definitions and Descriptions 10
2. CONTEXT 11
2.1. Strategic View 11
2.2. Cyberspace 13
2.2.1. The nature of cyberspace 13
2.2.2. Cyberspace as a domain 14
2.2.3. Cyberspace zones 17
2.2.4. The threat landscape 18
2.3. Opportunities and Challenges 20
2.3.1. Opportunities 20
2.3.2. Challenges and limitations 20
3. CYBERSPACE OPERATIONS: ROLES AND RESPONSIBILITIES 24
3.1. Introduction 24
3.2. Mission, Vision & Mandate 26
3.3. Reference Cyber Command Structure 26
3.3.1 Cyber manoeuvre element 27
3.3.2 Cyber support element 29
3.4. Staff Integration 29
3.5. Limitations 30
3.6. Assumptions 30
3.7. Tasks 30
4. CYBERSPACE OPERATIONS: CORE ACTIVITIES 31
4.1. Introduction 31
4.2 Cyberspace Operations Framework 31
4.2.1 CIS Infrastructure Operations (CISIO) 32
4.2.2 Cyberspace ISR Operations (CISRO) 33
4.2.3 Defensive Cyberspace Operations (DCO) 34
4.2.4 Offensive Cyberspace Operations (OCO) 35
4.3 Cyberspace Activities Catalogue 36
4.4 Synchronisation 37
4.4.1 Maturity 37
4.4.2 Joint targeting process 37
4.4.3 Electronic warfare 37
4.4.4 Sovereign Cyber Effects provided voluntarily by Allies (SCEPVA) 37
4.5 Legal considerations related to different operations 38
4.5.1 Legal basis 38
4.5.2 Law governing operations 38
4.5.3 Targeting 39
4.5.4 Rules of Engagement 39
5. CYBERSPACE OPERATIONS: PLANNING, COORDINATION, EXECUTION & ASSESSMENT 41
5.1 Pre-requisites 41
5.1.1 Political & Strategic Pre-requisites 41
5.1.2 Phase zero operations 41
5.1.3 Technical pre-requisites 42
5.2 Planning 42
5.2.1 COPD 42
5.2.2 Planning 43
5.2.3 Considerations 43
5.3 Coordination and Cooperation 46
5.4 Assessment 48
5.4.1 Considerations of targeting cycle 50
6. RECOMMENDATIONS & BEST PRACTICES 52
6.1. Recommendations 52
6.1.1 Standard Operating Procedures 52
6.2. Future research 52
6.2.1. Artificial intelligence 52
6.2.2. Standardisation and diversification 52
ANNEX A Definitions 53
ANNEX B References 56
ANNEX C Cyber Collateral Effects Estimate Process 58
ANNEX D Positive Identification 66
ANNEX E Functional areas and special advisors – cyber-specific tasks 68
Document Information

Project lead:
• LTC Arthur Dalmijn, Law Branch, CCDCOE

Project team:
• LTC Vincent Banse, Strategy Branch, CCDCOE
• LTC José Teixeira, Operations Branch, CCDCOE
• Ahmet Balci, Technology Branch, CCDCOE
• Liina Lumiste, Law Branch, CCDCOE

Contributors and editors:


• COL Gernot Schwierz, Austrian Armed Forces
• LTC Arthur Dalmijn, Law Branch, CCDCOE
• LTC Vincent Banse, Strategy Branch, CCDCOE
• LTC Nestor Ganuza, Joint Cyber-Defence Command, Spain
• LTC Glenn D. Garay, Cyberspace Strategic Plans and Policy, SHAPE
• LTC Nicola Grammatico, Inter-force command for
cybernetic operations, Italy
• LTC Wolfram Christian Hoffmann, Cyber and Information
Domain Service, Germany
• LTC Vasco Marques Prates, Portuguese Naval Staff, Portugal
• LTC José Teixeira, Operations Branch, CCDCOE
• MAJ Geert Alberghs, Cyber directorate of the Armed Forces, Belgium
• MAJ Massine Sadat, Cyber directorate of the Armed Forces, Belgium
• MAJ Daniel Betik, National Cyber Operations Center, Czech Republic
• MAJ Szymon Gabrys, Ministry of National Defence of Poland, Poland
• MAJ Cristian Zec, Austrian Armed Forces
• CAPT Anne Laubacher, Le Commandement de la cyberdéfense, France
• Ahmet Balci, Technology Branch, CCDCOE
• Sander van Dorst, Cyber Warfare and Training Centre, Netherlands
• Daniel Gustoskie, Joint Force Cyber Component Commander,
Department of National Defence, Canada
• Liina Lumiste, Law Branch, CCDCOE
• Piret Pernik, Strategy Branch, CCDCOE

Authorised by: Director CCDCOE, COL Jaak Tarien
Release date: May 2020
Version 1.0

The publication is a product of the NATO Cooperative Cyber Defence Centre of
Excellence (NATO CCDCOE). The CCDCOE does not speak on behalf of NATO and
the research done in the Centre does not necessarily reflect the policy or the opinion
of NATO nor the CCDCOE member nations.

FOREWORD

Cyberspace is NATO’s newest operational domain and it will present the Alliance
with both significant opportunities and significant challenges in the years ahead. This
domain will require the Alliance to present a range of capabilities and forces – both
defensive and offensive – for the conduct of a full spectrum of cyber operations, all
of which must be executed within a strong legal framework and significant political
oversight. The ability to achieve mission outcomes and operate successfully in this
new arena will be increasingly important to NATO.

This Handbook is intended to assist Commanders (and by extension their staffs and
subordinate organisations) who are tasked with leading organisations that are focused
on operations in cyberspace. It represents an initial effort to characterise, from the
perspective of a Commander, the planning, coordination, execution and assessment of
cyber operations. It does not address the “how” of those cyber operations but rather
focuses on the “what” and “why” of those duties.

Your understanding of the broader context in which you and your command conduct
its cyber operations will be critical to your effectiveness. You will likely operate as
one element of a broader effort or strategy on the part of NATO, and understanding
those broader efforts will be critical to achieving the desired success – for you and
for your broader set of partners in NATO. You must execute your activities while
supporting those efforts, not disrupting them.

Cyberspace is a challenging environment for any commander, let alone an entire
warfighting organisation. Both the Commander and the broader team that he or she
directs must at times be able to operate simultaneously in supported or supporting
roles; and to do so from peacetime to crisis and on to conflict. That is easier said than
done and, like any military activity, at the strategic and operational levels it is almost
as much art as it is science.

Speed is another significant challenge for you as a Commander – it is a key aspect
of most activity in this domain and you must align your organisational structure and
processes accordingly if you are to operate successfully within it. That speed is also
reflected in the pace of change inherent in the world of cyber as its underpinning
technology and infrastructure continually evolve. You must anticipate those changes
and develop and execute organisational structures, methodologies and concepts of
operations that account for the dynamics of this environment.

Finally, great journeys often begin with small steps. NATO’s efforts in this operational
domain represent such a journey. This Handbook is one of those small steps and it
will help to power the Alliance’s efforts as it progresses with its work in cyberspace.
It combines opinions from leading experts who provide an interdisciplinary take on
a Cyber Command’s vision, mission and core tasks. But never forget that it is a point
of departure – not an end state. You, as a Commander or practitioner, must be the
ultimate driver of that journey. I urge all who read this and who plan or execute cyber
operations or cyber policy to share their insights, experiences and perspectives with
each other and with CCDCOE as it continues to refine and, over time, expand this
Handbook. The Handbook must be a living document that represents the knowledge
and insights gained through hard experience by both practitioners and policy.

Admiral Michael S. Rogers, USN (ret)
Commander, United States Cyber Command 2014-2018

Executive Summary

This Handbook provides guidelines to support the planning, coordination, execution
and assessment of cyber operations. It gives the overall contexts in which a Cyber
Commander needs to operate, and introduces the roles, responsibilities and core
activities of a Cyber Command. The Cyber Commanders’ Handbook is a product of
coordinated team efforts by the NATO CCDCOE and national cyber defence experts.

The rapid evolution of cyber capabilities has opened new doors to influence and
coercion. State and non-state actors abuse cyberspace in order to weaken democratic
institutions and gain economic, diplomatic and military advantages. Cyber attacks
are becoming both more common and more complex. Furthermore, cyber attacks are
continuously fine-tuned so that they do not reach the threshold of an armed attack,
leaving the targeted state perplexed. Cyberspace has many specific characteristics: it
has no time or geographic dependency; guaranteed control is considered unreachable;
no offensive or defensive actions and/or capabilities remain indefinitely effective; no
advantage is permanent. What is more, no nation can claim sovereignty over cyberspace.
Instead, there is sovereign equality among nations. Sovereignty remains over physical
assets, individuals and territory. These features create several challenges, such as the
complexity of attribution or the conflict between time-consuming preparations and a
quickly changing threat landscape. They also create opportunities, such as distribution
of force, economisation of costs and potentially instant effects.

The difference between cyberspace operations and operations in other domains is that,
in general, cyberspace operations can be conducted also in peacetime. Considering
all the aspects and layers of cyberspace, it is clear that management of any operation
includes several actors. Although the implementation of roles and responsibilities in
cyberspace operations will always differ from one nation to another, in general those
roles and responsibilities have important common traits. Based on these common
traits, the Handbook gives an overview of the general division of responsibilities at
the national level and provides a Cyber Command’s generic modular structure.

Cyberspace operations in general enhance a nation’s ability to act as a sovereign state
in peacetime and to achieve military advantage in times of conflict. The Handbook
provides a framework of cyberspace operations.

In comparison with traditional operational planning, cyberspace operations require
extensive preparation prior to starting military mission planning. There are also other
specifics in the planning process, such as authorisation processes, timelines, targeting
and effects, that need some extra consideration due to the character of cyberspace.

Due to the complexity and the fact that cyberspace does not acknowledge state
borders, national and international cooperation gains special importance in cyber
operations. These are only a few of the aspects that a Cyber Commander must take
into consideration.

This Handbook will help Cyber Commanders to command cyber operations efficiently
and avoid stumbling blocks that may be encountered due to the specifics of cyberspace.
In addition, this material aims to facilitate the overall awareness and understanding
of the Cyber Commander’s staff regarding the conduct of cyber operations as a
comprehensive process.

1. Introduction
1.1. Scope

This publication is an initiative of the NATO Cooperative Cyber Defence Centre of
Excellence. As such, it provides an expert vision to support the assessment, planning,
and execution of cyberspace operations. In a forthcoming version there will be a set of
best practices for different scenarios, taking into consideration desired strategic goals,
operational (battlefield) effects, legal implications and technical feasibilities.

1.2. Development Process

The aim of the project was to integrate the strategic, operational, technical and legal
issues into a practical guide for national Cyber Commands. For this purpose, the
Cyber Commanders’ Handbook has been developed in close cooperation with experts
from national Cyber Commands and other relevant national and NATO entities. The
concept, structure and contents of the Handbook were developed through several
workshops and written submissions. The process was planned to obtain expert insight,
best practices and real-life lessons learned by the contributing nations in order to
ensure that the Handbook would be relevant and would address the needs of its target
audience. The final version of the Handbook was coordinated with all contributors,
capturing their feedback and comments.

The Handbook is the first of its kind and reflects the evolving state of national
commands, doctrine, operations, and the rapidly evolving nature of cyberspace. The
existence of different national approaches on how to structure organisations forced the
authors to set the environment by creating, framing and establishing the relations of a
generic Cyber Command that will be the basis for all the following chapters.

1.3. Target Audience

The primary target audience for the Cyber Commanders’ Handbook is the national
Cyber Commander and staff.

1.4. Purpose

The aim of the Handbook is to provide guidance to support Cyber Commands in
military operations, and it sets out considerations and examples for collaboration
and cooperation with other organisations. This publication will not cover capability
building and issues already covered in other publications, such as the Comprehensive
Operations Planning Directive (COPD) or the AJP-3.20 Cyberspace Operations
Doctrine. It highlights cyber-specific issues.

Due to the lack of common understanding and/or a comprehensive overview of what
a Cyber Command is about, this Handbook will give a generic explanation. The
Handbook will provide the “whats & whys”, but not the “hows” as such.

1.5. Content

The Handbook is divided into six chapters, covering the most important aspects of
preparing and conducting cyber operations. After giving an overview of the Handbook’s
scope, target audience and purpose in the first chapter, the overall context of cyber
operations is introduced in Chapter 2. The chapter introduces the features of cyberspace
as a domain for operations and focuses on the opportunities and challenges inherent
to it. The third chapter describes different actors and their roles and responsibilities
in cyberspace operations. Furthermore, this chapter introduces a possible model for a
Cyber Command Structure and Cyber Manoeuvre elements. In the next chapter, the
Handbook goes into depth regarding four types of cyber operations: Communication
and Information Systems Infrastructure Operations (CISIO); Cyberspace Intelligence,
Surveillance and Reconnaissance Operations (CISRO); Defensive Cyber Operations
(DCO); and Offensive Cyber Operations (OCO). In addition to describing different
operations, the fourth chapter includes considerations of synchronisation and
legal matters. The fifth chapter covers different stages of an operation - planning,
coordination, execution and assessment – and provides pre-requisites for a cyber
operation. In the last chapter, the Handbook provides some extra recommendations
and looks into the future by discussing some trends that may have effects on the way
in which cyber operations are conducted in coming years.

1.6. Application

This publication is non-authoritative and is applicable to both peacetime and conflict
situations.

1.7. Definitions and Descriptions

To be able to discuss and/or explain aspects of cyber operations, descriptions and
definitions must be understood unambiguously. Because there is no complete set
of agreed definitions available, this Handbook uses the already accepted NATO
definitions and wherever necessary adds “working definitions”1.

1 In order to support the implementation of cyberspace as a domain of operations, the terms and definitions
in Annexe A shall be used as working definitions in the context of development of the Cyber Commanders’
Handbook until NATO-agreed definitions become available.

2. Context
2.1. Strategic View

Global security depends on international stability and global prosperity. The fast-paced
development and spread of technology and communications have enabled new means
of influence and coercion. Adversaries continuously operate below the threshold of
armed conflict. Extending one’s influence without resorting to physical action is the
“new normal”. It is possible to provoke and intimidate citizens and organisations without
fear of legal or military consequences. The constraints under which the NATO member
nations have chosen to operate in cyberspace, which include adoption of a traditionally
high threshold for response to adversarial activity, are well known. This insight may be
used to exploit our dependencies and vulnerabilities in cyberspace; indeed, our systems,
processes and values can be used against us. The aims of these actions include weakening
our democratic institutions and gaining economic, diplomatic and military advantages.

“The new normal: adversaries operate continuously below the threshold of armed
conflict to weaken our institutions and gain strategic advantages.” (Command Vision
for US Cyber Command)

NATO and national networks face a broad range of threats, including advanced and
persistent threats that can evade commercially available detection tools and defeat
generic security measures. Cyber attacks2 are becoming more intense and complex.
They reflect an increasing level of sophistication, as demonstrated, for example, by
advanced persistent threat activity. This environment of menace is of a global nature,
transcending geographic boundaries and characterised by the emerging development
of offensive cyber capabilities that are now an inherent part of conflicts. State and
non-state actors target government and private-sector information networks to gain
competitive advantages that promote their particular interests. Non-state actors use
cyberspace to target Allies. Criminal elements continue to show growing sophistication
in technical capability and targeting, and today operate a pervasive online service
economy in illicit cyber capabilities and services that is available to anyone willing
to pay.

2 See definition in Annexe A.

NATO considers that ensuring our common defence and security is the ultimate
objective to be sustained by its core activities, and that large-scale or irregular armed
conflict or hybrid war is an undesirable aspect of international relations. We are
living in a world of competition and conflict, in which our adversaries are positioning
their other elements of power (political/social, diplomatic and economic) in such a
way that they have a clear advantage over us. One thing is certain - if the way we
position ourselves before any existing conflict does not grant us freedom of movement
and sometimes information superiority, we may not be able to survive. We must
understand that our tendency to clearly divide areas of expertise such as cyberspace,
electronic warfare, signals intelligence etc., and treat them separately may prevent us
from having a broader view and realising that we are being shaped by the adversary’s
intent.

During the Wales Summit in 2014, it was recognised that cyber defence was part of
NATO’s core task of collective defence. NATO announced after the Warsaw Summit
in 2016 that cyber attacks presented a clear challenge to the security of the Alliance
and could be as harmful to modern societies as conventional attacks. Additionally,
NATO stressed its defensive mandate, and its recognition of cyberspace as a domain
of operations in which the Alliance must defend itself as effectively as it does in the
air, on land and at sea. The latest developments during the Brussels Summit showed
that NATO had agreed how to integrate sovereign cyber effects provided voluntarily
by Allies (SCEPVA) into Alliance operations and missions, in the framework of strong
political oversight. Reaffirming NATO’s defensive mandate, nations were determined
to employ the full range of capabilities, including cyber, to deter, defend against, and
to counter the full spectrum of cyber threats.

Countries have been developing cyber forces in an ongoing process for several
decades; most nations have established or are in the process of establishing a Cyber
Command. Even though this process started with a focus on defensive capabilities,
some NATO countries have publicly announced that they are in “the process” of
developing offensive cyberspace capabilities.

A set of basic principles and guidelines needs to be provided in order to operate as a
Cyber Command that can execute its mission, tasks and responsibilities. Political
guidelines and authorisation, strategic guidelines, chains of command, organisational
set-ups, (inter)national deployments, roles and responsibilities, and the key functions
(offensive, defensive and intelligence, surveillance and reconnaissance (ISR)) of
military cyberspace forces are essential.

“The essence of strategy is choosing what not to do.” (Michael Porter)

2.2. Cyberspace

2.2.1. The nature of cyberspace3

Cyberspace at its core consists of, but is not limited to, a computerised environment,
artificially constructed and constantly under development. Cyberspace infrastructure
is largely globally interconnected. However, geographic boundaries do apply in the
context of jurisdiction, which is a national responsibility. This is why the assignment of
the classic area of operation (AOO) in cyberspace is particularly difficult. Cyberspace
is not only in constant flux but, more importantly, it may be used by anyone for almost
any purpose. Cyberspace is also distinct in that its underlying physical elements are
entirely human-made, which is different from the land, maritime and air domains.
Risks and vulnerabilities in cyberspace may be managed and mitigated through
manipulation of the domain itself.

FIGURE 1: THE THREE LAYERS OF CYBERSPACE

3. Cyber-persona layer

2. Logical layer

1. Physical layer

Cyberspace can be described in terms of three layers: physical, logical and cyber-persona
layers, as shown in Figure 1. Conduct of cyberspace operations always
involves the logical layer, but may also include activities or elements in the other
two layers. The desired effects of cyberspace operations may exist in all layers or
ultimately outside cyberspace. Activities outside cyberspace that affect cyberspace
are not considered cyberspace operations (e.g., dropping a bomb on communication
information systems (CIS) infrastructure).

3 This chapter is based on Allied Joint Doctrine for Cyberspace Operations AJP 3-20.

Entities in the physical layer, i.e. hardware components, have a geographical location.
The components in this layer include computers, servers, routers, hubs, switches,
wiring and other equipment crucial to data storage, processing and transmission.
It also includes the integrated information and communication technology (ICT)
components of other equipment or systems such as digital sensors, weapons systems,
C2 systems and critical infrastructure. Although the logical and cyber-persona layers
have no geographical borders, the actual position of hardware components is relevant
with regard to jurisdiction.

Entities in the logical layer are elements that are manifested in code or data, such
as firmware, operating systems, protocols, applications, and other software and
data components. The logical layer cannot function without the physical layer,
since information flows through wired networks or the electromagnetic spectrum
(EMS). The logical layer, along with the physical layer, allows the cyber-persona to
communicate and act.

The cyber-persona layer does not consist of real persons or organisations but
representations of their virtual identities. A virtual identity can be an email address,
user-identification, a social media account or an alias. Consequently, one person or
one organisation can have multiple cyber-personas. Conversely, multiple people or
organisations can also create a single, shared cyber-persona. These cyber-personas
form the third layer.

2.2.2. Cyberspace as a domain

Cyberspace is a fluid environment of constant contact and shifting terrain. New
vulnerabilities and opportunities continually arise as the terrain changes. Targets are
in motion; no offensive or defensive capability remains effective indefinitely and no
advantage is permanent. Well-defended cyber terrain is attainable but is continuously
at risk. Adversary offensive activities persist because opportunity costs are low, and
accesses, platforms and payloads can remain useful for extended periods.4

The underlying technologies and protocols of cyberspace enable both legitimate
and malicious activities. Adversaries exploit and weaponise vulnerabilities to steal
wealth and intellectual property, manipulate information, and create malicious
software capable of disrupting or destroying systems. The constant innovation of
disruptive technologies offers all actors fresh opportunities for exploitation. In this
dynamic environment, nations must increase their resilience, defend in depth, demand
security by design and persistently contest malicious cyberspace actors to generate
continuous tactical, operational, and strategic advantages. Nations and organisations
should operate on the assumption that adversaries have already successfully infiltrated
their systems. We achieve success by seizing the initiative, retaining momentum, and
disrupting our adversaries’ freedom of action.5

4 United States Cyber Command (April 2018) Achieve and maintain cyberspace superiority. Available
at: https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010

Although the details of the principle of sovereignty in relation to cyberspace are still
discussed among nations, some parts of this principle seem to be settled: no nation
can claim overall sovereignty over cyberspace; there is sovereign equality among
the nations; and sovereignty includes exclusive authority over territory, individuals
and physical assets. In the cyber context this means that sovereign control can only
be exercised over (physical) cyber infrastructure that is located within the borders of
a nation.

One of the big challenges to the understanding of cyberspace and cyberspace operations
as a domain of military operations is the identification of the role and capabilities of
this domain compared with those of the other traditional domains. Understanding
when activities within or through cyberspace can be and are conducted, and for what
reason they are conducted, will help to integrate cyberspace in the overall process
of planning and leading military operations. In general, the traditional military
operational domains are used from the beginning to the end of a crisis – from the first
phase of a crisis to the end of an armed conflict. In contrast, operations in cyberspace
can be, are and will be planned and conducted at any phase of a crisis development
roadmap, including the peacetime phase. Therefore, cyberspace demarcates itself
from the traditional domains and provides any actor, from military organisations to a
single individual, with an opportunity to act.

Because cyberspace operations may be used, or cyberspace events may have to be faced,
at any time and at any place, indications and conclusions can be drawn from any such
activity, analysed, and used by a nation’s own or allied intelligence services. Increases
in the number of events in cyberspace can help to indicate potential threats and risks,
which can lie within, but are not limited to, the activity spectrum between intelligence
activities and the shaping of the battlefield in advance of a kinetic attack.

5 Ibid.

FIGURE 2: ROAD TO CRISIS

Compared with traditional domains and the Commands of the other domains, a Cyber
Command plans and conducts cyber operations before other Commands are activated.
As a result of the early stage of activity of a Cyber Command, all other Commands
support the Cyber Command and its operations as the supported command. The role
of the Cyber Command changes to a hybrid supported/supporting role depending on
the intermediate goals and tasks in later stages.

Cyber capabilities range from technologically relatively simple means that can
be developed rapidly, to technically sophisticated instruments that require a long
development period. Cyber capabilities can exert tactical effects or achieve strategic
impacts (and all possible variations in between). The complexity and level of
technology mainly depend on the intended effects, and on the hardening and complexity
of the target system.

Therefore, three time-related aspects must be considered:

– Within milliseconds, cyber actions in one country can have distant, direct, first-order
digital effects in multiple other states, whereas indirect, second- and third-order effects
in the physical world might follow soon thereafter.
– The preparation time for an attacker will be long in cases in which target
complexity, intelligence gathering, specific effects, collateral damage,
access and/or anonymity are important. Consequently, the period between
the decision to create an effect and its actual use could be significantly
longer than when using traditional weapons. Equally, the time could be short
in cases in which these aspects are of no concern.
– The effects of cyberspace operations can be instant, or purposely delayed.
This fact requires a potentially very high operational tempo and a constant
state of situational awareness.

“You think you have time.”

2.2.3. Cyberspace zones


The achievement of mission objectives through or in cyberspace may be significantly
complicated by the use of specific components of cyberspace by adversaries, allies,
neutral parties and other elements, all at the same time. In addition, since there are no
boundaries in cyberspace, a way to divide cyberspace into zones has been introduced
to aid the process of cyberspace operations planning, decision-making and execution.
This zone system features the geographic location and ownership of cyberspace
components.

When military forces manoeuvre in neutral or adversary cyberspace, (inter)national
rules and regulations may require a specific approach that depends on which state the
cyberspace infrastructure is located in.6 When cyberspace zones are used in visual
format, the approach must include country boundaries.

The system of cyberspace zones uses different colours to differentiate between
adversarial and friendly zones.

FIGURE 3. CLASSIFICATION OF CYBERSPACE ZONES 7

Cyberspace zone | Colour | Description
Allied          | Blue   | Own or allied military cyberspace and protected cyberspace.
Neutral         | Grey   | All cyberspace that does not meet the description of “blue” or “red”.
Adversary       | Red    | Cyberspace owned or controlled by an adversary.

6 For general legal considerations, see Chapter 4, section 4.5: “Legal considerations related to different
operations”
7 A mechanism to show cyberspace components in Allied (Blue) or Neutral (Grey) zones that are controlled
by an adversary is advised.

2.2.4. The threat landscape
Cyber attack can be invisible, asymmetric, multi-role, deniable, global/ instantaneous
and a complete doctrine changer when the attacker has the advantage, which makes it
an ideal toolset for big and small actors alike.

2.2.4.1. Actors
A wide variety of parties are active in cyberspace, including own forces, allied forces,
neutrals and adversaries. A range of the actors can be classified as threats, actual or
potential:

• Nation-states: nation-states are well-resourced actors that are characterised
by geopolitical, economic and/or military motivations. They are capable
of launching enduring and/or sophisticated attacks, often for intelligence
and/or sabotage purposes. Nation-states often work through proxies.
• State-proxies: state-proxies are private organisations and/or institutions that
are sponsored and supported by a government to help that government to
achieve its geopolitical, economic or military objectives.
• Cyber terrorists: groups of people or individuals who attack or influence
networks, systems and information, especially against civilians, with the
aim of spreading terror or in the pursuit of political aims.
• Cyber criminals: criminal groups driven by profits. They are typically
looking for personally identifiable information (PII), critical digital
resources to hijack for ransom, or lucrative ways to conduct their classic
criminal business online.
• Hacktivists: individuals who adhere to a specific cause and set up attacks to
distribute propaganda or to damage organisations to which they are opposed.
• Insider threats: individuals from within the own organisation who misuse
privileges and resources accidentally or on purpose (e.g. disgruntled
employees).

Overlaps may exist between different categories of threat actors, as particular actors
may choose to employ other categories as proxies. Extensive reuse of tactics, techniques
and procedures (TTP) by different types of threat actors makes distinguishing
categories by this means an unreliable proposition.

2.2.4.2. Cyber Common Operational Picture (Cyber COP)

The Cyber COP is the single identical display of relevant “operational” information
shared by more than one organisation (e.g. Cyber Command, CERT, intelligence
agencies). There should be a single entity that controls the Cyber COP to avoid,
for instance, multiple information entry points. When there is a Cyber Command,
it is the entity best suited to assume this responsibility. The Cyber COP facilitates
collaborative planning and combined execution and assists all echelons to achieve
situational awareness.

There is a misconception that the Cyberspace COP is synonymous with the CIS COP.
This is not true. The CIS COP typically focuses on the availability of CIS services/
systems and applications, whilst the Cyber COP is the fusion of data from across all
operational cyberspace activities and their implications at the operational and possibly
strategic levels. The information from the CIS COP feeds into and is part of the
Cyberspace COP. The CIS COP shows the levels of risk to operational missions and
conveys implications in terms of mission failure and success across all operational
domains. In short, it strives to achieve situational awareness for the Commander and
his or her staff, in order to support the decision-making process and ensure mission
success. In order to achieve situational awareness in cyberspace, we require three
things:

1. Missions. The Cyber Command must understand the Allied (blue) zone8 in
cyberspace and its implications and links to the other operational domains.
Where are we operating? When are the most important times of those
operations? What are the critical information exchange requirements upon
which decision makers rely? The answers to these questions come from the
mission owners, who are also the individuals who can decide whether a risk
in cyberspace is acceptable or must be mitigated.
2. CIS and technical aspects. The Cyber Command also needs to understand the CIS and
technical aspects that directly support and enable all missions across all domains. This requires the
decomposition of missions into discrete business processes, an understanding
of the data and information that are required by those business processes and
lastly, an understanding of the CIS services, systems and applications that
provide that data and information. When you have that detailed understanding
of your CIS, you can understand implications at all levels: data, business
process and ultimately the impact on the mission. When a node goes down,
what part of the mission is impacted? Does the mission stop or is it degraded?
Are these NATO-owned systems or sovereign capabilities?
3. Intelligence. Finally, the Cyber Command needs to understand the current
threat picture. We must understand the active threats against our nation, the
Alliance and partner nations. When potential adversaries are identified we can
begin to assess the tactics, techniques and procedures used by those potential
adversaries to ensure we are actively defending against those activities,
thereby enabling intelligence to focus our defensive actions. We obtain this
intelligence through intelligence channels and through information provided
by commercial subscription services, from industry service providers, from
the media and via open sources.

8 See Figure 3: Classification of cyberspace zones
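The decomposition described under point 2 (mission, business process, information, CIS service) can be answered mechanically with a dependency graph. The following Python is an added example and not part of the Handbook; every mission, process and service name and every ownership tag is constructed, and the ok/degraded/stopped rule is an assumption of the example: a requirement is met while any of its alternative providers is up, and is degraded when one of several alternatives is lost.

```python
"""Mission-impact analysis over a CIS dependency graph (added example).

Models the decomposition the Cyber COP passage describes:
mission -> business process -> information -> CIS service/system,
and answers "when a node goes down, does the mission stop or degrade?".
Every name and the ownership tags below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    name: str
    kind: str                 # "mission", "process", "information" or "service"
    owner: str = "n/a"        # constructed tag: "NATO" or "sovereign" (services only)
    # Each inner list is one requirement; it is met while ANY listed
    # provider is available, so a list of two models a redundant pair.
    needs: List[List[str]] = field(default_factory=list)


def build_graph() -> Dict[str, Node]:
    """Constructed sample graph: two missions, one with a redundant feed."""
    nodes = [
        Node("M-AirPolicing", "mission", needs=[["P-Tasking"], ["P-RadarPicture"]]),
        Node("M-Logistics", "mission", needs=[["P-SupplyOrders"]]),
        Node("P-Tasking", "process", needs=[["I-ATO"]]),
        Node("P-RadarPicture", "process", needs=[["I-TrackData"]]),
        Node("P-SupplyOrders", "process", needs=[["I-Stock"]]),
        Node("I-ATO", "information", needs=[["S-ATOSystem", "S-ATOBackup"]]),
        Node("I-TrackData", "information", needs=[["S-LinkGateway"]]),
        Node("I-Stock", "information", needs=[["S-ERP"]]),
        Node("S-ATOSystem", "service", owner="NATO"),
        Node("S-ATOBackup", "service", owner="sovereign"),
        Node("S-LinkGateway", "service", owner="NATO"),
        Node("S-ERP", "service", owner="sovereign"),
    ]
    return {n.name: n for n in nodes}


def status(graph: Dict[str, Node], name: str, down: Set[str],
           memo: Optional[Dict[str, str]] = None) -> str:
    """Return "ok", "degraded" or "stopped" for a node given the set of
    nodes that are currently down.  Rule (an assumption of this example):
    a requirement with no available provider stops the node; a requirement
    that lost some but not all providers, or whose providers are themselves
    degraded, degrades it.
    """
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    if name in down:
        memo[name] = "stopped"
        return "stopped"
    result = "ok"
    for group in graph[name].needs:
        states = [status(graph, dep, down, memo) for dep in group]
        if all(s == "stopped" for s in states):
            result = "stopped"
            break
        if any(s != "ok" for s in states):
            result = "degraded"
    memo[name] = result
    return result


def mission_impact(graph: Dict[str, Node], down: Set[str]) -> Dict[str, str]:
    """Status of every mission in the graph for a given outage set."""
    memo: Dict[str, str] = {}
    return {n.name: status(graph, n.name, down, memo)
            for n in graph.values() if n.kind == "mission"}


def service_owners(graph: Dict[str, Node], down: Set[str]) -> Dict[str, str]:
    """Owner of each affected service, answering the NATO-owned versus
    sovereign question for the outage set."""
    return {n: graph[n].owner for n in sorted(down) if graph[n].kind == "service"}


if __name__ == "__main__":
    g = build_graph()
    for outage in ({"S-ATOSystem"}, {"S-LinkGateway"}, {"S-ATOSystem", "S-ATOBackup"}):
        print(sorted(outage), mission_impact(g, outage), service_owners(g, outage))
```

Losing one member of the redundant ATO pair degrades air policing without stopping it, whereas losing the single link gateway stops it outright, which is the difference the mission owner needs in order to decide whether the risk is acceptable.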

2.3. Opportunities and Challenges

2.3.1. Opportunities
In the traditional warfare domains, the concentration of force in both time and space
is a prerequisite for campaign success. Cyberspace, on the other hand, enables the
distribution of force: the same effects can be generated at multiple locations at the
same time, or distributed over time.

Although collateral damage (second and third order effects) is difficult to predict
entirely, cyberspace operations potentially enable a more proportionate generation of
effects and better risk management than traditional warfare.

The Cyber Command can exploit various opportunities that are unique to the digital
domain. Budget requirements for capabilities are low in comparison with those of
other military domains. Cyber capability development may be effectively shielded
from premature detection and may take advantage of the reuse of adversary TTPs.
These capabilities may offer an asymmetric advantage, rendering irrelevant the
capabilities of an adversary in other military domains. Cyber effects may span a wide
range from influence to disruption and destruction. Cyber capabilities offer a near
instantaneous global strategic reach concurrent with distribution of force over space
and time.

All these properties make cyberspace operations a valuable capability in their own
right, but they also form an essential enabler for the other domains. At the same time,
while there are benefits in cyber operations, they still pose challenges and risks that
need to be considered. Some of these are explored in the next subsection.

2.3.2. Challenges and limitations

Preparation time in cyberspace operations might be long depending on target maturity,
desired effects, intelligence gathering efforts, anonymisation requirements and any
mitigation measures required for collateral damage. Consequently, the period between
the decision to create an effect and its actual use may be significantly longer than
when using traditional weapons.

The less physical the attack, the less certainty that it has caused harm. This makes
battle damage assessment in cyberspace extremely difficult, especially regarding
second and third order effects.

To oppose these threat actors, knowledge and cooperation are key. Knowledge is
crucial to understand the technological evolutions, anticipate adversary TTPs and
develop our own defence, intelligence and offensive capabilities. Cooperation is a
real force multiplier and is enabled through sharing knowledge of adversary TTPs and
by giving mutual assistance during cyber incidents.

In other words, to ensure high-quality cyberspace operations, good infrastructure,
high-performance toolsets, but most importantly skilled personnel are key.

2.3.2.1. Attribution
Attribution concerns the identification or location of an attacker or attacker’s
intermediary. This activity is undertaken after an attack has been detected and may
be conducted while the attack is in progress or after its conclusion. Defensive cyber
operations will generally prioritise mitigation of an attack over the establishment of
the identities of the parties responsible. Attribution is a prerequisite for reciprocal
action and should therefore precede offensive cyber operations that are conducted in
response to hostile activity.

Attribution has intelligence, technical, legal and political aspects. The Cyber
Command may be involved directly in any or all of these aspects of attribution. The
exact level of involvement depends on the division of responsibilities within each
nation. The attribution process may lead to public attribution, which will always be a
political decision taken at higher levels than the Cyber Command.

Threat actors also reuse known TTPs among each other. They start with simple TTPs,
escalate to the more sophisticated ones or develop new toolsets when needed. This
depends on the actor’s skills, resources and target environment, which complicates
attribution even more.

Attribution is heavily dependent on a combination of cyber forensics and cyber threat
intelligence. From the intelligence stance, attribution is only performed with a degree
of certainty. The sources to determine the attribution range from OSINT through
Technical Analysis to Closed Sources and other available intelligence capabilities
(SIGINT, HUMINT etc.). These sources are not limited to national capabilities. It is
obvious that the combination of a variety of possible sources enhances the degree of
certainty concerning the developed hypotheses.

Actors in cyberspace regularly aim to operate with a high degree of anonymity. To
this end, considerable effort is expended to remove identifying traits and to add
obfuscating features that render reverse engineering difficult and/or time consuming.
Extensive reuse or adaptation of existing tooling and code that originates from other
parties limits the scope for identification of bespoke characteristics. Depending on
the situation, particular actors may try to hide their identities by conducting false flag
operations in order to deflect attention to other parties. Attribution must therefore not
rely on technical characteristics alone, but needs to be backed up by corroborating
evidence from other sources to reach a satisfactory level of certainty. Necessary
resources may be derived from capabilities available within the Cyber Command or
the wider defence organisation as well as public or private sector partners.

Cooperation with public-sector parties such as government CERT and law
enforcement can provide a useful boost to organic capabilities that are available to
attribute actions in the digital domain. Private parties may also play a role in the
establishment of attribution for cyber incidents and events, either through direct
employment by authorities or on their own initiative. While these private parties may
provide manpower and specialised skills not available to the forces or public sector,
it is important to take into account the particularities associated with this kind of
resource.

As a rule, acts executed by organs of a State are attributable to the State of their origin.
No matter what the functions of the organ – legislative, executive, judicial, or any
other – its acts are counted as the acts of a State.9 This also covers persons and entities
that, under domestic law, are empowered to exercise elements of governmental
authority,10 as long as they act “under colour of authority”.11

In cyberspace, we can see more activity by non-state actors – both individuals and
groups. In some cases, their actions are also attributable to a State. Conduct of a non-
state actor shall be considered as an act of a State if it is acting “on the instructions of,
or under the direction or control of, that State”. Non-state actors are considered to be
acting under effective “direction or control” of a State when they direct or control the
specific operation and the conduct complained of is an integral part of that operation.12

In cases where the conduct of a non-state actor is not attributable to a State based on
the aforementioned grounds, it shall be considered as an act of a State if that State
acknowledges and adopts the conduct as its own. The two conditions are cumulative.
In addition, the State has to actively adopt the conduct as its own, meaning that tacit
approval or omission is not enough.13

2.3.2.2. Human resources

Skilled personnel are a key asset to the Cyber Command. Recruitment of scarce talent
may require adjustment of requirements, with possible consequences for service
employment. Skills are highly perishable, and this has an impact on the management
of human resources, requiring constant attention to the attraction of new talent with
the appropriate skills and to the education and retraining of existing personnel.

9 Draft articles on the responsibility of States for internationally wrongful acts adopted by the International
Law Commission at its fifty-third session (2001), Article 4. Hereafter: Articles on State Responsibility.
10 Schmitt, M. (gen. ed)(2017). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.
Cambridge, United Kingdom: Cambridge University Press, Rule 15 commentary, p 87-88.
11 Articles on State responsibility, Art 4, para 13 of commentary.
12 This principle is expressed in rule 17 of Tallinn Manual 2.0 [Schmitt, M. (2017)] and mirrors the “effective
control” test in the Nicaragua judgment (Nicaragua v. United States of America - Military and Paramilitary
Activities in and against Nicaragua - Judgment of 27 June 1986, International Court of Justice).
13 Articles on State responsibility, Art 11.

2.3.2.3. Preparation time

The preparation required for cyber capabilities and effects may exceed the preparation
times needed in other military domains. Preparation requirements may be lengthened
due to various factors including target maturity, desired effects, and the requirements
of intelligence gathering, anonymisation and collateral damage mitigation.

3. Cyberspace Operations:
Roles and Responsibilities
3.1. Introduction

Cyberspace is a complex environment that affects every layer of our society. This
is why often a lot of different interdependent actors have been assigned roles and
responsibilities in cyberspace operations at the national level. In order to fulfil their
role effectively, these actors need to be aware of the others’ areas of governance
and mandates. Although the implementation of roles and responsibilities within
cyberspace operations will always differ from one nation to another, in general the
roles themselves have the following traits in common:

– National cyber security. Most nations have an entity that is responsible for
national cyberspace and that pays particular attention to Critical National
Infrastructure (CNI). The main purpose of this entity is to detect, observe
and analyse online security problems and to inform the public. Generally,
a national Computer Emergency Response Team (CERT) is established to
provide assistance to public and private entities affected by cyber incidents.

– Law enforcement. The responsibility for crime prevention, apprehension
and prosecution lies in the hands of national law enforcement. During a
cyber-attack, the complete scope and true intentions of the threat actor are
generally unclear. So cyber attacks should always be considered as possible
criminal acts and therefore law enforcement agencies should be involved as
soon as possible.

– Intelligence community. The intelligence community is responsible for the
collection and analysis of cyber threat intelligence in order to reduce national
security risks with regard to terrorism, espionage, subversion, sabotage and
organised crime. It is essential for the Cyber Command to have properly
established information-sharing mechanisms in place, not only with military
intelligence, but also with all intelligence entities, since they each might
have different information at their disposal.

– Military. The role of the military in cyberspace is to contribute to the defence
of the nation against external threats. Within the military community, four
cyberspace operations authorities can usually be identified:

• CIS authority. This authority is responsible for employing, operating,
maintaining and securing ICT infrastructure. It has to cooperate closely
with the Cyber Command to ensure secure military networks and
weapon systems.
• Military Police. The Military Police is responsible for cyber-crime
investigations within military installations.
• Military intelligence. Military intelligence plays an important role in
cyber threat identification, counter-intelligence and the cyber targeting
process in support of military operations. In some cases, usually
in smaller nations, military intelligence wears two hats: it provides
intelligence and supports or executes the delivery of cyberspace effects.
In bigger nations, the Cyber Command would generally offer the latter.
• Cyber Command. The Cyber Command is the most important authority
with regard to cyber operations and thus national cyber defence.

– Private sector. The private sector plays an important role, since Internet
Service Providers (ISPs), Critical Information Infrastructure (CII) and other
Critical National Infrastructure (CNI) are generally in private hands. The
Cyber Command will often act through private ISP networks or is expected
to defend private CII/CNI. The private sector is responsible for the security
of its own infrastructure and for cooperating with state institutions to
promote cyber security and to enable cyberspace operations where needed.

– International environment. International institutions are mainly responsible
for the creation of international rules and regulations and for the
coordination and deconfliction of cyberspace operations’ efforts in case of
multinational projects or military campaigns.

FIGURE 4. ROLES WITHIN THE MILITARY ENVIRONMENT (panels: Cyber security and
protection; Cyber intelligence; Cyber law enforcement; Cyber within Military
Operations)

The intent of the threat actor is not always clear from the beginning. Moreover, there
is no clear demarcation between criminal activities, terrorism, espionage, a military
operation, etc. So all possible legal authorities, including those of the civilian sector,
should actively cooperate and share information as early as possible when conducting
cyberspace operations.

3.2. Mission, Vision & Mandate

The Cyber Command plans, prepares, coordinates and conducts full-spectrum
cyberspace operations. This is achieved by ensuring freedom of action for friendly
forces in and through cyberspace while denying the same to adversaries and by
projecting power in and through cyberspace, while continuously innovating and
improving its work to provide the required effects in a timely fashion and in accordance
with national political and strategic guidelines and policy. Therefore, the mandate
should include, but not be limited to, a clear delineation of roles and responsibilities
for the following:

– Authorisation to direct and coordinate defensive, ISR, and offensive
operations.
– Execution of defensive operations 365/24/7.
– Execution of ISR operations in peacetime in support of intelligence services,
possibly at the request of the Cyber Command. Autonomous execution of
ISR operations in crisis and equivalent situations.
– Mandating offensive operations during crisis and other possible identified
circumstances.

3.3. Reference Cyber Command Structure

A standalone command structure, branch or service of the armed forces generally
directs and controls the three main categories14 of cyberspace operations within
its responsibility area: Defensive Cyberspace Operations, Offensive Cyberspace
Operations and ISR Operations. To be able to execute cyberspace operations, the
Cyber Command will have “manoeuvre” elements and “support” elements either
as a part of the Cyber Command or as a subcommand depending on, among other
considerations, size, structure and responsibilities.

A one-size-fits-all Cyber Command structure is impossible to define. Therefore a
reference Cyber Command is proposed, which must be seen as a modular structure
that covers all potential core activities of cyberspace operations:

14 The fourth category, CIS Infrastructure Operations, is the responsibility of the J6/CIS Support structure,
further explained in Par 4.4.

o For some nations, almost all core activities of cyberspace operations might
fall under the authority of the Cyber Commander, whereas for others only a
few will.15
o The cyber-related tasks and responsibilities for the different functional areas
might be concentrated into a single new staff function or distributed over
existing staff functions.

FIGURE 5. ELEMENTS OF CYBER COMMAND ORGANISATION

There are four main levels:

– Commander;
– Advisors;
– Staff; and
– Subcommand level.

For further detailed explanations with regard to tasks and responsibilities, see Annexe D.

3.3.1 Cyber manoeuvre element

Cyber manoeuvre elements are the elements assigned to execute cyber operations.
Examples are: the Security Operations Centre (SOC), the Computer Emergency
Response Team (CERT), the Rapid Reaction Team (RRT), the liaison team(s) and
deployable cyber defence capability (DCDC) in accordance with the NATO Defence
Planning Process (NDPP).

15 E.g. for some nations, intrusive ISR and/ or offensive operations might be part of the intelligence
community, while for other nations it may also be available within the Cyber Command structure itself.

3.3.1.1 SOC
A security operations centre (SOC) is a command centre facility for a team of cyber
professionals that is organised to detect, analyse, respond to, report on, and prevent
cyber security incidents. In the SOC, internet traffic, corporate area networks (CAN),
desktops, servers, endpoint devices, databases, applications and other systems are
continuously examined for signs of a security incident. The SOC staff may work with
other teams or departments, but the SOC is typically self-contained and has employees
that have high-level information technology and cyber security skills. Additionally,
most SOCs function around the clock as employees work in shifts to constantly log
activity and mitigate threats.

Tasks of the SOC employees include real-time monitoring of own cyberspace with a
focus on real-time triage of alerts, fielding phone calls, handling inquiries, and other
routine tasks. SOC employees are not intended to conduct in-depth analysis. Cyber
security incidents that need further attention and/or analysis are escalated to the CERT
level.16

3.3.1.2 CERT17
A computer emergency response team (CERT) is a team of cyber experts that is
organised to analyse, respond to, report on, and mitigate cyber security incidents.
Among other tasks, the CERT analyses cyber incidents in depth and advises
organisations on mitigation. A CERT also has the responsibility of hunting for
threats on own networks or other networks that are temporarily within its area of
responsibility.

3.3.1.3 RRT
A Rapid Reaction Team (RRT) is a segment of a CERT that can be deployed fast.
The primary task of the RRT is incident handling on a site where remote technical
assistance is not an option. The RRT has a notice-to-move period, depending on the
alert status, of within 72 hours. It comprises a small team of experts, usually
around six persons who represent the CERT capability. To be able to execute its
tasks remotely, the RRT has a deployable technical kit. The composition of the team
depends on the initial assessment of the assigned cyber incident. To be able to fulfil
assigned tasks, a CERT needs to have a highly qualified and experienced team that
is trained on a regular basis. An RRT uses the CERT as a reach-back function to
expand the RRT resources.

16 Zimmerman, C. (2014) Ten Strategies of a World Class Cybersecurity Operations Centre. MITRE
Corporation. Available at: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-
strategies-cyber-ops-center.pdf.
17 The terms SOC, CERT, CSOC, CIRT and CSIRT are sometimes used interchangeably, but a SOC should
be seen as the first level at which a cyber incident is usually detected. The CERT level handles difficult
incidents. CSOC is a different name for a SOC in cases where CERT, CIRT and CSIRT are terms that are
used interchangeably.

3.3.1.4 Liaison elements

Like all military services or domains, cyberspace needs to be taken into account for
the planning of any operations by other services. Therefore, liaison elements need to
be installed and sent to other component commands in order to ensure that cyberspace
is reflected in the development of courses of action. These liaison elements need to be
educated and trained in such a way that they can act as cyberspace specialists/experts
who can advise the operational commander concerning cyberspace operations.
Furthermore, they need to be experts in the process of operational planning and how
to incorporate cyber operations into the process.

In addition to other commands, liaison elements should be sent out to all other military
and governmental units/entities that are responsible for strategic level planning.

3.3.1.5 DCDC
A deployable cyber defence capability is a term used in the NDPP. It is a national
responsibility to fulfil that capability either through a remote network monitoring and
response model or through capabilities on site. The first option is preferable due to
several aspects such as speed, coordination, centralisation of scarce resources and
unity of effort.

3.3.2 Cyber support element

Cyber support elements are those assigned to provide, among others, technical
expertise, coding and infrastructure; e.g., training elements, tech department and
cyber range.

3.4. Staff Integration

Effective staff integration is achieved when functional expertise from across the
staff and from external mission partners is brought together in direct support of the
commander’s decision. Decision boards leverage the analytical capability of the
entire staff and mission partners to support decision requirements through thought-out
interaction between J-codes, working groups and operational planning teams.
The use of these kinds of staff-integrating elements (sometimes referred to as boards,
bureaus, centres, cells, working groups or Operational Planning Teams (OPT)) makes
staff coordination more routine, facilitates monitoring, assessment and planning,
and enables the management of activities across the three event horizons (current
operations, future operations, and future plans).18

18 Deployable Training Division, Joint Staff J7 (September 2019) Joint Headquarters Organization, Staff
Integration, and Battle Rhythm, Third Edition, p 5-8. Available at: https://www.jcs.mil/Portals/36/
Documents/Doctrine/fp/jtf_hq_org_fp.pdf

3.5. Limitations

A military organisation’s primary responsibility is the defence of the military
infrastructure. It can be asked to give support in crisis situations with regard to
national critical infrastructure or other civilian infrastructure. Therefore, the Cyber
Command plans and prepares support for governmental and civilian organisations that
is shaped through national decision-making policy and processes.19 Legal restraints
are discussed in Chapter 4, section 4.7.

3.6. Assumptions

The assumption is made that the Cyber Command has all the capabilities needed to
execute all types of cyber operations.

3.7. Tasks

The main tasks of a Cyber Command are usually the following (but they are not
limited to this list):
– Conduct defensive cyberspace operations to preserve and/or restore the
ability to utilise friendly cyberspace capabilities and protect data, networks,
net-centric capabilities, and other designated systems;
– Conduct ISR operations for non-intrusive and intrusive intelligence
collection;
– Conduct offensive cyberspace operations to project power in and through
cyberspace by employing cyberspace capabilities;
– Prepare the operational environment;
– Act as the cyber advisor.

19 An example is the Dutch National Response Network.

4. Cyberspace Operations:
Core Activities
4.1. Introduction

Cyberspace operations in general ensure a nation’s ability not only to act as a sovereign
nation in peacetime, but also to achieve military advantage in times of conflict. Military
operations in general depend heavily on having effective access to, and the usage of,
CIS and the data stored within it. On the other hand, preventing or reducing the ability
of the adversary to use similar assets of its own will facilitate the mission. Cyberspace
operations must be synchronised with air, land, sea, space and special operations, and
of course conducted in conformity with political and diplomatic efforts, without
neglecting the joint aspect.

Defensive Cyber Operations (DCO) and Offensive Cyber Operations (OCO) depend
on the Cyber Commander’s intent and objectives. In broad terms, they aim:

– to guarantee the ability to operate freely in cyberspace, by granting our
freedom of action and force protection.
– to project power by causing effects in or through cyberspace that will help to
achieve certain military objectives.

4.2 Cyberspace Operations Framework

In the Cyberspace domain, we recognise four operational activities.20

– Communication and Information Systems Infrastructure Operations (CISIO)
are a responsibility of the CIS support organisation. CISIO design, build,
configure, secure, operate, maintain, and sustain Department of Defence
(DoD) owned and operated networks. The task of auditing and regular
additional assessments could be with the Cyber Command.
– Cyberspace Intelligence, Surveillance and Reconnaissance Operations
(CISRO) perform non-intrusive and intrusive information collection and
operational preparation of the environment.
– Defensive Cyber Operations (DCO) preserve and/or restore the ability to
utilise friendly cyberspace capabilities and protect data, networks, net-
centric capabilities, and other designated systems.
– Offensive Cyber Operations (OCO) project power in and through cyberspace
through the employment of cyberspace capabilities.

20 IMSM-0222-2018, High-level Taxonomy of Cyberspace Operations, Jun 2018

FIGURE 6. CYBERSPACE OPERATIONS FRAMEWORK21

4.2.1 CIS Infrastructure Operations (CISIO)

CIS Infrastructure Operations carry out the process of continuously ensuring cyber
resilience and awareness by supporting the armed forces in developing and operating
highly secured systems and networks both home and abroad. The “6-Branch” is
responsible for applying the Cyber Security Framework.

A cyber security audit team verifies that security measures are implemented and
maintained in accordance with national cyber security policies and directives. The
audit team is also responsible for:

– providing advice and guidance on cyber security policies and directives;
– reviewing and approving cyber security-related documentation, e.g.
Security Operating Procedures (SecOPs), security accreditation plans and
risk management reports;
– providing a statement of security accreditation for the deployed CIWS.

21 Developed in collaboration with Belgian Armed Forces.

A Vulnerability Assessment (VA) team performs:

– Security Test & Evaluation (ST&E) to ensure that the configuration is
established and maintained in its approved state;
– vulnerability scans.

A cyber security assessment team performs:

– sample tests of agreed audit report improvements;
– sample tests of agreed VA report improvements;
– penetration tests.

4.2.2 Cyberspace ISR Operations (CISRO)

Cyberspace ISR Operations coordinate and integrate acquisition in and through
cyberspace. They process and provide timely, accurate, relevant, coherent and
assured information and intelligence to support a commander’s conduct of activities.
A distinction is made between:

– Non-Intrusive Collection: Collection methods that draw from own networks
or open source intelligence on adversary and third party networks; and
– Intrusive Collection: Collection methods that draw from non-available, third
party networks, including adversary networks.

Intrusive ISR operations include, but are not limited to, system compromise, data
exfiltration and target observation in the digital environment.

National-level intelligence organisations conduct intelligence activities in, through,
and about cyberspace in response to national intelligence priorities. National-level
intelligence in support of military intelligence in adversary or enemy Tactics,
Techniques and Procedures (TTP) recognition, CIS infrastructure information
assurance and operational environment understanding, should be an ongoing effort.
The preparation of complex military cyber operations makes it necessary to execute
cyber intelligence operations on an ongoing basis. Because military cyber intelligence
efforts are usually not mandated in peacetime, these requirements should be fulfilled
by national intelligence organisations. The Cyber Command can support national
intelligence efforts i.a.w. national regulations, agreements and procedures.

“Know thy self, know thine enemy. A thousand battles, a thousand victories.”
Sun Tzu

FIGURE 7. CYBERSPACE INTELLIGENCE KEY AREAS

Military cyberspace intelligence area | Mission impact / Operational environment

Adversary Tactics, Techniques and Procedures (TTP):
Does an adversary or enemy possess the capabilities to deny, degrade, disrupt, or
destroy CIS infrastructure? What forces and equipment are needed to secure CIS
infrastructure? Analysis of TTP is performed via recognition of enemy’s or
adversary’s capabilities and incident handling.

Operational environment analysis - PMESII:
Forecasting of political, military, economic, social, infrastructure and information
(PMESII) effects for course of action (COA) evaluation. In particular, analysis of
adversary’s cyber groups’ intentions, possible reactions and readiness. Intelligence
provides the commander with a variety of assessments and estimates that facilitate
understanding of the operational environment.

Both ISR and OCO typically require digital reconnaissance, weaponisation through
code development, exploitation of delivery, system exploitation, persistence
activation, command and control and finally the desired actions on objective.
Substantial preparation times might be required. This essential activity is known as
Comprehensive Preparations of the Operational Environment (CPOE), i.e. ensuring
future access to external networks or systems in order to enable the collection of
information or the delivery of effects.

4.2.3 Defensive Cyberspace Operations (DCO)

AJP-3.20 defines DCO as defensive actions in or through cyberspace to preserve
friendly freedom of action in cyberspace. More precisely, DCO include actions taken
in order to prevent, mitigate or respond to threats and adversary cyberspace operations
in or through cyberspace, thus preserving mission assurance (MA).

In general, DCO are operations that are only planned for and conducted on own
networks and services. Any action outside own networks or services, even as
a result of DCO, changes the defined character of DCO and therefore changes the type
of operation to an offensive CO. Therefore DCO are strictly limited to actions within
own networks or controlled services.

DCO are not limited to securing own networks and services, but operate actively within
those networks to ensure safety and security and to deny break-ins into the networks.
All actions after a detection of unauthorised access to networks or services, including
clean-up and securing the network, are also defined as DCO.

In addition to the definition of DCO by AJP-3.20, DCO can be used to support other
military or non-military actions by securing the area of operations and responsibility
from attacks/actions against own forces in or through cyberspace.

The full spectrum of this kind of support can start with coordinated cooperation with
non-military organisations/companies (such as private service providers) and ends
with cooperation with other international organisations (NATO, EU) and/or militaries
of partner nations.

The planned deactivation of non-owned services, or the denial of services in advance
of or in parallel to any operations (including CO), to give one example, can have a
huge impact and advantage for the own operation. This kind of DCO, in comparison
with typical OCO, does not involve any enemy cyberspace services or networks, but
networks of partners or service providers, with their permission. Most importantly,
the execution within those networks will be done by the providers themselves.

Awareness is one of the most crucial aspects to keep cyber security healthy in our
networks. Nevertheless, often this issue is not addressed effectively enough, since
it is usually focused more on the content rather than on development of appropriate
secure behaviour in cyberspace. In particular, the awareness issue faces the following
challenges:

– It is necessary to develop suitable content for different types of audience.
– It is necessary to develop means of content distribution in an attractive
manner to different types of audience.
– It is necessary to develop methods so that the right messages are retained by
the right audience, in such a way that the message is not only captured but
also put into practice routinely.

4.2.4 Offensive Cyberspace Operations (OCO)

In cyberspace, one is not able to take full and permanent or long-lasting control or
possession of cyber key-terrain and therefore deny adversaries the possibility of
using it. This is contrary to the situation with other domains. Yet, it is possible, in
limited amounts of time, to deny adversaries this capability by causing a disruption
or degradation of their freedom of action in cyberspace. OCO are used with the clear
intention to project power in and through cyberspace in order to help commanders
achieve operational or strategic objectives.

Before executing OCO, the following points should be taken into account:

– The vulnerability that is exploited to create a successful attack will become
known to others;
– The cyber weapon developed to execute the offensive action can be stolen or
copied, studied, changed and reused against its initial creators; and
– Existing asymmetries in the dependence on cyberspace between the
adversaries may fuel conflict escalation.

4.3 Cyberspace Activities Catalogue

Possible organisation, functions and tasks of the above described operations are
presented in Figure 8.

FIGURE 8. CYBERSPACE OPERATIONS CATALOGUE.22

22 Developed in collaboration with Belgian Armed Forces.

4.4 Synchronisation

4.4.1 Maturity
Cyber operations at national level have reached a level of maturity at which they are
included in national operational processes. On an international level, the level of trust
is currently not sufficient to include national cyber operations in most multinational or
NATO operations. In order to support multinational operations with cyber capabilities,
NATO has started using the SCEPVA process (see section 4.4.4).

4.4.2 Joint targeting process

Depending upon the commander’s objective, operations in cyberspace can be
offensive or defensive, supporting or supported. Like all forms of operations, those in
and through cyberspace should be included in the joint planning process to facilitate
synchronisation and unity of effort and for overall co-ordination through the joint
targeting process.

4.4.3 Electronic warfare

As cyberspace operations partially rely on the use of the electromagnetic environment,
they must be coordinated with electromagnetic operations (EMO), including
electronic warfare. As a minimum, coordination must be achieved through a common
participation with the appropriate coordination boards. Cyber operations may also
need to provide inputs to the Joint Restricted Frequency List.

4.4.4 Sovereign Cyber Effects provided voluntarily by Allies (SCEPVA)

Due to the confidentiality of OCO, nations are usually unwilling to share the specifics
of those operations in an international environment. Therefore they have introduced
the SCEPVA process to provide the required cyber support that is translated into cyber
effects for the purpose of integration into operational processes in Alliance Operations
and Missions (AOM).

NATO, as an organisation, does not intend to develop any offensive capability of its
own in cyberspace. However, the Alliance will benefit from cyber effects provided
by nations, in accordance with the legal and political principles agreed by the North
Atlantic Council (NAC), and which abide by AOM dedicated rules of engagement.
NATO will not directly task the nations’ offensive cyber capabilities. NATO’s
Cyberspace Operations Centre (CyOC) at SHAPE will facilitate the integration of
the SCEPVA into the military planning process. It will provide willing nations with
military objectives to achieve, and provide to the NATO operational chain of command
the expertise to approve and synchronise the provided effect.

4.5 Legal considerations related to different operations

4.5.1 Legal basis

The deployment of cyber elements, activities or tools as (military) instruments outside
national borders is governed by international law, but also domestic law.23

One of the basic principles of international law, as also recognised in national policy
and doctrine, is that nations may not operate in another State without that State’s
consent, or without a legal basis under international law. Three legal principles reflect
this prohibition: the non-intervention principle; the principle of sovereignty; and
the prohibition on the use or threat of the use of force in international relations (as
expressed in the UN Charter). The legal basis for operating across other state borders
is UN Charter chapter 7, (collective) self-defence (Article 51) or authorisation from
the Security Council (Article 42).

It must be borne in mind that the prerequisite to use force in self-defence is armed
attack24, and not every internationally wrongful act gives grounds for use of force.
When an act against a State stays below the threshold of armed attack, but is
attributable to another State, countermeasures can be used. Countermeasures are acts
that are otherwise illegal, but can be taken by the injured State as a response to a
breach of an international obligation.

Wrongfulness of a possible action is precluded in the case of plea of necessity. The
prerequisites for this are the existence of grave and imminent peril to the State’s
essential interest; there is no other way to address the situation; and the non-compliance
by the State with its international obligations is of lesser weight or urgency than the
need to act to protect itself. Plea of necessity does not depend on prior breach by
another State; therefore, attribution is not a prerequisite.25

4.5.2 Law governing operations

The legal framework that applies during deployment outside a country may differ
for each operation, and even sometimes for different areas or phases of the same
operation. International humanitarian law (IHL), jus in bello, as set forth in (inter
alia) the Geneva Conventions I-IV and the associated Additional Protocols, governs
conduct during armed conflicts, including cyber operations in that context. IHL
regulates the powers of combatants to take part in hostilities, while the restrictions
mainly encompass rules for the methods and means of warfare and rules that govern
the protection of non-combatants and civilian objects and property. IHL only applies
officially in situations of “armed conflict”; whether a situation is one of armed conflict
depends on a factual evaluation of the situation. It is also standing NATO policy to
apply protective provisions of IHL as a safety margin for all military operations
carried out by NATO forces.

23 Military forces still have to adhere to their national laws even when deployed abroad. See Stinissen, J. et
al. (2015) A Study for Existing and Possible Rules of Engagement. NATO Cooperative Cyber Defence
Centre of Excellence, 2015, p 15.
24 In order to amount to an “attack”, an operation (regardless whether it is offensive or defensive) must
conclude in violent consequences resulting in injury or death to persons or damage to or destruction
of objects. See Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the
Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977, Article 49(1) and
Schmitt, M. (2017), Rule 92.
25 Articles on State Responsibility, Art 25. See also Schmitt, M. (2017), Rule 26.

It must be taken into account that assessment of incidental harm of a cyberspace
operation to civilian cyber infrastructure or objects when conducting a proportionality
analysis is much more difficult than in cases that involve more traditional physical
means and weapons. The same challenge is applicable to the identification of
legitimate military targets or objects that are of both military and civilian use.

4.5.3 Targeting
In the targeting process, it is mandatory also to apply IHL. The overall rule for
targeting is that it is forbidden to conduct cyber operations that amount to an attack
against civilians or civilian objects.26 Even though cyber infrastructure is often used
for both military and civil objectives, it may be in conformity with IHL still to target
such an infrastructure, if civil components, incidental damage and proportionality
are taken into consideration.27 In cyber activities, non-state actors may be involved
more often than in kinetic activities. This may raise the question of whether these
actors can be targeted. If their activities amount to the criteria of threshold of harm,
direct causation and belligerent nexus, they can be considered to be participating in
hostilities and, therefore, as possible targets.28

4.5.4 Rules of Engagement

Rules of Engagement (hereinafter ROE) are mission-specific rules for commanders
of military operations that establish the parameters in respect of the use of force
or actions that may be construed as provocative towards other parties in the area
of operations. Therefore, the ROE are relevant for offensive and ISR operations.29
ROE are dependent on the mandate30 or legal basis for the operation in question. It is
important specifically to include cyber capabilities in the planning when preparing the
mandate and the ROE for an operation.31

In a multinational deployment, ROE are drafted and promulgated by the relevant
command authorities of the international alliance or union, or - in the case of an
operation by a coalition of states - in consultation with the states that are participating
in the coalition. Based on national policy or national law, a State may impose
restrictions on the agreed ROE and issue such restrictions to the deployed forces as
supplementary instructions.

26 Additional Protocol I, Article 48.
27 Stinissen, J. et al. A Study for Existing and Possible Rules of Engagement. NATO Cooperative Cyber
Defence Centre of Excellence, 2015, p 14.
28 Ibid, p 15. See also Melzer, N. (2009) ICRC Interpretive Guidance on the Notion of Direct Participation in
Hostilities under International Humanitarian Law, p 46.
29 ROE for cyberspace are directives to military forces that define the circumstances, conditions, degree,
and manner in which force, or actions that might be construed as provocative, may be applied in or by the
use of cyberspace. It is elementary that a State can defend its own systems. Therefore, operations that are
merely defensive do not need ROEs.
30 The legal basis for the operation in combination with the political directives and goals to be adhered to,
and attained by, the force commander.

31 Commanders may restrict the relevant ROE for subordinate commanders at any time, but they cannot
expand them. ROE never restrict the universal right to personal self-defence provided that the principles of
proportionality - no more force may be used than is necessary to counter the threat - and necessity – force
should be the last reasonable resort and be absolutely necessary under the circumstances - are adhered to.

5. Cyberspace Operations: Planning, Coordination, Execution & Assessment
5.1 Pre-requisites

5.1.1 Political & Strategic Pre-requisites

The starting point for any action by a Cyber Commander is the political guidance and
military directives. Based on these, potential areas of interest are defined and efforts to
create situational awareness are determined in order to pre-process the commander’s
scope of action in his or her national as well as international environment.

The traditional prerequisites are required to start the cyber planning process. These are
based on the Comprehensive Operations Planning Directive (COPD). However, an
additional pre-requisite is the minimum Cyber Common Operational Picture (Cyber
COP). The minimum Cyber COP consists of information about:

– threats and vulnerabilities, and threat actors;
– own organisations and capabilities, including troop readiness levels and
maturity;
– own networks including security standards, resilience and procurement (life
cycle);
– relevant issues to the mission regarding the internet;
– status of preparations in/outside networks, including political and economic
perspectives; and
– national and international partners, including competencies, capabilities and
restrictions.

The Cyber COP preferably contains much more information than this minimum.
The content of the Cyber COP determines the quality of information available to
the commander, and is therefore heavily dependent on the sharing of cyber related
information and INTEL between nations and national organisations in a timely
fashion.

5.1.2 Phase zero operations

One of the bigger challenges to the understanding of cyberspace and cyberspace
operations as a domain of military operations is the identification of peculiarities
(force, space, time, information) of cyberspace.

In general, traditional military operational domains are used to plan and act from the
beginning to the end of a crisis – from the first phase of a crisis to the end of an armed
conflict. With regard to the cyber domain operations within cyberspace, preparations
and the setting of prerequisites need to be done in advance of any other planning or
preparation cycle.

Specifically, the characteristics of the cyber domain demand extensive preparation
prior to starting any military mission planning. In addition to political guidance, the
Cyber Commander has to request that areas of interest be prioritised as well as details
of the applicable legal frameworks. The intelligence preparation of the environment
is then performed dependent on the provided guidance, directives and prioritised
areas of interest. Based on the aforementioned actions, a commander should develop
courses of action and start and/or adjust capabilities in order to prepare or shape the
potential battlefield.

5.1.3 Technical pre-requisites

Based on the political guidance and the military directives, the cyber effects that are
sought under the Cyber COP must be identified by the Cyber Command in order to
determine the technical pre-requisites. The staff employs the expertise of the cyber
support element to ensure that the technical pre-requisites of both existing capabilities
and of any custom procurement and/or development required are understood and are
duly reflected in the operational planning and Cyber COP. Due to the potential of
cyberspace to exhibit rapid fluctuations in technological possibilities and constraints,
this interaction must be repeated continuously in order to maintain a current Cyber
COP. The cyber support element that is available in the theatre of operations may
require reach-back capabilities in the homeland for a full assessment of technical pre-
requisites, and this has implications for the time that may be needed to provide an
assessment. Technical pre-requisites may have a significant effect on the timelines of
planning due to the combined effects of procurement and development processes of
customised capabilities.

5.2 Planning

5.2.1 COPD
The Allied Command Operations COPD is the international standard tool for
operational planning and should therefore be used in the cyber domain as well.

5.2.2 Planning
Compared with the traditional domains and therewith the component commands
of each domain, a Cyber Command plans and conducts cyber operations before
other commands are activated and therefore starts to plan and to execute operations
accordingly. As a result of the early stage of activity of a Cyber Command, all other
commands, where appropriate, will support cyber operations and the Cyber Command
as the supported command. The role of the Cyber Command might change from
supported to supporting in a later stage of the crisis development roadmap, depending
on the situation. Nevertheless, the threat landscape or situation may require immediate
implementation of prepared and sometimes pre-authorised actions.

A Cyber Commander should seek coordination/synchronisation and deconfliction
where applicable (e.g. INTEL, partners, Cyber Command etc.) for operational
planning in COPD’s phases 1 to 5.32

5.2.3 Considerations
The planning and execution of cyber operations and their integration into the COPD
exposes the differences between this new domain of military operations and the
traditional air, land and maritime domains. To avoid difficulties in the planning and
use of cyber operations, some main differences need to be taken into account during
the entire planning process and each step of any sort of crisis response planning.

5.2.3.1. Authorisation process

In general, based on national/international processes and caveats, the authorisation
process for cyber operations is different and more complex than that for traditional
operations. For cyber operations, the final level of authorisation is located higher within
the process. As in general the decision for a COA is the commander’s responsibility,
the authorisation for the use of cyber operations, especially for offensive cyber
operations, is with the political authority as defined by each nation. Therefore military
operations, also and especially during the early phase of a crisis development, are
dependent on authorisation from outside the military organisation. The operational
planning officer must consider this circumstance. Authorisation processes that were
agreed within organisations such as NATO or the EU were designed for kinetic
effects and assets. Although cyber effects are a voluntary contribution by a nation,
the authorisation for a cyber operation is with the nation that offers the cyber effect.

5.2.3.2. Phasing
Cyber effects and the planning of cyber effects as cyber operations are not limited to
the last phase of the crisis development of an armed conflict. This differs therefore
from the traditional domains. Cyber operations can be and are conducted in peacetime
and during the first phases of a crisis. Therefore, cyber operations are not only to be
planned and executed in parallel with land/air/maritime operations, but can be the first
effect/action that is taken during the crisis development because of the complexity
in planning, execution and operability. As an effect that can be executed without
physical deployment of any troops, the full spectrum of cyber operations can and must
be used as early as possible within the roadmap of development of a crisis. Cyber
operations are a primary asset for “shaping the battlefield” to support operations of
land/air/maritime forces that follow them. As such, cyber operations are not only
conducted during the traditional “execution phase” of military operations, but they are
also conducted concerning requirements, effectiveness, operability and availability,
separated from phases if necessary. Special attention should be paid to risk assessment
of the chances of detection by the opponent. Cyber operations have a higher risk
of failure due to the rapidly changing technical environment or enhancements of
protection, countermeasures and design.

32 A Cyber Commander and staff can make use of the US Cyber Space Operations Planning Task List (US
Cyspace OpPl UJTL Baseline measures and Cyspace conditions UJTL Baseline measures).

5.2.3.3. Timelines
Planning and execution of cyber operations are different from those in other domains
and services regarding the timelines for planning and the time that is needed for
execution. Preparation of cyber operations in particular requires more time for the
evaluation of the possibility for operability of a cyber effect. As a result, cyber
operations must be considered as an option as soon as possible before and during the
operational planning process. Cyber effects cannot be considered short-notice assets,
as long as they are not a result of prepared and pre-authorised actions.

5.2.3.4. Targeting and coordination

Cyber effects and their operability need to be validated at an early stage. Cyber experts
need to be sure that there is sufficient preparation and planning time for validation
of availability and operability of cyber effects (concerning phasing and timelines).
Therefore, the targeting process needs to be supported by cyber experts from the
beginning. This includes the coordination of effects within boards and working
groups of the battle rhythm to deal with effect coordination and targeting. In addition,
relevant legal rules of international humanitarian law must be considered.33

5.2.3.5. Effects
Cyber operations can have expected (first, second and third order) and/or unexpected
effects, which can be lethal or non-lethal. The goals pursued include, but are not
limited to: coerce, deter, contain, defeat, secure, isolate, neutralise, recover,
manipulate or corrupt, exfiltrate, degrade, disrupt, deny or destroy. The always-
growing interconnected mesh that we call cyberspace is the perfect environment to
produce unwanted and uncontrolled effects. This can turn a simple cyber operation
that in a first assessment would fall below the threshold of the use of force or an
armed attack (e.g. a temporary denial of service) into a sum of undesired effects that
may cause sufficient damage to be considered to fall under the UN Charter and jus
ad bellum. The aforementioned would be a ground for the adversary to use force in
self-defence (individual or collective). Some of the criteria used to assess the impact
of these effects are interference with critical infrastructure or functionality, the severity
and reversibility of the effects, and their invasiveness. Briefly, the legality of the response
depends on the context and the effects of the respective cyber operation. Even though
the existence of unwanted effects is not exclusive to this domain, the interconnectivity
and interdependency between all kinds of networks and systems (military, state-
owned and private or corporate) increases the risk that they may happen. It is
therefore extremely important, but also very difficult, to assess the risk of collateral
and cascading second or third order effects. Whatever a commander’s risk appetite is,
he or she has to have a perfect understanding of these interdependencies and of the
impact that the suggested cyber operation may have on their normal operation.

33 See Chapter 4, section 4.5.3: Targeting.

5.2.3.6. Cyber range

Phase zero in military planning is very intelligence heavy. The identification of targets,
the finding of possible vulnerabilities to be exploited, the development of the necessary
code to create a cyber weapon, the finding of a way to deliver it to the target and the
installation of it is a very time-consuming set of activities. There is no 100% guarantee
of success; changes may be made to the target (systems updated or patched) just the
minute before the weapon is launched. Most weapons can be reverse-engineered,
adapted and reused against those who originally launched them. If successful, the
persistent presence of a weapon in the target’s system is typically guaranteed by the
establishment of a command and control channel. All this is conducted in a controlled
environment - a laboratory or cyber range - in which it will be tested in accordance
with international law. Only then can a weapon be used to execute a cyber operation.

5.2.3.7. Information sharing

One of the biggest challenges in the cyber domain is the establishment of relationships
of trust as a basis for information sharing, especially when addressing intelligence and
offensive capabilities. When sharing information, one will lose possible advantage
over the others and national interests don’t always coincide with those of alliances.
However, it is easier to share knowledge and find solutions when it comes to
defending one’s systems. This may be why the only agreed-upon solutions so far
are the malware information-sharing platform (MISP) and the cyber information and
incident coordination system (CIICS) in which it is possible to register the available
knowledge on topics and enable others to make use of and improve this knowledge,
so as to avoid duplication of effort amongst community members.

5.3 Coordination and Cooperation

Coordination is essential and can act as a force multiplier in this domain due to its
interconnectivity and interdependency. This can be achieved in DCO by information
sharing and provision of mutual assistance, but may be more difficult to achieve
in OCO due to the employment of sovereign capabilities. Nonetheless, OCO may
benefit from cooperation in the preparation phase through exchange of intelligence
and situational awareness. The main goal for this is to deconflict opposing or untimely
effects and synchronise them to enable their full potential and wanted effects.

Cooperation between the military, industry and academia is probably the best way
to supply operational needs with the required resources to develop them, both
financial and intellectual. In the same way that NATO has developed a partnership
with industry (NICP), it should eventually consider establishing one with academia.
Effective collaboration could, among other things, increase the availability of qualified
personnel. These collaboration activities are essential to establish the necessary
trust relationships between stakeholders. The need for national and international
collaboration increases due to the fact that this is a knowledge domain in which
all inputs and different perspectives are helpful to find solutions and establish new
challenges. This need is highly increased with the existence of grey zones and areas
of responsibility between who owns the systems (the problem of establishing clear
borders), how to typify the cyber incidents (crime, use of force, espionage, etc.), and
the different kinds of threat actors that may be responsible for them (states, state-
sponsored, criminals, hacktivists, insiders, braggers, etc.).

Therefore, cyberspace cooperation embraces the following areas:

– Internal cooperation. Cooperation among subunits within the Cyber Command
should be encouraged, facilitated, processed, monitored and evaluated;
synergies should be sought to generate more effective and efficient results.
It is important to develop objective and evaluable cooperation mechanisms,
since trusting in a natural tendency to cooperate is usually not effective. To
facilitate internal cooperation and better access to information, it is
essential to establish a specific Information and Knowledge Management (IKM)
branch composed of IKM experts who are fully dedicated to the IKM business.
This IKM branch should include experts at both the technical and the
procedural level.

Commanders often find that the integration of cyberspace operations with
other domains to make them an integral part of multi-domain operations is a
challenge. Cyber capabilities should be added to the mainstream operational
planning along with conventional capabilities in the initial planning phase.
One of the best ways to enhance cooperation and mutual support between
different military domains is the establishment of training and exercises
that integrate cyberspace operations into a command module. An example
is the exercise Crossed Swords that is organised by the NATO CCDCOE.
This kind of exercise brings together cyber technical teams, intelligence
units and Special Operation Forces (SOF) to achieve the mission goal by
accomplishing integrated cyber and kinetic objectives and fostering joint
operations. Depending on national needs, such exercises help to integrate
offensive cyber with special operations, enabling new technologies, tactics,
procedures and methods of contemporary conflicts to be practised in a
realistic environment. During this process, practical joint dictionaries and
information-exchange procedures can be developed to support better mutual
understanding and communication. Communication between different
domains during multi-domain operations is crucial, bearing in mind the
intensive, fast-paced, and mission-centric environment.

– National cooperation. Cooperation between national cyber security public
entities, such as national security agencies, national intelligence services and
police, should be carefully planned and coordinated to achieve synergies. At
national level, the cyber defence scope should be well defined and clearly
assigned to the Cyber Command. The responsibilities of the Cyber Command
(cyber defence) and of other public entities (cyber security) should be clearly
delineated to avoid duplication, confusion, and unnecessary competition,
which would lead to fruitless wear and tear. The cooperation process should
be established formally and implemented by use of a reputable information-
sharing platform such as MISP.

– International cooperation. Since most of the cyber operations against
our networks and systems originate in other countries, cooperation at
international level is essential. In particular, international cooperation is
necessary to repel, identify, attribute and respond to cyber operations against
the protected networks and systems.

– Cooperation with industry. Cyberspace is essentially a technological
domain in which cyber weapons and the means to make them form a vast
and continuously evolving market. Therefore there should be a specific
branch (technology department) within the Cyber Command to identify
technologies, products and companies that are usable by the Cyber
Command.

The staff who monitor technology should be in contact with cyber security/
defence-related companies, think tanks and scientific forums; should test
cutting-edge products and technologies according to the Cyber Command’s
needs; and should develop a catalogue of potentially suitable products and
technologies to serve as a reference for all the Cyber Command’s personnel.

– Cooperation with academia. The Cyber Command has several ways that
it can acquire new technologies and products, mainly through commercial
procurement processes (COTS), research and development projects from
the public sector (GOTS) and by own R&D. Own R&D, in some cases,
is necessary for economic, time or security reasons. In any case, over time
the three different mechanisms will be used to fulfil the Cyber Command’s
FOC. During the three acquisition processes, the support of the academic
community will be necessary. Furthermore, this support could be essential
to support own R&D.

Cooperation with academia will also be necessary to define, develop and
implement the staff training programmes of the Cyber Command and to
foster start-up programmes according to the Cyber Command requirements.

5.4 Assessment

During the planning of an operation, a commander should be advised on the possible
effects that can be created in and through cyberspace that would achieve the desired
objectives or would introduce higher risks and impact kinetic actions. This requires
personnel with high expertise in the domain and the capability to identify possible
targets and different courses of action, and to assess risks/opportunities that will enable
the commander to choose the best ways to employ the limited resources available
in order to get the highest return on investments. Also, there should be established
metrics of effectiveness that enable the calculation of success rates for the different
cyber operations and of collateral damage estimates so as to enable the decision to be
taken in the most informed way.

There are a number of assessments that a commander and his or her staff should take
into account when conducting cyber operations. A commander should seek to measure
whether the planned outcomes have been achieved against criteria set by the various
boards and the estimate process. Such measurements should seek to inform future
iterations of the cycle and the commander’s end-state.

Targeting Assessment: For a targeting assessment to be effective, preparatory work
must be done well in advance of the delivery of effects. This starts with the Target
System Analysis (TSA), which identifies and prioritises targets to best exert influence
on a system and thus to instruct which elements, criteria or conditions should be
monitored to inform targeting assessment, and which intelligence sources are best
suited to collect data against those indicators. Key to targeting assessments is gaining
an understanding of the following:

– Measures of Performance (MoP). These are the criteria used to assess
friendly action and are linked to achievement of the desired end-state.
MoP assess the effectiveness of targeting by friendly force elements and
are used to inform measures of effectiveness. MoP enable commanders to
judge whether the allocation of resources is adequate to achieve the desired
effects.

– Measures of Effectiveness (MoE). MoE are used to measure results
achieved in the execution of assigned tasks and they enable commanders
to identify the impact of targeting in relation to the mission. In cyberspace,
MoE are extremely difficult to determine. A part of MoE is the balance
of effort (cost) against the desired end-state (benefit). If the desired
end-state is not achieved, the target may need to be re-engaged using the same
means, or another means that is selected to achieve the desired end-state.
Unambiguous MoE are prerequisites for assessment. The MoE should be
directed during the planning cycle. MoE include Measures of Impact (MoI),
which are criteria used to assess the changes expected in a system because
of friendly non-kinetic tasks. MoI are a vital part of MoE.

– Effects assessment. This component of the targeting assessment checks
the effectiveness of actions to produce effects to achieve objectives. The
assessment process is continuous and directly tied to the commander’s
decisions throughout the planning, preparation and execution of operations.

– Combat assessment. This component of the targeting assessment considers
the effectiveness of targeting actions to produce effects. It comprises
three components:
• Battle Damage Assessment (BDA). BDA is the assessment of effects
that result from the application of military action, either lethal or
non-lethal, against a military objective.
• Munition Effectiveness Assessment (MEA). MEA assesses the means
applied in terms of overall effectiveness to determine and recommend
any required changes to the methodology, tactics or delivery parameters
to increase force effectiveness.
• Future targeting and re-attack recommendations. These
recommendations merge the results of what has been done with how it has been
done to provide the commander with recommendations on whether a
target should be nominated for re-attack or whether attention should be
turned to a new target.

– Collateral Damage Estimate (CDE). This measure supports the
proportionality test by which commanders determine whether the expected
collateral damage would, in total, be excessive in relation to the direct
military advantage anticipated. CDE in support of physical attack is a well-
established process with existing tools and methodology that provide a
degree of accuracy and assurance to support the targeting process.

– Collateral Effects Estimate (CEE). During any military operation, the
means and methods of prosecuting targets, where reasonable and feasible,
minimise collateral damage and collateral effects, and ideally avoid them
altogether. Unlike CDE, CEE is not well understood, nor is it quantifiable in
the same manner as it is in munitions-based targeting. Therefore, a qualitative
cyber operations methodology is in the process of being developed (see
Annex C).

– Positive Identification (PID). PID is an issue to be informed by expert input
from the intelligence and legal staffs as to the sufficiency and reasonableness
of the intelligence (see Annex D). These PID criteria are not exhaustive.
Examples provided within Annex D are illustrative, not prescriptive. The
IOT provides the intelligence staff with best practices. PID is related to but
not equivalent to validity of target: e.g., a system administrator may or may
not be a valid target depending on when and where they are performing
their function. PID would be required to confirm that they are currently in
a location and/or performing a function that makes them a valid target. For
cyber domain PID, location has three inter-related aspects: for the physical
layer, location is geographic as per other domains; for the logical layer,
location is determined in terms of topological connectivity within a network;
and for the persona layer, location is in terms of degree of relation (similar to
HUMINT network analysis).

5.4.1 Considerations of targeting cycle


The targeting cycle in cyberspace should follow the same steps as those already
established for all the other domains. In AOMs, however, since the offensive cyber
effects will be produced by nations that have voluntarily declared their willingness
to produce these effects, we will have to make sure there is room for discussion,
deconfliction and coordination.

FIGURE 9. CONSIDERATIONS IN THE CYBERSPACE ACTIONS CYCLE 34

34 Developed in collaboration with The Netherlands Armed Forces.

6. Recommendations & Best Practices
6.1. Recommendations
6.1.1 Standard Operating Procedures
It is recommended that SOP should be implemented to ensure effective resource and
time management for execution of all types of cyberspace operations. Every complex
routine operation or set of repetitive actions should be listed as a list of instructions or
procedures to be carried out.

6.2. Future research

6.2.1. Artificial intelligence


Artificial intelligence is expected to play an increased role in cyber operations, both
for defensive as well as offensive purposes, as humans may not be able to deal with the
scope and tempo of events in the digital domain. While the employment of automated
means is often intended to relieve claims on scarce human resources, it must be
understood that development of useful artificial intelligence applications requires
a significant involvement of personnel. Machine learning is not an autonomous
process and relies on the availability of skilled human operators in order to guide
its development to maturity. This requirement for extensive involvement of human
resources may however decrease over time.

6.2.2. Standardisation and diversification


Cyberspace is currently characterised by broadly accepted technical standards and
protocols. A desire for increased control over national enclaves of cyberspace may
result in increased diversification in the technical landscape over time. This will have
an impact on the availability of the required knowledge, skills and means to the Cyber
Command.

Annex A
Definitions

The definitions used in this document are either: (a) agreed NATO definitions; or (b)
working definitions used in cyber-related documents in different states of maturity
which are expected to be adopted by NATO at a later date.

CIS infrastructure operations - Actions taken to employ, secure, operate and
maintain CIS in a way that creates and preserves data availability, integrity and
confidentiality as well as user/entity authentication and non-repudiation.35

Computer network attack (CNA) - Action taken to disrupt, deny, degrade or
destroy information resident on a computer and/or computer network, or the
computer and/or computer network itself. Note: A computer network attack is a
type of cyber attack.

Cyber attack - An act or action initiated in cyberspace to disrupt, deny, degrade
or destroy by compromising communication, information and other electronic
systems, or the information that is stored, processed or transmitted on these
systems.36

Cyber defence (CD) - The means to achieve and execute defensive measures
to counter cyber threats and mitigate their effects, and thus preserve and restore
the security of communications, information or other electronic systems, or the
information that is stored, processed or transmitted on these systems.37

Cyberspace domain - The global domain consisting of all interconnected
communication, information technology and other electronic systems and
networks and their data, including that which is separated or independent, which
process, store or transmit data.38

Cyber effect - Effects39 initiated in or through cyberspace.

Cyber exploitation - Actions taken in cyberspace, short of cyber attack, to gain
an advantage and/or enable future operations.

35 IMSM-0222-2018 and AJP 3-20 Allied Joint Doctrine for Cyberspace Operations, Draft Version, Jan 2017
(hereafter: Draft AJP 3-20).
36 AC/322-N(2014)0072, Report on Cyber Defence Taxonomy and Definitions, May 2014.
37 Ibid.
38 Draft AJP 3-20.
39 A working definition for effect is provided through NATO definitions.

Cyber event - Any observable occurrence in cyberspace.40

Cyber incident - Any detected anomaly compromising or that has the potential
to compromise communication, information or other electronic systems or the
information that is stored, processed or transmitted in these systems.

Cyber ISR - Intelligence, surveillance and reconnaissance conducted in
cyberspace to collect data and information to achieve results that contribute to or
can be processed to intelligence.41

Cyberspace operations (CO) - Actions in or through cyberspace intended to
preserve friendly freedom of action in cyberspace and/or to create effects to
achieve the commander’s objectives.42

Cyberspace resilience - The overall technical and procedural ability of systems,
organisations and operations to withstand cyber incidents and, where harm is
caused, to recover from it with no or acceptable impact on mission assurance or
continuity.

Cyber security (CS) - The application of security measures for the protection of
communications, information and other electronic systems, and the information
that is stored, processed or transmitted in these systems with respect to
confidentiality, integrity, availability, authentication and nonrepudiation.

Cyberspace security (CS) - The state of a system in which it can resist events from
cyberspace likely to compromise the confidentiality, integrity and availability of
the data stored, processed or transmitted and of the related services that these
systems offer or make accessible.43

Cyberspace situational awareness - Situational awareness applied in cyberspace,
including information on threats, vulnerabilities, systems and services, their
mission impacts and resulting operational risks.

Defensive cyberspace operation (DCO) - Defensive actions in or through
cyberspace to preserve friendly freedom of action in cyberspace.44

Domain - The sphere of interest and influence in which activities, functions, and
operations are undertaken to accomplish missions and exercise control over an
opponent to achieve desired effects.

40 National Institute of Standards and Technology Special Publication 800-61 Revision 2, August 2012.
41 IMSM-0222-2018.
42 Draft AJP 3-20.
43 Ibid.
44 Ibid.

Mission assurance (MA) - A process to protect or ensure the continued function
and resilience of capabilities and assets, including personnel, equipment, facilities,
networks, information and information systems, and infrastructure and supply
chains critical to the execution of mission-essential functions in any operating
environment or condition.45

Offensive cyberspace operation (OCO) - Actions in or through cyberspace that
project power to create effects which achieve military objectives.46

45 Ibid.
46 Ibid.

Annex B
References

NATO documents

1. AJP-3 Allied Joint Doctrine for the Conduct of Operations, Edition C
Version 1, Feb 2019.
2. AJP 3-20 Allied Joint Doctrine for Cyberspace Operations, Draft Version,
Jan 2017.
3. AC/322-N(2014)0072 Report on Cyber Defence Taxonomy and Definitions,
May 2014.
4. MC 362/1 NATO Rules of Engagement, Jun 2003.
5. IMSM-0222-2018, High-level Taxonomy of Cyberspace Operations, Jun
2018.

Legal documents

6. Protocol Additional to the Geneva Conventions of 12 August 1949, and
relating to the Protection of Victims of International Armed Conflicts
(Protocol I), June 1977.
7. Draft articles on Responsibility of States for internationally wrongful acts
adopted by the International Law Commission at its fifty-third session
(2001). Extract from the Report of the International Law Commission on
the work of its Fifty-third session, 2001.

Case law

8. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v
US) [1986] ICJ Rep 14.

Other

9. National Institute of Standards and Technology Special Publication 800-61
Revision 2, August 2012.
10. Zimmerman, C. 2014. Ten Strategies of a World Class Cybersecurity
Operations Centre. MITRE Corporation. Available at:
https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

11. Stinissen, J., Minarik, T., Pissanidis, N., Veenendaal, M., Glorioso, L. 2015.
A Study for Existing and Possible Rules of Engagement. NATO Cooperative
Cyber Defence Centre of Excellence.
12. Schmitt, M. N. (gen. ed.) 2017. Tallinn Manual 2.0 on the International Law
Applicable to Cyber Operations. Second edition. Cambridge University
Press, Cambridge.
13. Melzer, N. 2009. ICRC Interpretive Guidance on the Notion of Direct
Participation in Hostilities under International Humanitarian Law.
International Committee of the Red Cross.

Annex C
Cyber Collateral Effects Estimate Process

[Figure: Cyber Collateral Effects Estimate Process flowchart]
Step 1 TARGET VALIDATION
Step 2
Step 3
Step 4
Step 5
Step 6 COMMANDER’S RECOMMENDATION

COLLATERAL EFFECTS ESTIMATE PROCESS

Background

1. The purpose of this document is to provide guidance notes for the Collateral
Effects Estimate Process (CEEP). The requirement for a CEEP is to provide
a framework for operational planners and commanders to ensure that due
diligence has been applied in understanding the collateral effects that may
be realised as a result of an intended non-kinetic strike.

2. The CEEP has been designed as a 6-step process and is broken down as
follows. Step 1 is target validation; this mirrors the standard target validation
processes. Steps 2, 3 and 4 set the scene and provide context for how
significant the collateral effect will be. Steps 5 and 6 provide a quantitative
and qualitative summary of the likely collateral47 effect for the commander.

Phases

3. Step 1 - Target validation. The first step of the CEEP is to ensure that the
target is valid. The target must have been positively identified (PID) and be
authorised by Rules of Engagement (ROE); should either of these not be
in place, the collateral estimate process stops and further target validation
work is required. It is necessary to confirm that there is no environmental or
CBR plume hazard estimated; if there is a likelihood of this being possible,
the Sensitive Target Approval Review (STAR) process must be followed
before the next step of the CEEP. If the target is considered a Non-Strike
Entity (NSE) then a higher level of authority will be required and the target
removed from the NSE list before validation. A target considered NSE will
result in a CEE value of ‘high’; however, the collateral effects estimation
process can continue to better determine the residual risk.

4. Step 2 - Propagation. The second step is to consider the propagation of
the effect beyond the intended target. The output of this step should be
specifically considered during the Nature of Collateral Systems element of
Step 5. If the effect cannot propagate outside the target then the CEE value
is zero and thus the CEEP is complete. If the effect can propagate outside the
target then an estimate of the extent to which it can do so is required. Limited
propagation can be defined as a collateral effect that is realised on only the
target system or network.48 Local propagation can be defined as the target
network and its immediately connected networks, systems or services.49
Wide propagation can be defined as the target network, its directly connected
networks and subsequent indirectly-connected networks.50 The effect may
propagate from the target and reach other legitimate targets. In this case, the
effect would be considered transient or additional and thus the CEE would
be considered zero.

47 Defined as the anticipated loss of life and damage to civilian property.
48 Example: A local propagation in the same circumstances would see the effect realised outside of the VLAN
and spread throughout the local network but limited to the immediately connected infrastructure.

5. Step 3 - NSE. The third step requires consideration of whether the effect
could extend into NSE. This is not to confirm if the intended target is NSE
(Step 1 deals with this), but rather to understand the likelihood of the effect
propagating beyond its intended target and resulting in an undue effect on an
NSE.

6. Step 4 - Persistence. The fourth step considers how persistent the effect
is; specifically, if the effect can be considered reversible either by the
implementer or by the adversary. Reversible is defined as it being possible,
through a series of actions, to reverse or mitigate the effect and return all
services to normal. That is, it is non-destructive and non-permanent. From
an implementer’s perspective, this could be considered a buzzer on/buzzer
off capability. From an adversary’s perspective, it would require basic
administrative intervention or a system restart returning services to normal.
The output of this step should be considered as an input to the Estimated
Recovery Effort element of Step 5.

7. Step 5 - Assessment. The fifth step in the process reviews three critical areas
of concern and allocates a quantitative and qualitative value for each. The
three areas are:

a. Civilian Casualties.51 This requires an estimation of the total number
of civilian collateral casualties that may result as a direct effect of our
actions and an indirect result from the intended effect. The commander
will have received guidance on the number of non-combatant casualties
that are within the threshold of his decision making power. To that end,
the breakdown of each of the scores is as follows:

(1). No civilian casualties result in a score of one and a CEE
value of Low.
(2). A number of civilian casualties that is greater than one but
lower than the allowed threshold results in a score of three
and a CEE value of Medium. This will result in a minimum
of an overall CEE value of Medium in step 6.
(3). A number of civilian casualties that is greater than the allowed
threshold results in a score of five and a CEE value of High.
If the estimated number of civilian casualties is likely to
be greater than the allowed threshold, other mitigations or
additional authorisation must be sought by the commander
before proceeding.

49 Example: A local propagation in the same circumstances would see the effect realised outside of the VLAN
and spread throughout the local network but limited to the immediately connected infrastructure.
50 Example: A wide propagation in the same circumstances would result in the effect being realised beyond
the target infrastructure and into non-target networks that may include, but is not limited to, the internet.
51 Defined as loss of human life but does not include non-lethal injury.

b. Nature of Collateral Systems. This requires an estimation of the type of
system that is likely to be affected. The nature of the potential collateral
systems may be significantly different from that of the target system. A
breakdown of each of the scores is as follows:

(1). A score of one is allocated when a single endpoint is likely
to be affected. Personal devices such as mobile phones,
laptops or workstations where their primary purpose is not
for commercial or business use fall into this category.
(2). A score of two is allocated when the collateral system or
systems include several devices, including mobile phones,
laptops and desktops that are not commercial in their primary
use.
(3). A score of three is allocated when the collateral systems
are integral to the operations of small-52 to medium-sized
enterprises.53 This covers public, private and third sector
enterprises.
(4). A score of four is allocated when the collateral effect
extends to systems of large54 commercial and government
organisations resulting in a significant loss of output,
including financially.
(5). A score of five is allocated when the collateral effect extends
to Critical National Infrastructure (CNI). This score is given
when the system or systems affected are not directly affecting
the function of the CNI.55
(6). A score of ten is allocated when the collateral effect extends
to CNI and the system or systems affected have a direct
impact on the function of CNI output.

52 Defined as an organisation with between 10 and 49 employees.
53 Defined as an organisation with between 50 and 249 employees.
54 Defined as an organisation with more than 250 employees.
55 Example: The HR/administrative network within a power station or similar SCADA system.

c. Estimated Recovery Effort. This requires an estimation of the total
burden of effort that the adversary, neutral or friendly forces are likely
to have to expend as a direct result of the effect and its immediate
implications. The estimation takes into account time and resources to
give greater fidelity to the overall cost. A breakdown and definition of
each of the scores are as follows:

(1). A score of one is allocated when the effect can be mitigated


immediately by either the perpetrator or the affected system
owner with little or no cost.56 It should be noted that the level
of persistence (reversible or non-reversible) will significantly
influence the score.
(2). A score of two is allocated when the local administrator can
conduct mitigating actions and return services to normal at
minimal cost and minimal delay.
(3). A score of three is allocated when a 3rd party contractor (or
3rd line maintenance equivalent) is required to resolve the
effect with significant financial cost and delay.57
(4). A score of four is allocated when a 3rd party contractor (or
3rd line maintenance equivalent) is required to be employed
to resolve the effect with a high level of financial cost and
delay.58
(5). A score of five is allocated when a complete replacement of
the system is required causing a prolonged capability outage
and a high level of cost (both time and money) to the system
owner.

8. Step 6 - Commander’s recommendation. The final step in the process
results in two outputs for the commander; a numerical value indicating
the scale of collateral likely to occur and a summary narrative that draws
together the output of each of the questions. These outputs are intended to
provide the commander with an easily digestible brief indicating where the
key areas of concern sit and highlighting where additional attention and
consideration should be focussed, if necessary, before authorising non-
kinetic strike action.

56 An example of this would be a system restart by the system owner or for the perpetrator to ‘turn off’ the
effect.
57 An example of this would be a 2-5 day degradation of service and/or up to £10k cost.
58 An example of this would be a degradation of greater than 5 days (but not resulting in complete
replacement of the system) and/or a financial cost greater than £10k.

a. Numerical score. The overall numerical score is an aggregate of each of
the scores from step 5. A total score of 3-6 will result in an overall CEE
value of Low. A total score of 7-10 will result in an overall CEE value of
Medium. A total score of 11 or higher will result in an overall CEE value
of High.

b. Commander’s summary. The commander’s summary is intended
to be a formal narrative that can capture the essence of the analysis
succinctly and enable easier decision making. An example template for
this narrative is below.

c. Summary template. A summary template is as follows: “The Collateral
Effects Estimate (CEE) determines that this operation is likely to
result in [A] propagation from an effect that is [B] by the employer
and [C] extend to Non-Strike Entities (NSE). It is estimated that the
level of civilian casualties is [D], the nature of the collateral systems is
determined to be [E] and the total amount of effort required to recover
from the effect is [F]. Overall that results in a CEE recommendation of
[G].”

d. Summary template key. Below is the key to the variables required to
be inputted in the summary template.

(1). A. Insert - Limited/Local/Wide.
(2). B. Insert - Reversible/Non-Reversible.
(3). C. Insert - Does/Does not.
(4). D. Insert - Low/Medium/High.
(5). E. Insert - Low/Medium/High.
(6). F. Insert - Low/Medium/High.
(7). G. Insert - Low/Medium/High.

65
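Step 6 above is a scoring and narrative procedure; the Python below is an added example, not part of the handbook, that implements the aggregation bands (3-6 Low, 7-10 Medium, 11 or higher High) and fills the summary template with keys A to G. It assumes three scored questions (keys D, E and F) each scored 1 to 5, and the mapping from a single question score to its Low/Medium/High descriptor is an assumption the handbook does not state.

```python
"""Collateral Effects Estimate (CEE), Step 6: aggregate the question scores
and render the commander's summary (added example, not from the handbook)."""

# Assumption: three scored questions, template keys D, E and F, each scored
# 1-5, which matches the handbook's minimum aggregate of 3.
SCORED = ("D", "E", "F")
CHOICES = {"A": ("Limited", "Local", "Wide"), "B": ("Reversible", "Non-Reversible"),
           "C": ("Does", "Does not")}
TEMPLATE = (
    "The Collateral Effects Estimate (CEE) determines that this operation is "
    "likely to result in {A} propagation from an effect that is {B} by the "
    "employer and {C} extend to Non-Strike Entities (NSE). It is estimated that "
    "the level of civilian casualties is {D}, the nature of the collateral "
    "systems is determined to be {E} and the total amount of effort required to "
    "recover from the effect is {F}. Overall that results in a CEE "
    "recommendation of {G}.")


def cee_band(total: int) -> str:
    """Key G from the handbook's bands: 3-6 Low, 7-10 Medium, 11+ High."""
    if not 3 <= total <= 15:
        raise ValueError(f"aggregate score out of range: {total}")
    return "Low" if total <= 6 else "Medium" if total <= 10 else "High"


def question_level(score: int) -> str:
    """Assumed 1-5 to Low/Medium/High mapping for keys D, E, F (not in the handbook)."""
    if score not in (1, 2, 3, 4, 5):
        raise ValueError(f"question score must be 1-5, got {score}")
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"


def cee_estimate(scores: dict, a: str, b: str, c: str) -> dict:
    """Validate inputs, aggregate D/E/F scores and fill the summary template."""
    if sorted(scores) != sorted(SCORED):
        raise ValueError(f"expected scores for {SCORED}, got {sorted(scores)}")
    fields = {"A": a, "B": b, "C": c}
    for key, value in fields.items():
        if value not in CHOICES[key]:
            raise ValueError(f"{key} must be one of {CHOICES[key]}, got {value!r}")
    fields.update({key: question_level(val) for key, val in scores.items()})
    total = sum(scores.values())
    fields["G"] = cee_band(total)
    return {"total": total, "value": fields["G"], "summary": TEMPLATE.format(**fields)}


if __name__ == "__main__":
    # Constructed sample: a reversible, locally propagating effect scored 2/3/3.
    result = cee_estimate({"D": 2, "E": 3, "F": 3}, "Local", "Reversible", "Does")
    print(result["total"], result["value"])
    print(result["summary"])
```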
Annex D
Positive Identification

This annex provides PID criteria that need to be further developed and analysed. The criteria must be in accordance with international law, for instance with the principle of distinction.59

Cyber Ops General PID Criteria

Function

Persona Layer
• Persona is associated with unique account credentials (banking information, username/password, OAuth credentials) used to access systems or networks associated with target function.
• Persona performs activities or engages in communications (administers networks, communicates in forums) to provide or enable the targeted function.

Logical Layer
• Network information (MAC, IP, VLAN, VPN) related systems (routers, switches, repeaters, servers, computers) associated with the target that provide the targeted function.
• Protocols used to establish and maintain connectivity between logical elements of the system associated with the target that enable the target function.
• Applications or services (software packages, configurations, hosting services, forums, firewalls, encryption services) that provide or enable the targeted function.

Physical Layer
• Facilities or physical infrastructure which houses or supports systems that provide the target function.
• End-points, IT systems or network infrastructure associated with the target that provide the targeted function.
• People (users, administrators, maintainers) who provide the target function or use the system that provides the target function.

Location

Persona Layer
• Persona is associated with unique accounts (forum ID, login credential) associated with the target function.
• Persona is adjacent or connected to other known personas (members of an administrators’ group) within a network providing the targeted function.

Logical Layer
• Applications or services (domains, IP addresses, email addresses) associated with the targeted function.
• Logical locations or link information used for establishing communications (gateways, netblocks, phone numbers, IMSI, IMEI, MSISDN) associated with the targeted function.
• Communication channel information (frequencies, wifi SSID) associated with the targeted function or its communications.

Physical Layer
• Physical coordinates associated with the facilities or infrastructure.
• Physical coordinates associated with end-points, IT systems or network infrastructure (VSAT terminals, etcetera).
• Physical coordinates of users, administrators or maintainers in proximity to the target function.

59 For example, ‘Persona is adjacent or connected to other known personas (member of an administrators’ group) within a network providing the targeted function’; it cannot be positively identified that they are directly contributing to hostilities.

Annex E
Functional areas and special
advisors – cyber-specific tasks

Functional area: Main Tasks / Responsibilities

C1
• Management of cyber operations job profiles.
• Identify and address cyberspace operations workforce planning and management issues, such as recruitment, evaluation, discipline, career planning, medical readiness and retention.

C2
• Create and update the Recognised Operational Picture to maintain situational awareness.
• Implement, maintain and update physical security procedures and controlled access authorisation system.
• Vulnerability Assessment:
- Determine the cyber posture of the troops: Which digital means are in use and are they vulnerable or not? These means can be social media, online portals, personal electronic devices, Wi-Fi, radio networks and satellite communications.
- Make sure that sufficient mitigating security controls are in place to protect weak points in the cybersecurity posture of the troops. These measures include the usual domains such as personnel and physical security, but must also be extended to cyber (password management, controlled use of accounts and administrative rights, timely updates, availability of backups, ...).
• Threat Assessment: Determine and analyse internal and external potential real-world threat actors through multiple sources. Assess their capabilities, limitations and intent. Describe using Indicators of behaviour for possible future planned attacks and evidence of previous attacks.
• Intel gathering:
- Call upon the intelligence community’s assets to collect the information needed for the preparation and execution of cyberspace operations.
- Provide the information and intelligence gathered through cyberspace operations to the intelligence community.

C3
• Identify, create and update the Cyber Prioritised Asset List (CPAL).
• Identify targets and Cyber Key Terrain (CKT).
• Nominate cyber targets.
• Create and update a contact database with all relevant national and international actors.
• Integrate cyber defence aspects into all relevant processes, include cyber considerations in operations synchronisation.
• Maintain awareness of own important enablers connected to cyberspace, and identify and list cyber dependencies for the operation.
• Conduct a risk assessment of those dependencies.
• Coordinate mitigation efforts with J6.
• Coordinate between cyber intelligence and targeting.
• De-conflict cyber battle damage assessment.
• Include mission-relevant cyber aspects in the CPOE.
• Coordinate cyber activities within the JOA.
• Coordinate update and dissemination of Cyber IRs.
• Monitor FC/CCs cyber defence plans.
• Conduct CDWG.

C4
• Guarantee contractors and local supply chain security compliance by maintaining awareness of cyber vulnerabilities. Information acquired in this respect may serve as I&Ws of adversary activities.
• Keep track of long supply chains, with complex critical logistics cyber vulnerabilities.
• Establish reach-back function to national supply chains, be aware of whether chains have sufficient protection.
• Enable flexible and expedient ordering and delivery of cyber equipment.

C5
• Integrate cyber operations into all relevant planning products.
• Maintain a cyber risk assessment matrix.
• Maintain cyber defended assets database.
• Maintain business continuity planning timeline (time needed to change systems, etc.).

C6
• Make sure systems are up and running, and that they stay up and running.
• Be responsible for conducting the necessary CIS Infrastructure Operations.
• Maintain an overview of the status of relevant systems.
• Mitigation and business continuity planning.
• Information assurance, CIA.
• Maintain a detailed overview of infrastructure, bandwidth, sensors, coding, etc.
• Support the Cyber Defence SMEs in coordinating Cyber Defence CIS issues.
• Liaise with NCIA and other reporting/coordinating/warning organisations – identify if and when help is needed.

C7
• Develop the goals and objectives for cybersecurity training, education, and awareness for the different target audiences.
• Evaluate the effectiveness and comprehensiveness of existing training, education and awareness programmes.
• Develop new or existing awareness and training materials that are appropriate for the intended audiences.
• Set up effective learning environments and classroom techniques (including cyber ranges).
• Follow up the execution of the training, education and awareness programmes.
• Lessons learned: Documentation of identified lessons is important for the ability to work continuously on improving the implementation of cyber aspects.

C8

C9
• Maintain the contacts of key HN authorities, IOs and NGOs.
• Conduct and advise on the engagement with HN authorities, IOs and NGOs.

C10
• Guarantee compliance with already defined processes and estimates.

C Eng
• Maintain an overview of HN and Adversary critical infrastructure.
• Advise on engineering aspects of infrastructures under cyber interest.

InfoOps
• Maintain the cyber-related action lists for Info Ops.
• Conduct Info Ops awareness campaign addressing cyber aspects.
• Coordinate Information Activities related to a Cyber Operation.
• Advise on Info Ops response options to cyber incidents.

PAO
• Maintain the overview of public information over cyber-related topics.
• Be aware of, and advise on, the public affairs related to cyber incidents.

Special Advisors

POLAD
• Be aware of, and advise on, local, national, regional and international cyber policies.
• Identify gaps and develop policies, programs, and guidelines for implementation such as a cyber security strategy, supply chain security concept.
• Participate in International meetings and coordination.

Legad
• Be aware of, and advise on, the application of national and international laws, regulations and policies related to cyber incidents and operations.
• Propose relevant offensive cyber aspects into ROE.
• Evaluate contracts to ensure compliance with legal requirements.
• Evaluate the effectiveness and efficiency of laws, regulations and policies.
• Translate applicable laws and regulatory documents into policy.

STRATCOM
• Ensure coordinated and appropriate use of strategic communications activities and capabilities in support of Alliance policies, operations and activities related to the cyber domain.