ib 11 Sec 1 4 tall id I USCYBERCOM 3lIl-Dayt Assessment of Operatitm t GLOWING Executive Summary t TE c Operation 0GB is a United States Cyber Command USCYBERCDM operation targeting the isiamlc State in Iraq and the Levant I To Through Operation sought to contest 1811 's to execute its media and contest the enemyt in the information domain and Key to this operation was close coordination between Joint Task Force JTF ARES USCYBERCOM the Federal Bureau of Investigation FBI the National Security Agency NBA and- to maintain pressure on and to address attempts by media to reconstitute Foot-it initiated Dos since the start of the operation Coalition foroos iT'imsu jsEL TO Wt EttE t During the initial mission period Coalition forces successfully executed the operation according to plan to And at the request of US Central Command USCENTCOM we have successfully cscoutoo in support of their Combatant Command objectives EL TC1 r i USCYBERCDM assesses that 068 has imposed time and resource costs ll Sec 1 4m id or i The Intelligence Community lC assesses that OGS disrupted media Reporting reflects that Coalition operations have temporarily caused to Overall USCYBERCOM assesses that 068 successfully contested in the information domain i To Uin EvE ri Operation GLOWING is the most complex offensive cyberspace operation USCYBERCOM has conducted to date Process establishment and re nements will help USCYBERCOM posture for future policy discussions such as the policy implications of cyber operations with effects against i The scale and complexity of OGS has also allowed us to learn a number of lessons that will benefit the community as we move forward The main report discusses our lessons learned with respect to The initial approved strike window for 088 was for 30 days concluding at Based upon the experiences and lessons of 068 USCYBERCOM will inform and coordinate for OGS with our lnteragency partners in order to disrupt bill SEC 1 4iaiidiig I USCYBERCOM 30-Day Assessment of Operation GLOWING Lu This document represents the United States Cyber Command assessment of Operation GLOWING DOS after 30 days from initiation of the operation The assessment is divided into four main sections The Operational Overview section describes the planning and execution of the operation including an assessment of task accomplishment The Operational Effectiveness section summarizes the USCYBERCOM assessment of the effects of DOS on ISIL as well as the maturation of United States US Government USO approval processes for offensive cyberspace operations 000 The Lessons Learned section describes a selected subset of the lessons learned as a result of 085 Finally the Way Ahead section describes the USCYBERCOM recommended follow-on actions OPERATIONAL OVERVIEW It MI a DOS is a USCYBERCOM operation targeting the islamic State in iron and the Levant t 065 focused on ISIL media and propaganda operations- - - - This section describes the planning and execution of DOS The planning portion eiiplains the purpose concept of the operation and initial expectations The second portion summarizes the execution of OGS including Coalition and lnteragency efforts U PLANNING In accordance with intent through OperatIon USCVBERCOM sought to contest iSii abiiIty to execute its media and nff 7 - bi 1i Sec 1 4iaiidiiqi contest the enemy in the tntetmettett demete ene i TEIGU Ttit E'ttE't i Figure 1 graphically depicts the concept of the operation for 088 The initiai phase consisted et lntera-enc Action 1' 'j FVEY PartnerAction Figure 1 OGS Concept of the Operation To tee-tint tt USCYBERCOM designed 068 to thereby degrading and disrupting lSiL's ability to disseminate and distribute media and propaganda git-belly Key to this operation was close coordination between Joint Task Force JTF ARES USCYBERCOM the FBI the zPa'ir - mil Sec NSA and The techniques used in 068 ensured that the operation would Additionally USCYBERCOM coordinated the operation with Combined Joint Task Force Operation Inherent Resolve and United States Central Command USCENTCOM to its execution with offensive operations in Mosul lrao r i DEL - _t -- ilnitiai expectations were that Coalition operations would significantly impact media distribution and dissemination however planners also recognized that U - i USCYBERCOMinitietedt- ies Sioce the start of the operation we hetie to ietti t it t' operation were well coordinated In a number of cases i 068 continues to oteooine with the The FBI is addressing 3 l5 I ibiill Sec after coordination with the Office of the Secretary of Defense for Policy and the Joint Staff The team was prior to ees execution Tr US At the request of USCENTCOM JTF ARES executed Additionaliy we are coordinating with USCENTCOM ire irr support of around With respect to the Coalition's task performance we assess our task accomplishment in the execution of 0G5 as successful overall USCYBERCOM in support of USCENTCOM operations For further discussion of task accomplishment measures of performance and assessment for 065 see Appendix A U OPERATIONAL EFFECTIVENESS i'r This section assesses the effectiveness of CBS in two parts tied to the original purpose of the operation The first part describes the effects of 068 on as reported in intelligence reflections and operational observations The second part summarizes the maturation of the process for approving OCO les-2L1 tr a LE 'IThe arrangement of cyber capaoIlItIes in time space task and purpose is critical to operational success Therefore the global actions executed by JTF ARES during 068 were characterized er IMPACT ON Trir i_r is F'ifE USCYBERCOM assesses that 068 has imposed time and resource costs on The b 1i Sec 1 4ta i operation ISIL media - This infrastructure was used to support propaganda production distribution dissemination and ISIL media The fui extent of the impact of 06 8 on the ISIL media system is difficuit to assess comprehensively due to performing simiiar functions for media t it The H assesses that 068 disrupted media Dessersetee assessed to be uses by use media fer - 5 OGSdidiaFEEt 0G5 did not target which were not directly targeted by 068 W USCYBERCOM assesses that medie c't gt -- - was not targeted in 0G8 continues to 1 While 068 was not intended to target lSlL' s 0G3 has had a limited and temporary but publically visible success against During 06 8 the Coalition was able to target _Crll'H'E However recent reporting suggests lSiL is - i' t 068 removed ateete according to USCYBERCOM analysis 7 This removal according to signals 05' i it within the ISIL media apparatus has In addition USCYBERCOM during the initial days of 068 media apparatus gun tn iS also et addittdna media to enhance future targeting efforts ' In summary Coalition operations as part of 065 contested ISIL ability to exeoute its media operations by imposing time and resource costs It is deer that OGS has impacted Reporting re ects that F See 1 4taiidllol Coalition operations have temporarily caused ISIL to but it is not yet clear whether this will make media operations - USCYBERCDM assesses that 068 has successfully contested ISIL in the information domain U PROCESS MATURANON '2 1 Planning and executing OGS the most complex offensive cyberspace operation has conducted to date provided the opportunity to truly exercise the application of existing authorities and processes As a result USCYBERCOM has stimulated the codification and normalization of processes for the approval of 000 methods which can be effectively applied to future operations 068 was successful in prosecuting only those target elements approved for action Even at the significant operational scale Coalition forces were able to execute the mission precisely and discreetly I The main strategic risk In the cyber domain is The cyber domain Is geographIcaIv agnostic is not necessarily constrained by geographic boundaries To conduct OCO effectively cyber forces maneuver through cyber infrastructure that exists globally For coordination of Interagency equities USCYBERCDM adheres to the Joint lnteragency Coordination process Outlined in the- TI- - El Joint lnteragency Coordination process is a fairly mature process but one that has not been used to the speed scope and scale of operations as executed during 068 Through 063 we have taxed the process and begun to mature it Related to- - the existing SecDef elevation policy in the event of an lnteragency partner non-concurring with has been exercised only one time again during the OGS approval process The Department of Defense DOD USCYBERCOM and the lnteragency developed processes in stride to resolve partner non-concurs These processes should be evaluated codified and tested through future operations before considering further delegation of authority bill ibii5l Sec 1 4iai id I- Operational risk Is directly correlated with the speed and efficiency with which we can conduct interagency coordination and execute_ Joint Interagency Coordination process Strong partnership with the Interagency the i0 and our international teammates mitigates this risk Furthermore codification of procedures learned through the execution of operations such as 068 will help to normalize the process increase efficiency and decrease operational risk To mitigate the strategic risk_ and to address the operational risk related to the above mentioned critical operational elements continues to work with the Joint Staff our Interagency partners and our Coalition teammates to develop and refine policy and processes If cyber operations are not conducted in strict adherence to our guiding authorities and policies then the strategic risk increases Closely coordinated notification strategies when required between the Dos and the IC are paramount to operational success - r- I The planning and execution of 063 demonstrates the value In elevating policy concerns to throughout the planning process to identify and resolve concerns concurrent with operational deconfliction between Combatant Commands and intelligence equity dec nf'icti n Within the Although the Joint Interagency Coordination process resulted in interagency non concurs the non concurs were resolved in a manner that accounted for equities but ensured the timing and tempo ofthe operations achieved the desired effect Joint Interagency Coordination process is discussed further in the Lessons Learned section U LESSONS LEARNED TE rc- ever Planning and executing OGS provided the opportunity to truly exercise the While the command learned many lessons throughout the process a number of areas stand out The primary recommendations are described below Appendix includes moredetailed discussions -- Authorities and Policies Normalize approval processes interagency policies and processes are not established to meet the demand for speed scale and scope required for effective cyberspace operations including Joint Interagency Coordination process that is still in a transitional state -- remains an unresolved policy issue- However cyberspace operations policy should allow USCYBERCOM to- Haas Joint Interagency Coordination Normalize Interagency policies and processes to adjudicate Interagency non-concurs expeditiously in a manner that supports dynamic targeting within the cyber domain Till 5 - Collection Management Incorporate positive lessons learned into standard practices collection management tradecraft and products for future operations Strengthen coordination with allies on collection and reporting capabilities and plans with a particular emphasis on_ In addition Emab'ish Dr cedure m_ PH gt bl ill 590- l-tilai ldi lei lb related to the operation- - Additional resourcing of s in cyberspace element would allow more robust support to operational planning and execution littles l Targeting Adhering to established vetting standards should reduce the time and effort required advance the targeting process as all parties get to vote comment at the same time Targets should be developed to support established plans containing measures of performance MOPS and measures of effectiveness MC-Es that are clearly linked to well defined objectives Establish measureabie MOEs based on determination of what intelligence is known or likely i to be known about adversary activities Ir'n WE Military Assessments Given the likelihood that USCYBERCOM will be conducting more frequent and widely-scoped cyber operations throughout the global Internet infrastructure 'In the future would help expedite the request and approval process and ereviee eleenere with feeteree up front Into weer CONOPS U WAY AHEAD The initial approved for OGS was concluding at Based upon the experiences and lessons of DES USCYBERCOM will inform and coordinate with our Interagency partners in order to disrupt combined with effects from the Coalition and Additionally JTF ARES will will continue a running assessment to inform a decision point Iii-'39P Ti'l ls- l Fl 'Wi USCYBERCOM and JTF ARES will continue to develop future operations focused on impacting the ISIL media brand and defeating lSlL's online presence These operations will be a viewed as a part of a larger sustained campaign and not one-time effort This way forward will require aiPage Tell-u our Sec 1 4 id U APPENDICES A i_ Assessment of Task Accomplishment B The Joint Interagenoy Coordination Timeline- E Lb 1 rliai Ci ql APPENDIX A ASSESSM ENT 0F TASK ACCOMPLISHMENT 6- This appendix describes our framework for assessing task accomplishment which captures how well we executed Operation GLOWING It is graphically depicted in Figure 2 OPERATION GLOWING Legend I Successfuitask accomplishment Succesaiul with some caveats Unsuccessiul Olnitialmission Not evaluated perIod onfy Figure 2 063 Assemment of - - The framework rs broken down by phase from the OGS Concept of the Operation with supporting measures of performance and indicators Actual numerical data for each indicator Is shown in blue After each indicator description are the Coalition partners represented in the data The stop light circle next to each indicator assesses that particular measure against the thresholds established in the CONOP The gray circles represent indicators that are not important for assessing task accomplishment but still contribute to the understanding of Coalition activities Black outlined circles indicate those measures that only apply to the initial mission period and were not updated as the operation continued The fuii legend is shown on the bottom left of the figure Overall we assess the task execution of 063 as green or successful Only two evaluated indicators are amber the remainder are green The first indicator is amber because the teams were not able to had no negative impact on the mission The second amber indicator is that for which was the eriginei intent efthe coupe The thrashed for green -- See 1 7 e Note that some reportmg shows different numbers for The difference is that here we do not count the IJU bi Sec 1 4 a APPENDIX B THE JOINT INTERAGENCY COORDINATION TIMELINE This appendix describes the Joint lnteragency Coordination process leading up to the execution of Operation -- -At the operational level USCYBERCGM planners identified three key decision points leading up to the operation The DPs are described in Table 1 below Tobie 1 065 Decision Points DP Event Decision Required Decision Criteria JIATF Actions hi Sec 1 4m tdi Il-gi r The overall Joint lnteragency Coordination timeline Is shown In Figure 3 The Concept of Operation for Operation was released to our Joint Inert-genera Task Force UIATFI partners United States sitter Command USCYBERCOM participated in a Video Teleconference with members of the Office of the Secretary of Defense for Policy and the Department of State The purpose of the WC was to present a detailed overview of the Joint Task Force ARES hosted an operations conference with key stakeholders During they conducted advanced target development force allocation and conciuded with their initial of actions by all those participating in the operation The results of this conference helped address some of the concerns raised by our lnteragency partners chaired a Joint Targeting Coordination Board with the and Combatant Command CCMD representatives This board validated the isiamic State in Iraq and the Levant iSlL as a valid military target Foilowingthis the CONDP Package was submitted to the Department of Justice -- Figure 3 MEL-TOW 065 Joint interagency Coordination Timeiino 35 t' 21 -- f' At the completion of the Joint lnteragency Coordination process- Department Agencies non- concurred The results were briefed to the Commander USCYBEFECOM and Commander US Strategic Command CDRUSSTRATCOM and USCYBERCDM initiated a series of Key Leader Engagements to resolve the non-concurs The primary concerns by lnteragency partners centered on USCYBERCOM was unable to resolve some of the concerns CDRUSCYBERCOM elevated to the Secretary of Defense SecDef I per policy A series of Deputies Committees DC and Principies Committees PC met to resolve the non-concurs During this process - the USS concept of the operation was adjusted to IJ bi l 1i Sec Leia SeeDef the execution or 068 as scoped through the 00 PC process USCYBERCOM initiated operations The time required to elevate and negotiate the interagency non- concurs ereveetee USCYERCOM frem ee- erieinelw designed While reporting indicates that the execution of witeie med4e media infrastructure iidi igi ib Sec Lei ta id to APPENDIX C LESSONS LEARNED I This appendix describes the observations and recommendations associated with our primary lessons learned as a result of planning and executing Operation GLOWING SHREL AUTHORITIES AND POLICIES 61 T O laeervation Although the collateral effects estimate GEE for 068 was determined to be no GEE the operation required within the context ei - Discussion _ was the authority used during the conduct of approved by the President of the United States POTUS in the event of a non-conour from a voting member of the interagency USCYBERCOM exercised this exact process and the timeline in support of the 068 approval see Appendix The non-concurs highlighted ifi' Recommendation Normalize approval processes lnteragency policies and are net ie Joint interagenoy Coordination process that Is still in a transitional state Observation Priort 000 111 SEC Lelia id El l5 when under the authorities granted via Kai Fuel Despite the plan and agreement of USCYBERCUM continues to analyze reportingto codify the degree to which the adversary exploited this appertunity FED i Tr ll7u She-the tettew en operations propose more invasive tactics and or utilize more sophisticated capabilities it would be ill- advised to risk critical infrastructure and or capabilities unnecessarily Recommendation remains an unresolved policy issue- However cyberspace operations policy should allow USCYBERCOM to- umeouo Jomr cooeommorv - Oheertetien- eeteeh'en Jetnt interagency Task Force JIATF that is focused on Specifically the as tent of the operational review and approval process in support of However ttees net - Lu ti Dlscussion requires targets ce deconflicted in accordance with the Trilateral Memorandum of Agreement Moe - Auctionee a Strike Package is required that consists of an lntelligence Technical Gain Loss Assessment Political Military Assessment Legal Review and CONOP II hi Sec 1 4iaiidiiqi As implemented each 000 mission requires these documents In addition to deconfliction under the Triiat MOA 125' iThe amount of informal meetings briefings and overall information sharing that occurred was eittremely in- depth and time consuming for both USCYBERCUM and JTF ARES staffs If this same ievel of detail is required for each proposed action during an 0C0 mission Further discussion of the Joint Interagency Coordination process and timeline can be found in Appendix B Cyber operations against should be fir' l rhyligril As a resuit of the Interagency coordination 0G5 was to be deliberated under different policy decisions as a maew an Combatant Command action - Recommendation Normalize Interagency policies and processes to adjudicate Interagency nonaconcurs expeditiously in a manner that supports dynamic targeting within the cyber domain COLLECTION MANAGEMENT U Ohservation Through extensive pre- operation coordination all US inteiligence agencies were highly attuned to the 0GB plan and were postured to focus collection assets to gauge the impact of 0GB on ISIL members 2 Discussion USCYBERCOM J2 and JTF ARES developed Multiple meetings in the pre- operational phase with lC DoD allied intelligence representatives ensured high awareness of OGS collection requirements 1- ' Reoommendation Incorporate positive lessons learned into standard practices collection managementtradecraft and products for future operations Pas in addition codify collection timelines and deliverables to related to the operation U xmum i 3 i Observation USCYBERCOM capabilities contributed significantly to 063 planning and execution however Discussion DoD's Cyber Strategy emphasizes in cyberspace operations howeveir le Recommendation in cyberspace element could provide substantial support to operational planning should also be requested and incorporated into the operation tux sous TARGEHNG Observation This made the target vetting process for OGS and difficult as USCYBERCOM and JTF ARES personnel had to frequently Discussion- As such it is recommended that it be vetted with the as well as it partners The target was sent out for vetting_ IC partners but Sec 1 4ielidligl lbliEli with and it vetting agencies Objectives for the mission were '7 With regard to the additional information requirement to support target development and IC vetting the inability of JTF ARES to from teams under operational control cf JTF ARES led to lo coding oroccss for JTF ARES ls that relates to JTF ARES operational needs Recommendation 1 Adhering to established vetting standards should reduce the time and effort required advance the targeting process as all parties get to vote comment at the same time Targets should be developed to support established plans containing MDPs and MOEs that are clearly linked to well-defined objectives Establish measureable MOEs based on determination of what intelligence is known or likely to be known about adversary activities Ti ll'jx Recommendation 2 U ouot DATA erPLorTArroIlv 5 i F - Observation 068 plans factored the possibility of adversary data recovery and acknowledged the need for exploiting that data but did not JTF ARES not anticipate priorities were established for exploiting the data but policies are needed to clarify handling procedures for captured data tied-Hill Discussion JTF ARES established - priorities for exploiting captured data woloh m ARES accomplished or working through HQs CYBERCOM 13 in accordance with CYBERCOM 000 data policies JTF ARES worked through CYBERCOM to identify sources for short-term support Recommendation Future plans should account for lrm 13 Sec 1 4ia tell 9 USCYBERCOM sheure formulate policy and capability to support any USCYBERCOM JTF or that covers all future operations POLITICAL MILITARYASSESSMENTS 1 eE 5' Observation The corrent_ timeline for conductinga Political Military Assessment Pile for operations against adversary infrastructure Discussion to produce PMAs for the target elements significant challenges in meeting the timeline festering the need fer - Other agencies were similarly stressed to meet the deadline _ to staff a required PMA and the $0 is given another_ to review - HREWmmenda Dn Given the likelihood that USCYBERCDM will be conducting more frequent and widely-seeped cyber operations throughout the global Internet infrastructure in the future would help expedite the request and approval process and Provide planners with factored up front into cyber CONOPs This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu