SECRET

Department of Defense
INSTRUCTION

NUMBER S-5240.23
December 13, 2010

USD(I)

SUBJECT: (U) Counterintelligence (CI) Activities in Cyberspace

References: (U) See Enclosure 1

1. (U) PURPOSE. This Instruction establishes and implements policy and assigns responsibilities for CI activities in cyberspace pursuant to Executive Order 12333 Reference and the U.S. Government-Wide Cyber CI Plan Reference, in accordance with the authority in Directive 5143.01 Reference and O-5240.02 Reference, and cancels Under Secretary of Defense for Intelligence Memorandum Reference.

2. (U) APPLICABILITY

a. (U) This Instruction applies to OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the Field Activities, and all other organizational entities within the Department of Defense (hereafter referred to collectively as the Components).

3. (U) DEFINITIONS. See Glossary.

4. (U) POLICY. It is policy that CI activities in cyberspace shall:

a. (U) Be directed against foreign intelligence services and international terrorist organizations (hereafter referred to as foreign intelligence entities) in accordance with the mission areas in Reference.

Classified by: Instruction 36240 08
Reason: 1.4(a)
Declassify on: 1 October 2035

d. (U) Be conducted by technically trained and certified personnel in accordance with Enclosures 2 and 3 of this Instruction.

e. (U) Be conducted in accordance with applicable statutes Reference, the Intelligence Oversight procedures listed in DoDD 5240.01 and 5240.1-R References and, and the privacy program in 5400.11-R Reference.

5. (U) RESPONSIBILITIES. See Enclosure 2.

6. (U) PROCEDURES. See Enclosure 3.

7. (U) RELEASABILITY. RESTRICTED. This Instruction is approved for restricted release. Authorized users may obtain copies on the SECRET Internet Protocol Router Network from the DoD Issuances Website at

8. (U) EFFECTIVE DATE. This Instruction is effective upon its publication to
the DoD Issuances Website.

Thomas A I
Acting Under Secretary of Defense for Intelligence

(U) Enclosures
1. (U) References
2. (U) Responsibilities
3. (U) Procedures
(U) Glossary

TABLE OF CONTENTS (U)

(U) The information in this Table of Contents is UNCLASSIFIED.

ENCLOSURE 1: REFERENCES

ENCLOSURE 2: RESPONSIBILITIES
    DEPUTY UNDER SECRETARY OF DEFENSE FOR HUMAN INTELLIGENCE (HUMINT), CI, AND SECURITY
    DIRECTOR NATIONAL SECURITY CENTRAL SECURITY SERVICE DIRECTOR CSS
    DIRECTOR, DCHC
    ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION CHIEF INFORMATION OFFICER (CIO)
    HEADS OF DOD COMPONENTS WITH DEFENSE CI COMPONENTS
    HEADS OF DOD COMPONENTS WITHOUT DEFENSE CI COMPONENTS
    COMMANDER, USCYBERCOM
    DIRECTOR, DC3

ENCLOSURE 3: PROCEDURES
    GENERAL
    CI SUPPORT TO CYBERSPACE OPERATIONS
    DOD CI COLLECTION IN CYBERSPACE
    OF CD IN CYBERSPACE

GLOSSARY
    ABBREVIATIONS AND ACRONYMS
    DEFINITIONS

TABLE
    Indicators of Potential Threat Activity on DoD Networks

ENCLOSURE 1

REFERENCES (U)

(U) Executive Order 12333, United States Intelligence Activities, December 4, 1981, as amended
(U) The National Counterintelligence Executive, The United States Government-Wide Cyber Counterintelligence Plan 2008, November 25, 2008 [1]
(U) Directive 5143.01, Under Secretary of Defense for Intelligence, November 23, 2005
(U) DoD Directive O-5240.02, Counterintelligence, December 20, 2007
(U) Memorandum, Deconfliction of DoD Counterintelligence Cyber Operations with the Intelligence Community, February 2, 2007 (hereby cancelled)
(U) Trilateral Memorandum of Agreement Among the Department of Defense, the Department of Justice, and the Intelligence Community Regarding Computer Network Attack and Computer Network Exploitation Activities, May 9, 2007 [1]
(U) DoD Directive 5240.01, Intelligence Activities, August 27, 2007
(U) DoD 5240.1-R, Procedures Governing the Activities of DoD Intelligence Components That Affect United States Persons, December 7, 1982
(U) DoD 5400.11-R, Department of
Defense Privacy Program, May 14, 2007
(U) Under Secretary of Defense for Intelligence Publication, The DoD Strategy for Counterintelligence in Cyberspace, August 28, 2009 [1]
(U) DoD Instruction S-5240.17, Counterintelligence Collection, January 12, 2009
(U) DoD Instruction S-5240.09, Offensive Counterintelligence Operations (OFCO), October 29, 2008
(U) DoD Directive S-5105.61, Cover and Cover Support Activities, May 6, 2010
(U) DoD Directive 5505.13E, Executive Agent (EA) for the DoD Cyber Crime Center, March 1, 2010
(U) DoD Instruction 3305.11, Counterintelligence (CI) Training, March 19, 2007
(U) DoD Instruction 5205.13, Defense Industrial Base (DIB) Cyber Security Information Assurance Activities, January 29, 2010
(U) DoD Instruction 5240.04, Counterintelligence (CI) Investigations, February 2, 2009
(U) DoD Directive 3600.01, Information Operations, August 14, 2006
(U) DoD Instruction 5240.6, Counterintelligence (CI) Awareness Briefing and Reporting Programs, August 7, 2004
(U) DoD Instruction 5240.10, Counterintelligence Support to the Combatant Commands and the Defense Agencies, May 14, 2004
(U) Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, current edition

[1] Available upon request from the Counterintelligence Directorate, Room 3C1088, 5000 Defense Pentagon, Washington, DC 20301-5000

ENCLOSURE 2

RESPONSIBILITIES (U)

1. (U) The shall:

a. (U) Oversee the development and implementation of policy for CI activities in cyberspace.

b. (U) Oversee the development and implementation of the Strategy for CI in Cyberspace Reference.

c. (U) Approve training and certification standards for CI activities in cyberspace.

2. (U) DEPUTY UNDER SECRETARY OF DEFENSE FOR HUMAN INTELLIGENCE (HUMINT), CI, AND SECURITY. The, under the authority, direction, and control of the, shall:

a. (U) Advise the and other OSD Principal Staff Assistants on CI activities in cyberspace.

b. (U) Develop, coordinate, and oversee the implementation of CI in cyberspace policy for the

c. (U) Represent the at and national cyber and CI community forums.

d. (U) Serve as
the OSD staff point of contact for all CI in cyberspace issues.

3. (U) DIRECTOR NATIONAL SECURITY CENTRAL SECURITY SERVICE DIRECTOR CSS. The Director, NSA/Chief, CSS, under the authority, direction, and control of the, and in addition to the responsibilities in section 7 of this enclosure, shall:

4. (U) DIRECTOR, DCHC. The Director, DCHC, under the direction and control of the Director, Defense Intelligence Agency, shall:

a. (U) Serve as the DoD CI functional manager for an integrated DoD CI in Cyberspace

e. (U) Develop and execute training for Defense CI Components conducting activities in cyberspace in accordance with 5505.13E Reference and 3305.11 Reference.

(1) (U) Regularly review DoD CI in cyberspace training courses to ensure relevancy and currency.

(2) (U) Develop training standards and career paths in coordination with the Department of Defense Cyber Crime Center (DC3), the Joint CI Training Academy, Military Departments, and Defense Agencies.

(3) (U) Develop and recommend procedures and standards to certify designated personnel to conduct CI activities in cyberspace in coordination with the

f. (U) Conduct CI analysis of cyberspace threats and disseminate products to support CI and enable CI activities in cyberspace.

g. (U) Represent Defense CI Components at national cyber and CI community forums.

h. (U) Recommend CI activities in cyberspace policy to the

i. (U) Develop Reference and update as appropriate.

5. (U) ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION CHIEF INFORMATION OFFICER (CIO). The CIO shall:

a. (U) Coordinate with Defense CI Components to detect and identify FIE threats to and defense industrial base (DIB) networks pursuant to Reference and in accordance with 5205.13 Reference.

b. (U) Oversee DC3 implementation of responsibilities as described in section 9 of this enclosure.

6. (U) HEADS OF DOD COMPONENTS WITH DEFENSE CI COMPONENTS. The Heads of Components with Defense CI components shall:

b. (U) Support information
operations in accordance with DoDD 3600.01 Reference i.

g. (U) Support and participate in CI functional management activities.

h. (U) Ensure that personnel are technically trained and certified to conduct CI activities in cyberspace in accordance with the standards and procedures established by the Director, DCHC, and the Director, DC3.

i. (U) Include threats in cyberspace for all CI awareness briefing and reporting programs in accordance with 5240.6 Reference. Examples of indicators of potential threat activity on DoD networks are listed in the Table in Enclosure 3 of this Instruction.

7. (U) HEADS OF DOD COMPONENTS WITHOUT DEFENSE CI COMPONENTS. The Heads of DoD Components without Defense CI components shall request CI activities in cyberspace support from their lead CI organization in accordance with 5240.10 Reference 0.

8. (U) COMMANDER, USCYBERCOM. The Commander, USCYBERCOM, under the authority, direction, and control of the Commander, USSTRATCOM, shall:

9. (U) DIRECTOR, DC3. The Director, DC3, under the authority, direction, and control of the CIO and in accordance with Reference, shall:

a. (U) In coordination with and at the request of the DoD Components, provide complete digital and multimedia forensic services to support CI investigations.

b. (U) Conduct CI-oriented cyber training that:

(1) (U) Provides levels of technical CI cyber training, from basic to advanced, that address FIE cyber tactics, techniques, and procedures to afford CI personnel the requisite technical skills to conduct effective CI activities, either in the virtual environment of information systems and computer networks or via exploitation of digital devices in the physical domain, in accordance with References and

(2) (U) Supports Reference 0.

(3) (U) Leads the development of computer and web-based cyber training for CI personnel.

c. (U) Serve as the functional lead to develop, evaluate, and test CI techniques used in cyberspace and serve as the central repository of these techniques for Defense CI Components.
ENCLOSURE 3

PROCEDURES (U)

1. (U) GENERAL

a. (U) Report all FIE threat information obtained through cyberspace investigative activity, collection, or OFCO as quickly as possible. Perishable information revealing imminent threat shall be reported immediately to the affected installation, command, agency, or component, as well as to the Joint Interagency Task Force-Combating Terrorism, USCYBERCOM, and DCHC.

b. (U) Support to 32

(1) (U) DoD CI activities in cyberspace shall be undertaken to deter unauthorized persons from obtaining sensitive or classified information from networks. This includes cyber threat investigations of cyber incidents and intrusions to determine FIE involvement in accordance with Reference and 9001 Reference, and proactive efforts to identify foreign intelligence attempts to illegally obtain information that falls within one or more of the DoD CI mission areas.

(2) (U) chief information officers shall work with Defense CI Components to provide sufficient and timely access to networks, network devices, workstations, and digital information to facilitate inquiries, cyber threat investigations, or other CI activity to determine involvement, except where limited by law. Suspicious activity that is not FIE-related shall be referred to command or law enforcement, as appropriate.

(3) (U) In support of CND and IA, Defense CI Components shall identify emerging and imminent cyber threats and take appropriate actions against FIE threats on DoD, IC, and DIB networks. CI investigative elements shall work with IA and security elements to:

(U) Detect anomalous activity indicative of CI insider threats.

(U) Develop leads for thorough investigative plans.

(U) Conduct analysis, including the appropriate analysis and analysis of trends and behavioral patterns, to better understand threat plans, intentions, and capabilities.

(U) Recommend appropriate action to protect the integrity of the network or to counter, expose, and/or exploit the FIE threat.

(4) (U) Defense CI Components
shall conduct CI activities in cyberspace to identify FIE threats in support of CND. The following table contains examples of indicators related to a CI insider threat or FIE activity on DoD networks that may require further analysis, inquiry, or investigation.

Table. Indicators of Potential Threat Activity on DoD Networks (U)

- Unauthorized network access
- Suspicious Internet activity, including downloads or uploads of sensitive data
- Indications of unauthorized Universal Serial Bus, removable media, or other transfer devices
- Downloading of non-approved computer applications
- E-mail traffic to foreign destinations
- Data exfiltrated to unauthorized domains
- Excessive and abnormal printing
- Unexplained storage of data
- Unexplained user accounts
- Hacking or cracking activities
- Social engineering, electronic elicitation, e-mail spoofing, or e-mail spear-phishing
- Evidence of password cracking, key logging, or steganography
- Denial of service attacks or suspicious network communications failures
- Malicious codes or blended threats such as viruses, worms, trojans, logic bombs, malware, spyware, or browser hijackers, especially those used for clandestine data exfiltration
- Tampering with or introducing unauthorized elements into information systems
- Network spillage incidents or information compromise
- Any credible anomaly, finding, observation, or indicator previously associated with or connected to FIE activity
- Use of DoD account credentials by unauthorized parties
- Any tampering with supply chain

This table is UNCLASSIFIED.

GLOSSARY

PART I. ABBREVIATIONS AND ACRONYMS (U)

(U) The abbreviations and acronyms in this Glossary are UNCLASSIFIED.

CIO            Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer
CI             counterintelligence
CNA            computer network attack
CND            computer network defense
CNE            computer network exploitation
DC3            Department of Defense Cyber Crime Center
DCHC           Defense Counterintelligence and Human Intelligence Center
DIA            Defense Intelligence Agency
DIB            defense industrial base
               digital and multimedia
DoDD           DoD Directive
DoDI           DoD Instruction
DUSD(HCI&S)    Deputy Under Secretary of Defense for Human Intelligence, Counterintelligence, and Security
FIE            foreign intelligence entity
HUMINT         human intelligence
IA             information assurance
IC             Intelligence Community
IT             information technology
               Joint Intelligence Preparation of the Operational Environment
J2X            joint force counterintelligence and human intelligence staff element
               National Security Agency/Central Security Service
               signals intelligence
USCYBERCOM     United States Cyber Command
USD(I)         Under Secretary of Defense for Intelligence
USSTRATCOM     United States Strategic Command

PART II. DEFINITIONS (U)

(U) Unless otherwise noted, these terms and their definitions are for the purpose of this Instruction.

(U) anomalous activity. Network activities that are inconsistent with the expected norms that may suggest FIE exploitation of cyber vulnerabilities or prior knowledge of U.S. national security information, processes, or capabilities.

(U) CI. Defined in Reference.

(U) CI activities. Defined in Reference.

(U) CI activities in cyberspace. CI activities in cyberspace include those forensics examinations of affiliated information systems and other rved virtual or online activities to identi

(U) CI insider threat. A known or suspected person who uses their authorized access to facilities, systems, equipment, or infrastructure to cause damage, disrupt operations, or commit espionage on behalf of a FIE.

(U) CNE. Defined in Joint Publication 1-02 Reference.

(U) computer network. The constituent element of an enclave responsible for connecting computing environments by providing short-haul data transport capabilities, such as local or campus area networks, or long-haul data transport capabilities, such as operational, metropolitan, or
wide area and backbone networks.

(U) cyber incident. Defined in Reference.

(U) cyberspace. Defined in Reference.

(U) cyber threat investigation. Actions taken, consistent with applicable law and Presidential guidance, to determine the identity, location, intent, motivation, capabilities, alliances, funding, or methodologies of one or more FIEs that has attempted to penetrate or has in fact penetrated a DoD, IC, or DIB information system.

(U) Defense CI Component. Defined in Reference.

(U) digital tradecraft. The conduct, topics, or techniques of modern espionage or CI that employ digital or cyber means.

(U) FIE. Any known or suspected foreign organization, person, or group (public, private, or governmental) that conducts intelligence activities to acquire U.S. information, blocks or impairs U.S. intelligence collection, influences U.S. policy, or disrupts U.S. systems and programs. This term includes a foreign intelligence and security service and international terrorists.

(U) information system. Defined in Reference.

(U) intrusion. Unauthorized access to a DIB or critical infrastructure network, information system, or application.