Cyber Operations (CYOPS)

Cyber Operations (CYOPS)
Prepared By: B. Gen. Eng. Robert Mansour
(PhD) Lebanese Armed Forces/G3/Director of Signals


It is known nowadays that the cyber-space is the fifth domain of war, which is the newest theatre of warfare, joining land, sea, air, and space. Cyber Operations is a combination of different domains covering the entire scope of cyber-space and related operations that are both technical and non-technical in nature, including ethical, legal, lawful, terrorism, kinetic, human-centered,…etc.

Cyber Operations is a paired discipline to cyber-security. It could be in the military domain with military objectives, or in a non-military field, civilian like sphere. It could place a particular emphasis on techniques or technologies that are applicable to both operational ad system levels, depending on the scenario of attack or threat. Emphasis on skills and competences of involved players will be part of the system attack, defense, infiltration, exploitation, mitigation, and recovery.[1]

The specific tasks of Cyber Operations are to perform activities to gather evidence on criminal or foreign intelligence entities to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities. The focus is on:         

a.     Conducting Offensive Cyber Operations (OCO), Defensive Cyber Operations (DCO), Computer/Information Network Operations (CNO), and perform cyber-space mission planning and execution.

b.    Developing and executing tactics, techniques, and procedures (TTP) for cyber-space operations.

c.     Establishing performance standards, train, and conduct evaluations to ensure personnel are proficient, qualified, and certified.


1-   Cyber-space in Action

Cyber Operations, in contrast to cyber-attacks that focus on computer and network systems, are designed to cause damage to the whole information system that could be physical besides to the access to networks to obtain or destruct information, in addition to involvement of other domains such as diplomacy, punishments, and international relations.


A-   General Background

Cyber Operations are not limited to members of the armed forces. Civilians acting alone or as part of a mass uprising can leverage widely available hacking tools and techniques to conduct Cyber Operations. They are not limited to publicly available tools or techniques; significant research and development skills are present in nonmilitary populations. The evidence for this is strong. Every year hundreds of security conferences take place at which nonmilitary individuals present new ideas and tools for attack. Breaches at major organizations continue unabated in the private sector by attackers looking to profit from their attacks. Privately funded research continues to generate a consistent stream of vulnerabilities found in widely used software.

The ability for civilians to be involved in Cyber Warfare is established, but their effectiveness is not. Civilians can slot into the attacking role easily but will struggle to pick targets, and the targets they choose will likely be visible but largely irrelevant. Furthermore, picking targets is not simply a case of choosing Internet Protocol (IP) addresses geo-located in the adversary’s territory. Targeting requires preparation in the form of mapping out the adversary’s networks far in advance, and is one of the hallmarks of Cyber Warfare professionals.[2]

It may seem that civilians are not able to assist in defensive roles because the assets are not under their control; this is largely the case. A well-resourced defense has no need for external personnel. However, for resource-constrained defenses where skills are weak, knowledgeable civilians would be able to offer services in the event of an attack.

As an illustration, in the 2006 Israeli aggression and the 2008 Israel-Hamas war, Cyber Operations and Information Operations seemed to be two sides of the same coin. In those battles, both sides used cyber operations to help spread their message while attempting to block the adversary from doing the same. We look at how Hezbollah’s strategy of cyber-cortical warfare and their use of CYOPS and IP address hijacking all contributed to their perceived “victory” over the Israeli enemy. We also look at how  the Israeli enemy then gathered lessons learned from this conflict as they prepared for their conflict with Hamas in 2008 -and how this cyber- capable adversary responded.[3]


i.     Definition

According to Tallinn Manual[4], the focus with the Cyber-space Operations is on the following basic points:

a.     States may not knowingly allow cyber infrastructure located in their territory to be used for acts that adversely affect other states.

b.    States may be responsible for cyber operations directed against other states, even though those operations were not conducted by the security agencies (i.e. hacktivist).

c.     The International Group of Experts agreed that cyber operations that merely cause inconvenience or irritation do not qualify as uses of force.

d.    States may respond to unlawful cyber operations that do not rise to the level of a use of force with countermeasures.

e.     A state that is a victim of a cyber “armed attack” may respond by using force. The force may be either cyber or kinetic.

Accordingly, Cyber Operations could be also outlined as operations that employ capabilities aimed at achieving objectives in or through cyber-space. It is described as the movements on theatre where activities and actions among cyber maneuvers and acts, including cyber-attacks, cyber terrorism, hacking, espionage, cyber-threats, cyber-crime, cyber-bullying…etc. Its tools and definition are the unauthorized access to computers, computer systems, or networks to obtain information, but without necessarily affecting the functionality of the accessed system or amending, corrupting, or deleting the data resident therein.

Cyber operators are those who conduct data collection, processing, and/or geolocation of systems to exploit, locate, and/or track targets of interest. Additional role is to perform network navigation, tactical forensic analysis, and, when directed, executes on-net operations.

“Cyber-space” is understood here as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures and local data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

Operations, whether in offence or in defense, intended to alter, delete, corrupt or deny access to computer data or software for the purposes of propaganda or deception; partly or totally disrupting the functioning of the targeted computer, computer system or network and related computer-operated physical infrastructure (if any); or producing physical damage extrinsic to the computer, computer system, or network.


ii.    Cyber-space Environment

Through analyzing the strategic guidance, decision makers, commanders, and planners build an understanding of the strategic environment describing the requirements of Cyber Operations in its different forms, based on:

a.     What actions or planning assumptions will be acceptable in each form of operation?

b.    What impact of such operation will be on political, economic, lawful, or legal aspects, mainly on the International law, and how to protect civilians in a soft way?

c.     What are the strategic objectives expected from such operations?

d.    What are the consequences on humanity, economy, culture, sovereignty, international relations,…?


B-   Types &Techniques of Cyber Operations

Cyber Operations are fundamentally different than many other weapons that are attached to state level violence, i.e. they are accessible to an expansive range of actors including but not limited to states. For example, only states, and very few of those, have ever developed a nuclear capability, however, on the other hand, more than hundred nations are reported to have or be developing cyber weapons, and more than thirty countries are creating cyber units in their militaries.[5]

Cyber-space is a domain created through the interaction of three different components: the hardware, the virtual, and the cognitive, all distributed among the parts of Cyber-Warfare, Cyber-Security, and Law Enforcement of Cyber. These components are described in figure 1 below, as:


•      The physical reality, the hardware, of cyber-space is involved in the interdependent network of information technology infrastructures. This includes all the hardware of telecommunication and computer systems, from the routers, fiber optic cables and transatlantic cables, cell phone towers, and satellites, to the computers, smartphones, and, eventually, any device that comprises embedded processors such as electric power grids or the Lockheed Martin tactical fighter aircraft F-22 Raptor.

•      Cyber-space also has a virtual component that encompasses the software, firmware, and data, i.e. the information that is resident on the hardware.

•      The human, or cognitive, aspect is the final element of cyber-space.

Cyber Operations are able to destroy, degrade, deny, and disrupt information technology-dependent infrastructures and data.

Cyber Operations consist mainly on offensive and defensive actions within the Information Networks, with main conflicts between their interactions. Cyber-space operations are composed of the military, intelligence, and ordinary business-oriented operations. Military cyber-space operations use cyber-space capabilities to create effects that support operations across the physical domains and cyber-space.[6]

The eight knowledge areas of Cyber Operations are summarized in the following figure[7].


Cyber-space Operations differ from Information Operations (IO), which are specifically concerned with the use of information-related capabilities during military operations to affect the decision making of adversaries while protecting our own. IO may use cyber-space as a medium, but it may also employ capabilities from the physical domains.

Subsequently, the framework developed for military operations establishes four components for CyberOps or (CyOPS): Cyber Warfare (CyberWar), Cyber Network Operations (CyNetOps) or (CNO), Cyber Support (CyberSpt), and Cyber Situational Awareness (CyberSA)

Moreover, there are interaction conflicts among cyber-space players or actors, conflict in cyber-space through a quantitative and qualitative analysis of the intentions, capabilities, and activities of state actors in this domain, as well as an analysis of the norms and rules relevant to cyberspace. Cyber operations are taking a leading role in conflicts between states, and recently the risk of a major cyber incident between nation states has been described as a major threat in national security strategies.[8] This could be illustrated as shown in table below (Table 1)[9], that shows what type of consequences are resulted from such conflicts:


Another issue is the debate that always occurs if cyber-space players favor the offense, as many analysts and policymakers claim. In the case of the Stuxnet[10], three factors undermine any cyber offensive advantage, as demonstrated in a cost-benefit analysis of the operation against Iran.

•      First, any measurement of the offense-defense balance must consider a cyber operation’s value as well as its cost to both sides.

•      Second, organizational capabilities play a significant role in determining the balance.

•      Third, offensive advantages decline when attackers target physical infrastructure rather than information networks.[11]

Cyber-space operations are categorized into the following:


i.     Offensive Cyber-space Operations (OCO):

 Intended to project power by the application of force in and through cyber-space. These operations are authorized like operations in the physical domains.

As mentioned before, Offensive Cyber Operations refer to computer activities to disrupt, deny, degrade, and/or destroy. Offensive cyber operations generally take place across multiple stages. Prioritizing offensive operations can increase the fears of the adversaries, their suspicions, and readiness to take offensive action. Cyber offenses consist of cyber exploitation (intelligence gathering) and cyber-attack (disrupting, destroying, or subverting an adversary’s computer systems). An adversary can simply mistake defensive cyber exploitation for offensive operations because the distinction is a matter of intent, not technical operation. The difficulty of distinguishing between offensive and defensive tactics makes mistrustful adversaries more reactive, and repeatedly conducting offensive cyber operations only increases distrust. A focus on offensive operations can also increase vulnerabilities; for example, secretly stockpiling information about vulnerabilities in computers for later exploitation, rather than publicizing and helping civil society to mitigate those vulnerabilities, leaves critical infrastructure vulnerable to attack.[12]


ii.    Defensive Cyber-space Operations (DCO):

Intended to defend main military or other friendly cyber-space. These are both passive and active defense operations and are conducted inside and outside of the Information Networks. The common assumption that the offense governs cyber-space is dangerous and deeply misguided.

The main Cyber-Defense target is to prevent the success of cyber-attacks. Usually, any cyber-attack follows a specific pattern known as the “cyber kill chain”. The footsteps of the “cyber kill chain” consist of the following:

•      Reconnaissance: is the step where the target is identified.

•      Weaponization: is the phase where preparation and staging take place.

•      Delivery: when the malware is delivered to the target, then the operation launches.

•      Exploitation: takes place when software, hardware, or human vulnerability occurs.

•      Installation of a persistent backdoor to maintain access.

•      Command and Control: The Command & Control of the malware opens a command channel to enable the adversary to remotely manipulate the victim.

•      Actions on the objective: occur when the goal of the mission are accomplished.


Consequently, a defensive cyber-space operation response action takes place, where it could be considered as a type of counter-attack. Here, both the military, as a state agent, or the private sector could perform these counter-attacks as a part of deterrence after the intrusions. Those actions could be organized on the following major goals:

•      Redirect the activities of the adversaries. It includes deterring, diverting, and deceiving the attacker.

•      Obviate the efforts of the attackers to make them ineffective, including preventing and preempting.

•      Impede the attackers to make their efforts or capabilities wasteful, including delay and degrading.

•      Detect the activities or effects of the attackers, thus making them identified.

•      Limit the impact of the attackers by restricting the consequences of oppositional efforts, thus mitigating their efforts.

•      Expose the attackers to take away their advantages, increase level of awareness of an attacker’s characteristics and behavior by developing and sharing threat intelligence, thus allowing the defenders to be better prepared.


iii.   Computer/Information Networks Operations (CNO):

 Mainly intended to design, build, configure, secure, operate, maintain, and sustain military communications systems and networks across the entire domain.

CNO is a broad term that has both military and civilian application. Conventional wisdom is that information is power, and more and more of the information necessary to make decisions is digitized and conveyed over an ever-expanding network of computers and other electronic devices. Computer network operations are deliberate actions taken to leverage and optimize these networks to improve human endeavor and enterprise or, in warfare, to gain information superiority and deny the enemy this enabling capability.

In the military domain, the other capabilities are Psychological Operations (PSYOPS), Military Deception (MILDEC), Operations Security (OPSEC) and Electronic Warfare (EW).

Within the military types, CNO consists of computer network attack (CNA), computer network defense (CND) and computer network exploitation (CNE).[13]

Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.

Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks. Moreover, CND could be outline Computer Network Defense as an aspect of NetOps (Network Operations).

Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.

A convergence between Electronic Warfare (EW) and Cyber-space Operations effects is illustrated in the following figure (Fig.3)[14]: