New DOD doctrine officially outlines and defines ‘expeditionary cyberspace operations’

A sign of the maturity of cyber ops, the Defense Department has recognized and defined what "expeditionary cyberspace operations" are.
Capt. Richard Shmel, a 17A, cyberspace operations officer, participating in the 915th Cyber Warfare Battalion’s Field Training Exercise at Muscatatuck Urban Training. (Photo by Steve Stover, U.S. Army)

For the first time, the Department of Defense has begun to recognize and even define cyber operations conducted in physical or tactical spaces in formal doctrine.

A revised version of Joint Publication 3-12 Cyberspace Operations — published in December 2022 and while unclassified, is only available to those with DoD common access cards, according to a Joint Staff spokesperson — officially provides a definition for “expeditionary cyberspace operations,” which are “[c]yberspace operations that require the deployment of cyberspace forces within the physical domains.”

DefenseScoop has seen a copy of the updated publication.

The last version was published in 2018 and was publicly available. The Joint Staff spokesman noted that five years has been the norm for updates.


The definition, recognition and discussion of such operations are indicative of not only the maturity of cyberspace and associated operations, but the need for more tactical capabilities to get at targets that the current cyber force might not be able to access.

U.S. Cyber Command owns the offensive cyber capabilities within DOD, and the services conduct offensive cyber ops through Cybercom and the cyber mission forces that each service provides to the command. Authorities to launch cyber effects have traditionally been held at the highest levels of government. In recent years, those authorities have been streamlined and delegated. However, most cyber operations are still conducted from remote locations by the cyber mission force (CMF) and primarily focused on IP-based networks.

Many of the services have begun investing in capabilities and forces for their own offensive cyber, however, that is mostly in the blended electronic warfare or radio frequency-enabled sphere at the tactical level.

The updated doctrine recognizes that these capabilities, which will still have to be coordinated centrally, could provide access to targets that remote operators might not be able to get for a variety of reasons.

“Developing access to targets in or through cyberspace follows a process that can often take significant time. In some cases, remote access is not possible or preferable, and close proximity may be required, using expeditionary [cyber operations],” the joint publication states. “Such operations are key to addressing the challenge of closed networks and other systems that are virtually isolated. Expeditionary CO are often more regionally and tactically focused and can include units of the CMF or special operations forces … If direct access to the target is unavailable or undesired, sometimes a similar or partial effect can be created by indirect access using a related target that has higher-order effects on the desired target.”


It also notes that these effects and operations should be coordinated with the intelligence community to deconflict intelligence gain/loss.

Moreover, the updated doctrine recognizes the complexity of cyberspace and how in-demand cyber capabilities might be. Thus, global cyber support might need to “reach-forward” to support multiple combatant commands simultaneously.

“Allowing them to support [combatant commands] in this way permits faster adaptation to rapidly changing needs and allows threats that initially manifest only in one [area of responsibility] to be mitigated globally in near real time. Likewise, while synchronizing CO missions related to achieving [combatant commander] objectives, some cyberspace capabilities that support this activity may need to be forward-deployed; used in multiple AORs simultaneously; or, for speed in time-critical situations, made available via reachback,” it states. “This might involve augmentation or deployment of cyberspace capabilities to forces already forward or require expeditionary CO by deployment of a fully equipped team of personnel and capabilities.”

When it comes to internalizing the new doctrine, the Air Force sees this as additional access points for operations.

“How do we leverage folks that are and forces that are at the tactical edge for access? That’s primarily how I think about the expeditionary capabilities we have … is empowering or enabling the effect they’re trying to create or using their access or position physically, to help enable some of our effects,” Lt. Gen. Kevin Kennedy, commander of 16th Air Force/Air Forces Cyber, told DefenseScoop at the AFCEA TechNet Cyber conference.


He noted that these access-enabling capabilities could be across the services, but primarily from an Air Force perspective, “I’m looking at looking within the Air Force, from aerial platforms down to ground-based airmen, as well about how we would do that,” he said.

Officials have described how the services are seeking to build their own forces separate from Cybercom.

“There was a lot of language that came out the [National Defense Authorization Act] that talked about force design in general. All the services to one degree or another are really — I’m not going to say rethinking — but evaluating what their contribution to the joint force is, as well as what their own … service-retained cyber teams are,” Chris Cleary, principal cyber advisor for the Department of Navy, told DefenseScoop at the AFCEA conference.

Last year’s NDAA directed the Pentagon to develop a strategy for converged cyber and electronic warfare conducted by deployed military and intelligence assets, specifically for service-retained assets.

As electronic warfare and cyber capabilities are expected to be a big part of the battlefield in 2030 — a key waypoint the Army has been building toward — it recognizes those capabilities can’t be held from remote sanctuary, Maj. Gen. Paul Stanton, commander of the Army Cyber Center of Excellence, told DefenseScoop in an interview on the sidelines of the AFCEA conference.


In fact, the Army’s principal cyber adviser has tasked the Cyber Center of Excellence with clarifying certain authorities and capabilities.

“How do you execute electronic attack to achieve effects? How do you differentiate a cyber-delivered capability that benefits from proximity based on owning the land, owning the ground?Because that’s what the Army does. The principal cyber advisor, Dr. [Michael] Sulmeyer is tasking me with conducting a study to clearly define and delineate where those lines are,” Stanton said. “This study is going to help us be able to clearly define that. I expect to be tasked to kick that off here in the very near future with about 90 days to complete.”

When it comes to service-retained forces and capabilities, the Army has built the 11th Cyber Battalion, formerly the 915th Cyber Warfare Battalion, which provides tactical, on-the-ground cyber operations — mostly through radio-frequency effects — electronic warfare and information ops. The unit will help plan tactical operations for commanders and conduct missions in coordination with deployed forces. It consists of several expeditionary cyber and electromagnetic activities (CEMA) teams that are scalable and will maneuver with units and conduct operations on the ground for commanders.

The Navy, meanwhile, is building what it’s calling non-kinetic effects teams, which will augment afloat forces with critical information warfare capabilities. Cleary has previously noted that the service is still working through what cyber ops at sea will look like.

“As we continue to professionalize this, [information warfare commanders within carrier strike groups] will become more and more important as it fully combines all aspects of the information warfare space, the electromagnetic spectrum, command and control of networks, eventually potentially offensive cyber being delivered from sea, information operations campaigns,” Cleary said.


“That job will mature over time, and then the trick is to get the Navy and the Marine Corps to work together because we are back to our roots of being an expeditionary force. Even the Marines through [Commandant] Gen. [David] Berger’s new force design is really about getting the Marines back to being what the Marines were designed to be, which is an expeditionary fighting force that goes to sea with the Navy. We work together to achieve our objectives as a team, and we’re getting back to our blocking [and] tackling them.”

For the Marine Corps’ part, officials have been building Marine Expeditionary Force Information Groups (MIGs), which were created in 2017 and support each MEF within the Corps, integrate electronic warfare with intelligence, communications, military information support operations, space, cyber and communication strategy — all to provide MEF commanders with an information advantage.

The service has also recently established Marine Corps Information Command (MCIC), which was designed to more tightly link the service’s information forces — including cyber, intelligence and space — in theater with the broader joint force across the globe.

Mission elements the Marines have created and sent forward with Marine expeditionary units are “right in line with [Joint Publication] 3-12,” Maj. Gen. Joseph Matos, deputy commander of Marine Corps Forces Cyberspace Command, told DefenseScoop at the AFCEA conference.

“How do we take what we do at the fort, or back at Fort Meade [where Cybercom is headquartered], and be able to extend that out to the services? That’s what we’re in the process of doing right now … We started about two years ago doing that. That capability is starting to mature pretty well,” he said. “It’s to extend Cyber Command out to those forward units.”


Matos said the recently created MCIC will act as the integrator for a lot of these capabilities throughout the force, acting as a bridge of sorts.

The organization will help tactical forces understand the authorities and capabilities that cyber can provide to help them conduct their missions.

“You kind of hit a glass ceiling of the capability [of] the lower elements being able to reach out and do cyberspace operations,” Matos said of the process prior to establishing that entity. “We’re able to say, OK, here’s a team, trained, capable,’ understand the capabilities that we can bring, give them to the deployed forces to say, ‘OK, you want to do cyber operations, here’s how we can help you do that.’ We know who to talk to, the authorities and so on so forth, and we can do that. I think it’s right in line with what the [Joint Publication] 3-12 is trying to do.”

That command essentially acts as the glue between the high-end cyber forces and the tactical elements, bridging the gap between Cybercom forces and the deployed forces.

“The genesis of the Marine Corps Information Command to tie all these elements together is to address that concern, is to be that integration point between the forces below the tactical edge who have these requirements to operate in a rapidly changing environment. But also tie that to the Marine Corps Information Command knows who to talk to at Cyber Command, or at NSA, or at Space Command. To be able to be that touchpoint between the two organizations so you don’t have to have an infantry battalion going all the way to” a combatant command, Matos said during a presentation at the AFCEA conference.


“I think as we operate in this rapidly changing cyberspace world, that Marine Corps Information Command’s going to be a tremendous benefit to the [Marine Air Ground Task Force], but also to the joint world and the intelligence and cyber world,” he added.

Latest Podcasts