[AUTHENTICITY CERTIFIED: Text version below transcribed directly from audio]

Now, at Treadstone 71, we view cyberspace as a global domain within the information environment consisting of the independent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, embedded processors, controllers — anything connected, or connected devices.

It is a fifth domain of warfare that is under attack daily — by nation states, nongovernment organizations, terrorists, criminals, and hacktivists.

Since cyberspace is a decentralized domain characterized by increasing global connectivity, ubiquity and mobility, where power can be wielded remotely, instantaneously, inexpensively and anonymously, the threats to global critical infrastructures is [sic] enormous, the challenges unprecedented.

The United States, NATO, the United Kingdom, and other friendly governments and organizations are inextricably linked to the cyberspace domain, where conflict is not limited by geography or time. Cyberspace crosses geographic and jurisdictional boundaries. The expanded use of cyberspace places our interests at greater risk from cyber threats and vulnerabilities; and cyber actors can act globally with[in] their own borders, within the borders of our allies and adversaries.

The complexity and amount of activity in this evolving domain make it difficult to detect, interdict, and attribute malicious activities. Our approach for several years has been that of a defensive posture, one that is reactive and focuses on a “see, detect, and arrest” capability, where the adversary has already emptied the coffers of our most critical information.

This needs to change.

Threats to cyberspace pose one of the most serious economic and security challenges of the 21st century. On the flip side, cyberspace offers us unprecedented opportunities to shape and control the battle space to achieve strategic objectives.

One of the key factors to meeting these challenges is cyber counterintelligence (or CCI). CCI covers the measures to identify, penetrate, or neutralized adversarial operations that use cyber means as a primary tradecraft methodology.

CCI includes activities in cyberspace such as forensics, examinations of information systems, and other approved virtual or online activities to identify, disrupt, neutralize, penetrate, or exploit hostile adversaries.

CCI is composed of both offensive and defensive elements. Offensive CCI includes a cyber penetration and deception of adversary groups, while defensive CCI includes protecting vital information and information systems from being obtained or manipulated by an adversary’s cyber intelligence organizations, activities, and operations. This two-pronged approach forms a comprehensive CCI strategy that is informed by collection results, and feeds more comprehensive CCI operations.

Treadstone 71 strongly advocates for a more progressive approach to CCI. Our doctrine, and we hope that of the United States, includes a collection and processing of technical and intelligence information derived from adversaries by other than an intended recipient. The CCI doctrine expands upon traditional cyber intelligence collection, while pursuing the offensive exploitation and defeat of adversarial intelligence activities directed against our interests.

Not only does our doctrine protect the integrity of the government and commercial information and information systems, we believe in the use of incisive, actionable intelligence provided to decision makers at all levels that serve to protect vital assets from adversarial intelligence activities, while neutralizing and exploiting their cyber intelligence capabilities.

We believe that CCI operational activity should:

#1 – Manipulate, disrupt, neutralize, and/or destroy the effectiveness of adversary cyber activities.

#2 – Recruit or induce defection of adversary personnel using cyber personas.

#3 – Leverage denial, deception, counter-denial, counter-deception, information warfare, psychological operations and online media to manipulate, direct, and redirect our adversaries, creating advantages and influencing events that lead to desired outcomes.

#4 – Collect cyber threat information on adversary operations, modus operandi, intelligence requirements, targeting objectives, personalities, communications capabilities, limitations, linguistic focus, efforts to modify, attributable hosting locations, and vulnerabilities.

#5 – Provide information and operations databases to support decision makers.

#6 – Provide CCI support to clandestine human and cyber intelligence operations.

#7 – Identify past, ongoing, or planned cyber espionage.

#8[a] – Leverage all open-source signals, geo-spatial, imagery, measurement, human, financial, and technical intelligence.

#8[b] – Support cyber force protection operations, including, and other than, war and peacekeeping.

#9 – Acquire adversary cyber espionage capabilities for analysis, and countermeasures development.


#10 – develop operational data, threat data, and espionage leads for future CCI operations, investigations and projects, and develop the potential of these leads to enhance cyber security overall.

A direct component of CCI is cyber espionage. It is the act or practice of obtaining secrets via cyber capabilities without the permission of our adversaries. This includes information — personal, sensitive, proprietary, or of a classified nature — from individuals, competitors, rivals’ groups, governments, and enemies for personal, economic, political, or military advantage, using cyber exploitation methods.

The use of cyber espionage to actively gather information from computers, information systems or networks, or manipulate, disrupt, deny, degrade, or destroy targeted adversary computers, information systems or networks, must be woven into our cyber security strategic plans and operational tactics.

Cyberspace has become a main front — the fifth domain of warfare in both irregular and traditional conflicts. Adversaries in cyberspace include both states and non-states that range from the unsophisticated amateur to highly trained professional hackers using virtual small arms that are proliferating, while growing enhanced payload and delivery capabilities.

Through cyberspace, our adversaries are targeting industry, academia, government, as well as the military, and the sea-air-land and space domains. In much the same way that air power transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield us from the attacks on our critical infrastructures. Indeed, adversaries have taken advantage of computer networks and the power of information technology to not only plan and execute savage acts of terrorism, but also to influence directly the perceptions and will of our governments and population.

In closing, CCI activities, as a component of strong cyber security practices, must be examined, strategically deployed, and operationally delivered — while being continuously enhanced as a method of both active defense and offense.

It is time we expanded our reactionary approach from see, detect and arrest, to one that is proactive and aggressive.

Thank you

By Treadstone 71

@Treadstone71LLC Cognitive Warfare Training, Intelligence and Counterintelligence Tradecraft, Influence Operations, Cyber Operations, OSINT,OPSEC, Darknet, Deepweb, Clandestine Cyber HUMINT, customized training and analysis, cyber psyops, strategic intelligence, Open-Source Intelligence collection, analytic writing, structured analytic techniques, Target Adversary Research, strategic intelligence analysis, estimative intelligence, forecasting intelligence, warning intelligence, Disinformation detection, Analysis as a Service

One thought on “Treadstone 71 Cyber Counterintelligence Doctrinal Statement”

Comments are closed.