Milcom 2018 Track 4 - System Perspectives
Functional Analysis of Cyberspace Operations
Dr. Alberto Domingo
NATO Allied Command Transformation (ACT),
North Atlantic Treaty Organization (NATO)
Norfolk, VA, USA
alberto.domingo@act.nato.int
Abstract—Cyberspace is a relatively new domain of
operations for NATO, but also for many nations. Operations in
cyberspace lack the doctrinal corpus and experience that
operations in the other domains (land, air, sea) have accumulated
over the years (or centuries, in many cases). The legal aspects of
operating in a geographical domain that exceeds the
Commander’s area of responsibility further exacerbate the
problem, calling for careful consideration when defending one’s
own cyber assets, when planning for missions and when
delivering cyber effects. One of the main questions that the
Commander must consider is how to decompose the problem of
achieving objectives in and through, potentially contested,
cyberspace. This question is not addressed in the latest military
doctrine, but can be answered by decomposing a generic mission
where cyber is to be employed and deriving a suitable functional
analysis. Such decomposition would provide a “catalogue” of
functions that the commander might need to execute, which in
itself can inform the structure and manning of the cyber
organization, the development of operational requirements and
the subsequent development of a capability breakdown to satisfy
those requirements. The mission decomposition can also provide
a very useful starting point to the cyber capability engineering
development process, thus removing most of the subjectivity and
the likelihood for capability gaps and/or overlaps to occur. This
paper presents a novel functional analysis for cyberspace
operations. The analysis separates the functions associated to
defending one’s own networks and systems (traditional
Communication and Information Systems [CIS] security and
cyber defense) from those related to cyber missions planning,
Command and Control (C2), generation of cyber Situational
Awareness (SA) (including cyber INTEL) and the delivery of
cyber effects. The proposed functional analysis is
organization/mission/capability and intent agnostic, as well as
technology/solution independent. It is, therefore, applicable to the
activities of a large scale cyber command, an individual hacker,
and the full spectrum of actors between those two.
Keywords—Cyberspace, Cyberspace Operations, Functional
Analysis.
I. INTRODUCTION
During the July 2016 Warsaw Summit [1], the North
Atlantic Treaty Organization (NATO) declared cyberspace as a
domain of operations, which meant that ‘NATO must defend
itself [in cyberspace] as effectively as it does in the air, on
land, and at sea’. Possibly the most fundamental consequence
from the declaration is that NATO needs to move from the
challenging, but well-known field of Communication and
Information System (CIS) security (including cyber defense)
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
This work has been funded through the annual NATO Military Budget (NMB) Program of Work for NATO Allied Command Transformation (ACT).
978-1-5386-7185-6/18/$31.00 ©2018 IEEE
Ms. Manisha Parmar
NATO CIS Agency (NCI Agency),
North Atlantic Treaty Organization (NATO)
The Hague, Netherlands
manisha.parmar@ncia.nato.int
into the ability to conduct military missions in and through,
potentially contested, cyberspace, including all related
activities such as mission planning, intelligence, mission
execution, delivery of effects1 and battlefield assessment.
The cyberspace domain is organically different from the
traditional, kinetic domains of air, land and sea in that
cyberspace has no geographic, physical boundaries. This, in
turn, introduces unique challenges with respect to the dynamic
nature of the environment leading to reduced decision time,
variable decision quality and cascading dependencies. In fact,
the Observe, Orient, Decide, Act loop (commonly referred to
as the “OODA” loop) is deemed closer to an OODA “point”
rather than a loop given the response time requirement
associated to decision making in the cyberspace domain [2].
In light of these unique challenges posed in cyberspace, a
fundamental question that arises from the declaration is ‘what’
is actually expected from the NATO Commander when he/she
executes a mission in cyberspace. For the traditional domains
(air, land, sea) the answer is provided and continuously
enhanced through classic military doctrine 2 which has been
developed over decades and even centuries. Military doctrine is
authoritative, but requires judgement in application, and is
mostly developed and refined based on experience. In
cyberspace operations, mature doctrine is just not available and
these questions are not exclusively applicable to NATO.
Nations, who already have or are developing cyberspace
capabilities and cyber commands, have struggled with the same
challenges over the last few years. The result is a variety of
cyber defense and cyberspace operations doctrines with
capabilities that widely differ from each other and more closely
represent the problem space of the political ambition rather
than the military practice itself. Furthermore, the case of
NATO is particularly complex; not only does a brand new
doctrinal corpus need to be developed, but it also needs to be
appropriate for an international organization whose main
reason of being is to act as a catalyzer for national capabilities
(including forces and their training), while providing
interoperability among NATO nations and other (military and
civilian) partners.
1
NATO policy states that effects or weapons delivery in any
of the classic operational domains is a task for the Alliance
nations. Delivery of effects in cyberspace is subject to the
same approach, as NATO mandated is limited to collective
defensive operations.
2
Fundamental principles by which the military forces guide
their actions in support of objectives [3].
673
 Milcom 2018 Track 4 - System Perspectives
To address such a broad and complex issue in a relatively
short amount of time, the use of a formal, analytical,
engineering-based methodology is highly advisable, as the
rapid evolution of modern warfare, technology and
applications of cyber capabilities do not allow the long lead
time associated to the doctrinal development and refinement
used for the other military domains. Subsequently, traditional
information management system-engineering methodologies
do not appear to be well tailored to address the military
Command and Control (C2) problem space. Effective C2
development demands a strongly user-centered approach that
recognizes the subjective nature and variability of human-
based decision-making, as well as the incorporation of
knowledge at each stage of the C2 process. C2 development
needs to recognize that the essential mission of a C2 system is
to support the human tasks that make up the C2 activities in
planning, directing and monitoring military operations.
The Mission-Function-Task (MFT) methodology [4] is an
elegant engineering approach to military C2 specification
development. Since it originates from the field of human
factors engineering [5], it is relatively close to problems where
the requirements are behavioral-based, soft, somehow
subjective and therefore loosely coupled to the capabilities
supporting them. The MFT methodology analyses systems by
decomposing the problem into: the Mission Analysis (purpose,
environment, objectives, scenarios and phases); Function
Analysis (functions or sequence of functions that that must be
performed for the system under analysis to achieve mission
objectives); Task Analysis (information requirements,
performances, discrete actions and decision requirements) and
Operational Sequence Analysis 3 (sequences of tasks, their
frequency, variability and correlations among them). Several
attempts have been made to apply the MFT analysis approach
to cyber, including its applications to generic CIS security and
defensive cyber operations [6]. No attempt, however, to map
the complete spectrum of cyberspace operations has been
found in the literature.
The mission analysis for NATO cyberspace operations is
well addressed in [7], which describes the unique aspects of
cyberspace missions in NATO, and the vision and strategy to
operate in it. The strategy is expressed using complementary
ways for NATO to achieve its vision for operating in
cyberspace, which can be achieved through a number of
concurrent, different efforts.
II. CYBERSPACE OPERATIONS FUNCTIONAL ANALYSIS
According to Merriam-Webster dictionary, a function is
‘the special purpose or activity for which a thing exists or is
used, and implies a definite end or purpose or a particular kind
of work’, while [8] defines a functional analysis as the
‘systematic investigation of the functions of a real or planned
system’. A functional analysis responds to the ‘what’ type of
question and does not provide information about the reasons to
operate in cyberspace (why/what for), is not an expression of
the Commander requirements (which ones and how much), is
not an organizational chart (who), and is not a process for
3
For some authors, including [4], operational sequence
analysis is a self-contained subset of task analysis.
674
conducting cyberspace operations (how). The functional
analysis can assist in developing answers to these questions,
however, there are better engineering products for them. With
the intention to respond to the question ‘what shall NATO do to
conduct operations in/through cyberspace?’, NATO Allied
Command Transformation (ACT), with the support of the
NATO CIS Agency (NCI Agency), developed in 2017 a
cyberspace operations functional analysis [9], with the purpose
of (1) Developing the understanding of NATO’s role in
cyberspace; (2) De-conflicting this understanding with the
nationally provided cyberspace capabilities and contributions;
(3) Further analyzing the NATO capability requirements based
on the functions that are selected for NATO implementation
and; (4) Increasing interoperability of NATO’s cyberspace
capabilities with those provided by the nations and other
partners (through the analysis of all input/output interfaces for
all identified functions). The functional analysis is purposely
agnostic of organization, intent, mission, capability and
technology, with the aim to provide a generic view for
discussion, but also to allow embracing all possible national
arrangements and all possible mission types within a single
analysis.
Figure 1 below depicts the Level 1 and 2 functional
decomposition of the ‘Conduct (Joint) Cyberspace
Operations’. The term ‘Joint’ expresses the recognition that
cyber will very often be a component of any and all future
missions, and seldom a single domain of operation, with the
possible exception of the enduring cyber activities that are
permanently on-going due to the continuous nature of
adversaries’ actions and persistent threats.
Figure 1. Level 1 and 2 functional decomposition of cyberspace operations.
From the Commander’s standpoint (the one and only focus
of the functional decomposition), executing a mission in
cyberspace involves protecting and defending one’s own
cyberspace, by preventing attacks, defending from them when
they happen and restoring capabilities if they succeed. The
second main function is to conduct the cyber-INTEL process,
collect, generate and disseminate cyber Situational Awareness
(SA) and feed the Cyber Recognized Picture (CRP), possibly
as an input to the Common Operational Picture (COP). In the
third and final function, the Commander will be interested in
 Milcom 2018 Track 4 - System Perspectives

conducting (stand-alone or joint) operations in cyberspace, (ISR), contributing to joint SA and sharing it with applicable
which involves the traditional activities of planning, C2 and partners.
effect delivery.
The subsequent paragraphs describe the three Level 1
function areas and, as mentioned earlier, these areas are
applicable to both NATO and individual nations. NATO does,
however, face additional challenges related, but not limited, to
the integration of SA products from the nations, collation of the
C2 information required to facilitate the Commander
conducting the mission and the coordination of cyberspace
effects delivery. NATO specific requirements are not
addressed in the functional analysis, as this begins the
questions of ‘how’, for which the functional analysis is not
expected to address.

A. Protect and Defend Own Cyberspace

In [10] Sir Alfred T. Mahan already said that ‘The most
important of strategic lines are those which concern the
communications. Communications dominate war’. This
statement is particularly relevant nowadays, when mostly all
C2 is executed using electronic communications and
information systems that are an integral part of the cyberspace.
Adversaries are and will try to exclude the Alliance from
access to cyberspace in order to gain a strategic advantage in a
conflict. This is the concept of strategic Anti-Access and Area
Denial (A2/AD) as described in [11]. In response to
Adversaries’ attempts to conduct strategic A2/AD, the purpose
of the ‘Protect and Defend Alliance Cyberspace’ function is ‘to
build an effective response to measurably increase confidence
in NATO’s communications and information systems essential
for mission purposes, while at the same time decrease a would-
be attacker´s confidence in the effectiveness of their
capabilities to compromise NATO’s systems’4.
Reference [13] presents an elegant capability breakdown of
NATO CIS security (including cyber defense), based on the
NIST cybersecurity framework [14]. The breakdown, however,
is not intended to represent the Commander’s interest, as it is
capability centric and described in terms of technical functions.
Figure 2 presents an alternative representation that addresses
the Commander’s most likely (military-focused) functions in
‘Protect and Defend Own-Cyberspace’.
The decomposition shows that the military relevance of
cyber defense focuses on cyber risk assessment and positive
control of own cyberspace, while being able to detect, describe
and mitigate or cancel the effects of a successful attack, being
able to conduct prioritized systems recovery based on their
military mission impact, as well as develop Commander
alternatives to operate in degraded mode.

B. Cyber Intelligence, Situational Awareness and the Cyber

Recognized Picture
Cyber intelligence, development of SA and
generation/distribution of the Cyber Recognized Picture (CRP)
has been decomposed into sub-functions related to
understanding the key (cyber) terrain, preparing the
battlespace, Intelligence, Surveillance and Reconnaissance Figure 2. Level 1 to 4 functional decomposition of “Protect and Defend Own
Cyberspace”.

4
Adapted from [12]

675
 Milcom 2018 Track 4 - System Perspectives

None of these Level 2 functions are radically different from

their counterparts in the other domains. There are, however,
some specific details uniquely related to cyberspace operations
that are worth mentioning.
The ‘Perform Intelligence Preparation of the Battlespace
(IPB)’ Level 2 function includes the Level 3 functions ‘Define
the Operational Environment’, ‘Evaluate Threat/Adversary’
and ‘Determine Threat/Adversary Courses of Action (COAs)’.
It must be noted that the definition of the operational
environment is quite complex in cyberspace and different from
the traditional domains, since the environment is normally not
geographically bound, is subject to human manipulation and
rapid modification, and is, in general, not so well-known. Also,
when COAs are developed and analyzed, it is important to
consider the cross-domain impact of cyber and non-cyber
threats and actions over each other.
The Intelligence, Surveillance and Reconnaissance (ISR)
Level 2 function is equally similar to other domains
counterpart, but the fact that the required/available cyber
effects (weapons), for both NATO and the majority of national
Commanders, are not normally known in advance is a factor
that complicates the ISR process and introduces ambiguity,
both for planning purposes and for battlefield damage
assessment.
Many scholars argue that collection, production and
dissemination of SA are both enablers and outcomes of mission
planning and execution, and not functions in themselves. While
the authors do not disagree with this understanding, the need to
execute specific functions and tasks to generate and
disseminate SA, as well as the need to acquire their supporting
capabilities, have prompted to their inclusion as Level 2
functions as depicted in Figure 3.
Some particularities of SA in cyberspace include 1) the
need to integrate INTEL and information from different
technical (network, Service Management and Control [SMC],
CIS security), operational (mission services, adversaries’
Tactics, Techniques and Procedures [TTPs]) and strategic
levels (intent, contributions to attribution); 2) the complexity
of visualizing non-geographical information in a manner
understandable to the Commander; 3) the need to describe SA
without explicit identification of available cyber weapons; 4)
the role of commercially provided (and vulnerable) threat data-
feeds; 5) the technical difficulty of conducting damage
assessments in cyberspace; and 6) the short lived value of
zero-day exploits once revealed, to mention a few.

C. Conduct Cyberspace Operations

Conducting cyberspace operations (most likely in the
framework of a joint operation) is not that different from doing
so in the other domains and, essentially, consists of the Level 2
functions of ‘Operations Planning’ and ‘Command and
Control (C2)’ (see Figure 4). The planning function can be
further decomposed into mission analysis, Concept of
Operations (CONOPS) development and Operations Plan
(OPLAN) development. The full decomposition is available in
[8], but for the purposes of this paper, the main differences
with planning and C2 in cyber compared with the traditional
domains can be highlighted.
Figure 3. Level 1-3 decomposition of Conduct Cyber INTEL and produce of
the Cyber Recognized Picture (CRP) function.
For the planning part of mission execution, identifying
available forces and assets in cyberspace operations is
normally constrained by the need to minimize awareness of
cyber weapons in order to limit risk of the adversary
developing protection or mitigation mechanisms, thus
rendering the effects useless. When it comes to risks
identification, the risk of attribution is an important element for
consideration, which is especially relevant at the political and
strategic communications levels. Also risk related, there is
substantially less experience in the estimate of cyberspace

676
 Milcom 2018 Track 4 - System Perspectives
collateral damages, which might have strong implications for
civilians, among others.
The C2 part of mission execution also has some cyber-
related peculiarities. Exercising control of operational units
involves both synchronization of network-defensive measures
and the integration of operational cyber effects. The first one,
defensive measures, trigger the functions identified in the first
function in Level 1, ‘protect and defend own-cyberspace’,
while the integration of effects calls for synchronization of
cyber and non-cyber effects, and the request of effects,
normally blind from the underlying providing weapons.
A partial Level 1 to 5 decomposition of ‘Conduct
Cyberspace Operations’ can be seen in Figure 4, while the full
decomposition is available in [9].
There is not much publicly available information on the
Level 5 function ‘deliver offensive cyber effects’. Delivery of
offensive cyber effects attempts to exploit vulnerabilities to
create effects that interfere with the ability of their victims to
carry out military or other tasks [15]. The US Air Force Space
Command Functional Concept for Cyberspace Operations [16]
describes force application in combat operations in, through,
and from cyberspace to achieve military objectives, and
influence the course and outcome of conflict by taking decisive
actions against approved cyberspace or other data/information
infrastructure targets. While a valuable description, it says little
about the actual functional process to deliver those effects.
Figure 4. Level 1 to 5 (partial) decomposition of “Conduct Cyberspace
Operations”.
Developed by Lockheed Martin, the ‘Cyber Kill Chain’
[17] framework is part of the Intelligence Driven Defense
model for identification and prevention of cyber intrusions
activity. The model identifies what an adversary must complete
in order to achieve their objective, and can be used to enrich an
analyst’s understanding of an adversary’s TTPs. While not
strictly modelled to the Commander’s perspective, but more
suited for Network Operations Center (NOC) operations, it still
677
can be very well used to model the delivery of cyber weapons.
The Kill Chain cycle can be further augmented by
decomposing it using any of the many commercially available
life cycles and models/frameworks. For example, MITRE’s
threat-based security approach [18] further decomposes the
Kill Chain phases ‘Control, Execute, Maintain’ into 10
different tactics that represent the tactical goals of a cyberspace
operations, which include: Persistence, Privilege Escalation,
Defense Evasion, Credential Access, Discovery, Lateral
Movement, Execution, Collection, Exfiltration and C2. The
outcome, as depicted in Figure 5, can be used to inform the
functional decomposition of the ‘Deliver offensive cyber
effects’ Level 5 function.
Figure 5. Functional decomposition of ‘Deliver Offensive Cyber Effects’.
III. USING THE CYBERSPACE OPERATIONS FUNCTIONAL
ANALYSIS
As stated in the introduction, the functional analysis is an
essential product in a human-factors-focused engineering
approach to the cyberspace operations domain development. It
is, one of the products that need to be developed in order to
achieve a cyberspace operations ‘Body of Knowledge’ (BoK)
sufficient to enable NATO to play its role in synchronizing
national forces and capabilities and provide common funded
interoperable tools in support of collective defense. Figure 6
shows the role of the functional analysis in such BoK from two
dimensions: the MFT, but also in the domain life-cycle,
including domain development, capability development and
domain operation.
The figure shows how the Cyberspace Operations Vision
and Strategy, along with the under development doctrine,
satisfy the needs of the domain mission analysis, while the
functional analysis herein presented suffices as the function
analysis of the domain. The task analysis (including
operational sequence analysis) is currently under development
in the form of concepts of operation, information flows and
mission thread analysis. When it comes to the capability
development dimension, the Vision and Strategy is the main
reference for the user operational requirements, while the
functional analysis is the source of the capability breakdown.
If the functional analysis is the catalogue of all generic
functions that the Commander might invoke to achieve the
vision, the capability breakdown is the menu of capabilities
that the operational users might need to conduct cyberspace
operations. The capability breakdown, along with the task
analysis products (concepts of operation, information flows
 Milcom 2018 Track 4 - System Perspectives

and mission threads), enable the production of the capability
architectures supporting capability development and
acquisition.
functional analysis should be capable to model and describe
any and all of the options and their combinations to make sure
it serves as a vehicle to de-conflict roles and responsibilities
among NATO organizations, NATO and the nations, and
between those and any external (civilian or military) partner.

[1]
[2]
[3]
[4]
[5]
Figure 6. The role of the functional analysis in the cyberspace domain, [6]
capability and operations development.
In the operational dimension, the operational users
(Commanders and forces) will employ those capabilities [7]
(material and non-material) to execute missions and operations.
The lessons identified should serve to inform the evolution of [8]
doctrine, thus completing the development life-cycle for
cyberspace domain operations. [9]
[10]
IV. FUTURE WORK
At the time of writing, several task analysis activities are [11]
taking place, including the development of concepts,
information flows, mission threads and architectures. Those [12]
under-development products are already being used to inform
capability acquisition, and multiple cyber specific or cyber-
aware exercises are systematically taking place in NATO. [13]
Those activities will certainly allow for the validation and
enhancements of the functional analysis, towards eventual [14]
formal adoption. At the same time, the functional analysis and
the derived capability breakdown are being used as the basis
for structured scorecards to enable baselining NATO and
national capabilities, and evaluating their evolution overtime, if [15]
so desired.
[16]
V. CONCLUSIONS
Engineering methodologies are very useful approaches to
[17]
develop a brand-new, science and technology heavy domain of
operations. The functional analysis of cyberspace operations is
a great modelling tool to answer the question of ‘what’ the
Commander needs to do to conduct an operation in/through
cyberspace. The functional analysis needs to be complemented
with a number of other products to provide a domain-wide [18]
BoK. This BoK should be the reference in support of
operations, capabilities and doctrine development. The key for
broad stakeholders’ applicability and long-term validity of the
functional analysis is to make it agnostic to nation,
organization, mission-type, intent and technology. The
REFERENCES
DPRC-WP(2016)0003-REV14 (INV)-FINAL, Warsaw Summit
Communiqué, Item #70. July 2016. Available at
https://www.nato.int/cps/ic/natohq/official_texts_133169.htm.
Springer Publishing, “Cyber Defence and Situational Awareness”,
Volume 62, 2014
AAP-06. NATO Glossary of Terms and Definitions. Edition 2018. URL
http://nso.nato.int/nso/zPublic/_BranchInfo/Terminology_Public/Non-
Classified%20NATO%20Glossaries/AAP-6.pdf.
Engel, R. “Guidelines for Human Factors Engineering Requirements for
Canadian Forces Command and Control Information Systems”. DCIEM
No 98-CR-20, Department of National Defence, Government of Canada,
April 1998. URL http://cradpdf.drdc-
rddc.gc.ca/PDFS/zbb62/p508761.pdf.
MIL-HDBK-46855. Human Engineering Requirements for Military
Systems, Equipment and Facilities. US Department of Defense. 24 May
2011. URL http://everyspec.com/MIL-HDBK/MIL-HDBK-9000-and-
Up/MIL-HDBK-46855_24733/.
Bernier, M. Perrett, K. “Mission Function Task Analysis for Cyber
Defence” Technical Report, Defence Research and Development
Canada Ottawa, Ontario Canada, 11 Jul 2014. URL
http://www.dtic.mil/dtic/tr/fulltext/u2/1017005.pdf.
MC 0665 (Military Decision). NATO Military Vision and Strategy on
Cyberspace as a Domain of Operations. 23 February 2018.
ISO/IEC 2382:2015, Information Technology - Vocabulary. May 2015.
URL https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:ed-1:v1:en.
6000/TSC FCR 0200/TT-180201/Ser: NU0269. Cyberspace Operations
Functional Analysis. 17 April 2018. NATO Unclassified.
Alfred Thayer Mahan, “The Influence of Sea Power Upon History”
Little, Brown and Company, 1894.
Alison Lawlor, “Strategic A2/AD in Cyberspace” Cambridge University
Press 2017.
Office of the US Secretary of Defense. Memorandum to the Chairman,
Defense Science Board on the Final Report of the Defense Science
Board (DSB) Task Force on Resilient Military Systems, October 2012.
Hallingstad. G, Dandurand, L. “Communications and Information
Systems Security Capability Breakdown” Rev 4, NCIA, August 2013.
NATO Unclassified.
National Institute of Standards and Technology. Framework for
Improving Critical Infrastructure Cybersecurity. Version 1.1. April 16,
2018. URL
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
Libicki, M. “Cyberspace Is Not a Warfighting Domain” I/S: a Journal of
Law and Policy. Vol. 8:2, 2012. URL
http://moritzlaw.osu.edu/students/groups/is/files/2012/02/4.Libicki.pdf.
Air Force Space Command Functional Concept for Cyberspace
Operations. June 2010. URL https://info.publicintelligence.net/USAF-
CyberspaceOpsConcept.pdf.
Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin. Intelligence-
Driven Computer Network Defense Informed by Analysis of Adversary
Campaigns and Intrusion Kill Chains. 2010. URL
https://www.lockheedmartin.com/content/dam/lockheed-
martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-
Defense.pdf.
B. Strom, J. Battaglia, M. Kemmerer, W. Kupersanin, D. Miller, C.
Wampler, S. Whitley, R. Wolf. Finding Cyber Threats with
ATT&CK™-Based Analytics. MITRE Technical Report MTR170202.
The MITRE Corporation, 2017. URL
https://www.mitre.org/sites/default/files/publications/16-3713-finding-
cyber-threats%20with%20att%26ck-based-analytics.pdf

678