The IT Law Wiki


Defensive cyberspace operations (DCO) are

[p]assive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other designated systems.[1]


Defensive cyberspace operations direct and synchronize actions to detect, analyze, counter, and mitigate cyber threats and vulnerabilities; to outmaneuver adversaries taking or about to take offensive actions; and to otherwise protect critical missions that enable U.S. freedom of action in cyberspace. This line of operation can trigger offensive cyberspace operations or other response actions necessary to defend DOD networks in response to hostile acts, or demonstrated hostile intent. Dynamic Network Defense Operations is the key U.S. Cyber Command operational method for defensive cyberspace operations.

Types of DCO

Types of DCO consist of:

(1) DCO Internal Defensive Measures (DCO-IDM). Internal defensive measures are those DCO that are conducted within the DODIN. They include actively hunting for advanced internal threats as well as the internal responses to these threats. Internal defensive measures respond to unauthorized activity or alerts/threat information within the DODIN, and leverage intelligence, CI, [law enforcement], and other military capabilities as required.
(2) DCO Response Actions (DCO-RA). DCO-RA are those deliberate, authorized defensive actions which are taken external to the DODIN to defeat ongoing or imminent threats to defend DOD cyberspace capabilities or other designated systems. DCO-RA must be authorized in accordance with (IAW) the standing rules of engagement and any applicable supplemental rules of engagement and may rise to the level of use of force. In some cases, countermeasures are all that is required, but as in the physical domains, the effects of countermeasures are limited and will typically only degrade, not defeat, an adversary's activities.


