(U//FOUO) U.S. Army Network Operations (NETOPS) Manual

This manual was obtained from the U.S. Army’s own website where it was publicly posted.


  • 273 pages
  • For Official Use Only
  • November 19, 2008
  • 2.96 MB


FM 6-02.71 provides doctrine for the overall guidance and direction pertaining to the command and control of Army communications networks (voice, video, and data) and information services (collaboration, messaging, storage, mediation, etc.) throughout strategic, operational, and tactical levels. It describes the Army’s portion of the Global Information Grid (hereafter referred to as LandWarNet), network operations goals and objectives, and the associated roles and responsibilities of applicable organizations, materiel, leadership, personnel, and facilities that must integrate LandWarNet standards, telecommunications, services, and applications for the purpose of enabling warfighters to conduct the information management and knowledge management tasks necessary to achieve information superiority and decision dominance.

The network operations construct is an integrated operational framework consisting of network management/enterprise systems management, information assurance/computer network defense, and information dissemination management/content staging. This manual provides a general functional understanding of each network operations component, along with an understanding of why the components must be integrated in order to meet overall objectives.

As stated, network operations are critical to the command and control of organizational communications networks and information services that enable commanders to use the network in order to shape and influence operations. Its principles allow for assured network and information system availability, assured information protection, and assured information delivery. The result is a horizontal fusion of information that flows to the right place, at the right time, and in the right format in order to attain information superiority and decision dominance over any adversary.

1-2. In concept, the GIG is very much like the Worldwide Web. It exists as a baseline capability and is comprised of information and information services residing on transporting infrastructures and segments. It is important to note that the GIG is a portion of cyberspace. The DOD definition of cyberspace is “the global domain consisting of interdependent networks of information technology infrastructures, and includes the internet, telecommunications networks, computer systems, and embedded processors and controllers.” The GIG, as the DOD’s portion of cyberspace, interacts with and provides connections to national and global cyberspace, the national information infrastructure and global information infrastructure respectively. DOD’s strategy is to create the cyberspace domain by integrating the seven components of the GIG (warrior, global applications, computing, communications, NETOPS, information management, and foundation as described in Figure 1-1) in order to enable joint forces to achieve information superiority, as well as in the future, allow them to conduct offensive cyberspace operations when necessary. Authorized users access the GIG and its services either through military or commercial communications or through a series of entry points, e.g., standardized tactical entry point (STEP) and teleport facilities. These points provide information transfer gateways as a means of forming a junction of space-based, aerial, and terrestrial networks and a connection for strategic or fixed assets and tactical or deployed users. It provides multiple connection paths between information users and information producers and enables effective and efficient information flow.


2-27. Threats to the GIG and LWN are genuine, world-wide in origin, technically multifaceted and growing. They come from individuals and groups motivated by military, political, cultural, ethnic, religious, personal, or industrial gain. These types of threats are categorized by the Committee on National Security Systems Instruction No. 4009 as incidents (assessed occurrences having actual or potential adverse effects on an information system) or events (occurrences, not yet assessed, that may affect the performance of an information system). According to FM 3-13, the capabilities of adversaries operating in the information environment are:

  • First level: lone or small groups of amateurs using common hacker tools and techniques in an unsophisticated manner without significant support.
  • Second level: individuals or small groups supported by commercial business entities, criminal syndicates, or other transnational groups using common hacker tools in a sophisticated manner. This level of adversary includes terrorists and non-governmental terrorist organizations. Their activities include espionage, data collection, network mapping or reconnaissance, and data theft.
  • Third level: individuals or small groups supported by state-sponsored institutions (military or civilian) and significant resources, using sophisticated tools. Their activities include espionage, data collection, network mapping or reconnaissance, and data theft.
  • Fourth level: state-sponsored offensive IO, especially computer network attacks, using state-of-the-art tools and covert techniques conducted in coordination with (ICW) military operations.

2-28. These events and incidents (both initiated by potential or actual adversaries or by Army users or administrators as a result of carelessness or non-compliance) are identified by the IA and CND communities into categories that include:

  • Category 1: root level intrusion (incident): unauthorized privileged access (administrative or root access to a DOD system).
  • Category 2: user-level intrusion (incident): unauthorized non-privileged access (user-level permissions) to a DOD system.
  • Category 3: unsuccessful activity attempt (event): attempt to gain unauthorized access to the system that is defeated by normal defensive mechanisms. The attempt fails to gain access to the system (e.g., the attacker attempts valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning.
  • Category 4: denial of service (incident): activity that impairs, impedes, or halts normal functionality of a system or network.
  • Category 5: non-compliance activity (event): activity that due to DOD actions (or non-actions) makes an IT system potentially vulnerable (e.g., missing security patches, connections across security domains, installation of vulnerable applications, etc.).
  • Category 6: reconnaissance (event): an activity (scan or probe) that seeks to identify a computer, an open port, an open service, or any combination thereof for later exploit.
  • Category 7: malicious logic (incident): installation of malicious software (e.g., Trojan, backdoor, virus, or worm).
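
As an added illustration (not taken from FM 6-02.71 or any Army tool), the following triage sketch sorts per-source activity into Categories 1, 2, 3, and 6 as defined above, separating a defeated access attempt (Category 3) from exploratory scanning (Category 6). The record layout, the privileged-account names, the allow list, and the scan threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Event/incident labels for the categories this sketch covers (paragraph 2-28).
KIND = {1: "incident", 2: "incident", 3: "event", 6: "event"}
PRIVILEGED = {"root", "administrator"}   # assumed privileged account names
AUTHORIZED = {("10.0.0.5", "asmith")}    # assumed (source, account) allow list

# Constructed sample records: (source, action, port, account, outcome).
SAMPLE = [
    ("198.51.100.7", "connect", 22, None, "refused"),
    ("198.51.100.7", "connect", 23, None, "refused"),
    ("198.51.100.7", "connect", 80, None, "open"),
    ("198.51.100.7", "connect", 443, None, "open"),
    ("203.0.113.9", "login", 22, "admin", "fail"),
    ("203.0.113.9", "login", 22, "admin", "fail"),
    ("192.0.2.44", "login", 22, "jdoe", "fail"),
    ("192.0.2.44", "login", 22, "jdoe", "success"),
    ("192.0.2.80", "login", 22, "root", "success"),
    ("10.0.0.5", "login", 22, "asmith", "success"),
]

def categorize(records, scan_ports=3):
    """Return {source: (category, kind)}; scan_ports is an assumed threshold."""
    ports, failed, access = defaultdict(set), defaultdict(int), {}
    for src, action, port, account, outcome in records:
        if action == "connect":
            ports[src].add(port)
        elif outcome == "fail":
            failed[src] += 1
        elif (src, account) not in AUTHORIZED:
            # Unauthorized access gained: privileged is Category 1, otherwise 2.
            cat = 1 if account in PRIVILEGED else 2
            access[src] = min(cat, access.get(src, cat))
    result = {}
    for src in set(ports) | set(failed) | set(access):
        if src in access:
            cat = access[src]
        elif failed[src]:
            cat = 3   # defeated access attempt, not exploratory scanning
        elif len(ports[src]) >= scan_ports:
            cat = 6   # probing for open ports or services
        else:
            continue
        result[src] = (cat, KIND[cat])
    return result

if __name__ == "__main__":
    for src, (cat, kind) in sorted(categorize(SAMPLE).items()):
        print(f"{src}: Category {cat} ({kind})")
```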

2-29. The globalization of network communications and the IT marketplace creates vulnerabilities due to increased access to the information infrastructure from points around the world and the uncertainties of the security of the IT supply chain. The global commercial supply chain provides adversaries with greater opportunities to manipulate information and communications technology products over the products life cycle…adversaries have greater access to our networks when (their) products or services are delivered. Threats against computers, network, and information systems vary by the level of hostility (peacetime, conflict, or war), technical capabilities and motivation of the perpetrator. Threats to the information systems and networks relied upon by strategic and tactical forces exist from various sources, and they exist on a continual basis.


2-32. An intentional intrusion is an attack against computers or information systems. Some attacks have a delayed effect and others are immediate. Both the delayed and immediate attacks corrupt databases and controlling programs, and may degrade or physically destroy the system attacked. Timely attack detection is essential to initiating network restoration and network intrusion response capabilities. The following paragraphs discuss types of attacks.

2-33. Computer attacks generally aim at software or data contained in either end-user or network infrastructure computers. Adversaries aim at unobtrusively accessing information, modifying software and data, or totally destroying software and data. These activities can target individual computers or a number of computers connected to a LAN or wide area network (WAN). Computer attacks may take place during routine tactical operations and may be multifaceted to disrupt major military missions. These attacks can also take place during wartime and peacetime. Attacks can be part of a major nation-state effort to cripple the US national information infrastructure. They can also come from mischievous or vengeful insiders, criminals, political dissidents, terrorists, and foreign espionage agents.

2-34. Malicious computer attacks can be intentionally designed to unleash computer viruses, trigger future attacks, or install software programs that compromise or damage information and systems. They may also involve unauthorized copying of files, directly deleting files, or introducing malicious software or data. Malicious software generally consists of executable software codes secretly introduced into a computer and includes viruses, Trojan horses, trap-doors, and worms. Malicious data insertion, sometimes termed “spoofing,” misleads a user or disrupts systems operation. For example, an attack disrupts a packet data network by introducing false routing table data into one or more routers. An attacker who denies service or corrupts data on a wide scale may weaken user confidence in the information they receive by corrupting or sending false data.

2-35. Physical attacks generally deny service and involve destruction, damage, overrun, or capture of the systems components. This may include end-user computers, communications devices, and network infrastructure components. A physical attack involves the overrun and capture of computer equipment that allows the adversary to employ a computer attack. Another form of physical attack is theft of items, such as cryptographic keys or passwords. This is a major concern since these items can support subsequent electronic or computer attacks.

2-36. Electronic attacks focus on specific or multiple targets within a wide area. Attacks against communications links include the following two types of signal intelligence operations: signal intercept and analysis to compromise data, and emitter direction finding and geo-location to support signal analysis and physical attacks. “Jamming” is another attack against communications links. Jamming corrupts data and may cause denial of service to users. For example, the jamming of communications links supporting global positioning system users is a specific concern.
