What is the CEMA Environment as a Battlespace?
The Cyber and Electromagnetic environment continues to expand within military forces as they modernise and digitise their platforms, connecting them to a military system of systems-based (SoS) capabilities. (Dahmann, 2012) These systems of systems extend cyberspace and utilise the electromagnetic environment to support military affairs. The defenders' interest is to protect the BLUE system of systems and prevent the systemic effects (Beagle, 2001) of the Attackers (RED) that may suppress essential BLUE capabilities, as illustrated in Figure 2.
Military System of systems
The US Defense Acquisition Guidebook defines a System of Systems as “a set or arrangement of systems that results when independent and useful systems are integrated into a larger system that delivers unique capabilities.” Typical SoS include Joint Fires, integrating effectors and platforms in the air, ground, and sea; Joint C5ISTAR, integrating Command and Control with Cyber Defence, Surveillance sensors, and Intelligence systems; and Combined Air Defence, integrating space, air, sea, and ground-based air defence platforms for joint engagement zones.
A model for a system of systems may be illustrated, as in Figure 2, with a layered structure of Physical platforms or facilities and auxiliary systems that host hardware capacities for processing and transmission; Electromagnetic performance that transfers effective radiated power (ERP) to propagate in an electromagnetic environment (EME); Logical software and data-defined features and flows that enable processes for military affairs. The technical illustration may scale towards socio-technical SoS with users and administrators. (Mattila, 2023) Furthermore, it may extend to enterprise-wide system networks that support the main military functions of Operate, Generate and Support. (DANSE, 2025) These systems of systems open new domains and attack vectors for adversaries to penetrate, exploit, and suppress defenders' capabilities through the means and ways of cyber and electromagnetic warfare.
Cyber warfare can be thought of as techniques to create effects or gain intelligence on hostile systems through the medium of digital code. (Bronk, 2025) Electronic warfare can be thought of as techniques to create effects or gain intelligence on hostile systems through the medium of electromagnetic energy pulses. (Bronk, 2025)
Cyberspace within SoS
Militaries are embracing the 4th Industrial Revolution and its key enabler: software-defined cyber-physical products, enabling faster decision-making and manoeuvring. (McNamara, Modigliani, & Nurkin, 2025) The software-defined military systems promise advantages such as:
- Modernising legacy platforms with cutting-edge technology-enabled features, like anti-missile and anti-drone defence.
- Building future software and artificial intelligence-driven autonomous forces with an iterative approach, such as swarming effectors and loitering sensors.
- Delivering time and cost efficiencies in administrative and operational processes, such as continuous software integration and AI agents capable of learning multiple tasks. (McNamara, Modigliani, & Nurkin, 2025)
As software-defined features take over from mechanical functions, the amount of software code explodes. Unfortunately, the industry average for coding errors remains 15-50 defects per 1000 lines of code, and at best, the quality may reach 0.1 defects per 1000 lines. (McDonnell, 2004) The exponential rise of software code in armament, the integration of system-of-systems, and big data together increase the area of vulnerability within the technical layer of SoS.
- Example: More than 30,000 public and private organisations were exposed to the SolarWinds hack between 2019 and 2020. Apparently, a Russian agent was able to inject malicious code into SolarWinds Orion management software. When customers updated their management software, the malevolent code created backdoors for hackers to access data. (Oladimeiji & Kerner, 2023)
On the other hand, the evolving digital transformation of the Armed Forces requires competent military personnel to manage and use software-defined features and processes. Otherwise, the increasing number of people interfacing with machines will provide lucrative avenues of attack. (Entrust Network, 2022)
- Example: The Russian Ministry of Internal Affairs is advising residents and soldiers in areas near or within Ukrainian Forces not to use online social media, dating apps, geotagging, geolocational links, or unsecured messaging applications. (Linder, 2024)
Software-defined and data-driven cyberspace is more vulnerable, but it also provides strategic advantages for the military. Hence, Information technology security, Cybersecurity, and Cyber defence operations are more critical as the military's digital transformation advances. (Whyte & Mazanex, 2023)
- Example: Outdated technologies in enclaves expose the military to strategic vulnerability. An unpatched operating system in a fleet of main battle tanks may become a lucrative way to suppress the entire armoured capability. (Military Dispatches, 2024)
Electromagnetic environment within SoS
Cyberspace relies on an electromagnetic environment (EME) as part of the physical layer performance and protection. The EME extends cyberspace through the air via propagation, ensuring information flow, surveillance, and precision targeting, among other things. Unfortunately, the EME also exposes cyberspace to bit errors, interference, interception, and jamming. (Adamy, 2015)
Propagation in EME depends mainly on frequency, effective radiated power (ERP), antenna radiation patterns, atmospheric attenuation, and diffusion caused by elements along the propagation paths. This means that a significant concern in EME is the distance between the transmitter and receiver/reflector. Hence, both ES and EA sensors and effectors need to be networked to select optimally located EW sites for intercepting or jamming. (Clark, Walton, Tourangeau, & Tourangeau, 2021) Any EW system, therefore, has its own cyberspace, which needs to be protected against adversary electromagnetic and cyber effects.
- Example: Ukrainian forces are combining electronic attacks, attack drones, and advancing infantry to penetrate behind Russian lines and create confusion. First, the Russian surveillance drones are jammed; then, attacking drones hit both aerial and ground targets; and finally, infantry can advance and take over crucial points on the ground. (Álvarez, 2025)
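The dependence of propagation on frequency, ERP, antenna pattern and distance described above can be made concrete with a free-space link budget. The following is an added example, not part of the original article: it estimates how much margin a BLUE link keeps against a co-channel interferer and the longest link distance that still meets a planner's margin. It assumes free-space loss only (no terrain or atmospheric attenuation), and all names and numbers are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class Emitter:
    """An emitter as seen by one receiver (illustrative model, not from the article)."""
    erp_dbm: float       # effective radiated power toward the receiver
    distance_km: float   # distance from emitter to receiver
    rx_gain_db: float    # receiver antenna gain in the emitter's direction


def fspl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss in dB for a distance in km and a frequency in MHz."""
    if distance_km <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 32.44 + 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz)


def received_dbm(e: Emitter, freq_mhz: float) -> float:
    """Power delivered to the receiver: ERP minus path loss plus receive gain."""
    return e.erp_dbm - fspl_db(e.distance_km, freq_mhz) + e.rx_gain_db


def interference_to_signal_db(link: Emitter, interferer: Emitter,
                              freq_mhz: float) -> float:
    """Interference-to-signal ratio at the receiver; negative means the link dominates."""
    return received_dbm(interferer, freq_mhz) - received_dbm(link, freq_mhz)


def max_protected_range_km(link_erp_dbm: float, link_rx_gain_db: float,
                           interferer: Emitter, max_is_db: float) -> float:
    """Longest link distance at which I/S stays at or below max_is_db.

    Both paths are on the same frequency, so the frequency term cancels and
    only the ERP difference, the gain difference and the distance ratio remain.
    """
    advantage_db = (interferer.erp_dbm - link_erp_dbm
                    + interferer.rx_gain_db - link_rx_gain_db)
    return interferer.distance_km * 10 ** ((max_is_db - advantage_db) / 20)


# Constructed scenario: a 300 MHz BLUE link over 10 km, and an interferer
# 100 km away that the receiver only sees through a -10 dB antenna sidelobe.
FREQ_MHZ = 300.0
BLUE_LINK = Emitter(erp_dbm=40.0, distance_km=10.0, rx_gain_db=0.0)
INTERFERER = Emitter(erp_dbm=50.0, distance_km=100.0, rx_gain_db=-10.0)

if __name__ == "__main__":
    ratio = interference_to_signal_db(BLUE_LINK, INTERFERER, FREQ_MHZ)
    print(f"I/S at 10 km link distance: {ratio:.1f} dB")
    for margin in (0.0, -6.0):
        reach = max_protected_range_km(BLUE_LINK.erp_dbm, BLUE_LINK.rx_gain_db,
                                       INTERFERER, margin)
        print(f"link holds I/S <= {margin:+.0f} dB out to {reach:.1f} km")
```

Doubling the link distance costs 6 dB of margin in free space, which is why receive-antenna directivity and site placement matter as much as raw ERP when planning electronic protection.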
As the vulnerability of any radiating site increases, the need is to distribute, for example, surveillance radars and create low-size, weight, and power (SWaP) radar networks (Knight, 2025). While improving systems resilience, the distributed architecture also provides more comprehensive coverage, especially in complex terrains. With the distributed and more disposable radar structure, the cognitive electronic warfare (CEW) attributes will enhance both offensive and defensive capabilities. (Vernhes, 2025)
- Example: Artificial intelligence-driven electronic protection (EP) can adapt in real-time to conventional radar configuration and avoid detection. (Knight, 2025)
Combined cyber and electromagnetic domain from a C5ISTAR system of systems viewpoint
Figure 2 presents a technical figure of the CEMA environment. It is a snapshot from the viewpoint of a Command, Control, Communications, Computers, Cyber, Intelligence, Surveillance, Target Acquisition, and Reconnaissance system of systems, illustrating both vulnerabilities to attacks and defensive measures. Cyberspace can be used to attack transceivers and create a systemic disruption in communications services.
- Example: Russians used a strain of wiper malware, ‘AcidRain’, to remotely erase vulnerable modems and routers of the Viasat service, disrupting Ukrainian access to broadband space communications for up to a week. (CyberPeace Institute, 2022)
Electromagnetic attacks can be used to jam wireless transceivers and cause denial-of-service effects in cyberspace.
- Example: Russians are reportedly jamming GPS and other satellite-based navigation systems in the vicinity of the Baltic Sea as part of their hybrid operation to create fear of flying by degrading flight safety. (Waterman, 2024)
Cyberspace data flows can be captured by intercepting the GSM signal with a software-defined transceiver and analysing the data flow of ongoing sessions. (Louwers, 2024) By rerouting GSM traffic through compromised switches and exchanges, adversaries can capture mobile data flows.
- Example: The Russian FSB operates communications interception devices (SORM) in telecommunications exchanges to collect and analyse traffic. (Soldatov, 2014)
A hacker can take over a router in cyberspace by accessing it through a wireless interface, exploiting outdated firmware, and using the hijacked router as part of a Denial-of-Service (DoS) botnet, distorting routing protocols or capturing IP packets. (Rau, 2023)
- Example: Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street. (Greenberg, 2024)
Figure 2: A View of the CEMA Environment in Typical Forces Confrontation
CEMA in an Operational Context
Since the CEMA domain overlaps cognitive and physical realms and covers most of the information realm, as illustrated in Figure 1, it is an avenue to support both kinetic and information operations. Both Electronic and cyber-attacks can contribute to kinetic fires for joint systemic effect, as presented in Figure 3. The Russian Fancy Bear hacker group successfully infiltrated a Ukrainian artillery application used to control fires. Through the breach of 2014-2016, Russian artillery was able to locate both fire controllers and weapon sites on the Ukrainian side and destroy them more efficiently. (Crowdstrike, 2016)
Moreover, information operations benefit from Cyber or Electronic attacks that suppress official media sites or utilise hijacked cyberspace elements to disseminate influence messages. (Microsoft, 2023) Within the information realm, CEMA operations can also be employed independently as a covert arm, operating below the conventional threshold of war or providing an asymmetric advantage (Russian Defense Policy, 2017) against modern forces. Russia has also used CEMA as part of a broader hybrid campaign to create terror, break the trust between population and government, and manipulate polarisation within a population. (NATO, 2024)
Since CEMA primarily focuses on the synchronisation and coordination of cyber and electromagnetic activities, the components and their combination in support of operations are more critical in various contexts. (UK MoD, 2018) The Electronic Warfare components are Electronic Attack, Electronic Support, and Electronic Protection, as shown in Figure 3.
- Electronic Attack (EA) broadly refers to the use of electromagnetic energy to degrade the performance of hostile systems for offensive purposes. It may contribute to kinetic, information, and CEMA operations independently.
- Electronic Support (ES or ESM) encompasses the exploitation of passively collected electromagnetic emissions to identify, track and possibly even target hostile systems. It supports EA, EP and Network operations directly and provides essential awareness for force protection.
- Electronic Protection (EP or ECM) involves the use of electromagnetic energy by a platform to defend itself against enemy attacks, typically by degrading the signals received by enemy fire control radars, datalink connections, or missile seekers. (Bronk, 2025) EP support is used directly in kinetic operations security and survivability but also contributes to Network operations and EA.
Cyberspace actions are network operations, cybersecurity, cyber defence, and cyber-attack.
- Network operations (NO, NOC) encompass actions taken to design, build, configure, secure, operate, maintain, and sustain the C5ISTAR system of systems in a manner that ensures and preserves data availability, integrity, confidentiality, as well as user and entity authentication and non-repudiation. (Senft, 2016) Network operations contribute directly to Cyber defence operations, but they also enable all military activities that use digital information. NO requires cybersecurity operations and other security measures to provide C5ISTAR support services.
- Cyber defence operations (CDO) utilise both passive and active cyberspace capabilities to protect data, networks, net-centric capabilities, and other designated C5ISTAR system of systems. (FM 3-21, 2021) CDO supports Information, CEMA and kinetic operations, ensuring the survivability of C5ISTAR services.
- Cyberattack operations (CAO) are conducted in cyberspace aiming to create noticeable destructive effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial-of-service impacts in physical domains. (JP 3-12, 2018) CAO supports Information, CEMA, and kinetic operations, opening options for achieving systemic effects in an adversary's system of systems.
Figure 3: A view of CEMA and its components relationship and architectural ontology
Understanding the interrelationships and dependencies of the CEMA in Figure 3 is crucial for effective operational planning and execution, given its complex nature. One instance of negligence renders the entire C5ISTAR system vulnerable to attacks. Naturally, this also applies to adversaries; hence, the coordinated CEMA's offensive activities, whether by themselves or in support of other operations, may yield surprising victories.
How does the CEMA Contribute to and Integrate with Operational and Tactical-level Operations?
The CEMA concept in Figure 4 provides a view of CEMA support to joint operational and component tactical levels of projecting military power. (Plott & Keller, 2020) Joint operations, in this case, assume an all-domain setup, where CEMA is one of the lines of operation (LoOs), in addition to the legacy lines of space, air, ground, and sea. Hence, the joint CEMA may deploy Cyber and Electronic attack effects independently from the other domains and create an alternative line of operation. The CEMA LoO requires specific operational planning, with an understanding of the environment and system of systems engineering (SOSE) of both blue and red systems, in order to contribute to joint operations planning. The execution of CEMA operations requires the orchestration of multiple activities in coordination with the execution of joint operations. Naturally, the CEMA offensive operations planning is facilitated by the Joint Operations Command (JointOpsCmd) and executed according to Operation Orders.
The Joint CEMA Centre (JCEMA), with particular SOSE competencies, is responsible for supporting the Joint Operations Command with joint CEMA planning and the execution of joint CEMA offensive operations. This requires close cooperation with the Staff that plans and executes the Joint Operations. Hence, the JCEMA usually resides within the Joint Staff and contributes to intelligence, planning, information operations execution, kinetic targeting and logistics processes. JCEMA also collects joint-level situational information and contributes to the Joint Operation Picture.
Joint CEMA effectors, such as Joint Cyber Attack (JCA) and Joint Electronic Attack (JEA) units, are under the command of the Joint Operations Command. The JCEMA controls them, while the Forces run platforms. CEMA-related sensors and effectors are integrated into the C5ISTAR support system, enabling seamless data flows and the dissemination of CEMA knowledge.
Defensive Joint CEMA activities may be planned and coordinated in J3 and J6 of the Joint Operations Command.
Figure 4: A Simplified Concept of CEMA Operations
At the tactical level, the CEMA centre (CEMAC) that supports each Component is usually close to the Component Command Staff for tactical planning and mission execution. A Component Command may have CEMA sensors and effectors assigned to it by the Joint Operations Command, or they are integral parts of units under operational control or in support. CEMA's offensive activities primarily support tactical-level fires, while defensive activities contribute mainly to force protection, operations security, and network operations.
The CEMA Centre focuses on supporting CEMA planning and coordinating offensive activities within the Component Staff. It also collects electronic threat information and maintains threat catalogues for electronic protection. Furthermore, the CEMA Centre collects CEMA-related situational information from all sensors and transceivers, contributing to the Component Recognised Picture.
The Network Operations Centre (NOC) and Cybersecurity Operations Centre (SOC) are typically part of the C5ISTAR service provider organisation, supporting both Joint operations and Component missions. The NOC executes, for example, spectrum management operations, communications security, IT security and other ICT-related support, as illustrated in Figure 3, for operations and missions. The SOC conducts cyber surveillance and reconnaissance, monitors assigned cyberspace, detects breaches, and, in conjunction with the NOC, responds to and recovers from adversary cyber-attacks.
Tactical-level CEMA units include, e.g., Cyber-attack teams (CA), Direction-Finding and Jamming platforms (EA), and EME sensors and transceivers (ES). They are assigned to Joint Operations Command and further delegated under the Component control. In addition to their platforms, all tactical-level CEMA units are connected to either the Joint or Component C5ISTAR support system to integrate with CEMA support, protection, or attack information flows.
Tactical-level CEMA defence aims to provide protected cyberspace and enable freedom of use of the Electromagnetic Environment.
Operational level concept of use
The Joint Operations Command (JointOpsCmd) plans an influence operation to affect the adversary public's opinion of their government. INFOOPS requires contributions from the kinetic and CEMA lines of operation. JCEMA is tasked with creating a Course of Action to take down adversary governmental sites and broadcasting, while INFOOPS would disseminate their message through troll factories and bought influencers. After analysing the adversary broadcasting systems and websites, the JCEMA assesses that jamming the TV signal transfer site in the capital and, at the same time, using a botnet for a distributed denial of service (DDoS) attack on the IP gateway that separates the government intranet from the Internet would isolate the population from their government for about 24 hours.
Following the Commander of JointOpsCmd's decision, an influence operation is executed under joint coordination. JCEMA orchestrates the CEMA jamming from airborne platforms and DDoS attacks over the Internet, measures the impact, and keeps JointOpsCmd informed of the operation.
Tactical level concept of use
A: The Air Component Command (ACC) plans to target a strategic manufacturing site in adversary territory. The site is defended by a strong ground-based air defence (GBAD) that would prevent any successful air strike. The Air CEMAC is tasked with determining how it can support the future mission. After analysing the adversary's primary GBAD and secondary support systems, Air CEMAC identifies possible vulnerabilities in the power supply system for the manufacturing site. The electric grid has only one transfer station that feeds the site.
Air CEMAC drafts a mission order as part of the Air Tasking Order, and after the approval from the Commander of ACC, the mission execution is launched. The Air CEMAC coordinates parallel wiper attacks to suppress the grid control system and electromagnetic pulse attacks to burn auxiliary HVAC controllers.
B: Cybersecurity Operation Centre (SOC) surveys and reconnoitres the Internet and adjacent Intranets within the Area of Interest for adversary activities. When detecting an imminent threat and analysing its potential impact in Blue Cyberspace, the SOC creates courses of defensive action in collaboration with the NOC.
The NOC communicates CoAs either to the Component Commander or the Joint Commander, depending on the area of potential effect. After the decision, the SOC and NOC implement preventive actions, monitor the situation and prepare for recovery.
Conclusion
Cyber and Electromagnetic Activities do not integrate well in support of all campaigns and areas of operation. The more digitised and mobile the adversary, the more vulnerabilities and potential for systemic effects there are for CEMA's offensive activities, either independently or as a course of action in support of information or kinetic operations. The more network-enabled the Blue Force is, the more options the adversary has for asymmetric effects. Hence, integrated CEMA defensive actions are necessary for Forces that aim to improve through digital transformations. In other operational confrontations, however, the integration of cyber and electronic warfare means and ways does not necessarily achieve the intended ends.