VIRGINIA BEACH, VA: The American military is intrigued by the offensive uses for cyber-warfare, but it is struggling to figure out how to do it. What impact can cyber weapons have on the battlefield? What organizations should take the lead? And who makes the decision to pull the trigger?
“We’ve been thinking 90% defense, 10% offense. That’s bass-ackwards for us,” said the outspoken Gen. James “Hoss” Cartwright, the recently retired vice-chairman of the Joint Staff, speaking at last week’s Joint Warfighting Conference in Virginia Beach, co-hosted by the US Naval Institute and the industry group AFCEA. (Click here for more on Cartwright’s remarks, with video). “The offense always has the advantage.”
In an era where vital equipment is increasingly connected to the web, the potential consequences of a cyber attack have moved beyond the theft of data. “If your enemy’s pacemaker has an IP address” – and such devices already exist – “yeah, I think we can kill him,” said Maj. Gen. Steven Smith, head of the Army’s Cyber Directorate, during a panel at the conference.
At the same time, cyber attacks can do things that conventional weapons can’t. “It has effects we’ve never had the opportunity to do before,” said Lt. Gen. Richard Mills, a deputy commandant of the Marine Corps, speaking at the same panel. Instead of just bombing the enemy headquarters, he said, “you can get inside your opponent’s command and control system.”
The trick with such subtler attacks, however, is you may not be sure whether or not they actually worked. “How do you know, when you launch an offensive cyber tool, that you’ve achieved the results you want?” asked Bernard McCullough, a retired Navy vice-admiral also on the panel. “I’d submit to you that we don’t understand that.” The effects of some cyber attacks may be literally visible from space, like a power grid going down, but other effects may invisible, like planting false information or disrupting the flow of intelligence data over the enemy’s network, and their effectiveness depends as much on the reactions of the human beings using the target network as on any technical details. The best way to understand whether your cyber-attack is succeeding is to watch what’s happening inside the target network, but the more damaging your attack, the more likely the enemy is to realize something’s wrong and close the holes that gave you access in the first place. Or a cyber-attack by one command could, unwittingly, shut down an enemy system another US force was trying to exploit.
Lt. Gen. Mills argued that while cyber is unique, it still needs to be integrated into conventional military command and planning structures much like artillery: “It’s a very valuable arrow in the quiver of the tactical commander on the ground.”
The crucial unresolved question, however, remains what commander should have the authority to let that arrow fly. One audience member called out, “It’s the guy who’s getting shot at,” but that simple test isn’t always easy to apply.
“When I left, I couldn’t tell you who was the operational commander responsible” – Cyber Command, Strategic Command, or the regional “combatant commands” – said McCullough, the retired admiral. “If you don’t give the weapons release authority to the lowest [level], you’re going to watch the target go by while we’re debating.”
Some aspects of cyber-warfare suggest that it could require a lower threshold than the decision to fire a conventional “kinetic” weapon: Even a warning shot can ricochet and kill someone by accident, but – web-enabled pacemakers aside – attacks on computer networks historically have no lethal effects. Other aspects of cyberwar, however, suggest a higher threshold is required: You fire a bullet and it’s gone, but a computer virus can spread beyond its intended target to damage neutral parties, even the US, or the enemy can isolate the code that attacked them, analyze it, copy it, and throw it right back as a cyber-weapon of their own.
So the political and strategic ramifications of an ill-considered cyber-attack are hard to calculate, making the decision to launch one immensely tricky. “Should that be given to a battalion commander?” asked Brig. Gen. Burke Wilson of Air Force Space Command. “Should that be a POTUS [presidential] decision?” Legally, even the basic question of “what constitutes a ‘use of force’ in cyber” has not yet been “effectively answered,” said Cyber Command’s top lawyer, JAG officer Col. Gary Brown, at an earlier talk in March.
The military is thinking hard about these problems of organization and authority. “We’re kind of doing this with some urgency so we can align it” with the 2014 budget request due in February, said the Chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, during his own appearance at the Joint Warfighting Conference. (Click here for more on Dempsey’s remarks). But, the military’s top officer said frankly, they don’t have the answers yet: “That’s all ongoing.”
Traditional divisions of labor, whether geographic or functional, simply don’t map neatly onto the amorphous, global nature of cyber warfare. The respective roles of the four armed services, charged by law to “train, organize, and equip” all US forces, are unresolved, Dempsey said. It’s still an open question whether the US Cyber Command will remain a subordinate element – in military jargon, a “sub-unified command” – of Strategic Command, which also oversees space operations and long-range nuclear weapons, or become an independent “unified command” with global responsibilities. (Cartwright said he thought Cyber Command should stay where it is). Nor has Dempsey decided how exactly each of the geographically defined theater commands – Pacific Command, European Command, and so on – should incorporate cyber capabilities on a regional level, though he did say one model was how Special Operations forces have become increasingly closely integrated to conventional operations since 9/11.
“We need cyber to be wired into the whole force,” Dempsey said. “In the future, cyber will become both a standalone warfighting instrument with global reach and a ubiquitous enabler of the joint force.” In other words, cyber forces should be capable both of operating on their own, like strategic bombers on long-range missions deep into enemy airspace, or in close conjunction with other combat arms, like those same bombers providing close air support to ground troops in Afghanistan. Right now, however, the military is at a stage with cyber more comparable to the early, awkward days of aviation in the 1920s, when everyone knew this new technology could have awesome effects but no one was quite sure how.