The Pentagon’s cyber warfare effort has recently evolved regarding the type of weapons being developed and the processes used to acquire them, in reaction to recent challenges in the Middle East. While these developments will improve the utility of cyber weapons as a component of America’s arsenal, they are still unlikely to become a dominating strategic consideration for some time.
As a consequence of the country's troubles in the Middle East, the Pentagon is altering the type of cyberweapons under development. Efforts to use such weapons to handle Iranian and Syrian military forces have also been confounded by the fact that their militaries’ command and control systems aren’t integrated through the internet, insulating their networks from online attack. While it’s always possible to attack such networks physically, by inserting thumb drives and other hardware to infect them ( as was done to Iran’s nuclear development program with the Stuxnet virus through imported Siemens controllers) that method is difficult and unreliable. As a result, the Pentagon is accelerating development of equipment that uses radio signals to insert computer code into offline hardware, which would revolutionize our offensive capabilities across the full digital spectrum.
The Pentagon has also been plagued by the slow deployment time of cyber weapons, rendering them useless in the face of swiftly evolving conflicts. Going into Libya, planners thought about using a cyberweapon to weaken air defenses and facilitate the establishment of a no-fly zone, but were thwarted when they discovered it would take a year to build one capable of exploiting weaknesses in Libya’s network. As Benghazi would never last that long, they were forced to rely on conventional means.
Consequently, the Pentagon has quietly laid the foundation for the rapid acquisition of the next generation of offensive cyberweapons in a 16 page report to Congress that has yet to be made public. The report states that the Pentagon would create a two-tier development process for cyber weapons: “rapid” and “deliberate.” The rapid development process would use operational funds, existing hardware and software, and a simplified procurement and testing process to create simple cyberweapons over the course of days to nine months. The deliberate development process would be used for experimental, long-term projects or ones that carried greater risks for collateral damage to civilian systems and would proceed through the normal acquisition/testing process. All weapons would be developed only as required and would be designed for single-use or limited-term deployment. The process as a whole would be managed by U.S. Cyber Command, which is responsible for developing, cataloging and storing these weapons, as well as the Cyber Investment Management Board, a panel of senior Pentagon leaders charged with preventing abuse of the fast-track acquisition process.
Combined with the Pentagon’s growing focus on cyber security, which saw the release a cyber security defense strategy in 2011 and the concentration of resources on cyber security ($3.4 billion in total, including $654 million for Defense Advanced Research Projects Agency (DARPA) and U.S. Cyber Command to build and manage new weapons), it is obvious that cyber warfare is becoming a rapidly maturing military discipline. The U.S. will increasingly be able to quickly target a vast array of devices, online and off, as needed. However, the very nature of computer networks will limit the utility of cyber warfare.
Given how viruses spread and change from computer to computer and across networks over time, the threat of collateral damage to civilian systems will never fully disappear. While hospital power supplies are a frequently used example, a more concrete example worried policymakers in 2003 before the invasion of Iraq. The Pentagon and our intelligence agencies planned to freeze Saddam Hussein’s bank accounts to limit his ability to pay his soldiers and ease the invasion of Iraq, but called off the attack due to concerns that the virus might spread and wreck havoc on financial systems around the world. Until such problems are resolved, the type of attacks and the extent that cyber weapons can be usedwill remain limited.
Of course, viruses can be altered so that they only trigger when certain conditions are met, and in a sense, the scope of individual cyber weapons are inherently circumscribed. As Herbert S. Lin, a cyber security expert at the National Academy of Sciences notes, “You can make a general-purpose fighter plane and it will function more or less the same in the Pacific as in the Atlantic. The same is not true for going after a Russian cyber-target versus a Chinese target.” However, this means that any attack is dependent upon very specific computer configurations that are hard to map, irregularly deployed, and frequently change. Should any facility, ship, plane, etc. utilize different operating systems (or multiple versions of the same one), different security patches, or unique hardware configurations, then the effectiveness of even the best cyberweapons will shrink. The bewilderment one feels contemplating the size of the bureaucracy needed to investigate, document, and target computer systems around the world is only matched by the speed with which this work and the information derived from it is rendered obsolete.
The Pentagon’s latest efforts are a step in the right direction towards improving America’s ability to develop and deploy cyber weapons against diverse targets for strategic and tactical advantage in short-term combat situations. Unfortunately, they are not a game changer. Cyber weapons implicitly make a tradeoff in the scale and nature of each attack, and the costs associated with these factors limit their effectiveness as an offensive weapon. Cyber security must be pursued for defensive purposes to prevent incursions into our own networks, but conventional forces are still required to truly take the fight to the enemy.