In a recent press conference reported by Politico, Air Force Chief of Staff Mark Welsh described the goal of next-generation military electronic operations as cyber weapons that could inflict “blunt force trauma” on the enemy. The Pentagon, it appears, wants potential aggressors to know the United States is ready to strike back hard in online conflicts.
“How do you make an enemy air defense system go completely blank in the first minute of the conflict? How do you make a [surface to air missile] radar show a thousand false targets that all look real so you don’t know where the real package is in the middle of that?” said Welsh. “How do you keep enemy surface to surface missiles from ever launching — or [fly] halfway to their target and then turn around and go home?”
The damage to both military and civilian networks from a full-blown clash between, say, the U.S. and China would be incredible, with everything from financial networks to power grids going down.
Analyses of American electronic espionage plans always proceed as if the First Cyber War is a hypothetical future event, but in truth, it’s happening right now. It’s a “cold war” fought largely with deniable intermediaries, but the original Cold War against the Soviet Union felt pretty hot to its casualties, and there are plenty of government and corporate IT people on the front lines of the First Cyber War who would likewise say they are feeling the heat. Shots have been fired, networks have been compromised, and significant economic damage has been done. Sony Pictures can testify to the latter, now that Wikileaks has ripped open their barely-healed hacking wounds.
It’s likely that U.S. forces already have some of these capabilities. The point of discussing them in a press conference is to let potential enemies know we’re thinking this way. It also marks a rhetorical shift from the entirely defensive nature of American cyber-war doctrine. Until now, America’s posture on the electronic battlefield has generally been described as a defensive effort against essentially illegitimate — and even criminal — hacker attacks.
In fact, Welsh explicitly described the U.S. Cyber Command’s forces as special-operations troops who should be drilling on digital “firing ranges” and training against opposing-force units. The Politico piece captures a bit of the debate between those who believe the American cyber-war effort currently lacks offensive punch, and those who say it has more offensive capabilities than it wants to discuss in public. Now we have the Defense Department talking about training up a “Cyber Mission Force” with over six thousand military and civilian members, trained not only for defensive efforts but “full-spectrum operations.”
This is very similar to the way China trains its militarized hacker units, whose menacing existence they prefer to reveal through leaked documents and headline-grabbing but plausibly-deniable exploits.
The effectiveness of military cyber-weapons deployed in open conflict remains largely theoretical. While there have been a few successful tactical deployments of cyber weapons in coordination with real-world military operations, no full-fledged cyber war has occurred. Not even the rules of engagement for American and allied forces in a hot cyber war are clear – would America go after civilian infrastructure, the way potential adversaries would, or would there be reciprocal escalation – the enemy hits one of America’s power grids, so America does the same to them? Whether having the luxury of contemplating such strategies remains to be seen in a war where major cyber strikes could be carried out in a matter of minutes.
Last month, Senate Armed Services Committee chair John McCain said he had received a briefing from military cyber war experts on Russian and Chinese threats that was “as disturbing as any briefing I have ever had.” McCain said it was the level of threat that could not be deterred with entirely defensive capabilities. It would appear this is becoming a consensus position across the defense and intelligence communities. Retaliatory capability will henceforth be an explicitly acknowledged component of America’s cyber war strategy. At some point in the near future, one of our adversaries will probably challenge us to prove it’s more than just tough talk.