Correction: In an early audio version of this story, Lt. Gen. Richard Mills was incorrectly identified as being an Army officer. Mills is a Marine officer.
With the Pentagon now officially recognizing cyberspace as a domain of warfare, U.S. military commanders are emphasizing their readiness to defend the nation against cyberthreats from abroad. What they do not say is that they are equally prepared to launch their own cyberattacks against U.S. adversaries.
The importance of plans for offensive cyberwar operations is obscured by the reluctance of the government to acknowledge them. When the Pentagon announced its "Strategy for Operating in Cyberspace" in July 2011, for example, it appeared the military was focused only on protecting its own computer networks, not on attacking anyone else's.
"The thrust of the strategy is defensive," declared William Lynn, the deputy secretary of defense at the time. Neither he nor other Pentagon officials had one word to say about possible offensive cyberattacks. The Pentagon would not favor the use of cyberspace "for hostile purposes," according to the strategy. "Establishing robust cyberdefenses no more militarizes cyberspace," Lynn said, "than having a navy militarizes the ocean."
Those assurances are deceptive. Behind the scenes, U.S. commanders are committing vast resources and large numbers of military personnel to planning offensive cyberattacks and, in at least some cases, actually carrying them out. But the secrecy surrounding offensive cyberwar planning means there has been almost no public discussion or debate over the legal, ethical and practical issues raised by waging war in cyberspace.
Offensive cyberattacks carried out by the United States could set precedents other countries would follow. The rules of engagement for cyberwar are not yet clearly defined. And the lack of regulation concerning the development of cyberweapons could lead to a proliferation of lethal attack tools — and even to the possibility that such weapons could fall into the hands of unfriendly states, criminal organizations and even terrorist groups.
In some cases, offensive cyberattacks are being conducted within the parameters of conventional military operations. In Afghanistan, soldiers and Marines depend heavily on video and data links when they go into combat. As part of the process of "prepping the battlefield," commanders may want to launch pre-emptive attacks on the adversary's cybercapabilities in order to make sure their data networks do not get interrupted.
Marine Lt. Gen. Richard Mills, in a rare acknowledgment that the military engages in offensive cyber operations, discussed just such a situation during a military conference in August 2012.
"I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact," Mills declared. "I was able to get inside his nets, infect his command and control, and in fact defend myself against his almost constant incursions to get inside my wire."
Another reference to the military's use of cyberattacks as part of a traditional combat operation came in 2009, during a presentation at the Brookings Institution by Air Force Gen. Norton Schwartz. Now retired, Schwartz at the time was serving as Air Force chief of staff. He told his audience that his airmen were prepared to carry out cyberattacks on another country's radar and missile installations before launching airstrikes against that country.
"Traditionally, we take down integrated air defenses via kinetic [physical] means," Schwartz said. "But if it were possible to interrupt radar systems or surface-to-air missile systems via cyber, that would be another very powerful tool in our tool kit." Schwartz hinted that the Air Force already had that capability, and in the nearly four years since he gave that speech, such a capability has certainly matured.
Cyberattacks, however, are also being used independently of traditional or kinetic operations, according to Jason Healey, a former Air Force officer who now directs the Cyber Statecraft Initiative at the Atlantic Council.
"It might happen that we will use them as an adjunct to kinetic," Healey says, "but it's quite clear that we're using [cyber] quite a bit more freely."
The best example of an offensive cyberattack independent of a kinetic operation would be Stuxnet, the cyberweapon secretly used to damage nuclear installations in Iran. A U.S. official has privately confirmed to NPR what the New York Times reported last summer — that the United States had a role in developing Stuxnet.
Because the operation has been shrouded in secrecy, however, there has been no public discussion about the pros and cons of using a cyberweapon in the way Stuxnet was used.
Among the top concerns is that other countries, seeing Stuxnet apparently used by the United States and Israel, might conclude that they would also be justified in carrying out a cyberattack. The British author Misha Glenny, writing in the Financial Times, argued that the deployment of Stuxnet may be seen "as a starting gun; countries around the world can now argue that it is legitimate to use malware pre-emptively against their enemies."
Another concern is that the malicious software code in Stuxnet, instructing computers to order Iranian centrifuges to spin out of control, could be modified and used against U.S. infrastructure assets.
"Now that technology is out there," cautions Michigan Rep. Mike Rogers, the Republican chairman of the House Permanent Select Committee on Intelligence. "People are taking a look at it. We are just a few lines of code away from someone else getting closer to a very sophisticated piece of malware that they either wittingly or unwittingly unleash across the world [and cause] huge, huge damage."
The absence of debate over the pros and cons of using cyberweapons is in sharp contrast to the discussion of nuclear weapons. The United States has adopted a "declaratory policy" regarding why it has nuclear weapons and when it would be justified to use them. There is nothing comparable for the cyberweapon arsenal.
Rep. Rogers says such gaps in military doctrine and strategy indicate that developments on the cyberwar front are getting ahead of U.S. thinking about cyberwar.
"The capabilities, I think, are keeping pace with technology," Rogers said in an interview with NPR. "It's the policy that I worry about. We have not fully rounded out what our [cyber] policies are."
The advantages of using cyberweapons are clear. They are more precise than bombs or missiles, and because they damage data rather than physical installations, they are far less likely to hurt innocent civilians. But they are new weapons, and critics say their use should be given careful consideration.
"If we are allowing ourselves to go on the offense without thinking about it, we're likely to militarize cyberspace," says the Atlantic Council's Jason Healey. "We will end up with a cyberspace where everyone is attacking everyone else. I don't believe we need to go on the offense just yet. The downside is higher than the government acknowledges."
White House officials are sensitive to the charge that they should promote more public debate surrounding cybercapabilities. "We understand that there is a view that more discussion is needed about how the United States operates in cyberspace," says National Security Council spokeswoman Caitlin Hayden. "That's why we've published numerous strategies, testified before Congress dozens of times, and [it is why] senior officials ... have given speeches and spoken at conferences and other public events."
Copyright NPR. View this article on npr.org.
STEVE INSKEEP, HOST:
The Pentagon's cyber command is about to get five times bigger. About 900 people currently track cyberwarfare. That's going up to around 5,000, even as other parts of the defense budget shrink. Now, we hear a lot about efforts at cyberdefense, defense against attack, but in the next three days, NPR's Tom Gjelten is going to talk with us about U.S. efforts to prepare for offensive operations in cyberwarfare. Hi, Tom.
TOM GJELTEN, BYLINE: Hi, Steve.
INSKEEP: Okay. We don't hear quite so much about the offensive side of this.
GJELTEN: That's right. The government is not exactly upfront about this. Let me just give you one example. In July 2011, the Pentagon announces its cyber strategy - it's all about defending the country from cyberattacks, not one word about attacking the other guy. William Lynn, who was deputy secretary of defense at the time, spoke for the Pentagon. I was actually there and I had an opportunity to ask Lynn where in the strategy is there anything about offensive attacks.
Here's what he said.
WILLIAM LYNN: The thrust of the strategy, as you correctly identified, is defensive. It is protecting the networks because those networks undergird all of our capabilities, offensive and defensive...
GJELTEN: Steve, we now know that was only part of the story. The military does not just protect computer networks here. U.S. cyber warriors attack enemy networks overseas. They go on the offense.
INSKEEP: What are some examples?
GJELTEN: Well, take Afghanistan, for example. Soldiers over there depend on computers for information sharing. You lose those computer links, you're in trouble. So when commanders set out to do an operation, a combat operation, they first have their cyber warriors preemptively go after the enemy computers. Here's Lieutenant General Richard Mills speaking at a military conference last August.
LIEUTENANT GENERAL RICHARD MILLS: I can tell you as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact. I was able to get inside his nets, infect his command and control, and in fact defend myself against his almost constant incursions to get inside my wire to affect my operations.
INSKEEP: Get inside the enemy's nets, he says, the networks.
GJELTEN: Infecting them. That is a cyber attack with cyber weapons. Here's another example, this one from back in 2009. The Air Force Chief of Staff at the time, General Norton Schwartz, speaking at the Brookings Institution said his airmen were prepared to carry out cyberattacks on another country's radar and missile installations before launching airstrikes against that country. Let's listen.
GENERAL NORTON SCHWARTZ: Traditionally, we take down integrated air defenses via kinetic means.
INSKEEP: Kinetic is physical. Bombing them.
SCHWARTZ: But if it were possible to interrupt radar systems or surface-to-air missile systems via cyber, that would be another very powerful tool...
INSKEEP: Wait, wait, wait. He said if it were possible. Is it possible to do this?
GJELTEN: Yes. They can do it now. Remember, General Schwartz here was speaking more than three years ago. Now, in that case, and in Afghanistan, you have offensive cyberattacks carried out as part of a traditional combat operation, what the military calls kinetic operation, bombs and bullets. But the military is also carrying out offensive cyber-attacks on their own merits.
I spoke with a former Air Force officer named Jason Healey about this. He now directs the Cyber Statecraft Initiative at the Atlantic Council and he keeps close track of what the U.S. military is doing with offensive cyber weapons.
JASON HEALEY: It might happen that we'll use them as an adjunct to kinetic, but it's quite clear that we're using it quite a bit more freely.
GJELTEN: The best example, Steve, would be Stuxnet, the cyber-weapon secretly used to damage nuclear installations in Iran. A U.S. official has privately confirmed to NPR what the New York Times reported last summer, that the United States had a role in developing Stuxnet. It was not used as part of any larger military operation against Iran. It was used on its own. But this is still officially a secret.
As long as it's secret, there's no public discussion about the pros and cons of using a cyberweapon in this way.
INSKEEP: Well, let's have some of that discussion right here. What are some of the downsides?
GJELTEN: Well, you have to consider that using an offensive cyber weapon sets a precedent that other countries might then follow. This was a preemptive cyberattack. I'm talking about Stuxnet. It did not come in response to a provocation. It was used to deal with a potential threat, the Iranian nuclear program. So now other countries might feel they'd be justified in carrying out a preemptive cyberattack. And here's another issue.
The Stuxnet worm instructed computers to damage industrial equipment. There's a fear now that someone else could modify or copy that code and turn it back against targets in the United States. This is the danger that Republican Congressman Mike Rogers focuses on. He's the chairman of the House Intelligence Committee.
REPRESENTATIVE MIKE ROGERS: Now that technology is out there, people are taking a look at it. We are just a few lines of code away from someone else getting close to a very sophisticated piece of malware that they either wittingly or unwittingly unleash across the world that causes huge, huge damage.
INSKEEP: Okay. That sounds scary, Tom Gjelten. Is the U.S. government, the administration, focused on the implications of the policies they're pursuing?
GJELTEN: It doesn't seem like it. We don't know what they're saying secretly or behind closed doors. Here's an analogy. The U.S. government for years has had what's called a declaratory policy regarding why it has nuclear weapons and when it would be justified to use them. There is nothing comparable for the use of cyber-weapons. So you have people like Congressman Rogers saying developments on this front are getting ahead of our thinking.
ROGERS: The capabilities, I think, are keeping pace with technology. It's the policy that I worry about. We have not fully rounded out what our policies are.
GJELTEN: Policies, like when is it justified to use a cyber-weapon for offensive purposes? What rules should apply? What are the risks? Jason Healy at the Atlantic Council says you start doing a lot of offensive operations without considering the consequences, you could create chaos in cyberspace.
HEALEY: We're more likely to end up with a cyberspace where everybody is attacking everybody else 'cause we haven't built up the norms of trust.
GJELTEN: Now, see, there are powerful arguments for using cyber-weapons. They're more precise than bombs, less likely to hurt innocent civilians, but these are new weapons and you would think the pros and cons of using them would be a subject for public debate.
INSKEEP: Okay. Why isn't the U.S. government eager to have that debate?
GJELTEN: Well, I've talked to some senior officials about this and they make a couple of points. One is they are edging closer to transparency here. Just as with drone warfare, they know there is pressure to be more open and they're gradually getting more open. Part of the problem is this area's so new, they're just not sure what to say, what authorities they have, who within the government has the authority to order cyber-attacks.
A legal review of these issues has been underway and they are making progress. The other thing they say is that cyber is different. Most of the activities in the cyber domain are civilian. So for example, this analogy with nuclear weapons may just not apply.
INSKEEP: Okay. So we're trying to pry open the door to a discussion here a little bit. NPR's Tom Gjelten will be with us the next few days. Where are you going to take us to tomorrow?
GJELTEN: Tomorrow we're going to be talking about actual cyber weapons. Do you know, Steve, there's actually a global market in cyber weapons, kind of a cyber arms bazaar. We're going to talk about that tomorrow.
INSKEEP: NPR's Tom Gjelten. Thanks.
GJELTEN: Thank you. Transcript provided by NPR, Copyright NPR.