Bombs are relatively simple, when you boil everything down. You drop them, and they explode.
Offensive cyberweapons are little more complicated. To use them effectively — as in the famous Stuxnet virus that crippled Iran's nuclear centrifuges — takes a lot of knowledge about the target's capabilities and your own. Sometimes, it's not even clear what a cyberweapon is.
To avoid confusion, the Pentagon has developed its own glossary of sorts. While terms like "destroy" or "disable" might be commonly understood in a civilian context, the precise demands of military operations require very specific definitions, particularly when it comes to cyberspace.
The resulting document — published in 2009 by the U.S. Strategic Command and recently obtained by the research group Public Intelligence — is a fascinating look into the military's ever-evolving cyber doctrine. In some cases, the military borrowed existing ideas from conventional warfare. In others, the authors had to develop entirely new ways to think about problems unique to doing battle covertly over information networks.
As an example, it'd be easy to describe all attacks conducted via cyberspace as using a cyberweapon. But that's not the case, according to the document. An officer could be typing in commands to disable an enemy system; that doesn't make him (or his commands) a cyberweapon.
"Not all cyber capabilities are weapons or potential weapons," the document reads. Cyberweapons require a weaponization process that builds in a whole set of standardized features like control systems, support personnel, security safeguards and so on.
The report's authors go so far as to outline potential kinds of attacks that could be performed in cyberspace, including:
Degrade throughput on all channels of a microwave communications tower at specified GPS address by 75% beginning at 0630 for 3 hours.
Disrupt Internet service at a named cybercafe from 2130 until 2145 for the next 3 days.
Destroy the 80 GB hard drive at IP address 126.96.36.199 tonight after 2300 but before 0430.
These examples offer some really interesting insights. Yes, they hint at what the military can possibly do in cyberspace. More importantly, it highlights some of the limitations of existing military terminology. Conventional weapons are typically described by virtue of the damage they cause — how big an explosion (e.g., "bomb yields") or what kind of target they're designed for (e.g., "bunker-busters"). But the report's authors argue that cyberspace should be treated differently, focusing not on "battle damage" but on "effects."
"All of the existing kill terms are based on the concept of damage," the write, "but damage is not often the best way to describe the objective effect of a non-kinetic mission."
Read the full report here.