March 11, 2013

A RECENT report by a task force of the Defense Science Board on cyber-conflict makes clear that all is not well in preparing for this new domain of warfare.

The U.S. military often uses “red” teams to challenge established “blue” teams in exercises. According to the report, small red teams, with only a short amount of time and using tools downloaded from the Internet, have been able to “significantly” disrupt blue team military operations. The task force said, “If this level of damage can be done by a few smart people, in a few days, using tools available to everyone, imagine what a determined, sophisticated adversary with large amounts of people, time, and money could do.” In another part of the report, the task force hints that U.S. nuclear weapons, hardened to survive an atomic blast in the Cold War, may not be ready to survive a cyber-onslaught. While the task force didn’t say what the vulnerability might be, they called for “immediate action” to make sure the nuclear weapons would survive.

What would cyberwar be like? Potentially, “hundreds” of simultaneous, synchronized offensive and defensive cyber operations would be needed, and yet the task force found the U.S. military is not ready. The task force said it “could find no evidence of modeling or experimentation being undertaken to better understand the large-scale cyber war.” In a recommendation that underscores the larger direction of U.S. policy, the task force declared, “time is of the essence in developing a broader offensive cyber capability.”

A major offensive cyber capability now seems essential in a world awash in cyber-espionage, theft and disruption. Cyberwar may be over the next horizon. But the task force offered an important caution: In the past, on nuclear weapons, counterterrorism, counterinsurgency and all manner of conventional military missions, we’ve had decades of policy debate. “In contrast,” they said, “relatively little has been documented or extensively debated concerning offensive cyber operations.”

This is a worrisome facet of how the United States is entering the age of cyberconflict. President Obama has signed off on a new doctrine, but it remains classified. There’s a new national intelligence estimate of cyber-espionage and its economic costs, but it remains under wraps. Until now, most of the offensive cyber program has been hidden entirely under the cloak of intelligence. That secrecy is necessary for specific operations, but the public needs an informed, robust debate about policy in this expanding realm.

Will there be public sacrifices or costs — say, a regional electric-grid blackout or a stock-exchange crash? Who decides whether to launch an offensive cyberattack? Under what conditions? These are the types of questions that the administration and Congress ought to be talking about with the American people. We ought not wait until a disaster has arrived to address the policy implications of cyberwar.