The result, which builds on the 2011 defense strategy for cyberspace, puts the Pentagon’s two-year-old Cyber Command in charge of a new registry of weapons that would catalogue their capabilities and where they are stored. The military is also grappling with the establishment of rules for cyberwarfare.
The report on cyberweapons acquisition, sent to Congress in recent weeks but not made public, describes a new level of department-wide oversight with the establishment of a Cyber Investment Management Board, chaired by senior Pentagon officials. The board, which has already met once, was set up to prevent abuse of the fast-track process, since the cost of cyberweapons is often too low to trigger normal oversight processes. The board will also help ensure that military and intelligence cyber authorities are coordinated, officials said.
“We can’t sit around and wait for” the traditional weapons-building process, Frank Kendall, the Pentagon’s acting undersecretary of defense for acquisition, technology and logistics and co-chairman of the new board, said in a speech at the Center for Strategic and International Studies in February. “We’ve got to take it outside the conventional system for these major, long-term weapon systems entirely.”
The new framework sets up two systems for cyberweapons development: rapid and deliberate. The rapid process will take advantage of existing or nearly completed hardware and software developed by industry and government laboratories. This approach could take several months in some cases, or a few days in others.
The deliberate process is designed for weapons whose use carries greater risks. It would be for projects expected to take longer than nine months — still short compared with the years-long process to develop most Pentagon weapon systems.
Under the rapid plan, weapons can be financed through the use of operational funds, in “days to months,” and some steps that ordinarily would be required would be eliminated. These include some planning documents and test activities, according to the report.
The weapons may be designed for a single use or for some other limited deployment, and they would be used in offensive cyber operations or to protect individual computer systems against specific threats, said the report.
Herbert S. Lin, an expert on the subject at the National Research Council of the National Academy of Sciences, said the Pentagon has recognized that “cyberweapons are fundamentally different” than conventional weapons in some key ways. “That can only be good news.”
“You can make a general-purpose fighter plane and it will function more or less the same in the Pacific as in the Atlantic,” Lin said. “The same is not true for going after a Russian cyber-target versus a Chinese target.”
Designers of cyberweapons need to know a target’s operating system, what patches have been made, when security updates were made and what switches it is connected to, he said. Even sophisticated cyberweapons can be rendered obsolete in weeks or months.
The strategy also noted that Cyber Command, which is based at Fort Meade and falls under U.S. Strategic Command, will be in charge of ensuring that development of new weapons and tools is “undertaken only when required” and that “existing capabilities are broadly available.”