The Pentagon has developed a list of cyber-weapons and -tools, including viruses that can sabotage an adversary’s critical networks, to streamline how the United States engages in computer warfare.
The classified list of capabilities has been in use for several months and has been approved by other agencies, including the CIA, said military officials who spoke on the condition of anonymity to describe a sensitive program. The list forms part of the Pentagon’s set of approved weapons or “fires” that can be employed against an enemy.
“So whether it’s a tank, an M-16 or a computer virus, it’s going to follow the same rules so that we can understand how to employ it, when you can use it, when you can’t, what you can and can’t use,” a senior military official said.
The integration of cyber-technologies into a formal structure of approved capabilities is perhaps the most significant operational development in military cyber-doctrine in years, the senior military official said.
The framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later. The military does not need such approval, however, to penetrate foreign networks for a variety of other activities. These include studying the cyber-capabilities of adversaries or examining how power plants or other networks operate. Military cyber-warriors can also, without presidential authorization, leave beacons to mark spots for later targeting by viruses, the official said.
One example of a cyber-weapon is the Stuxnet worm that disrupted operations at an Iranian nuclear facility last year. U.S. officials have not acknowledged creating the computer worm, but many experts say they believe they had a role.
Under the new framework, the use of a weapon such as Stuxnet could occur only if the president granted approval, even if it were used during a state of hostilities, military officials said. The use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties.
The new framework comes as the Pentagon prepares to release a cyber-strategy that focuses largely on defense, the official said. It does not make a declaratory statement about what constitutes an act of war or use of force in cyberspace. Instead, it seeks to clarify, among other things, that the United States need not respond to a cyber-attack in kind but may use traditional force instead as long as it is proportional.
Nonetheless, another U.S. official acknowledged that “the United States is actively developing and implementing” cyber-capabilities “to deter or deny a potential adversary the ability to use its computer systems” to attack the United States.
In general, under the framework, the use of any cyber-weapon outside an area of hostility or when the United States is not at war is called “direct action” and requires presidential approval, the senior military official said. But in a war zone, where quick capabilities are needed, sometimes presidential approval can be granted in advance so that the commander has permission to select from a set of tools on demand, the officials said.
The framework breaks use of weapons into three tiers: global, regional and area of hostility. The threshold for action is highest in the global arena, where the collateral effects are the least predictable.
It was drafted in part out of concerns that deciding when to fire in cyberspace can be more complicated than it is on traditional battlefields. Conditions constantly shift in cyberspace, and the targets can include computer servers in different countries, including friendly ones.
Last year, for instance, U.S. intelligence officials learned of plans by an al-Qaeda affiliate to publish an online jihadist magazine in English called Inspire, according to numerous current and senior U.S. officials. And to some of those skilled in the emerging new world of cyber-warfare, Inspire seemed a natural target.
The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander, argued that blocking the magazine was a legitimate counterterrorism target and would help protect U.S. troops overseas. But the CIA pushed back, arguing that it would expose sources and methods and disrupt an important source of intelligence. The proposal also rekindled a long-standing interagency struggle over whether disrupting a terrorist Web site overseas was a traditional military activity or a covert activity — and hence the prerogative of the CIA.
The CIA won out, and the proposal was rejected. But as the debate was underway within the U.S. government, British government cyber-warriors were moving forward with a plan.
When Inspire launched on June 30, the magazine’s cover may have promised an “exclusive interview” with Sheik Abu Basir al-Wahishi, a former aide to Osama bin Laden, and instructions on how to “Make a Bomb in the Kitchen of Your Mom.” But pages 4 through 67 of the otherwise slick magazine, including the bomb-making instructions, were garbled as a result of the British cyber-attack.
It took almost two weeks for al-Qaeda in the Arabian Peninsula to post a corrected version, said Evan Kohlmann, senior partner at Flashpoint Global Partners, which tracks jihadi Web sites.
The episode reflected how offensive cyber-operations are marked by persistent disagreement over who should take action and under what conditions. The new list of approved cyber-weapons will not settle those disputes but should make the debate easier to conduct, the senior military official said.
Some lawmakers also are proposing statutory language that would affirm that the defense secretary has the authority “to carry out a clandestine operation in cyberspace” under certain conditions. The operation must be in support of a military operation pursuant to Congress’s 2001 authorization to the president to use all necessary and appropriate force against those who committed the Sept. 11, 2001, terrorist attacks.
House Armed Services Committee Vice Chairman Mac Thornberry (R-Tex.), who drafted the language as part of the House-adopted 2012 defense authorization bill, said he was motivated by hearing from commanders in Iraq and Afghanistan frustrated by an inability to protect their forces against attacks they thought were enabled by adversaries spreading information online.
“I have had colonels come back to me and talk about how they thought they could do a better job of protecting their troops if they could deal with a particular Web site,” he said. “Yet because it was cyber, it was all new unexplored territory that got into lots of lawyers from lots of agencies being involved.”
Thornberry’s provision would establish that computer attacks to deny terrorists the use of the Internet to communicate and plan attacks from throughout the world are a “clandestine” and “traditional military” activity, according to text accompanying the proposed statute.
But the White House issued a policy statement last week that it had concerns with the cyber-provision. It declined to elaborate.
Thornberry said some Pentagon lawyers thought the proposed statutory language could go further. “But my view on cyber is we need to take it a step at a time,” he said.