A WORKSHOP ON cyberwar, sponsored by the Defense Advanced Research Projects Agency (DARPA), is scheduled this month in Arlington to discuss “Plan X,” which the agency says is designed “to create revolutionary technologies for understanding, planning, and managing cyberwar” and to study “fundamental strategies and tactics needed to dominate the cyber battlespace.” People from industry and academia have been invited; the general public, news media and foreigners have not.
DARPA is the Pentagon’s often-experimental hothouse for technology development. Not everything imagined there is realized. Nor is DARPA the main U.S. military agency for cyberconflict — that would be U.S. Cyber Command. But the workshop agenda offers a tantalizing glimpse of the future of offensive cyberwarfare, a field that has been kept largely in the shadows. DARPA says it is seeking innovative research in such things as “understanding the cyber battlespace,” “battle damage monitoring,” and “visualizing and interacting with large-scale cyber battlespaces.”
The Pentagon says cyberspace is an operational domain on par with land, sea, air and outer space, and there is little doubt that a global cyberarms race is getting underway. The United States is already well engaged in this race, as evidenced by reports of the computer worm Stuxnet, used to attack Iran’s nuclear enrichment equipment. But so far these efforts have largely been kept secret and conducted as intelligence operations.
DARPA’s workshop points again to the need for more transparency. The United States still has no open, overarching doctrine to govern a cyberweapons program. A good place to start would be a declaratory policy that would lay out when and under what circumstances offensive weapons such as Stuxnet might be used. After that, an open discussion is needed about rules of engagement for this complex new field, along with additional study of such issues as how and whether the military should protect non-military assets in government and the private sector.
Cyberconflict is already at our doorstep. Recently, six U.S. banks were hit with a rather crude attack that blocked many customers from online access to their accounts. The assault underscores the urgent need for stronger action to improve defenses. Congress failed to act this year on legislation that would have deepened cooperation between the private sector and government, which possesses valuable tools for cybersecurity.
Sen. Joseph I. Lieberman (I-Conn.), a sponsor of the legislation, will try again in Congress’s lame-duck session. But in a letter sent last week, Mr. Lieberman urged President Obama to sign an executive order that would put in place some of the information-sharing and other provisions in the legislation. Such a move is being considered by the White House. While an executive order cannot be as effective as legislation, we nevertheless agree with the senator that such a start would be better than taking no action at all.