The Army is seeking the assistance of cyberattack tool sellers, joining a growing number of Pentagon entities aiming to amass advanced cyber capabilities.
A new market survey aimed at identifying suppliers is the third Defense Department document issued over the past month that points out a need to be able to execute "cyber effects.”
A cyber effect typically refers to a hack, disruption or other impact to an adversary's network, according to security experts.
The Army's request for information, which was released Thursday afternoon, expresses interest in “existing technical capabilities to deliver cyber effects with robust and mature capabilities” that can target "telecommunications, networking, components, and protocols."
Defense and intelligence community contractors have until June 15 to submit white papers containing suggestions.
The four-page solicitation for “potential sources for the procurement of cyber capabilities” does not provide any other details about the capabilities sought. Most of the space is consumed by questions about the prospective contractor’s demographic information.
Army officials did not immediately clarify what the branch is looking for.
A basic example of a "cyber effect" would be “malicious software gets on your computer and the effect is the screen goes black,” said James Lewis, a cybersecurity analyst at the Center for Strategic and International Studies.
Last week, the Navy also announced preparations to incorporate hacking tools into its munitions store.
“The Navy as a whole must understand and embrace cyber and space effects as an integral component of our arsenal," states a five-year Navy Fleet Cyber Command strategic plan issued May 6. One of five focus areas for the Navy will be to help "commanders put cyber effects on the table while they craft operational plans."
The Pentagon, writ large, wants to speed up the provision of cyberattack technologies to geographic combatant commands. In April, Defense Secretary Ash Carter unveiled a departmentwide cyber strategy that, among many other things, discusses accelerating plans for "cyberspace effects in support of operational plans and contingency operations," as well as defining "specific cyberspace effects against targets."
Previewing the Navy’s agenda April 7, a senior official said the service is building the capacity to unleash cyberattacks from points across the globe.
“Those kinds of capabilities are leveraged from all parts of the world, predominantly ashore installations, in some cases afloat,” said Kevin Cooley, executive director and command information officer of the Fleet Cyber Command.
In popular culture, cyber capabilities that produce effects on enemies are called “cyberweapons.”
But what effects do cyberweapons actually create? That's a question bugging the military's legal advisers.
The term “cyberweapon” has been interpreted to mean anything from spyware, to malicious code for destroying nuclear power plants. Former Pentagon attorneys say militaries worldwide need clarity on the word so they don’t break international laws.
"Because both procurement and use of a 'weapon' are dependent on its first being subject to legal review, it is crucial that the proper definition for cyberweaponry be chosen," retired Col. Gary Brown, former legal adviser at U.S. Cyber Command, and Lt. Col. Andrew O. Metcalf, former legal adviser to U.S. Marine Corps Forces Cyberspace Command, write in a 2014 Journal of National Security Law and Policy article.
They note "the wrong definition could lead to a failure to comply with international legal standards, if it is too narrow," while an "overly broad definition could encompass espionage tools.”
Often, the only difference between operations to collect intelligence and operations to deliver “cyber effects is the intent – intelligence activities are done with the intent of collecting intelligence, while other military activities are done in support of operational planning or execution,” Brown and Metcalf say.
It's not even clear if Stuxnet, one of the most destructive known viruses, is a cyberweapon. Legal weapons don't self-replicate, Brown and Metcalf say. Allegedly a U.S.-Israeli invention, Stuxnet sabotaged Iranian nuclear centrifuges but also accidentally spread to systems in the United States, according to Symantec. That’s an effect the Pentagon, one would hope, is not looking for.