Cyber Command struggles to define its place on a shifting battlefield

Collateral damage and a dearth of cyberwarriors are among the Pentagon’s biggest hurdles.

The U.S. Cyber Command, which directs network offensive operations for the Pentagon and protects its networks, is becoming more open about the military’s capabilities in cyberspace. Recently, the Defense Department was forced to show part of its hand when leaks surfaced about U.S.-manufactured cyber weapons and cyber espionage missions. Still, since 2011, the department has told the world it stands prepared to protect U.S. national security interests through cyberspace maneuvers. 

With intrusions becoming ever more frequent and public—Defense and the Office of the Director of National Intelligence have called Chinese hackers a continuing and concerning threat—the military is focusing its constrained budgets on cyber. The Pentagon in January announced a spending strategy that switches priorities from ground wars in the Middle East to the Asia-Pacific maritime region and cyber operations. 

But a cyber fighter shortage and the U.S. force’s dedication to civil liberties may be dragging down the agenda. 

Cyberspace demands a new breed of warrior whose skills are scarce even by private sector standards. Troop size aside, cyber weapons could backfire on U.S. civilians, because of the amorphous nature of the cyber domain. And the very idea of an Internet corps scares the people Cyber Command aims to protect: Americans who value free speech and free markets. 

The Pentagon is cognizant of the staffing, privacy and security challenges of mobilizing in cyberspace, current and former military officials say. Defense knows the competition for able cyber professionals presents a hurdle, but the command stands ready to vie for them using special incentives. The extras that Gen. Keith Alexander, head of Cyber Command, has mentioned include bonuses like the ones pilots and nuclear officers receive, as well as opportunities for education and advanced degrees.

Operations online likely will require a combination of physical and mental acuity if the recent Stuxnet campaign is any indication. The U.S.-Israeli-engineered computer virus that reportedly seized Iranian nuclear centrifuges was inserted manually through a jump drive, rather than propagated over the Internet from a safe distance. The Pentagon plans for cyber specialists from the Air Force, Army, Marines and Navy to coordinate with Cyber Command headquarters in Maryland on executing operations abroad, according to Alexander. 

“One of the challenges is finding and holding the people we need to do this mission. We have to recruit, train and retain a cyber cadre that will give us the ability to operate effectively in cyberspace for the long term,” Cyber Command spokesman Col. Rivers J. Johnson Jr. says. “Gen. Alexander has indicated that it is going to take time for us to generate the force,” Johnson says, adding the Cyber Command chief is optimistic he eventually will get the specialized force desired.

Once troops are in place, activating them may require patience, due to the risk of accidentally unleashing viruses into the wild. The Flame worm, a suspected U.S. government invention, has long been harvesting information from computers in Middle Eastern countries using a compromised Microsoft product. Microsoft had to block three of its own digital certificates to stop less well-intentioned programmers from exploiting the weakness. Stuxnet, which undermined a computer system that operated nuclear plant equipment, could theoretically ram other Iranian infrastructure, such as civilian water utilities, for instance.

Another complication with an armament such as Flame is the potential for eavesdropping on communications between innocents. Kaspersky Labs, the security firm that discovered the cyber spy tool, describes the bug as “the largest cyber weapon to date,” referring to its 20 megabytes. The worm can scoop up massive amounts of valuable information such as screen shots of online chats, audio recordings from internal microphones and storage files. Many American privacy activists and foreigners are nervous about proposed legislation that would let U.S. intelligence and military communities scan citizens’ correspondence for signs of illicit activities and viruses embedded by nation state actors. 

Both big business and human rights activists—not always best friends—are largely on the same side about any government regulations that demand sensitive information in return for greater computer protections. As much as civil libertarians would like the United States to facilitate the free flow of information in oppressive regimes, they aren’t so eager if it means monitoring all digital messages to find the bad guys.  

Yet, on the whole, some former government hackers say they’ve been surprised to see the Obama administration taking considerable care to minimize such civil liberties and cybersecurity risks. Recently uncovered attacks have involved “techniques that could have been used against us just as effectively,” says Dave Aitel, chief executive officer of cybersecurity firm Immunity Inc. and a former National Security Agency computer scientist. He was referring to the chance of a cyber backlash if adversaries figured out how to apply the same tactics against U.S. citizens. 

The order to implant the Stuxnet virus reportedly was made after thorough deliberation by the highest power in U.S. government—and not a Pentagon official. Defense’s strategy for operating in cyberspace states the commander in chief has the ultimate say-so to engage in confrontations. “Obama has to say yes or no,” Aitel says. “It’s not completely like ‘Go crazy, Cyber Command.’ ”

Pentagon officials have said they strongly respect Americans’ rights during operations. Defense spokeswoman Lt. Col. April Cunningham says, “DoD is committed to protecting the individual privacy of communications on the Internet and the civil liberties of the American people.”

Retired Gen. John P. Casciano, a former Air Force director of intelligence, surveillance and reconnaissance, says the U.S. government will never have 100 percent assurance that a cyber offensive will work as planned. Americans, however, have more to fear from adversaries and cyber crooks than from feds. “I’m not terribly concerned about the U.S. government spying on us,” says Casciano, now a private consultant. 

Some former Defense officials say cyber weapons are subject to the 1978 Foreign Intelligence Surveillance Act, which regulates the monitoring of U.S. international communications during counter-espionage activities. “All new cyber weapons must adhere to all the U.S. federal laws,” says retired Air Force Lt. Gen. Harry Raduege Jr. Or, more specifically, “it’s U.S. people who employ cyber weapons who are subject to FISA. It’s really the people.” Raduege is now chairman of the Deloitte Center for Cyber Innovation. 

Casciano says he trusts the current legal framework will protect Americans in cyberspace.

Many civil liberties activists have argued otherwise, based on their long-standing criticism of FISA for sweeping up Americans’ calls, emails and text messages. Flame so far has spread in a controlled manner among certain nation-state groups and academic institutions and has not self-replicated, according to Kaspersky researchers.

Jeffrey Carr, a cybersecurity consultant and author of Inside Cyber Warfare (O’Reilly Media, 2009), makes a distinction between cyber weapons intended to destroy systems such as Stuxnet, and cyber espionage tools such as Flame that compromise systems. With cyber weapons, collateral damage could harm civilians who use a targeted network, he says. “How do we know which networks should be targeted and which ones should be off limits?” he says. “I would think that [U.S. officials] would be concerned about their rules of engagement.” 

Cunningham notes the Pentagon does not discuss operational matters as a manner of long-standing policy and will not comment specifically on the development of cyber offensive tools. But she says, “DoD will organize, man, train and equip for operating effectively in cyberspace. DoD is in the process of developing the organizations, processes and procedures to ensure that the [combatant commands] have the appropriate cyber force structure and capabilities to operate effectively in their theaters.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.