There was a time, not all that long ago, when the U.S. military wouldn’t even whisper about its plans to hack into opponents’ networks. Now America’s armed forces can’t stop talking about it.
The latest example comes from the U.S. Air Force, which last week announced its interest in methods “to destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” But that’s only one item in a long list of “Cyberspace Warfare Operations Capabilities” that the Air Force would like to possess. The service, in its request for proposals, also asked for the “ability to control cyberspace effects at specified times and places,” as well as the “denial of service on cyberspace resources, current/future operating systems, and network devices.”
The Air Force says it will spend $10 million on the effort, mostly for short programs of three to 12 months; the service wants its Trojans and worms available, ASAP. And they should be available to both the top brass and to the “operational commander,” too. In other words, cyber strikes shouldn’t just be the prerogative of the president, to be launched at only the most strategically important moments. Malware should be a standard component of a local general’s toolkit.
These digital weapons could even be deployed before a battle begins. The Air Force notes that it would like to deploy “technologies/capabilities” that leave “the adversary entering conflicts in a degraded state.”
Such an open discussion — even one so vague — might seem like a bit of a surprise, considering the Obama administration is actively investigating leaks to the press about America’s online espionage campaign against Iran. The Senate Intelligence Committee considered the disclosure so dangerous, it passed a controversial bill last month that creates new punishments for leakers of classified information.
But this isn’t 2007, when the Pentagon was still insisting that it had a “defensive mindset” in cyberspace. New pieces of military-grade malware — apparently linked to the broader U.S. cyberspying push — are being discovered constantly on Middle Eastern networks. Besides, the Air Force is hardly alone in talking about its desire for — and use of — network attacks. They are becoming a regular part of the military conversation — so normal, in fact, that generals are even beginning to talk about their troops’ wartime hacking.
Lt. Gen. Richard Mills, who led coalition forces in southwestern Afghanistan in 2010 and 2011, bragged at a technology conference last week that his troops had broken into militants’ communications. “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,” Mills said. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”
Mills added that the Marines had recently put together a company of Marines, stationed at the headquarters of the National Security Agency, to give the Corps “an offensive capability.” A second company “will be designed to increase the availability of intelligence analysts, intelligence collectors and offensive cyber operations and place them in the appropriate unit, at the appropriate time, at the appropriate place, so that forward deployed commander in the heat of combat has full access to the cyber domain.”
The day before Mills’ talk, the Pentagon’s leading research division announced a new, $110 million program to help warplanners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations. The effort, dubbed “Plan X” by the Defense Advanced Research Projects Agency, isn’t supposed to formally get underway until Sept. 20. But Darpa has already awarded a no-bid, $600,000 contract to the Washington-area cybersecurity firm Invincea to start work on “Plan X.”
Invincea wasn’t immediately able to comment on the “Digital Battlefield Understanding Study and proof-of-concept demonstration” that it intends to produce for Darpa. But a military document justifying Invincea’s sole-source contract notes that the company submitted an “unsolicited proposal” for the project on June 26. Less than a month later, it was approved. “Invincea is the only source who possesses the particular commercial software and knowledge necessary to rapidly address technical insights in modeling a cyber battlespace and optimizing digital battle plans,” the document notes.
Invincea isn’t the only military contractor working on the tools of cyber war, however. These days, the build-up of America’s online arsenal has become the subject of all sorts of open talk and deal-making.