When it comes to cyber, the defensive side gets the most attention. But a new report out Monday explores the “poorly understood but possibly revolutionary” offensive side of cyber, suggesting a more delineated path forward for the Defense Department .
Opinions — both legal and normative — vary on when, how or even if the U.S. can use such offensive cyber-methods. Regardless, the Center for Strategic and International Studies report points out the U.S. has already approved offensive cyber-capabilities, “though under tight restrictions.” But as the study highlights, there is no set plan across DOD to experiment and create guidelines for offensive cyber-weapons, which have the potential to “scale dramatically” and save the military considerable money in a fiscally tight era.
“A single algorithm could disable a whole class of adversary systems, for example,” writes report author Maren Leed, a senior adviser at CSIS and former senior adviser to the Army chief of staff. “They can operate at the speed of light, providing a timeliness that is increasingly necessary but difficult to achieve with shrinking inventories of far-flung traditional platforms.”
Cyber-weapons are versatile, beneficial in warfare and reconstruction. But the military has yet to define exactly what legal guidelines apply to cyber-weapons and the offensive cyber-capabilities are not yet fully developed. So while the potential exists, even offensive cyber-proponents are “trapped by circular logic,” according to the report. Without the capabilities, considering possible future uses seems rash, which makes it easier to avoid the conversation about exactly when these cyber-tools might be used. Nothing happens.
“This paper recommends steps to break this cycle by establishing a more explicit plan for robust experimentation,” the report reads.
First, Defense Secretary Chuck Hagel should be clear that offensive cyber-capabilities that support operational and tactical commanders are consistent with current law and policy. Second, Hagel should create a department-wide plan to “experiment and exercise” offensive cyber tools.
But for now these experiments should stay high level, with only U.S. Cyber Command commanders having the authority to conduct offensive cyber-attacks. As Joint Chiefs of Staff Chairman Martin Dempsey has acknowledged, it’s still unclear what each service’s role is in cyber-warfare, making it difficult to decide what offensive cyber-capabilities to give to service-specific commanders.
For all the legal and policy uncertainty around offensive cyber-tools, the study found a “general consensus” among legal and policy experts that service-specific commanders could eventually receive this responsibility.
Opinions on the technical details remain divided, however.
“Lack of consensus in areas such as technical feasibility, intelligence equities and capacity and resource requirements suggest that additional experimentation and application is needed, in controlled settings, to enable an informed decision on greater decentralization of attack authorities,” the report concludes.