Pentagon's Plan X: how it could change cyberwarfare
The Pentagon has always been secretive about its desire and ability to carry out offensive cyberwarfare. Now, Plan X makes it clear that offensive cyberattacks will be in the Pentagon playbook.
The same Pentagon futurologists who helped create the Internet are about to begin a new era of cyberwarfare.
For years, the Pentagon has been open and adamant about the nation's need to defend itself against cyberattack, but its ability and desire to attack enemies with cyberweapons has been cloaked in mystery.
Next week, however, the Pentagon's Defense Advance Research Products Agency (DARPA) will launch Plan X ‚Äď an effort to improve the offensive cyberwarfare capabilities ‚Äúneeded to dominate the cyber battlespace,‚ÄĚ according to an announcement for the workshop.
Though the program will be closed to the press, the relatively public message is a first for the Pentagon. For one, it shows that the Pentagon is now essentially treating its preparations for cyberwar the same way it treats its preparations for any potential conventional war. Just as it takes bids from aerospace companies to develop new jet fighters or helicopters, Plan X will look at bids from groups that can help it plan for cyberwarfare and expand technologies.
Moreover, it opens a window into the highly secretive world of offensive cyberwarfare. No longer is it unclear whether the US is in the business of planning Stuxnet-style cyberattacks. Plan X indicates that such capabilities ‚Äď which experts say could range from taking out electrical grids to scrambling computer networks in top-secret facilities to causing the pacemaker implanted in an enemy official to go haywire ‚Äď will be an explicit part of the military playbook.
‚ÄúIf we can have a robust public discussion of nuclear weapons why not a robust discussion of cyberstrategy?‚ÄĚ says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic and International Studies in Washington. ‚ÄúUp until now, cyber has been kind of ad hoc. What they‚Äôre doing now is saying that this is going to be a normal part of US military operations.‚ÄĚ
The US is already engaged in offensive cyberwar. Media reports claim that the US helped develop and deploy the Stuxnet digital worm, which inflicted serious harm on Iran‚Äôs uranium enrichment program.
In his most wide-ranging speech to date on cyber warfare Thursday, Defense Secretary Leon Panetta hinted at the need for increased offensive capabilities, warning that America ‚Äúwon‚Äôt succeed in preventing a cyber attack through improved defenses alone.‚ÄĚ¬†
‚ÄúIf we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president,‚ÄĚ Mr. Panetta said. ‚ÄúFor these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.‚ÄĚ
But the lack of discussion surrounding offensive cyber capabilities ‚Äď and a clear US military plan for pursuing them ‚Äď has been a significant roadblock for US military forces interested in honing those skills, says retired Col. Joe Adams, a former West Point professor who coached the military academy‚Äôs cyber team.
In the past there has been a ‚Äúskittishness about teaching cadets offensive skills like how to hack‚ÄĚ into systems, says Dr. Adams, now executive director of research and cybersecurity for Merit Network, Inc. ‚ÄúWe‚Äôve really ramped up the defensive part, but there hasn‚Äôt been any work done to identify people who have the intuitive ability to conduct operations on the offensive side.‚ÄĚ
[Editor's note:¬†The original version of this story misspelled the name of Merit Network, Inc.]
Many of the threats the US faces ‚Äď and may in turn inflict on other countries and non-state actors ‚Äď will be nuanced.
The notion of a ‚Äúcyber Pearl Harbor,‚ÄĚ as Panetta has characterized it, is a misnomer, Adams adds.
‚ÄúEverybody‚Äôs looking for a cyber Pearl Harbor ‚Äď we don‚Äôt need a Pearl Harbor to really mess things up. That‚Äôs the very nature of this advanced, persistent threat: We‚Äôre not kicking people‚Äôs doors in anymore.‚ÄĚ
Instead, cyber incursions will be more subtle. Just imagine what could happen in a hospital, Adams says. ‚ÄúI don‚Äôt even have to turn off the refrigerators. I just have to change the thermostat so they‚Äôre too warm, or too cold, or make some blood supplies go bad, or spoil a little medicine, or just reroute where they send ambulance alerts.‚ÄĚ
In particular, offensive cyberskills ‚Äúare more art than science,‚ÄĚ says Adams. ‚ÄúThese kids need to be screened right, and they need to be utilized. A career path in the military is built on building their skills, but also retaining them. We‚Äôve done really poorly with that.‚ÄĚ
Part of the problem is that American military training has long emphasized traditional skills, which are often are at odds with developing cyber warriors. You could have an outstanding cyberthinker in a class, but tradition dictates that ‚Äúhe‚Äôs going to be a tank platoon leader, or a rifle platoon ‚Äď he‚Äôs going to have to prove himself as an Army officer before they‚Äôre going to make use of his talent,‚ÄĚ says Adams.
In the meantime, his cyberskills atrophy. ‚ÄúThe cadets I was teaching, there just wasn‚Äôt another outlet for them in the military yet.‚ÄĚ
Plan X is designed to help the Pentagon ‚Äúunderstand the cyber battlespace‚ÄĚ and to develop skills in ‚Äúvisualizing and interacting with large-scale cyber battlespaces,‚ÄĚ according to the DARPA proposal.
These, too, are unique skills that must be cultivated within the military, says Adams. ‚ÄúAnother art piece is mapping a network [that could be a potential target]. How do you do it ‚Äď and how do you do it subtly ‚Äď without knocking things over and turning things off? And if it‚Äôs hostile, how do we do it without getting caught?‚ÄĚ
Plan X hints at some of these needs ‚Äď and makes it clear that the Pentagon is grappling with how to establish a framework for fighting cyberwar, too.
‚ÄúPlan X is an attempt by the national security bureaucracy to come to grips with the multitude of issues around use of cyberweapon in an offensive form ‚Äď the legal, diplomatic, ethical issues,‚ÄĚ says Matthew Aid, a historian and author of "Intel Wars: The Secret History of the Fight Against Terror."
‚ÄúWe can‚Äôt have a public discussion about Stuxnet, about these brand new weapons ‚Äď or their ethical implications ‚Äď until the White House pulls back just a little the veil of secrecy that surrounds the entire program,‚ÄĚ Mr. Aid adds.
For example, Stuxnet revealed how unwieldy such weapons can be when it inadvertently ‚Äújumped‚ÄĚ into friendly computer systems that were never meant to be targeted.
Indeed, ‚ÄúOne of the biggest problems in cyberwarfare is the potential for collateral damage,‚ÄĚ says Mr. Lewis of the Center for Strategic and International Studies.
‚ÄúYou just can‚Äôt attack stuff and not worry that innocent civilians will be harmed ‚Äď you have to take steps to mitigate the risk.‚ÄĚ
Aid says now is the time to have these conversations. ‚ÄúWe can only see one tenth of one percent lurking beneath the surface ‚Äď what‚Äôs beneath the surface scares ... me," he says. "This is combat ‚Äď this is war by a different name.‚ÄĚ