The next great conflict will play out not just on physical terrain, but also in the electrical pulses of cyberspace and the electronic spectrum. But while anonymous enemies like ISIS or Russia’s “little green men” are free to use the digital space as they like, U.S. Army leaders say legal requirements and a pre-digital rules structure complicate their response. That’s why for the last 18 months, the service has been experimenting with different concepts of operations for the cyber units that will be on the front lines of tomorrow’s fights.
The Army, which already has 30 cyber teams at full operational capability and 11 more at initial operating capability, is aiming to have 41 fully operational teams by year’s end.
“As soon as we create them, they are in operational use” in both offense and defense, said Brig. Gen. J.P. McGee, Army Cyber Command’s deputy for operations. “We have Army soldiers delivering effects against ISIS and ISIL.”
Last April, The New York Times reported that military cyber teams are helping Iraqi security forces and Kurdish units by altering ISIS fighters’ electronic messages, “with the aim of redirecting militants to areas more vulnerable to attack by American drones or local ground forces.”
Offensive cyberweapons are a key interest of the new administration. On Jan. 20, President Donald Trump’s team added a “Making Our Military Strong Again” page to the White House’s website: “We will make it a priority to develop defensive and offensive cyber capabilities at our U.S. Cyber Command.”
Yet, the definitions of cyber weapons and cyberwarfare are not much more precise today than in 2010 when the Stuxnet worm shut down Iran’s Natanz nuclear enrichment facility. In 2011, the Pentagon acknowledged a secret list of cyber weapons but did not detail what they were.
Of course, the United States has been using various cyber espionage tactics as part of real operations for years.
In his book "@War: The Rise of the Military-Internet Complex," Shane Harris describes the work of National Security Agency hackers embedded with military squads fighting in Iraq after the fall of Saddam Hussein.
“The U.S. hackers sent fake text messages to insurgent fighters and roadside bombers,” Harris writes. “The messages would tell the recipient, in effect, ‘Meet at this street corner to plan the next attack,’ or ‘Go to this point on a road and plant your device.’ When the fighter got there, he’d be greeted by U.S. troops, or perhaps the business end of a Hellfire missile fired from a drone aircraft thousands of feet above.”
Today, the Army is putting those ideas to work at the National Training Center at California’s Fort Irwin, where soldiers and technical experts are working out formal concepts and plans for deploying cyber weapons on the battlefield. The key is to use them with precision, predictability and maximum effect, while also defending Army networks and communications.
“What it looks like is the ability to go there and first off … map out the cyber and electromagnetic terrain. So, where is everything? Where are wireless points? Where are the cellphone towers? What does that look like?” McGee told reporters Wednesday at the Pentagon.
This new dimension of war demands changes to the Army’s tables of organization. To guard tactical networks, for example, every brigade combat team will have a warrant officer and a noncommissioned officer to mind what the Army is calling a “cyber first line of defense.”
The Army’s tactical operations centers will also get a cyber adviser to guide commanders in deploying information weapons, just as the artillery experts guide fires.
Then, there are the tactical questions. If the Army’s hackers can gain access to an enemy’s wireless communications points, what should they do to them? McGee said one option is to shut down nearby civilian networks when a U.S. patrol passes through the area, to prevent insurgents from calling in aid.
“Now, you might ask, why not close it down completely, just put a bomb in it?” he said. “Well, potentially, that’s just a place we can collect [intelligence] later on.”
Commanders must also understand the legal consequences of disrupting or bugging a civilian network. Navigating the legal environment can be much more complex than just blasting a target with a howitzer.
“We have to develop a framework and a model that allows us to describe how we can break down these authorities in terms of the effects that they would have,” McGee said. “Originally, the thought of doing cyberspace operations was that everything had to be controlled by the president… We are discovering that we can have a localized, discriminating effect.”
Currently, even basic and relatively simple actions like mapping the digital networks and nodes around a battlespace can get snarled in bureaucracy.
“How do we visualize that environment … also from the electromagnetic spectrum angle, what kind of signatures are we emitting? How can we see the enemy?” said Brig. Gen. Patricia Frost, who runs the Army’s Cyber Directorate. ”The commander has [to have] a complete visualization of the domain. That’s really important. That should not take an authority granted by the [defense secretary].”
The Army has a tactical field manual for cyber and EW effects, but has not yet laid out—at least in public—an explicit policy for how, when, and under what circumstances it will use offensive cyber weapons.
The public understanding of these questions hasn’t much advanced since two years ago, when the head of U.S. Cyber Command, Adm. Michael Rogers, has said cyber weapons should be governed by the same rules of engagement as other weapons.
“Remember, anything we do in the cyber arena … must follow the law of conflict. Our response must be proportional, must be in line with the broader set of norms that we’ve created over time. I don’t expect cyber to be any different,” Rogers said in 2015.
Future adversaries won’t operate under the same constraints.
“If you don’t have to worry about authorities … you can be very effective,” Frost said. “We look at it differently. The State Department, when we are not at war, we defer to them on information operations. It’s a different approach.”
Cyber operations are also a lot easier if you “don’t look at it through a Western lens in terms of protecting citizens’ privacy rights, also not having to be completely honest in the press,” she said. “That ability to use technology and be untruthful, it’s not something we would do. You’re playing on a different field. They already have an upper hand because” they can play by different rules.
The Army plans to run exercises with different legal teams to see if the soldiers of today and tomorrow need extra legal authorities in battle. Getting those proper authorities and related issues ironed out can add delays, Frost acknowledges. She says she is “satisfied with the pace” of getting those permissions in place, but added it’s “never fast enough” if you’re the soldier in the fight.
For McGee, a bigger concern is his inability to know enough his adversary’s capabilities, a unique feature of digital weapons. There are many ways to figure out the size of a conventional force, and the number of soldiers and bombs it has. But cyber capabilities, by virtue of their ethereal nature, are also opaque.
“If you look back at the Cold War, we had a rough idea of what the Warsaw Pact [the Soviet Union and its satellite countries] had in terms of divisions, ships, planes,” McGee said. “We were probably off but not by a tremendous amount. In cyberspace it’s very hard to have that degree of certainty. The possibility of unknowns in this operational space is huge. It’s impossible for us to scale what we know and don’t know.”