On the site of a former military golf course where President Dwight Eisenhower once played, the future of U.S. warfare is rising in the shape of the new $358 million headquarters for the military’s Cyber Command.
The command, based at Fort Meade, Maryland, about 25 miles north of Washington, is rushing to add between 3,000 and 4,000 new cyber warriors under its wing by late 2015, more than quadrupling its size.
Most of Cyber Command’s new troops will focus on defense, detecting and stopping computer penetrations of military and other critical networks by America’s adversaries like China, Iran or North Korea.
But there is an increasing focus on offense as military commanders beef up plans to execute cyber strikes or switch to attack mode if the nation comes under electronic assault.
“We’re going to train them to the highest standard we can,” Army General Keith Alexander, head of Cyber Command, told the Reuters Cybersecurity Summit last month. “And not just on defense, but on both sides. You’ve got to have that.”
Officials and experts have warned for years that U.S. computer networks are falling prey to espionage, intellectual property theft and disruption from nations such as China and Russia, as well as hackers and criminal groups. President Barack Obama will bring up allegations of Chinese hacking when he meets President Xi Jinping at a summit in California beginning on Friday – charges that Beijing has denied.
The Pentagon has accused China of using cyber espionage to modernize its military and a recent report said Chinese hackers had gained access to the designs of more than two dozen major U.S. weapons systems in recent years. Earlier this year, U.S. computer security company Mandiant said a secretive Chinese military unit was probably behind a series of hacking attacks that had stolen data from 100 U.S. companies.
There is a growing fear that cyber threats will escalate from mainly espionage and disruptive activities to far more catastrophic attacks that destroy or severely degrade military systems, power grids, financial networks and air travel.
Now, the United States is redoubling its preparations to strike back if attacked, and is making cyber warfare an integral part of future military campaigns.
Experts and former officials say the United States is among the best – if not the best – in the world at penetrating adversaries’ computer networks and, if necessary, inserting viruses or other digital weapons.
Washington might say it will only strike back if attacked, but other countries disagree, pointing to the “Stuxnet” virus. Developed jointly by the U.S. government and Israel, current and former U.S. officials told Reuters last year, Stuxnet was highly sophisticated and damaged nuclear enrichment centrifuges at Iran’s Natanz facility.
NEW RULES OF ENGAGEMENT
U.S. government officials frequently discuss America’s cyber vulnerabilities in public. By contrast, details about U.S. offensive cyberwarfare capabilities and operations are almost all classified.
Possible U.S. offensive cyber attacks could range from invading other nations’ command and control networks to disrupting military communications or air defenses – or even putting up decoy radar screens on an enemy’s computers to prevent U.S. aircraft from being detected in its airspace.
The shift toward a greater reliance on offense is an important one for a nation which has mostly been cautious about wading into the uncertain arena of cyberwar – in part because gaps in U.S. cybersecurity make it vulnerable to retaliation.
But former Homeland Security Secretary Michael Chertoff said the United States must be ready and should articulate – soon – what level of cyber aggression would be seen as an act of war, bringing a U.S. response.
“One of the things the military learned, going back to 9/11, is whether you have a doctrine or not, if something really bad happens you’re going to be ordered to do something,” he told the Reuters summit. “So you better have the capability and the plan to execute.”
Reuters has learned that new Pentagon rules of engagement, detailing what actions military commanders can take to defend against cyber attacks, have been finalized after a year of “hard core” debate. The classified rules await Defense Secretary Chuck Hagel’s signature, a senior defense official said.
The official would not give details of the rules but said, “they will cover who has the authority to do specific actions if the nation is attacked.”
‘A FRAGILE CAPABILITY’
At Cyber Command, military officers in crisp uniforms mix with technical experts in T-shirts as the armed forces takes up the challenge of how to fend off cyber penetrations from individuals or rival countries.
Even as overall U.S. defense spending gets chopped in President Barack Obama’s proposed 2014 budget, cyber spending would grow by $800 million, to $4.7 billion while overall Pentagon spending is cut by $3.9 billion.
Until its new headquarters is ready, Cyber Command shares a home with the U.S. National Security Agency (NSA), which for 60 years has used technological wizardry to crack foreign codes and eavesdrop on adversaries while blocking others from doing the same to the United States. Alexander heads both agencies.
“The greatest concentration of cyber power in this planet is at the intersection of the Baltimore-Washington Parkway and Maryland Route 32,” said retired General Michael Hayden, a former CIA and NSA director, referring to NSA’s Fort Meade location.
But NSA’s role in helping protect civilian, government and private networks has been controversial – and is likely to come under greater scrutiny with this week’s revelation that it has been collecting telephone records of millions of Verizon Communications customers under a secret court order.
A January report by the Pentagon’s Defense Science Board gave a general picture of how the United States might exploit and then attack an adversary’s computer systems.
In some cases, U.S. intelligence might already have gained access for spying, the report said. From there, Cyber Command “may desire to develop an order of battle plan against that target” and would require deeper access, “down to the terminal or device level in order to support attack plans,” it said.
Because gaining access to an enemy’s computers for sustained periods without detection is not easy, “offensive cyber will always be a fragile capability,” it said.
In cyberspace, reconnaissance of foreign networks is “almost always harder than the attack” itself because the challenging part is finding a way into a network and staying undetected, said Hayden, now with the Chertoff Group consulting firm.
PURPLE HAIR AND JEANS
Cyber Command’s new Joint Operations Center, due to be complete in 2018, will pull disparate units together and house 650 personnel, officials said. Air Force, Army, Navy and Marine Corps components will be nearby and, a former U.S. intelligence official said, the complex will have power and cooling to handle its massive computing needs.
Those who have worked at Cyber Command say the atmosphere is a mixture of intensity and geek-style creativity. Military precision is present, but it is not unusual to see young civilian computer whiz kids with purple hair, a tie-dyed shirt and blue jeans.
“It’s made to be a fun environment for them. These are people who are invested and want to serve their nation. But there is some military rigor and structure around all that – like a wrapper,” said Doug Steelman, who was director of Network Defense at Cyber Command until 2011 and is now Chief Information Security Officer at Dell SecureWorks.
Cyber Command’s growth and expanding mission come with serious challenges and questions.
For example, how to prevent U.S. military action in cyberspace from also damaging civilian facilities in the target country, such as a hospital that shares an electric grid or computer network with a military base?
And some doubt that the military can train many cyber warriors quickly enough. Alexander has identified that as his biggest challenge.
The former intelligence official said Cyber Command’s new teams won’t be fully ready until at least 2016 due to military bureaucracy and because it takes time to pull together people with the special skills needed.
“To be a good cyber warrior, you have to be thinking, ‘How is the attacker discovering what I’m doing? How are they working around it?’ … Cyber security really is a cat and mouse game,” said Raphael Mudge, a private cybersecurity expert and Air Force reservist. “That kind of thinking can’t be taught. It has to be nurtured. There are too few who can do that.”
Would-be cyber warriors go through extensive training, which can take years. A recruit with proven aptitude will be sent to courses such as the Navy-led Joint Cyber Analysis Course in Pensacola, Florida, a 6-month intensive training program.
The top 10 percent of JCAC’s students will be selected for advanced cyber operations training, said Greg Dixon, a vice president at private KEYW Corp, which conducts intensive training classes.
The company can train a JCAC graduate to become an analyst in five weeks, but it takes 20 weeks to become a cyber operator. Dixon would not divulge what an operator would be capable of doing after graduation, but said it would be “a lot.”
“They’re going to pick the cream of the crop for the ‘full spectrum cyber missions’,” the former U.S. intelligence official said, using a euphemism for cyber offense.
Before a future cyber warrior can begin advanced training, he or she has to pass through the arduous security clearance process, which can take six to nine months for personnel who are not already cleared.
Troops earmarked for cyber warfare have found themselves washing floors, mowing lawns and painting at military installations as they bide time waiting for a clearance.
There is the concern about retaliation for a U.S. cyber attack. Some analysts say Iran increased its cyber capabilities after being infected with Stuxnet, which was revealed in 2010.
“The old saying, he who lives in a glass house should be careful of throwing stones … but if the stone that you threw at someone, when you live in a glass house, is a stone that in some way they could pick back up and throw back at you, that’s an even dumber idea,” the defense official said. “We definitely think about that as one aspect of considering action.”