The Pentagon Has a Classified List of Cyber Weapons Approved for Cyber Warfare

081203-N-2147L-390 NORFOLK, Va. (Dec. 3, 2008) Sailors on the watch-floor of the Navy Cyber Defense Operations Command monitor, analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Mass Communications Specialist 1st Class Corey Lewis/Released) MC1 Corey Lewis

More news on the cyber warfare front today as more details leak out about the Pentagon’s ongoing efforts to produce a cyber operation framework. Today we learn via the Washington Post that the Pentagon has a classified list of approved cyber weapons and tools that are ready to be deployed if necessary, just as the DoD has an approved list of traditional military responses to certain scenarios.

This list has actually existed for several months and has been accepted by other agencies like the CIA, and joins the battery of other approved weaponry the DoD can deploy under certain circumstances. But as with the Pentagon’s other tools of war, those capabilities come with restrictions.

One senior official told the Post that placing cyber weapons in the arsenal right next to cruise missiles, airstrikes, and M-16s is “perhaps the most significant operational development in military cyber-doctrine in years.” Indeed, it brings clarity to an otherwise murky area of international military relations where the rules of engagement are somewhat opaque. And, perhaps most notably, it establishes the chain of command.

For instance, it specifies when a cyber attack requires presidential authorization and when it does not. For instance, if the military wishes to plant a virus in a foreign nation’s networks that can be activated later, it needs a presidential nod. But a variety of other activities, including spying on other nations’ cyber capabilities or leaving “beacons” behind to mark vulnerable sites in foreign systems, need no approval from the Commander in Chief.

But the situation is still far from crystal clear. The rules change when the U.S. is engaged in a state of hostilities versus a state of peace with the intended target (outside of a zone of hostility, presidential approval is almost always required). During wartime, a president can pre-authorize commanders to use a range of tools so that they can remain nimble on the ground. And, as in physical warfare, there are a range of mission-specific variables, like collateral damage and potential civilian casualties, that have to be weighed. Says the Post:

Under the new framework, the use of a weapon such as Stuxnet could occur only if the president granted approval, even if it were used during a state of hostilities, military officials said. The use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties.

Stuxnet is a prime example of the real challenge the Pentagon faces here. The Stuxnet worm is largely thought to have been designed specifically to disable Iranian nuclear technologies. It is also thought to have been created by the United States or Israel. But once loose in cyberspace, the worm did not discriminate, affecting systems in several nations around the world, including the United States.

Therein lies the real cyber warfare challenge. Traditional battlefields are confined to a physical space, and while the repercussions of what happens there can quickly reverberate around the world, the raw physical impact is limited in scope. In cyber warfare, the battlefield is always global, reaching everywhere all the time, and it’s here the Pentagon must aggressively limit the law of unintended consequences.

Washington Post