Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.
This year marked a turning point in military uses of cyberspace. For the first time, the United States, United Kingdom, and Australia acknowledged deploying offensive cyber tools against the Islamic State. The fact that the United States, China, Russia, and others break into adversary computer networks is not new--intelligence organizations have done so since the early 1990s. But openly acknowledging that a military, as opposed to largely civilian intelligence organizations, is using malware to gain an advantage during an armed conflict breaks new ground.
It all started in late February when Defense Secretary Ash Carter declared that the United States was looking to attack
"the ability of someone sitting in Raqqa to command and control [self-declared Islamic State, also known as ISIS] forces outside of Raqqa or to talk to Mosul or even to talk to somebody in Paris or to the United States. So these are strikes that are conducted in the war zone using cyber essentially as a weapon of war. Just like we drop bombs, we’re dropping cyber bombs."
The use of the term "cyber bomb" caught like wildfire, and was pilloried for the imagery that it conjured. Subsequent explanations of what Carter meant provided more specificity about the nature of the United States’ cyber bombs. According to the New York Times, U.S. military units aimed to "disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters." In other words, the United States sought to sow enough chaos in the ranks of the self-declared Islamic State to disrupt command and control networks and sap the morale of fighters. In a pre-internet age, these activities would have been considered a combination of electronic warfare and information operations. Now, it’s all cyber.
Senior U.S. policymakers have not yet said whether they believe offensive cyber tools have been effective against the Islamic State. ISIS has suffered significant territorial losses and its recruiting efforts are much less successful than they once were. These setbacks could be attributed to the cyber campaign or to more conventional means, such as aerial bombardment and social media companies’ work to remove terrorist recruitment content. In fact, the Washington Post has reported that senior Pentagon officials have been disappointed with the slow pace of the deployment of U.S. Cyber Command’s operations.
Moreover, launching malware is arguably more complex, both in terms of development and deployment, than deploying ordinance or conventional military weapons. As Herb Lin recently wrote on Net Politics, malware has to be tailored to a specific target, exploiting software vulnerabilities unique to it--unlike a bomb which can be effective against a diversity of targets.
Despite these growing pains, the use of offensive cyber operations in a military context is significant for three reasons. First, offensive cyber operations are likely to be integrated into most, if not all, military efforts in the future. As many have said, there will be no such thing as a purely cyber war where adversaries stick to launching bad packets at each other. Instead, military efforts will be supplemented by a cyber component that will assist an overall campaign, such as assisting with reconnaissance or generating less violent effects (e.g. rendering a military target inoperable through cyber means instead of blowing it up and risking civilian casualties).
Second, it will allow the United States to test the practicalities of applying international humanitarian law (IHL), also known as the law of armed conflict, to cyber operations in a military context. Since the launch of its international cyber strategy in 2011, the United States has advocated that IHL applies in cyberspace and that no new international law is required to regulate state use of cyber tools, a minority view in the non-western world. Being one of the first to break the ice, the United States will now have practical experience to back up its policy advocacy. Russia and China might not be swayed by such arguments, but a number of regional powers, like Brazil, India, and others, might after having seen the results of judge advocate general officers guiding cyber targeting decisions in compliance with IHL.
Third, militaries’ use of offensive cyber tools will require a rethink of the current approach to offensive cyber activity. The vast majority of state-sponsored cyber activity has been in the form of espionage, where stealth and non-attribution are prized. In an offensive military context, an attacker might want an enemy to know that it was behind a particular cyber incident. This difference will require new thinking and new toolsets specifically designed for the military and separate from those used in the intelligence community. That is already beginning to happen in the United States, where there has been talk of divorcing Cyber Command from the National Security Agency. The United Kingdom, Australia and others looking to jump into this space might consider the same.