Cyber campaign against Islamic State marks beginning of a new secret war

The National Security Administration campus in Fort Meade, where the U.S. Cyber Command is located.
The National Security Administration campus in Fort Meade, where the U.S. Cyber Command is located. (Patrick Semansky / AP file)

Days after the United States acknowledged conducting warfare over computer networks for the first time, Defense Secretary Ashton B. Carter took the stage at a major information security conference in San Francisco.

The use of cyberweapons against the self-declared Islamic State had turned the conference audience's online world into the newest battlefield, with potentially far-reaching consequences for the future of the Internet. So it was not surprising that Carter was asked about the new campaign.


"Well, I'm not going to be very public about the details of it," he said.

Carter's stance drew laughter in the conference hall. But after a decade of classified commando raids and drone strikes, the reluctance to talk about the cybercampaign means the country is again heading into a new field of warfare with only limited public debate.


Randall R. Dipert, a philosopher who was among the first to weigh the ethics of cyberwarfare, says the secrecy is "just unbelievable."

He compares the deployment of cyberweapons to the development of nuclear weapons after World War II.

"It was entirely out in the open what these weapons were capable of, the side effects and everything," said Dipert, a professor at State University of New York, Buffalo. "By comparison we can't discuss cyberweapons because they just haven't told us what they have or what their real policies are."

Military officials have acknowledged using computer code to disrupt the Islamic State's communications. But they say they can't reveal more for fear of tipping off the enemy.


The campaign against the Islamic State is being run out of U.S. Cyber Command, an organization established at Fort Meade six years ago to lead the fight on the Internet.

The command is led by Adm. Michael S. Rogers, who also leads the National Security Agency. At the San Francisco event — the RSA Conference — Rogers said he aims to have a force of some 6,000 personnel fully ready to launch cyberattacks and defend American networks by September 2018.

The announcement of cyberattacks against ISIS comes before the new command has reached even initial combat readiness.

"It's our view that we need all the capacity we can get," Rogers said. "We can't wait for it to be perfect."

Cyberweapons are a new kind of armament that differ in significant ways from bullets and bombs. They are pieces of computer code designed to stop a target from working properly, inserted into enemy systems by military hackers.

They are typically weapons of finesse, rather than brute force, that require attackers to probe enemy defenses for holes through which they can be slipped.

Officials say those features make cyberweapons hard to talk about. If adversaries know what's coming, they can easily change their own code to blunt the attack.

Rep. Jim Himes says congressional oversight of the campaign will be important, but the secrecy makes sense.

"I don't worry too much that North Korea is going to watch an F-35 and develop one in a period of six months," said the Connecticut Democrat, a member of the House Intelligence Committee and its cybersecurity subcommittee. "Software is different."

The public announcement of the campaign against ISIS was a departure for the Defense Department. The United States still hasn't acknowledged responsibility for Stuxnet, the computer worm that disrupted the Iranian nuclear program, or an alleged follow-up plan to lay the groundwork for a cyberattack against Iran if nuclear negotiations collapsed.

Carter offered some explanation of what the military hopes in deploying these kinds of weapons against the Islamic State in a goodwill swing up the West Coast last week.

They hold the potential, he told the audience at a breakfast in Seattle on Thursday, to "black these guys out. Make them doubt their communications. Make it impossible for them to dominate and tyrannize the population."

Military ethicists and lawyers have been debating how to use cyberweaponry for years.

Because the targets are computers and enemy communication systems, some analysts argue that they're mostly safe to use.

Others see the potential for the weapons to proliferate and damage systems beyond their intended targets and say their use should be strictly controlled.

"We're starting to see some international agreements that are going to be helpful, but there are so many other problems," said Neil C. Rowe a computer scientist at the Naval Postgraduate School. "I'm more skeptical than some people about the benefits."

In an early paper on the ethics of cyberwar, Rowe wrote that while bullets are likely to reach their intended targets, the same can't be said of computer code weapons.

"If you execute cyberattack software against a cybertarget, the odds are good that it will not work," he wrote.

Worse, if the attack knocks the target system offline, it can be hard for the attacker to know precisely what damage it caused. And while activist groups can raise questions when a drone strike causes civilian casualties, it's harder to assess the damage when a cyberweapon goes astray.

Gen. Joseph Dunford, the chairman of the joint chiefs of staff, says the Islamic State's uncertainty about whether they've been attacked will be an advantage for U.S. hacking forces.

"Frankly, they're going to experience some friction that's associated with us and some friction that's just associated with the normal course of events in dealing in the information age," he told reporters at the Pentagon last week.

"And frankly, we don't want them to know the difference."

One of the biggest concerns of military ethicists is the potential for cyberweapons to cause collateral damage. It can be hard to tell military computers from civilian ones, and even military systems rely on commercially available software that might have to be subverted to carry out an attack.

An attack on the Ukrainian power grid in December revealed the potential. It hit three utility companies, knocking out power to some 225,000 customers. Power is back, up but U.S. investigators reported in late February that there were still problems on the grid.

U.S. officials have long been concerned about the potential for a similar strike against the United States. Rogers, the Cyber Command leader, ranked it as one of his top three threats.

"Seven weeks ago it was the Ukraine. That isn't the last we're going to see of this," he said. "That worries me."


Recommended on Baltimore Sun