U.S. politicians have long threatened America’s enemies with tanks, planes, submarines, and nuclear missiles. Last week defense secretary Ashton Carter leveled a new kind of threat at the Islamic State: hackers. It may signal the start of a new era in warfare and international relations.
There have been leaks about how the U.S. government used the Stuxnet malware to attack Iran. And the U.S. government has enlisted the help of social networks to combat ISIS propaganda. But the Pentagon has not talked openly about using such techniques in war.
Carter broke that silence in a briefing with reporters last week. He said that the U.S. Cyber Command was attacking ISIS communications networks in support of efforts to help local forces take back the cities of Mosul, in Iraq, and Raqqa, in Syria. Cyber Command was established in 2009 and is made up of groups from the various military branches.
Carter later offered more detail about the role of those operations at the world’s largest computer security event, the RSA Conference, in San Francisco. “We are using our cyber [attack capabilities] to interrupt their ability to command and control their forces, to make them doubt the reliability of their communications, [and] take away their ability to control the local populace,” he said. “We’re going to defeat ISIL [as ISIS is also called]. I’m looking for all the ways I can accelerate that defeat.”
People who have tracked the growing influence of computer security on national security say Carter’s comments show the Pentagon is ready to deploy its hackers more often.
“This is a big moment,” says Peter Singer, a senior fellow at New America Foundation who studies the role of computer security in defense. The policy of not talking about the Pentagon’s ability to deploy computer attacks alongside conventional forces helped minimize their use, he says. In 2011, for example, leaks revealed that the White House determined that computer attacks could disable Libya’s Russian-made air defenses, but decided instead to use cruise missiles.
Keeping quiet about its computer-based arsenal also allowed the Pentagon to save it for a time it really needed it, and avoid the ethical, legal, and policy questions that come with using such techniques, says Singer. Those unresolved questions include what kinds of computer attacks might constitute an act of war, and how to deal with the fact that computer attacks often spread beyond their intended targets, as Stuxnet did.
In the immediate fight against ISIS—where the U.S. is desperate for victory but wary of deploying ground forces—openly deploying Cyber Command hackers could be a good tactic in both military and public relations terms. The Islamic State’s use of the Internet and computers to coӧrdinate is well documented, and the brutal organization has few sympathizers.
“You don’t use your trick plays in the preseason games, you save them for the games that matter,” says Singer. “And there’s a parallel to the Apple vs. FBI case—if you’re going to do something, first choose your case; this is a good case.”
The operations Carter announced, and his willingness to talk about them, will have consequences far beyond the ISIS conflict.
Taking on ISIS, which is much weaker than other potential U.S. adversaries, functions as a training exercise that will help the Pentagon work out how to think about and coӧrdinate cyberattacks, says Ben FitzGerald, director of the technology and national security program at the Center for a New American Security.
It will also help define how computer attacks affect international relations. “Employing cyber capabilities against ISIS shows other nations that we’re willing and able to employ these capabilities—similar to the Russian use of improved cruise missiles early in their Syria campaign,” says FitzGerald.
However, the Pentagon’s coming out of the cyberwar closet also brings administrative challenges. Cyber Command is currently closely tied to the National Security Agency, with which it shares a leader, Admiral Michael Rogers. Carter said at the RSA Conference that in the future it will likely make sense to separate the two and make the hacking division larger and more independent as it became more important to warfighting.
But he added that it wasn’t clear if Cyber Command would eventually become a new service branch, as the Air Force did after aircraft became vital warfighting technology, or stay largely civilian. “I’m not sure how much it’s going to be a uniformed force, a civil force, a contracted force,” he said. “It’s not necessarily a traditional military organization.”
Singer notes that one thing Cyber Command’s adventures in fighting America’s enemies will have in common with previous military efforts is that they won’t always work out. Some of their attacks will fail, cause collateral damage, or publicly embarrass the Pentagon. “That’s the nature of war,” he says.