By Warren Strobel and Deborah Charles
WASHINGTON, June 7 (Reuters) – On the site of a former
military golf course where President Dwight Eisenhower once
played, the future of U.S. warfare is rising in the shape of the
new $358 million headquarters for the military’s Cyber Command.
The command, based at Fort Meade, Maryland, about 25 miles
north of Washington, is rushing to add between 3,000 and 4,000
new cyber warriors under its wing by late 2015, more than
quadrupling its size.
Most of Cyber Command’s new troops will focus on defense,
detecting and stopping computer penetrations of military and
other critical networks by America’s adversaries like China,
Iran or North Korea.
But there is an increasing focus on offense as military
commanders beef up plans to execute cyber strikes or switch to
attack mode if the nation comes under electronic assault.
“We’re going to train them to the highest standard we can,”
Army General Keith Alexander, head of Cyber Command, told the
Reuters Cybersecurity Summit last month. “And not just on
defense, but on both sides. You’ve got to have that.”
Officials and experts have warned for years that U.S.
computer networks are falling prey to espionage, intellectual
property theft and disruption from nations such as China and
Russia, as well as hackers and criminal groups. President Barack
Obama will bring up allegations of Chinese hacking when he meets
President Xi Jinping at a summit in California beginning on
Friday – charges that Beijing has denied.
The Pentagon has accused China of using cyber espionage to
modernize its military and a recent report said Chinese hackers
had gained access to the designs of more than two dozen major
U.S. weapons systems in recent years. Earlier this year, U.S.
computer security company Mandiant said a secretive Chinese
military unit was probably behind a series of hacking attacks
that had stolen data from 100 U.S. companies.
There is a growing fear that cyber threats will escalate
from mainly espionage and disruptive activities to far more
catastrophic attacks that destroy or severely degrade military
systems, power grids, financial networks and air travel.
Now, the United States is redoubling its preparations to
strike back if attacked, and is making cyber warfare an integral
part of future military campaigns.
Experts and former officials say the United States is among
the best – if not the best – in the world at penetrating
adversaries’ computer networks and, if necessary, inserting
viruses or other digital weapons.
Washington might say it will only strike back if attacked,
but other countries disagree, pointing to the “Stuxnet” virus.
Developed jointly by the U.S. government and Israel, current and
former U.S. officials told Reuters last year, Stuxnet was highly
sophisticated and damaged nuclear enrichment centrifuges at
Iran’s Natanz facility.
NEW RULES OF ENGAGEMENT
U.S. government officials frequently discuss America’s cyber
vulnerabilities in public. By contrast, details about U.S.
offensive cyberwarfare capabilities and operations are almost
all classified.
Possible U.S. offensive cyber attacks could range from
invading other nations’ command and control networks to
disrupting military communications or air defenses – or even
putting up decoy radar screens on an enemy’s computers to
prevent U.S. aircraft from being detected in its airspace.
The shift toward a greater reliance on offense is an
important one for a nation which has mostly been cautious about
wading into the uncertain arena of cyberwar – in part because
gaps in U.S. cybersecurity make it vulnerable to retaliation.
But former Homeland Security Secretary Michael Chertoff said
the United States must be ready and should articulate – soon –
what level of cyber aggression would be seen as an act of war,
bringing a U.S. response.
“One of the things the military learned, going back to 9/11,
is whether you have a doctrine or not, if something really bad
happens you’re going to be ordered to do something,” he told the
Reuters summit. “So you better have the capability and the plan
to execute.”
Reuters has learned that new Pentagon rules of engagement,
detailing what actions military commanders can take to defend
against cyber attacks, have been finalized after a year of “hard
core” debate. The classified rules await Defense Secretary Chuck
Hagel’s signature, a senior defense official said.
The official would not give details of the rules but said,
“they will cover who has the authority to do specific actions if
the nation is attacked.”
‘A FRAGILE CAPABILITY’
At Cyber Command, military officers in crisp uniforms mix
with technical experts in T-shirts as the armed forces takes up
the challenge of how to fend off cyber penetrations from
individuals or rival countries.
Even as overall U.S. defense spending gets chopped in
President Barack Obama’s proposed 2014 budget, cyber spending
would grow by $800 million, to $4.7 billion while overall
Pentagon spending is cut by $3.9 billion.
Until its new headquarters is ready, Cyber Command shares a
home with the U.S. National Security Agency (NSA), which for 60
years has used technological wizardry to crack foreign codes and
eavesdrop on adversaries while blocking others from doing the
same to the United States. Alexander heads both agencies.
“The greatest concentration of cyber power in this planet is
at the intersection of the Baltimore-Washington Parkway and
Maryland Route 32,” said retired General Michael Hayden, a
former CIA and NSA director, referring to NSA’s Fort Meade
location.
But NSA’s role in helping protect civilian, government and
private networks has been controversial – and is likely to come
under greater scrutiny with this week’s revelation that it has
been collecting telephone records of millions of Verizon
Communications customers under a secret court order.
A January report by the Pentagon’s Defense Science Board
gave a general picture of how the United States might exploit
and then attack an adversary’s computer systems.
In some cases, U.S. intelligence might already have gained
access for spying, the report said. From there, Cyber Command
“may desire to develop an order of battle plan against that
target” and would require deeper access, “down to the terminal
or device level in order to support attack plans,” it said.
Because gaining access to an enemy’s computers for sustained
periods without detection is not easy, “offensive cyber will
always be a fragile capability,” it said.
In cyberspace, reconnaissance of foreign networks is “almost
always harder than the attack” itself because the challenging
part is finding a way into a network and staying undetected,
said Hayden, now with the Chertoff Group consulting firm.
PURPLE HAIR AND JEANS
Cyber Command’s new Joint Operations Center, due to be
complete in 2018, will pull disparate units together and house
650 personnel, officials said. Air Force, Army, Navy and Marine
Corps components will be nearby and, a former U.S. intelligence
official said, the complex will have power and cooling to handle
its massive computing needs.
Those who have worked at Cyber Command say the atmosphere is
a mixture of intensity and geek-style creativity. Military
precision is present, but it is not unusual to see young
civilian computer whiz kids with purple hair, a tie-dyed shirt
and blue jeans.
“It’s made to be a fun environment for them. These are
people who are invested and want to serve their nation. But
there is some military rigor and structure around all that –
like a wrapper,” said Doug Steelman, who was director of Network
Defense at Cyber Command until 2011 and is now Chief Information
Security Officer at Dell SecureWorks.
Cyber Command’s growth and expanding mission come with
serious challenges and questions.
For example, how to prevent U.S. military action in
cyberspace from also damaging civilian facilities in the target
country, such as a hospital that shares an electric grid or
computer network with a military base?
And some doubt that the military can train many cyber
warriors quickly enough. Alexander has identified that as his
biggest challenge.
The former intelligence official said Cyber Command’s new
teams won’t be fully ready until at least 2016 due to military
bureaucracy and because it takes time to pull together people
with the special skills needed.
“To be a good cyber warrior, you have to be thinking, ‘How
is the attacker discovering what I’m doing? How are they working
around it?’ … Cyber security really is a cat and mouse game,”
said Raphael Mudge, a private cybersecurity expert and Air Force
reservist. “That kind of thinking can’t be taught. It has to be
nurtured. There are too few who can do that.”
Would-be cyber warriors go through extensive training, which
can take years. A recruit with proven aptitude will be sent to
courses such as the Navy-led Joint Cyber Analysis Course in
Pensacola, Florida, a 6-month intensive training program.
The top 10 percent of JCAC’s students will be selected for
advanced cyber operations training, said Greg Dixon, a vice
president at private KEYW Corp, which conducts intensive
training classes.
The company can train a JCAC graduate to become an analyst
in five weeks, but it takes 20 weeks to become a cyber operator.
Dixon would not divulge what an operator would be capable of
doing after graduation, but said it would be “a lot.”
“They’re going to pick the cream of the crop for the ‘full
spectrum cyber missions’,” the former U.S. intelligence official
said, using a euphemism for cyber offense.
Before a future cyber warrior can begin advanced training,
he or she has to pass through the arduous security clearance
process, which can take six to nine months for personnel who are
not already cleared.
Troops earmarked for cyber warfare have found themselves
washing floors, mowing lawns and painting at military
installations as they bide time waiting for a clearance.
There is the concern about retaliation for a U.S. cyber
attack. Some analysts say Iran increased its cyber capabilities
after being infected with Stuxnet, which was revealed in 2010.
“The old saying, he who lives in a glass house should be
careful of throwing stones … but if the stone that you threw
at someone, when you live in a glass house, is a stone that in
some way they could pick back up and throw back at you, that’s
an even dumber idea,” the defense official said. “We definitely
think about that as one aspect of considering action.”
