Army, Air Force seek to go on offensive in cyber war

In an unusual act of candor, both the Army and Air Force in the past two months have issued solicitations asking the computer industry to provide technologies the services can use to wage offensive cyberattacks against enemy computer systems.

The Army's Communication and Electronics Command last month released an announcement asking the IT industry to present technologies that it could use to infiltrate enemy computer networks and communications systems. The military refers to such cyberattacks as "offensive information operations," or OIO.

The Army acknowledged in the announcement that it already has waged cyberattacks on enemy networks and communications platforms, but provided no details. But it wants to "leverage innovative technologies" to improve its cyberattacks "and prevent enemy forces from detecting and countering efforts directed against them," according to the announcement. "Technologies designed to interrupt these modern networks must use subtle, less obvious methodology that disguises the technique used, protecting the ability whenever possible to permit future use."

The Air Force also is seeking offensive cyber warfare capabilities, according to an announcement and a request for information released in April. The Air Force's 950th Electronic Systems Group said it is seeking industry help to define technologies and capabilities "associated with computer network attack." The technologies would be used to "disrupt, deny, degrade or deceive an adversary's information system," according to the request for information.

The Air Force wants technology that will help it map data and voice networks, provide it with access to those networks, conduct denial-of-service attacks on current and future network operating systems and network devices and engage in data manipulation on enemy networks.

The Air Force Electronic Systems Center declined to classify potential targets of the offensive cyber operations, such as nations, terrorists, rogue groups or individuals. "Specific capabilities or procedures cannot be discussed for security reasons," said Monica Morales, a spokeswoman for the Electronic Systems Center, the parent command of the 950th Electronic Systems Group.

The offensive cyberattack capabilities that the Army and Air Force want to develop match what Marine Gen. James Cartwright, commander of the Strategic Command, called for during a hearing of the House Armed Services Committee in March. He told the panel that if "we apply the principle of warfare to the cyber domain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests."

Bruce Schneir, a security consultant with BT Counterpane, endorsed the Army and Air Force efforts. "Our government would be negligent if it did not develop offensive information operations capabilities," he said.

But, Schneir added, since cyber space, unlike the physical battlefield, has connections to global networks that support commerce and communications, any offensive operations conducted by the United States must be fine-tuned to avoid disrupting computer systems that are not part of any enemy system that the military would target. That would be the cyber equivalent to collateral damage inflicted in a bombing campaign.

Steven Aftergood, director of the Project on Government Secrecy for the Federation of American Scientists, described the release of the Army and Air Force offensive cyberattack solicitations as significant, because the services have only released limited information on their cyberattack plans, operations or technologies. These solicitations are more detailed.

The Army expects industry to submit responses to the announcement by the end of June. The Air Force is scheduled to hold an industry day for its Network Warfare Operations Capabilities solicitation on June 14 in San Antonio.