Now hiring: Lord of cyberwar
While not heavily publicized, it's a surprisingly public move for the Pentagon to advertise that it's going full-on into a space that has historically been kept behind closed doors. Only this past June, the Department of Defense Law of War Manual (pdf) was published for the first time ever and included Cyber Operations under its own section -- and, controversially, a section indicating that cyber-weapons with lethal outcomes are sanctioned by Pentagon doctrine.
In addition to potentially cultivating lethal malware, the winner of CYBERCOM's contract will run the whole Pentagon kit and kaboodle of cyber defense and offense. Among many tasks and deliverables, they'll review and assess cyber wargame reports, run general DoD IT defense and manage patching and internal vulnerabilities, and coordinate CYBERCOM's attack and defense capabilities with different departments.
The vendor will also do "cyber joint munitions effectiveness support" -- assessing a cyberweapon's effectiveness as a munition and advising changes to methodology, tactics, weapon system, fusing, and/or weapon delivery parameters to increase the effectiveness of its force on specific targets. Likely candidates include Lockheed Martin, Northrop Grumman and Raytheon.
Well, the Pentagon sorely needs help with its cybersecurity. In March, the Pentagon's director of operational tests and evaluation Michael Gilmore turned smiles upside down when describing the state of cybersecurity across the U.S. military at a Consortium for IT Software Quality conference.
Gilmore said, "When we do cybersecurity assessments ... we get in almost every time." He noted, "the testing staff generally used novice and intermediate techniques, not even the more sophisticated malicious software used by foreign countries."
Several specific positions are in the work order, including a "Weapons & Capabilities Lead" who will "serve as the technical lead for contractor personnel performing Fires, Media Malware Analysis ... and cyberspace joint munitions effectiveness support functions."
The position requires that this person have considerable experience in what's essentially malicious black hat hacking, with "A minimum of three years of experience in Cyber Fires and/or Cyber Targeting." In military-speak, the term "fire" indicates the act of pulling a trigger; a "cyber fire" indicates a weaponry operation where the command is given to discharge that (cyber) weapon, just as one would receive the command to fire traditional munitions such as missiles or guns.
The contractor is also expected to advise on hack attacks, and "provide technical targeting expertise on the best methods to allocate fires against deliberate and dynamic targets in and through cyberspace."
Ready, aim: Cyber-fire
Unlike attack malware of yore (like Stuxnet, made for sabotage), CYBERCOM's digital arms will be made with the intent of achieving traditional warfare weaponry outcomes. In other words -- death.
Under Law of War guidelines, if a "cyber fire" like weaponized malware caused "the kind of physical damage that would be caused by dropping a bomb or firing a missile, that cyber attack would equally be subject to the same rules that apply to attacks using bombs or missiles."
According to the manual, the Pentagon's cyber-weaponry operations may include "cyber fires" that "(1) trigger a nuclear plant meltdown; (2) open a dam above a populated area, causing destruction; or (3) disable air traffic control services, resulting in airplane crashes."
0day is to missiles, as candles are to snow: unrelated
The CYBERCOM project uses the Law of War ruleset of "following the kinetic model" for all things cyber, meaning that it subjects cyber-munitions, cyber-attacks, and the assessment of a cyber-weapon's effectiveness to the same rules that apply to physical attacks using bombs or bullets.
And for anyone familiar with the attack landscape, that's a highly problematic approach. Malware, zero days (0day), exploits and vulns, infiltration software, surveillance software, even crap used by script kiddies, etc. ... none of it follows the same rules or characteristics as traditional weapons. This is exactly where the U.S. government's proposed interpretation of the Wassenaar Arrangement, the multilateral arms-export control agreement, went wrong and triggered outrage and alienation in global infosec companies and communities.
Both CYBERCOM's and the Law of War Manual's cyber-weaponry rulesets only work if the Pentagon is planning to stockpile an arsenal of DDoS attacks -- to extend the bomb analogy -- but not if it goes further than an external attack.
Hackers who develop, launch and execute attacks (or study such attacks) will certainly agree with Matt Monte, author of Network Attacks and Exploitation: A Framework, who told Engadget via email that CYBERCOM's plan overlooks the critical step of gaining access. Because of the issues around access, the same rules can't apply when it comes to cyber-weaponry in attack, execution, timing, predictability, collateral damage, so-called "friendly fire" -- or what would now constitute an act of war.
"Causing damage beyond a temporary denial of service requires access," Monte said. "And gaining access requires time. The question then becomes when is it acceptable to initiate gaining access? This is a political, strategic, and tactical question with no easy answer."
CYBERCOM spokeswoman Kara Soules was reported as saying, "understanding the success rate of the weapon is critical" -- underscoring that the checks and balances of the project hinge on knowing that "cyber joint munitions" can be guided by the same model of assessing success as a traditional munition strike.
Monte said, "This is a very hard problem. What is the probability that a computer target is vulnerable? That the vulnerability can be exploited? What are the potential effects of destroying or degrading those systems? How will you even know if you are successful?" He added, "The only way to answer these questions with any level of certainty is to gain access."
The Pentagon's cyber-unicorn
Both Law of War and the Cyberspace Operations Support Services contract have a very Silicon Valley feel to them -- and I don't mean that in a good way.
That's because both have a "ship it and fix it later" attitude about the tech at hand. In each document we can see the Pentagon's young cyber branch echoing an irresponsible startup's "move fast, break things, apologize later" approach. The COSS contract tries to solve the complex messiness of the Pentagon's cyber-defense (and offense) needs by simply hiring an arms dealer for deliverables. The Law of War Manual included Cyber Operations alongside Weapons and Military Occupations, but beginning with a slapdash caveat, "Precisely how the law of war applies to cyber operations is not well-settled."
This thinking isn't too far off, considering that the Pentagon's cyber strategy -- precursor to its forthcoming CYBERCOM contract and Law of War cyber-bits -- was unveiled in May to an audience of students and Silicon Valley entrepreneurs at Stanford University. At the startup epicenter, Defense Secretary Ash Carter said, "We're going to be increasing our fundamental research and development," with established companies and startups, "so that together, we can create cyber capabilities that not only help DOD, but can also spin off into the wider U.S. marketplace."