Expanding U.S. Cyber Offense – What will it take?

Published: September 18, 2013


The recent debate over the potential use of U.S. military strikes in Syria yet again raised the issue of cybersecurity defenses, as threats from the Syrian forces to launch a cyber-attack on U.S. targets circulated in the news. Details about our own offensive cyber policies and capabilities are few and far between, usually cloaked in secrecy and hypotheticals. But a new report from a Washington think tank hints at the possibilities and highlights some key issues surrounding U.S. offensive cyber capabilities.

A report from the Center for Strategic and International Studies (CSIS) entitled Offensive Cyber Capabilities at the Operational Level wrestles with the legal, policy, technical, and organizational issues surrounding the use of offensive capabilities and how these dynamics change depending on whether they are used at the strategic command level or flow down to the operational or tactical commands. The study contrasts the needs of strategic actors and tactical commands as far as the type and scope of attacks, as well as trade-offs over secrecy and speed, etc.

Challenges that Impact Offensive Cyber Ops

Several areas that highlight the challenges of employing cyber offensives and the need for further discussion include, but are not limited to:

  • Limiting the ripple effects of cyber offensives – It is not always clear how targeted attacks may impact interconnected systems or how the effects of an attack will cascade throughout the immediate and extended environment.

  • Timeliness – The typical judicious rate at which opponent vulnerabilities are determined does not jibe well with fluid battle situations – especially for quick, tactical operations where networks and software change frequently. This calls into question the efficacy of cyber offense within operational and tactical contexts that may require real-time decisions and impacts. The weight of this concern is highly target-dependent.

  • Balancing secrecy with timeliness and value – Given their sensitive nature, the DoD generally does not discuss in detail its capabilities to penetrate or attack enemy networks. Choosing to use these capabilities in tactical or operational contexts requires considering whether the immediate value and timeliness of the target outweigh the cost of exposing the capability.

  • Resource trade-offs – Expanding cyber capabilities beyond strategic and intelligence realms would require either a significant influx of resources or a diversion of existing resources away from current priorities. New demands require new capacity.

  • Organizations and cultures – Expanding the use of typically covert cyber capabilities may exacerbate any cultural tensions between defense and intelligence communities. Maintaining the highly classified nature of programs would be difficult if we were to expand the development and use of cyber weapons more readily at lower tactical levels. On the other hand, if tactical commanders are kept unaware of certain cyber capabilities, then they will not integrate them into their operational planning.

There is also the concern of adding potential vulnerabilities if offensive tools are intercepted and reverse engineered.

These issues and risk trade-offs complicate policy and technical decisions, and therefore the report makes two recommendations. First, the Secretary of Defense should issue a clear affirmation that the use of offensive capabilities does not conflict with existing law and defense policy. Second, the SecDef should develop a plan “for experimentation and exercises that explore operational and tactical cyber use” across the DoD.

Implications

The report notes that one of the challenges in keeping cyber targets discreet is that networks are “dynamic and constantly changing.” This fact has implications for offensive methods, but also hints at how agencies can more effectively defend their networks. This explains in part why we see an increased use of technologies and methods to present an ever-changing network topology to our adversaries. We need to give them a moving target, and tools that can help to that end will be in demand.

Experimentation is repeatedly advocated, and the report acknowledges that some of this is already underway with various simulation and scenario tools that can test the ripple effects of certain attacks across highly connected and networked infrastructures. Opportunities for these and related tools will likely grow with the sophistication and complexity of networked weaponry and infrastructures.

Finally, much of what needs to be settled centers on policy and strategy, including technical concerns, and the Pentagon will draw on its partners in industry to help shape what the future state is to be.