Pentagon's Plan X: how it could change cyberwarfare

The Pentagon has always been secretive about its desire and ability to carry out offensive cyberwarfare. Now, Plan X makes it clear that offensive cyberattacks will be in the Pentagon playbook.

In a speech to business leaders in New York City on Thursday, Defense Secretary Leon Panetta became the first US official to publicly confirm that Iranian hackers, likely supported by the Tehran government, were responsible for recent cyberattacks against oil and gas companies in the Persian Gulf and that they appeared to be in retaliation for the latest round of U.S. sanctions against the country. He is shown here, in a file photo, speaking to a news conference on Sept 27 in Washington.

Jacquelyn Martin/AP/File

October 12, 2012

The same Pentagon futurologists who helped create the Internet are about to begin a new era of cyberwarfare.

For years, the Pentagon has been open and adamant about the nation's need to defend itself against cyberattack, but its ability and desire to attack enemies with cyberweapons has been cloaked in mystery.

Next week, however, the Pentagon's Defense Advanced Research Projects Agency (DARPA) will launch Plan X – an effort to improve the offensive cyberwarfare capabilities “needed to dominate the cyber battlespace,” according to an announcement for the workshop.


Though the program will be closed to the press, the relatively public message is a first for the Pentagon. For one, it shows that the Pentagon is now essentially treating its preparations for cyberwar the same way it treats its preparations for any potential conventional war. Just as it takes bids from aerospace companies to develop new jet fighters or helicopters, Plan X will look at bids from groups that can help it plan for cyberwarfare and expand technologies.

Moreover, it opens a window into the highly secretive world of offensive cyberwarfare. No longer is it unclear whether the US is in the business of planning Stuxnet-style cyberattacks. Plan X indicates that such capabilities – which experts say could range from taking out electrical grids to scrambling computer networks in top-secret facilities to causing the pacemaker implanted in an enemy official to go haywire – will be an explicit part of the military playbook.

“If we can have a robust public discussion of nuclear weapons why not a robust discussion of cyberstrategy?” says Jim Lewis, director of the Technology and Public Policy program at the Center for Strategic and International Studies in Washington. “Up until now, cyber has been kind of ad hoc. What they’re doing now is saying that this is going to be a normal part of US military operations.”

The US is already engaged in offensive cyberwar. Media reports claim that the US helped develop and deploy the Stuxnet digital worm, which inflicted serious harm on Iran’s uranium enrichment program.

In his most wide-ranging speech to date on cyber warfare Thursday, Defense Secretary Leon Panetta hinted at the need for increased offensive capabilities, warning that America “won’t succeed in preventing a cyber attack through improved defenses alone.” 


“If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president,” Mr. Panetta said. “For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”

But the lack of discussion surrounding offensive cyber capabilities – and a clear US military plan for pursuing them – has been a significant roadblock for US military forces interested in honing those skills, says retired Col. Joe Adams, a former West Point professor who coached the military academy’s cyber team.

In the past there has been a “skittishness about teaching cadets offensive skills like how to hack” into systems, says Dr. Adams, now executive director of research and cybersecurity for Merit Network, Inc. “We’ve really ramped up the defensive part, but there hasn’t been any work done to identify people who have the intuitive ability to conduct operations on the offensive side.”

[Editor's note: The original version of this story misspelled the name of Merit Network, Inc.]

Many of the threats the US faces – and may in turn inflict on other countries and non-state actors – will be nuanced.

The notion of a “cyber Pearl Harbor,” as Panetta has characterized it, is a misnomer, Adams adds.

“Everybody’s looking for a cyber Pearl Harbor – we don’t need a Pearl Harbor to really mess things up. That’s the very nature of this advanced, persistent threat: We’re not kicking people’s doors in anymore.”

Instead, cyber incursions will be more subtle. Just imagine what could happen in a hospital, Adams says. “I don’t even have to turn off the refrigerators. I just have to change the thermostat so they’re too warm, or too cold, or make some blood supplies go bad, or spoil a little medicine, or just reroute where they send ambulance alerts.”

In particular, offensive cyberskills “are more art than science,” says Adams. “These kids need to be screened right, and they need to be utilized. A career path in the military is built on building their skills, but also retaining them. We’ve done really poorly with that.”

Part of the problem is that American military training has long emphasized traditional skills, which are often at odds with developing cyber warriors. You could have an outstanding cyberthinker in a class, but tradition dictates that “he’s going to be a tank platoon leader, or a rifle platoon – he’s going to have to prove himself as an Army officer before they’re going to make use of his talent,” says Adams.

In the meantime, his cyberskills atrophy. “The cadets I was teaching, there just wasn’t another outlet for them in the military yet.”

Plan X is designed to help the Pentagon “understand the cyber battlespace” and to develop skills in “visualizing and interacting with large-scale cyber battlespaces,” according to the DARPA proposal.

These, too, are unique skills that must be cultivated within the military, says Adams. “Another art piece is mapping a network [that could be a potential target]. How do you do it – and how do you do it subtly – without knocking things over and turning things off? And if it’s hostile, how do we do it without getting caught?”

Plan X hints at some of these needs – and makes it clear that the Pentagon is grappling with how to establish a framework for fighting cyberwar, too.

“Plan X is an attempt by the national security bureaucracy to come to grips with the multitude of issues around use of cyberweapons in an offensive form – the legal, diplomatic, ethical issues,” says Matthew Aid, a historian and author of “Intel Wars: The Secret History of the Fight Against Terror.”

“We can’t have a public discussion about Stuxnet, about these brand new weapons – or their ethical implications – until the White House pulls back just a little the veil of secrecy that surrounds the entire program,” Mr. Aid adds.

For example, Stuxnet revealed how unwieldy such weapons can be when it inadvertently “jumped” into friendly computer systems that were never meant to be targeted.

Indeed, “One of the biggest problems in cyberwarfare is the potential for collateral damage,” says Mr. Lewis of the Center for Strategic and International Studies.

“You just can’t attack stuff and not worry that innocent civilians will be harmed – you have to take steps to mitigate the risk.”

Aid says now is the time to have these conversations. “We can only see one tenth of one percent lurking beneath the surface – what’s beneath the surface scares ... me,” he says. “This is combat – this is war by a different name.”