The Department of Defense is interested in exploring the relationship between cyber and weapons of mass destruction.
In a call for papers requested by the Defense Threat Reduction Agency, the Air Force’s Institute for National Security Studies, in support of the Project on Advanced Systems and Concepts for Countering Weapons of Mass Destruction, wants an analysis defining the scope and exploration of the cyberwarfare-weapons of mass destruction nexus and implications this has for the counter-WMD mission.
The call for research papers raises offensive cyber weapons to a level on par with other WMDs.
The notice was first reported by Quartz.
The traditional definition of WMDs — which has included nuclear, biological, chemical, radiological and, in some applications, enhanced high-explosive weapons — does not include recent advancements in nonkinetic weapons of mass effect and destruction, the call for papers states.
Rather, the notice contends, the expanded spectrum includes dazzling and blinding weapons, ultrasonics, directed energy weapons and offensive cyber warfare.
Cyber capabilities could be considered on par with WMDs because they can corrupt or destroy critical infrastructure, such as power grids or transportation; compromise large data sets, such as health or banking; corrupt confidence in data sets, such as GPS signals; and be leveraged to orchestrate widespread disinformation campaigns utilizing social media platforms, the notice states.
Adversaries have used some or all of the elements of offensive cyber in the past decade, according to the notice.
“These operations are becoming increasingly sophisticated in nature, and steadily more integrated into adversary military doctrine, strategies, plans and operations that already incorporate and integrate conventional and unconventional weapons, to include WMD,” it states. “These developments necessitate an assessment of the potential nexus between offensive cyber operations and WMD and the implications of this interrelationship for the Countering WMD (CWMD) mission, which is one of DTRA’s missions.”
Cyber capabilities and nuclear weapons have a complicated history among serious cyber experts and strategists as cyber has emerged as a ubiquitous element within society and government, as well as an increasing threat.
Some strategists have maintained that using the nuclear deterrence paradigm is an appropriate way to look at cyber. Others, however, strongly disagree.
According to a current U.S. official, starting from nuclear models for assessing risk and deterrence in the cyber domain has led the community in the wrong direction.
Speaking at a conference earlier this year under a non-attribution policy, the official noted that the difference between the nuclear discussion and cyber is how targets are held at risk.
In the nuclear arena, adversaries have a common understanding of the nuclear stockpiles of others and their risks. Adversaries’ knowledge of how they’re being held at risk has a limited application in their ability to isolate themselves from harm, the official said.
The cyber domain, however, is much murkier. What’s required to hold an adversarial system at risk in cyber depends on access gained to their system by exploiting vulnerabilities, then persisting in that environment undetected to deliver an effect, the official said. Thus, it is difficult to articulate to an adversary how they are held at risk in this environment without tipping them off to the vulnerabilities being exploited, which, of course, can be patched.
The proposal asks for research examining, among other things, how adversaries might use offensive cyber in the following ways:
- To improve effectiveness and lethality of their WMD arsenals;
- To degrade U.S. and allied defenses against WMDs;
- To degrade U.S. deterrence strategies or posture to improve their own strategies or posture; and
- As a substitute for “traditional” WMDs.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.