After years of building firewalls and other defenses against relentless hacker attacks, the Pentagon is going over to the dark side of computer warfare. But ethically, of course. The Defense Department, like most other large organizations, has recognized that no wall is high enough to keep out skilled and determined hackers for keeps. Instead, it has decided that in order to anticipate and thwart attacks, it needs to know what the hackers know.
"More than 100 foreign intelligence organizations are trying to hack into U.S. systems," Deputy Defense Secretary William Lynn warned last month. "Some governments already have the capacity to disrupt elements of the U.S. information infrastructure." So the Pentagon recently modified its regulations to allow military computer experts to be trained in computer hacking, gaining the designation "certified ethical hackers." They'll join more than 20,000 other such good-guy hackers around the world who have earned that recognition since 2003 from the private International Council of E-Commerce Consultants (also known as the EC-Council).
"We are creating cyber-bodyguards," says Sanjay Bavisi, president of the council. "We're not creating combat people." But as the world becomes increasingly interconnected via the Internet, the stakes have become too high to rely on static defenses alone to protect the immense flows of vital information that operate the world's financial, medical, governmental and infrastructure systems. "The bad guys already have the hacking technologies," Bavisi says. "We can say, 'Tough luck. The bad guys play by different rules, and you can't do anything about it, so just go lock your doors.' Or we can tell the good guys, 'We will arm you with the same knowledge as the bad guys, because to defeat the hacker you need to be able to think like one.'"
Bavisi and the Pentagon are sensitive to the possibility that the tactics taught could be used for other purposes. "We're not training Department of Defense guys to become hackers and start hacking into China or any other countries," he says. Weeklong courses will train them in 150 hacking techniques and technologies, ranging from viruses, worms, sniffers and phishing to cyberwarfare. The cost of the course ranges from $450 to $2,500, depending on the training involved. Pentagon personnel "are not learning to hack," insists Air Force Lieut. Colonel Eric Butterbaugh. While the EC-Council calls it "certified ethical hacker" training, the U.S. military also calls it "penetration testing" or "red-teaming." These are proven military techniques that have been used for decades to hone war-fighting skills. The Air Force and Navy, for example, maintain "aggressor squadrons" of F-5 and MiG warplanes to give U.S. military pilots practice against the tactics of potential foes. And the Army's National Training Center at Fort Irwin, Calif., has long boasted a highly trained "op-for" — opposition force — that regular U.S. Army units engage in realistic war games.
The program will be no cure-all for the Pentagon, whose networks are hacked hundreds of times a day. Adriel Desautels, the chief technology officer at Netragard LLC, a Massachusetts-based antihacking outfit, says that while "it's better than nothing," there are simply too many vulnerabilities to protect the Pentagon's estimated 10 million computers. Desautels likens it to 1,000 Dutch boys trying to stop water from flowing through a dike springing millions of leaks. "The threat is defined by the real black hats, and it's impossible to know what the black hats are researching," he says. "The number of vulnerabilities far exceeds what any white hats are going to discover." Both Butterbaugh and Bavisi say there are no concerns that military personnel trained as hackers might go rogue. "Computer-network-defense service providers," Butterbaugh says, "are vetted and have security clearances." Not only that, notes Bavisi, but those trained as ethical hackers have to sign a legally binding pledge that they will not engage in malicious hacking. "So far," he says, "we haven't had a single case where someone became a real hacker."
The China-U.S. diplomatic spat over cyberattacks on Google has highlighted the growing significance of the Internet as a theater of combat. Deputy Defense Secretary William Lynn recently warned of its appeal to foes who are unable to match the U.S.'s conventional military might. An enemy country could deploy hackers to take down U.S. financial systems, communications and infrastructure, he suggested, at a cost far below that of building a trillion-dollar fleet of fifth-generation jet fighters. "Knowing this, many militaries are developing offensive cyber capabilities," Lynn said. "Some governments already have the capacity to disrupt elements of the U.S. information infrastructure."
What U.S. officials don't like to acknowledge is that the Pentagon is hard at work developing an offensive cyber capability of its own. In fact, it has even begun using that capability to wage war. Beyond merely shutting down enemy systems, the U.S. military is crafting a witch's brew of stealth, manipulation and falsehoods designed to lure the enemy into believing he is in charge of his forces when in fact they have been secretly enlisted as allies of the U.S. military. And some in Washington fear that there hasn't been sufficient debate over the proper role of U.S. cyberweapons that are now being secretly developed. Pentagon officials acknowledge privately that such work is under way, though nearly all of it is classified. The recent creation of U.S. Cyber Command shows that the U.S. military is taking this mission seriously. "You have to be very careful about what you say in this area," says a top cyberwarrior of the Pentagon. "But you can tell there's something going on because the services are putting their money there and contractors are going after it in a big way." The Joint Chiefs of Staff want the ability to destroy an enemy's computer network "so badly that it cannot perform any function," according to the handbook on what the Pentagon calls "Information Operations." The U.S. military wants to keep foes "from accessing and using critical information, systems and services" and to spoof adversaries "by manipulating their perception of reality." Just how such wizardry is to be accomplished is contained in a classified supplement. But hints can be gleaned in a trickle of contracts and budget documents, larded with geek-speak, that have begun seeping onto the public record. The Air Force wants the ability to burrow into any computer system anywhere in the world "completely undetected." It wants to slip computer code into a potential foe's computer and let it sit there for years, "maintaining a 'low and slow' gathering paradigm" to thwart detection. 
Clandestinely exploring such networks, the Dominant Cyber Offensive Engagement program's goal is to "stealthily exfiltrate information" in hopes it might "discover information with previously unknown existence." The U.S. cyberwarriors' goal: "complete functional capabilities" of an enemy's computer network — from U.S. military keyboards. The Army is developing "techniques that capture and identify data traversing enemy networks for the purpose of Information Operations or otherwise countering adversary communications." And the Navy is developing "a non-lethal, non-attributable system designed to offer non-kinetic offensive information operation solutions," according to Pentagon budget documents.
Yet concepts that have regulated war forever, such as deterrence and attribution, are slippery or missing in cyberspace. National boundaries don't exist, making moot the question of sovereignty. Asymmetries abound: defenders must defend everything, all the time, while an attacker can prevail by exploiting a single vulnerability. Tracking down the source of cybersabotage, routed like a skipping stone through a series of innocent servers, can be all but impossible. Are the attackers curious teenagers, criminal gangs, a foreign power — or, more likely, a criminal gang sponsored by a foreign power? Deterrence becomes meaningless when the identity of an attacker is unknown. "We're in the stage before warfare," cyberwarfare expert James Lewis told a Washington audience on Jan. 27. "We're in the stages of people poking around." Lewis, with the Center for Strategic and International Studies (CSIS), said cyberdefenses are inadequate. "Unless we find a way to use offensive capabilities as part of a deterrence or strategic defense," he said, "we will be unable to defeat these opponents." CSIS also released last week a survey of cybersecurity experts from around the world who "rank the U.S. as the country 'of greatest concern' in the context of foreign cyberattacks, just ahead of China."
It's the instantaneous nature of cyberattacks that has rendered defenses against them obsolete. Once an enemy finds a chink in U.S. cyberarmor and opts to exploit it, it will be too late for the U.S. to play defense (it takes 300 milliseconds for a keystroke to travel halfway around the world). Far better to be on the prowl for cybertrouble and — with a few keystrokes or by activating secret codes long ago secreted in a prospective foe's computer system — thwart any attack. Cyberdefense "never works" by itself, says the senior Pentagon officer. "There has to be an element of offense to have a credible defense." Such cyberbattles are already happening in miniature. In Afghanistan and Iraq, U.S. cyberwarriors are hard at work denying enemy commanders the ability to direct their forces, the senior Pentagon officer says. "I shut it down, take away your electricity, take away the radio, infect your phone," he explains. "Now you don't know where I'm coming from, or if you do, you can't tell the rest of your force what's going on." More insidiously, the U.S. can doctor the information the foe gets. "I can alter the messages coming across," he says. But there is mounting concern that U.S. offensive capability in cyberspace is growing too fast and too secretly. "I have no doubt we're doing some very profoundly sophisticated things on the attack side," says William Owens, a retired Navy admiral and cyberwar expert who led a federal study on U.S. offensive cyberwarfare last year. "But that is little realized by many people in Congress or the Administration." That study, by the National Research Council, concluded that "the U.S. armed forces are actively preparing to engage in cyberattacks, and may have done so in the past." But it added that a lack of public debate has led to "ill-formed, undeveloped and highly uncertain" policies regarding its use, which could lead the U.S. to stumble inadvertently into a cyberwar