STEVE INSKEEP, HOST:
The Pentagon's cyber command is about to get five times bigger. About 900 people currently track cyberwarfare. That's going up to around 5,000, even as other parts of the defense budget shrink. Now, we hear a lot about efforts at cyberdefense, defense against attack, but in the next three days, NPR's Tom Gjelten is going to talk with us about U.S. efforts to prepare for offensive operations in cyberwarfare. Hi, Tom.
TOM GJELTEN, BYLINE: Hi, Steve.
INSKEEP: Okay. We don't hear quite so much about the offensive side of this.
GJELTEN: That's right. The government is not exactly upfront about this. Let me just give you one example. In July 2011, the Pentagon announces its cyber strategy - it's all about defending the country from cyberattacks, not one word about attacking the other guy. William Lynn, who was deputy secretary of defense at the time, spoke for the Pentagon. I was actually there and I had an opportunity to ask Lynn where in the strategy is there anything about offensive attacks.
Here's what he said.
WILLIAM LYNN: The thrust of the strategy, as you correctly identified, is defensive. It is protecting the networks because those networks undergird all of our capabilities, offensive and defensive...
GJELTEN: Steve, we now know that was only part of the story. The military does not just protect computer networks here. U.S. cyber warriors attack enemy networks overseas. They go on the offense.
INSKEEP: What are some examples?
GJELTEN: Well, take Afghanistan, for example. Soldiers over there depend on computers for information sharing. You lose those computer links, you're in trouble. So when commanders set out to do an operation, a combat operation, they first have their cyber warriors preemptively go after the enemy computers. Here's Lieutenant General Richard Mills speaking at a military conference last August.
LIEUTENANT GENERAL RICHARD MILLS: I can tell you as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact. I was able to get inside his nets, infect his command and control, and in fact defend myself against his almost constant incursions to get inside my wire to affect my operations.
INSKEEP: Get inside the enemy's nets, he says, the networks.
GJELTEN: Infecting them. That is a cyber attack with cyber weapons. Here's another example, this one from back in 2009. The Air Force Chief of Staff at the time, General Norton Schwartz, speaking at the Brookings Institution said his airmen were prepared to carry out cyberattacks on another country's radar and missile installations before launching airstrikes against that country. Let's listen.
GENERAL NORTON SCHWARTZ: Traditionally, we take down integrated air defenses via kinetic means.
INSKEEP: Kinetic is physical. Bombing them.
SCHWARTZ: But if it were possible to interrupt radar systems or surface-to-air missile systems via cyber, that would be another very powerful tool...
INSKEEP: Wait, wait, wait. He said if it were possible. Is it possible to do this?
GJELTEN: Yes. They can do it now. Remember, General Schwartz here was speaking more than three years ago. Now, in that case, and in Afghanistan, you have offensive cyberattacks carried out as part of a traditional combat operation, what the military calls kinetic operation, bombs and bullets. But the military is also carrying out offensive cyber-attacks on their own merits.
I spoke with a former Air Force officer named Jason Healey about this. He now directs the Cyber Statecraft Initiative at the Atlantic Council and he keeps close track of what the U.S. military is doing with offensive cyber weapons.
JASON HEALEY: It might happen that we'll use them as an adjunct to kinetic, but it's quite clear that we're using it quite a bit more freely.
GJELTEN: The best example, Steve, would be Stuxnet, the cyber-weapon secretly used to damage nuclear installations in Iran. A U.S. official has privately confirmed to NPR what the New York Times reported last summer, that the United States had a role in developing Stuxnet. It was not used as part of any larger military operation against Iran. It was used on its own. But this is still officially a secret.
As long as it's secret, there's no public discussion about the pros and cons of using a cyberweapon in this way.
INSKEEP: Well, let's have some of that discussion right here. What are some of the downsides?
GJELTEN: Well, you have to consider that using an offensive cyber weapon sets a precedent that other countries might then follow. This was a preemptive cyberattack. I'm talking about Stuxnet. It did not come in response to a provocation. It was used to deal with a potential threat, the Iranian nuclear program. So now other countries might feel they'd be justified in carrying out a preemptive cyberattack. And here's another issue.
The Stuxnet worm instructed computers to damage industrial equipment. There's a fear now that someone else could modify or copy that code and turn it back against targets in the United States. This is the danger that Republican Congressman Mike Rogers focuses on. He's the chairman of the House Intelligence Committee.
REPRESENTATIVE MIKE ROGERS: Now that technology is out there, people are taking a look at it. We are just a few lines of code away from someone else getting close to a very sophisticated piece of malware that they either wittingly or unwittingly unleash across the world that causes huge, huge damage.
INSKEEP: Okay. That sounds scary, Tom Gjelten. Is the U.S. government, the administration, focused on the implications of the policies they're pursuing?
GJELTEN: It doesn't seem like it. We don't know what they're saying secretly or behind closed doors. Here's an analogy. The U.S. government for years has had what's called a declaratory policy regarding why it has nuclear weapons and when it would be justified to use them. There is nothing comparable for the use of cyber-weapons. So you have people like Congressman Rogers saying developments on this front are getting ahead of our thinking.
ROGERS: The capabilities, I think, are keeping pace with technology. It's the policy that I worry about. We have not fully rounded out what our policies are.
GJELTEN: Policies, like when is it justified to use a cyber-weapon for offensive purposes? What rules should apply? What are the risks? Jason Healey at the Atlantic Council says you start doing a lot of offensive operations without considering the consequences, you could create chaos in cyberspace.
HEALEY: We're more likely to end up with a cyberspace where everybody is attacking everybody else 'cause we haven't built up the norms of trust.
GJELTEN: Now, see, there are powerful arguments for using cyber-weapons. They're more precise than bombs, less likely to hurt innocent civilians, but these are new weapons and you would think the pros and cons of using them would be a subject for public debate.
INSKEEP: Okay. Why isn't the U.S. government eager to have that debate?
GJELTEN: Well, I've talked to some senior officials about this and they make a couple of points. One is they are edging closer to transparency here. Just as with drone warfare, they know there is pressure to be more open and they're gradually getting more open. Part of the problem is this area's so new, they're just not sure what to say, what authorities they have, who within the government has the authority to order cyber-attacks.
A legal review of these issues has been underway and they are making progress. The other thing they say is that cyber is different. Most of the activities in the cyber domain are civilian. So for example, this analogy with nuclear weapons may just not apply.
INSKEEP: Okay. So we're trying to pry open the door to a discussion here a little bit. NPR's Tom Gjelten will be with us the next few days. Where are you going to take us to tomorrow?
GJELTEN: Tomorrow we're going to be talking about actual cyber weapons. Do you know, Steve, there's actually a global market in cyber weapons, kind of a cyber arms bazaar. We're going to talk about that tomorrow.
INSKEEP: NPR's Tom Gjelten. Thanks.
GJELTEN: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.