New report says U.S. Air Force should prepare for cyberwar

IT security experts have been calling for some time now for greater attention to be paid to the growing risk for cyberattacks to be carried out against U.S. critical infrastructure assets. Legislators have bought into the notion of looming cyberwar, and they have support in a new report funded by the U.S. Air Force which argues that while still somewhat ambiguous, cyberwar is an inevitability.

Matthew Hines reports that in a lengthy paper funded by federal R&D grants aimed at providing independent policy alternatives to the USAF, experts with nonprofit Rand Corp. highlight their contention that the U.S. military branches must treat cyberwar as another emerging field of battle — one that both amplifies the threat of physical combat and presents new tactical challenges unfamiliar to everyone, not just the armed forces.

As a result, the U.S. government must continue to ramp up its cyber defenses, according to the report authors. In particular, as others have noted, military leaders must seek to improve the resiliency of critical grid infrastructure, namely the very power, communications. and financial systems on which public and private sectors depend on, Rand contends.

In the most likely scenarios cyber-attacks will be used in coordination with other forms of assaults, including physical combat, either to distract opponents or merely cause more damage, the experts say. The report also indicates, however, how difficult it remains to understand when many forms of cyberattack are occurring, let alone who they should be attributed to.

The report does not conclude that the Air Force should invest significantly in any specific mechanisms to prepare or react to cyberwar at present, but it does recommend substantial attention to be given to planning for potential scenarios, and call for continued commitment to federal initiatives aimed at helping private grid providers to improve their IT security standing.

“The lessons from traditional warfare cannot be adapted to apply to attacks on computer networks, cyber-space must be addressed in its own terms.” Martin Libicki, the report’s lead author and senior management scientist at Rand said in a summary.

“Operational cyberwar has the potential to contribute to warfare. How much is unknown and, to a large extent, unknowable,” the report contends. “Because a devastating cyber-attack may facilitate or amplify physical operations and because an operational cyber-war capability is relatively inexpensive, it is worth developing.”

Hines notes that the Rand paper echoes the sentiment that too much attention is presently being given to easily-detected denial-of-service type assaults, versus those tied to computing infrastructure infiltration and quiet interference or manipulation of important systems — the kind of cyberattacks that can be used to inflict damage for longer periods of time while being less likely to be detected.

Because military networks use the same IT systems as their civilian networks, they have similar vulnerabilities, but in some senses, it may be wise for the military to keep its hands out of attacks aimed at private organizations to ensure that those companies continue to feel compelled to invest in their own defenses, Libicki’s group’s research contends.

Overall, the report reaffirms the concept that while the entire theater of electronic warfare remains extremely nascent and unproven, it clearly represents one of the most important areas of development for future U.S. national defense and military strategies.

“Cyber-defense remains the Air Force’s most important activity within cyberspace,” concludes the Rand paper. “Although most of what it takes to defend a military network can be learned from what it takes to defend a civilian network, the former differ from the latter in important ways. Thus, the Air Force must think hard as it crafts its cyber-defense goals, architectures, policies, strategies, and operations.”