With growing worries about the threat of “cyber warfare,” militaries around the world are racing to recruit the computer specialists they believe may be central to the conflicts of the 21st century.
But whilst money is plentiful for new forces of “cyber warriors,” attracting often individualistic technical specialists and hackers into military hierarchies is another matter.
Finding the people to command them is also tough. After a decade of messy and relatively low-tech ground wars in Iraq and Afghanistan, some senior western officers are if anything less confident with technology such as smartphones and tablet computers than their civilian contemporaries.
But with the Pentagon saying its computers are being attacked millions of times every day, time is short.
“We are busy and we are getting busier every day,” Lt Gen Rhett Hernandez, a former artillery officer who now heads U.S. Cyber Command, told a cyber security conference in London last month organized by British firm Defence IQ.
“Cyberspace requires a world-class cyber warrior … we must develop, recruit and retain in a different way to today.”
Even in an era of shrinking western military budgets, funding for cyber security is ratcheting up fast. The Pentagon’s 2012 budget allocated $2.5 million to improve cyber capabilities.
In December, the U.S. Army announced its first “cyber brigade” was operational, whilst the U.S. Navy and Air Force have their own cyber “fleets” and “wings.”
Not only are they tasked with protecting key U.S. military systems and networks, but they are also working to build offensive skills that U.S. commanders hope will give them an edge in any future conflict.
These, insiders say, include developing the ability to hack and destroy industrial and military systems such as traffic and electricity controls.
“For better or worse, it is American military thought that is leading American societal thought (in) how to think about things cyber,” former CIA director and Air Force Gen Michael Hayden told a security conference in Munich this month.
European, Latin American, Asian and Middle Eastern and other nations are seen following suit. Militaries had barely considered the Internet only a few years ago are building new centers and training hundreds or even thousands of uniformed personnel.
Russia and China are believed to put even greater emphasis on a field in which they hope to counter the conventional military dominance of the U.S.
But some worry much investment may be wasted.
“My theory is that huge defense agencies – having little clue of what cyber warfare is all about – follow traditional approaches and try to train as many hacking skills as possible,” says Ralph Langner, the civilian German cyber security expert who first identified the Stuxnet computer worm in 2010.
“(The) idea could be to demonstrate hypothetical cyber power by sheer numbers, i.e. headcount.”
SPY AGENCIES BETTER?
Many experts say the key to successful operations in cyberspace – such as the Stuxnet attack believed to have targeted Iran’s nuclear program by reprogramming centrifuges to destroy themselves – is quality rather than quantity of technical specialists.
“Only a very small number of people are the top notch that you would want to employ for a high-profile operation like Stuxnet,” says Langner, saying that there might be as few as 10 world-class cyber specialists. “These people will probably not be covered with a military environment.”
Commanders say they are trying to change that, relaxing rules on issues such as hair length or fitness. But there are limits on how far such loosening can go.
While the U.S. Air Force and Navy have significantly eased entry requirements for cyber specialists and removed some of the more arduous elements from basic training, the U.S. Army still requires its “cyber warriors” to endure regular basic training.
Speaking on condition of anonymity, one senior European officer with responsibility for cyber complained of struggling to find suitable recruits in part because of competition from the private sector.
Agencies such as the U.S. National Security Agency and Britain’s GCHQ say they lose some of their best talent to Microsoft and Google. But such agencies also pride themselves on their ability to find and retain the kind of eccentric expertise that would struggle to find their place in armies, navies, air forces or regular government departments.
“Higher end capability isn’t principally about spending large amounts of money and having large numbers of people,” says John Bassett, a former senior GCHQ official and now senior fellow at London’s Royal United Services Institute.
“It’s about having a small but sustainable number of very good people with imagination and will as well a technical know-how and we may be more likely to find them in an organization like GCHQ than in the military.”
JUST ANOTHER FORM OF WARFARE?
Many experts say offensive cyber warfare capability – particularly anything potentially lethal such as the ability to paralyze essential networks – should be kept in the hands of the directly accountable military, not shadowy spy agencies.
But most suspect the NSA, GCHQ and similar organizations will retain a considerable lead in technology and sophistication over their military counterparts.
The U.S. NSA and military Cyber Command are both located at Fort Meade outside Washington DC, and intelligence experts say working closely together is already the norm – with the former providing much support and expertise to the latter.
Some other countries now appear keen to avoid plowing too much money into uniformed military cyber specialists at all. Britain’s Royal Corps of Signals and Royal Air Force in particular have been keen to get their hands on a share of the U.K.’s newly expanded 650 million-pound cyber budget, but much of it is seen going straight to GCHQ.
What militaries in general and top commanders in particular need to focus on most, specialists argue, is learning to integrate the new tools and threats into their broader conflict-related understanding and training.
At the U.S. Naval War College in Rhode Island, mid-career military officers conducting “wargaming” exercises are now regularly confronted with the new cyber dimension. Systems malfunction, supply chains are attacked, and information corrupted or deleted.
Israel’s raid on a suspected Syrian nuclear weapons site in 2007, when a cyber attack was believed used to disable Syria’s air defense radar, is seen a guide of how cyber can work alongside more conventional military operations.
“It’s a new form of warfare and it has to be appreciated, just as in the past you had new developments – siege warfare, trench warfare and air warfare” says Dick Crowell, associate professor of military operations at the college.
Understanding of cyber warfare in military circles is roughly analogous to the understanding of air power in the 1930s, he said, clearly important in any future conflict, but with the shape of its role still largely unclear.
In new conflicts, those in charge may need to learn on their feet.
“What’s really important is that you have senior commanders – three and four-star (general) level – who have a good enough understanding of it is to be able to integrate cyber into wider military campaigns,” says former GCHQ official Bassett.
“Cyber fits into the wider picture of warfare now, and they have to understand that.”