Cyber warfare capabilities

4 08 2012

China has largely been seen as a formidable player in the burgeoning battle for cyber supremacy. Over the past few years, Western governments have begun to stand up their own cyber warfare capability. How far have we come and how far do we have to go? The threat of cyber attacks continues to manifest itself. There is considerable debate as to the risk involved or the motivation, but one thing cannot be denied. Systems and networks are compromised every day. As a result, the United States has begun to invest resources in the realm of cyber defense and cyber attack capabilities.

Realistically, our ability to cultivate a force of network defenders seems somewhat elementary. This is a discipline which not only requires a fundamental education in the legal considerations of defending (or attacking) networks, but also a healthy education “in the trenches”. Network defense capabilities rely on the disciplines of protection, information assurance, and computer and network forensics. Network attack relies on strategy, evasion, research, subterfuge, and a little luck. There are also ethical considerations when determining how to create a force of network attackers. We have little legislation that governs offensive action over the network. While we are increasing our cyber warfare capability in the military, there is minimal published doctrine governing the deployment of this capability.

Additionally, we must be careful in how we evaluate the cyber domain when cultivating our cyber capabilities and, of course, waging cyberwar. Rand researcher Martin C. Libicki argues that our cyber capability should be largely focused on defense rather than offense because “something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace” (Libicki, 2009). In essence, it is much more difficult to uncover and reuse reliable attack vectors in cyberspace than it is in conventional warfare. The lifespan of a kinetic weapon system is measured in years, but the lifespan of a cyber attack vector may be measured only in days, especially if cyber enemies are aware of their own vulnerabilities and their enemy’s ability to exploit them. The monetary investment required to create an operational force of network attack specialists that can quickly uncover and exploit vulnerabilities may be too great. It can be argued, then, that recruiting and growing network defense specialists is indeed a smarter strategy for cyber warfare.

There are commercial organizations that teach network defense and attack skills, under the standard of “ethical” hacking, but this is an entirely different subset of hacking that isn’t necessarily suited to actual warfare. The military may indeed be the only place that can appropriately train this skillset. Certainly, many penetration testers were curious system or network administrators that were quick learners and had a knack for hacking. For them, the challenge of accessing a system through unconventional means was a bit of a rush. Many hackers have taught themselves how to attack systems. But this type of education doesn’t seem to support the type of warfare that a mature government and civilization would prefer to wage. For instance, self-taught hackers may specialize in a particular area. A cyber defense force would require personnel with a firm grounding in multiple attack vectors and disciplines.

Dr. Mark Maybury, Chief Scientist of the United States Air Force, said “without the right talent we are not going to be able to do anything” (Brownlow, 2012) in terms of defending and exploiting the cyber domain. This lack of talent is a challenge that the Air Force is heavily focused on resolving for the future. Creating a pipeline of cyber warriors seems somewhat futuristic, but the decision to do so is becoming more urgent. Many colleges are beginning to offer programs in cybersecurity (or a similarly named area of study). However, many of these programs prescribe a healthy dose of defense- or incident-response-centric courses (criminal investigation or computer forensics), yet minimal instruction in attack methodologies or hands-on vulnerability assessment courses. For example, Utica College’s Cybersecurity program focuses heavily on cybercrime investigations. They do offer a system vulnerability assessment course, but it is an elective. The United States Air Force teaches an undergraduate network warfare training course which is starkly different from civilian collegiate offerings. A major difference is its use of mission simulators and network emulators that create an environment where targets are identified and exploited based upon strategic scenarios. This is the type of training that can adequately cultivate a force of network defenders.

In order to position ourselves as a formidable presence in the cyber domain, and to protect our national assets, we must smartly invest in the creation of a reliable cyber defense force. Fundamental cyber defense or security offerings at the collegiate level are one method, while military specific training is another. These methods rely on an appropriate evaluation of the cyber domain and the best way to defend it. An offensively focused strategy may not be the most efficient way to deter cyber attacks, and so new doctrine may be necessary to appropriately define our strategy.


Brownlow, C. (2012, Jul 19). Top AF scientist: ‘Airmen key to cyberspace success’. Retrieved 07 22, 2012, from The Official Website of the U.S. Air Force:

Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Arlington: Rand Corporation.



