The Pentagon's plan to outsource lethal cyber-weapons

Journalist

Updated Fri, Nov 13, 2015, 5:15 PM·6 min read

The Pentagon has quietly put out a call for vendors to bid on a contract to develop, execute and manage its new cyber weaponry and defense program. The scope of this nearly half-billion-dollar "help wanted" work order includes counterhacking, as well as developing and deploying lethal cyberattacks -- sanctioned hacking expected to cause real-life destruction and loss of human life.

In June 2016, work begins under the Cyberspace Operations Support Services contract (pdf) under CYBERCOM (United States Cyber Command). The $460 million project recently came to light and details the Pentagon's plan to hand over its IT defense and the planning, development, execution, management, integration with the NSA, and various support functions of the U.S. military's cyberattacks to one vendor.

Now hiring: Lord of cyberwar

While not heavily publicized, it's a surprisingly public move for the Pentagon to advertise that it's going full-on into a space that has historically been kept behind closed doors. Only this past June, the Department of Defense Law of War Manual (pdf) was published for the first time ever and included Cyber Operations under its own section -- and, controversially, a section indicating that cyber-weapons with lethal outcomes are sanctioned by Pentagon doctrine.

In addition to potentially cultivating lethal malware, the winner of CYBERCOM's contract will run the whole Pentagon kit and kaboodle of cyber defense and offense. Among many tasks and deliverables, they'll review and assess cyber wargame reports, run general DoD IT defense and manage patching and internal vulnerabilities, and coordinate CYBERCOM's attack and defense capabilities with different departments.

The vendor will also do "cyber joint munitions effectiveness support" -- assessing a cyberweapon's effectiveness as a munition and advise changes to methodology, tactics, weapon system, fusing, and/or weapon delivery parameters to increase effectiveness of its force on specific targets. Likely candidates include Lockheed Martin, Northrop Grumman and Raytheon.

Well, the Pentagon sorely needs help with its cybersecurity. In March, the Pentagon's director of operational tests and evaluation Michael Gilmore turned smiles upside down when describing the state of cybersecurity across the U.S. military at a Consortium for IT Software Quality conference.

Gilmore said, "When we do cybersecurity assessments ... we get in almost every time." He noted, "the testing staff generally used novice and intermediate techniques, not even the more sophisticated malicious software used by foreign countries."

Several specific positions are in the work order, including a "Weapons & Capabilities Lead" who will "serve as the technical lead for contractor personnel performing Fires, Media Malware Analysis ... and cyberspace joint munitions effectiveness support functions."

The position requires that this person have considerable experience in what's essentially malicious black hat hacking, with "A minimum of three years of experience in Cyber Fires and/or Cyber Targeting." In military-speak, the term "fire" indicates the act of pulling a trigger; a "cyber fire" indicates a weaponry operation where the command is given to discharge that (cyber) weapon, just as one would receive the command to fire traditional munitions such as missiles or guns.

The contractor is also expected to advise on hack attacks, and "provide technical targeting expertise on the best methods to allocate fires against deliberate and dynamic targets in and through cyberspace."

Ready, aim: Cyber-fire

Unlike attack malware of yore (like Stuxnet, made for sabotage), CYBERCOM's digital arms will be made with the intent of achieving traditional warfare weaponry outcomes. In other words -- death.

Under Law of War guidelines, if a "cyber fire" like weaponized malware caused "the kind of physical damage that would be caused by dropping a bomb or firing a missile, that cyber attack would equally be subject to the same rules that apply to attacks using bombs or missiles."

According to the manual, the Pentagon's cyber-weaponry operations may include "cyber fires" that "(1) trigger a nuclear plant meltdown; (2) open a dam above a populated area, causing destruction; or (3) disable air traffic control services, resulting in airplane crashes."

0day is to missiles, as candles are to snow: unrelated

The CYBERCOM project uses the Law of War ruleset of "following the kinetic model" for all things cyber; meaning that it subjects cyber-munitions, cyber-attacks, and the cyber-weapon's effectiveness assessment to the same rules that apply to physical attacks using bombs or bullets.

And for anyone familiar with the attack landscape, that's a highly problematic approach. Malware, zero days (0day), exploits and vulns, infiltration software, surveillance software, even crap used by script kiddies, etc. ... none of it follows the same rules or characteristics as traditional weapons. This is exactly where the U.S. government's proposed interpretation of export weapons agreement Wassenaar Arrangement went wrong and triggered outrage and alienation in global infosec companies and communities.

Both CYBERCOM and Law of War's cyber-weaponry ruleset only works if the Pentagon is planning to stockpile an arsenal of DDoS attacks -- to extend the bomb analogy -- but not if it goes further than an external attack.

Hackers who develop, launch and execute attacks (or study such attacks) will certainly agree with Matt Monte, author of Network Attacks and Exploitation: A Framework, who told Engadget via email that CYBERCOM's plan overlooks the critical step of gaining access. Because of the issues around access, the same rules can't apply when it comes to cyber-weaponry in attack, execution, timing, predictability, collateral damage, so-called "friendly fire" -- or what would now constitute an act of war.

"Causing damage beyond a temporary denial of service requires access," Monte said. "And gaining access requires time. The question then becomes when is it acceptable to initiate gaining access? This is a political, strategic, and tactical question with no easy answer."

CYBERCOM spokeswoman Kara Soules was reported as saying, "understanding the success rate of the weapon is critical," -- underscoring that the checks and balances of the project hinge on knowing that "cyber joint munitions" can be guided by the same model of assessing success as a traditional munition strike.

Monte said, "This is a very hard problem. What is the probability that a computer target is vulnerable? That the vulnerability can be exploited? What are the potential effects of destroying or degrading those systems? How will you even know if you are successful?" He added, "The only way to answer these questions with any level of certainty is to gain access."

The Pentagon's cyber-unicorn

Both Law of War and the Cyberspace Operations Support Services contract have a very Silicon Valley feel to them -- and I don't mean that in a good way.

That's because both have a "ship it and fix it later" attitude about the tech at hand. In each document we can see the Pentagon's young cyber branch echoing an irresponsible startup's "move fast, break things, apologize later" approach. The COSS contract tries to solve the complex messiness of the Pentagon's cyber-defense (and offense) needs by simply hiring an arms dealer for deliverables. The Law of War Manual included Cyber Operations alongside Weapons and Military Occupations, but beginning with a slapdash caveat, "Precisely how the law of war applies to cyber operations is not well-settled."

This thinking isn't too far off, considering that the Pentagon's cyber strategy -- precursor to its forthcoming CYBERCOM contract and Law of War cyber-bits -- was unveiled in May to an audience of students and Silicon Valley entrepreneurs at Stanford University. At the startup epicenter, Defense Secretary Ash Carter said, "We're going to be increasing our fundamental research and development," with established companies and startups, Carter said. "So that together, we can create cyber capabilities that not only help DOD, but can also spin off into the wider U.S. marketplace."

Engadget
Threads has 150 million monthly users
Meta’s Threads app now has more than 150 million monthly users, an increase of about 20 million new users since February
3h ago
Engadget
TikTok Lite axes ‘addictive as cigarettes’ reward-to-watch feature under the EU’s watchful eye
The EU has effectively vanquished a TikTok feature that Europe’s digital commissioner described as “toxic” and “addictive as cigarettes.” TikTok owner ByteDance said on Wednesday that TikTok Lite’s reward-to-watch feature would be suspended.
4h ago
Engadget
PUBG will take a nostalgia-infused trip back to its first map in May
PUBG: Battlegrounds is somehow old enough to evoke nostalgia. The pioneering battle royale game will recreate the old-school battlefield from the game’s inception for a limited two-week run in May and June.
5h ago
Engadget
JetBlue's in-flight entertainment system just got a watch party feature
JetBlue's in-flight entertainment system just got a watch party feature. The company’s Blueprint system also offers content recommendations.
6h ago
Engadget
Threads is testing automatic archiving for posts
Threads is testing a new archive feature that can be used to manually archive individual posts or automatically hide posts after a set period of time, Adam Mosseri shared.
6h ago
Engadget
WhatsApp is enabling passkey support on iOS
WhatsApp users on iOS will soon have a more secure way to log in. Meta is rolling out passkey support for that version of the app, several months after it did so for Android.
6h ago
Engadget
The White House wants a zero-emission freight industry by 2040
The Biden administration is tackling the monumental task of making America’s industrial freight system more environmentally friendly. The White House said on Wednesday that it aims to have 30 percent of industrial truck sales produce zero emissions by 2030 and 100 percent by 2040.
7h ago
Engadget
PBS Retro is a new FAST channel playing just the classics
PBS just launched a new FAST channel called PBS Retro. It’s available on Roku and shows stuff like Reading Rainbow and Mister Rogers’ Neighborhood.
7h ago
Engadget
Rabbit R1 hands-on: Already more fun and accessible than the Humane AI Pin
At the Rabbit R1 pickup party, we were able to check out the adorable AI device that costs $200. It has a screen, scroll wheel and works with some third-party apps.
8h ago
Engadget
Google has delayed killing third-party cookies from Chrome (again)
Google has once again delayed the phasing out of third-party cookies from Chrome. Now the company says it’ll happen in 2025.
9h ago
Engadget
Joe Biden signs the bill that could ban TikTok in the United States
The bill that will force a sale or ban of TikTok in the United States is now law.
9h ago
Engadget
Steam closes an early-access loophole in its refund policy
Valve has closed a loophole in its refund policy that let users play many hours of a game before its official release and still get their money back.
10h ago
Engadget
Qualcomm is expanding its next-gen laptop chip line with the Snapdragon X Plus
Ahead of the Snapdragon X Elite's arrival later this year, today Qualcomm announced a second laptop processor based on its Oryon CPU architecture.
12h ago
Engadget
Windows 11 now comes with its own adware
It used to be that you could pay for a retail version of Windows 11 and expect it to be ad-free, but those days are apparently finito.
12h ago
Engadget
FTC bans employers from using noncompete clauses
The US Federal Trade Commission (FTC) has banned noncompete clauses in a move to "drive innovation" and protect workers' rights and wages.
12h ago
Engadget
The best gifts for grads under $50
A great gift for the recent graduate in your life doesn't have the break the bank. Here are some tech gift ideas that will make their lives better, each coming in at $50 or less.
10 months ago
Engadget
Mercedes-Benz quad-motor G-Class could be the ultimate EV off-roader
The Mercedes-Benz G-Class has been in regular production since 1979. It's changed a lot since then, but it's never seen a change quite like this. Meet the Mercedes-Benz G 580 with EQ Technology.
13h ago
Engadget
The Morning After: Senate passes the bill that could ban TikTok
The biggest news stories this morning: X, for some reason, has a TV app now, The best travel gear for graduates, Adobe Photoshop’s latest beta makes AI-generated images from simple text prompts.
14h ago
Engadget
Mercedes-Benz finally unveils its electric G-Class luxury off-roader
The Mercedes-Benz G 580 with EQ Technology is the first fully electric variant of the G-Class vehicle.
14h ago
Engadget
The best cheap fitness trackers for 2024
Here are the best cheap fitness trackers you can buy for $100 or less, as tested by Engadget editors.
3 months ago

The Pentagon's plan to outsource lethal cyber-weapons

Now hiring: Lord of cyberwar

Ready, aim: Cyber-fire

0day is to missiles, as candles are to snow: unrelated

The Pentagon's cyber-unicorn

Latest Stories

Threads has 150 million monthly users

TikTok Lite axes ‘addictive as cigarettes’ reward-to-watch feature under the EU’s watchful eye

PUBG will take a nostalgia-infused trip back to its first map in May

JetBlue's in-flight entertainment system just got a watch party feature

Threads is testing automatic archiving for posts

WhatsApp is enabling passkey support on iOS

The White House wants a zero-emission freight industry by 2040

PBS Retro is a new FAST channel playing just the classics

Rabbit R1 hands-on: Already more fun and accessible than the Humane AI Pin

Google has delayed killing third-party cookies from Chrome (again)

Joe Biden signs the bill that could ban TikTok in the United States

Steam closes an early-access loophole in its refund policy

Qualcomm is expanding its next-gen laptop chip line with the Snapdragon X Plus

Windows 11 now comes with its own adware

FTC bans employers from using noncompete clauses

The best gifts for grads under $50

Mercedes-Benz quad-motor G-Class could be the ultimate EV off-roader

The Morning After: Senate passes the bill that could ban TikTok

Mercedes-Benz finally unveils its electric G-Class luxury off-roader

The best cheap fitness trackers for 2024

About

Sections

Contribute

Buying Guides