Offensive cyber operations could be a powerful weapon for U.S. Special Operations Command and the conventional services, but their potential is hindered by outdated policy and sluggish acquisition, according to SOCOM chief Gen. Raymond “Tony” Thomas.
“We have the technology. We just have to embrace it as an essential weapon in our arsenal,” he said Dec. 13 at a cyber forum hosted by the Association of the U.S. Army at its headquarters outside Washington, D.C.
“The limiting factor for cyber effectiveness continues to revolve around policy and process,” he added.
Offensive cyber capabilities are relatively inexpensive weapons that have global reach. Adversaries from near-peer nation states to non-state terrorist organizations have used a range of cyber tools to recruit operatives, steal information or interfere in U.S. and allies' computer networks, Thomas said.
“This is not a case where we don’t know how to use this stuff,” he added. “We must do a better job getting this technology into the hands of our soldiers. The acquisition system that produced the M1 tank and Apache helicopter might be too slow for the adaptation required to compete with rapidly changing cyber technology.”
In many cases, it is easier for U.S. forces to launch conventional offensive attacks with bullets and bombs than to deploy an offensive cyber weapon.
“I’ll get that out of the way up front,” Thomas said. “It’s easier to kill than to turn off a computer in many cases. We can do this, but our approvals are based on old paradigms.”
Using its unique acquisition authorities, SOCOM is able to field technologies on a much shorter timeline than the conventional services. It also regularly operates “in a world that is often out ahead of policy,” Thomas said. SOCOM has integrated offensive and defensive cyber into all of its operations “in the interest of driving the policy discussion,” he said.
“Policy by CONOP has pejorative connotations, but actually acknowledges that many of our approaches over the past decade and a half of continuous combat were previously undefined in the preexisting policy realm,” he said.
SOCOM should be a model for how the larger military develops, procures and deploys cyber weapons, Thomas said. Because they are defined by ever-advancing software, rapid acquisition is necessary. If they are to be used effectively against enemies who also have cyber capabilities, the military should be freed from policies restricting the use of offensive cyber weapons, he said.
Through work by U.S. Cyber Command and Army Cyber Command, which was established as a four-star organization in 2014, approval timelines for the deployment of offensive cyber capabilities have been significantly compressed, but are “still far too slow,” Thomas said.
“We need to move at the speed of war for operational approval,” he said. “We must give commanders the ability to employ cyber at the strategic, operational and tactical levels. Tell them the desired end state or effect and allow them to get after it.”