The Pentagon wants cyber weapons that can inflict “blunt force trauma.”

That’s one vision that Air Force Chief of Staff Gen. Mark Welsh has laid out for the next phase of military cyber operations — and in a rare occurrence in the cyber realm, he elaborated with examples.


“How do you make an enemy air defense system go completely blank in the first minute of the conflict?” Welsh asked reporters last week. “How do you make a [surface to air missile] radar show a thousand false targets that all look real so you don’t know where the real package is in the middle of that? How do you keep enemy surface to surface missiles from ever launching — or [fly] halfway to their target and then turn around and go home?”

The military services devote a lot of effort to defending their networks against cyberattacks and supporting the intelligence community, he said, but so far not enough pursuing cyber weapons they could wield the way they now deploy fighter squadrons or infantry battalions.

“We haven’t thought of the domain in terms of our core missions robustly enough, and so that’s the focus we have right now,” Welsh said. “I’ve been calling it ‘Big Cyber.’ How does the Air Force get into big Air Force cyber stuff? … How do you create airpower through the cyber domain?”

Answering those questions and achieving something like Welsh’s vision will take effort, time and billions of dollars, officials acknowledge.

For example, the U.S. Cyber Command, the military’s primary operational unit, needs a “range” on which its troops could train, the way Marine riflemen practice their marksmanship. It needs “aggressors,” against whom to rehearse — the way Air Force pilots duel with other fighters playing the role of the bad guys. And it needs more time to develop as a command and figure out how to integrate into the operational military.

“They currently do not have a robust capability,” said the Pentagon’s top cyber guru, Assistant Secretary of Defense Eric Rosenbach, who has appeared recently before the Senate Armed Services Committee’s emerging threats panel.

Sen. Bill Nelson of Florida, the committee’s ranking Democrat, said that in terms of going on offense, CyberCom’s units are basically “hollow.”

Defense officials don’t agree, but they acknowledge the Pentagon is taking incremental steps, said CyberCom’s deputy commander, Air Force Lt. Gen. James McLaughlin. It’s building a “Cyber Mission Force” that will include 133 teams made up of about 6,200 troops and Defense Department civilians, which it wants ready for action by fiscal 2018. That cadre would defend military networks, defend the U.S. against attacks of “significant consequence” and conduct “full-spectrum operations” for “contingency plans and military operations,” according to CyberCom’s written statement.

U.S. Secretary of Defense Ash Carter delivers remarks to an audience of U.S. Cyber Command troops and National Security Agency employees. | Getty

Sustaining and growing that force will be a challenge for the traditional military system of recruiting and training. That’s why Defense Secretary Ash Carter has said the military branches need to rewrite some of their personnel policies to improve their ability to recruit and keep the most talented computer experts in a marketplace with fierce competition from Wall Street and Silicon Valley.

“As our growing economy creates more civilian jobs, which is a good thing obviously, we’re going to have to work harder to compete to keep bringing in America’s best and brightest to our military,” Carter said. “When it comes to recruiting some of the most highly skilled parts of our force, like cybersecurity specialists, who are also in high demand in corporate America, we’ll have to be even more creative, because we’re going to need a lot more of them in the years to come.”

There are also major questions about how much is possible or even practical for tactical cyberattacks, said Martin Libicki, a senior management scientist and information warfare expert with the government-funded RAND Corp. There’s a lot of promise and some precedent, he said, but what the military is actually doing in the cyber realm is so secret it is hard to know for certain.

“What the Air Force is talking about is neither science fiction nor something you can always count on — it’s somewhere in between,” he told POLITICO.

Libicki cited reports that Israel used a cyber weapon to neutralize Syria’s air defenses when it attacked its nascent nuclear reactor in 2007, as well as claims the U.S. attempted a similar effort when it attacked Serbia in 1999. So integrated air defenses are natural targets for American cyberattacks — but the owners of such systems know that, too.

“The more complex the system, the greater the likelihood you’ll be able to find a vulnerability,” Libicki said. “We have a lot of good hackers within the Air Force, the NSA and so forth busy looking for that type of stuff — but on the other side, there are a lot of competent defenders.”

For Welsh and other military commanders, the potential benefits are too rich to ignore. But he also acknowledged that the Air Force and other services were still in the early stages of figuring out how to juggle traditional missions and capabilities with what could be possible in the cyber realm.

“For us, the balance in the future’s going to be operating in those three domains of air, space and cyber,” he said. “How do you manage the balance? Can you become more efficient or control costs while maintaining the same operational capability? If so — it’s like nirvana.”