DENVER – A new Air Force manual for cyberwarfare describes a shadowy, fast-changing world where anonymous enemies can carry out devastating attacks in seconds and where conventional ideas about time and space don’t apply.
Much of the 62-page manual is a dry compendium of definitions, acronyms and explanations of who reports to whom. But it occasionally veers into scenarios that sound more like computer games than flesh-and-blood warfare.
Enemies can cloak their identities and hide their attacks amid the cascade of data flowing across international computer networks, it warns.
Relentless attackers are trying to hack into home and office networks in the U.S. “millions of times a day, 24/7.”
And operating in cyberspace “may require abandoning common assumptions concerning time and space” because attacks can come from anywhere and take only seconds, the manual says.
The manual — officially, “Cyberspace Operations: Air Force Doctrine Document 3-12″ — is dated July 15 but wasn’t made public until this month. It is unclassified and available on the Internet.
It dwells mostly on protecting U.S. military computer networks and makes little mention of attacking others. That could signal the Pentagon wants to keep its offensive plans secret, or that its chief goal is fending off cyberattacks to keep its networks up and running, analysts said.
“Their primary mission is in some ways defensive,” said James Lewis, a cybersecurity expert and a senior fellow at the Center for Strategic and International Studies.
Lewis said the government still hasn’t decided whether offensive cyberwarfare is the province of the military or intelligence agencies.
“Who gets to do it? Is it a military operation?… An intel operation?” Lewis said. “They’ve made a lot of progress in the last year but they’re still sorting out the doctrine.”
Noah Shachtman, a contributing editor to Wired magazine and a fellow at the Brookings Institute think tank, said even the limited mention of offensive operations in the manual surprised him.
The manual cites one example of a cyberwar objective as “shutting down electrical power to key power grids of enemy leadership.”
“That’s usually not the kind of thing we talk about doing to others,” Shachtman said. “The offensive stuff is supersecret.”
Much of the manual is entry-level material, Shachtman said, citing an appendix listing 10 things Air Force personnel should know, including a warning not to open attachments in e-mails from unknown senders.
“The equivalent appendix would be like, ‘This is a gun. Guns are unsafe. Please do not point them at your face,'” Shachtman said.
The manual explains how dependent the military and civil society have become on computer networks for communication, banking, manufacturing controls and the distribution of utilities.
It also outlines the vulnerabilities of the Internet, including the relatively low cost of computers that could give an adversary a way to block, manipulate, damage or destroy a network.
It describes a 2005 incident when a hacker or hackers got access to personal information of more than 37,000 Air Force personnel.
The manual points out that much of the Internet’s hardware and software are produced and distributed by private vendors in other countries who “can be influenced by adversaries to provide altered products that have built-in vulnerabilities, such as modified chips.”
Defending the entire U.S. military network is unnecessary and probably impossible, the manual says. Just as the Air Force doesn’t try to defend every square mile of airspace around the globe, it won’t try to defend the whole of cyberspace.
“Whether used offensively or defensively … conducting particular cyberspace operations may require access to only a very small ‘slice’ of the domain,” the manual says.
Overall U.S. military cyberwarfare operations will be the job of the U.S. Cyber Command, which began limited operations in May. It will have components from the Army, Air Force, Navy and Marines.
The Air Force component — the 24th Air Force at Lackland Air Force Base, Texas — is part of the Air Force Space Command at Peterson Air Force Base, Colo.
Lewis said the Cyber Command had a hand in the content of the Air Force manual.
“I see it as the first step in assigning special missions to the services. It’s a division of labor among the services,” he said.
The Marine Corps’ cyberspace operation document is still in development, a spokeswoman said. Army and Navy officials didn’t immediately respond to Associated Press questions about their planning.
Responsibility for civilian and government cybersecurity is less clear. Congress is debating between giving more power to the Homeland Security Department or the White House and the National Institute of Standards and Technology.
Homeland Security and the National Security Agency announced this month they would cooperate to strengthen the nation’s cybersecurity.
DAN ELLIOTT / The Associated Press