Start your day with intelligence. Get The OODA Daily Pulse.
Recently, the Defense Advanced Research Projects Agency and the U.S. Cyber Command (CYBERCOM) signed a new agreement that set forth budgets, roles, and governance to facilitate research and development of advanced cyberwarfare technology in order to expeditiously field new capabilities to the battlefield. This agreement builds on the 2022 Constellation program, a project offered private sector companies and even academics the opportunity to participate in improving national security via the creation of sophisticated cyber-related technologies. The impetus behind Constellation was to produce cyber capabilities from cutting-edge science and technology research to accelerate the adoption by CYBERCOM for use in its operations. The new agreement reinforces the United States persistent engagement mindset in cyberspace, where CYBERCOM has increased its teams that conduct defense-forward operations, and proactively disrupt adversaries from launching attacks before are at the onset of their operationality. Strengthening the relationship between CYBERCOM and the United States’ leading agency whose website asserts its mission of making “pivotal investments in breakthrough technologies for national security.”
The weaponization of cyberspace has been a legitimate concern as nation states aggressively build capabilities to project power, retaliate, and become more offensively minded. These needs not only in-house development, but they have helped spurn a global industry that supplies tools and technologies to interested buyers, giving even poorly resourced states an immediate capability in cyberspace. According to a Council of Foreign Relations tracker, between 2005-2023, 34 countries have been suspected of sponsoring cyber operations. While most of the incidents monitored consisted of cyber espionage activities, geopolitical issues have proven to be catalysts for more aggressive, disruptive, and destructive cyber attacks, whether from states or their proxies. The majority of the incidents tracked by CFR were linked to China, Iran, North Korea, and Russia, the think tank also included democratic-leaning countries like the United States, United Kingdom, and Australia into the mix as well. Regardless of the purpose or intent behind cyber operations, the point is evident: if a state possesses an offensive capability, it will leverage it to support its own objectives.
Therefore, the weaponization of cyberspace is more of a foregone conclusion than a worst-case scenario, and whose use is unlikely to be banned (as with chemical weapons) or its development limited (as with nuclear weapons). Perhaps no other technology exemplifies this than the quick adoption of artificial intelligence (AI) into cyber and traditional military operations, where it appears that governments are worried that this technology will be further enhance and bolster their capabilities at faster and more efficient rates. Indeed, recent reporting has warned that countries like China, Iran, North Korea, and Russia have been leveraging generative AI tools to include large language models into their cyber activities, according to a study by Microsoft and OpenAI. While it is unclear as to whether these governments are actively developing AI cyber tools, all indications are that this is the next evolution of cyber attack development, and one states will eagerly try to acquire to gain advantage over their adversaries.
But this should not come as a surprise. The United States is all-in with respect to AI weapon development and understands its need to be on the cusp of those efforts. Though it initiated a pledge for the responsible state military use of AI, it is committed to be on the forefront of AI technology development and adoption, which may be a reason other states have been reluctant to get on board. Recent reporting reveals that the Pentagon has more than 800 active military AI projects currently underway. Though details are vague, most appear to be more about streamlining decision making and process efficiency. Still, autonomous weapons can be developed and tested out of the public eye, and there are indications that the U.S. military has embraced its use. For example, according to one news source, a U.S. Navy task force has already an autonomous early warning drones contingent in the Persian Gulf. Additionally, the U.S. Air Force is testing out an AI-driven F-16 dubbed “X-62 Vista” in combat scenarios. Indeed, there is little doubt among scientists and industry experts that the U.S. military will possess fully autonomous lethal weapons sometime in the near future, despite pushback emerging after publication of a bipartisan Senate report on “Driving U.S. Innovation in Artificial Intelligence.” Apparently, there is real concern over what responsibility looks like with respect to industry development, the technology’s use by states, and how it could impact civil society.
So, it is a logical progression that cyberspace will continue to be quickly weaponized in this capacity as well, with the United States being on the forefront of the effort, and why the Senate report rigorously supports a rejection for a global ban on AI-powered autonomous weapons systems, arguing that adversaries are unlikely to adhere to any treaty even if they sign it. Complementing early cooperation with DARPA, CYBERCOM created an AI task force to work with the agency to develop an implementation plan to rapidly obtain “AI systems, applications, supporting data, and data management process for cyber operations forces.” Although it wasn’t expressly mentioned, it would make sense that weapons development is part of the discussion, particularly when integrating AI capabilities into the operations of CYBERCOM’s cyber mission forces.
With weaponization comes a race to be the first successful deployer of the technology, and the state able to develop and operationalize such weaponry will find itself in a powerful position. Per one source, the United States is significantly leading the charge in this area, a further reason why states don’t want to sign pledges to hamstring their efforts as they are already behind in the race. Therefore, it can be expected that states will continue to aggressively pursue this path regardless of any public statements or nonbinding agreements that are put in place. AI cyber weapons will be quickly built and tested during a period of experimentation. There will be much to learn and understand, especially given how states are still trying to figure out how to integrate cyber warfare into traditional conflict attacks, as evidenced by the last two years with Ukraine. That target has yet to be hit with any satisfaction or effectiveness.
One thing is abundantly clear: creating and implementing advanced technology is instrumental to a state’s ability to gain advantage over adversaries, expand its reach, bolster its capabilities, and otherwise. And in the competition for digital supremacy, when it comes to this technology, AI is the icing on the cake.
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat
Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.
Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat