WASHINGTON — For years, even as the United States carried out sophisticated cyberattacks on Iran’s nuclear program and the Pentagon created a Cyber Command, officials have been hesitant to discuss American offensive cyberwarfare programs openly. Since June, in fact, F.B.I. agents have been investigating leaks to The New York Times about the computer attacks on Tehran. But the reticence is giving way. The chorus of official voices speaking publicly about American cyberattack strategy and capabilities is steadily growing, and some experts say greater openness will allow the United States to stake out legal and ethical rules in the uncharted territory of computer combat. Others fear that talking too boldly about American plans could fuel a global computer arms race.
Next month the Pentagon’s research arm will host contractors who want to propose “revolutionary technologies for understanding, planning and managing cyberwarfare.” It is an ambitious program that the Defense Advanced Research Projects Agency, or Darpa, calls Plan X, and the public description talks about “understanding the cyber battlespace,” quantifying “battle damage” and working in Darpa’s “cyberwar laboratory.”
James A. Lewis, who studies cybersecurity at the Center for Strategic and International Studies in Washington, says he sees the Plan X public announcement as “a turning point” in a long debate over secrecy about cyberwarfare. He said it was timely, given that public documents suggest that at least 12 of the world’s 15 largest militaries are building cyberwarfare programs.
“I see Plan X as operationalizing and routinizing cyberattack capabilities,” Mr. Lewis said. “If we talk openly about offensive nuclear capabilities and every other kind, why not cyber?”
Yet like drone aircraft, which similarly can be used for both spying and combat, American cyberattack tools now are passing through a zone of semisecrecy, no longer denied but not fully discussed. President Obama has spoken publicly twice about drones; he has yet to speak publicly on American cyberattacks.
Last week, at a public Cyber Command legal conference, the State Department’s top lawyer, Harold H. Koh — who gave the Obama administration’s first public speech on targeted killing of terrorists in 2010 — stated the administration’s position that the law of war, including such principles as minimizing harm to civilians, applies to cyberattacks.
In August, the Air Force raised eyebrows with a bluntly worded solicitation for papers advising it on “cyberspace warfare attack capabilities,” including weapons “to destroy, deny, degrade, disrupt, deceive, corrupt or usurp” an enemy’s computer networks and other high-tech targets.
And a few weeks earlier, a top Marine commander recounted at a public conference how he had used “cyber operations against my adversary” in Afghanistan in 2010. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire,” said Lt. Gen. Richard P. Mills, now deputy commandant of the Marine Corps.
Cyberwarfare was discussed quite openly in the 1990s, though technological capabilities and targets were far more limited than they are today, said Jason Healey, who heads the Cyber Statecraft Initiative at the Atlantic Council in Washington.
“Our current silence dates back 8 or 10 years, and N.S.A. is a big reason,” said Mr. Healey, who is working on a history of cyberwarfare.
The National Security Agency, which plays a central role in Cyber Command, traditionally breaks foreign codes and eavesdrops on foreign communications; it is among the most secretive agencies in government. Years ago it pioneered the field of cyberespionage: breaking into foreign computer systems in order to collect intelligence. The same skills and reflexive secrecy of spies carried over to cyberwarfare, Mr. Healey said. American officials have long preferred to talk cyberdefense, leaving the attack side in the shadows.
The increased candor recently about cyberoffense results not from a policy change, officials say, but from an inevitable acceptance of attacks on computer networks as a standard part of military and intelligence capabilities. The fact that dozens of Beltway contractors see cyberwarfare as one of the few parts of the defense budget that are likely to grow is also a factor.