Friday, April 16, 2010

Military asserts right to return cyber attacks

Fascinating read from the AP Wire ...
The U.S. must fire back against cyber attacks swiftly and strongly and should act to counter or disable a threat even when the identity of the attacker is unknown, the director of the National Security Agency told Congress.

Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.

"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press.

Alexander's answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.
The article continues,
U.S. computer networks are under constant attack, and President Barack Obama last year declared that the cyber threat is one of the nation's most serious economic and national security challenges.

Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has "responded to threats, intrusions and even attacks against us in cyberspace," and has conducted exercises and war games.

It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations.

In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known.

But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... would be lawful."

Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.
The article concludes,
Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations.

Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability."

Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.

He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is "realistic."
Read the full article here.


Deven said...

To quote Washington Post writer Mike McConnell, "the United States is fighting a cyber-war today, and we are losing. It's that simple. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking." McConnell's call has yet to really be answered...though Washington is hopping with activity with the possible creation of a new Cyber Command.

Deterrence is tough. It used to be through attribution, location of strike response and transparency (the enemy's knowledge of our capability and intent to counter with massive force) that we could evaluate risk levels and measure risks and benefits. When no one really defines when it's okay to use force in or out of cyberspace, a murky game of the security dilemma emerges. In addition to not knowing the identity of the hacker, the capabilities and intentions are not clear.

Alexander gave the panel a separate classified attachment that provided more details on how and when the military would launch cyber attacks and under what legal and command authorities. I'm glad he seems like everything else is public, so at least our actual plans are sort of under wraps.

I found this video really useful for understanding why the United States is so vulnerable to cyber attack. It discusses how "eventually we'll drown"...if the United States doesn't step up its security. Alexander says "we are at the top of the league" yet we are the ones with the most to lose.

Check it out:

Marley said...

I completely agree with Deven's point. It was interesting to read this article after having read Col. Williamson's "Carpet Bombing in Cyberspace" in which a military official, albeit employing stifling battlefield allegory, lays out the pressing need for a preemptive cyber defense system. As Ned's article on "Achieving Cyber Deterrence" shows us, it is very difficult to recognize the dispersive elements involved in a cyber attack. Our defense forces must take care to identify the motivations and affiliations of attackers while realizing that e-guerrillas are increasingly difficult to separate from amongst a group of criminals motivated by money or uniformed personnel.
Ultimately, I am concerned with the idea of the military botnet as it seems vulnerable and places many of our defensive eggs in one basket. However, while terrorist groups may not yet have developed the capability to undermine our critical infrastructure electronically I am sure they will improve their skills just as they've evolved more effective means of physical intimidation and violence. Therefore we must work on our power to identify the actual individuals behind attacks and make examples of single entities and perhaps even nation states who would attack our infrastructure.

Dana said...

To start, I absolutely agree that we should be able to strike back against cyber attacks using the same sorts of guidelines that determine our response to traditional military provocations. However, I think that basing our cyber deterrence on talk of striking back and attacking our enemies is problematic.

During the Cold War, it made sense for the U.S. to base its deterrence strategy on our ability to hit the Soviet Union with the same attack they might hit us with. But this made sense for a lot of reasons that no longer apply. Of these many reasons, I would argue that the most important was that the Soviet Union was a state actor AND a rational actor.

Today, on the other hand, we have dangerous enemies who are non-state actors, and who are non-rational. So the question becomes: how do you achieve effective deterrence against non-state actors who don’t care what you do to them? If these people aren’t rational enough to care about blowing up their underwear, chances are that our deterrence threats aren’t going to impress them very much. So what then? Deterrence based on striking back at your enemy is inherently rooted in the assumption that your enemy cares about your retaliatory strike (not to mention that you can at least identify them after they attack, but that you can preferably identify them as a threat beforehand).

So I think talking about cyber deterrence in terms of our ability to strike back either through a return cyber attack or through conventional means misses the mark— at least as it applies to cyber terrorists and so-called patriotic hackers. What we need to do is achieve a new deterrence strategy based on better security designed to prevent the possibility of attacks happening in the first place.

To achieve this, we need to build up our security infrastructure so that terrorists and other non-state actors either won’t have the ability to break through it, or it’ll be prohibitively expensive for them to try. In addition, we need to build up our security so that if something gets compromised, we have the flexibility to adapt without being seriously impacted, so that it becomes futile for terrorists to try to take us out. Finally, we should think about ways of building defensive capabilities into our data, so that if an attacker does get ahold of it, the data itself might be able to disarm the enemy right then and there.

In other words, I think we need to stop focusing on identifying and deterring specific enemies (which seem to be literally endless). Instead, we need to close rank, and strengthen our systems so that we’re prepared no matter who the enemy might be.

Christopher Butterfield said...

I think Dana is spot on in her assertion that Mutually Assured Destruction just won’t hack it much longer in the global environment of the twenty-first century. It’s clear that MAD theory is useless in the tangible world against start-up, fired-up terrorist groups. And in today’s world, the extremist, non-state Little Guy with nothing to lose—and perhaps even an aim to lose—holds all the chips.

But when it comes to states—even rogue states like North Korea or Iran—they cannot afford to be as cavalier with their cyber capabilities. If the United States could find ways to retaliate against North Korean or Chinese cyber attacks in ways that would severely hamper their cyber-capabilities, you’d have to bet your bottom dollar they would be quite concerned. This is because in today’s world, these rogue states might have tons of bravado, but where is the substance? North Korea can beat its chest all it wants, but until it successfully provokes an attack, they’ve got their hands tied. North Korea has one of the most well trained, well-equipped armies in the world. They have a dictator who must be dying to rip the Seoul out of South Korea like Kanye ripped the soul from Ray Charles. And yet the 38th parallel still stands. Why?

Because for the time being, North Korea still would like to exist. Even their allies and China have been holding the leash tighter in the last decade. The second they crossed that parallel, NATO engines around the world—mostly in America—would be revved up and ready to go. For now, North Korea knows it can only flex its muscles because it is just too dangerous for them to throw a punch. In the tangible world, that is.

That’s why they have cyberspace. Like a pasty-faced World of Warcraft guru, the North Koreans can run to cyberspace to solve their social and worldly problems. Through the use of cyber warfare they can throw all the punches they want. So why not take our retaliation threat to the Internet? If we were able to hamper their cyber-abilities in retaliatory strikes, we can secure ourselves as the good guys only trying to defend ourselves, all while taking North Korea out of the only game it can win.

We all believe North Korea and Iran are crazy, dangerous, possibly suicidal rogue states. But for the time being, they’re having a tough time breaking out of the world leash for all their bravado and drum-beating. So let’s put the leash on in cyberspace as well. Even if we do not have the capabilities yet, let them know we are doing everything we can to attain those capabilities. Let them think, just like Coach Yoast said in Remember the Titans, that they will remember, forever… the night they hacked the Americans.

Dan said...

The last few encounters that the United States has had on a technological front have not stayed in our favor. Let’s face it; a couple of the countries in Asia have our number when it comes to technological advances throughout the last decade. Even on a daily basis, US computer networks get bombarded with cyber attacks from all across the globe as stated in the article. It is important for the US to always keep a guard up on their computer networks to keep innocent civilians’ information safe.
Considering that the United States has the most useful information that both foreign and domestic internet hackers would want, the defensive systems used in order to protect this information are not quite adequate. We try to keep up and update our defensive systems, but the more advanced hackers can still find their way through. Like when the Chinese internet terrorists hacked their way through Google’s internet systems. No information is safe anymore.
This is why we should always hold the right to be ready to fight back. We are getting overpowered, outmatched, and we have done little about it. Our enemies are very dangerous so we should always be ready to counterattack online hackers.

izzy said...

He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is "realistic."

That's funny, because it's not really realistic at all. Gaining superiority in cyberspace isn't going to be about doing it once, and it lasting forever. It's going to be a long-lasting, knock-down, drag-out fight - and not with a few superpowers. The problem with (and greatness of) the Internet is that it's easily accessible by everyone - nations, individuals, organizations. If the United States thinks all this is going to be a walk in the park, they're pretty much deluded. The fact that this article was even published is indicative of how behind the US is in placing cyberwarfare at the top of their priorities. I feel (although I sincerely hope, and please don't jump down my throat for being a raging pessimist) like not much short of a serious threat will do anything to propel us forward.

Cyber Command, however, is a fantastic idea. The thing is, it should have been created years ago. Too long has the US govt let the private sector take care of the threat of cyber insecurity. I think it's nice that they're finally budgeting for the safety of the country they're in charge of.

Megan said...

I agree with everyone's comments on this issue. The U.S. should have the rights to return a cyber attack as long as they follow legal guidelines.
However, what I find interesting in this article is that Alexander uses the phrase "legal precedent" to indicate what guidelines the U.S. will follow when returning an attack, and, to be honest, there doesn't seem to be much precedent.
Cyber-attacks are a relatively new phenomenon in the world and, as such, there isn't a lot of history as to how others have responded to the attacks and what type of response is allowed.
If the U.S. was attacked by cyber criminals vs. being attacked by a nation-state, would the responses differ?
If it's cyber criminals doing the attacking, does the U.S. have the right to track down these criminals even if they live in another country? When does international law kick in?
These types of questions are fundamental to the problem with responding to a cyber attack. I mean, how far is too far?
I agree that if the US faces a cyber-attack and civilians or our military are harmed in some significant way, that we should respond, but what is an appropriate response?
Is it appropriate to counter cyber-attack with cyber-attack or could we respond with military force?
Computers are the new frontier of weaponry and unfortunately there is no clear legal precedent for response.

Just as a side note, I found this article interesting while I was researching cyber-attacks and cyber-warfare. It describes a bill Obama is trying to push through Congress that would allow him to seize control of private Internet countries in the event of a national emergency:

jessica Hardy said...

I understand that the US is going to have to protect itself from cyber attack, however, what bothers me about this article is the "unknownness" of the attackers. Are we really willing to counter a threat without knowing who and what we are against? Based on the fact that this article compares cyber war to a physical war or battle, it seems dangerous to attack without the proper precautions behind it. This article seems to be saying that we are going to "shoot" in the dark at a particular nation state and hope that this scares them enough not to shoot back. I believe that this could end up having severe consequences given that we could possibly be attacking innocent nations causing more detrimental actions against us.
With that in mind, I believe that cyber war in the United States should be especially focused on defense rather than offense, and should also be focused on finding the cyber criminals rather than just "shooting" at them. Given the "murkiness" surrounding cyber war I understand that there needs to be a way to show cyber attackers that the United States is a legitimate force, but the fact that attacking cyber criminals could cause an international war is something to be considered.
I also thought it was funny that the reasoning behind shooting blindly at an attacker in cyber space is compared to shooting blindly at an armed criminal. In physical police encounters they usually don't shoot blindly into a crowd of people and hope they hit the criminal. And secondly, usually by shooting at a criminal one will be able to find that criminal's identity afterwards and that person will no longer be able to shoot back ever again. I think the comparison is irrelevant and unjustified.