Sunday, November 14, 2010

Pentagon is debating cyber-attacks

Fascinating article by the Washington Post's Ellen Nakashima detailing the policy debate surrounding the use of offensive cyber warfare. Some interesting excerpts from the article include ...

Cyber Command's chief, Gen. Keith B. Alexander, who also heads the National Security Agency, wants sufficient maneuvering room for his new command to mount what he has called "the full spectrum" of operations in cyberspace.

Offensive actions could include shutting down part of an opponent's computer network to preempt a cyber-attack against a U.S. target or changing a line of code in an adversary's computer to render malicious software harmless. They are operations that destroy, disrupt or degrade targeted computers or networks.

But current and former officials say that senior policymakers and administration lawyers want to limit the military's offensive computer operations to war zones such as Afghanistan, in part because the CIA argues that covert operations outside the battle zone are its responsibility and the State Department is concerned about diplomatic backlash.

The administration debate is part of a larger effort to craft a coherent strategy to guide the government in defending the United States against attacks on computer and information systems that officials say could damage power grids, corrupt financial transactions or disable an Internet provider.

The effort is fraught because of the unpredictability of some cyber-operations. An action against a target in one country could unintentionally disrupt servers in another, as happened when a cyber-warfare unit under Alexander's command disabled a jihadist Web site in 2008. Policymakers are also struggling to delineate Cyber Command's role in defending critical domestic networks in a way that does not violate Americans' privacy.


Read the full article here.

6 comments:

Caitlin said...

Until recently, cyberwarfare seemed a relatively distant concern. Now that it's apparently at the top of many nations' lists of concern, a whole new set of questions and issues has arisen. Cyberwarfare provides the potential to bypass a nation's conventional forces and strike at specific targets including critical national infrastructure whilst remaining invisible and providing the prospect of plausible deniability.

What are the limitations on this kind of work? The "sufficient maneuvering room" that Cyber Command's chief, Gen. Keith B. Alexander is demanding for his cyber operations is a bit unsettling...are we going to allow him free rein in the name of national security?

At the same time, in the era of technology in which we are living, I would hope the U.S. government would not overlook the potential of the internet/cyber world to threaten U.S. national security. There is no doubt that the threat to U.S. computers and information systems is very real and that the implications for U.S. security and privacy are profound. However, the potential risks of a policy that grants the Cyber Command free rein are equally as great, especially because, as Nakashima points out, many cyber-operations are highly unpredictable.

In late October of this year, the UK published its national security strategy, which can be found here: http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg/@en/documents/digitalasset/dg_191639.pdf?CID=PDF&PLA=furl&CRE=nationalsecuritystrategy

The UK government's plan is to invest £500 in cyber defenses to bolster the country's critical national infrastructure. Among the Tier 1/Highest Priority Threats are hostile attacks on UK cyber space by other states and large scale cyber crime. I would suspect it's at the top of many other nations' national security strategy threat list.

I am super curious to see what the national defense cyber-security strategy to be released [supposedly] in the next month or so will look like.

M4 said...

I think that the issue raised of whether offensive cyber warfare outside of "battle zones" is considered covert or not is a crucial issue that must be resolved before any real legislative decisions may be made. If not, Cyber Command and others conducting offensive cyber warfare will remain "muscle-bound" as Adm. Dennis C. Blair described.

I can understand the complexity of attempting to resolve the issue though and how delicately it must be treated. The internet does not have state lines, and as a U.S. official said "getting to the enemy could mean touching friends along the way." In this light, offensive cyber warfare such as computer network attacks do not seem favorable for the U.S.'s relations with other countries if such cyber warfare resulted in harmful consequences to our allies, a potential risk given the broad scope of the "battlefield."

On the other hand, you could also think in terms of analogy, comparing cyber attacks to more concrete physical ones. For example, if members of a terrorist organization or state-sponsored agents were to physically take over one of our nuclear reactors to shut it down, and we were made aware of such an attack beforehand or during the attack, we would definitely take some kind of specific military or other action to physically stop them. How different then is an attack on our reactors or other industrial systems using Stuxnet? Both attacks have the same intent, but they are just executed differently. Must this difference in manpower force versus internet force dictate our responses to such attacks? A conclusion must be reached so we can address these serious threats as soon as possible.

M4 said...

Hm.. I commented on this as my first post a week ago, but I don't see it -- (hopefully you received it, Ned). I'll just go ahead and comment again as my second post..

As I was researching for my final paper, I came across this article discussing the dismantling of a website set up by the Saudi government and the CIA to uncover terrorist plots in the kingdom.

http://www.washingtonpost.com/wp-dyn/content/article/2010/03/18/AR2010031805464_pf.html

The article further demonstrates the gray area involved in what is allowed in cyberwarfare and the balance between gathering intelligence and putting Americans (our soldiers) at risk. I agree with "crabbyolbastard" that bringing down this site constitutes a huge loss in intelligence gathering (and that jihadists will just move on to another site), but I also recognize the danger possible if we could not have stopped/arrested them before they followed through with their attacks.

http://crabbyolbastard.wordpress.com/2010/03/23/caui-dismantling-of-saudi-cia-web-site-illustrates-need-for-clearer-cyberwar-policies/

http://crabbyolbastard.wordpress.com/2010/03/27/al-faloja-forums-fall-down-go-boom/

Benjamin Kussman said...

I think cyberwarfare will be a main tactic of the United States in the coming century. Limiting cyberwarfare to zones of hot warfare seems like the most politically correct policy, and I would advocate the United States government officially stating that as their position on cyberwarfare.

In reality, however, the threat of a cyber attack against the United States is real. Due to this, I believe that General Alexander needs to have the capabilities to target whoever is planning something against the United States. Caitlin already explained the threat that a cyber attack on the U.S. could pose, so there is no reason for me to re-state that.

I support the UK proposal to invest in cyber defenses. Resiliency and redundancy are important in all types of warfare, but they are especially important in cyberwarfare. It is not only just as important, but also much cheaper to purchase more servers as it is to build more tanks.

Paloma B said...

I found this article super interesting especially since we were discussing in class just a few weeks ago what exactly a cyberwar would be. It seems that the entire idea behind cyberwarfare is limited for now to the theoretical and to known threats such as Stuxnet, powergrid attacks, etc. What would define a threat to US security when no offensive has yet been taken? If I'm not mistaken, the US is under constant threats from terrorist groups such as Al-Qaeda and other organizations and individuals. So what exactly constitutes a threat and when, knowing that there is a sincere chance for an attack, would we use cyberwarfare as a method before actual force?

In the article, they talk about what the limits of such a technique could be, for example, this kind of offensive attack could only be in a warzone such as Afghanistan when the US government cannot claim full responsibility for it, and so on. The General also mentions the need for a team of highly trained cyber-experts to be hands-on ready for extemporaneous use by the military.

In its discussion of defense, the article mentions that should the military begin to conduct a defensive baseline on the American cyber front, the privacy of the country's citizens could be compromised. Where should the government draw the line when balancing risks and security benefits? The general did say, however, that it was not his responsibility to protect the entire nation and the country should be prepared to take defensive measures against a future attack. I think that the government should take a legitimizing stance when discussing cyber warfare, unlike what the retired admiral cautioned in the article. I think all we have now is our basis of law and its previous stance on national security, and now we have to see how these laws can be accommodated to maintain the preference of the people and their safety simultaneously. It should be interesting to see what the Obama administration formally declares on the matter.