Cyber Warfare


by Bobby Akart


  Experts agree there are three distinct kinds of cyber intrusions:

  · economic spying in cyberspace which is intended to benefit foreign companies financially;

  · cyber attacks designed to do damage to critical infrastructure and utilities; and

  · traditional intelligence-gathering efforts performed by nation-states.

  “For many of our adversaries in this realm, like the Chinese, there’s a benefit to blurring the distinctions here,” Congressman Schiff said in an interview with The Hill. “If they can blur the distinctions, they can justify anything they do. It seems to me it’s in our best interest to draw a line between economic espionage and intelligence gathering. Shouldn’t we make clear what the rules of the road are?”

  But how should the United States, and perhaps its NATO allies, treat the various kinds of cyber activity? At what point would the theft of classified information constitute an act of war? At what point would a cyber attack result in a military or economic response beyond cyberspace?

  Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers pushed back on placing too much responsibility on the intelligence community to create international standards, characterizing such rulemaking as high-level policy decisions.

  “The application of cyber in an offensive way is an application of force,” Rogers said. “In the broad policy context we use as nations, it will be a decision is made at a broad policy level. That’s not a decision I unilaterally decide.”

  On a policy level, the adoption of a set of international standards is attainable as it provides other nation-states some understanding of how the U.S. will respond to cyber intrusions. It would, in theory, have a significant deterrent effect. The United States should take the lead in establishing a roadmap, recognized internationally, on how cyber warfare and cyber criminal activity will be dealt with between countries. Some suggest that such norms will evolve over time. The question has to be asked—cyber attacks can happen so quickly, will the standards come too late?

  Chapter Eight

  The Problem of Attribution

  Attribution—or lack thereof—is another major obstacle that prevents nations from defining when a bad actor can start a war via cyber attack. If a government cannot determine who carried out the attack, it’s difficult to know who to blame and whether the attack warrants a response. Without definitive evidence identifying the intruder, a state can’t formulate an appropriate response. This challenge is on clear display with the Sony attack. At various times, investigators have attributed the attacks to North Korea, China, and even Sony employees. The FBI, after initially saying there was no connection between North Korea and the attack, has since concluded that indeed North Korea did carry out the attack—a conclusion that led to U.S. sanctions against the secluded country. For a time, it was alleged a disgruntled employee was behind the cyber intrusion—or perhaps both working in concert.

  Just like any criminal investigation, if law enforcement could somehow figure out the assailant, then a lot of issues go away. If you know who’s conducting the cyber activity, you also get an insight into their intent. If it’s the Russian government, you know they have the ability to take things a step further. If it’s some hacker in his mom’s basement, you know there’s no intent or ability to raise the level of force that’s going to be used. Ultimately, the issue of attribution is not a legal problem; it’s a technical problem.

  Determining whether a non-state entity is acting under the direction of the state further complicates the attribution problem. If it turns out that the Sony attack can’t be tied directly to the North Korea government, but rather to a group of non-state-affiliated individuals—North Korea’s response would be these individuals were just patriots. What level of command-and-control or even sponsorship is required before a state is held accountable for the cyber activity?

  The problem of attribution won’t soon be solved. Most of the cyber attacks undertaken will require patient waiting and watching to establish a pattern. One policy analyst summarized the approach as follows: “We watch what states do over time and it sort of settles. State takes an action, no one objects, or everyone objects. We have a lot of people who want answers right now, but we’re in for a period of uncertainty.”

  Attribution, the process of detecting an adversary’s fingerprints on a cyber attack, will always be a challenge. Establishing any degree of confidence in determining guilt may always stand in the way of a military response. Will the United States government require a “beyond all reasonable doubt” standard, as it might in a criminal prosecution? Time will tell.

  Chapter Nine

  U.S. Department of Defense Preparations

  United States Cyber Command (USCYBERCOM) is an armed forces sub-unified command subordinate to United States Strategic Command. The command is located at Fort Meade, Maryland, and centralizes command of cyberspace operations, organizes existing cyber resources and synchronizes defense of U.S. military networks. USCYBERCOM synchronizes and conducts activities to direct the operations and defense of specified Department of Defense information networks. The agency also conducts full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. USCYBERCOM is charged with pulling together existing cyberspace resources, creating synergy and synchronizing war-fighting effects to defend the information security environment.

  The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) is the 24-hour operational arm of the Department of Homeland Security's National Cybersecurity and Communications Integration Center. This team leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to American interests. US-CERT strives to be a trusted global leader in cyber security—collaborative, agile, and responsive in a dynamic and complex environment. The government partners with private sector critical infrastructure operators, and domestic and international organizations to enhance the nation's cybersecurity posture.

  In 2015, the U.S. took an important step designed to deter potential cyber adversaries when it released a new strategy that for the first time explicitly discusses the circumstances under which cyber weapons could be used against an attacker. Further, the Pentagon named the countries it says present the greatest threat: China, Russia, Iran, North Korea, and, for the first time, ISIS.

  Defense Secretary Ash Carter announced the new policy in a speech at Stanford University, representing the fourth time in a period of four months during 2015 that the Obama administration has specifically named nation-states as being responsible for cyber activity detrimental to the U.S. The speech further announced new strategies designed to raise the geopolitical cost of conducting cyber attacks.

  The administration’s previous strategy was less detailed and only suggested there was a new arsenal of cyber weapons available to the Pentagon in cyber warfare. The 2011 policy did not name any specific offenders.

  President Obama’s decision to publicly declare North Korea’s leaders guilty of ordering the cyber attack on Sony Pictures, the largest destructive attack on any American target, public or private, was welcomed by cyber security specialists. The availability of new sanctions against state-sponsored and criminal hackers, and the subsequent indictment of five members of the People’s Liberation Army by the U.S. Justice Department for attacking American business interests all reflected a substantial change in Washington’s policy.

  American officials have fumed for years that cyber attacks were allowed without retribution. In the middle of the twentieth century, as nuclear weapons gained favor as a military option, Presidents Truman and Eisenhower struggled to define circumstances that could prompt a nuclear response from Washington. Now, the President’s policy advisors are beginning to lay out conditions under which USCYBERCOM would employ cyber counter-attacks — including in retaliation for previous cyber attacks, as an offensive weapon for conflict or in covert action.

  In his speech at Stanford, Mr. Carter revealed that the Pentagon, as did the White House and the State Department, found itself the victim of a cyber attack in 2015. He stated, “The sensors that guard DoD’s unclassified networks detected Russian hackers are accessing one of our networks.” He further said the attack exploited “an old vulnerability in one of our legacy networks that hadn’t been patched.” This is very typical of the vulnerabilities used by hackers on private sector networks. Obviously, our government's networks are every bit as vulnerable.

  Obama administration officials would not say if the cyber attacks mentioned by Secretary Carter bore similarities to attacks on the White House and the State Department during 2014. Those attacks, which also appeared to be of Russian origin, were kept under wraps for many months following the incident. Until Carter’s speech at Stanford, the administration had not named an adversary.

  One of the purposes of Carter’s high-profile speech was the introduction of the core of a new cyber strategy published by the Pentagon identifying a hierarchy of cyber attacks. The administration’s new strategy stated routine attacks and cyber vandalism should be fended off by private sector companies without the assistance of the government. The Department of Homeland Security will assist in detecting more sophisticated attacks and helping the private sector defend against them.

  But, in a significant declaration, certain attacks on American computer network systems may rise to the level of prompting a national response — led by the Pentagon and through the military’s Cyber Command. Carter indicated that this may apply to a small percentage of cyber activity, but the event may be so severe a U.S. governmental response is necessary.

  The administration's new strategy provides, in part: “as a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation.”

  But it also opens the door for pre-emptive cyber attacks: “there may be times when the president or the secretary of defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests.”

  Until now, most American cyber attacks on adversaries have been covert operations. It now appears something that threatens the significant loss of life, destruction of property or lasting economic damage could be responded to in kind, or militarily. That could cover many types of cyber attacks, but, by way of recent example, in the biggest case to date involving the private sector, the attack on Sony, the president chose to respond with sanctions on North Korea, and not in cyberspace.

  Finally, at the heart of the diplomatic, economic and threatened military responses available to the U.S. Department of Defense is the concept of deterrence — something that the United States had a far easier time establishing in the nuclear arena than it has had in cyberspace, where it's hard to establish attribution.

  Deterrence is partially a function of perception, most cyber security professionals say. Just like in conventional modern warfare, deterrence works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States, thus decreasing the likelihood a potential adversary’s attack will succeed. The United States must be able to declare or display adequate response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of U.S. systems to withstand a possible attack if it penetrates the United States’ defenses.

  But as Mr. Carter acknowledged in his Stanford speech, such a policy is easier to declare than to make vivid. The head of Cyber Command, Adm. Rogers, has often stated that the price of conducting cyber attacks is simply too low for many countries to resist.

  Welcome to the world of asymmetric warfare—where the playing field is level for all.

  Chapter Ten

  Retaliation – Cyber Counter-Terrorism

  The NATO Position on Retaliation

  NATO formed the Cooperative Cyber Defense Centre of Excellence (CCDCOE), which published a guideline of rules on how to respond to cyber aggression against the government. Among the intriguing possibilities of the guide, known as the Tallinn Manual, is its suggestion that the United States and its European allies have the option to retaliate against cyber attacks from domestic hackers.

  The NATO Cyber War Manual deals with many controversial issues, including the identification and attribution of civilian attackers.

  The manual was written over the course of three years by a team of 20 international warfare experts and drew from a variety of historic warfare guidelines, including the 1868 St. Petersburg Declaration and the 1949 Geneva Convention. These principles were then applied to the digital world.

  It suggests that hacktivists can be considered cyber terrorists, thus eligible for a like-kind digital response in retaliation. In extreme cases, such as attacks on hospitals or nuclear plants, physical force is an available option by the NATO alliance.

  The rulebook was unveiled at the Chatham House in London. It contains 95 black letter rules spread over 302 pages of text. Colonel Kirby Abbott, representing Canadian interests at NATO, remarked, "The Tallinn Manual is the most important document in the rules of cyber warfare. It will be highly useful."

  Among the most relevant provisions is rule twenty-two, which echoes previous cyber warfare guidelines from the Pentagon stating cyber attacks alone can be considered acts of war. It reads, in part:

  An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations occurring between two states or more.

  To date, no international armed conflict has been precipitated by the use of cyber warfare. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold allowing international armed conflict.

  Another important aspect of the Tallinn Manual is rule fourteen, in which the concept of proportionality is addressed. The document suggests that cyber retaliation against civilians is allowed, although unspecified, general attacks on civilian targets are generally forbidden. The proportionality rule suggests that if hacktivist attacks cause death or serious harm, a physical response (e.g. a drone death strike) may be acceptable.

  Does the Tallinn Manual open the door for counterattacks on the hacktivist group Anonymous?

  The rules raise a number of interesting scenarios.

  In recent years, Anonymous and other hacktivist groups have caused substantial damage to the networks and reputation of the United States government. They have defaced U.S. government web pages, acquired sensitive government data via cyber intrusions, hit government domains with distributed denial of service attacks, infiltrated network systems, and conducted similar attacks on government contractors as well.

  The glossary of the Tallinn Manual defines a hacktivist as:

  A private citizen who on his or her own initiative engages in hacking for, among other things, ideological, political, religious or patriotic reasons.

  Rule thirty-five goes further and establishes rules related to attacks by hacktivist civilians. It reads:

  An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other lawful means.

  In other words, the NATO members agreed that civilians open themselves up to counterattacks if they attack NATO member-state governments. However, not all members agreed that this opens up those citizens for attacks in the long-term after the immediate threat passed. Some member-states draw the line once the immediate danger of cyber terrorism is over.

  As none of these attacks caused significant infrastructure damage or resulted in death, it seems the NATO allies, under the new rules, would only be able to use digital counterattacks. However, the government could potentially use the rules as a justification to shut down social media tools utilized by hacktivist groups like Anonymous.

  If future attacks resulted in death as a consequence of an attack on the power grid, the responsible civilians could face physical attacks. This could potentially include the kind of drone death strikes the Obama administration has used liberally throughout the world.

  Might the U.S. be allowed to initiate counter cyber attacks against China?

  The U.S. government has increasingly accused China of sweeping government-endorsed hacking and intellectual property theft. President Obama recently threatened economic consequences if the cyber intrusions continue. The Tallinn Manual would address the Chinese use of cyber attacks in rule seven. Rule seven states that when there is insufficient evidence of a suspected attack originating from a government network, a victim state may attribute the operation to that state where there is an indication that the state in question is associated with the operation.

  This could be significant, as some attacks have reportedly been traced back to Chinese military networks. The new guidelines make it clear that the U.S. Department of Defense's USCYBERCOM could also respond in kind with counterattacks, as the guidelines state that cyber attacks on hostile foreign governments are valid if carried out in self-defense.
