10 December 2015

America’s secret arsenal

http://www.politico.com/agenda/story/2015/12/defense-department-cyber-offense-strategy-000331
It’s one of the biggest secrets in the government: The U.S. has the most powerful cyberweapons on Earth. So what are they? And when will we use them?
By Danny Vinik

To this day it remains one of the most sophisticated and mysterious offensive operations ever launched: Stuxnet, the computer virus specifically engineered to attack Iran's nuclear reactors. Discovered in 2010 and now widely believed to be a collaboration between the U.S. and Israel, its existence raised an urgent question: Just what is the U.S. government doing to attack its opponents in the cyber-realm?

Stuxnet's origins have never been officially acknowledged, and the extent of American meddling in malware is still unknown. But for the past few years there’s been something new developing within the U.S. military that has taken "cyber" from a theoretical idea to a deliberate—if secretive—part of U.S. policy. The first ripple came in January 2013, when the Washington Post reported that the Pentagon was significantly expanding its cybersecurity forces across all the service branches. By that October, the U.S. Army had launched two teams of technical experts dedicated purely to the cyber realm. Just a year later, the number was up to 10.

The growth has been snowballing. Last year, the secretary of the Army created a new branch for cyber—the first new Army branch since Special Forces was created in 1987. By October of this year, there were 32 teams, coordinated out of a new joint force headquarters for cyber opened last year in Fort Gordon, Georgia. By next summer, the Army expects to have 41.

What's going on? The growth points to one of the most cutting-edge, but also obscure, realms of American military activity: its cyber strategy, and especially its strategy for cyber offense. The United States already has, most observers believe, the most powerful cyberattack capabilities in the world. Much less clear is just what its capacities actually are—and when the Department of Defense believes it should use them.

In conventional war, weapons and strategies are fairly well-understood; the international community has developed rules of the road for armed conflict. Even tactics wrapped in secrecy, such as covert military raids, are governed by some standards about when and how we use them.

That’s not the case with cyber. It’s widely acknowledged that offensive cyberattacks will be a necessary component of any future military campaign, and the weapons are being developed now. In April, the DOD released a 32-page document that laid out specific strategic goals for U.S. cyber offense for the first time. But critics say that document still leaves many questions unanswered about how, when and where the government will use these capabilities.

Rep. Jim Himes (D-Conn.) at a House Permanent Select Committee on Intelligence hearing regarding NSA surveillance in 2013. | AP Photo

“What is legitimate retaliation for an act of war?” said Rep. Jim Himes (D-Conn.), the ranking member of the House Intelligence subcommittee on NSA and Cybersecurity. “How do you think about things like proportionality, which is a key term in the rules of war? How do you think about that in the cyber realm? In place of those norms and definitions you've just got a series of endless question marks. That's a dangerous world because uncertainty in this world equals risk.”

Many of those decisions will likely fall to the next president and his or her advisers, whose approach to this new virtual battlefield will help determine whether this moment of restraint leads to long-lasting cyber peace, or sends us on a far riskier path.

“An all-out cyber assault can potentially do damage that can be exceeded only by nuclear warfare,” said Scott Borg, the director of the U.S. Cyber Consequences Unit, a nonprofit research institute that focuses on cyberattacks. “It’s huge.”

WHEN I SET out to examine the U.S.’s offensive cyber capabilities, the first question I asked experts was what type of cyber weapons the U.S. possesses, expecting a range of answers. With kinetic weapons, Americans are well aware of the power of our military arsenal and have some sense of the consequences of our traditional and nuclear capacities. I expected to learn something similar from cyber experts.

That’s not what happened. In fact, cyber weapons exist in a realm not unlike the early days of the nuclear program, shrouded in secrecy, with plenty of curiosity but very little public information. In part this secrecy is integral to the whole concept: a cyberattack is useful insofar as the enemy is unaware of it. The more the government reveals about what’s in its arsenal, the more our adversaries can do to protect themselves.

"If you know much about it, [cyber is] very easy to defend against," said Michael Daniel, a special assistant to the president and cybersecurity coordinator at the National Security Council. "Therefore, that’s why we keep a lot of those capabilities very closely guarded."

One thing everyone I spoke to agreed on: The U.S. has the most powerful cyber arsenal in the world. Brandon Valeriano, a lecturer at the University of Glasgow who focuses on cyber conflict, used the example of the North Korean Internet interruption in December 2014, when the nation’s fledgling Internet went out for a few hours, just a few days after the White House blamed the Sony hack on Pyongyang. “If America wanted to take down North Korea’s Internet,” he said, “it wouldn’t be two to three hours. It would be devastating.”

A cyber weapon, called a “capability” in the field, is a piece of malicious code that exploits a flaw in an enemy’s software; the point is to manipulate, disrupt or destroy computers, information systems, networks or physical infrastructure controlled by computer systems. An attacker could use a cyber weapon to take down another country’s financial systems or electrical systems.

“Anything that has a computer anywhere on earth can be stopped or taken over,” said Jason Healey, the head of the Atlantic Council’s Cyber Statecraft Initiative and former director for cyber infrastructure protection in the George W. Bush White House from 2003 to 2005.

The most powerful cyber capabilities, called “zero-days,” exploit software vulnerabilities unknown even to the author of the software itself—for example, a security hole in the Windows operating system that even Microsoft doesn’t know is there. They’re called zero-days because once discovered, the author has zero days to fix them—people can immediately use them to cause damage.

As weapons, cyber capabilities differ in a few key ways from traditional weapons like missiles and bombs. First, they cause damage that’s less overt but more widespread than a physical attack—a cyber weapon could cripple a local economy by attacking a country’s financial or communication systems. Second, an attack can occur almost instantaneously against any target in the world. The Internet makes physical distance between enemies all but irrelevant, making it both easier for enemies to launch cyberattacks and harder for the government to monitor for them. Third, the use of a cyber capability is often a one-time deal: If the government has a piece of malicious software and uses it to exploit a flaw in an enemy’s code, it could render future uses of that capability ineffective, since the adversary could just patch it. It could also compromise intelligence-collection activities that use the same exploit.

Furthermore, the line between a military attack and an espionage operation is far blurrier in the cyber realm. A cyberattack generally doesn’t involve the movement of physical objects and does not put the attacker’s soldiers at risk. “All of the potential red flags that would pop up and get congressional attention don't,” said Peter Singer, a renowned cyber expert and author of “Cybersecurity and Cyberwar: What Everyone Needs To Know.” The same exploit might be used by intelligence agencies to spy on an enemy, or as an offensive weapon to mount a sudden attack.

That blurriness can be used to cloak responsibility, many observers think. For example, analysts have pointed out that if Stuxnet were indeed a U.S. operation—as is widely believed by now—the administration could avoid taking public responsibility for it by classifying it as an intelligence operation, rather than military.

“Stuxnet is attributed by the media to have been a U.S. intelligence community operation that would have been conducted under intelligence authorities versus cyber command authorities,” said Robert Knake, a fellow at the Council on Foreign Relations who was the director for cybersecurity policy at the National Security Council from 2011 to 2015. “So from that perspective, we really don’t know that much about what DOD engaged in offensive cyberwar would look like.”

Whoever conducted it, it announced something new was happening. “Stuxnet was a game changer,” said Healey. “The Internet became a much more dangerous place after that, because almost literally everybody started to say the gloves are off now.”

WHILE THE OBAMA administration has slowly begun disclosing more information about the U.S.’s offensive cyber policy, a lot of experts would like to see a broader, public discussion about how the U.S. intends to use its capabilities.

Those 41 Army teams that will be in place by the end of 2016 are part of a bigger DOD effort to expand and organize the military’s cyber efforts. In 2013, the department revealed that it was creating 133 mission teams to conduct offensive and defensive cyber operations, with 27 of those building up capacity to attack an enemy abroad. The operations are run out of U.S. Cyber Command in Fort Meade, Maryland, which was set up in 2010 by Gen. Keith Alexander, who at the time was wearing dual hats as both head of the command and director of the National Security Agency.

The DOD’s new cyber strategy lays out strategic goals and objectives for the department but provides few details about how the military is supposed to act in practice. “If directed by the President or the Secretary of Defense, DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans,” it says. A few lines later: “For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests.”

When it comes to specifics, the most dedicated cyber watchers say it’s not the government’s official documents that contain the most details: it’s the documents leaked by Edward Snowden. Though now a few years out of date, they include detailed information about how the U.S. government was building up an arsenal of cyber capabilities—and, at times, using them. In 2013, the Washington Post reported from the Snowden disclosures that the U.S. government carried out 231 offensive cyber operations in 2011, none of which came near a Stuxnet-level attack.

Snowden also released Presidential Policy Directive-20, a top-secret document that laid out the administration’s cyber principles. But much like the DOD’s cyber strategy, PPD-20 doesn’t answer many questions, instead offering general guidelines for the U.S.’s offensive cyber goals.

General Keith B. Alexander, head of the National Security Agency, at his retirement ceremony on March 28, 2014 in Fort Meade, Maryland. | Getty

This lack of specificity has frustrated some experts—“Most of it is vague and blank,” Borg said about the DOD’s cyber strategy—but the problem may be less that the administration isn’t releasing that information and more that those decisions haven’t been made at all. Other experts who share Borg’s frustrations with the government’s offensive cyberstrategy nevertheless defended the DOD’s document, saying it was not meant to lay down specific rules for the military’s use of offensive cyber weapons. Instead, it was the first step in the process intended to lead to more specific rules of engagement.

I spoke to Alexander, now retired from the military and running the Maryland-based consulting shop IronNet Cybersecurity, about the administration’s offensive strategy and how the government was trying to build up its cyber capacity. He said that cyber offense emerged as a priority after he set up Cyber Command. Rather than just defend its own networks, he said, it became clear that the military would need to defend the country more broadly, and that would require offensive as well as defensive cyber capabilities. “If we are under attack, you can’t just try to catch every arrow,” he said. “You have to take care of the person shooting the arrows at you.

“The second part,” he continued, “is what do you do and how do you create a force that can do that.” The force has clearly started to take shape: The DOD is working on forming the 133 cyber mission teams overall and four new joint force headquarters for cyber, including the Army one in Georgia. The Army cyber branch alone now has 1,000 people. But the specific rules of engagement, he said, are still to come.

“I think the policy that goes along with the employment of cyber is still in its early stakes,” Alexander said. “So having the rules of engagement, the policy out there when to act—you’re more into an early stage than you are people really having a concrete set of decision points.”

In one sense, specifying rules of engagement is even more important for cyber weapons than for kinetic ones, he said, because attacks occur so rapidly in the cyber realm. Alexander used the example of a missile flying at a city in the U.S. while the North American Aerospace Defense Command was unable to get in touch with key decision makers—the secretary of Defense and president—about whether to shoot it down. Under that scenario, U.S. rules of engagement dictate that NORAD can shoot it down.

“Now, if someone is attacking our infrastructure and they’re doing it at network speed, Cyber Command should probably defend the nation,” he said. But, he added, “We haven’t gotten, in my opinion, to that point yet. But I think they’re getting close. The reason is people don’t understand how bad cyber can be.”

"We are still, as are all governments, thinking through how do you actually employ these capabilities in a way that makes sense and how do you fit them into your larger strategic context," said Daniel, who leads the White House's development of its cyber strategy. "You don't just carry out a cyber operation for the sake of carrying out a cyber operation."

WHILE THE DEBATE over U.S. offensive cyber strategy may be happening quietly in the federal government, it’s playing out quite publicly among outside experts. In early November, Himes and four other lawmakers sent a letter to Secretary of State John Kerry and National Security Adviser Susan Rice proposing a cyber convention like the Geneva Convention, to lay out rules of the road for cyber.

“Now is the time for the international community to seriously respond again with a binding set of international rules for cyberwarfare: an E-Neva Convention,” they wrote.

One key concern they have is what actually constitutes an act of war in the digital realm, versus a smaller crime or nuisance. “What is cyber war?” Rep. Lynn Westmoreland (R-Ga.), the chair of the House Intelligence subcommittee on NSA and Cybersecurity who also signed the letter, said in an interview. “What is it?”

“What if Iran melted down one server at Florida Power and Light? They do $5,000 worth of damage. That sounds to me like a crime,” Himes said. “But what if they melt down a whole bunch of servers, a network goes down and a bunch of people die? That feels to me like an act of war.” He added: “But these lines aren’t drawn. Because they're not drawn, is our response to have the FBI investigate and file a diplomatic démarche? Or is our response to do a cyber reprisal? Or is our response to do a kinetic reprisal? We don't know. I think that's a real problem.”

Another key question in the cyber realm is if any specific infrastructure is off limits, the way hospitals are supposed to be off-limits in kinetic war. Is an electrical grid a valid target? Knocking out the Internet or the power can cause immense damage to civilians, particularly in advanced countries like the United States whose economies depend heavily on the Internet.

Forging consensus on these questions is hard but not impossible. Already, the international community is coalescing around an agreement that states cannot conduct cyber espionage for commercial purposes. Whether countries such as China will actually abide by that is unclear, but countries have at least agreed on that norm in principle.

Even among cyber experts, crafting a cohesive set of rules of engagement is proving to be a challenge. “I don’t know if you could come up with a set policy,” Westmoreland said. “I think it would have to be some type of living document that would allow it to change when technology changes.”

Daniel said that coming out with a specific case-by-case framework was not possible. "The idea that we are going to be able to spell out in detail exactly how we would respond to any particular incident or activity, I think doesn’t fully account for how we are going to have to act in the real world," he said.

When I asked Himes how the U.S. government should craft a cyber strategy if it can’t prepare for every possible scenario, he responded: “The laws of war, if you will, aren’t about describing every possible scenario. They are about articulating principles.”

This top-level guidance needs to come not from cyber experts but from elected leaders—and, observers say, so far that direction has not been forthcoming.

“Part of the problem is that there are so many senior people in the government, especially coming out of the political world, that just don’t understand enough about the technology,” Borg said. “They really are remarkably uninformed.”

You can see this in New Jersey Gov. Chris Christie’s comments about cyber in the last Republican debate. “If the Chinese commit cyberwarfare against us, they are going to see cyberwarfare like they have never seen before,” he said. Saber-rattling against the Chinese is nothing new for a U.S. presidential election, but it’s hard to imagine Christie making a similar claim about conventional war.

In one sense, that’s because it’s hard to imagine Christie ever being confronted with that scenario. No one is foreseeing an imminent kinetic attack from China. But that’s precisely what makes cyber so difficult: What exactly would qualify as cyberwarfare? And what type of Chinese cyber attack would result in “cyberwarfare like [China has] never seen before”?

It seems superfluous to mention, perhaps, but cyberwar with China is war with China. And a war that starts out in the cyber realm can quickly migrate to other realms.

“I consider the current state of affairs to be extremely volatile and unstable because one could escalate a cyberwar pretty quickly,” said Sami Saydjari, the founder of the Cyber Defense Agency consulting firm, who has been working on cyber issues for more than three decades. “You can imagine a scenario where a country instigates a cyberwarfare-like event but does it in such a way to blame another country, which causes an escalation between those countries, which accidentally causes a kinetic escalation, which accidentally reaches the nuclear level. This is not an implausible scenario.”

Not implausible, but perhaps not likely either. At the moment, cyber experts say, the world is at a tenuous moment of cyber peace. For all the constant theft and hacking, nobody is waging overt attacks on infrastructure and assets. But they also say this relative stability masks the underlying threats in the cyber world.

“I would say we’re in a cold war, not a peace,” Alexander said. “If you paint a picture of the world above, people are shaking hands. And then below the water, they’re kicking like crazy. I think in cyber there’s so much going on in cyber that it’s invisible to most people.”

If a major cyber incident occurred in the U.S.—one that actually hurt or even killed Americans—the public would quickly want some answers, and likely a plan for defense and retaliation. In the absence of more specific rules of engagement, it’s clear to many experts what’s going to happen at this point: We’re going to improvise. “If there were a cyber incident in the United States, we’d do it from scratch,” said Martin Libicki, a senior scientist and cyberwarfare expert at the RAND Corporation. “I don't care what's been written. That's just the nature of the beast.”
