Cyber-attack: U.S. plans to destroy enemy computer networks questioned.
The Air Force will not only defend its computer networks, but it may attack those of U.S. enemy systems as well, say officials.
"Imagine what can happen to us," Air Force Gen. William T. Lord, provisional commander of the service's cybercommand, said of an attack on Defense Department computers. "We'd like to take that capability and bring it down on the heads of our enemies."
While a presidential commission focused tills spring on a government-wide examination of the nation's vulnerabilities on cyberdefense, there is an under-the-radar debate on what the military, intelligence and law enforcement communities' intentions are in the top secret realm of cyber-attack.
Retired Adm. William Owen, former vice chairman of the Joint Chiefs of Staff, said he sees little evidence that there is a government-wide understanding of the repercussions of launching an attack on enemy computers. And that goes for the military as well.
"My guess is that most of the generals and admirals don't really understand what the hell we're playing with here and we need to find a way to get some focused attention" on this topic, he told National Defense.
Owen is the co-author of a National Research Council report, "Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyber-Attack Capabilities."
The study--two-and-a-half years in the making--concludes that policies and regulations for carrying out computer attacks are "ill-formed, undeveloped and highly uncertain," said Kenneth Dam, a former deputy secretary of state who also contributed to the report.
The authors could not identify any single authority in the government responsible for coordinating cyber-attacks or promulgating policy--if there is any policy at all. Further, there are no congressional committees designated to oversee the government's efforts.
In short, if the United States government goes on the offense in cyberspace, there may be a lack of accountability, the report concluded.
Secrecy has impeded widespread debate about the nature and implications of cyberattack, the authors asserted. Much of the defense community's efforts in this realm are top secret.
"It's not so much secrecy, it's actual silence. It just isn't discussed," Dam said at a press briefing. There needs to be a public debate about the repercussions of launching cyber-attacks, the report said. In the early days of nuclear weapons, there was a great deal of literature coming out of think tanks, universities and other institutions about when and how to use atomic bombs. That just isn't happening in this new kind of warfare, Dam added.
The council said the report is the first comprehensive look at cyber-attack that addresses technical, policy, legal and ethical issues.
The committee defines cyber-attack as "deliberate actions to alter, disrupt, deceive, degrade or destroy computer systems."
Cyber-attacks can range from small-scale skirmishes to all out conflict. On the battlefield, they can be used to suppress air defenses, bring down command, control and communications networks, or degrade smart ammunitions, the report said.
Other more subtle actions are possible. They can be used in covert operations designed to influence governments, events, organizations "or persons in support of foreign policy in a manner that is not attributable to the U.S. government," the report said. They might be used to influence elections, instigate conflict between political factions, harass disfavored leaders or divert money.
This is not the same as "cyber-exploitation," which may seek to secretly gather intelligence from a computer without causing harm or disruption. These two terms shouldn't be lumped together, Dam warned. Although the technical methods to carry out these two objectives may be similar.
The authors stressed that they were not cyberpeaceniks.
"We believe that there are instances when you might do a cyber-attack. We should have a robust cyber-attack capability in this country," Owen said. Such an assault on an adversary's computers could be pursued along with traditional warfare, but could also be employed separately.
"U.S. forces are actively preparing to engage in cyber-attacks perhaps with other information warfare or in conjunction with kinetic attacks. And may have already done so," Dam said.
Nevertheless, "we have to understand all the effects of that kind of a cyber-attack," Owen added. For example, would attacking a computer system linked to a power grid also knock out the electricity at a hospital and risk the lives of patients?
Lord, speaking at the Space Symposium at Colorado Springs, Colo., before the report's release, said he did not want to share any details about taking offensive measures in cyberspace, but acknowledged there were ongoing discussions in the Air Force.
"We need to exploit in this domain. [That's] a controversial subject," he said.
"We're going to combine computer exploitation, defense and attack in one [wing]," he said. The Air Force is in the process of merging its cybercommand and space command into the 14th Air Force Wing.
"What if you could so scramble the brain of the enemy so that they can't do their command and control and they lose their ability to wage warfare?" Lord asked.
That may mean fewer war fighters deployed forward, less risk of casualties, less death and destruction on the battlefield, and later, less infrastructure to rebuild.
"How we sort out the legal authorities for our airmen to conduct those operations is one of the things we're discussing right now," Lord added.
In both cyberdefense and offense, Lord questioned whether current Defense Department acquisition methods are capable of keeping up with "warfare at the speed of light."
The Air Force is undergoing a deliberate process to not only train experts in the field, but to recruit them as well. That includes military and civilians, Lord said. This will "require new core competencies, new ways to acquire stuff at the speed of need rather than acquisition cycles measured in years or decades," he added.
The National Research Council report identified the Air Force as the main advocate for cyber-offense in the U.S. government. The operational agency is U.S. Strategic Command's joint functional component command for network warfare.
Stratcom spokesperson Air Force Maj. Belinda Peterson said officials there did not want to comment specifically on the report, but added that "our networks are probed thousands of times a day. And as in any domain, a good defense relies on a good offense and the integration of the two."
Meanwhile, Defense Secretary Robert Gates, speaking at the Air War College, said the Pentagon may establish a sub-unified command at Stratcom for cyberspace.
"We are desperately short of people who have capabilities in this area in all the services and we have to address it. This is going to be one of the significant new realms of conflict in my view," he added.
Only 80 personnel per year graduate from the military's cyberschools. Gates said he wants to quadruple that by fiscal year 2011.
Despite these efforts, the report concluded that the United States will never be a super-power in cyberspace as it is with its conventional forces. "Enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States," the report said. The tools needed to wage such warfare are relatively inexpensive and easily available. Expertise on waging such attacks is "widespread." Deterrence of cyber-attacks by the threat of in-kind response has limited applicability because an enemy attack on the United States can be launched anonymously, the report said.
Lord defined potential opponents as nation states, cyber-terrorists and common criminals. Identifying the origin of an attack is extremely difficult, he agreed.
In 2007, one million computers from 75 countries were enslaved by a bot-net to conduct a coordinated attack on Estonia's network. Most of these privately owned computers that were used by the attackers without the knowledge of their operators were located in the United States. Estonia is a NATO ally, Lord pointed out. An attack on an ally is considered an attack on the alliance. But two years later, it's still not clear who took down Estonia's network. "Who do you go to war with?" Lord asked.
"I'm not sure we have processes in place today that can handle warfare at the speed of light," he added. "Quite frankly, it's easier for us to drop a 2,000 pound bomb on another person than it is to kill an IP address in a cyberwar."
Owen said it might be time for the United States to enter into talks with China on a "no first use" agreement as far as launching cyber-attacks. The United Nations' charter on the use of force and armed attack and the laws of armed conflict are good starting points for creating a legal framework, Dam said. But before international rules of engagement can be sorted out, the U.S. government must have a vigorous public debate, and clarify its own rules and policies, Dam said.
Trey Hodgkins, vice president for national security and procurement policy at the TechAmerica trade association, said he agreed with many of the report's points, but that it left out one important factor: the need to consult with private industry before launching attacks. The military must consult with allies before flying over their airspace to launch a bombardment in a neighboring country. It should be the same when using a fiber-optic network for offense.
About 85 percent of all of the nation's cyber-network is in private hands, and a cyber-attack will most likely go through this infrastructure. "The government is not the largest owner of most of that infrastructure and would not be the one with the primary responsibility of protecting it," he said.
Companies are not permitted to carry out their own counter-attacks. However, they can partner with the government to determine where attacks come from, and then decide on a response, or discuss the risk of a reaction of it is deemed necessary, he said.
"There must be coordination between government and private industry, which owns the vast majority of that infrastructure," he said. While the government is secretive about cyber-offense, it's not unheard of for military and government officials to privately consult with technology firms about vulnerabilities on the Internet, he added. They could use the same channels to discuss their intentions.
EMAIL COMMENTS TO SMAGNUSON@NDIA.ORG