[Infowarrior] - U.S. Eyes Preemptive Cyber-Defense Strategy
Richard Forno
rforno at infowarrior.org
Sun Aug 29 11:40:22 CDT 2010
Washington Post
August 29, 2010
U.S. Eyes Preemptive Cyber-Defense Strategy
By Ellen Nakashima
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849.html
The Pentagon is contemplating an aggressive approach to defending its
computer systems that includes preemptive actions such as knocking out parts
of an adversary's computer network overseas - but it is still wrestling with
how to pursue the strategy legally.
The department is developing a range of weapons capabilities, including
tools that would allow "attack and exploitation of adversary information
systems" and that can "deceive, deny, disrupt, degrade and destroy"
information and information systems, according to Defense Department budget
documents.
But officials are reluctant to use the tools until questions of
international law and technical feasibility are resolved, and that has
proved to be a major challenge for policymakers. Government lawyers and some
officials question whether the Pentagon could take such action without
violating international law or other countries' sovereignty.
Some officials and experts say they doubt the technology exists to use such
capabilities effectively, and they question the need for such measures when,
they say, traditional defensive steps such as updating firewalls, protecting
computer ports and changing passwords are not always taken.
Still, the deployment of such hardware and software would be the next
logical step in a cyber strategy outlined last week by Deputy Secretary of
Defense William J. Lynn III. The strategy turns on the "active defense" of
military computer systems, what he called a "fundamental shift in the U.S.
approach to network defense."
Though officials have not clearly defined the term and no consensus exists
on what it means, Lynn has said the approach includes "reaching out" to
block malicious software "before they arrive at the door" of military
networks. Blocking bad code at the border of its networks is considered to
be within the Pentagon's authority.
On the other hand, destroying it in an adversary's network in another
country may cross a line, and officials are trying to articulate a clear
policy for such preemptive cyber activity.
"We have to have offensive capabilities, to, in real time, shut down
somebody trying to attack us," Gen. Keith Alexander, the head of the
Pentagon's new Cyber Command, told an audience in Tampa this month.
The command - made up of 1,000 elite military hackers and spies under one
four-star general - is the linchpin of the Pentagon's new strategy and is
slated to become fully operational Oct. 1.
Military officials have declared that cyberspace is the fifth domain - along
with land, air, sea and space - and is crucial to battlefield success.
"We need to be able to protect our networks," Lynn said in a May interview.
"And we need to be able to retain our freedom of movement on the worldwide
networks."
Another senior defense official said, "I think we understand that in order
for us to ensure integrity within the military networks, we've got to be
able to reach out as far as we can - once we know where the threat is coming
from - and try to eliminate that threat where we can."
One senior defense official said that active defense is akin to being in a
battle zone when someone is firing a machine gun at you, detecting the
bullets, putting up a shield and knocking down the bullets. "Wouldn't it be
a far better idea to get the machine gun? So that's an extension of a
real-time defense - just shut the threat down."
Perhaps the most difficult issues are technological and operational. Because
the precise configuration of an adversary's computer is difficult to discern
through the Internet, it can be very difficult to, for example, disrupt that
computer's ability to attack without affecting other computers that might be
connected to it. The military's dismantling in 2008 of a Saudi Web site that
U.S. officials suspected of facilitating suicide bombers in Iraq also
inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and
Texas, for example, and the Obama administration put a moratorium on such
network warfare actions until clear rules could be established.
"Why are you talking yourself into this massive debate when no one has said
this works 100 percent of the time and it's worth the fight?" said an
industry official who formerly worked at the Pentagon.
But a senior defense official familiar with state-of-the-art technology
said, "I would tend to say that we can be much more precise than people
could imagine." The official, like others quoted for this story, was not
authorized to speak on the record.
Alexander, who also heads the National Security Agency, which was set up in
1952 to spy electronically overseas, acknowledged in Tampa that offensive
capabilities must be based on "the rule of law," according to the Military
Tech blog Cnet News.
And that is the crux of the debate. For the better part of a year, defense
officials have been discussing the options with the White House, Justice
Department, Department of Homeland Security and Congress. "I have seen
clearly changes in the last two or three months where there's willingness of
the senior leaders to start thinking through those scenarios, and that's
something I don't think we were seeing a year ago," said a military official
who was not authorized to speak for the record.
Still, taking action against an attacker's computer in another country may
well violate a country's sovereignty, experts said. And government lawyers
have questioned whether the Pentagon has the legal authority to take certain
actions - such as shutting down a network in a country with which the United
States is not at war. The CIA has argued that doing so constitutes a
"covert" action that only it has the authority to carry out, and only with a
presidential order.
Policymakers also are grappling with questions of international law. "We are
having a big debate about what constitutes the use of force or an armed
attack in cyberspace," said Herbert S. Lin, a cyber expert with the National
Research Council of the National Academy of Sciences. "We need to know where
those lines are so that we don't cross them ourselves when we conduct
offensive actions in cyberspace against other nations."
The senior defense official who spoke about the military's capabilities said
if cyber operators detected that some attacker was about to issue a network
command to a device installed somewhere in the United States that would have
"a disastrous effect" causing mass destruction, "I'm hard pressed to imagine
that anyone would argue you shouldn't preempt that - even if it was sitting
on neutral territory."
But short of that, noted a military official, "there's a lot of reluctance
to go into foreign cyberspace and take actions that are preemptive."
Officials have noted they can use other non-cyber options, including
diplomatic action, to respond to threats. The United States might approach a
foreign government for help in blocking a threat, using the appeal that "it
might be aimed at us now, it could be aimed at you later, it might be aimed
at us collectively" in terms of the instability it induces in the global
networks, said the senior defense official. "That's an approach that is
often ignored."
The industry official said his concern is "the militarization" of the
international dialogue. "Any time Pentagon leaders start using the terms
'active defense,' " he said, "then my concern is that foreign countries use
that as a basis for their doctrine, starting a cycle of tit for tat."
The Pentagon has standing rules of engagement for network defense, such as
the right of self-defense. But the line between self-defense and offensive
action can be difficult to discern.
"This is a big, big problem," said one former intelligence official who
noted that it took years to develop nuclear deterrence doctrine. "We are
just at the beginning of figuring this out."