[Infowarrior] - US Close To OK’ing Cyber Attack Rules

Richard Forno rforno at infowarrior.org
Sun May 26 08:11:03 CDT 2013


Defense News
May 27, 2013

US Close To OK’ing Cyber Attack Rules

By ZACHARY FRYER-BIGGS

http://pdfpages.gannettgov.com/prepress/fpo_pdfs/DFN_DOM_FPO.pdf

WASHINGTON ― After three years of grueling internal debate, the chairman of
the Joint Chiefs is poised to approve new rules empowering commanders to
counter direct cyberattacks with offensive efforts of their own ― without
White House approval.

Once signed, the new cyber rules contained in the US military’s new standing
rules of engagement (SROE) ― the classified legal document that outlines
when, how and with what tools America will respond to an attack ― will mark
a far more aggressive tack than envisioned when the process started in 2010,
or even much more recently. To date, any cyber action requires the approval
of the National Security Council (NSC).

A defense spokesman said that much of the focus on cyber has revolved around
defensive action, and that pre-emptive offensive action would still require
presidential approval.

Sources said the new rules are vital to address a rapidly developing domain
that should be integrated into normal military rules, but still remains
largely closed to outside observers by heavy layers of classification.
Because the SROE is classified, conversations about its composition and
details of deliberations are all considered very sensitive, and sources who
participated declined to be named.

The new rules were supposed to have been implemented in late 2010, but were
delayed as top government lawyers debated how aggressively the US should
respond to cyberattacks, and what tools commanders could use, according to
current and former White House, defense and intelligence officials. Now
complete, the rules are undergoing a final “internal bureaucratic process,”
a defense official said.

Lawyers from the Joint Staff and US Cyber Command (CYBERCOM) gathered in
Washington to try to update the Defense Department’s standing rules of
engagement in late 2010, with two major policy areas remaining as subjects
of debate: rules regarding deployed ships and rules about cyberwarfare.

The cyber discussion resulted in a draft cyber policy that was
gerrymandered, larded with legalese, and had become almost unintelligible
because of the many hands from multiple agencies involved in its writing. An
interagency process had been started because cyber concerns confront a
variety of agencies, the intelligence community and DoD as well as State,
Homeland Security and other departments, with each expressing views on how
the domain would be treated.

That effort aimed to update rules crafted in 2005 that did not address
broader questions regarding cyber, but were in need of updates as cyber
threats escalated. Recent reports from the security company Mandiant and
from DoD indicate the Chinese cyberattacks began to increase in 2006.

With the SROE process having stalled, three lawyers attending the conference
decided to start over, redrafting the language on cyber over a lunch break
during the conference. Huddled around a table they created what they thought
was a simple, clean approach that could gain broad support. They presented
it to the other attendees, and the new version was passed up the chain of
command for review by senior officers.

Not long afterward, that draft was rejected by a deputy of Gen. Keith
Alexander, head of CYBERCOM and director of the National Security Agency,
because it fell short of where “the SecDef wanted it to go,” said a former
defense official. 

The problem was that the document didn’t allow for a sufficiently assertive
response, the official added. In its efforts to achieve balance, the draft
didn’t accommodate the strong stance the administration, and specifically
CYBERCOM, wanted to take.

So the rules were drafted again, designed to be “forward leaning,”
permitting a stronger response. Once again they were rejected.

Nearly three years later the rules still haven’t been signed. Defense
officials said they expect the newest version to be formalized shortly, but
there is always the possibility that further policy concerns will stall the
process. 

While several sources pointed to the desire by some, especially Alexander,
to take a more assertive stance, not everyone agrees that the delay was
caused by internal dissent. A senior defense official said the process was
slowed by the administration’s need to develop larger cyber policies to make
sure the military rules fit the larger whole.

“As we were developing our standing rules of engagement and going through
that interagency process we were recognizing that there’s a natural
progression, a natural sequencing of making sure that the presidential
policy was finalized and signed out, then making sure that the doctrine and
other procedures are in place, and finally the next logical step is the
standing rules of engagement,” the senior defense official said.

According to the former defense official with knowledge of earlier drafts,
the version on the verge of completion is “way far” from previous versions,
authorizing far more assertive action than had been previously considered.

Use of cyber weapons will still be the domain of US Cyber Command, with
geographic combatant commanders requesting action through locally stationed
cyber support elements. But the debate about the rules of engagement, what
authorities they should permit and who should have them, stems from a larger
issue about normalizing cyberwarfare that was complicated by the
concentration of cyber authority within the NSC, a concentration that is the
byproduct of an inter-agency dispute dating to the Iraq war.

What the US does as it begins to normalize cyber will have a big effect on
how cyber is treated globally, said Jason Healey, director of the Cyber
Statecraft Initiative of the Atlantic Council.

“Without a doubt what we do gets copied,” he said. “The fact that we’re
including this in rules of engagement and pushing this down to lower levels,
[means that] then the military of another country will try to convince its
leaders to do the same thing.”

Concentration of Power

In 2003, with the launch of the war in Iraq, cyber capabilities weren’t very
advanced compared to some of the elegant tools at the military’s disposal
today. But that doesn’t mean that various intelligence and defense agencies
weren’t interested in using them.

When the squabbling over who would be in charge of cyber began, President
George W. Bush signed a classified presidential directive in 2004 requiring
that all cyber decisions be funneled through the NSC.

That prevented any single agency from laying claim. But it didn’t end the
disagreements. 

“It became an issue with cabinet and deputy cabinet level officials in there
hacking it out,” said a former senior intelligence official, describing
debates in the White House Situation Room.

In every instance where cyber was involved, the NSC had to be involved. That
helped settle some of the disputes between agencies by limiting any
independent application of cyber capabilities, but was useful neither for
expediting any cyber action nor for integrating cyber into larger military
capabilities. Several sources said that this has slowed the integration of
cyber into broader military tactics, possibly giving rivals without the same
hesitation, like China, a chance to become more adept at military cyber.

Some decisions by the NSC on the use of cyber were easier than others. In an
individual theater of combat, such as Afghanistan, their use was more easily
authorized if the effects were limited to the region. If anything resembling
a cyberattack or intrusion came from the area, a response was also likely
authorized. 

But when it came to more complicated issues, like international intrusions,
the standards got hazy.

Because every decision had to be run through the West Wing, potential
political blowback limited the use of cyber tools, the former senior
intelligence official said. “If they can’t be used without a discussion in
the West Wing, the president’s got no place to run if something goes wrong
when he uses them,” he said. Those decisions included what to do if the US
confronted a cyberattack.

The rules of engagement review proceeded in 2005 with limited cyber concerns
integrated into the final version. Not until 2010 did the larger debate pick
up steam. 

The rejection of the drafts developed at the end of 2010 by CYBERCOM
officials was part of a larger push to increase the authority vested in
Alexander, the former senior intelligence official said. “When we had these
dialogues with the Fort Meade population, it was often the rest of the
intelligence community cautioning the Fort Meade guys not to be so
aggressive,” he said. NSA and CYBERCOM are at Fort Meade in Maryland.

Several sources cited these interests as slowing the process, and causing
several compromises to be rejected.

Not everyone agrees that the process has been slowed by dissent or efforts
to increase authority by any one group. The senior defense official who
described the delays as being the result of larger policy development
pointed to the difficulty in crafting a new policy in a new area of warfare.

“It was much less about a turf war than it was about us wanting to make sure
that the department’s role was right in defending it, and that the level to
which the authority was delegated was appropriate and something with which
the secretary and the chairman and the White House was comfortable,” he
said. “If this is the first time ever that we’re talking about SROEs that
are outside of DoD networks, it should be expected that it’s a very
complicated thing. There’s no precedent, there’s no clear understanding on
some of the issues.”

A defense spokesman who was asked about Alexander’s role in eliminating
earlier versions of the cyber language noted that there were multiple
officials involved in the development process.

“The standing rules of engagement are a product of many minds, of which Gen.
Alexander is one,” a statement from the spokesman read. “He has worked
tirelessly with senior department leadership to develop appropriate SROEs
that for the first time will define the legal framework for how the United
States would respond if attacked by, through or with the cyber domain.”

To be sure, even when an SROE document is signed, it will not grant the
authority to wage cyberwar to low level military personnel. Even the cyber
capabilities that might be employed to respond to an attack will require
orders from senior officials.

But the document is a move that begins to standardize cyber, folding some
areas into more typical military rules and hashing out concerns about how
cyber should be treated.

The use of cyber is more a question of political influence in the West Wing,
a process that favors those like Alexander who have access to
decision-makers. If cyber capabilities become more readily accepted, their
implementation could become more democratic, based more on need than on
politics. 

More importantly, by authorizing immediate action against cyberattacks, the
SROE will greatly cut down on the reaction time. By eliminating the often
laborious process of NSC deliberations, an attack will likely be countered
sooner and potentially result in less damage.

“If you have time to run it through the NSC you don’t really need a standing
requirement,” a former defense official said.

---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.


