Pentagon is debating cyber-attacks
(WASHINGTON POST) The Pentagon’s new Cyber Command is seeking authority to carry out computer network attacks around the globe to protect U.S. interests, drawing objections from administration lawyers uncertain about the legality of offensive operations.
Cyber Command’s chief, Gen. Keith B. Alexander, who also heads the National Security Agency, wants sufficient maneuvering room for his new command to mount what he has called “the full spectrum” of operations in cyberspace.
Offensive actions could include shutting down part of an opponent’s computer network to preempt a cyber-attack against a U.S. target or changing a line of code in an adversary’s computer to render malicious software harmless. They are operations that destroy, disrupt or degrade targeted computers or networks.
But current and former officials say that senior policymakers and administration lawyers want to limit the military’s offensive computer operations to war zones such as Afghanistan, in part because the CIA argues that covert operations outside the battle zone are its responsibility and the State Department is concerned about diplomatic backlash.
The administration debate is part of a larger effort to craft a coherent strategy to guide the government in defending the United States against attacks on computer and information systems that officials say could damage power grids, corrupt financial transactions or disable an Internet provider.
The effort is fraught because of the unpredictability of some cyber-operations. An action against a target in one country could unintentionally disrupt servers in another, as happened when a cyber-warfare unit under Alexander’s command disabled a jihadist Web site in 2008. Policymakers are also struggling to delineate Cyber Command’s role in defending critical domestic networks in a way that does not violate Americans’ privacy.
The policy wrangle predates the Obama administration but was renewed last year as Obama declared cyber-security a matter of national and economic security. The Pentagon has said it will release a national defense cyber-security strategy by year’s end.
Cyber Command’s mission is to defend military networks at home and abroad and, when requested, to help the Department of Homeland Security protect critical private-sector networks in the United States. It works closely with the NSA, the intelligence agency that conducts electronic eavesdropping on foreign targets, which has its headquarters at Fort Meade on the same floor as NSA Director Alexander’s office.
In a speech at the Center for Strategic and International Studies in June, Alexander said that Cyber Command “must recruit, educate, train, invest in and retain a cadre of cyber experts who will be conducting seamlessly interoperability . . . across the full spectrum of network operations.”
“We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us,” Alexander told a cyber convention in August.
And in testimony to Congress in September, Alexander warned that Cyber Command could not currently defend the country against cyber-attack because it “is not my mission to defend today the entire nation.” If an adversary attacked power grids, he added, a defensive effort would “rely heavily on commercial industry.”
“The issue . . . is what happens when an attacker comes in with an unknown capability,” he said.
To counter that, he added, “we need to come up with a more . . . dynamic or active defense.”
Alexander has described active defense as “hunting” inside a computer network for malicious software, which some experts say is difficult to do in open networks and would raise privacy concerns if the government were to do it in the private sector.
A senior defense official has described it as the ability to push “out as far as we can” beyond the network perimeter to “where the threat is coming from” in order to eliminate it.
But, the official said, “we need to wait until we get some resolution on just how far we can go with regards to marrying the technology and operational concepts with law and the interagency process.”
The sort of threats that Alexander and other officials worry about include the computer worm Stuxnet, which experts say was meant to sabotage industrial systems – though exactly whose system and what type of sabotage was intended is unclear.
NSA experts “have looked at it,” Alexander told reporters in September. “They see it as essentially very sophisticated.”
Officials have not resolved what constitutes an offensive action or which agency should be responsible for carrying out attacks. The CIA has argued that such action is covert, which is traditionally its turf. Defense officials have argued that offensive operations are the province of the military and are part of its mission to counter terrorism, especially when, as one official put it, “al-Qaeda is everywhere.”
“This infuriating business about who’s in charge and who gets to call the shots is just making us muscle-bound,” said retired Adm. Dennis C. Blair, who resigned in May as the director of national intelligence after a tenure marred by spy agencies’ failures to preempt terrorist plots and political missteps that eroded the White House’s confidence in him.
Blair decried an “over-legalistic” approach to the issue. “The precedents and the laws on the books are just hopelessly inadequate for the complexity of the global information network,” he said.
The Justice Department’s Office of Legal Counsel, whose opinions are binding on the executive branch, prepared a draft opinion in the spring that avoided a conclusive determination on whether computer network attacks outside battle zones were covert or not, according to several officials familiar with the matter who were not authorized to speak for the record.
Instead, it said that permission for specific operations would be granted based on whether an operation could be, for instance, guaranteed to take place within an area of hostility. Operations outside a war zone would require the permission of countries whose servers or networks might be implicated.
The real issue, said another U.S. official, is defining the battlefield. “Operations in the cyber-world can’t be likened to Yorktown, Iwo Jima or the Inchon landing,” he said. “Defining the battlefield too broadly could lead to undesired consequences, so you have to manage the potential risks. Getting to the enemy could mean touching friends along the way.”
Senior defense officials are now inclined to “stay conservative” in line with the draft opinion, one senior military official said. He said it is probable that policymakers will have Cyber Command propose specific operations in order to test the boundary lines.
But Alexander, a 58-year-old career intelligence officer, is not conservative by nature. He rose through the Army ranks by pushing to make intelligence available on the front lines . As NSA director during the Iraq war, he developed ways to allow soldiers to read useful data culled almost in real time from insurgents’ communications.
Although he told reporters he would prefer to have Cyber Command’s authority clarified rapidly, he also acknowledged that to “race out and get authorities” only to be told, “Stop, stop, stop, you can’t do it,” makes no sense.
Stewart A. Baker, a former NSA general counsel, said calling cyber-operations, such as dismantling terrorist Web sites, “covert action” incorrectly implies they carry the same risks.
“There are lots of hackers in lots of countries who regularly break into computers, regularly disguise their identities,” he said. “No one would think that discovering the U.S. had done that would lead to a scandal comparable to . . . the funding of Nicaraguan contras with secret Iranian arms sales, which are the kind of activities the covert action law was written for.”