Rules of engagement
As the Defense Department builds a cyber force, forming a doctrine for cyber warfare is its opening challenge
- By Sean Gallagher, Brian Robinson
- Feb 09, 2009
In the face of an increasingly dangerous collection of network-enabled terrorists, politically and economically motivated hackers, and potentially adversarial countries flexing their muscle in the cyber realm, the Defense Department is in the process of creating a doctrine for waging — and preventing — war in cyberspace.
That effort has included the creation of command structures to equip and train a new class of cyber operators. The most visible of those efforts was the Air Force’s provisional Cyber Command, now destined to be a numbered Air Force under the umbrella of the Air Force Space Command. The Army also has established a cyber warfare unit, the provisional Army Network Warfare Battalion at Fort Meade, Md., created in July 2008.
At the same time, DOD has been wrestling with the question of how to conduct operations in a realm that is fraught with complexity, developing theory and doctrine for cyber warfare. When is an attack in cyberspace a criminal act, and when is it an act of war? How can the source of cyberattacks be attributed when most methods of attack easily screen the identity of the responsible party? How is deterrence possible in a world where a single person can launch an attack that does millions of dollars of financial damage or compromises national security in a way that aids enemies in taking lives? Those are all questions that DOD is seeking to answer.
As the Air Force debated the final structure of its cyber forces last summer, a cyber force of a different sort was firing the first electronic shots of the South Ossetia conflict in Georgia.
While Russian forces prepared to invade Georgia, hackers were mounting a propaganda attack on the Georgian president’s Web site. After the fighting began, the cyberattacks elevated, cutting off access to many of Georgia’s government and media Web sites.
“What was really unique with Georgia was that it was the first time we had kinetic and nonkinetic attacks going on at the same time,” said Mark Hall, director of information assurance policy and strategy at the Office of the Assistant Secretary of Defense.
The attacks on Georgia interrupted much of the country’s Internet infrastructure, as similar attacks in Estonia did to that country in 2007.
“Ultimately, who was behind [these attacks] is difficult to say, but certainly, we can all agree that sympathizers with Russia were certainly involved,” Hall said, during a presentation at the MILCOM conference in San Diego in November 2008. “That’s certainly the case with Georgia earlier this year.”
TRIPLE THREATS: COUNTRIES, CRIMINALS AND HACKTIVISTS
Even though the U.S. military has conducted cyberspace operations for many years, it has not considered cyberspace to be a true warfighting domain like its kinetic cousins, where bombs and bullets have tangible repercussions. But that hasn’t stopped others from developing serious cyber warfare capabilities.
DOD has devoted most of its cyber warfare attention to countries such as China and Russia, said Stuart Starr, distinguished research fellow at the National Defense University’s Center for Technology and National Security Policy. DOD is concerned those countries will develop the ability to extract sensitive data, execute distributed denial-of-service attacks and implement innovative cyber strategies that affect the United States, Starr said.
China has been criticized as a major proponent of cyber warfare and has been accused of everything from launching wide-ranging attacks on DOD systems to hacking the computers of members of Congress when they visit the country.
Col. Gary McAlum, director of operations at the Joint Task Force–Global Network Operations, which directs the operation and defense of the Global Information Grid (GIG), told a recent hearing of the United States-China Economic and Security Review Commission that the Chinese government wants to achieve dominance over the cyber domain by 2050.
Chinese hackers are becoming increasingly sophisticated in their approach, Starr said. “If you want to get a cat to eat a hot pepper, you can force it down its throat, you can mix it with cheese and try to feed it,” he said during a presentation at the MILCOM event. “Or you can mix it with cheese and put it on the cat’s fur, and the cat will lick it off its fur and feel good about it. The Chinese cyber strategy is the third way.” But other countries aren’t necessarily the most immediate concern. Other entities are using cyberspace to coordinate their activities and stage attacks for financial or political gain.
“Low-end users such as terrorists and transnational criminals have enhanced their power significantly” through cyberspace, Starr said. “Terrorists are adapting cell phone tech, and perhaps Twitter, for surveillance. We have been seeing that in the way they raise funds, educate and train, and spread propaganda — they are very adaptable.” Criminal organizations such as the Russian Business Network (RBN), terrorists and politically motivated hacker groups — known as hacktivists — use cyberattacks to support their causes. Security experts attribute much of the cyberattacks on Georgia to a server controlled by RBN, and pro-Russian and pro-Ossetian hacktivists were also involved in the denial-of-service attacks on Georgia.
DOD also has been the target of hacktivism, particularly from China following the 1999 NATO bombing of the Chinese embassy during the Kosovo conflict and during the April 2001 detention of a Navy EP-3 patrol aircraft after a collision with a Chinese fighter aircraft.
“We had a lot of attacks by Chinese hacktivists, mostly Web defacements,” Hall said.
Hall said he sees hacktivism as a major ongoing issue. “Hacktivists are someone we need to worry about and concentrate on as well. Are we monitoring these sites? Are we developing our ability to deal with that threat vector as well? A nation can influence their activity while also denying culpability. And we haven’t seen any sort of restraint in these communities to keep them from carrying out these attacks.”
CLOSING THE CYBER GAP
DOD is making moves to narrow the gap identified in the 2006 Quadrennial Defense Review (QDR). The review called for the development of “capabilities to shape and defend cyberspace.” “Cyber is absolutely critical to everything we do,” Lt. Gen. Robert Elder, commander of the 8th Air Force, told the audience at the Air Force Cyberspace Symposium in June 2008.
You can’t just be an air or space operator anymore, he said. “If you can’t control and ensure your cyberspace and you haven’t been prepared to deal with the fact that it will come under attack, then you will not be successful as a military operator.” The QDR also requested that the Center for Technology and National Security Policy at the National Defense University draft a theory of cyber power — a working document from which DOD could develop doctrine and strategy for cyber warfare and deterrence.
“The feeling was this is a large complex evolving area,” Starr said. “And unless we have some sort of comprehensive information understanding of it, we’re bound to make mistakes.” The results of the work are a 600-page book, “Cyberpower and National Security,” to be published by Potomac Press later this year. The book will only begin to deal with the complexities of cyber warfare and deterrence, and Starr said it provides a foundation for a “preliminary theory of cyber power.” Nevertheless, even a preliminary theory will help DOD build, train and deploy cyber warriors — particularly in devising rules of engagement to guide operations.
One factor DOD needs to consider is how the cyber domain interacts with the other domains in which air, sea and ground forces operate, said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.
“We’re at a place now [with cyberspace] that the military was with the airplane in 1914,” he said. “They know it’s probably important and could be useful, but they are trying to figure out how to integrate it with other tasks.” But the No. 1 issue might be deciding when a cyber conflict is occurring and when U.S. forces are authorized to do something about it, he said.
THE LESSONS OF ESTONIA
Although DOD has weathered several major cyberattacks by Chinese hacktivists and others in this decade, the power of cyber warfare to affect an entire nation was demonstrated by the attacks on Estonia. The country suffered major denial-of-service attacks beginning in April 2007 from hackers outside the country, reportedly Russians upset that Estonia moved a statue honoring World War II Russian and Estonian fighters.
The event became major news because of allegations that the Russian government was behind the attacks, making it one of the first state-sponsored cyberattacks if the reports are true.
However, no one has proven that link, and only individual hackers have been prosecuted.
Nevertheless, the incident opened eyes. Suleyman Anil, head of NATO’s Computer Incident Response Capability Coordination Centre, said at an e-crime conference in London in 2008 that most countries could not recover quickly from such cyberattacks and could not stop an attack on their infrastructure.
In May 2008, NATO said it would establish a research and development center in Estonia, which is a NATO member. The Cooperative Cyber Defense Centre of Excellence will study cyber war theory and coordinate efforts by NATO members to develop cyber war defenses and weapons.
U.S. government officials also said they will forge stronger links with Estonia on cyber conflict issues, following former President George W. Bush’s visit to the country in June 2008.
Attributing the source of a cyberattack is one of the major cyber warfare issues. Even though people know something is happening, they can’t necessarily label it an act of war or determine who is responsible. For example, the Estonia attacks used a number of different computers around the world that hackers compromised and then used to launch attacks against the Estonian systems. Investigators could not positively identify the origin of the attacks.
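The attribution problem described above can be seen from the victim's side of the logs. The following is an added example, not code from the article or from any of the organizations it quotes: it parses constructed web-server access lines (Common Log Format, with addresses from the IETF documentation ranges rather than real hosts), measures request rate in a quiet baseline window and in a burst window, and classifies the burst. A flood is easy to detect from the rate alone, but when the burst comes from many compromised machines that each send only a few requests, the top source accounts for a negligible share of the traffic, so the source addresses identify the relay hosts rather than whoever launched the attack. The thresholds (ten times the baseline rate, a single source holding half the traffic) are assumptions chosen for illustration.

```python
"""Added example: rate-based flood detection over constructed access-log
lines, showing why a botnet-driven flood yields no single origin address.
All log data below is constructed; IPs are documentation ranges (RFC 5737)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def _fmt(ip, ts, req, status, size):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} {size}'


def build_sample_log():
    """Constructed sample: a quiet minute, then a five-second burst from
    80 distinct addresses sending three requests each (a botnet pattern)."""
    base = datetime(2007, 4, 27, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):  # baseline: two ordinary clients, one hit per 10 s
        for ip in ("192.0.2.10", "192.0.2.11"):
            ts = base + timedelta(seconds=10 * i)
            lines.append(_fmt(ip, ts, "GET /index.html HTTP/1.1", 200, 1024))
    burst_start = base + timedelta(seconds=60)
    for n in range(80):  # burst: many sources, few requests per source
        ip = f"203.0.113.{n + 1}"
        for k in range(3):
            ts = burst_start + timedelta(seconds=(n * 3 + k) % 5)
            lines.append(_fmt(ip, ts, "GET / HTTP/1.0", 503, 0))
    return lines


def window_stats(events, start, seconds):
    """Request volume and source concentration inside [start, start+seconds)."""
    end = start + timedelta(seconds=seconds)
    hits = [ip for ip, ts in events if start <= ts < end]
    counts = Counter(hits)
    total = len(hits)
    top_ip, top_n = counts.most_common(1)[0] if counts else (None, 0)
    return {
        "requests": total,
        "rate_rps": total / seconds,
        "distinct_sources": len(counts),
        "top_source": top_ip,
        "top_source_share": (top_n / total) if total else 0.0,
    }


def classify(stats, baseline_rps, burst_factor=10, single_source_share=0.5):
    """Assumed thresholds: a flood is >= burst_factor x baseline rate; it is
    'single-source' only if one address carries single_source_share or more."""
    if stats["rate_rps"] < baseline_rps * burst_factor:
        return "normal"
    if stats["top_source_share"] >= single_source_share:
        return "flood:single-source"
    return "flood:distributed"


def analyze_log(lines, baseline_seconds=60, burst_seconds=5):
    """Compare the first minute (baseline) with the following burst window."""
    events = [e for e in map(parse_line, lines) if e]
    start = min(ts for _, ts in events)
    baseline = window_stats(events, start, baseline_seconds)
    burst = window_stats(events, start + timedelta(seconds=baseline_seconds), burst_seconds)
    return baseline, burst, classify(burst, baseline["rate_rps"])


if __name__ == "__main__":
    baseline, burst, verdict = analyze_log(build_sample_log())
    print(f"baseline: {baseline['rate_rps']:.2f} req/s from {baseline['distinct_sources']} sources")
    print(f"burst:    {burst['rate_rps']:.2f} req/s from {burst['distinct_sources']} sources, "
          f"top source {burst['top_source']} holds {burst['top_source_share']:.1%}")
    print("verdict:", verdict)
```

Run as a script it reports a 240x jump in request rate with the busiest address holding about one percent of the burst: enough to trigger mitigation (rate limiting, upstream filtering), but nothing in the log that points back past the relay hosts to an operator.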
Likewise, although the U.S. military is certain the Chinese government has been responsible for past attacks on its networks, that assertion is difficult, if not impossible, to prove. The Russian and Chinese governments have denied any connection to these and other similar events.
Unlike in conventional warfare, this attribution problem related to cyberattacks provides a layer of plausible deniability for foreign governments, said James Mulvenon, director of advanced studies and analysis at the Defense Group. Targeted countries don’t know for sure who to retaliate against, he told the United States-China Economic and Security Review Commission in a hearing May 20, 2008.
The problem is that there’s always been a great deal of malicious activity on the Internet, said George Smith, a senior fellow at GlobalSecurity.org. Now there is a huge amount of organized crime conducted using botnets, for example, as the Estonian attackers used.
“It would be naive to think governments have not been looking at creating swaths of cyber warriors,” he said. “But there’s no reason to believe that they could do anything more than what is already being done [by criminals], so how do you distinguish that government-inspired activity from the noise that everyone else is creating?” And even if people could attribute a cyberattack, the legal boundaries are not clear when it comes to cyber conflicts.
What if Russia did say it was responsible for the Estonian attacks and that it launched them to teach Estonia a lesson, asked Dan Kuehl, a professor at the National Defense University’s Information Resources Management College.
“What lines would be crossed by that, even if the [cyber] actions included knocking down some major Estonian civilian or military capability?” he asked. “There is by no means any form of consistent agreement on what that means.”
ARMING FOR THE FIGHT
There also are more fundamental problems that need to be tackled, such as the weapons the Air Force and other forces use to fight cyber wars. Unlike in the physical world, the U.S. military has no obvious superiority in cyber technology. Some of the most sophisticated attack tools are easily available, for a price, in the underground cyber economy to anyone who wants them.
The military is beginning to address that. In a solicitation published in May 2008, the Air Force Research Laboratory (AFRL) asked for white papers on scientific studies and experiments that would lead to a broad range of capabilities “required in support of dominant cyber offensive engagement and supporting technology.” Those capabilities included being able to stealthily extract information from remotely controlled closed computer systems or maintain an active presence on an adversary’s system while remaining undetected.
They also include the ability to affect computers through what AFRL calls D5 effects – deceive, deny, disrupt, degrade and destroy.
AFRL also has been investigating how to build cyber craft for its cyber warriors to fly.
The Defense Advanced Research Projects Agency recently announced the first round of contracts for the development of a National Cyber Range, a virtual environment in which the military could test cyber weapons and tactics.
Then there’s the matter of training people for cyber war. The technical side of training is much further along than the policy and legal issues people need to learn, Kuehl said, “though this is now beginning to creep into the curriculum in war colleges and other places.” The U.S. military is creating a training and education road map for this new age of cyber conflict, said Maj. Gen. William Lord, commander of the provisional Air Force Cyber Command.
It will involve people in the electronics career field and portions of the space and intelligence fields.
The first issue of the road map identifies four levels:
- Operators — officers and enlisted people who plan, direct and execute offensive and defensive operations.
- Specialists — enlisted personnel who specialize in technical aspects of cyberspace.
- Analysts — officers and enlisted intelligence people with the technical foundations to support cyberspace operations.
- Developers — officers and enlisted personnel with the advanced skills needed for designing and modifying software and hardware packages.
The details of each area will be fine-tuned during the next year, said Maj. Timothy Franz, the provisional Air Force Cyber Command’s chief of force development. Some of the tasks needed to make this vision a reality will be completed quickly, but others are expected to take several years, Franz said.
Some people think the military might struggle to find people for the highest-level jobs, the cyber warriors who will need to fight on the front lines of coming cyber wars. The fundamental barrier is that everyone in information technology security is brainwashed into a defensive mentality, said Stephen Northcutt, president of the SANS Institute. They are raised to believe that offense in the cyber world is cheating and bad, he said.
For that reason, it will be fairly easy to train people to do various security scans and similar actions, he said, and they’ve been fairly successful in probing soft targets.
“But those who can write an exploit on the fly against something they have not seen before will be terribly hard to find,” he said. “There’s probably no more than 5,000 people on the entire Earth who have the ability to be true cyber warriors.” Northcutt said he could probably find 1,000 people in the United States with that ability without any problem. However, the military likely won’t be able to afford the $250 or $300 per hour that someone with those skills can earn in private industry.
And expert-level training is another problem. He said a low-level person could probably be trained to deal with regular network exploits in several weeks.
“But the high end stuff? I can’t look you in the eye and tell you that we know now how to train people for that,” he said. “It’s going to take a diligent effort if [the military] wants to build that capability from scratch.”