Cyber Command nominee lays out rules of engagement
Choice to lead new organization explains under which authorities the command would operate
The Defense Department wants to integrate its cyberspace operations under a new Cyber Command, but the command’s role in cyber defense would depend on the dynamics of an attack scenario, the nominee to lead the new organization has testified.
Army Lt. Gen. Keith Alexander, the nominee who also heads the National Security Agency, explained the authorities and roles of the Cyber Command in different hypothetical scenarios presented by Senator Carl Levin (D-Mich.), who chairs the Armed Services Committee, during the NSA chief's confirmation hearing.
That exchange before Levin's panel on April 15, demonstrated how the command could support cyber defense in foreign and domestic settings, with the United States at peace or war. The questioning also provided a glimpse into the complex policy and legal questions that swirl around establishing the command.
Pick to lead cyber command lays out battle plans
To demonstrate how the command would operate, Levin asked Alexander about how it could respond in different attack scenarios:
Support during a traditional armed conflict
Levin: Assume the following: That U.S. forces are engaged in a traditional military conflict with a country – we’ll call it Country C – now how would you conduct cyber operations in that country in support of the combatant commander? Under what authorities, processes, and borders would you be operating in that particular scenario?
Alexander: We would be operating under Title 10 authorities under an execute order supporting, probably, that regional combatant commander. The execute order would have the authorities that we need to operate within that country and we’d have a standing rules of engagement of how to defend our networks. I think that’s the straightforward case, [it] would be an execute order that comes down that regional combatant commander that includes the authorities for cyber [that] are parsed out and approved by the president.
The complexity of neutrality and third parties
Levin: Now the second hypothetical, I want to add a complicating factor to the scenario. Assume that an adversary launches an attack on our forces through computers that are located in a neutral country. That’s what you determine – the attack is coming from computers in a neutral country – how does that alter the way you would operate and the authorities that you would operate under?
Alexander: So that does complicate it. It would still be the regional combatant commander that we’re supporting under Title 10 authorities. There would be an execute order. In that execute order…the standing rules of engagement, it talks about what we can do to defend our networks and where we can go and how we can block. The issue becomes more complicated when on the table are facts such as: We can’t stop the attacks getting into our computers, and if we don’t have the authorities…we’d go back up to a strategic command, to the [defense secretary], and the president for additional capabilities to stop [the attack]. But right now the authorities would be to block it in theater in the current standing rules of engagement, and it would be under and execute order, and again, under Title 10 in support of that regional combatant command.
Levin: Is that execute order likely to have any authority to do more than defend the networks or would you have to, in all likelihood, go back for that authority…?
Alexander: It would probably have the authority to attack within the area of conflict against the other military that we are fighting, and there would be a rules of engagement that articulate what you can do offensively and what you can do defensively…what you would not have the authority to do is reach out into a neutral country and do an attack, and therein lies the complication for a neutral country…
Levin: And neutral being a third country presumably, is that synonymous or does the word neutral mean literally neutral?
Alexander: Well it could be either, sir, it could be a third country or it could be one that we don’t know. I should have brought in [to the conversation] attribution, because it may or may not be a country that we could actually attribute [an attack] to, and that further complicates this. And the neutral country could be used by yet a different country, the adversary, and it’s only a path through. In physical space this is a little bit easier to see, firing from a neutral country, I think the Law of Armed Conflict has some of that in it. It’s much more difficult and this is much more complex when a cyberattack could bounce through a neutral country…
The complicated case of homeland security assistance
Levin: Now a third scenario, more complicated yet. Assume you’re in a peacetime setting [and] all of the sudden we’re hit with a major attack against the computers that manage the distribution of electric power in the United States. Now, the attacks appear to be coming from computers outside the United States, but they’re being routed to computers that are owned by U.S. persons located in thee United States, the routers [are] in the United States. How would [Cyber Command] respond to that situation and under what authorities?
Alexander: That brings in the real complexity of the problem...because there are many issues out there on the table that we can extend, many of which are not yet fully answered. Let me explain: First, the [Homeland Security Department] would have the responsibility for defense of that working with critical infrastructure. [DHS] could through the defense report for civilian authorities [construct] reach out to the Defense Department and ask [for] support. And, sir, one of our requirements in the unified command plan is to be prepared for that task. So we would have that responsibility if asked to do that, again we’d get an execute order and we’d have the standing rules of engagement that we operate under all the time. The issues now [however] are far more complex because you have U.S. persons, civil liberties and privacy all come into that equation, ensuring that privacy while you try to, on the same network potentially, take care of bad actors. A much more difficult problem.
As a consequence you have a joint interagency task force, the FBI [that] has a great joint-cyber investigative task force that would be brought in, all of these come to bear. This is the hardest problem because you have attribution issues, you have the neutrality issue that we mentioned in the second scenario, you have [interagency groups] working together with industry, and I think that’s one of the things that [President Barack Obama] is trying to address with DHS and with [DOD]: how do we actually do that with industry. That’s probably the most difficult and the one that we’re going to spend the most time trying to work our way through: How does the [DOD] help [DHS] in a crisis like that.
Editor's note: The exchanges were edited for clarity.
Ben Bain is a reporter for Federal Computer Week.