The old rules of war don’t apply in cyberspace, so the federal government is writing a new book for the new age of combat.
History is rich with rules for conducting war. The Geneva and Hague conventions comprise the modern international law of armed conflict, while humanitarian norms are detailed as far back as the Old Testament. But for some of today’s most dangerous threats, there are no such laws — at least, not yet.
Cyberspace is so new a domain that many of its standard operating procedures are still being determined. Unfortunately, that’s happening while a new era of digital warfare is unfolding.
Present-day cyber risks run the gamut from fairly innocuous password hacks to attacks with the potential to bring a country’s daily operations to a grinding halt. While the latter hasn’t happened yet, the government’s highest-level leaders insist the capability is there.
“I’m very concerned at the potential to be able to cripple our power grid, to be able to cripple our government systems, to be able to cripple our financial systems,” Defense Secretary Leon Panetta told the Senate Armed Services Committee in June. “It would virtually paralyze this country. And as far as I’m concerned, that represents the potential for another Pearl Harbor, as far as the kind of attack that we could be the target of” using cyber warfare.
The Defense Department is seeking to navigate the way ahead in cyber war, or so-called non-kinetic warfare, but it’s a complicated process that is subject to numerous delays. Partnership with a number of government agencies and industry is required, and officials are still determining who should do what, how and when. Even trickier is deciding what constitutes an act of cyber war.
Right now, a primary goal is to establish that governance with new cyber rules of engagement, a digital-era version of the laws that guide U.S. participation in conflict.
To do that, DOD must come together across its components and with other agencies, including the Homeland Security, Justice, State, Treasury and Commerce departments. Decision-makers also have to integrate new cyber laws with the existing framework and initiatives, such as DOD’s Strategy for Operating in Cyberspace, the White House’s National Security Strategy and International Strategy for Cyberspace, and DOD’s Quadrennial Defense Review.
Echoing DOD officials before him, Panetta has said in many testimonies and briefings that collaboration with the private sector is also crucial. Given that much of the nation’s at-risk critical infrastructure is privately owned, neglecting to address its defense would defeat the purpose of establishing cyber rules.
“The overwhelming percentage of our nation’s critical [information] infrastructure, including the Internet itself, is in private hands,” then-Deputy Defense Secretary William Lynn said last summer. “With the threats we face, working together is not only a national imperative, it is also one of the great technical challenges of our time.”
Defining cyber war
Through this labyrinth of people, organizations and laws, the rules of engagement are taking shape. And speed is of the essence.
Until now, DOD cyber operations have largely been governed by George W. Bush-era National Security Presidential Directives, but those can’t keep pace with the latest threats and don’t adequately cover civilian and private networks, cyber experts said. The rules of engagement will aim to better define U.S. involvement in cyber conflict, reflect today’s concerns and help determine funding for cyber defense.
“These investments are critically important; they set the foundation for the department’s ability to face and defend against an ever-growing threat from malicious cyber actors,” Madelyn Creedon, assistant secretary of defense for global strategic affairs, testified before a subcommittee of the House Armed Services Committee in March. “Whereas that threat was once the province of lone-wolf hackers, today our nation, our businesses and even our individual citizens are constantly targeted and exploited by an increasingly sophisticated set of actors.”
According to Creedon and Gen. Keith Alexander, commander of the Cyber Command and director of the National Security Agency, DOD put extensive work into the policy and operational planning aspects in the run-up to the new rules’ deployment. Beyond conducting a thorough review of existing rules, department officials partnered with the Joint Staff to create an interim framework designed to standardize DOD’s various cyber-related structures and relationships ahead of the formal publication of the rules of engagement.
Exactly when that publication will come is unclear. The rules have been close to release for several months and were most recently expected in March. Lt. Col. April Cunningham, a DOD spokesperson, said the Office of the Secretary of Defense, the Joint Staff and appropriate combatant commands are still working on the issues. Furthermore, any discussion of the plan’s details would be inappropriate because they are “pre-decisional,” and rules of engagement are typically classified and not for general release.
Given the number of competing interests, unknown variables and turf disputes, the policy formulation delays don’t come as a surprise, said Jim Lewis, a senior fellow and cybersecurity expert at the Center for Strategic and International Studies.
“There are dilemmas that this particular weapon creates: Who authorizes use? What uses are authorized and at what level?” Lewis said. “Is it a combatant commander, Cyber Command or the president? What sort of action justifies engagement? There is a lot of progress in thinking about how to use the cyber weapon but not enough progress in working out the details of how you actually pull the trigger.”
DOD’s goal is to model the new rules of engagement on traditional laws of conflict, using similar legal and military structures. Doing so would make it easier to integrate the plans into routine training and operations, Lewis said.
But cyber warfare also flouts some of the established norms for armed conflict.
“We have ideas [for traditional weapons] of proportionality, limited effect, not targeting civilian populations — these conventions that have been developed over the years through practice and consensus,” said Richard Bejtlich, chief security officer at Mandiant. “All of that gets blurry when you’re talking about cyber because it’s interconnected by definition. Ideas like proportionality are more difficult. It’s hard to argue a cyber weapon was used only where it was supposed to be used, like you could with precision-guided munitions.”
The nature and sophistication of many cyberattacks make identifying perpetrators — and thus targeting retaliation — a very difficult task. It’s also tricky to determine what constitutes an attack or what kind of cyberattack would elicit an armed response. Plenty of incidents of espionage, harassment, theft and even targeted attacks have been widely publicized, but so far, none have escalated into armed conflict.
However, the Stuxnet virus that afflicted the Iranian nuclear program in 2010 and its recently discovered malware cousin, the Flame virus, marked a turning point and illustrated the rising stakes in international cyber conflict — and the potential for escalating retaliation.
Stuxnet is reported to be the handiwork of the U.S. and Israeli governments and is believed to have damaged as many as 1,000 gas centrifuges at Iran's Natanz uranium enrichment facility. Flame, which shares common computer code with Stuxnet, secretly mapped and monitored Iran’s computer networks and sent intelligence back to its creators, presumably in preparation for possible cyberattacks.
Under its new rules, DOD will seek to define when such activities could trigger an armed response if they’re targeted at U.S interests, experts say.
“Everything in government is predicated on the idea of maintaining stability…and stability often comes from predictability, knowing what’s going to happen in a given situation,” Bejtlich said. “The idea of rules of engagement is that if you think there’s going to be a conflict, you can imagine how it will play out, what the damage may be and how you can prepare for it. If there are no rules of engagement, then you have no idea how bad things could get, and there’s likely to be more damage.”
Answers at last?
As cyber warfare plays a growing role in global conflict and as the world’s dependence on networked capabilities continues to swell, cyber rules of engagement are becoming increasingly important.
“Absent some civilization-destroying event, I think we will never again see a kinetic conflict without a cyber component,” said Daniel Ryan, a professor of systems management at National Defense University. “The interesting question is the other way around: If an incident begins with a cyber ‘attack,’ is that legally sufficient to permit a kinetic response? Article 51 of the UN Charter speaks of self-defense in response to an ‘armed attack,’ so the question is, can a cyber incident rise to the level of an armed attack?”
Ryan said it could end up depending on whether a cyberattack creates widespread destruction and casualties — in the legal world, an effects test — and therefore could be considered on the level of an armed attack.
Still, it’s possible the rules of engagement might not offer a crystal-clear answer to perhaps the most obvious question of where cyber conflict ends and armed warfare begins. So far, official guidance has lacked those kinds of details.
In his International Strategy for Cyberspace, President Barack Obama noted that “when warranted, the U.S. will respond to hostile acts in cyberspace as we would to any other threat to our country.” Alexander referenced that quote in congressional testimony in March detailing the Pentagon’s pledge to assert itself in the cyber arena.
“DOD’s components, particularly Cyber Command, seek to maintain the president’s freedom of action and work to dissuade others from attacking or planning to attack the United States in cyberspace,” Alexander testified. “We will maintain the capability to conduct cyber operations to defend the U.S., its allies and its interests, consistent with the law of armed conflict.”
It’s possible the lack of clear answers might be attributable to the fact that much of the decision-making is happening in real time, just as cyber warfare is unfolding.
“Sorting out how we will use the new military capability at the same time we’re building it has been an issue,” Lewis said. “The way to think of this is [to ask] how do we make it like any other military action…like authorizing Special Forces? The goal is to get this in the framework that we use for all military command decisions. What will always be a situational decision is when to exploit, when to disrupt or when to destroy.”
Industry being pulled from the sidelines
There are some stark differences between traditional warfare and the kind going on in cyberspace. For one thing, industry has never been a direct participant in conflict, but with cyber adversaries targeting both public- and private-sector networks and assets, that involvement is quickly changing.
“Unlike other realms, the cyber domain has heavy involvement in the commercial sector and the degree to which the commercial sector is directly targeted,” said Eddie Schwartz, vice president and chief information security officer at RSA. "It has to be included in any preparation or response, whether defensive or offensive. Historically, we’ve maintained a dichotomy…but our adversaries are not constrained in that way. They don’t have the statutory limitations we have.”
In a conflict in which information reigns supreme and that information belongs to both government and industry, a new kind of dynamic is required. Accordingly, a number of proposed laws currently making their way through Congress seek to bridge existing shortfalls in communication between companies and government.
“There will be more opportunities for commercial companies to participate, and they’re going to have to defend themselves out of necessity,” Schwartz said. “There have to be parallel tracks. It’s not just about what the military is doing or not doing. It’s about what all of us are doing.”
The need for rules of engagement to govern a U.S. response to a foreign-sponsored cyberattack is growing, but it’s hardly new. In the past decade, there have been numerous examples of international cyber incidents in which presumably state-sponsored actors penetrated systems and stole national secrets or disabled critical industrial or military assets belonging to another nation. Here are some of the more notable ones.
2003 Titan Rain targets U.S.
Highly skilled hackers allegedly working out of the Chinese province of Guangdong access systems and steal sensitive but unclassified records from numerous U.S. military bases, defense contractors and aerospace companies.
2007 Cyberattacks hit Estonian websites
Distributed denial-of-service attacks cripple websites for the Estonian government, news media and banks. The attacks, presumably carried out by Russian-affiliated actors, follow a dispute between the two countries over Estonia’s removal of a Soviet-era war memorial in Tallinn.
2008 Cyber strike precedes invasion of Georgia
Denial-of-service attacks of unconfirmed origin take down Georgian government servers and hamper the country’s ability to communicate with its citizens and other countries when Russian military forces invade.
2010 Stuxnet undermines Iran’s nuclear program
The Stuxnet worm is planted in Iranian computer networks, eventually finding its way to and disrupting industrial control equipment used in the country’s controversial uranium enrichment program. The United States and Israel are believed to be behind the attack.
2011 RSA breach jeopardizes U.S. defense contractors
Hackers steal data about security tokens from RSA and use it to gain access to at least two U.S. defense contractors that use the security vendor’s products.