Read Cyber Warfare Online

Authors: Bobby Akart

Chapter Nine
U.S. Department of Defense Preparations

United States Cyber Command (USCYBERCOM) is an armed forces sub-unified command subordinate to United States Strategic Command. The command is located at Fort Meade, Maryland, and centralizes command of cyberspace operations, organizes existing cyber resources and synchronizes defense of U.S. military networks. USCYBERCOM synchronizes and conducts activities to direct the operations and defense of specified Department of Defense information networks. The agency also conducts full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries. USCYBERCOM is charged with pulling together existing cyberspace resources, creating synergy and synchronizing war-fighting effects to defend the information security environment.

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) is the 24-hour operational arm of the Department of Homeland Security's National Cybersecurity and Communications Integration Center. This team leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to American interests. US-CERT strives to be a trusted global leader in cyber security—collaborative, agile, and responsive in a dynamic and complex environment. The government partners with private sector critical infrastructure operators, and domestic and international organizations to enhance the nation's cybersecurity posture.

In 2015, the U.S. took an important step designed to deter potential cyber adversaries when it released a new strategy that for the first time explicitly discusses the circumstances under which cyber weapons could be used against an attacker. Further, the Pentagon named the countries it says present the greatest threat: China, Russia, Iran, North Korea, and, for the first time, ISIS.

Defense Secretary Ash Carter announced the new policy in a speech at Stanford University, representing the fourth time in a period of four months during 2015 that the Obama administration has specifically named nation-states as being responsible for cyber activity detrimental to the U.S. The speech further announced new strategies designed to raise the geopolitical cost of conducting cyber attacks.

The administration’s previous strategy was less detailed and only suggested there was a new arsenal of cyber weapons available to the Pentagon in cyber warfare. The 2011 policy did not name any specific offenders.

President Obama’s decision to publicly declare North Korea’s leaders guilty of ordering the cyber attack on Sony Pictures, the largest destructive attack on any American target, public or private, was welcomed by cyber security specialists. The availability of new sanctions against state-sponsored and criminal hackers, and the subsequent indictment of five members of the People’s Liberation Army by the U.S. Justice Department for attacking American business interests all reflected a substantial change in Washington’s policy.

American officials have fumed for years that cyber attacks were allowed without retribution. In the middle of the twentieth century, as nuclear weapons gained favor as a military option, Presidents Truman and Eisenhower struggled to define circumstances that could prompt a nuclear response from Washington. Now, the President’s policy advisors are beginning to lay out conditions under which USCYBERCOM would employ cyber counter-attacks — including in retaliation for previous cyber attacks, as an offensive weapon for conflict or in covert action.

In his speech at Stanford, Mr. Carter revealed that the Pentagon, as did the White House and the State Department, found itself the victim of a cyber attack in 2015. He stated, “The sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks.” He further said the attack exploited “an old vulnerability in one of our legacy networks that hadn’t been patched.” This is very typical of the vulnerabilities used by hackers on private sector networks. Obviously, our government's networks are every bit as vulnerable.

Obama administration officials would not say if the cyber attacks mentioned by Secretary Carter bore similarities to attacks on the White House and the State Department during 2014. Those attacks, which also appeared to be of Russian origin, were kept under wraps for many months following the incident. Until Carter’s speech at Stanford, the administration had not named an adversary.

One of the purposes of Carter’s high-profile speech was the introduction of the core of a new cyber strategy published by the Pentagon identifying a hierarchy of cyber attacks. The administration’s new strategy stated routine attacks and cyber vandalism should be fended off by private sector companies without the assistance of the government. The Department of Homeland Security will assist in detecting more sophisticated attacks and helping the private sector defend against them.

But, in a significant declaration, certain attacks on American computer network systems may rise to the level of prompting a national response — led by the Pentagon and through the military’s Cyber Command. Carter indicated that this may apply to a small percentage of cyber activity, but the event may be so severe a U.S. governmental response is necessary.

The administration's new strategy provides, in part: “as a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation.”

But it also opens the door for pre-emptive cyber attacks: “there may be times when the president or the secretary of defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests.”

Until now, most American cyber attacks on adversaries have been covert operations. It now appears something that threatens the significant loss of life, destruction of property or lasting economic damage could be responded to in kind, or militarily. That could cover many types of cyber attacks, but, by way of recent example, in the biggest case to date involving the private sector, the attack on Sony, the president chose to respond with sanctions on North Korea, and not in cyberspace.

Finally, at the heart of the diplomatic, economic and threatened military responses available to the U.S. Department of Defense is the concept of deterrence — something that the United States had a far easier time establishing in the nuclear arena than it has had in cyberspace, where it's hard to establish attribution.

Deterrence is partially a function of perception, most cyber security professionals say. Just like in conventional modern warfare, deterrence works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States, thus decreasing the likelihood a potential adversary’s attack will succeed. The United States must be able to declare or display adequate response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of U.S. systems to withstand a possible attack if it penetrates the United States’ defenses.

But as Mr. Carter acknowledged in his Stanford speech, such a policy is easier to declare than to make vivid. The head of Cyber Command, Adm. Rogers, has often stated that the price of conducting cyber attacks is simply too low for many countries to resist.

Welcome to the world of asymmetric warfare—where the playing field is level for all.

 

Chapter Ten
Retaliation – Cyber Counter-Terrorism

The NATO Position on Retaliation

NATO formed the Cooperative Cyber Defense Centre of Excellence (CCDCOE), which published a guideline of rules on how to respond to cyber aggression against the government. Among the intriguing possibilities of the guide, known as the Tallinn Manual, is its suggestion that the United States and its European allies have the option to retaliate against cyber attacks from domestic hackers.

The NATO Cyber War Manual deals with many controversial issues, including the identification and attribution of civilian attackers.

The manual was written over the course of three years by a team of 20 international warfare experts and drew from a variety of historic warfare guidelines, including the 1868 St. Petersburg Declaration and the 1949 Geneva Convention. These principles were then applied to the digital world.

It suggests that hacktivists can be considered cyber terrorists, thus eligible for a like-kind digital response in retaliation. In extreme cases, such as attacks on hospitals or nuclear plants, physical force is an available option by the NATO alliance.

The rulebook was unveiled at the Chatham House in London. It contains 95 black letter rules spread over 302 pages of text. Colonel Kirby Abbott, representing Canadian interests at NATO, remarked, "The Tallinn Manual is the most important document in the rules of cyber warfare. It will be highly useful."

Among the most relevant provisions is rule twenty-two that echoes previous cyber warfare guidelines from the Pentagon stating cyber attacks alone can be considered acts of war. It reads, in part:

An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations occurring between two states or more.

To date, no international armed conflict has been precipitated by the use of cyber warfare. Nevertheless, the international group of experts unanimously concluded that cyber operations alone might have the potential to cross the threshold allowing international armed conflict.

Another important aspect of the Tallinn Manual is rule fourteen in which the concept of proportionality is addressed. The document suggests that cyber retaliation against civilians is allowed although unspecified, general attacks on civilian targets are generally forbidden. The proportionality rule suggests that if hacktivist attacks cause death or serious harm, a physical response (e.g. a drone death strike) may be acceptable.

Does the Tallinn Manual open the door for counterattacks on the hacktivist group Anonymous?

The rules raise a number of interesting scenarios.

In recent years, Anonymous and other hacktivist groups have caused substantial damage to the networks and reputation of the United States government. They have defaced U.S. government web pages, acquired sensitive government data via cyber intrusions, hit government domains with distributed denial of service attacks, infiltrated network systems, and conducted similar attacks on government contractors as well.

The glossary of the Tallinn Manual defines a hacktivist as:

A private citizen who on his or her own initiative engages in hacking for, among other things, ideological, political, religious or patriotic reasons.

Rule thirty-five goes further and establishes rules related to attacks by hacktivist civilians. It reads:

An act of direct participation in hostilities by civilians renders them liable to be attacked, by cyber or other lawful means.

In other words, the NATO members agreed that civilians open themselves up to counterattacks if they attack NATO member-state governments. However, not all members agreed that this opens up those citizens for attacks in the long-term after the immediate threat passed. Some member-states draw the line once the immediate danger of cyber terrorism is over.

As none of these attacks caused significant infrastructure damage or resulted in death, it seems the NATO allies, under the new rules, would only be able to use digital counterattacks. However, the government could potentially use the rules as a justification to shut down social media tools utilized by hacktivist groups like Anonymous.
