Uncorrected machine-read (OCR) text of the first 10 and last 10 pages of this chapter; the intervening pages are not included.
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

3 A Military Perspective on Cyberattack

3.1 U.S. MILITARY DOCTRINE AND CYBERATTACK

The most current statement of U.S. military doctrine regarding cyberattack identifies computer network attack (an aspect of what this report calls cyberattack) as an element of computer network operations (CNO), the other two of which are computer network defense (CND) and related computer network exploitation (CNE) enabling operations. Computer network attack (CNA) refers to actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. CND refers to actions taken through the use of computer networks to protect, monitor, analyze, detect, and respond to unauthorized activity against or within DOD information systems and computer networks. CNE (computer network exploitation, an aspect of what this report calls cyberexploitation) refers to operations conducted through the use of computer networks to gather data from target or adversary automated information systems or networks, and the term “related CNE enabling operations” refers to operations undertaken to gather intelligence information for carrying out CNO or CND operations.

Current doctrine (Joint Publication 3-13, Joint Doctrine on Information Operations) notes that all of these capabilities can be used for both offensive and defensive purposes. For example, under this rubric, a computer network attack might be used for a defensive purpose, such as the neutralization of a cyberthreat to a DOD computer or network.

At the date of this writing, an unclassified and authoritative statement of current joint doctrine for the use of computer network attack is unavailable, and it is fair to say that current doctrine on this matter is still evolving. However, in testimony to the House Armed Services Committee on March 21, 2007, General James E. Cartwright, Commander of the United States Strategic Command, said that “cyberspace has emerged as a warfighting domain not unlike land, sea, and air, and we are engaged in a less visible, but nonetheless critical battle against sophisticated cyberspace attacks.” He pointed out the importance of deterring adversaries and assuring U.S. freedom of action in cyberspace, and argued that “fundamental to this approach is the integration of cyberspace capabilities across the full range of military operations.” He then observed that “to date, our time and resources have focused more on network defenses to include firewalls, antivirus protection, and vulnerability scanning. [But] while generally effective against unsophisticated hackers, these measures are marginally effective against sophisticated adversaries.” Following this observation, he then stated:

    History teaches us that a purely defensive posture poses significant risks; the “Maginot Line” model of terminal defense will ultimately fail without a more aggressive offshore strategy, one that more effectively layers and integrates our cyber capabilities. If we apply the principles of warfare to the cyber domain, as we do to sea, air, and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary to deter actions detrimental to our interests.

A number of other DOD and service statements and publications have added texture to the perspective articulated by General Cartwright. The 2006 National Military Strategy for Cyberspace Operations (redacted copy available online [1]) says that “as a war-fighting domain … cyberspace favors the offense … an opportunity to gain and maintain the initiative.” It further defines cyberspace as a domain “characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.”

Prevailing military doctrine calls for the U.S. dominance of domains of warfare, traditionally including land, sea, air, and space, and now including cyberspace. Dominance in a domain means that the U.S. military should have freedom of access to and use of the domain, and should be able to deny access to and use of that domain to an adversary—and dominance requires that the United States play both offense and defense. Furthermore, if cyberspace is like any other warfighting domain, the fundamental concepts of warfare must apply to the cyberspace domain.

[1] See http://www.dod.mil/pubs/foi/ojcs/07-F-2105doc1.pdf.
An example of how such thinking regarding cyberspace-as-domain can play out was described to the committee in a briefing from the Air Force Cyberspace Task Force (CTF). In the CTF view, the United States should be provided with “offensive capabilities and deliberate target sets.” In addition, the briefing argued that “cyber favors the offensive” and that under this rubric fell several different missions, including strategic attack directly at enemy centers of gravity, suppression of enemy cyberdefenses, offensive countercyber, defensive countercyber, and interdiction. Consistent with Secretary of the Air Force Michael W. Wynne’s statement that “all aspects of air war will have some equivalent role in cyber war,” [2] these missions have rather close analogs to traditional Air Force missions—strategic bombing attack against enemy centers of gravity, suppression of enemy air defenses to facilitate airspace penetration of enemy borders, offensive counter-air (destroying enemy aircraft on the ground), defensive counter-air (defending friendly territory from enemy aircraft in the air), and interdiction (attack of enemy assets far behind the battlefront). [3] (Whether this particular view of cyberspace as a domain of military conflict will ultimately be adopted throughout the Department of Defense is not clear at this time.)

The doctrinal perspective that cyberspace is another warfighting domain has other implications as well. For example, operations in cyberspace need to be synchronized and coordinated with other operations, just as land and air operations, for example, must be synchronized and coordinated. In other words, during overt or open military conflict, it is highly likely that information operations—including cyberattacks if militarily appropriate—will not be the only kind of military operations being executed. Examples of coordination issues are described in Box 3.1.

BOX 3.1 Possible Coordination Issues for Cyberattack

Cross-domain coordination requires that the effects of a cyberattack on the physical world (both direct and consequential) and the timing of those effects should be known with enough certainty that their possible use can be taken into account in operational planning. Some issues include the following:

• Coordination with other military operations. Planners might choose to attack a given target using both a cyberweapon and a kinetic weapon. Redundancy in an attack, especially using different modes of attack that might exploit different vulnerabilities, is often desirable from a planning perspective. On the other hand, problems may result if the damage assessment from one operation is not available to those planning the other operation (e.g., as the result of stovepiping within executing agents).

• Coordination between cyber operations for attack and for defense. A computer network attack launched by the U.S. military may stimulate a counter-response from an adversary that could affect U.S. computers and networks, which may—or may not—be under military control. For example, a cyberattack that is conducted against a target in a given geographic command (e.g., PACOM) by the U.S. Strategic Command may stimulate action that has an impact on the regional networks used by that geographic command. A cyberattack launched by the United States may also stimulate adversary action that would have an impact on private sector network use and potentially disrupt important civilian activities—suggesting that cyberattacks by the U.S. military may have defensive implications.

• Coordination between cyberattack and cyberexploitation. Unless attack and exploitation are coordinated, it is possible to imagine scenarios in which a cyberattack to plant false information in an adversary’s database results in the cyberexploitation extracting that false information and using it as though it were real and valid. And, of course, there is the classic conflict about whether it is more desirable to shut down an adversary’s communication channel (an attack operation) or to listen to it (an exploitation operation).

The doctrinal perspective further implies that cyberweapons should be regarded as no different from any other kind of weapon available to U.S. forces. That is, their use should be initiated on the basis of their suitability for conducting the attacks in question, and should not require any extraordinary analysis or authority to which the non-cyberspace military is not already accustomed. Thus, in determining the best way to attack a target, cyberweapons simply provide the operational planner with another option, in addition to the air-delivered laser-guided bomb and the Special Operations force with demolition charges.

Similar considerations apply from a legal perspective. For example, all military operations are subject to certain limitations mandated by the law of armed conflict regarding differentiation of targets, military necessity, limiting collateral damage, and so on. Of course, targets in cyberspace are different from targets on the ground, so the facts relevant to any given operation may be different in the former case than in the latter, but the analytical process remains the same. Thus, if it is legitimate to attack a target with kinetic weapons, it remains legitimate under the laws of armed conflict to attack it with cyberweapons. These considerations are addressed at length in Chapter 7.

In short, according to this perspective, conflict in cyberspace should be treated like conflict in a physical domain, the same rules and policies should apply, and the only differences are operational.

[2] Michael W. Wynne, “Flying and Fighting in Cyberspace,” Air & Space Power Journal, Spring 2007, available at http://www.airpower.maxwell.af.mil/airchronicles/apj/apj07/spr07/wynnespr07.html.

[3] Indeed, Lt. Gen. Bill Donahue (USAF, ret.) argued in a briefing to the committee that one could almost literally do a global search and replace that would replace “Air” with “Cyberspace” in Air Force warfighting doctrine.
3.2 DEPARTMENT OF DEFENSE ORGANIZATION FOR CYBERATTACK

The U.S. Strategic Command (STRATCOM) plays a key role in DOD cyber operations. STRATCOM is composed of eight functional components, including five Joint Functional Component Commands (JFCCs). [4] Each JFCC is responsible for focusing on a specific operational area—one of those operational areas involves offensive network warfare (NW) and defensive network operations (NetOps). [5]

Offensive network warfare is the responsibility of the Joint Functional Component Command for Network Warfare (JFCC-NW). The commander of the JFCC-NW is also the director of the National Security Agency (NSA) and is “responsible for deliberate planning of network warfare, which includes coordinated planning of offensive network attack.” [6] JFCC-NW was established in January 2005. [7] Network warfare as used in the context of JFCC-NW means “the employment of Computer Network Operations (CNO) with the intent of denying adversaries the effective use of their computers, information systems, and networks, while ensuring the effective use of our own computers, information systems, and networks.” [8] These operations include computer network attack (CNA), computer network exploitation (CNE), and computer network defense (CND). The JFCC-NW also supports the network warfare needs of Combatant Commands/Commanders (COCOMs). [9]

Defensive network operations are the responsibility of the Joint Task Force-Global Network Operations (JTF-GNO). The commander of JTF-GNO is also the director of the Defense Information Systems Agency and is responsible for operating and defending the DOD information infrastructure known as the Global Information Grid (GIG). The Joint Information Operations Warfare Command, responsible for assisting combatant commands with an integrated approach to information operations, coordinates network operations and network warfare with the JTF-GNO and the JFCC-NW. [10] As of November 2008, the JTF-GNO has for the first time been placed under the operational control of the JFCC-NW. [11]

The JFCC-NW engages in a substantial amount of coordination with other entities. It coordinates its offensive activities directly with the defensive activities of the JTF-GNO. It “facilitates cooperative engagement with other national entities in computer network defense and network warfare as part of global information operations.” [12] Because the commander of the JFCC-NW is dual-hatted as the director of the National Security Agency (Box 3.2), the JFCC-NW can easily work with the intelligence community to provide intelligence support for computer network operations. In addition, coordination between cyberattack (a Title 10 function) and cyberexploitation (a Title 50 function) is more easily accomplished.

Lastly, Joint Publication 3-13 also notes that

    CDRUSSTRATCOM’s specific authority and responsibility to coordinate IO [information operations, Box 3.3] across AOR and functional boundaries does not diminish the imperative for the other combatant commanders to coordinate, integrate, plan, execute, and employ IO. These efforts may be directed at achieving national or military objectives incorporated in TSCPs [Theater Security Cooperation Programs], shaping the operational environment for potential employment during periods of heightened tensions, or in support of specific military operations.

Two important points are embedded in this paragraph. First, STRATCOM is not necessarily the only command that can actually carry out information operations, including computer network attack. (In some cases, STRATCOM will be a supporting command that provides support to other regional or functional commands. In other cases, it will be the supported command, receiving support from other regional or functional commands.) Second, information operations, including computer network attack, may be used both in support of specific military operations and during periods of “heightened tensions,” that is, early use before overt conflict occurs.

[4] The eight components are JFCC–Global Strike and Integration (JFCC-GSI), JFCC–Integrated Missile Defense (JFCC-IMD), JFCC–Intelligence, Surveillance and Reconnaissance (JFCC-ISR), JFCC–Space (JFCC-SPACE), Joint Information Operations Warfare Command (JIOWC), STRATCOM Center for Combating Weapons of Mass Destruction (SCC-WMD), and Joint Task Force–Global Network Operations (JTF-GNO). See http://www.stratcom.mil/organization-fnc_comp.html.

[5] Lt. Gen. Keith B. Alexander, “Warfighting in Cyberspace,” Joint Force Quarterly 46(3):58-61, 2007.

[6] Clay Wilson, “Information Operations and Cyberwar: Capabilities and Related Policy Issues,” U.S. Congressional Research Service (RL31787), updated September 14, 2006, p. 8.

[7] JFCC-NW Implementation Directive, January 20, 2005. Cited in Keith B. Alexander, “Warfighting in Cyberspace,” Joint Force Quarterly, July 2007, available at http://www.military.com/forums/0,15240,143898,00.html.

[8] USSTRATCOM Command Video, available at http://www.stratcom.mil/Videos/transcripts/Command%20Video.txt.

[9] Joint Publication 3-13 (2006) states that STRATCOM has responsibility for “identifying desired characteristics and capabilities of CNA, conducting CNA in support of assigned missions, and integrating CNA capabilities in support of other combatant commanders.”

[10] Clay Wilson, “Information Operations and Cyberwar,” 2006.

[11] Memo of Robert Gates (Secretary of Defense) to DOD regarding Command and Control for Military Cyberspace Missions, November 12, 2008. Copy available from the NRC.

[12] U.S. Strategic Command website, http://www.stratcom.mil/about-ch.html.
BOX 3.2 The National Security Agency-Central Security Service

Often known simply as the National Security Agency, the organization is in fact a combat support agency of the DOD under the authority, direction, and control of the Secretary of Defense, and is responsible for centralized coordination, direction, and performance of highly specialized intelligence functions in support of U.S. government activities. It includes both the National Security Agency and the Central Security Service.

The NSA carries out the responsibilities of the Secretary of Defense to serve as executive agency for U.S. government signals intelligence (SIGINT), communications security, computer security, and operations security training activities. The CSS is composed of the Service Cryptologic Elements of the four uniformed services that are responsible for conducting their Title 50 SIGINT mission, and provides the military Services a unified cryptologic organization within the DOD that assures proper control of the planning, programming, budgeting, and expenditure of resources for cryptologic activities. Service cryptologic elements also perform other missions in direct support of their respective Services related to information operations (including computer network operations), and in doing so, they operate under Title 10 authority.

The director of the National Security Agency (DIRNSA) serves as the director of both the National Security Agency and the Central Security Service and has both Title 10 and Title 50 responsibilities. As national executive agent for SIGINT, DIRNSA has operated with Title 50 authority and thus would be responsible for conducting cyberexploitations, which by definition are not supposed to damage, degrade, or disable adversary computer systems or networks. As the party responsible for DOD information assurance, DIRNSA has operated with Title 10 authority. Finally, in January 2005, the Joint Functional Component Command for Network Warfare (JFCC–NW) was established under the U.S. Strategic Command, and DIRNSA was designated as its commander. As such, DIRNSA operates with Title 10 authority for any offensive missions (including cyberattacks) undertaken by the JFCC-NW.

As this report is being written, these arrangements are in flux, as the DOD and the intelligence community are discussing the potential standup of a cyber combatant command.

BOX 3.3 Information Operations and Related Capabilities

Computer network operations are themselves part of a larger complex designated as information operations (IO) by the Joint Chiefs of Staff. These other elements of information operations include:

• Psychological operations (PSYOP), which include operations to convey selected truthful information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately, the behavior of their governments, organizations, groups, and individuals. The purpose of PSYOP is to induce or reinforce foreign attitudes and behavior favorable to the originator’s objectives.

• Military deception, which includes actions taken with the purpose of deliberately misleading adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly forces’ mission.

• Operations security (OPSEC), which is a process of identifying critical information and subsequently analyzing friendly actions and other activities to identify what friendly information is necessary for the adversary to have sufficiently accurate knowledge of friendly forces and intentions; deny adversary decision makers critical information about friendly forces and intentions; and cause adversary decision makers to misjudge the relevance of known critical friendly information because other information about friendly forces and intentions remains secure. OPSEC seeks to deny real information to an adversary and prevent correct deduction of friendly plans.

• Electronic warfare (EW) refers to any military action involving the use of electromagnetic (EM) and directed energy to control the EM spectrum or to attack the adversary. EW includes electronic attack (EM energy, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying adversary combat capability), electronic protection (which ensures the friendly use of the EM spectrum), and electronic warfare support (ES, which searches for, intercepts, identifies, and locates or localizes sources of intentional and unintentional radiated EM energy for the purpose of immediate threat recognition, targeting, planning, and conduct of future operations). ES data can be used to produce SIGINT, provide targeting for electronic or other forms of attack, and produce measurement and signature intelligence (MASINT). SIGINT and MASINT can also provide battle damage assessment (BDA) and feedback on the effectiveness of the overall operational plan.

In addition, a number of other capabilities support information operations in the DOD context, such as information assurance (IA), physical security, physical attack, and counterintelligence. Capabilities related to IO include public affairs (PA), civil-military operations (CMO), and defense support to public diplomacy. The Joint Chiefs of Staff note that these capabilities can also make significant contributions to IO but that their primary purpose and the rules under which they operate must not be compromised by IO.

3.3 RULES OF ENGAGEMENT

In general, the rules of engagement (ROEs) for military forces specify the circumstances under which they may take certain kinds of action. (The laws of armed conflict place additional constraints on the permissible actions of military forces.) For example, many military installations contain areas in which “the use of deadly force is authorized” to stop individuals from trespassing—guards of such areas are authorized (but not required) to use any means necessary to do so.
Some of the issues relevant to formulating ROEs for cyberattack might include:

• When to execute a cyberattack—what are the circumstances under which a cyberattack might be authorized?

• Scope of a cyberattack—what are the entities that may be targeted?

• Duration of the cyberattack—how long should a cyberattack last?

• Notifications—who must be informed if a cyberattack is conducted?

• Authority for exceptions—what level of authority is needed to grant an exception for standing ROEs?

To illustrate, consider the standing rules of engagement promulgated by the Joint Chiefs of Staff, which state that “a [U.S.] commander has the authority and obligation to use all necessary means available and to take all appropriate [i.e., necessary and proportional] actions to defend that commander’s unit and other U.S. forces in the vicinity from a hostile act or demonstration of hostile intent [emphasis added],” [13] where “hostile intent” is understood to mean that another party has taken some action that reasonably indicates a potential for more or less immediate attack. Applying this rule to the cyber domain raises the question of which actions constitute a demonstration of hostile intent. For example, do non-destructive adversary probes of important U.S. military computer systems and networks (or even systems and networks associated with U.S. critical infrastructure) constitute demonstrations of hostile intent? If so, do such actions justify actions beyond the taking of additional passive defense measures? Would a commander be permitted to conduct probes on adversary networks from which these probes were emanating? To conduct a responsive cyberattack to neutralize the probes?

On this specific topic, Rear Admiral Betsy Hight of the Joint Task Force on Global Network Operations testified to the committee that the commander of the U.S. Strategic Command has operational authority to conduct cyber operations that are defensive in purpose against systems outside the DOD networks. The action taken in the operation may have an offensive character—that is, it may seek to damage or disrupt a system that is adversely affecting a DOD asset. Self-defense is generally limited in scope to addressing or mitigating the immediate hostile act, and is a last resort. The frequency with which the U.S. Strategic Command has actually acted under this asserted authority, if at all, is unknown.

[13] Joint Chiefs of Staff, Chairman of the Joint Chiefs of Staff Instruction, CJCSI 3121.01A, January 15, 2000, Standing Rules of Engagement for US Forces, available at http://www.fas.org/man/dod-101/dod/docs/cjcs_sroe.pdf.
CND response actions (RAs) are a specific subset of self-defense and are likewise constrained to a measured response used as a last resort. CND RAs can be used only in response to a network event that creates a threshold impact. Additional limitations constrain the scope, duration, and impact of the CND RA. Moreover, CND RAs, like all self-defense, are a tactical activity, characterized as such because they are used in response to a specific hostile action and are designed to address and mitigate that action, and only that action. Offensive actions are not so limited. Both offensive and defensive actions must follow the law of war limitations with regard to differentiation of targets, military necessity, and limiting collateral damage, but defensive actions tend to be more limited in scope.

Such self-defense operations would be designated as a CND response action, authority for which is described, constrained, and granted through standing rules of engagement established by the National Command Authority and flowing, through the secretary of defense, from the President’s authority as commander-in-chief. Standing rules of engagement generally describe the authority commanders have to defend their personnel and designated property. According to Admiral Hight’s testimony to the committee, the rules of engagement for CND response actions also specify that they are not authorized unless the hostile action has an impact on the ability of a combatant commander to carry out a mission or an ongoing military operation, and in particular that hostile actions that result only in inconvenience or that appear directed at intelligence gathering do not rise to this threshold.

An example of a legitimate target for a CND response action would be a botnet controller that is directing an attack on DOD assets in cyberspace. Thus, if bots are active in DOD networks, and if through DOD mission partners the controller of those bots can be identified in cyberspace, and if the botnet attack is compromising the DOD network’s ability to carry out its mission operationally, a CND response action—involving cyberattack—can be directed against the controller under these standing rules of engagement.

As for geographic scope, a hostile cyber act may emanate from anywhere in cyberspace. Accordingly, the impact of CND response actions directed against that source could also occur anywhere in cyberspace. The ease with which actors can use and misuse U.S.-based cyber assets for malicious purposes increases the probability that future CND response actions might impact that space. For this reason, the JTF-GNO maintains relationships with law enforcement, other federal entities, and Internet service providers. This ensures that if some other national asset, or the commercial sector, can mitigate malicious cyber activity against the DOD, those assets are used before resorting to CND response actions.

The final point about this particular example is that from the DOD perspective, the cessation of a hostile action may be more important than the attribution of the action to a particular actor. Accordingly, under the stated policy, the DOD may be willing to take many steps to ensure that the hostile action ceases, even if those actions have ramifications beyond U.S. borders.

3.4 SOME HISTORICAL PERSPECTIVE

Because the number of confirmed and unclassified instances of cyberattack launched by governments, friendly or hostile, is vanishingly small, it is hard to cite actual experience as a basis for understanding the effects of cyberattack. But a number of other incidents can provide some insight. Although the events described are not cyberattacks themselves, the affected entities involved are the kinds of targets that proponents of cyberattack weapons often discuss when advancing the case for the value of such weapons. The operational effects are the kinds of effects that cyberattacks might seek to cause.

In December 2006, a major fiber optic cable providing some 50 percent of Iran’s digital communications and Internet connections was damaged in Iran’s territorial waters in the Persian Gulf. A month later, 80 percent of the damaged capability had been restored.

In late December 2006, an earthquake off the shores of Taiwan damaged or destroyed eight fiber optic lines that connected Taiwan to other nations in the Pacific. There was some disruption to Internet and phone service for about 2 days, and Internet connections were slow in Taiwan, Hong Kong, Japan, China, Singapore, and South Korea. However, although the cables were not repaired for almost 3 weeks, workarounds restored most services quickly.

In February 2007, Mexico’s largest cell phone company experienced a “crash” that left 40 million cell phone users without service for most of a day.

In May 1999, the United States targeted the Belgrade electric power system as part of the Kosovo conflict, using carbon fibers to short generators. In all, four strikes were conducted against the power system, but in each case, power generation was restored within a few days to a substantial fraction of what it was prior to the strike.

Perhaps the most important feature of these incidents is the fact that their effects were relatively transitory, largely because the parties affected found workarounds that enabled them to compensate for the immediate loss of capability. If these incidents had been caused deliberately, it is likely that repeated attacks would have been necessary to ensure that
3.5 CYBERATTACK IN SUPPORT OF MILITARY OPERATIONS—SOME HYPOTHETICAL EXAMPLES

What are some of the applications of cyberattack? It is helpful to consider several broad categories separately. Cyberattack can support other information operations, and it can support military operations outside the information operations sphere. In addition, cyberattack can be applied to missions that are not traditionally within the military domain.

3.5.1 Cyberattack in Support of Defense, Exploitation, and Other Information Operations

As noted above, cyberattack can be used defensively to eliminate a threat to DOD systems or networks (an application of computer network defense). For example, the DOD might use a botnet to launch a DDOS counterattack to disable the computers from which a threat to DOD systems originates.22 In support of CNE, a cyberattack could be used to disable security software so that a cyberexploitation could then insert monitoring software (e.g., key loggers) on adversary computers or networks.

Cyberattack can also be used to support other, non-computer information operations. For example:

Psychological operations. A cyberattack could be used to generate frequent e-mail messages or telephone calls to specific adversary decision makers. The frequency of such messages or calls could disrupt their work environments, making it difficult for them to work there.
And the content of such e-mail messages could include threats such as “your building is going to be bombed in 30 minutes; it is a good idea if you leave” or “we know where your lover’s safe house is.”23 Another PSYOP application might call for the launching of a small but very visible cyberattack and then announcing it to the adversary in order to undermine the adversary’s confidence in its essential systems.24

Operations security. Cyberattacks could be used to target specific adversary sensor systems that are intended to report information related to the location of friendly forces. For example, an adversary may have compromised a computer system on a DOD network that has access to information related to troop movements. An attack on that computer could render it inoperative, but it might be more useful to feed it incorrect information about troop movements, knowing that such information might be highly trusted by the adversary.

Military deception.25 Cyberattacks could be used to gain access to an adversary computer system in its command and control structure. By assuming control of a computer used by a senior intelligence analyst, for example, bogus e-mail traffic could be sent to that analyst’s customers. The contents of these e-mails could easily provide misinformation regarding the military capabilities, intentions, locations, and operations of friendly forces. Moreover, e-mails sent back to the analyst in response could be intercepted and modified as appropriate before being displayed to the analyst.

Electronic warfare. Cyberattacks could be used to disable an adversary’s software-defined radios, thus preventing enemy wireless battlefield communications (which is often a goal of EW). EW could also support cyberattacks. For example, to the extent that adversary computer systems are connected through wireless links, EW might be used to jam those links in order to disrupt the wireless network; that is, jamming would be a denial-of-service cyberattack against the network in question.

22 The notion that the United States would actually do so—use a botnet in such a manner—is speculative, but such speculation has been seen from senior military lawyers, such as the staff judge advocate for the Air Force Intelligence, Surveillance and Reconnaissance Agency. See Charles W. Williamson III, “Carpet Bombing in Cyberspace: Why America Needs a Military Botnet,” Armed Forces Journal International, May 2008, available at http://www.armedforcesjournal.com/2008/05/3375884.

23 Air Force Doctrine Document 2-5 (issued by the Secretary of the Air Force, January 11, 2005) explicitly notes that “psychological operations can be performed using network attack [defined as employment of network-based capabilities to destroy, disrupt, corrupt, or usurp information resident in or transiting through networks] to target and disseminate selected information to target audiences.” See http://www.herbb.hanscom.af.mil/tbbs/R1528/AF_Doctrine_Doc_2_5_Jan_11_2005.pdf.

Cyberattack can also be used to support related missions, such as propaganda. Here is one possible example: Ruritania and Zendia are adversaries.
Ruritania penetrates a Zendian GIS focused on Armpitia, a Ruritanian ally, to alter maps and targeting databases. An Armpitian building containing a day-care center is marked as a munitions bunker, a historic cathedral as a troop barracks, and the embassy of a neutral nation as a branch of the ally’s ministry of defense. When Zendia launches an attack on Armpitia using cruise missiles, it destroys the embassy and the cathedral, and kills dozens of children. CNN shows the evidence of the war crimes to the world. Public opinion swings against Zendia, war crimes charges are filed at The Hague, and Zendian planners lose confidence in their standoff weapon systems.

Another example is the use of botnets to send spam e-mail carrying propaganda messages to an entire population. One related instance occurred in 2000, when a virus was used to spread information regarding a specific ethnically based incident or community in Sri Lanka.26

24 Defense Science Board, “Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software,” U.S. Department of Defense, September 2007, p. 22.

25 Air Force Doctrine Document 2-5 (issued by the Secretary of the Air Force, January 11, 2005) explicitly notes that “network attack may support deception operations against an adversary by deleting or distorting information stored on, processed by, or transmitted by network devices.” Available at http://www.herbb.hanscom.af.mil/tbbs/R1528/AF_Doctrine_Doc_2_5_Jan_11_2005.pdf.

3.5.2 Cyberattack in Support of Traditional Military Operations

Cyberattacks could also be used in connection with a variety of traditional military operations. Five illustrative examples are provided below.

Disruption of adversary command, control, and communications. Such disruption could involve denial of service (so that those links are unusable) or spoofing or impersonation of legitimate authorities (so that the information received by one party is not the information sent by the originating party). Tactical C2 networks and/or links between the adversary national command authority and forces in the field could be disrupted. Adversary planning (e.g., for military actions against U.S. forces) could be disrupted or altered clandestinely.

Suppression of adversary air defenses. A networked air defense system that can pass data from forward-deployed sensors to air defense forces in the rear is much more effective than one without such coordination. Disruption of such communications links can degrade the performance of the overall system considerably.
It is also possible to imagine that, long before any attack took place, an air defense radar delivered to an adversary might be clandestinely programmed to ignore certain radar signatures, namely those associated with airplanes friendly to the attacker, but only during certain times of day. From the adversary’s perspective, the radar would appear to be working properly, as it would detect most airplanes most of the time. But the attacker would know the proper window in which to attack so that its airplanes would be ignored.

Degradation of adversary smart munitions and platforms (example 1). Platforms (e.g., airplanes) and munitions (e.g., missiles) are increasingly controlled by microelectronics, and such platforms may be sold or made available to other parties (e.g., friendly nations or insurgent groups). But there may be no assurance that these items will never be used against U.S. forces. To guard against this possibility, the electronics of such systems could be programmed to self-destruct if a “stay-alive” code were not entered after a fixed period of time, or if the hardware saw a particular bit stream on a communications bus or in memory. The “self-destruct” bit stream could, in principle, be transmitted by U.S. forces confronted with these platforms or munitions.

Degradation of adversary smart munitions and platforms (example 2). Zendia acquires smart weapons using GPS chips made in a factory in a country friendly to the United States. Unbeknownst to Zendia, the GPS chips contain circuitry such that, if they are given coordinates within the borders of the United States or its allies, they translate the coordinates in a random direction by a distance of 2 times the damage radius that the United States has calculated for the weapons in use. The weapons test fine for Zendia on all of its ranges, and work fine when they are used in a skirmish against a neighbor. However, in any engagement with a U.S. ally, the weapons consistently fail to hit their targets, and no adjustment is possible because of the random nature of the translation.

Attacking adversary warfighting or warmaking infrastructure (the adversary defense industrial base). A cyberattack might be used to gain access to a factory producing electric motors for military vehicles. (The factory in question is poorly managed and produces motors only for military use.) With a few commands, the factory is redirected to produce motors using materials that are badly suited for the demands of heavy military use.

26 Second Incident of Cyber-Terrorism in Sri Lanka, available at http://www.lankaweb.com/news/items01/210501-2.html.
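The radar and GPS examples above share one design feature: a trigger condition (a time window, a geofence) chosen so that the buyer’s own acceptance testing never exercises the sabotaged path. The simulation below is an added illustration and is not part of the report. It makes that point concrete for the GPS case: a sabotaged guidance function behaves identically to an honest one except inside a protected area, where it shifts the aimpoint by twice the damage radius in a random bearing. A range test confined to the buyer’s own territory passes; a differential test that sweeps the whole input domain against a trusted reference catches the divergence; and averaging many shots shows why no fixed correction can be dialled in. The geofence rectangle, the 50 m damage radius, the test-range and sweep grids, and the flat-earth distance approximation are all constructed assumptions for this example.

```python
"""Conditionally triggered guidance sabotage, and the tests that do and do not
catch it.  Illustrative simulation only; every number here is constructed."""
import math
import random

METERS_PER_DEG_LAT = 111_320.0  # flat-earth, small-angle approximation (assumption)

# Constructed stand-in for "inside the borders of the United States or its
# allies": a lat/lon rectangle (lat_min, lat_max, lon_min, lon_max).
PROTECTED_BOX = (30.0, 49.0, -125.0, -66.0)

# Constructed damage radius, in metres, that the attacker assumes for the weapon.
DAMAGE_RADIUS_M = 50.0


def in_protected_area(lat, lon, box=PROTECTED_BOX):
    lat_min, lat_max, lon_min, lon_max = box
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max


def offset_point(lat, lon, distance_m, bearing_rad):
    """Move (lat, lon) by distance_m along bearing_rad (0 = north, pi/2 = east)."""
    dlat = distance_m * math.cos(bearing_rad) / METERS_PER_DEG_LAT
    dlon = distance_m * math.sin(bearing_rad) / (METERS_PER_DEG_LAT * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon


def ground_distance_m(a, b):
    """Distance between two (lat, lon) pairs under the same approximation as offset_point."""
    north = (b[0] - a[0]) * METERS_PER_DEG_LAT
    east = (b[1] - a[1]) * METERS_PER_DEG_LAT * math.cos(math.radians(a[0]))
    return math.hypot(north, east)


def honest_guidance(lat, lon, rng=None):
    """Trusted reference: the chip hands back exactly the coordinates it was given."""
    return lat, lon


def trojaned_guidance(lat, lon, rng):
    """Sabotaged chip: indistinguishable from honest_guidance outside the geofence;
    inside it, the aimpoint is translated by 2 x damage radius in a uniformly
    random bearing, so every shot lands outside the damage radius."""
    if not in_protected_area(lat, lon):
        return lat, lon
    return offset_point(lat, lon, 2 * DAMAGE_RADIUS_M, rng.uniform(0.0, 2 * math.pi))


def grid(lat_min, lat_max, lon_min, lon_max, step):
    """Regular grid of aimpoints covering a lat/lon box (constructed test input)."""
    points = []
    lat = lat_min
    while lat <= lat_max + 1e-9:
        lon = lon_min
        while lon <= lon_max + 1e-9:
            points.append((lat, lon))
            lon += step
        lat += step
    return points


# Constructed aimpoints: the buyer's own test ranges (outside the geofence) and a
# coarse sweep of the whole globe that a differential acceptance test would use.
BUYER_RANGES = grid(10.0, 12.0, 40.0, 42.0, 0.5)
GLOBAL_SWEEP = grid(-60.0, 70.0, -180.0, 170.0, 10.0)


def divergent_aimpoints(device, reference, aimpoints, tolerance_m=1.0, seed=0):
    """Differential test: aimpoints where the device under test and a trusted
    reference disagree by more than tolerance_m."""
    rng = random.Random(seed)
    return [p for p in aimpoints
            if ground_distance_m(reference(*p, rng), device(*p, rng)) > tolerance_m]


def passes_range_test(device, aimpoints=BUYER_RANGES, tolerance_m=1.0):
    """Vendor-style acceptance test: exercise the device only on the buyer's ranges."""
    return not divergent_aimpoints(device, honest_guidance, aimpoints, tolerance_m)


def max_miss_distance_m(device, aimpoints, seed=0):
    """Largest distance between commanded and returned aimpoint over the inputs."""
    rng = random.Random(seed)
    return max(ground_distance_m(p, device(*p, rng)) for p in aimpoints)


def mean_error_m(device, lat, lon, shots=2000, seed=1):
    """Average (north, east) error over many shots at one aimpoint.  Because the
    bearing is random, the mean tends to zero even though each shot is 2R off,
    so no constant correction can compensate."""
    rng = random.Random(seed)
    north = east = 0.0
    for _ in range(shots):
        got = device(lat, lon, rng)
        north += (got[0] - lat) * METERS_PER_DEG_LAT
        east += (got[1] - lon) * METERS_PER_DEG_LAT * math.cos(math.radians(lat))
    return north / shots, east / shots


if __name__ == "__main__":
    print("range test, honest chip:  ", passes_range_test(honest_guidance))
    print("range test, trojaned chip:", passes_range_test(trojaned_guidance))
    bad = divergent_aimpoints(trojaned_guidance, honest_guidance, GLOBAL_SWEEP)
    print("differential test flags", len(bad), "aimpoints, all inside the geofence:",
          all(in_protected_area(*p) for p in bad))
    print("miss distance inside geofence (m):", round(max_miss_distance_m(trojaned_guidance, bad), 3))
    print("mean error after 2000 shots (m):",
          [round(v, 2) for v in mean_error_m(trojaned_guidance, 40.0, -100.0)])
```

The lesson for an acquirer is the one hardware-trojan detection work draws: functional testing on the inputs you expect to use says nothing about the inputs the adversary expects you to use. Acceptance testing of supplied components therefore has to cover the operational envelope rather than just the test range, and has to compare against an independent reference rather than against the device’s own self-consistency, which the random translation above preserves.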
Such motors work for a short time, but by the time the problem is discovered, many such motors have been shipped and installed in the adversary’s military vehicles.

3.5.3 Cyberattack in Support of Other Operations

Cyberattack can support a variety of other operations as well, though these are not in the category of what is traditionally undertaken by military forces. Illustrative cyberattacks against terrorist groups or international organized crime are described in Chapter 4, on the intelligence community; illustrative cyberattacks in support of cyberexploitation against domestic criminals are described in Chapter 5, on domestic law enforcement. However, an important point to note is that, irrespective of whether the intelligence community or domestic law enforcement agencies find it useful and appropriate to conduct cyberattacks against some adversary, it may well be that the U.S. military is the only U.S. government agency with the technical capacity to launch appropriately focused cyberattacks of significance. Thus, if U.S. military assets and personnel are needed for such purposes, appropriate interagency understandings would have to be reached, and the necessary legal authorities obtained, to allow the DOD to execute cyberattacks on behalf of any of these other agencies.

For illustrative purposes only, the examples below describe how cyberattack might be used in support of non-military objectives:

The leader of an adversary nation controls significant military forces, presides over significant human rights violations in his country, and enriches himself at public expense. A cyberattack could be one approach to threatening the leader’s personal financial assets. The existence of such a personal threat might be useful in influencing the leader to stand down his military forces when peacekeeping forces arrive.

Cyberattack might be an element of a strategic communications effort directed at the population of a nation. Just as radio has been a medium through which the United States has been able to provide information unfiltered by the governments of nations of interest (e.g., Radio Free Europe), the Internet is such a medium today and for the future. However, since nations have been known to block information flows that they regard as unfriendly, U.S. cyberattacks might be used to help residents of these nations circumvent or avoid these blocking mechanisms.

Cyberattack might be an element of a strategic communications effort against an adversary. For example, some terrorist groups are known to use the World Wide Web for recruiting purposes and the Internet for communications. Cyberattacks might be used to compromise recruiting websites or servers known to be used by terrorists.

Another scenario relates to a kinetic attack on a nation that is accompanied by a cyberattack against that nation’s government and media websites.
Such an attack might be used to inhibit that nation’s ability to tell the world its side of the story,27 or perhaps even to assume control of those websites and provide the world (and the nation’s own citizens) with information more favorable to the attacker’s position.

It must be emphasized that the scenarios described above are not endorsed by the committee as desirable applications; they are presented only because they represent the kinds of scenarios that arise naturally in discussions about cyberattack in pursuit of large-scale strategic interests. As an illustration of a potential problem with such scenarios, consider that manipulation of the information on the websites of an adversary nation’s government might affect the information received by U.S. citizens (e.g., through news media receiving altered or manipulated information from those sources and broadcasting that information in the United States). To the extent that the altered or manipulated information was untrue, the U.S. government might be explicitly responsible for misleading the public, an action that could negatively affect the free speech rights of U.S. citizens.

27 According to press reports, a cyberattack on Georgian government websites was launched (perhaps by the Russian government, perhaps by private parties sympathetic to the Russian attack) to coincide with the August 2008 Russian attack on South Ossetia, which had the effect of limiting the Georgian government’s ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia. See John Markoff, “Before the Gunfire, Cyberattacks,” New York Times, August 13, 2008, available at http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=1&oref=slogin.

3.6 OPERATIONAL PLANNING

Operational planning processes for cyberattack are not publicly known. But given the similarities between Air Force doctrine for air operations and the cyber missions laid out in Section 3.1, it is not unreasonable to suggest a notional planning process for cyberattack that roughly parallels the process for planning offensive air operations, specifically the development of the air tasking order (ATO), which specifies in great detail the actions of air assets in a specific conflict for a specific period of time (usually 24 hours). The development of a notional cyberattack tasking order (CTO) might entail the following steps.

The starting point is the explication of the commander’s objectives and guidance, and his vision of what constitutes military success. The intent of the operation is defined, and priorities are set. The commander’s intent drives the development of targeting priorities and the appropriate rules of engagement. For example, the commander would determine whether the intent of the cyberattack is to create widespread chaos or very specific, targeted damage.

The next step is target development.
Subject to requirements imposed by the law of armed conflict and the rules of engagement, targets are nominated to support the targeting objectives and priorities provided by the commander. Targets are selected from a variety of sources, including requests from the field, reconnaissance, and intelligence recommendations. Target development often begins before hostilities begin, and its end product is a prioritized list of targets. Legal issues enter here regarding whether a proposed target is indeed a valid and legitimate military target (the necessity requirement discussed in Chapter 7).

Then comes weaponeering assessment. In this phase, the target list is matched to the appropriate types of weapons in the inventory, taking into account the expected results of using those weapons on these targets. Knowledge of munition effectiveness is thus an essential aspect of weaponeering. Legal issues enter here regarding whether the military value of destroying the target outweighs the collateral damage that might occur during the attack (the proportionality requirement, discussed in Chapter 7).

Force execution refers to the actual execution of the various forces allocated to servicing the targets on the target list, and is the phase in which all elements of the operation are integrated to gain maximum effect. A cyberattack tasking order could support other combat operations, or other combat operations could support cyber operations as their principal role. Deconfliction (i.e., coordination of forces to ensure that they do not interfere with each other) is part of force execution. For a cyberattack, two phases of execution may be required. An initial phase may introduce a vulnerability that can be exploited later, though if an exploitable vulnerability already exists, this phase may not be necessary. A later phase (perhaps much later) involves the actual exploitation of the vulnerability to cause the desired damage.

Combat assessment evaluates the effectiveness of combat operations against the commander’s objectives. It includes battle damage assessment and recommendations for reattack, and it provides the inputs for the next iteration of the cyberattack tasking order.

Another notional process for operational planning of cyberattack might be similar to that used to develop the Single Integrated Operational Plan (SIOP) for using nuclear weapons.28 It is publicly known that the SIOP contains a variety of options from which the President may select should he decide that nuclear weapons should be used.
These options fall into categories such as “Major Attack Options,” “Selected Attack Options,” “Limited Attack Options,” “Demonstration Use,” and so on. Any given option consists of a list of targets, a timetable on which the targets are to be attacked, and the nuclear weapons systems that are to be used in the attack on those targets. Translated into the cyberattack domain, a cyber-SIOP could similarly include a list of targets, a timetable on which the targets are to be attacked, and the cyberweapons that are to be used in the attack on those targets. Large-scale attack options might involve large attacks intended to create far-reaching effects, while small-scale options might be narrowly tailored to address a particular target set. Depending on the rules of engagement and the authorizations needed to execute such a plan, either STRATCOM or the geographic combatant command could carry out any one of these options, though it is likely that STRATCOM would be largely responsible for planning regional attack options as well as attack options relevant to the entire globe.

A major difference between a cyber-SIOP and a nuclear response plan is the possibility of rapid changes in the defensive postures of cyber targets. Many of the targets in any nuclear response plan would be fixed in location, with no defensive measures in place. To the extent that cyber targets might change their defensive postures in ways unknown to a cyberattacker, they are more analogous to the mobile assets in a nuclear response plan, and targeting of mobile assets is known to be an extraordinarily challenging task. The operational implication of a cyber-SIOP is that a static planning process is unlikely to be effective, and both intelligence gathering and attack planning for the possible targets in the various attack options would have to be done on a frequent if not continuous basis.

28 The name of the strategic nuclear response plan was changed to OPLAN 8044 in early 2003. The SIOP terminology is retained here because it is less cumbersome than OPLAN 8044.

3.7 HUMAN CAPITAL AND RESOURCES

As the U.S. armed forces become more involved with offensive cyber operations, it becomes more important to have a professional military corps that is actively engaged in thinking about how best to use the new capabilities associated with cyberattack. From an operational perspective, the complexity and scope of cyberattack suggest that the mix of skills needed to operate successfully is quite broad. Moreover, the necessary skills are not limited to the traditional military specializations of operations, intelligence, and communications; necessary specialized knowledge and information may have to come from the private sector or from other government agencies (e.g., the State Department, the Department of Commerce, or the Office of the U.S. Trade Representative).
Thus, the operational planning process must include some way of making such expertise available to military planners and decision makers. Note also that a distributed planning process is more logistically cumbersome than one in which all the individuals with relevant expertise are available in one location (and in the same time zone).

Another problem regarding the specialized expertise brought to bear in operational planning is the highly classified nature of cyberattack. With such classification practices in widespread use, it becomes difficult to gain broad exposure to the techniques and to the operational implications of employing them, and thus the available expertise is more restricted than it would otherwise be.

Yet another issue is that, as noted in Chapter 2, the success of a cyberattack may well depend on the availability of skilled operators who can think “on the fly” and adapt an attack in progress to circumvent unexpected defenses and unanticipated problems. This fact has many implications for training and suggests the importance of developing cyberattack skills to a very high level of proficiency in a few individuals in addition to developing basic skills in a large number of individuals.

Today, cyberattack operators do not have their own specialization, and they are typically drawn from the intelligence and communications career tracks. (In other cases, they are drawn from combat specializations that do not nurture any particular expertise relevant to cyberattack at all.) In the long run, the increasing skill requirements described above for conducting successful cyberattacks suggest a need for a specialization comparable to the more traditional combat specializations. Such a specialization, likely in operations rather than in intelligence or communications, would provide training and education that integrates the relevant skills from all of the relevant disciplines. It would also provide upward mobility and well-defined career paths with opportunities for multiple promotions and senior leadership.

Lastly, the Department of Defense invests heavily in realistic training and exercises for personnel with traditional military specializations. Training and exercises go far beyond developing individual competence and expertise in combat: they are proving grounds for new tactical concepts and provide insight into how groups of people (i.e., units) can function effectively as a team. Today, traditional military exercises may include a cyber component, but often the cyber component is not prominent in the exercise and only a relatively small fraction of the exercise involves cyber activities.
The investment in training and exercises for cyberattack and cyberconflict is far below that which is allocated to training for combat in traditional domains. However, not enough is known to determine if the current investment is adequate (that is, if it properly reflects the importance and scale of cyber operations in the future) or inadequate (as might be the case if institutional pressures and prejudices gave short shrift to this type of combat). As this report was going to press, Secretary of Defense Robert Gates announced that in order to improve cyberspace capabilities, the DOD will seek to increase the number of cyber experts that the department can train from 80 students per year to 250 per year by FY 2011.29 29 “Gates Unveils Overhaul of Weapons Priorities,” Wall Street Journal, April 6, 2009, available at http://online.wsj.com/article/SB123904207376593845.html?mod=googlenews_wsj.
3.8 WEAPONS SYSTEMS ACQUISITION

The acquisition of weapons is one of the prime responsibilities of the military services. To illustrate some service desires for cyberweaponry:

The Air Force is seeking to acquire a Cyber Control System (CCS) to provide command and control for the Air Force portion of the DOD Global Information Grid (GIG). The CCS is intended to enable active defense operations “by providing GIG situational awareness along with both automated responses (based on pre-defined Rules of Engagement) and recommended Courses of Action (COA) in response to network intrusions/attacks.” The CCS is also intended to enable network attack operations.30

The Air Force is supporting the Dominant Cyber Offensive Engagement program, which is intended to develop capabilities for gaining access to any remotely located open or closed computer information system; obtaining full control of a network for the purposes of information gathering and effects-based operations; and maintaining an active, stealthy, but persistent presence within the adversary’s information infrastructure.31

The U.S. Air Force has noted a need for new technologies to support network attack (network-based capabilities to destroy, disrupt, corrupt, or usurp information resident in or transiting through networks), network defense (network-based capabilities to defend friendly information resident in or transiting through networks against adversary efforts to destroy, disrupt, corrupt, or usurp it), and network warfare support (actions tasked by or under direct control of an operational commander to search for, intercept, identify, and locate or localize sources of access and vulnerability for the purpose of immediate threat recognition, targeting, planning, and conduct of future operations such as network attack).32 Some of these specific needs are described in Box 3.5.
BOX 3.5 Illustrative U.S. Air Force Technology Needs for Cyberattack

A broad agency announcement from the U.S. Air Force calls for proposals to develop the following technologies for network attack, network defense, and network warfare support.1 Some of the technologies sought include:

Mapping of networks (both data and voice);
Access to networks;
Denial of service on current and future operating systems and network devices;
Data manipulation;
Technologies/concepts for developing capabilities for IO modeling and simulation;
Situational awareness that gives the operator near-real-time effectiveness feedback in a form that is readily observed by the operator;
Technologies/concepts for developing capabilities to assess and visualize non-kinetic effects;
Technologies/capabilities/concepts for generating and distributing dynamic electronic target folders, to include non-kinetic courses of action (COAs);
Processing of multi-level security information; and
Technologies/concepts for developing capabilities to support rapid implementation of effects-based capabilities.

1 Broad Agency Announcement (BAA ESC 07-0001), OL-AA 950 ELSG/KIS, Network Warfare Operations Capabilities (NWOC), Technology Concept Demonstrations, available at http://www.herbb.hanscom.af.mil/tbbs/R1528/Final_NWOC_BAA_Amend_5.doc.

The Army has issued a broad agency announcement seeking technologies for network disruption using “subtle, less obvious methodology that disguises the technique used and protecting the ability whenever possible to permit future use.”33

Acquisition policy in general terms is addressed in Chapter 6.

30 See http://www.fbo.gov/spg/USAF/AFMC/ESC/R1739/SynopsisP.html.

31 FUNDING OPPORTUNITY NUMBER: BAA 08-04-RIKA, https://www.fbo.gov/index?s=opportunity&mode=form&id=b34f1f48d3ed2ce781f85d28f700a870&tab=core&_cview=0&cck=1&au=&ck=.

32 Broad Agency Announcement (BAA ESC 07-0001), OL-AA 950 ELSG/KIS, Network Warfare Operations Capabilities (NWOC), Technology Concept Demonstrations, available at http://www.herbb.hanscom.af.mil/tbbs/R1528/Final_NWOC_BAA_Amend_5.doc.

33 Army Offensive Information Operations Technologies Broad Agency Announcement, May 3, 2007, available at https://abop.monmouth.army.mil/baas.nsf/Solicitation+By+Number/9BE5D8EAE22A6339852572D4004F0DD5/$File/BAA+Army+Offensive+Information+Operations+Technologies.doc.