Preparing for Cyberwar
Cyber Arms: Weapons of Mass Destruction?
There needs to be more public knowledge and informed debate about the topic of cyber arms and cyberwar, the National Research Council (NRC) argues in its recently published report. "Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities" is an impressive 3-year effort supported by Defense Department officials, academics and industry specialists that sums up the current dilemma.
The report contrasts how cyberattacks differ from physical, "kinetic" military weapons and tactics (cyberattacks offer more options, but less certainty in the outcomes they produce, for instance). It even goes so far as to compare the unchecked spread of cyber weapons to the proliferation of nuclear weapons half a century ago after World War II.
The report says the chances are growing for a cyber-arms race and points out the reckless, unchecked use of cyber-weaponry that's being developed by countries, including the U.S., and the lack of formal or comprehensive policies for cyberattacks on the national political and military level.
"Programs to develop cyberattack capabilities are classified and dispersed throughout many program elements within the Department of Defense with the result the overall capabilities are not known even among those with the necessary clearances," the NRC report says. "Effective Congressional oversight that goes beyond a few individuals on the relevant committees is also inhibited."
Emphasis on Defense
The Navy Cyber Defense Operations Command where Granger works is strictly defensive, and as Granger notes, there are rules prohibiting offensive tactics.
In the military, the operations point for offensive cyberattack capabilities and actions is the U.S. Strategic Command (STRATCOM) Joint Combat and Command of Network Warfare, set up in 2005. But the NRC report points out that the U.S. Air Force has ended up as "the main advocate," and today is seeking to acquire a Cyber Control System capable of network disruptions in an automated manner.
While the NRC report makes no mention of specific adversaries, it does discuss the history with Russia over several decades. Russia at the United Nations sought as far back as the late 1990s to make cyberattacks and cyberweapons a topic for discussion and possible international agreements.
The Russian foreign minister at the time, Igor Ivanov, told U.N. Secretary Kofi Annan in a letter that the effect of information weapons "may be comparable to that of weapons of mass destruction."Without U.S. participation, the U.N. didn't do much with the cyber-weapons topic back then. But the NRC report suggests the U.S., which today has no specific "declaratory policy" regarding cyber weapons, should be prepared to discuss this in various settings and have policy ready, especially as the prospects for cyberattacks among nation states may be mounting.
The military conflict between the countries of Georgia and Russia last year involved cyberattacks against Georgian government and civilian resources, the report says. "The primary significance of the cyberttacks on Georgia is that they appear to be the first instance of simultaneous attacks involving cyberattack and kinetic attack, rather than in any particulars of the cyberattacks themselves."
The Russian government did not claim responsibility for the Georgian cyberattacks, which the report says appeared to originate in Russia through botnet-based attacks, which may be linked to the criminal group Russian Business Network.
But Russia's official public stance on cyber weapons for quite some time has been that "Russia retains the right to use nuclear weapons first against the means and forces of information warfare, and then against the aggressor state." Basically, this is interpreted to mean that Russia equates massive cyberattacks against the country to a nuclear attack and would consider responding in kind.
Russia itself is actively developing cyber weapons, the report says. "It's widely believed that Russia is fully engaged in, or at least developing, the capability of launching a cyberattack regardless of its U.N. stance," the report says.
And though not discussed very openly, the U.S. also has significant cyberattack capabilities, according to some.
"Much of the information is classified," says Michael Vatis, attorney at Steptoe & Johnson, whose experience includes founding the FBI's National Infrastructure Protection Center back in 1998, the first government office responsible for detecting and responding to cyberattacks. A contributor to the NRC report, Vatis says "The U.S. has offensive capabilities and used them in some limited circumstances."
"These capabilities exist and we have them," Vatis says. He says there should be public discussion of the points brought up in the NRC report so there can be dialog with other nations as well as the potential for treaties or other agreements on use of cyber arms.
Patricia Titus, director of enterprise security at Unisys Federal Systems (and former chief information security officer at the Transportation Security Administration), says she's a "proponent of offensive capability" but that "we need diplomacy at the State Department" when it comes to the issue. Just like there are nuclear treaties, she notes, it's reasonable to think there should be rules of engagement for nation states when it comes to cyber weapons.