U.S. moves to contain collateral damage from cyber weapons


Alleged digital weapons have not overreached so far, former officials say.

The fallout from cyber weapons and perhaps, one day, cyber drones may not greatly affect Americans’ privacy or U.S. computer security, former military officials say.
 
Speculation about impending cyberwarfare has followed recent revelations about a stealth virus and new U.S. cyberoffensive tools. The virus Flame, a suspected U.S. government invention, was reported in May to have long been harvesting information from computers in various Middle Eastern countries. Days after that account surfaced, The Washington Post reported that a Defense Advanced Research Projects Agency program aims to test unmanned cyberattacks that strike without human beings at the keyboard. The Pentagon has said only that it has the ability to conduct offensive operations in cyberspace to defend the nation.
 
There is reason for concern that foreign-aimed cyberattacks are backfiring on Americans by creating new vectors for cybercriminals and by breaching privacy. Yet, on the whole, some former government hackers say they’ve been surprised to see the Obama administration taking considerable care to minimize such risks.
 
The recently uncovered attacks involved “techniques that could have been used against us just as effectively,” said Dave Aitel, president of cybersecurity firm Immunity Inc. and a former National Security Agency computer scientist. He was referring to Flame and a U.S.-Israeli campaign called Stuxnet that undermined Iran’s nuclear program by overriding a computer system operating plant centrifuges.  
 
The order to deploy Stuxnet reportedly was made after thorough deliberation by the highest power in U.S. government -- not a Defense Department official. “Obama has to say, yes or no,” Aitel said. “It’s not completely like ‘Go crazy, Cyber Command.’”
 
Defense’s strategy for operating in cyberspace states the commander in chief determines when to engage in cyber confrontations. Pentagon officials have said they strongly respect Americans’ rights during operations. 
 
“If so directed, DoD is prepared to defend U.S. national security interests through all available means,” Defense spokeswoman Lt. Col. April Cunningham said. “DoD is committed to protecting the individual privacy of communications on the Internet and the civil liberties of the American people.”
 
Still, Microsoft suffered some collateral damage from Flame. The designers of the virus exploited a previously unknown flaw in the company’s digital certificates to disguise malicious code as a Microsoft product. The software firm subsequently issued an update to block other hackers from abusing the fraudulent certificates.
 
Kaspersky Labs, the security firm that discovered Flame, describes the bug as “the largest cyberweapon to date,” referring to its 20 megabytes. The tool can scoop up massive amounts of valuable information such as screenshots of online chats, audio recordings from internal microphones, and storage files.
 
Gen. John P. Casciano, a former Air Force director of intelligence, surveillance and reconnaissance, acknowledged the U.S. government will never have 100 percent assurance that a cyber offensive will work as planned. Americans, however, have more to fear from adversaries and cybercrooks than from the feds, he said. “I’m not terribly concerned about the U.S. government spying on us,” said Casciano, now a private consultant.  
 
Other former Defense officials say cyberweapons are subject to the 1978 Foreign Intelligence Surveillance Act, which regulates the monitoring of U.S. international communications during counterespionage activities.
 
“All new cyberweapons must adhere to all the U.S. federal laws,” said Gen. Harry D. Raduege, a retired director of the Defense Information Systems Agency. Or, more specifically, “it’s U.S. people who employ cyberweapons who are subject to FISA. It’s really the people.” Raduege is now chairman of the Deloitte Center for Cyber Innovation.
 
Casciano said he trusts the current legal framework will protect Americans in cyberspace, citing established federal protocol for wiretapping communications between Americans and foreigners when there is probable cause for suspecting a nefarious plot.
 
Civil liberties activists have argued otherwise, based on their longstanding criticism of FISA for sweeping up innocent Americans’ calls, emails and text messages. 
 
Flame so far has spread in a controlled manner among certain nation-state groups and academic institutions and has not self-replicated, according to Kaspersky researchers.
 
Aitel notes the administration recently demonstrated restraint by threatening to veto a cybersecurity bill that opponents say would encourage companies to indiscriminately share customer data with feds. “The government is afraid of overreach and is essentially afraid of the populace at some level,” he said.  “I think it’s amazing that they’ve been going so carefully and following the issues so intellectually. It speaks highly of them that they think this is something you cannot just rush into.”
 
Jeffrey Carr, a cybersecurity consultant and author of Inside Cyber Warfare, makes a distinction between cyberweapons that are intended to destroy systems such as Stuxnet, and cyber espionage tools such as Flame that compromise systems. He sees clear dangers to using either without restrictions set in advance of combat. One unintended consequence of cyberweaponry could be the accidental disruption of a civilian hospital system overseas, for instance.  International cyberspying, he said, could inadvertently encroach on the human rights of foreigners and Americans abroad.
 
With cyberweapons, collateral damage could harm civilians who use a targeted network, Carr said. “How do we know which networks should be targeted and which ones should be off limits?” he questioned. “I would think that [U.S. officials] would be concerned about their rules of engagement.” As for cyber snooping: “Anything that’s stealing data in any type of big way is going to have some privacy ramifications to it,” Carr said.
 
Cunningham noted the Pentagon does not discuss operational matters as a matter of longstanding policy and will not comment specifically on the development of cyber offensive tools.
 
The Post’s Ellen Nakashima in late May wrote that a DARPA initiative, dubbed Plan X, aims “to develop systems that could give commanders the ability to carry out speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code -- a process considered much too slow.”
 
Charles Dunlap, former deputy judge advocate general of the Air Force, said the cyberdrones described in the Post article do not seem quite the same as fully autonomous weapon systems that select their own targets, but he said some observers could argue this is a first step in that direction.
 
“News reports that DARPA is seeking proposals for methodologies that would automate cyber responses in predetermined scenarios is an almost inevitable development given the speed in which cyberattacks can cause harm,” said Dunlap, now a Duke University Law School professor. “The very idea of autonomous weapons systems of any kind, cyber or kinetic, is controversial on legal, ethical and even pragmatic warfighting grounds.  Yet the development and deployment of such weaponry is sure to continue even as we sort out the law and policies to address it.”
 
Other former military officers suspect that unmanned cyber operations would be confined to protective moves, and not used during attacks.
 
“I see autonomous being used defensively, because you’ve got only nanoseconds to respond” in such instances, Casciano said.   
