Computer security experts react to Cyber Command proposal with optimism, blunted by reality that attacks are hard to foresee.
Pentagon plans to deploy a military cyber squad to guard U.S. networks sustaining hospitals and other vital commercial sectors drew hopeful skepticism from technology experts -- and silence from counterparts at the Homeland Security Department.
A recently disclosed blueprint shows the Defense Department would significantly expand Cyber Command, which has been operational since 2010, and organize it into three sections: combat mission forces would support military commanders in offensive operations against adversaries’ computers; protection forces would defend military networks; and national mission forces would protect domestic critical infrastructure such as energy and transportation networks, the disruption of which could devastate civil society. The command overhaul was first reported by The Washington Post.
Cyberwar researchers, legal experts and industry officials said they believe the Defense Department is the best-resourced federal entity -- in terms of both funding and expertise -- to attempt thwarting major cyberattacks. But they are doubtful any federal department has the tools to reliably identify the source of an incident without misinterpreting the motive of the attacker or possibly targeting an innocent country.
When a destructive cyberattack is imminent, international law allows a proportional response to block the strike, said retired Maj. Gen. Charles Dunlap, a former deputy judge advocate general for the Air Force. “The U.S. does not consider it legally necessary to actually suffer an attack before taking action in self-defense,” he explained.
Still, federal law constrains the authority of military forces domestically, and even if a hostile attack were underway, it is unlikely U.S. forces would have sufficient time to react.
“That would require a rather robust ability to distinguish between major and minor attacks at, literally, the speed of light. That would be, I think, very challenging to do,” said Dunlap, now on the faculty of Duke University Law School.
Complicating matters further, the Pentagon appears to have crafted its reorganization plan without the Homeland Security Department’s cooperation. Under a 2003 presidential directive, DHS must play the primary role in any governmentwide effort to protect American critical infrastructure.
On Friday, Homeland Security officials declined to answer questions about whether the department was involved in the Pentagon’s plan for a domestic cyber force. DHS Secretary Janet Napolitano has been promoting an expected White House executive order that would require Homeland Security to develop cybersecurity standards for critical infrastructure companies and improve information-sharing about vulnerabilities.
DHS officials also would not answer questions about whether the separate military and White House critical infrastructure plans are coordinated endeavors. When asked about collaboration with the Pentagon on these matters, DHS spokesman SY Lee said in a statement, “The Department of Homeland Security is responsible for leading a coordinated national response to significant cyber incidents, and for establishing and maintaining a cyber common operational picture across federal civilian departments.”
The private sector operates an estimated 80 percent to 90 percent of critical infrastructure networks. Consequently, DHS currently works with the owners and operators of those systems to help secure them. Addressing the issue of how its forces will protect vital industries without bugging private networks, a Defense official told Nextgov in a statement, “Cyber National Mission Forces will be prepared to conduct full spectrum cyber operations” to abate threats. According to federal auditors, full spectrum cyber operations encompass surveilling and destroying adversary networks when danger is suspected, not commercial networks.
Dunlap said, “It’s critical for the military not to appear to be infringing upon the privacy and civil liberties of ordinary Americans, even in the name of cyber security,” adding that “domestic cyber-snooping could put at risk the sterling reputation the military needs to attract America’s best and brightest into its ranks.”
Where will the money come from?
Under the new organizational structure, the size of the command would swell from 900 to 4,900 military and civilian cyber professionals, according to the Post. Observers were befuddled by the envisioned personnel spike, since the Pentagon has announced hiring freezes and other measures to cut spending with sequestration looming.
Defense could squeeze more money out of Congress by stating that the command is taking on more responsibilities. “By ramping up cyber forces in an era of dwindling resources, DoD sent a strong message to Congress about how serious it considers the cyber threat. I expect Congress will respond with increasing support for the cyber mission sooner rather than later,” Dunlap said. Earlier, some budget analysts had predicted Defense would rebrand programs as cyber activities to obtain funding boosts, even programs largely unrelated to computer security.
Indications are that the military would act against attacks on civil networks only in the event that national security is threatened or lives are at stake -- not to protect individuals from identity theft or monetary harm, for example. “Under certain circumstances, the DOD believes that they can intercept a hostile attack against U.S. [critical infrastructure] before it hits,” said Jeffrey Carr, a cyberwar researcher and author of “Inside Cyberwarfare” (O'Reilly Media 2009). “Theoretically, if intelligence assets uncover an imminent attack by North Korea, for example, to attack the air traffic control system and cause mass casualties, then DoD could take action to eliminate the threat” legally as an act of self-defense.
But, he added, it is doubtful the United States would be able to predict an impending attack due to the nature of malicious software and the anonymity of the Web. “If you don't know attribution, you can't know where the attack will come from, where to look,” be it China, Iran or another nation state, Carr said.
“It's not like DoD can really see malware on its way to the U.S., unless it’s a known signature,” or a hallmark of harmful code already identified by antivirus technology, he said.
More likely, he added, the carrier of the virus would be an offline USB stick inserted into a computer on a company’s internal network, as was the case with a critical infrastructure attack in Saudi Arabia. According to Bloomberg BusinessWeek, this was the method of attack used to disperse the so-called Shamoon virus during an August strike on network services at state-owned Saudi Aramco. The attack corrupted 30,000 employee workstations. “The Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Defense Secretary Leon Panetta said in October 2012.
Some industry representatives, with a fairly positive view of the revamped Cyber Command, sense the Pentagon is stepping up to fortify domestic cyber forces now because cybersecurity reforms have been stalled in Congress for years.
“I had a bipolar reaction. The first reaction is that it is comforting,” said Trey Hodgkins, senior vice president for global public sector government affairs for trade association TechAmerica. “The rest of the government, including the DHS, is years behind” in cybersecurity expertise, while Defense “has done a great job in positioning itself ahead of the government. At the same time, we share the concern that companies don’t want to see their ability to manage their own data, the data of their customers, called into question or become more challenging for them.”