17 December 2015

America’s Secret Arsenal: Cyber Weapons Of Mass Disruption

December 14, 2015 

Danny Vinik had an online article on Politico (Dec. 9, 2015) about the U.S.’s growing arsenal of cyber weapons. He contends that America has the most powerful arsenal of cyber weapons on Earth. “Today, it remains one of the most sophisticated and mysterious offensive [cyber weapon] operations ever launched: Stuxnet, the computer virus specifically engineered to attack Iran’s nuclear reactors. Discovered in 2010, and now widely believed to be a collaboration between the U.S. and Israel, its existence raised an urgent question: Just what is the U.S. government doing to attack its opponents in the cyber realm?” he asks.

“Stuxnet’s origins have never been officially acknowledged, and the extent of American meddling in malware is still unknown. But, for the past few years, there’s been something new developing within the U.S. military that has taken ‘cyber’ from a theoretical idea to a deliberate — if secretive — part of U.S. policy. The first ripple came in January 2013,” Mr. Vinik writes, “when the Washington Post reported that the Pentagon was significantly expanding its cyber security forces across all the service branches. By that October, the U.S. Army had launched two teams of technical experts dedicated purely to the cyber realm. Just a year later, the number was up to 10.”

“The growth has been snowballing,” Mr. Vinik observes. “Last year, the Secretary of the Army created a new branch for cyber — the first new Army branch since [the] Special Forces was created in 1987. By October of this year, there were 32 teams, coordinated out of a new joint force headquarters opened last year at Fort Gordon, Georgia. By next summer (2016), the Army expects to have 41.”

“What’s going on?” Mr. Vinik asks. “The growth points to one of the most cutting-edge, but also obscure, realms of American military strategy, and especially its strategy for cyber offense. The United States already has, as most observers believe, the most powerful cyber attack capabilities in the world. Much less clear is just what those capabilities actually are — and when the Department of Defense believes it should use them.”

But a cyber offense decision tree (how, when, and where to act, and to achieve what result) is still lacking. Mr. Vinik notes that “in April, DoD released a 32-page document that laid out specific strategic goals for U.S. cyber offense for the first time. But critics say the document still leaves many questions unanswered about how, when, and where the government will use these capabilities.”

“What is a legitimate retaliation for an act of [cyber] war?” said Rep. Jim Himes (D-Conn.), the ranking member of the House Intelligence Subcommittee on NSA and Cyber Security. “How do you think about things like proportionality, which is a key term in rules of war? How do you think about that in the cyber realm? In place of those norms and definitions, you’ve just got a series of endless question marks. That’s a dangerous world, because uncertainty in this world equals risk.”

“An all-out cyber assault can potentially do damage that can be exceeded only by nuclear warfare,” said Scott Borg, the Director of the U.S. Cyber Consequences Unit, a nonprofit research institute that focuses on cyber attacks. “It’s huge.”

When Mr. Vinik began his research into U.S. offensive cyber capabilities, he expected to find a range of capabilities from the tactical to the strategic. That is not what he found. He writes: “cyber weapons exist in a realm not unlike the early days of the nuclear program, shrouded in secrecy, with plenty of curiosity, but very little public information. In part,” he adds, “this secrecy is integral to the whole concept: a cyber attack is useful insofar as the enemy is unaware of it. The more the government reveals about what’s in its arsenal, the more our adversaries can do to protect themselves.”

“If you know much about it, [cyber is] very easy to defend against,” said Michael Daniel, Special Assistant to the President and Cyber Security Coordinator at the National Security Council. “Therefore, that’s why we keep a lot of those capabilities very closely guarded.”

One thing everyone Mr. Vinik spoke to agreed on: “The U.S. has the most powerful cyber arsenal in the world. Brandon Valeriano, a lecturer at the University of Glasgow who focuses on cyber conflict, used the example of the North Korean Internet interruption in December 2014, when the nation’s fledgling Internet went out for a few hours, just a few days after the White House blamed the Sony [Entertainment] hack on Pyongyang.” “If America wanted to take down North Korea’s Internet,” he said, “it wouldn’t be two or three hours — it would be devastating.”

“A cyber weapon, called a ‘capability’ in the field, is a piece of malicious code that exploits a flaw in the enemy’s software; the point is to manipulate, disrupt, or destroy computers, information systems, networks, or physical infrastructure controlled by computer systems,” Mr. Vinik wrote. “An attacker could use a cyber weapon to take down another country’s financial or electrical systems.”

“Anything that has a computer, anywhere on earth, can be stopped, or taken over,” said Jason Healey, the head of the Atlantic Council’s Cyber Statecraft Initiative and former Director for Cyber Infrastructure for the George W. Bush White House from 2003 to 2005.

“The most powerful cyber capabilities, called ‘zero days,’ exploit software vulnerabilities unknown even to the author of the software itself: for example, a security hole in the Windows system that even Microsoft doesn’t know is there. They’re called zero-days because, once discovered, the author has zero days to fix them — people can immediately use them to cause damage.”

“As weapons, cyber capabilities differ in a few key ways from traditional weapons like missiles and bombs,” Mr. Vinik notes. “First, they cause damage that’s less overt, but more widespread than a physical attack — a cyber weapon could cripple a local economy by attacking a country’s financial or communications systems. Second, an attack can occur almost instantaneously against any target in the world. The Internet makes physical distance between enemies all but irrelevant, making it both easier for enemies to launch cyber attacks, and harder for the government to monitor for them. Third, the use of a cyber capability is often a one-time deal: if the government has a piece of malicious software and uses it to exploit a flaw in an enemy’s code, it could render future uses of that capability ineffective, since the adversary could just patch it. It could also compromise intelligence-collection activities that use the same exploit.”

“Furthermore,” Mr. Vinik notes, “the line between a military attack and an espionage operation is far blurrier in the cyber realm. A cyber attack generally doesn’t involve the movement of physical objects, and does not put the attacker’s soldiers at risk.” “All of the potential red flags that would pop up and get congressional attention don’t,” said Peter Singer, a renowned cyber expert and author of “Cybersecurity and Cyberwar: What Everyone Needs to Know.” “The same exploit might be used by intelligence agencies to spy on an enemy, or as an offensive weapon to mount a sudden attack.”

“That blurriness can be used to cloak responsibility, many observers think. For example, analysts have pointed out that if Stuxnet were indeed a U.S. operation — as is widely believed now — the administration could avoid taking public responsibility for it by classifying it as an intelligence operation, rather than military,” Mr. Vinik wrote.

“Stuxnet is attributed by the media to have been a U.S. Intelligence Community operation that would have been conducted under intelligence authorities versus Cyber Command authorities” [Title 50 vs. Title 10], said Robert Knake, a Fellow at the Council on Foreign Relations, who was the Director for Cyber Security Policy at the National Security Council from 2011 to 2015. “So, from that perspective, we really don’t know that much about what DoD engaged in offensive cyber warfare would look like.” Whoever conducted it, Stuxnet announced that something new was happening. “Stuxnet was a game changer,” said Healey. “The Internet became a much more dangerous place after that, because almost literally, everybody started to say — the gloves are off now.”

“WHILE THE OBAMA administration has slowly been disclosing more information about the U.S.’s offensive cyber policy, a lot of experts would like to see a broader, public discussion about how the U.S. intends to use its capabilities,” Mr. Vinik wrote.

“Those 41 Army teams that will be in place by the end of 2016 are part of a bigger DoD effort to expand and organize the military’s cyber efforts. In 2013 the Department revealed that it was creating 133 mission teams to conduct offensive and defensive operations, with 27 of those building up capacity to attack an enemy abroad. The operations are run out of U.S. CYBERCOM in Ft. Meade, Maryland, which was set up in 2010 by Gen. (Ret.) Keith Alexander, who at the time was wearing dual hats as both head of the command and Director of the National Security Agency (NSA).”

“The DoD’s new cyber strategy lays out strategic goals and objectives for the Department [DoD] but provides few details about how the military is supposed to act in practice. ‘If directed by the President or the Secretary of Defense, DoD must be able to provide integrated cyber capabilities to support military operations and contingency plans,’ it says. ‘For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or disrupt an adversary’s military systems to prevent the use of force against U.S. interests.’”

“When it comes to specifics, the most dedicated cyber watchers say it’s not the government’s official documents that contain the most details: it’s the documents leaked by Edward Snowden. Though now a few years out of date, they include detailed information about how the U.S. government was building up an arsenal of cyber capabilities — and, at times, using them,” Mr. Vinik contends. “In 2013, the Washington Post reported from the Snowden disclosures that the U.S. government carried out 231 offensive cyber operations in 2011, none of which came near a Stuxnet-level attack.”

“Snowden also released Presidential Policy Directive-20, a Top Secret document that laid out the administration’s cyber principles,” Mr. Vinik wrote. “But, much like the DoD’s cyber strategy, PPD-20 doesn’t answer many questions, instead offering general guidelines for the U.S.’s offensive goals.”

“This lack of specificity has frustrated some experts — ‘Most of it is vague and blank,’ Borg said about the DoD’s cyber strategy — but the problem may be less that the administration isn’t releasing that information, and more that those decisions haven’t been made at all. Other experts who share Borg’s frustrations with the government’s offensive cyber strategy nevertheless defended the DoD’s document, saying it was not meant to lay down specific rules for the military’s use of offensive cyber weapons. Instead, it was the first step in a process intended to lead to more specific rules of engagement,” Mr. Vinik noted.

“In one sense, specifying rules of engagement is even more important for cyber weapons than kinetic ones,” Borg said, “because attacks occur so rapidly in the cyber realm.” Alexander used the example of a missile flying at a city in the U.S. while North American Aerospace Defense Command was unable to get in touch with key decision makers — the Secretary of Defense, the President — about whether to shoot it down.

“Now, if someone is attacking our infrastructure, and they’re doing it at network speed, CYBERCOM should probably defend the nation,” he said. But, he added, “We haven’t gotten, in my opinion, to that point yet. But, I think they’re getting close. The reason is, people don’t understand how bad cyber can be.”

“We are still, as are all governments, thinking through how do you actually employ these capabilities in a way that makes sense; and how do you fit them into our larger strategic context,” said Daniel, who leads the White House’s development of its cyber strategy. “You don’t just carry out a cyber operation for the sake of carrying out a cyber operation.”

“WHILE THE DEBATE over U.S. offensive cyber strategy may be happening quietly in the federal government, it’s playing out quite publicly among outside experts,” Mr. Vinik observes. “In early November, Himes and four other lawmakers sent a letter to Secretary of State John Kerry and National Security Adviser Susan Rice proposing a cyber convention — like the Geneva Convention — to lay out the rules of the road for cyber.”

“Now is the time for the international community to seriously respond again with a binding set of international rules for cyber warfare: an E-Neva Convention,” they wrote.

“One key concern they have,” Mr. Vinik writes, “is what actually constitutes an act of war in the digital realm, versus a smaller crime or nuisance.” “What is cyber war?” Representative Lynn Westmoreland (R-Ga.), the Chair of the House Intelligence Subcommittee on NSA and Cyber Security, who signed the letter, said in an interview. “What is it?”

“What if Iran melted down one server at Florida Power and Light? They do $5,000 worth of damage. That sounds to me like a crime,” Himes said. “But what if they melt down a whole bunch of servers, a network goes down, and a bunch of people die? That feels to me like an act of war.” He added: “But these lines aren’t drawn. Because they’re not drawn, is our response to have the FBI investigate and file a diplomatic demarche? Or is our response to do a cyber reprisal? Or is our response to do a kinetic reprisal? We don’t know. I think that’s a real problem.”

“Another key question in the cyber realm,” Mr. Vinik argues, “is whether any specific infrastructure is off limits, the way hospitals are supposed to be off-limits in kinetic war. Is an electrical grid a valid target? Knocking out the Internet or power can cause immense damage to civilians, particularly in advanced countries like the United States, whose economies depend heavily on the Internet.”

“Forging a consensus on these questions is hard, but not impossible,” Mr. Vinik argues. “Already the international community is coalescing around an agreement that states cannot conduct cyber espionage for commercial purposes. Whether countries such as China will actually abide by that is unclear, but countries have at least agreed on that norm — in principle.”

“Even among cyber experts, crafting cohesive rules of engagement is proving to be a challenge,” Mr. Vinik observes. “I don’t know if you could come up with a set policy,” Westmoreland said. “I think it would have to be some type of living document that would allow it to change when the technology changes.” Daniel said that coming out with a specific, case-by-case framework was not possible. “The idea that we’re going to be able to spell out in detail exactly how we would respond to any particular incident, or activity, I think doesn’t fully account for how we are going to have to act in the real world,” he added.

When Mr. Vinik asked Rep. Himes how the U.S. government should craft a cyber strategy if it can’t prepare for every possible scenario, Rep. Himes said, “The laws of war, if you will, aren’t about describing every possible scenario. They are about articulating principles.”

“This [kind] of top-level guidance needs to come not from cyber experts, but from elected leaders — and observers say, so far, that direction [guidance] has not been forthcoming,” Mr. Vinik laments. “Part of the problem is that there are so many senior people in government, especially coming out of the political world, that just don’t understand enough about the technology,” Borg said. “They really are remarkably uninformed.”

Referring to remarks that New Jersey Governor Chris Christie made during a recent presidential candidates’ debate, “that if China were to commit cyber warfare against us, they are going to see cyber warfare like they have never seen before,” Mr. Vinik asks, “what exactly would qualify as cyber warfare? And what kind of Chinese cyber attack would result in ‘cyber warfare like [China] has never seen before’?”

“It seems superfluous to mention perhaps, but cyber war with China is war with China. And a war that starts out in the cyber realm can quickly migrate to other realms,” Mr. Vinik wrote.

“I consider the current state of affairs to be extremely volatile, and unstable, because one could escalate [to] a cyber war pretty quickly,” said Sami Saydjari, the founder of the Cyber Defense Agency consulting firm, who has been working on cyber issues for more than three decades,” Mr. Vinik wrote. “You can imagine a scenario where a country instigates a cyber warfare-like event; but, does it in such a way to blame another country, which causes an escalation between those countries, which accidentally causes a kinetic escalation, which accidentally reaches the nuclear level. This is not an implausible scenario,” Mr. Saydjari said.

“Not implausible; but, perhaps not likely either,” Mr. Vinik contends. “At the moment, cyber experts say, the world is at a moment of tenuous peace. For all the constant threat and hacking, nobody is waging overt attacks on infrastructure and assets. But, they also say that this relative stability masks the underlying threats in the cyber world.”

“I would say we are in a cold [cyber] war, not a peace,” Alexander said. “If you paint a picture of the world above, people are shaking hands. And then below the water, they’re kicking like crazy. I think in cyber, there’s so much going on, that it’s invisible to most people.”

“If a major cyber incident occurred in the U.S. — one that actually hurt, or even killed Americans — the public would quickly want some answers, and likely a plan for defense and retaliation. In the absence of more specific rules of engagement, it’s clear to many experts what’s going to happen at this point: We’re going to improvise,” Mr. Vinik writes.

“If there is a [major] cyber incident in the United States, we’d do it from scratch,” said Martin Libicki, a senior scientist, and cyber warfare expert at the RAND Corporation. “I don’t care what’s been written. That’s just the nature of the beast.”

Some Issues Mr. Vinik Did Not Address

One issue that Mr. Vinik did not address is the limited cyber strike, and how to verify the cyber equivalent of a bomb damage assessment. We are almost always concerned with collateral damage when using an offensive weapon of any kind. Are we capable, or on the verge of being capable, of the equivalent of a Predator drone strike in the cyber realm? Can we conduct targeted cyber strikes that take out or damage only the intended targets, without a cascading effect on innocent individuals and entities? Can we take out specific laptops, or specific pieces of critical infrastructure, without having to damage or disable entire facilities and routers? And do we have the technical know-how to understand and verify what a cyber strike actually did?

Where are we with respect to cyber forensic attribution? The ability to disguise one’s malicious cyber activities is only getting more creative, innovative, and elegant. How fast can we pin the tail on the donkey, so to speak? How do we know we have positively identified the perpetrator of a malicious cyber attack on us? The cyber realm is an almost perfect domain for false-flag operations; denial and deception are two skill sets that are alive and well on the Internet, so the potential for retaliating against, or responding to, the wrong entity is great. In a cyber attack of mass disruption, the American public will expect the U.S. government to identify the culprit quickly, as we did in the aftermath of the 9/11 attack. How realistic is that in an environment where our own network enterprise has been severely damaged? Do we have offline or manual workarounds that would allow us to continue to identify and pursue the guilty party? Cyber militias and cyber patriot groups (e.g., Anonymous) are already emerging on the net, and the proliferation of such groups will make the job of cyber forensic attribution all the more difficult.

Then, of course, there are those who are off the grid, or who practice operating while disconnected from the Web, which makes retaliating in kind to a cyber attack moot. What do we do in those cases?

And is it possible for an offensive cyber strike to have profound, unintended negative consequences, with the cyber weapon continuing to inflict widespread network damage well beyond the intended target, against friends and foes alike? Getting the toothpaste back in the tube isn’t possible. Do we have a cyber rescue plan available in case something like that ever happens?

Cyber mercenaries and cyber guns-for-hire also complicate this environment.

Cyber offensive operations are indeed a difficult issue to fully comprehend, and to prosecute with precision. V/R, RCP
