15 July 2018

Waging cyber war without a rulebook


By Derek B. Johnson 

For years, security experts have warned of an impending cyber Pearl Harbor: an attack so big and bold that it cripples U.S. infrastructure and demands a military response. However, in interviews with former White House and executive branch officials as well as members of Congress and staffers involved in cyber policy, many expressed more concern about the potential for a Cyber Gulf of Tonkin: a misunderstanding or misattribution around an event that precipitates or is used as a justification for war. "I think we should all be concerned about a [misunderstanding] or something that is made to look like someone else took action," said Rep. Jim Langevin (D-R.I.), a co-founder of the Congressional Cybersecurity Caucus. "Attribution is very difficult, although we are getting much better at it. There's no doubt there could always be a level of uncertainty."

The U.S. government is currently engaged in disputes with at least four other countries -- Iran, North Korea, Russia and China -- over a series of recent hacks, intrusions and cyberattacks dating back five years. In cases like Iran and North Korea, some worry the situation is potentially one precipitating incident away from breaking out into military conflict.

Furthermore, members of Congress have increasingly agitatedfor a more forceful response against nation-state- led cyberattacks, while providing little in the way of statutory guidance around rules of engagement for offensive cyber operations, including which agencies should take the lead and how brightly the lines should be drawn between private sector, civilian government and military response.

Blurred lines

The federal government lacks a commonly understood framework for the type and scope of actions that would or would not qualify as an act of war in cyberspace.

"There isn't [a document] -- to my knowledge at least when I was in government -- where it's like 'this is our list' and if it's one of these things then we're going to declare war," said Megan Stifel, a former director of international cyber policy on the National Security Council. "It's not very helpful and reassuring to many to say that we'll know it when we see it, but that has been a bit of the philosophy because we haven't seen it yet."

Stifel pointed to many of the most high-profile attacks against United States assets – such as the 2016 election disinformation campaign, the 2017 WannaCry attacks, the 2014 Sony hack and the Office of Personnel Management hack -- and questioned whether any of them could truly be interpreted as a genuine act of war by the nations who supposedly carried them out.

In its new command visionon information warfare, U.S. Cyber Command noted that nation-states have taken advantage of this ambiguous policy landscape to conduct aggressive cyber campaigns to harm or destabilize U.S. interests and infrastructure.

"Adversaries continuously operate against us below the threshold of armed conflict. In this 'new normal,' our adversaries are extending their influence without resorting to physical aggression," the vision statement reads.

Some have argued that such direction would allow policymakers to clearly communicate which kind of attacks and targets are beyond the pale and require an in-kind cyber or even kinetic military response. Alternatively, the absence of such a framework carries the risk of fostering confusion and misunderstandings on the international stage that could precipitate a larger conflict.

"There are these questions of 'what was the intent?' and I think we need to be careful not to go [like the metaphorical hammer] looking for nails," Stifel said. "Because of the way western democracies have the private sector own most of the communications and information technology infrastructure, the lines are very blurred."

A shifting policy landscape

That ambiguity has left some perplexed as to how best to respond to a series of cyber-focused operations against the United States.

Langevin is one of 12 members of Congress to co-sponsor a bill introducedthis year by Rep. Ted Yoho (R-Fl.) that would require the president to single out as a "critical cyber threat" any foreign persons or entities determined to be responsible for a cyberattack as well as any person or organization that "knowingly materially assisted or attempted such activities." Those actors would then be subject to a range of potential economic and travel-related sanctions. Yoho's bill recentlypassed the House Foreign Affairs Committee and has garnered support from a bipartisan group of cybersecurity-focused lawmakers in the House.

The legislation is meant to codify many of the strategies employed during the first 18 months of the Trump administration to respond to high-profile cyberattacks against the United States, pairing "name and shame" tactics with economic and political pressure in a way that results in meaningful consequences for those who step over the line.

The problem is many policymakers are unsure where those lines actually are, and some question whether it's even a good idea to draw them in the first place.

Langevin believes that legislation like Yoho's bill will help to better police "the grey zone" around nation-state cyberattacks, but said he worries that being too specific could feed the potential for a Gulf of Tonkin-like misunderstanding.

"It's hard to draw red lines in cyberspace as the threats are rapidly evolving," said Langevin. "We have to be careful about being too prescriptive."

That view was echoed by many others. A majority staffer on one of the congressional homeland security committees speaking on background was reluctant to even offer a broad outline of a cyber warfare doctrine, arguing the landscape is so unsettled and the potential for new technologies like AI, quantum computing and augmented reality to disrupt the status mean that any rules the Trump administration or Congress lays out today could be obsolete five years down the road.

Even worse, the rules could box them into enforcing ultimatums that no longer makes sense in an evolving policy environment. The staffer compared the status quo to "Calvinball," a game from the popular comic strip "Calvin and Hobbes" in which the only rule is that the rules must constantly change.

"We don't have examples in history of that kind of asymmetry and how to handle it," the staffer said. "Even if you looped in the smartest, most knowledgeable people with all of the letters after their name that you could possibly imagine, they couldn't sit in a room and say 10 years from now, this framework will still hold true."

Over the past year, policymakers have been working behind the scenes to carve out a larger role for U.S. Cyber Command. CyberScoop reportedin April that CyberCom has been steadily winning a tug of war with intelligence agencies for supremacy over offensive cyber operations, including those taking place outside of traditional war zones. More recently, the organization has been wading into what is typically considered the Department of Homeland Security's turf by establishingthreat information sharing programs with the banking sector.

Curtis Dukes, who ran the National Security Agency's Information Assurance unit, said unleashing a military organization like Cyber Command to engage in offensive operations outside of war zones without a shared doctrine for conducting information warfare is a recipe for unintended consequences.

"We don't know with any level of precision what would actually constitute an act of war where we would respond either militarily or using our own cyber offensive capabilities," Dukes said. "Frankly, that needs to occur if we're going to use Cyber Command as a capability to protect the homeland."

A former high-ranking congressional staffer who worked on military cyber policy speaking on background concurred with that sentiment, saying the U.S. lacks a solid interagency process for weighing risks and examining the trade-offs of such operations.

"I'm sure there are places where it would be appropriate for CyberCom to be more aggressive, but I can tell you having sat over at DOD, that CyberCom would bring out some really stupid proposals that would sometimes ignore risks to things like the integrity of the global financial system," the source said.

Like many of those interviewed, the former staffer cited the recent eliminationof the White House cyber coordinator position as a move that would only exacerbate these problems. Langevin as well as Rep. Ted Lieu (D-Calif.) have introducedlegislation to restore the position. 

Pinning the blame

There are political and public relations factors to consider as well. When nations go to war, they often couch their decision as a defensive or retaliatory response to some malicious precipitating event.

Proving to allies and the international community that a cyberattack came at the behest of a particular nation-state is difficult. Most instances of cyber attribution -- such as those done with WannaCry and NotPetya -- can take months if not years before reaching a high confidence assessment.

Even then, policymakers may not want to risk exposing intelligence-related sources and methods. In December, the White House publicly blamedNorth Korea for the 2016 WannaCry malware.

Tom Bossert, who served as White House homeland security advisor at the time, told reporters that intelligence and technical forensics gave the government high confidence about the attribution, but he declined to specify what evidence the administration was relying on and indicated that a smoking gun definitively associating the attacks to Pyongyang was "difficult" to come by.

That sort of posture could make it trickier to convince allies that the evidence justifies a cyber or military response. A State Department documentproviding guidance to the president on international engagement around cyber matters released May 31 notes that "difficulty attributing the source of [cyber] attacks or sharing sensitive evidence to support attribution findings has made international or public-private cooperation to respond to specific threats more challenging."

Such cooperation is critical to establishing international rules of engagement in most domains of war, according to John Dickson, a former Air Force officer who previously served in the Air Force Information Warfare Center. While other domains of war have had millennia to develop clear lines of engagement, there's still significant uncertainty around how best to respond to incidents of information warfare. Because of that, Dickson argued it's sometimes best to leave policymakers with maximum flexibility.

"We don't have anywhere near the level of history, the level of conflict, the level of openness and visibility [with cyberwar] that you have in other wars," Dickson said. "The biggest deal is that if you're a talented attacker, certainly a nation-state attacker, you can prosecute and attack and still maintain some level of deniability."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

No comments: