Here's why the Pentagon is publishing its cyber-warfare rulebook – if China hasn't already hacked in and read it
A 'don't make me come over there' moment in infosec
The Pentagon has published an outline of its cyber-warfare strategy for the first time, revealing the conditions under which it will hack enemy nations.
And Defense Secretary Ashton Carter, speaking at Stanford University, has named China, Russia, Iran, and North Korea as the US's greatest adversaries in computer security.
America's leaders have avoided singling out countries in public, but Carter went further than that on Thursday, outlining to his audience at the college a hierarchy of response, the New York Times reports.
Routine intrusions into US companies ought to be fended off by the businesses themselves without government involvement. In the case of more complex attacks, the Department of Homeland Security will step in to help defend.
The most serious attacks – which officials told the NYT make up about two per cent of assaults – ought to be met with a national response led by the US Cyber Command, which is based alongside the National Security Agency in Maryland. Admiral Michael Rogers serves as Commander of the US Cyber Command and Director of the National Security Agency.
Wait, what's a "serious attack?"
Carter defined a major cyberattack as “something that threatens significant loss of life, destruction of property or lasting economic damage.” The US may attack either in retaliation for a strike, or as part of a covert operation, or just because it wants to.
Not every network intrusion has to be fought off with a cyber-counterstrike: for example, in the case of corporate espionage against American businesses, the US indicted five members of China's People's Liberation Army. In the case of the destructive attack against Sony Pictures last November, Carter said the President decided to respond with sanctions against North Korea, “not in cyberspace.”
Meanwhile, the US Department of Defense has published its 33-page cyber-warfare strategy [PDF] which has more detail in it than the strategy released in 2011.
“As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber-risk to the US homeland or US interests before conducting a cyberspace operation,” the latest document explains.
The policy paperwork adds that “there may be times when the president or the secretary of defense may determine that it would be appropriate for the US military to conduct cyberoperations to disrupt an adversary’s military related networks or infrastructure so that the US military can protect US interests in an area of operations. For example, the United States military might use cyberoperations to terminate an ongoing conflict on US terms, or to disrupt an adversary’s military systems to prevent the use of force against US interests.”
It's all about deterrence
In other words, Uncle Sam is carefully laying out the conditions under which it will open fire from its cyber-arsenal – without expressly acknowledging the existence of things like Stuxnet, the super-worm used to knacker Iran's nuclear labs in or around 2010. America and Israel are widely assumed to be behind the malware's development.
Rather, this new openness is engineered to serve as a stronger deterrent against those who wish to harm the US through computer hacking.
It's not difficult for even an impoverished country like North Korea to launch cyberattacks. Attribution in cyber-space is notoriously difficult, so aggressors think they can escape blame when they infiltrate another nation's networks. These two factors mean deterrence is much harder in the cyber-arena than in other forms of conflict.
Right now, the US is trying its hardest to deter China and pals. "Deterrence is partially a function of perception. It works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States," the new policy reads.
The DoD document sets out five "strategic goals" for its cyberspace missions:
- Build and maintain ready forces and capabilities to conduct cyberspace operations
- Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions
- Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence
- Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages
- Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability
During his speech, Carter admitted that the Pentagon – much like the White House and the State Department – had been a victim of cyber-attacks over recent months.
“The sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks,” he said, adding that the assault exploited “an old vulnerability in one of our legacy networks that hadn’t been patched.” Carter went on to put the best possible spin on the intrusion, saying a “crack team of incident responders” had “quickly kicked them off the network.”
“While it’s worrisome they achieved some unauthorized access to our unclassified network, we quickly identified the compromise and had a team of incident responders hunting down the intruders within 24 hours,” Carter said in an official DoD news release about the cyber strategy launch.
Carter also used his visit to Stanford to outline new Pentagon investment in In-Q-Tel, the CIA's tech investment arm, and new programs to allow civilian cyber-security experts to enter the defense department on short-term contracts. ®