DOD preparing to unveil overarching cyber strategy
WASHINGTON — The attack lacked the explosive impact of a roadside bomb or the visceral threat of incoming bullets. Defending against it wasn’t a matter of finding cover and returning fire.
This was a new kind of war.
The only giveaway the United States was being targeted at all was a subtle, unexplained flicker on a Department of Defense computer screen in August 2007.
The person sitting at the terminal that day was John Bumgarner, a retired U.S. Army special operations veteran and professional hacker who’d come to an office of one of the service branches — nearly four years later he says he’s not at liberty to divulge which one — to give a how-to presentation on attacking enemy computer networks. Something subtle about the behavior of the computer he’d borrowed to make printouts tripped a mental alarm.
“I saw the screen flicker and thought, ‘Hmm, that looks strange,’” said Bumgarner, a researcher at the U.S. Cyber Consequences Unit, a Washington-based think tank.
His job is to study the shape of future conflicts in which computers will be weapons, and the vast web of interlaced networks that connects them — a realm called “cyberspace” — will be the battlefield.
The Pentagon is expected in coming weeks to introduce an overarching cyber strategy that officially declares cyberspace a domain of warfare equal to land, sea and air in importance.
Using software tools, Bumgarner isolated the offender — a deviously simple computer worm able to rifle through hard drives and forward documents to servers overseas. How it got there was a mystery, but users from a number of agencies became unwitting carriers when they connected USB flash drives to the network to upload or download material.
“The people who used it all had security clearances,” he said. “They were infecting computers their agencies gave them, and then would have gone back and infected their agency’s networks.”
After notifying the proper authorities about the worm, Bumgarner saved a copy to test commercial antivirus software. He has yet to find one able to neutralize it.
While the episode might look to an outsider like little more than a case of computer help desk work on steroids, to the Defense Department, it represents one aspect of a new class of warfare.
Analysts say cyber conflicts of the future could vary in intensity from quiet campaigns of network intrusion to steal technology all the way up to what Pentagon leaders call a “cyber 9/11,” with terrorists carrying out deadly attacks on utilities, industrial facilities or air traffic control systems.
“We are collectively vulnerable to an array of threats ranging from network instability to criminal and terrorist activities to state-sponsored capabilities and actions that are progressing from exploitation to disruption to destruction,” warned Army Gen. Keith Alexander, who oversees military network defense as head of U.S. Cyber Command, during testimony before Congress in March.
Though defense officials would not discuss the upcoming cyber strategy as they finalized it in recent days, Deputy Secretary of Defense William Lynn previewed it in a February speech at a computer security conference.
Besides elevating the status of cyberspace, the strategy calls for:
-- “Active defense” systems for military networks. The systems use “sensors, software and signatures derived from intelligence to stop malicious code before it succeeds.”
-- Planning and coordination with the Department of Homeland Security. This will ensure that critical civilian infrastructure on which the military also relies is safe from cyber attacks.
-- Commitment from the Pentagon to work with allies to build international network defenses.
-- A public-private partnership to secure networks.
While experts say the strategy will leave key points undecided — for instance, which responses are merited for specific types of attack, or how much the Pentagon will participate in defending non-military networks — one thing is clear: Information technology and the Internet are entwined in nearly every facet of military operations, from departmental email to battlefield operations.
As a result, every function of the U.S. military is vulnerable in some degree to cyberattack.
Cyber incursions like the worm Bumgarner found cause slow information leaks, but keeping cyberattackers out of the Pentagon’s networks is becoming a matter of life and death.
“The modern weapons systems are all networked; they have their own IP addresses,” said Tom Conway, who works with the Defense Department as director of federal business development for computer security firm McAfee. “There are over 15,000 networks in over 100 countries. That’s a lot of targets.”
Cyber experts say threats are coming from every direction: lone hackers, foreign intelligence services and organized groups of digital infiltrators.
“The threat to our computer networks is substantial,” Lynn said in a 2010 speech. “They are scanned millions of times a day. They are probed thousands of times a day. And we have not always been successful in stopping intrusions.”
In one high-profile 2008 incident, a computer worm able to steal documents was uploaded to a military laptop in the Middle East. The worm proliferated on classified and unclassified networks before its discovery, which prompted creation in 2009 of Cyber Command.
While the defenses are getting tougher, they’re far from perfect, Alexander said. Asked to grade Cyber Command’s current capability, he gave it a C.
“I’d like to say an A, but I think it’s going to take us some time to get to an A,” Alexander told Congress in a March hearing. “An A is where I believe nobody could penetrate that network.”
Cyber Command’s top need is for trained network warfare experts, who are in high demand throughout the military, Alexander said. Because the cyber domain has only recently been made a top priority, there’s a small pool of experienced cyber operators to draw from.
“To put it bluntly, we are very thin, and a crisis would quickly stress our cyberforces,” Alexander told Congress last month.
The service academies are one part of the military ramping-up efforts to fill the demand. Mandatory computer science courses lay out the basic steps to network security, as well as more advanced training for budding specialists.
“We try to bring home to them the threat is very real, and that there are really adversaries out there trying to get into their systems,” said Lt. Col. Robert Fanelli, a professor at the U.S. Military Academy who teaches cybersecurity. “At a basic level, we try to teach them how to properly configure a secure network. Much of the cyber threat is a result of making mistakes that are the equivalent of leaving your front door open.”
While the Pentagon’s cyber defenses are far from perfect, many experts say the Defense Department is the leading government agency at network security and its efforts far outstrip private industry’s response to the threat.
“The D(efense) Department is leading the charge, far ahead of the rest of the government,” said Joel Brenner, national counterintelligence executive for the Director of National Intelligence from 2006 to 2009, in an email interview.
But currently, the Pentagon is only authorized to defend military networks. It lacks legal authority to extend its defenses elsewhere, in part because of concerns of civil libertarians and private industry about government domination of the Internet.
Testifying in March before the House Armed Services Committee, Alexander was asked what Cyber Command could do if the U.S. electric grid were targeted.
“We do not have the authority to stop that attack,” he admitted.
National infrastructure protection falls instead to the Department of Homeland Security, despite its far smaller cyber budget. The Pentagon’s most recent 2011 budget request for cybersecurity was more than $3 billion, while DHS budgeted $936 million.
In the case of a cyber 9/11, however, the military would likely have to take the lead with presidential authorization, said retired Rear Adm. Edward Masso, a cybersecurity researcher at the Potomac Institute for Policy Studies.
“Who is the country going to turn to in a cyberattack against the [Federal Aviation Administration] radar system?” he said. “It’s going to fall to the military because they’re the most capable and that’s what the public will demand.”
Although the larger jurisdiction question remains, recent collaboration between the Pentagon and DHS has targeted certain aspects of the cyber threat, Alexander told Congress. The departments are working in pilot programs with private defense contractors as well as with major Internet providers to make the nation’s networks more secure.
Establishing culpability for attacks is one of the most daunting technical tasks in the cyber domain.
“Missiles come with a return address,” Lynn said. “Cyberattacks, for the most part, do not.”
The 2010 Stuxnet computer worm, the most sophisticated yet, infiltrated an Iranian network thought to be secure and destroyed equipment crucial to the country’s nuclear program. Though no perpetrator has been established, some theories point to Israel or the United States.
But if an attacker is discovered, what options exist? The question is not addressed by the Pentagon’s upcoming cyberstrategy, but could be key if a truly damaging cyberattack occurs. There is no international legal framework for making such decisions, said Bumgarner.
“All of the guidelines for waging war were designed when war was about land, sea and air,” he said. “If a nation penetrates your land borders or airspace, it’s clear how you can respond.”
Cyberspace knows no geography, Bumgarner said. When Russian hackers shut down Estonian websites, some of their attacks came from servers within the United States. Under NATO rules, does that make the United States responsible for attacking its own ally?
“NATO Article 5, which says an attack on one is an attack on all, is going to have to be reworked to acknowledge what war is going to look like in cyberspace,” he said. For that matter, “it’s probably time right now for the United Nations to take up this topic.”
Envisioning the threat
As cyberwarfare matures, technical and policy issues will arise that planners haven’t yet thought of, Masso said.
But like all warfare, the enduring challenge will be one of imagination, of outthinking the enemy, he said. Failure to do so could result in a digital equivalent of the Maginot Line — France’s costly, supposedly impregnable border defense built after the first World War that Germany simply bypassed in 1940, attacking from a different direction.
“From the history of my own service, Admiral Chester Nimitz once said the Naval War College fully prepared him for war, except for one thing — the kamikaze,” Masso said. “That was a major step development in the history of asymmetric war, and cyberware is another step.
“So for all the services, the key thing now is to be asking, ‘What is the next kamikaze?’”