WASHINGTON — The burial at sea was just a few hours old when sources around Washington began to spill the tactics and objectives of the May 1 mission that killed Osama bin Laden. Quickly, a substantial picture of shadowy mission in Pakistan emerged.
But nearly two years after another operation that in terms of ingenuity and audacity might be considered the cyberwar equivalent of the bin Laden mission — the Stuxnet attack that destroyed crucial equipment in Iran’s nuclear program — the silence remains unbroken. Military and civilian leaders have steadfastly refused to confirm or deny U.S. involvement.
Classified, it seems, is the enduring reality of computer warfare.
Even though the Pentagon this year formally declared cyber a new domain of warfare equal in importance to land, sea and air, a murky blanket of secrecy covers not only its operations but its policies and doctrines. It’s a level of obfuscation that far outstrips that which surrounds U.S. conventional and nuclear capabilities.
“Cyber is a giant abyss at the moment,” says cybersecurity expert John Bumgarner, research director for security at the U.S. Cyber Consequences Unit. “For someone in the Defense Department to comment on their offensive capability or defensive posture at the moment, it’s very unlikely.”
Even recent published reports that the U.S. considered but opted against launching a cyberoffensive to precede the air war in Libya took months to surface.
Keeping a lid on precise capabilities is necessary to prevent adversaries from gaining information that could neutralize U.S. power, experts say. And with U.S. Cyber Command operating hand in hand with the National Security Agency — both are commanded by Army Gen. Keith Alexander — secrecy comes naturally, said cyberpolicy analyst James Lewis of the Center for Stategic and International Studies.
“NSA is always on the outskirts if not actively involved in cybermatters,” he said. “Signals intelligence people are hypersensitive talking about anything. The old joke is the lunch menu at NSA was classified.”
But with secrecy even extending to broad doctrines and policies — deciding what constitutes an attack or what avenues of response are allowed — crucial policy discussion and debate is being hampered and restricted to a tight circle with the relevant security clearances, many experts say.
“One of the things we need to do is put markers in the sand to serve as a deterrent for other actors, notably other nations [eyeing the United States as a potential target],” said Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. “Information about our operational capabilities should be secret ... but I think we need declaratory policies in this space.”
A former high-ranking intelligence official said as much earlier this month before Congress.
“This may come as a surprise, given my background at the NSA and CIA and so on, but I think that this information is horribly over-classified,” said retired Air Force Gen. Michael Hayden, former director of the CIA and the National Security Agency. “The roots to American cyberpower are in the American intelligence community, and we frankly are quite accustomed to working in a world that’s classified. I’m afraid that that culture has bled over into how we treat all cyberquestions.”
But Air Force Gen. Robert Kehler, who oversees Cyber Command as head of U.S. Strategic Command, told the media Tuesday that some policy matters need to be guarded in the uncertainty of the still-developing domain.
“I do believe without question there needs to be a full conversation about doctrine and there needs to be a full conversation about rules of engagement,” Kehler said. “I can’t say all of that needs to be in the public domain.”
Perhaps the most successful — and most successfully locked down, from a disclosure standpoint — remains the Stuxnet attack.
No one has yet proven who perpetrated the Stuxnet malware operation that in late 2009 or early 2010 began to cause computers in the Natanz nuclear facility in Iran to go haywire. The worm may have set work back by several years in a program that the United States says is aimed at one day producing nuclear weapons with which to threaten its neighbors.
Though Western researchers and Iranian investigators alike point a finger at the United States, frequently alleging a U.S.-Israeli collaboration, U.S. officials will not comment.
Months before the attack was disclosed, Bumgarner, a retired U.S. Army special operations veteran, former intelligence officer and cyberwarrior, penned an article in an information warfare journal that, clearly, no one in Iran’s nuclear program read or took seriously. The article, titled “Computers as Weapons of War,” suggested that centrifuges used to refine nuclear fuel could be made to destroy themselves with the right kind of offensive cyberweapon. Soon after, that’s what happened. (Among its other effects, Stuxnet is also thought to have put a Russian-built Iranian nuclear power plant at risk of meltdown.)
Bumgarner says he wrote about the centrifuge vulnerability simply to show what can be accomplished. Many other U.S. opponents have similarly vulnerable systems, as does the United States, he said.
The key from the standpoint of the attacker is not to tip one’s hand, Bumgarner said. Obscuring precise capabilities gives you an edge, while revealing too much information weakens you.
“When it comes to cyberweapons, some of the things that you develop need to be held close to the vest,” he said. “If information about a specific cyberweapon leaks out, the adversary can adjust their defenses and your offensive capability will be diminished.”
The key for U.S. officials, and the thing that perhaps keeps their lips sealed in public, is knowing the line between healthy public discussion and tipping off adversaries to their own weaknesses.
“A conventional weapon can be effective for years, perhaps even decades,” he said. “A cyberweapon’s effectiveness might be measured in minutes until someone applies a patch or a new security filter.”