CYBERCOM faces host of challenges as it comes online
RAF MILDENHALL, England — As U.S. Cyber Command prepares to come online in October, it faces the most basic of questions: How will it defend against and attack shadowy Internet adversaries it can’t always identify?
The latest military combatant command is tasked with protecting vital computer networks. It is also responsible for going on the offensive as part of a conventional war or to retaliate against a crippling cyber attack that could shut down America’s computerized infrastructure, the networks that make the electricity flow and the water run.
But analysts say figuring out where an attack originated is one of many challenges for CYBERCOM.
“The biggest single technical issue we face is the attribution problem, the ability to confidently tell political and military leadership, yes, indeed, we know this [attack] came from ‘Kabukistan,’” said Daniel Kuehl, director of the Information Concentration Strategies Program at the National Defense University. “We can’t do that right now.”
Kuehl offered the 2007 cyber onslaught against Estonia as an example. While many suspect the Russians were ultimately behind the attack — one that swamped and disrupted the websites of the Estonian government, banks and media — Kuehl said the largest number of computers used to overwhelm Estonian networks were in the United States.
The computers had been taken over via a Trojan, a computer virus that gets into a computer and then waits for a remote command, Kuehl said. The result was a bunch of “zombie” computers that were under the control of someone other than the owner, leading to a wave of traffic that crashed the Estonian websites.
“Were we going after Estonia? Of course not,” he said. “But who was behind it? … We couldn’t answer that.”
In a speech earlier this year to the Center for Strategic and International Studies, CYBERCOM commander Army Gen. Keith Alexander said the attribution issue will be “very difficult.”
The need to figure out such questions is urgent: Defense Department systems are “probed” by unauthorized users about 250,000 times an hour, or 6 million times a day, Alexander said.
“Cyberspace consists of vexingly complex systems that ship and store unimaginably vast amounts of data,” Alexander said.
The attribution issue likely won’t go away anytime soon, according to Jeffrey Carr, the author of “Inside Cyber Warfare,” who specializes in the investigation of cyber attacks against governments and infrastructures.
“There is no way to establish attribution,” he said. “There will probably never be a way to do it under current Internet architecture.”
If CYBERCOM has figured it out, no one is telling.
“For security reasons, we will not discuss specific capabilities, and current or planned operations,” CYBERCOM spokesman Lt. Cmdr. Steven Curry said in an e-mail to Stars and Stripes.
It’s not just a matter of finding out who attacked. CYBERCOM must also ensure that any retaliation hits its intended target and doesn’t harm networks or servers in neutral countries. The problem is more vexing because an attack could come not only from another country, but also from criminal groups, terrorists or hackers financed by another government.
The cyber world has no boundaries, and that makes planning a strike that much harder.
“The ability to confidently model and predict and analyze what’s going to happen when I press this key right here, that’s a technical issue we’re trying to figure out,” Kuehl said.
A March report in The Washington Post showcased that domino effect.
The CIA and the Saudi Arabian government took down a website in 2008 that they had used to uncover terrorist plots against the kingdom. The dismantling of the site inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, an unidentified official said in the article.
A cyber attack that could “bounce through a neutral country” exacerbates the complexities of the military operating in the cyber world, Alexander said during testimony to the Senate in April.
CYBERCOM also needs to know who attacked in order to decide upon the appropriate form of retaliation, Kuehl said.
“If it’s a bunch of kids in a garage in California, it’s going to be a different response than if it’s a terrorist group,” Kuehl said.
The kind of attack that would justify a military cyber response is another question for the new command, according to James Lewis, head of the Technology and Public Policy program at the Center for Strategic and International Studies.
“The problem is most of the bad things that happen now don’t justify the use of military force,” Lewis said.
The international norms of war and questions of neutrality are also being thrown up in the air with the advent of cyber operations.
During the 2008 war between Georgia and Russia, Georgian computer systems were attacked, effectively cutting the small country off from cyberspace.
At one point, Kuehl said, a Georgian expatriate who ran a server in America offered the Georgian government use of that server, and Georgian leaders accepted her offer.
“There are some very long-standing laws of neutrality that say when countries are engaged in armed conflict, you’re not allowed to do stuff that helps one side or the other,” Kuehl said.
In this case, it could be argued that the U.S. did not remain neutral, he said.
“Here you had stuff inside of America, committing itself to one of the two belligerents,” Kuehl said. “This is a really interesting new world we’re living in.”