Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.

Schmidt’s official title is cyber-security coordinator at the White House, a job he took over just before Christmas. Schmidt has no budgetary authority, but he said that doesn’t make him powerless, because his office is in the White House. He’s been there before as an adviser to President George W. Bush, and he’s been the president and board member of countless security associations.

One of his first moves in his new job was to publish an unclassified summary of the country’s 12-point cybersecurity plan, known as the Comprehensive National Cybersecurity Initiative, a move toward transparency that he announced Monday as the keynote speaker at the world’s premier security conference.

That plan was first formulated under a veil of secrecy in January 2008 by President Bush. He was prompted in no small part by McConnell, who was director of national intelligence and reportedly convinced the president that a cyberattack could cause more economic damage to the United States than the 9/11 terrorist attacks.

Much of the authority and the funds under that initiative fell to the National Security Agency, the military’s premier spying agency that also has responsibility for locking down the government’s classified networks. Not surprisingly, McConnell, as DNI, held power over the NSA.

McConnell rejoined Booz Allen Hamilton, a defense contractor who made more than $4 billion in 2008, mostly in government contracts, including secret ones. A former NSA director, McConnell now servers as the vice president for national security business at Booz Allen Hamilton. It was recently acquired by the powerful and politically connected Carlyle Group, the world’s largest private equity whose advisers and board members have included George Bush, George W. Bush, James Baker and former SEC chief Arthur Levitt.

In an op-ed in the Washington Post last weekend, McConnell called for a re-engineering of the internet and a return to a Cold War mentality of deterrence, based on the threat that the United States would massively retaliate against any perceived attack.

“More specifically, we need to re-engineer the internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable,” McConnell wrote.

Threat Level rebutted that notion Monday, in a post that called McConnell the greatest threat to the internet.

For his part, Schmidt said no re-engineering of the internet is in the plans under the Obama administration. And he re-emphasized the president’s promise — delivered in a May speech addressing cybersecurity — that the government would not monitor the internet at large.

“People have to recognize that when we close the door and go home, we are just normal netizens like anyone else,” Schmidt said. “I’ve been in the internet from the very beginning. We don’t want to see it changed to where it is no longer available and we don’t have the ability to do things anonymously as we choose to in certain realms.”

“But we also need to do our financial transactions securely and you need to be able to file your story online in a manner so that by the time you upload it, it doesn’t say ‘At noon, today San Francisco had a terrible earthquake’ when that didn’t happen,” Schmidt added.

But that commitment to keep the government’s monitoring equipment out of the commercial internet seems belied by a CNET interview at RSA with a Homeland Security cybersecurity official, who said that DHS was considering installing its classified “Einstein 3″ security technology to non-government infrastructure. UPDATE: DHS spokeswoman Amy Kudwa says that the “CNET story failed to include the vast majority of Greg Schaffer’s comments, which made clear that, consistent with all published Privacy Impact Assessments, the President’s remarks last May, and the declassified summary of the CNCI released this week, EINSTEIN is intended for government networks.”) Schaeffer “simply acknowledged that as we move forward, there may be opportunities to share capabilities with the private sector.”

Cyberwar advocates make their case for this in part by pointing to high-profile stories that hackers have penetrated the grid and, in some cases, caused massive blackouts including the 2003 cascading failure in the Northeast that affected some 50 million citizens. Those stories (on 60 Minutes, in the Wall Street Journal and the National Journal), relied nearly exclusively on anonymous defense intelligence officials or contractors, and are often easily debunked.

Schmidt said it’s possible that hackers have gotten into administrative computer systems of utility companies, but says those aren’t linked to the equipment controlling the grid, at least not in developed countries. He’s never heard that the grid itself has been hacked.

“As for getting into the power grid, I can’t see that that’s realistic,” Schmidt said.

There’s been much ink spilled in recent years over the turf battles in D.C. over whether the NSA (representing the military) or DHS (on the civilian side) takes the lead role in cybersecurity.

Rod Beckstrom, now the president of the International Corporation for Assigned Names and Numbers, resigned from his role heading cybersecurity for DHS last spring. He protested that the NSA was encroaching too far, and that the job of protecting non-military government websites should be handled by civilians — especially as the government pushes citizens to use those websites for more and more business.

But Schmidt said he hasn’t run into that problem and said government agencies are working together.

“I haven’t seen that tension,” Schmidt said.

As for which will take the cybersecurity lead, Schmidt simply says it’s a shared effort.

But that’s a very thorny issue — one that has dogged the government’s intrusion protection system Einstein and its successors, Einstein 2 and 3.

Why should U.S. citizens trust cybersecurity to the NSA? Under President Bush, it secretly turned its powerful spying apparatus inward in violation of U.S. law and its longstanding mantra to never spy on citizens.

Schmidt counters that the NSA has long had the job of protecting classified computers and has already become a participant in the wider security community. Among other things, it offers advice on how to secure computer systems, such as Linux and Windows. And more important, Schmidt said, the president maintains the NSA has to obey limits.

“When your boss, in our case the president, tells an agency not to do something and here are the controls put in place and here is the coordination put into place, that’s a pretty big commitment,” Schmidt said.

As for his priorities, Schmidt says education, information sharing and better defense systems rank high.

That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side.

“One thing we are looking at is how do we make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”

The government must also be active in reducing its own vulnerabilities, according to Schmidt.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

Schmidt, who has held cybersecurity positions inside the Air Force, the FBI and Microsoft, mentioned he’s part of a Facebook group of Wired magazine collectors. The oldest one he has, he said, had co-founder of the Electronic Frontier Foundation John Perry Barlow on the cover. Though the irascible Barlow never made the cover (other than a mock-up of the first edition), Schmidt could have been referring to Issue 2.04 which included a promo for an essay from Barlow.

Fittingly, that essay – about the failed effort to mandate government-accessible backdoors in encryption technology, was titled “Jackboots on the Infobahn.”

http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/

The suggestion that Lanxiang was a source of the Google attacks was greeted with widespread ridicule in China. One of many large, privately-owned vocational schools in China, it mainly offers courses in cooking, hairdressing and auto repair. Its computer classes cover basic word processing, spreadsheets and Photoshop. Like other schools in the sector, Lanxiang relies heavily on TV advertising to attract students but blog posts from former students complain of high fees, poor quality teaching and general chaos.

Keystone Cops

It is possible a secret hacker unit from Chinese intelligence is located in or using the school. But if so, it must count as the most bungling, Keystone Cops-style outfit in the history of spying.

Why wouldn’t China put investigators off the scent by mounting the attacks from abroad? Surely Chinese intelligence could recruit one or two of the 200,000 students who leave China every year to study overseas. Or send an agent abroad for a week to hack Google and bring the results back on a memory stick. Are Chinese spies really dumb enough leave their digital fingerprints all over the Internet for the men in black to pick up?

During the whole Google affair overexcited journalists have been briefed on the one hand by anonymous spooks, and on the other, by computer consultants enjoying their day in the limelight, and for whom the publicity is gold dust.

Almost nobody is putting the issue in perspective by asking obvious questions such as: Was there a serious security breach? It seems not. How long have similar attacks been going on? The answer is probably for years. What were Google’s motives in making this attack public? It will have done them no harm to polish up their “do no evil” image at a time when they are under fire from all sides on privacy issues. Who else is doing similar things? Almost certainly they include the intelligence services of every major power, as well as freelance hackers and “non-state actors”.

But perhaps we are looking in the wrong direction. The real story may be America’s cyber warfare buildup.

During his election campaign, Barack Obama said “As president, I’ll make cyber security the top priority that it should be in the 21st century. I’ll declare our cyber-infrastructure a strategic asset and appoint a national cyber adviser who will report directly to me.”

US Cyber Strategy

In May 2009, the Pentagon created a new military command for cyberspace. The New York Times remarked that it revealed “preparations by the armed forces to conduct both offensive and defensive computer warfare.”

In December 2009, as the attacks on Google were taking place, Obama appointed former Microsoft executive Howard Schmidt as Cyber-security Czar

A White House Cyberspace Policy Review published in June 2009 was peppered with references to public-private partnerships and will have made computer security firms salivate at the prospect of becoming fully-fledged members of the military-industrial complex.

In fact, another great source of bloodcurdling quotes on the Google affair has been computer security experts who have every interest in keeping the story alive.

The CEO of data encryption company PGP went so far as to compare Obama’s cyber plans to President Eisenhower’s order of the day on D-Day, calling it a “blueprint of what is required for us to achieve victory in this conflict,” adding “as Ike [Eisenhower] said, we can accept nothing less than ‘Victory!’”

Missile Gap

No-one should blame managers of security firms for taking the White House cyber strategy seriously. After all, there is serious money to be made. But journalists have a duty to be skeptical of government agents and those may profit from a story.

Fifty years ago, in his presidential campaign, John F Kennedy pointed to a “missile gap” between the Soviet Union and the US. President Eisenhower denied the Soviets had an advantage, but the Sputnik program had spooked the public and no-one believed him. By the time the missile gap was revealed as a myth it had played its political role.

2008 was not 1960. Obama’s cyber strategy played a very small part in his campaign. But the Google hacking storm has come as a welcome diversion from domestic difficulties. The rest of us would all do well to remember that the balance of power in cyberspace remains heavily weighted in favor of America and that hysteria about Chinese hackers is overblown.

Mac Slocum: If you had five minutes or less to give somebody a firm sense of cyber warfare, how would you do that? What would you tell them?

Jeffrey Carr: I like the illustration of the introduction of the handgun. When Colt invented it, it became known as the great equalizer. So the way that the handgun revolutionized warfare is being done now, again. And it would be fair to call cyber warfare the great equalizer because it balances the scales between a vastly superior force and any nation. That’s because of two things: the vulnerability of the current Internet and because most modern military forces are network-centric. The reliance on networks, particularly power networks, to conduct war is critical. Anybody who can attack the network can greatly inhibit a superior adversary. So I think that’s a revolutionary step forward.

MS: Does the cyber warfare threat come from a specific government, or is it more broadly disbursed than that?

JC: I think that every government potentially would use cyber warfare in its own defense, including the ones that we normally would think of. So when it comes to China, for example, they’ve made it very clear they’ll act defensively. You can go back historically and see that.

Part of the Chinese government’s operational guidance for their military is that if an imminent attack was present from the United States, they would launch a preemptive network attack. And so in order to be able to do that, they need to have access to our network beforehand. And that’s why I believe this is such a serious matter. You may not hear about blackouts or power grid failures or any kind of cyber intrusion into the vast electrical grid system, but I think you need to accept the Chinese military at their word and recognize that this is their goal.

Russia, on the other hand, has not made it as clear as China. And Russia has not demonstrated that it would only attack in self-defense. It has used cyber attacks in an aggressive, offensive manner many times, going back into the late ’90s. It’s a whole different ballgame there.

So it really depends on the state. Is it an aggressor nation? Then they’ll use it offensively like Russia has done. There are numerous states in Africa that are using cyber in an offensive manner against internal opposition. We’re going to see more of the prevailing party attempting to silence the opposition party through various means, including cyber attacks.

MS: Doesn’t that mean we’ve got an awful lot of states infiltrating and spying on each other’s systems right now?

JC: Sure. But that’s not new. I call espionage the world’s third oldest profession because it’s been around forever. This is just a new way to conduct espionage that we didn’t see before.

MS: How long has cyber warfare been going on?

JC: It was already happening back in the late ’90s. There was a commission during the Clinton administration. They released the Marsh Report [PDF] in 1997 and it discussed a lot of the same things that we’re hearing about today. It’s not new. It just happens to be a hot topic today.

Governments should worry, not people

MS: Clearly, there’s a threat. And clearly, it’s been present for quite a while. But if we take this down to the individual level, how does personal privacy factor into all this?

JC: Most people don’t have to worry about it. Like the current deal that’s being negotiated between Google and the NSA. The NSA really doesn’t care about most people. They’re only looking for certain things. So I don’t think privacy is an issue.

However, the more important part about privacy is that we’ve already given up privacy voluntarily because of what we post on Facebook, MySpace, Twitter, LinkedIn, Live Journal, and a host of other smaller but still available web forums. So if all a country is doing is mining what’s already out there, then is that considered a violation of privacy? Because it’s publicly available and you made it available.

MS: So how should people approach this?

JS: What I do is if I don’t want it to be known, I don’t post it. I don’t care if it’s password protected or not.

But you don’t want to get carried away. You need to consider: What do I have that’s of value to someone else? That’s what you don’t want to post. Like your bank information. Or if you work for a government or a company and you’re in a position where you know that you’re going to be targeted, then you would have a different approach to your Internet security vs someone who just works in his own neighborhood. That guy doesn’t have any national security ties or work for any industries that are of interest to foreign estates. Most likely, he’s perfectly safe. He shouldn’t really be too concerned.

MS: That’s just common sense, right?

Yeah. I really do want to see it balanced. I hate exaggeration on either side. To over blow the threat is just as wrong as to hide it. What I tried to do in the book is just make it as factual and as balanced as I possibly could.

MS: So some people might work themselves up unnecessarily, but what about governments? Do they take this seriously enough?

JC: The U.S. government is clearly not taking it seriously enough. It makes absolutely no difference what they say because, like I said, you can go back to 1997 and read the Marsh Report and see for yourself. Action is what counts.

My biggest aggravation — I published a post about this on my blog — is you need to start putting your country first. I realize that sounds corny. But in adversary states, it’s not corny. They do put their nation’s interests first. In the U.S., we push that aside for profit. If it hurts business, if it hurts the economy or if it even has the potential of doing that, then we set it aside. And that’s taken us to a place of high vulnerability.

I would like to see people put their self-interests aside, recognize the seriousness of the threat, and collaborate together on actions that can defend us.

The solutions

MS: So what recommendations would you make to governments? What actions can be taken?

JC: The first thing that I would do is enforce the existing requirements that ISPs vet their customers. By ISP I mean any Internet service company that sells or leases servers to host websites. Servers are used as attack points, and if they’re in the United States that’s the best because you’ve got reliable power, great up-time, and it’s relatively cheap. Attribution is almost impossible because you’re attacking a U.S. government website from a server that’s located in the U.S. So who’s responsible?

We can fix that if you simply bring the law to bear on these companies and force them to vet their customers and to monitor what their customers are doing. You could solve a lot of problems overnight because you would force them [countries/people looking to conduct cyber warfare] to find other servers outside of the U.S. It would help attribution and it would help reduce the vulnerability via the internet.

The other thing I would counsel is to evaluate what you own that’s at risk. Consider taking it entirely off the internet. Crucial infrastructures use what’s called an air-gapped strategy, where the control servers have no connection whatsoever to the public Internet. The U.S. government does that with their secret network. SIPRNet is completely isolated from NIPRNet, which is the unclass intranet that runs throughout the government.

MS: You mentioned cyber attack attribution. How are you tackling that?

JC: Most companies are trying to find a technical solution. The thinking is: If you look at the malware closely enough, if you look at the nodes, is there a particular signature that assigns attribution? I’m not convinced there will ever be a technical solution to attribution.

What my company does is expand the picture greatly. We start at the state level. What do we know about what those states are doing? What R&D projects are they financing within their research institutions? That’s where you have to begin because once you know what’s been attacked, then the next question is who does that serve? Who would find that information of value? Is it only of value to a state? That’s where you’ll start looking.

If you can find a state who is actively researching a particular area, and the information that was stolen supports that research, that adds another brick to the wall. We’re looking at it like a criminal case. You have to build a full picture because you’ll never find a smoking gun.

No source, no counter-attack

MS: If a cyber attack can come from anywhere, how does that change the whole notion of a counter-attack?

JC: Right now, that’s why deterrence is impossible. As long as attribution is not forthcoming, you cannot deter. You cannot respond, unless you completely change the model of attribution. And that might be possible. That’s what my company and others are working on. We’re building a more comprehensive model of how to identify where an attack has come from. So it is a challenge that’s being addressed, but it’s going to take a little time before we have an agreed upon way of doing that.

It requires international cooperation. I think the U.S. is on the right track when it comes to trying to have agreements signed among various law enforcement agencies to pursue cyber criminals across borders. It’s the same network. The network that’s being used to send out phishing scams and botnets is, often times, the very same network that’s used to launch various attacks against nation states.

MS: Is “warfare” the wrong word to describe what’s happening? Is it dangerous to categorize cyber warfare as a military domain, like “air,” “land,” or “sea”?

JC: The name of the book is “Inside Cyber Warfare,” but I hate using that word. I used it because that’s what everybody’s using. But there is no agreed upon definition of what an act of cyber warfare is. It just doesn’t exist. There’s cyber conflict. There’s cyber attacks. There’s cyber espionage. There’s all of that. But there is no cyber war that we can point to that has any legal substance.

I think it’s dangerous to define domains in the sense you don’t want to put limitations in your mind about what’s possible via the Internet. The Internet is so completely pervasive that if you only think of it as a single domain, you’re going to block out threat possibilities that could impact other domains. You’re not safe if you’re at sea from a network attack. You’re not safe in the air from a network attack. That’s why I think it’s limiting and probably shouldn’t be defined that way.

A different view of China

MS: For China in particular: what are the things to consider and what are the things to look out for?

JC: China clearly has a lot of problems internally. Their economy is growing, but it’s still relatively fragile and highly dependent on the U.S. The difference in economic conditions varies radically from the countryside to the cities. On the other hand, they own over a trillion dollars of U.S. debt. That gives them incredible leverage. So that’s a balancing act that’s going to be very interesting to watch, especially over this Google issue. But they’ll never concede to eliminating censorship on their Internet. They’ll walk away from Google if that’s what it takes.

People inflate fear about China, but China has no interest in attacking the U.S. They want the same things that any country would want. And they’re going about it the same way that we would go about it. We’re doing espionage. We’re looking after our interests. We’re exerting our will as a nation. It’s silly to try to take the moral high ground here. It doesn’t serve any useful purpose.

MS: One of the interesting points that came out of the Google-China analysis is the idea that Google has its own foreign policy now. Do you think that’s the case?

JC: Honestly, I don’t see it as anything new. The idea of a new, more sophisticated attack against Google that we’ve never seen before, I think that’s overblown. The idea that you have hackers who gain entrance to a network and then exploit data from that network, that’s not new. This is all just espionage. Google is just another company that has something of value.

But Google does represent a turning point because it’s getting so much press. It’s raising the issue to the point where the U.S State Department got involved. That’s all good.

Near-term hotspots and the most vulnerable target

MS: Broadly, what do you see happening within cyber warfare over the next few years?

JC: Africa has a huge population of infected computers. I read one estimate a few months ago that they have about 100 million PCs scattered throughout the continent and maybe 80 percent of those are infected. Once broadband hits Africa, then you’ve got this huge opportunity for botnets to spring up. These mega botnets could conceivably dwarf Conficker or some of these other huge botnets.

East Africa is another spot to watch. In Somalia, where piracy is lucrative and the area is so lawless, it’s such a chaotic environment. There’s a growth of religious extremists there as well. So you’ve got criminals with a huge pile of cash, these pirates, and then you have these radical extremists looking for ways to create havoc. Should their interests coincide, I would fear for very destructive Internet attacks.

MS: Last question: Out of all this, what’s the thing that keeps you up at night?

JC: The most worrisome thing to me is the vulnerability of the power grid. I just released a report on this — it’s Project Grey Goose’s Report on Critical Infrastructure — where I and my team of researchers document the problem. The Department of Defense has identified 34 critical assets to conducting its mission. Thirty-one out of the 34 are dependent on the public power grid.

I know in my state of Washington, they tell us that if there’s an earthquake or some other natural disaster, you can expect no help for at least seven days. There will be no police response, no 911 response, no National Guard for at least seven days because they’ll all be busy protecting critical infrastructures. And so that’s what I worry about. The grid is so vulnerable. It would cause a lot of chaos here if somebody were to actually attack it.

Note: This interview was condensed and edited.

“History teaches us that the character of each individual war is always different and most certainly will change, but the enduring nature of war as a human endeavor will remain largely unchanged.”

—General James N. Mattis

The United States Army War College in partnership with The SecDev Group conducted a workshop examining cyberspace operations from the warfighter’s perspective. The workshop was held 26–28 January 2010 at the Collins Center for Strategic Leadership, U.S. Army War College, Carlisle Barracks, Pennsylvania.

BACKGROUND
The U.S. Department of Defense defines cyberspace operations as “the employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace.” Cyberspace emerged as a national level concern through several recent events of geo-strategic significance. Estonian infrastructure was attacked in the spring of 2007 allegedly by Russian hackers. In August 2008, Russia allegedly again conducted cyber attacks this time in a coordinated and synchronized kinetic and non-kinetic campaign against Georgia. It is plausible that this may become the norm in future warfare among those nation-states having the capabilities to conduct such complex excursions. Much has been written about the issues of cyberspace at the national strategic level: lack of attribution; applicability to the law of armed conflict and international treaties; determination of criminality vice act of war. But
the body of knowledge does not inform us about how this concept of cyberspace operations impacts and will be adapted by warfighting commanders in the contemporary and future operational environment. The workshop seeks to examine this issue and use the Georgia-Russia case study to draw lessons to apply to current and future warfare.

The workshop will center on three themes. The first theme considers the strategic frame from the perspective of defining cyberspace as a domain of military operations including a consideration of what defines “maneuver” in cyberspace. The second will consider situational understanding in terms of how cyberspace operations fit within the warfighting commander’s mission set across the full spectrum of conflict. It will specifically consider how to gain
situational understanding as input to planning and executing joint operations. The final theme considers cyberspace “fires,” that is the toolset such as authorities and rules of engagement that determine strategic utility and tactical applicability.

OVERALL WORKSHOP OBJECTIVE

The objective of the workshop is to examine the strategic utility of cyberspace operations in the existing contemporary and future operational environment from the perspective of the warfighter.

WORKSHOP DESIGN

The workshop will bring together an international audience of military, national security community and intelligence community leaders as well as experts from academia. It will be conducted over the course of three days and will begin with a plenary session and a dinner and keynote speech to set the stage for the subsequent presentations and discussions.

Day two will include additional plenary presentations to establish a foundation of understanding followed by breakout groups which will address the key issues involved in order to satisfy workshop objectives. Day three will be devoted to briefing the recommendations, observations and insights gained from the breakout groups to the plenary group.

PROPOSED PLENARY SESSION AND BREAKOUT GROUP TOPICS

The plenary sessions will define and analyze the scope, nature and impact of cyberspace operations employed in conjunction with other actions by parties to the conflict during the Georgia-Russia conflict of 2008. Specifically, these sessions will seek to better understand the assumptions, intent, and the strategic frame (or lack thereof) employed by military actors in the conflict. The plenary also provides an opportunity to debate a key question: has the recognition of cyberspace operations as a capability within a new warfighting domain changed the nature of warfare…or is it more simply another capability to be integrated into an age-old system and process of planning and execution?

Breakout groups look to draw lessons from the case study for application to current and future conflict. Three groups will consider: operating in a constrained cyberspace domain; integrating cyberspace operations into the overarching campaign plan across the spectrum of conflict; and, achieving situational understanding to enable effective cyberspace operations.

WORKSHOP DELIVERABLES

A report reviewing the key issues, discussions, findings and recommendations of the workshop will published by the Center for Strategic Leadership and The SecDev Group.

CONTACT INFORMATION
For additional information regarding this event please contact Professor Dennis Murphy at 717-245-3937, or Mr. Jerry Johnson at 717-245-3392. Email: dennis.murphy@us.army.mil or jerry.dwayne.johnson@us.army.mil

The Joint Chiefs of Staff want the ability to destroy an enemy’s computer network “so badly that it cannot perform any function,” according to the handbook on what the Pentagon calls “Information Operations.” The U.S. military wants to keep foes “from accessing and using critical information, systems and services” and to spoof adversaries “by manipulating their perception of reality.” Just how such wizardry is to be accomplished is contained in a classified supplement. But hints can be gleaned in a trickle of contracts and budget documents, larded with geek-speak, that have begun seeping onto the public record. (See pictures of technological advances in the military.)

The Air Force wants the ability to burrow into any computer system anywhere in the world “completely undetected.” It wants to slip computer code into a potential foe’s computer and let it sit there for years, “maintaining a ‘low and slow’ gathering paradigm” to thwart detection. Clandestinely exploring such networks, the Dominant Cyber Offensive Engagement program’s goal is to “stealthily exfiltrate information” in hopes it might “discover information with previously unknown existence.” The U.S. cyberwarriors’ goal: “complete functional capabilities” of an enemy’s computer network — from U.S. military keyboards. The Army is developing “techniques that capture and identify data traversing enemy networks for the purpose of Information Operations or otherwise countering adversary communications.” And the Navy is developing “a non-lethal, non-attributable system designed to offer non-kinetic offensive information operation solutions,” according to Pentagon budget documents. (See how cyberwar was envisioned in 1995.)

Yet concepts that have regulated war forever, such as deterrence and attribution, are slippery or missing in cyberspace. National boundaries don’t exist, making moot the question of sovereignty. Asymmetries abound: defenders must defend everything, all the time, while an attacker can prevail by exploiting a single vulnerability. Tracking down the source of cybersabotage, routed like a skipping stone through a series of innocent servers, can be all but impossible. Are the attackers curious teenagers, criminal gangs, a foreign power — or, more likely, a criminal gang sponsored by a foreign power? Deterrence becomes meaningless when the identity of an attacker is unknown. (See an invasion of Chinese cyberspies.)

“We’re in the stage before warfare,” cyberwarfare expert James Lewis told a Washington audience on Jan. 27. “We’re in the stages of people poking around.” Lewis, with the Center for Strategic and International Studies (CSIS), said cyberdefenses are inadequate. “Unless we find a way to use offensive capabilities as part of a deterrence or strategic defense,” he said, “we will be unable to defeat these opponents.” CSIS also released last week a survey of cybersecurity experts from around the world who “rank the U.S. as the country ‘of greatest concern’ in the context of foreign cyberattacks, just ahead of China.”

It’s the instantaneous nature of cyberattacks that has rendered defenses against them obsolete. Once an enemy finds a chink in U.S. cyberarmor and opts to exploit it, it will be too late for the U.S. to play defense (it takes 300 milliseconds for a keystroke to travel halfway around the world). Far better to be on the prowl for cybertrouble and — with a few keystrokes or by activating secret codes long ago secreted in a prospective foe’s computer system — thwart any attack. Cyberdefense “never works” by itself, says the senior Pentagon officer. “There has to be an element of offense to have a credible defense.”

Such cyberbattles are already happening in miniature. In Afghanistan and Iraq, U.S. cyberwarriors are hard at work denying enemy commanders the ability to direct their forces, the senior Pentagon officer says. “I shut it down, take away your electricity, take away the radio, infect your phone,” he explains. “Now you don’t know where I’m coming from, or if you do, you can’t tell the rest of your force what’s going on.” More insidiously, the U.S. can doctor the information the foe gets. “I can alter the messages coming across,” he says.

But there is mounting concern that U.S. offensive capability in cyberspace is growing too fast and too secretly. “I have no doubt we’re doing some very profoundly sophisticated things on the attack side,” says William Owens, a retired Navy admiral and cyberwar expert who led a federal study on U.S. offensive cyberwarfare last year. “But that is little realized by many people in Congress or the Administration.” That study, by the National Research Council, concluded that “the U.S. armed forces are actively preparing to engage in cyberattacks, and may have done so in the past.” But it added that a lack of public debate has led to “ill-formed, undeveloped and highly uncertain” policies regarding its use, which could lead the U.S. to stumble inadvertently into a cyberwar.

* Find this article at:
* http://www.time.com/time/nation/article/0,8599,1957679,00.html

Future state-on-state conflict, as well as conflicts involving non-state actors such as al-Qaida, would increasingly be characterised by reliance on asymmetric warfare techniques, chiefly cyber-warfare, Chipman said. Hostile governments could hide behind rapidly advancing technology to launch attacks undetected. And unlike conventional and nuclear arms, there were no agreed international controls on the use of cyber weapons.

“Cyber-warfare [may be used] to disable a country’s infrastructure, meddle with the integrity of another country’s internal military data, try to confuse its financial transactions or to accomplish any number of other possibly crippling aims,” he said. Yet governments and national defence establishments at present have only limited ability to tell when they were under attack, by whom, and how they might respond.

Cyber-warfare typically involves the use of illegal exploitation methods on the internet, corruption or disruption of computer networks and software, hacking, computer forensics, and espionage. Reports of cyber-warfare attacks, government-sponsored or otherwise, are rising. Last month Google launched an investigation into cyber attacks allegedly originating in China that it said had targeted the email accounts of human rights activists.

In December the South Korean government reported an attack in which it said North Korean hackers may have stolen secret defence plans outlining the South Korean and US strategy in the event of war on the Korean peninsula. Last July, espionage protection agents in Germany said the country faced “extremely sophisticated” Chinese and Russian internet spying operations targeting industrial secrets and critical infrastructure such as Germany’s power grid.

One of the most notorious cyber-warfare offensives to date took place in Estonia in 2007 when more than 1 million computers were used to jam government, business and media websites. The attacks, widely believed to have originated in Russia, coincided with a period of heightened bilateral political tension. They inflicted damage estimated in the tens of millions of euros of damage.

China last week accused the Obama administration of waging “online warfare” against Iran by recruiting a “hacker brigade” and manipulating social media such as Twitter and YouTube to stir up anti-government agitation.

The US Defence Department’s Quadrennial Defence Review, published this week, also highlighted the rising threat posed by cyber-warfare on space-based surveillance and communications systems.”On any given day, there are as many as 7 million DoD (Department of Defence) computers and telecommunications tools in use in 88 countries using thousands of war-fighting and support applications. The number of potential vulnerabilities, therefore, is staggering.” the review said.

“Moreover, the speed of cyber attacks and the anonymity of cyberspace greatly favour the offence. This advantage is growing as hacker tools become cheaper and easier to employ by adversaries whose skills are growing in sophistication.”

Defensive measures have already begun. Last June the Pentagon created US Cyber Command and Britain announced it was opening a cyber-security operations centre attached to GCHQ at Cheltenham, in coordination with MI5 and MI6.

William Lynn, US deputy defence secretary, described the cyber challenge as unprecedented. “Once the province of nations, the ability to destroy via cyber now also rests in the hands of small groups and individuals: from terrorist groups to organised crime, hackers to industrial spies to foreign intelligence services … This is not some future threat. The cyber threat is here today, it is here now,” Lynn said.

• The IISS 2010 Military Balance, published yesterday, said the insurgency in Afghanistan is complex and Pakistan’s full cooperation remains elusive.

• Al-Qaida retains the capability to launch regular attacks in Baghdad.

• The report said technical difficulties frustrate Iran’s nuclear ambitions but all the same Iran’s stockpile of enriched uranium continues to grow.

• The IISS looked forward to increased defence co-operation between France and Britain,saying both countries needed to “spend smarter” because they cannot afford to “spend more”.

After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.

These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.

So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.

“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”

But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.

There is, in fact, an intense debate inside and outside the government about what the United States can credibly threaten. One alternative could be a diplomatic démarche, or formal protest, like the one the State Department said was forthcoming, but was still not delivered, in the Google case. Economic retaliation and criminal prosecution are also possibilities.

Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the United States would justify a pre-emptive American cyberattack — something the president would have to authorize. In an extreme case, like evidence that an adversary was about to launch an attack intended to shut down power stations across America, some officials argue that the right response might be a military strike.

“We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb,” said Joseph Nye, a professor at the Kennedy School at Harvard. “It won’t have the same shape as nuclear deterrence, but what you heard Secretary Clinton doing was beginning to explain that we can create some high costs for attackers.”

Fighting Shadows

When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan. 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack — a battle unlike any they had engaged in.

Participants in the war game emerged with a worrisome realization. Because the Internet has blurred the line between military and civilian targets, an adversary can cripple a country — say, freeze its credit markets — without ever taking aim at a government installation or a military network, meaning that the Defense Department’s advanced capabilities may not be brought to bear short of a presidential order.

“The fact of the matter,” said one senior intelligence official, “is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.”

William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America’s concepts for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre-World War II France.

Mr. Lynn, one of the Pentagon’s top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America’s banks, businesses and military installations provide a similarly illusory sense of security.

“A fortress mentality will not work in cyber,” he said. “We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us.”

The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate.

“We are looking beyond just the pure military might as the solution to every deterrence problem,” said Gen. Kevin P. Chilton, in charge of the military’s Strategic Command, which defends military computer networks. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.”

But first you would have to figure out who was behind the attack.

Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a “Trojan horse” — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. China’s denials, American officials say, are one reason that President Obama has said nothing in public about the attacks — a notable silence, given that he has made cybersecurity a central part of national security strategy.

“You have to be quite careful about attributions and accusations,” said a senior administration official deeply involved in dealing with the Chinese incident with Google. The official was authorized by the Obama administration to talk about its strategy, with the condition that he would not be named.

“It’s the nature of these attacks that the forensics are difficult,” the official added. “The perpetrator can mask their involvement, or disguise it as another country’s.” Those are known as “false flag” attacks, and American officials worry about being fooled by a dissident group, or a criminal gang, into retaliating against the wrong country.

Nonetheless, the White House said in a statement that “deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start,” citing work in the past year to protect networks and “international engagement to influence the behavior of potential adversaries.”

Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Mr. Obama’s thinking on the issue, said: “Like most operational things like this, the less said, the better.” But he added, “there are authorities to deal with these attacks residing in many places, and ultimately, of course, with the president.”

Others are less convinced. “The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,” said James A. Lewis, director of the Center for Strategic and International Studies program on technology and public policy.

In its final years, the Bush administration started a highly classified effort, led by Melissa Hathaway, to build the foundations of a national cyberdeterrence strategy. “We didn’t even come close,” she said in a recent interview. Her hope had been to recreate Project Solarium, which President Dwight D. Eisenhower began in the sunroom of the White House in 1953, to come up with new ways of thinking about the nuclear threats then facing the country. “There was a lot of good work done, but it lacked the rigor of the original Solarium Project. They didn’t produce what you need to do decision making.”

Ms. Hathaway was asked to stay on to run Mr. Obama’s early review. Yet when the unclassified version of its report was published in the spring, there was little mention of deterrence. She left the administration when she was not chosen as the White House cybersecurity coordinator. After a delay of seven months, that post is now filled: Howard A. Schmidt, a veteran computer specialist, reported for work last week, just as the government was sorting through the lessons of the Google attack and calculating its chances of halting a more serious one in the future.

Government-Corporate Divide

In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cellphone networks, neutralizing its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.

So part of the problem is to calibrate a response to the severity of the attack.

The government has responded to the escalating cyberattacks by ordering up new strategies and a new United States Cyber Command. The office of Defense Secretary Robert M. Gates — whose unclassified e-mail system was hacked in 2007 — is developing a “framework document” that would describe the threat and potential responses, and perhaps the beginnings of a deterrence strategy to parallel the one used in the nuclear world.

The new Cyber Command, if approved by Congress, would be run by Lt. Gen. Keith B. Alexander, head of the National Security Agency. Since the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be in charge of both finding and, if so ordered, neutralizing cyberattacks in the making.

But many in the military, led by General Chilton of the Strategic Command and Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the United States to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation.

Mrs. Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harbored groups that conduct cyberattacks could be ostracized. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.

That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.

An Obama administration official who has been dealing with the Chinese mused recently, “You could argue that Google came up with a potential deterrent for the Chinese before we did.”

Resolving questions about the command’s mission are central not only to the effort to defend military networks, which come under assault millions of times a day, but to establishing the Pentagon’s cyber strategy as the United States enters an era in which any major conflict will almost certainly involve an element of cyberwarfare.

“I don’t think there’s any dispute about the need for Cyber Command,” said Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations. “We need to do better defending DOD networks and more clearly think through what we’re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.”

Officials said the initial operating plan for a cyber command is straightforward: to merge the Pentagon’s defensive unit, Joint Task Force-Global Network Operations, with its offensive outfit, the Joint Functional Command Component-Network Warfare, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA’s technical capabilities but fall under the Pentagon’s Strategic Command.

The plan also calls for beefing up “intelligence sensing,” or the blocking of malicious software and codes entering military networks, officials said.
What level of defense?

But the plan becomes more complicated as policymakers assess how aggressive to be in their defense of military networks.

Data move at the speed of light along channels owned by commercial carriers, entering government networks at “gateways,” or at the perimeter. Technology exists to detect malware at the gateways and in the commercial networks, but the ability to use that technology has given rise to policy questions.

One senior defense official said officials are trying to figure out, for instance, to what extent it is legal and desirable to remove malware outside the gateways as it heads to military networks.

“What can you do at the perimeter?” he said. “What can you do outside the perimeter? We haven’t had resolution on that.”

Privacy advocates are sensitive to government monitoring of communications networks at or just outside the gateways, particularly if the effort involves private Internet carriers, out of concern that purely private, non-government communications could be monitored. But defense officials said they are not contemplating the involvement of private firms.

The Pentagon is working with the Justice Department, the Department of Homeland Security, the White House and other agencies to ensure its efforts are legal and synchronized within a national cyber-policy framework, officials said. Congressional buy-in is important, they said. So far congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month.

Officials said members of the Senate Armed Services Committee will hold the confirmation hearing for a new director once staff are satisfied they understand the command’s purpose and operating plan.

“Our goal here is to better protect our forces,” said Deputy Assistant Secretary of Defense Robert J. Butler. “If someone can intrude inside the network, it could impair our ability to communicate and operate.”

President Obama has nominated the director of the NSA, Lt. Gen. Keith B. Alexander, to head the command. Alexander, who would become a four-star general, must be confirmed in that position before the command can launch at “initial operating capability.” It is scheduled to become fully operational by Oct. 1.

Sen. Bill Nelson (D-Fla.), chairman of the Armed Services emerging threats subcommittee, said that though there are “some policy questions” to be answered, he was confident Alexander would be confirmed.

Nonetheless, the NSA’s involvement, given the past controversy, has raised questions of oversight.

“How do we make sure that if the National Security Agency is involved, that we don’t have a problem with people seeing other people’s information?” the defense official said, describing one congressional concern. “We’ve made it very clear. No information will be shared other than to support what we need to defend the networks — the defense military information networks. The rest of that information, NSA is bound by legal rules” to protect Americans’ privacy.
Defining ‘defense’

NSA Deputy Director Chris Inglis said in a recent interview that “90 percent” of the command’s focus will be on defensive measures because “that’s where we are way behind.”

“If we led with attack, people would say, ‘That’s just nuts. That’s completely irrational,’ ” he said. “You’ve got to be about the defense.”

Other intelligence experts, however, said that the term “defense” is malleable. They argue that the government is spending a significant amount of money on classified cyber programs to develop offensive capabilities.

Beyond a cyber command, the Pentagon is grappling with a dizzying array of policy and doctrinal questions involving cyber warfare.

Who should authorize a cyber attack on an adversary that might be capable of undermining the United States’ financial system or energy infrastructure? What degree of certainty is needed about an alleged attacker before authorizing a response? When does an effort to defend a U.S. military network cross the line into an offensive action?

Many of these questions will be answered down the road, after the command is launched, and perhaps some won’t be answered for years, defense officials said.

Still, such issues are important ones, said one official familiar with the Pentagon’s plans, who was not authorized to speak for the record. “The rules can vary dramatically depending upon under what authority you’re doing something,” he said. “An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries.”

Despite the need for a holistic approach to cybersecurity, Ramsay acknowledged that determining how to do it poses many challenges. She related that while discussing cyber defense with her counterparts in New Zealand, she described the change in tactics as the difference between playing football and playing soccer. While the former involves offensive and defensive teams taking the field separately, the latter calls on offensive players to go on the defense as soon as possession of the ball changes sides. The New Zealanders agreed that a change has taken place but said that cyber defense today more resembles rugby.

Ramsay called on government, industry and individuals to be more proactive in their part of cybersecurity. To this end, the NSA now uses the term “Team Cyber” every day to describe how it is enacting cyber defenses. Members of the team include the government, industry and academia to such an extent that the NSA has actually brought antivirus vendors into the same room with government network defenders to observe networks under attack. The vendors were then given the information and signatures they would need to improve the next version of their products.

Everyone responsible for cybersecurity must be able to communicate at cyber speed, Ramsay emphasized. “If we don’t reach that status today, we’ll only be able to do damage assessment,” she stated.

Ramsay shared a number of ways industry can help in the fight against cyberterrorism. Among them are creating visualization tools that can handle huge amounts of data, analysis products that can predict an adversary’s next move and collaborative tools that provide secure ways to share information. She also called for better cross-domain solutions, highly searchable data storage capabilities, standards and increased training.