Should the nation ever come under a major cyber attack, the Defense Department will know how to respond.
Pentagon leaders will have a clear understanding of their specific roles and responsibilities based on an updated version of the rules of engagement in cyberspace.
Senior officials told members of the House Armed Services Committee Tuesday the new policy is key to defending against what is becoming the preferred type of cyber attack by nation states, extremist organizations, organized crime and others. “We are concerned about this shifting from exploitation and disruption attacks to destructive attacks,” said Gen. Keith Alexander, commander of the U.S. Cyber Command and director of the National Security Agency. “What concerns us is destructive attacks, those that can destroy equipment, are on the horizon and we have to be prepared for them.”
There are several well known examples of destructive attacks, including the Stuxnet virus, which affects control systems of power plants in Iran, and the Aurora experiment in 2007, which showed how an attacker could take control of an electrical turbine and spin it until it broke.
Non-destructive attacks for now
The government mostly is seeing non-destructive attacks, including denial of service or spear phishing to try to steal information.
“Largely, what we see is exploitation and the theft of intellectual property,” Alexander said. “That is what is going on in the bulk of the cyber events that we see in the United States. In May 2007, we witnessed a distributed denial of service attack, think of that as a disruptive attack against Estonia by unknown folks in Russian area and around the world.”
“The issue will be what set of authorities we will be given and what are the conditions under which we will conduct those authorities still have to be determined and ironed out within the administration,” Alexander said of the document. “I do think it’s at the top of the list of the cyber things we are working on right now. I know USD Policy is one of the key actions that is going on. I know we talk about it on a daily basis, pushing some of this forward. I’m confident over the next month or two some of that will actually go through.”
Madelyn Creedon, the assistant secretary for global strategic affairs for DoD, said the development of the rules of engagement has been a collaborative process between the joint staff, cyber command and the undersecretary of policy’s office. “We are working closely with the joint staff on the implementation of a transitional command and control model for cyberspace operations,” she said. “This interim framework will standardize existing organizational structures and command relationships across the department for the application of the full spectrum of cyberspace capabilities.”
Congress gave DoD the authority to conduct clandestine cyberspace activities in support of military operations in the 2012 DoD Authorization bill.
“The conferees recognize that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in relation to cyber operations and that it is necessary to affirm that such operations may be conducted pursuant to the same policy, principles and legal regimes that pertain to kinetic capabilities,” lawmakers wrote in the conference report. “The conferees also recognize that in certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged. The conferees stress that, as with any use of force, the War Powers Resolution may apply.”
Lawmakers call for broader powers
While DoD is finalizing the rules of engagement, Alexander and some members of the committee want DoD to have even broader powers.
Alexander said DoD should be in charge if the U.S. were attacked by a nation state or extremist organization. But, he also was quick to give the Homeland Security Department and the FBI back their lead roles when it came to other types of cyber threats, such as organized crime or homegrown extremists.
“In extremis, DoD would be the natural ones to defend the country. I believe within the administration there is general agreement that is correct. The issue is now what are those circumstances and how do we do it? DoD is the only one with the defensive capabilities and some of the offensive capabilities the nation would need to defend itself. I think both of those coupled with the ability of the DoD networks to see globally with the intelligence community are key to defending the nation.”
Reps. Rob Andrews (D-N.J.) and Mike Conaway (R-Texas) said they think DoD should have expanded powers.
“I think if we are worried about a threat coming from outside the United States to attack critical infrastructure, that could cripple our economy or telecommunications system or power grid, the DoD ought to be the focal point of the effort because our technology is more advanced and the agency is geared that way,” Andrews said. “Our focus ought to be hardening our systems to prevent an attack and then talk about responding to one when it occurs.”
Conway added if DoD is developing rules of engagement for the military, but DHS, which has responsibilities, is creating one for the civilian agencies, there is a disconnect.
“Is that the best way to defend the country is to have that bifurcation?” Conway said. “How do we make this work giving two different cabinet agencies?”
Creedon said DoD supports DHS in a whole-government approach to provide whatever assistance is necessary to respond.
Alexander said when an exploitation occurs, DHS pulls an interagency team together to discuss what happened and figure out roles. He said the problem is deciding when it’s a real attack from a nation state or just hackers.
“I’m pushing for rules that are fast enough to allow us to prevent and protect,” Alexander said.