Pentagon Prepares for Military Response to ‘Hacking’ Attacks

June 3rd, 2011 - by admin

Siobhan Gorman and Julian E. Barnes & David E. Sanger and Elisabeth Bumiller / The New York Times – 2011-06-03 00:57:51

http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html

US Steps Up Cyber Propaganda War
Pentagon’s new software to spread positive messages raises legal and moral concerns

Cath Turner / Al Jazeera

NEW YORK (June 2, 2011) — The US military is developing software that would allow its personnel to use multiple fake online identities called “sock puppets” in chatrooms and other online forums. The idea is to use social media to spread positive messages about the United States. While the Pentagon says it is a bid to counter violent extremist and enemy ideologies, critics call it propaganda. But the strategy is causing some legal and moral concerns.


Cyber Combat: An Act of War
Pentagon Sets Stage for US to Respond to Computer Sabotage With Military Force

Siobhan Gorman and Julian E. Barnes

WASHINGTON (May 31, 2011) — The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the US to respond using traditional military force.

The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to US nuclear reactors, subways or pipelines as a hostile country’s military.

In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the US in this way. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.

Recent attacks on the Pentagon’s own systems — as well as the sabotaging of Iran’s nuclear program via the Stuxnet computer worm — have given new urgency to US efforts to develop a more formalized approach to cyber attacks.

A key moment occurred in 2008, when at least one US military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.

The report will also spark a debate over a range of sensitive issues the Pentagon left unaddressed, including whether the US can ever be certain about an attack’s origin, and how to define when computer sabotage is serious enough to constitute an act of war. These questions have already been a topic of dispute within the military.

One idea gaining momentum at the Pentagon is the notion of “equivalence.” If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation.

The Pentagon’s document runs about 30 pages in its classified version and 12 pages in the unclassified one. It concludes that the Laws of Armed Conflict — derived from various treaties and customs that, over the years, have come to guide the conduct of war and proportionality of response — apply in cyberspace as in traditional warfare, according to three defense officials who have read the document.

The document goes on to describe the Defense Department’s dependence on information technology and why it must forge partnerships with other nations and private industry to protect infrastructure.

The strategy will also state the importance of synchronizing US cyber-war doctrine with that of its allies, and will set out principles for new security policies. The North Atlantic Treaty Organization took an initial step last year when it decided that, in the event of a cyber attack on an ally, it would convene a group to “consult together” on the attacks, but they wouldn’t be required to help each other respond. The group hasn’t yet met to confer on a cyber incident.

Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say.

The move to formalize the Pentagon’s thinking was born of the military’s realization that the US has been slow to build up defenses against these kinds of attacks, even as civilian and military infrastructure has grown more dependent on the Internet. The military established a new command last year, headed by the director of the National Security Agency, to consolidate military network security and attack efforts.

The Pentagon itself was rattled by the 2008 attack, a breach significant enough that the Chairman of the Joint Chiefs briefed then-President George W. Bush. At the time, Pentagon officials said they believed the attack originated in Russia, although they didn’t say whether they believed the attacks were connected to the government. Russia has denied involvement.

The Rules of Armed Conflict that guide traditional wars are derived from a series of international treaties, such as the Geneva Conventions, as well as practices that the US and other nations consider customary international law. But cyber warfare isn’t covered by existing treaties. So military officials say they want to seek a consensus among allies about how to proceed.

“Act of war” is a political phrase, not a legal term, said Charles Dunlap, a retired Air Force Major General and professor at Duke University law school. Gen. Dunlap argues cyber attacks that have a violent effect are the legal equivalent of armed attacks, or what the military calls a “use of force.”

“A cyber attack is governed by basically the same rules as any other kind of attack if the effects of it are essentially the same,” Gen. Dunlap said Monday. The US would need to show that the cyber weapon used had an effect that was the equivalent of a conventional attack.

James Lewis, a computer-security specialist at the Center for Strategic and International Studies who has advised the Obama administration, said Pentagon officials are currently figuring out what kind of cyber attack would constitute a use of force. Many military planners believe the trigger for retaliation should be the amount of damage — actual or attempted — caused by the attack.

For instance, if computer sabotage shut down as much commerce as would a naval blockade, it could be considered an act of war that justifies retaliation, Mr. Lewis said. Gauges would include “death, damage, destruction or a high level of disruption,” he said.

Culpability, military planners argue in internal Pentagon debates, depends on the degree to which the attack, or the weapons themselves, can be linked to a foreign government. That’s a tricky prospect at the best of times.

The brief 2008 war between Russia and Georgia included a cyber attack that disrupted the websites of Georgian government agencies and financial institutions. The damage wasn’t permanent but did disrupt communication early in the war.

A subsequent NATO study said it was too hard to apply the laws of armed conflict to that cyber attack because both the perpetrator and impact were unclear. At the time, Georgia blamed its neighbor, Russia, which denied any involvement.

Much also remains unknown about one of the best-known cyber weapons, the Stuxnet computer virus that sabotaged some of Iran’s nuclear centrifuges. While some experts suspect it was an Israeli attack, because of coding characteristics, possibly with American assistance, that hasn’t been proven. Iran was the location of only 60% of the infections, according to a study by the computer security firm Symantec. Other locations included Indonesia, India, Pakistan and the US.

Officials from Israel and the US have declined to comment on the allegations.

Defense officials refuse to discuss potential cyber adversaries, although military and intelligence officials say they have identified previous attacks originating in Russia and China. A 2009 government-sponsored report from the US-China Economic and Security Review Commission said that China’s People’s Liberation Army has its own computer warriors, the equivalent of the American National Security Agency.

That’s why military planners believe the best way to deter major attacks is to hold countries that build cyber weapons responsible for their use. A parallel, outside experts say, is the George W. Bush administration’s policy of holding foreign governments accountable for harboring terrorist organizations, a policy that led to the US military campaign to oust the Taliban from power in Afghanistan.

Copyright 2011 Dow Jones & Company, Inc. All Rights Reserved


Pentagon to Consider Cyberattacks Acts of War
David E. Sanger and Elisabeth Bumiller / The New York Times

WASHINGTON (May 31, 2011) — The Pentagon, trying to create a formal strategy to deter cyberattacks on the United States, plans to issue a new strategy soon declaring that a computer attack from a foreign nation can be considered an act of war that may result in a military response.

Several administration officials, in comments over the past two years, have suggested publicly that any American president could consider a variety of responses — economic sanctions, retaliatory cyberattacks or a military strike — if critical American computer systems were ever attacked.

The new military strategy, which emerged from several years of debate modeled on the 1950s effort in Washington to come up with a plan for deterring nuclear attacks, makes explicit that a cyberattack could be considered equivalent to a more traditional act of war.

The Pentagon is declaring that any computer attack that threatens widespread civilian casualties — for example, by cutting off power supplies or bringing down hospitals and emergency-responder networks — could be treated as an act of aggression.

In response to questions about the policy, first reported Tuesday in The Wall Street Journal, administration and military officials acknowledged that the new strategy was so deliberately ambiguous that it was not clear how much deterrent effect it might have. One administration official described it as “an element of a strategy,” and added, “It will only work if we have many more credible elements.”

The policy also says nothing about how the United States might respond to a cyberattack from a terrorist group or other nonstate actor. Nor does it establish a threshold for what level of cyberattack merits a military response, according to a military official.

In May 2009, four months after President Obama took office, the head of the United States Strategic Command, Gen. Kevin P. Chilton, told reporters that in the event of a cyberattack “the law of armed conflict will apply,” and warned that “I don’t think you take anything off the table” in considering a response. “Why would we constrain ourselves?” he asked, according to an article about his comments that appeared in Stars and Stripes.

During the cold war, deterrence worked because there was little doubt the Pentagon could quickly determine where an attack was coming from — and could counterattack a specific missile site or city. In the case of a cyberattack, the origin of the attack is almost always unclear, as it was in 2010 when a sophisticated attack was made on Google and its computer servers. Eventually Google concluded that the attack came from China. But American officials never publicly identified the country where it originated, much less whether it was state sanctioned or the action of a group of hackers.

“One of the questions we have to ask is, How do we know we’re at war?” one former Pentagon official said. “How do we know when it’s a hacker and when it’s the People’s Liberation Army?”

A participant in the debate over the administration’s broader cyberstrategy added, “Almost everything we learned about deterrence during the nuclear standoffs with the Soviets in the ’60s, ’70s and ’80s doesn’t apply.”

White House officials, responding to the article that appeared in The Journal, argued that any consideration of using the military to respond to a cyberattack would constitute a “last resort,” after other efforts to deter an attack failed.

They pointed to a new international cyberstrategy, released by the White House two weeks ago, that called for international cooperation on halting potential attacks, improving computer security and, if necessary, neutralizing cyberattacks in the making. General Chilton and the vice chairman of the Joint Chiefs of Staff, Gen. James E. Cartwright, have long urged that the United States think broadly about other forms of deterrence, including threatening a country’s economic well-being, or its reputation.

The Pentagon strategy is coming out at a moment when billions of dollars are up for grabs among federal agencies working on cyber-related issues, including the National Security Agency, the Central Intelligence Agency and the Department of Homeland Security. Each has been told by the White House to come up with approaches that fit the international cyberstrategy that the White House published in May.

Posted in accordance with Title 17, Section 107, US Code, for noncommercial, educational purposes.