Title: Understanding Cyberattack as an Instrument of U.S./National Policy
- Herb Lin
- Computer Science and Telecommunications Board
- National Academies
- 25 October 2010
- Project supported by the MacArthur Foundation, Microsoft, and the National Research Council

Committee and report
- Military
  - WILLIAM A. OWENS, co-chair (USN Retired, fmr VCJCS)
  - CARL G. OBERRY, The Boeing Company (USAF Ret)
  - WILLIAM O. STUDEMAN, USN Retired (fmr NSA Director)
- Foreign Relations and Diplomacy
  - KENNETH W. DAM, co-chair, University of Chicago
  - SARAH SEWALL, Harvard University
- Information technology
  - THOMAS A. BERSON, Anagram Laboratories
  - DAVID D. CLARK, MIT
  - RICHARD L. GARWIN, IBM Fellow Emeritus (technology)
  - JEROME H. SALTZER, MIT (retired)
  - MARK SEIDEN, MSB Associates
- International and National Security Law
  - JACK L. GOLDSMITH, Harvard Law School
  - GERHARD CASPER, Stanford University

On classification
- Study is entirely unclassified.
- To our knowledge, the first comprehensive integrated treatment of cyberattack from a policy perspective to examine technical, legal, and ethical issues.
- Useful for policy makers to know what is knowable on an unclassified basis.

The broad context
- Nations are increasingly dependent on information technology, and thus important IT functionality must be protected.
- Cybersecurity: measures taken to protect or preserve a computer system or network and the information it holds.
- Defensive cybersecurity (reports, legislation, op-eds)
  - Passive defenses
    - Anti-virus and intrusion detection software
    - Better password security
    - Greater attack resistance in software
  - More robust law enforcement mechanisms
    - e.g., Convention on Cybercrime
- Offensive cybersecurity (a generally classified subject)
  - Offensive operations can be used for defensive purposes.
- Cyber conflict and cyber security have both defensive and offensive dimensions, and comprehensive approaches require understanding both.

Basic taxonomy for offensive cyber operations
- Cyberattack: action to destroy, degrade, or disrupt adversary IT or the information therein
- Cyberexploitation: action to (very quietly) obtain information from adversary IT
- Technical operations
  - remote (e.g., DOS, virus, worm)
  - close-access (e.g., USB key, software swap during shipment, compromised chip in manufacturing supply chain)
- Social engineering operations
  - Tricking, bribing, blackmailing, or extorting someone to take action
- Technical and social operations are often combined
- Cyberattack and cyberexploitation are technically very similar and hard for an adversary to distinguish. (Also hard for news media to distinguish.)

Key characteristics
- Offensive operations can be conducted with plausible deniability
  - But remember that adversaries make mistakes too, and all-source intelligence helps
- Offensive technology is relatively inexpensive, widely available, and easy to obtain.
  - Many nonstate actors (companies, patriotic hackers, terrorists) can have influence and may be able to cause some of the same kinds of effects as state actors.
  - A resource-poor attacker may have significant leverage, by
    - using automation to reduce personnel needed and increase tempo.
    - stealing computing and financial resources
- The indirect effects of cyberattacks are almost always more consequential than the direct effects of the attack, so cyberattacks must be judged by their total effect, and indirect does not mean not primary
- Effects can span an enormous range: cyberattack is a methodology, not a specific weapon per se.
- A cyberattack is NOT of lesser consequence because it targets only a computer.
- Effects may be significantly delayed in time from the moment of insertion.

Operational considerations and realities
- Cyber operations can be selective or non-selective in targeting.
  - Selectivity implies long lead time, complex intelligence requirements, specialized skills, higher cost
- Cyber operations (especially attacks) can be very complex to plan and execute.
  - Larger range of options than most traditional military operations
  - Analysis of (many) outcome paths may require specialized knowledge (Stuxnet).
- Time and spatial scales can span many orders of magnitude
- A cyberattack may be
  - Usable only once or a few times
  - Limited temporally in effect and/or limited in scope (if highly targeted)
  - Technically fast but operationally slow, hence most suitable in non-time-urgent operational scenarios (e.g., early use): speed of light vs. speed of law/thought/analysis

Operational (continued)
- Target identification
  - Translating IP address, processor serial number, configuration, keyboard language into target identification
  - Often a manual process
- Plan operation
  - Gain access in advance (prepare the battlefield), determine vulnerability
  - Specify payload (identify effects sought)
  - Limit collateral damage (must know what is connected; cascading effects hard to predict)
- Execute operation
  - May take place some time distant from obtaining access/vulnerability; defenses/configuration may have changed
- Perform assessment (distinguish between real success and faked success)
  - If exploitation, misinformation may be returned
  - If attack, target may only appear to shut down
- Many answers depend on detailed intelligence information on targets, and thus the success of a cyber operation is highly contingent.

Possible connections of offensive cyber operations for defensive purposes
- Before adversary attack
  - Early warning of attack means living inside adversary network
  - May need to pre-empt offensive cyber action about to be undertaken by adversary
- During adversary attack
  - May need to disrupt a cyberattack in progress by disabling attacking computers
- After adversary attack
  - Need for conducting forensic investigation that may require multiple intrusions into proximate and intermediate nodes.
  - Retaliation a possibility to discourage further attacks.
- And what of non-defensive purposes?

Illustrative non-defensive applications of offensive cyber operations
- Traditional military operations
  - Suppression of adversary air defenses.
  - Disruption of adversary plans for military deployment.
  - Disruption of adversary critical infrastructure (e.g., power grids)
- Covert action
  - Influencing the outcome of a foreign election using electronic voting machines.
  - Altering electronic medical records of adversary military leaders.
  - Disruption of adversary infrastructure for censorship.
- Cyberexploitation
  - Exploration of adversary command and control networks to determine command arrangements, orders of battle
  - Probes of adversary military networks in preparation for later attack.
  - Exfiltration of negotiating positions, political plans, commercial information.

U.S. policy today
- National security
- Law enforcement
- Private sector

(parts of) DOD policy
- DOD seeks superiority in the cyber domain: the state in which U.S. and friendly forces have complete freedom of action in the domain and adversary forces have no freedom of action.
  - Revised in recent testimony by Keith Alexander, who questioned US ability for the latter
  - NRC report concludes that enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States.
- DOD implied declaratory policy on cyberattack
  - Cyberattack is just like any other weapon in the DOD arsenal except for operational considerations.
  - Cyberattack is better suited for early use, when there is time to collect intelligence
- DOD has publicly announced policy re cyberattack in the case of active defense
- USAF seeking capabilities for automated cyberattacks conducted for defensive purposes.

Intelligence on cyberexploitation and covert action
- Intelligence collection (including cyberexploitation) undertaken to further the interests of the United States outside CONUS is unlimited except if US persons are involved. Not a violation of international law.
  - Intelligence collection on behalf of specific US companies not undertaken as a matter of US policy (not true for some other nations, e.g., France)
- Covert action regulated by US statute: activities of the U.S. government to influence political, economic, or military conditions abroad, where it is intended that the role of the U.S. government will not be apparent or acknowledged publicly. Must be authorized by findings of the President, and reported to appropriate individuals in the U.S. Congress.
  - Note alignment of plausible deniability requirement and technical characteristics of cyberattack.
  - One reported example: US against USSR in 1982.

One public story regarding alleged US cyberattack on the Soviet Union
- Soviet Union actively sought to obtain Western technology (including pipeline control software). US discovered the list of sought-after technologies.
- In 1982, the U.S. spiked software that was subsequently obtained by the Soviet Union. The software was programmed to go haywire, and after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds.
- The result: a large explosion in a Siberian natural gas pipeline (visible from space, looked like a 3 kiloton nuclear blast)
- Beyond the immediate effect, the Soviets came to understand over time that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.
- Source: Thomas Reed, At the Abyss: An Insider's History of the Cold War, Ballantine Books, New York, NY, 2004

Law enforcement and private sector action
- Law enforcement
  - Cyberexploitation governed under various statutes re wiretapping, access to stored information, etc.
  - Cyberattack limited, but not forbidden (e.g., jamming of cell phones to protect President)
  - Law enforcement authorities exempt from Computer Fraud and Abuse Act (CFAA).
- Private sector
  - Governed by CFAA, which prohibits private action
  - Self-defense justification never attempted

On cyberdeterrence

The why and how of deterrence
- How can we persuade adversaries to refrain from launching damaging cyberattacks?
- Deterrence seems like the obvious, inevitable choice in an offense-dominant world.
  - Passive defense is inadequate and eventually will fail
  - Law enforcement actions are too slow and uncertain in outcome.
- Deterrence of nuclear threats in the Cold War establishes the paradigm, largely successful. Based on a credible threat to
  - (1) Deny the attacker the benefits of an attack
  - (2) Punish the attacker by imposing unacceptable costs

Deterrence (in classical form)
- Denial (1) is too hard, hence punishment (2) is a more appealing strategy.
- Threat of punishment requires
  - Attribution of attack to adversary
    - what system, which actor?
    - Cyberattack does not require skills that are limited to a small set of adversaries
  - Knowing that an attack has happened
    - Noisy background
    - Ambiguous effect (exploitation? Delayed effect?)
    - Difficulty of correlating information across multiple affected sites
    - Slow forensics
  - Credibility
    - Nations conduct many highly visible military training exercises in part to demonstrate capabilities to potential adversaries. How should nations demonstrate (secret) cyber capabilities?
- Bottom line on cyberdeterrence: uncertainty about how traditional concepts of deterrence (i.e., 2) apply to cyberspace. Thus, denial has greater appeal (cf. recent Lynn Foreign Affairs article)

On escalation and termination
- Deterring escalation is just as important (perhaps more so) as deterring onset of conflict.
- Unintended escalation particularly dangerous when
  - operational actions are less visible to senior decision makers
  - outcomes of actions are more uncertain (e.g., cascading effects)
- How can cyberconflict be terminated?
  - Noisy background of criminal and hacker (and perhaps 3rd nation) cyberattacks
  - Requirements for termination: how to de-mine?
  - How to suppress patriotic hackers?

International law and offensive cyber operations

Jus ad Bellum (conditions for engaging in conflict)
- UN Charter prohibits the threat or use of force against the territorial integrity or political independence of any state (Art. 2(4))
  - Force not defined. By practice, it
    - includes conventional weapon attacks that damage persons or property
    - excludes economic or political acts (e.g., sanctions) that damage persons or property
- UN Charter Art. 51: "Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations..."
  - Armed attack not defined, even for kinetic force.

When is a cyberattack a use of force or an armed attack?
- Easier
  - Exploitation w/o damage or degradation (no)
  - Cyberattack that causes physical damage akin to kinetic attack (yes)
  - Use of cyberattack during acknowledged armed conflict (not covered by Art. 2(4) but subject to LOAC / jus in bello)
- Harder
  - Economic damage without physical damage
  - Temporary, reversible interference with computer system
  - Mere data destruction or degradation
  - Introduction of Trojan horse software agents
    - Payload with exploitation and attack capabilities? (cf. human spy skilled in sabotage?)
    - Payload to accept a future upgrade with unknown capabilities?
    - Destructive payload with delayed action capability? (cf. pre-planted remotely detonatable mine)
    - Empty payload: a shell that can be remotely upgraded in the future
- Cyberattack that has effects comparable to a kinetic armed attack is also an armed attack, but few good analogies to past kinetic precedents.

When is a cyberattack a use of force or an armed attack? (continued)
- Answers matter to the attacked party, because they influence when and under what authority law enforcement (vis-a-vis the military) takes the lead in responding, and what rights the victim might have in responding.
- Answers matter to the attacking party, because they set a threshold that policy makers may not wish to cross in taking assertive/aggressive actions to further their interests.

Some hard scenarios under the UN Charter
- Economic damage without physical damage
  - Raiding a national treasury?
- Political interference without physical damage
  - Hacking electronic voting machines?
- Temporary, reversible interference with military/critical infrastructure systems
  - DOS attack?
- Mere data destruction or degradation
  - Corruption of database responsible for military logistics scheduling?
- Violations of neutrality in cyberspace?
  - Use of a third nation's routers to carry a cyberattack?
- Ambiguities between legal exploitation and illegal attack?
  - Introduction of agent for exploitation with remotely upgradeable capabilities?
- Attacks on dual-use infrastructure?
  - Requirements for separation of military and civilian infrastructure?
- Inherently clandestine and deception-based attacks? (perhaps analogous to submarine warfare in 1914?)
- National responsibility for non-state actors?
- Time delay between insertion and use for attack?

Jus in Bello (behavior during conflict)
- Principle of Non-Perfidy
  - Cannot pretend to be a legally protected entity
- Principle of Proportionality
  - Collateral damage on civilian targets acceptable if not disproportionate to the military advantage gained.
- Principle of Distinction
  - Military operations only against military objectives and not against civilian targets

Non-perfidy
- Requirement for identification of USG cyberattacks?
  - USAF insignia on airplanes and cruise missiles.
  - Military personnel in distinctive uniforms.
  - Trojan horses with distinctive identifiers ("This agent is a bona fide weapon of the US government")?
  - Public infrastructure so that any victim can verify the authenticity of such an identifier?
- Requirement for identifying military and civilian targets in cyberspace?
  - Nations have obligations to enable identification of military assets (distinctive vehicles with insignias) and are entitled to identify entities legally immune to attack (Red Cross on ambulances, white flags).
  - What must be done to identify military computers/networks? IT assets of hospitals and religious institutions? Who will verify the latter? (International Red Cross?)

Proportionality: uncertainty regarding outcome of a cyberattack
- Outcomes often more uncertain than for attacking physical targets
  - Indirect, cascading effects
  - Collateral damage difficult to calculate
  - No empirical or theoretical basis on which to estimate collateral damage (no "cyber blast radius")
- Uncertainty amplified by need to gather intelligence promptly in many tactical situations
- Experience in Balkans suggests long lead times for decisions on using cyber operations, due in part to JAG review

Distinction: legitimacy of attacks that disable computer-dependent civilian services
- Military communications often take place over the Internet; military forces depend to some extent on the commercial power grid. Are the national infrastructure for the Internet (e.g., routers) and the power grid valid military targets?
- To what extent are computer-dependent civilian services or communications essential to life in a modern society? Does disruption in these services rise to the level of causing death and destruction?

Arms Control Regimes for Cyberattack?

Why might regimes be desirable?
- Reduce likelihood of conflict, and damage if conflict occurs.
- Allies significantly more dependent on IT, thus restrictions on cyberattack asymmetrically benefit Allies
- Delegitimize cyberattack as a military weapon and discourage other nations from developing such capabilities for use against Allied interests.

Reasons for skepticism?
- Other nations will develop cyberattack capabilities under any circumstances. (Some see cyberattack as an ideal instrument of asymmetrical warfare.)
- Verification of limiting capabilities essentially impossible.
  - Can't restrict code, expertise/knowledge, underlying technology
  - Infrastructure needed to conduct attacks is small, easily hidden.

Restrictions on use of cyberattack?
- Refrain from striking at national financial systems or power grids (similar to no kinetic attack on hospitals or no blinding lasers)
  - May require cooperative measures (e.g., electronic identification of permitted and/or prohibited targets)
- Attackers can violate such agreements (just as a kinetic attacker can target ambulances or fire mortars from sanctuaries), and compliance in wartime is not assured.
- However, such agreements
  - Help to create international norms regarding the acceptability of such behavior.
  - Inhibit training that calls for violation.
  - May be enforced to some degree through threat of reciprocal use.
  - Probably most useful prior to the onset of conflict, because a signatory would have incentives to comply to avoid unwanted escalation.
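The non-perfidy slide asks for "public infrastructure so that any victim can verify the authenticity of such an identifier", and the restrictions slide asks for "electronic identification of permitted and/or prohibited targets". The Go program below is an added illustration of what the verification side of such infrastructure could look like; it is not code from the report or the NRC, and everything in it is an assumption: the marker format, the Ed25519 signature scheme, the JSON canonical encoding, the registry name and the sample asset name are all constructed for the example. It shows the property that matters for the slides' question: a marker is only accepted when a trusted registry signed exactly these fields, so copying a genuine marker onto a different asset, using an unknown registry, or presenting an expired marker all fail.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ProtectedAssetMarker is a hypothetical record in which a registry vouches
// that a network asset belongs to a legally protected entity (the cyber
// analogue of a Red Cross on an ambulance). All fields are illustrative.
type ProtectedAssetMarker struct {
	Asset    string `json:"asset"`     // e.g. a DNS name or address range
	Category string `json:"category"`  // e.g. "hospital", "religious institution"
	Registry string `json:"registry"`  // name of the vouching registry
	NotAfter int64  `json:"not_after"` // expiry as a Unix timestamp
}

// SignedMarker carries the marker plus the registry's Ed25519 signature over
// the canonical (JSON) encoding of the marker.
type SignedMarker struct {
	Marker    ProtectedAssetMarker
	Signature []byte
}

var (
	ErrUnknownRegistry = errors.New("marker: registry not in trusted set")
	ErrExpired         = errors.New("marker: marker has expired")
	ErrBadSignature    = errors.New("marker: signature does not verify")
)

// canonical encodes the marker deterministically; encoding/json emits struct
// fields in declaration order, so signer and verifier produce identical bytes.
func canonical(m ProtectedAssetMarker) ([]byte, error) {
	return json.Marshal(m)
}

// SignMarker is the registry side: it signs the canonical marker bytes.
func SignMarker(priv ed25519.PrivateKey, m ProtectedAssetMarker) (SignedMarker, error) {
	b, err := canonical(m)
	if err != nil {
		return SignedMarker{}, err
	}
	return SignedMarker{Marker: m, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyMarker is the victim/verifier side. trusted is the "public
// infrastructure" the slide asks about: a published map from registry name to
// registry public key. A marker is accepted only if its registry is trusted,
// it has not expired, and the signature covers exactly the presented fields,
// so changing any field (e.g. the asset name) invalidates it.
func VerifyMarker(trusted map[string]ed25519.PublicKey, sm SignedMarker, now time.Time) error {
	pub, ok := trusted[sm.Marker.Registry]
	if !ok {
		return ErrUnknownRegistry
	}
	if now.Unix() > sm.Marker.NotAfter {
		return ErrExpired
	}
	b, err := canonical(sm.Marker)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sm.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed demo: one registry, one genuine marker, one altered copy.
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"example-registry": pub}
	m := ProtectedAssetMarker{
		Asset:    "hospital.example", // constructed sample value
		Category: "hospital",
		Registry: "example-registry",
		NotAfter: time.Now().Add(24 * time.Hour).Unix(),
	}
	sm, _ := SignMarker(priv, m)
	fmt.Println("genuine marker:", VerifyMarker(trusted, sm, time.Now()))

	altered := sm
	altered.Marker.Asset = "other.example" // same signature, different asset
	fmt.Println("altered marker:", VerifyMarker(trusted, altered, time.Now()))
}
```

The design choice worth noting is that the verifier trusts keys, not claims: the marker's own "registry" field only selects which published key to check against, and an unknown registry is rejected before any signature is examined. Who runs such registries, and whether a verifier would trust them, is exactly the open policy question the slides leave unanswered.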

Many complicating factors
- Living with any regime we claim to want: it must be reciprocal.
- Routine cyberexploitation during crisis might be escalatory; refraining from cyberexploitation during crisis may deprive NCA of valuable tactical information (e.g., early warning).
- Difficulty of technical attribution makes proving a violation hard.
- Non-state attackers (patriotic hackers, terrorists)
- Widespread diffusion of relevant technology and expertise
- Private sector ownership/operation of cyberspace?
  - May require high degree of intrusiveness on the behavior of individuals and of the private sector.
  - Possible national responsibility for private sector actions

Collateral agreements/understandings may be helpful
- Examples from non-cyber world
  - Advance notification of ballistic missile launches
  - Measures to prevent dangerous incidents at sea
  - Hotlines to promote communication during crisis
- Possible collateral agreements for cyber
  - Agreements to cooperate promptly in investigation of cyberattacks from home territory
  - Agreements on sufficiency of evidence to presume attribution

Private Sector Equities

Google and China
- Google raised two issues (Operation Aurora)
  - Attempts to compromise email accounts of Chinese human rights activists
  - Penetrations of 34 companies (mostly in Silicon Valley) to obtain corporate data and software source code.
- China held responsible by Google for these actions.
  - Targeted attack against specific individuals, using a previously unknown vulnerability in Internet Explorer that allows remote code execution.
  - Google undertook its own forensic investigation, gaining access to a computer in Taiwan and monitoring its operations to identify penetration targets.
  - Attribution to China made largely on the basis of the attacks' technical sophistication and breadth and the targets of the cyber operations.
  - Some reports indicate that malware used in the latter penetration employed an algorithm contained in a technical report published only on Chinese-language Web sites.
  - Non-circumstantial evidence is scarce; this highlights the difference between technical attribution and the political decision to hold a nation accountable based on all sources of information.
- Subsequent Google action to un-censor its China search engine
- Some actions traced to elite Chinese IT schools
  - Many possible/plausible explanations (govt sanctioned activity, overly enthusiastic students, contest, final exam)

Some questions raised by Google/China engagement
- Google action to uncensor its search engines: retaliation for Chinese actions?
- How and to what extent, if any, should private entities be allowed to shoot back? Does private shoot-back increase or decrease the likelihood that a private entity will be attacked?
- How and to what extent, if any, should private entities be allowed to conduct their own forensic investigations (which may involve some degree of hack-back)?
- Private actors in the U.S. engaging in cross-border offensive operations (patriotic hackers, U.S. corporations acting in self-defense) have legal implications for the U.S.
  - U.S. responsibility potentially implicated if private actions rise to use of force
  - Possible interference with US government cyber operations

More broadly
- Certain cyberattacks undertaken by the United States are likely to have significant operational implications for the U.S. private sector.
  - Internet-based attack may require cooperation of U.S./Allied ISPs (ISPs usually asked to suppress cyberattacks; what about shutting down a US attack?)
  - Shaping the cyber battlefield may require cooperation of U.S./Allied IT vendors and service providers.
  - Adversary response to U.S. cyberattack may affect U.S. ISPs and critical infrastructure

Some broad observations and issues

Bear in mind
- Cyber conflict is not separate from other spheres of potential conflict.
- Options for responding to cyberattacks on the United States span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks.
- Cyber conflict is not just relevant to the US government, and issues arise in deterring attacks on private sector entities.

Nuclear conflict as analogy for cyber
- Many superficially obvious connections
  - Relevant concepts: early/tactical warning, attack assessment, stability, deterrence, offense dominance, counterforce, countervalue, escalation control, first use, first strike, secure second strike, war termination, launch under attack, launch on warning, employment options, proliferation, fratricide, laws of war, cascading effects, unpredictable effects, command and control
- But deeper analysis suggests badness of fit
  - Private sector doesn't have nuclear weapons.
  - Many of the same questions/issues arise in cyber as in nuclear (as well as in many other forms of conflict)
  - Answers to these questions are mostly very different
- Some suggest biological weapons are a better metaphor from a strategic point of view (deterrence, arms control, and so on).

Fostering a national debate on cyberattack
- The U.S. government and other nations should conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties are involved in discussions and familiar with the issues.
- Some aspects of cyberattack SHOULD be classified, e.g.
  - U.S. interest in a specific cyberattack technology
  - Fragile and sensitive operational details that are not specific to the technologies themselves
  - Capabilities and intentions of specific adversaries.
- But these are not relevant to answering questions about declaratory policy, and thus secrecy about policy issues serves to inhibit necessary discussion about them.
- Impossible to have a coherent discussion of policy while discussing only the defensive side; discussing defense only leads to a victim mentality.

C2 for offensive cyber operations
- Early use of cyberattack may be easy to contemplate in a pre-conflict situation, so a greater degree of operational oversight for cyberattack and cyberexploitation may be needed compared to use of other options.
- Confusion on adversary's part regarding intent of cyber operation: an exploitation may be seen as an attack.
- Operational footprint left by cyberattack activities is small, and routine activities may be less visible to senior decision makers.

Some interesting fundamental questions
- In light of the poor track record of deploying cyber defenses adequate to meet the threat, how and to what extent can offensive cyber operations enhance cybersecurity?
- In light of limited law enforcement response capabilities, how and to what extent, if any, should private entities be allowed to shoot back or investigate? Does private shoot-back increase or decrease the likelihood that a private entity will be attacked?
- What can/should a nation do in cyberspace in conditions short of avowed armed conflict, or in response to actions that fall short of armed attack or uses of force?
- How (if at all) should an attacking nation enable adversaries to differentiate between exploitation and attack?
- How, if at all, are existing international legal regimes (e.g., the laws of armed conflict, the Geneva Conventions) adequate to manage cyberconflict?
- What is the role of international cooperation and agreements in managing cyber conflict?

Report explores all these issues in much greater detail
- Herb Lin
- Chief Scientist, Computer Science and Telecommunications Board, National Research Council
- 202-334-3191, hlin_at_nas.edu
- Download reports free
  - Search for
    - MacArthur Foundation, Cyberattack, Policy
    - NRC report, deterring cyberattacks
  - (latter has 50 interesting research questions)