Understanding Cyberattack as an Instrument of U.S./National Policy

About This Presentation

Title:

Understanding Cyberattack as an Instrument of U.S./National Policy

Description:

Cyber conflict and cyber security have both defensive and offensive dimensions, ... International law and offensive cyber operations Jus ad Bellem ... – PowerPoint PPT presentation

Number of Views:76

Avg rating:3.0/5.0

Slides: 46

Provided by: Herb50

Category:

more less

Transcript and Presenter's Notes

Title: Understanding Cyberattack as an Instrument of U.S./National Policy

1
Understanding Cyberattack as an Instrument of
U.S./National Policy

Herb Lin
Computer Science and Telecommunications Board
National Academies
25 October 2010
Project supported by the MacArthur Foundation,
Microsoft, and the National Research Council

2
Committee and report

Military
WILLIAM A. OWENS, co-chair (USN Retired, fmr
VCJCS)
CARL G. OBERRY, The Boeing Company (USAF Ret)
WILLIAM O. STUDEMAN, USN Retired (fmr NSA
Director)
Foreign Relations and Diplomacy
KENNETH W. DAM, co-chair, University of Chicago
SARAH SEWALL, Harvard University
Information technology
THOMAS A. BERSON, Anagram Laboratories
DAVID D. CLARK, MIT
RICHARD L. GARWIN, IBM Fellow Emeritus
(technology)
JEROME H. SALTZER, MIT, (retired)
MARK SEIDEN, MSB Associates
International and National Security Law
JACK L. GOLDSMITH, Harvard Law School
GERHARD CASPER, Stanford University

3
On classification

Study is entirely unclassified.
To our knowledge, first comprehensive integrated
treatment of cyberattack from a policy
perspective to examine technical, legal, ethical
issues.
Useful to know for policy makers to know what is
knowable on an unclassified basis.

4
The broad context

Nations are increasingly dependent on information
technology, and thus important IT functionality
must be protected.
Cybersecurity measures taken to protect or
preserve a computer system or network and the
information it holds.
Defensive cybersecurity (reports, legislation,
op-eds)
Passive defenses
Anti-virus and intrusion detection software
Better password security
Greater attack resistance in software
More robust law enforcement mechanisms
e.g., Convention on Cybercrime
Offensive cybersecurity (a generally classified
subject)
Offensive operations can be used for defensive
purposes.
Cyber conflict and cyber security have both
defensive and offensive dimensions, and
comprehensive approaches require understanding
both.

5
Basic taxonomy for offensive cyber operations

Cyberattack action to destroy, degrade, disrupt
adversary IT or information therein
Cyberexploitation action to (very quietly)
obtain information from adversary IT
Technical operations
remote (e.g., DOS, virus, worm)
close-access (e.g., USB key, sofware swap during
shipment, compromised chip in manufacturing
supply chain)
Social engineering operations
Tricking, bribing, blackmailing, extorting
someone to take action
Technical and social operations are often
combined
Cyberattack and cyberexploitation are technically
very similar, hard for adversary to distinguish.
(Also hard for news media to distinguish.)

6
Key characteristics

Offensive operations can be conducted with
plausible deniability
But remember that adversaries make mistakes too,
and all-source intelligence helps
Offensive technology is relatively inexpensive,
widely available, and easy to obtain.
Many nonstate actors (companies, patriotic
hackers, terrorists) can have influence and may
be able to cause some of the same kinds of
effects as state actors.
A resource-poor attacker may have significant
leverage, by
using automation to reduce personnel needed and
increase tempo.
stealing computing and financial resources
The indirect effects of cyberatacks are almost
always more consequential than the direct effects
of the attack ? must judge cyberattacks by total
effect, and indirect does not mean not
primary
Effects can span an enormous range cyberattack
is a methodology, not a specific weapon per se.
A cyberattack is NOT of lesser consequence
because it targets only a computer.
Effects may be significantly delayed in time from
moment of insertion.

7
Operational considerations and realities

Cyber operations can be selective or
non-selective in targeting.
Selectivity implies long lead time, complex
intelligence requirements, specialized skills,
higher cost
Cyber operations (especially attacks) can be very
complex to plan and execute.
Large range of options than most traditional
military operations
Analysis of (many) outcome paths may require
specialized knowledge (Stuxnet).
Time and spatial scales can span many orders of
magnitude
A cyberattack may be
Usable only once or a few times
Limited temporally in effect and/or limited in
scope (if highly targeted)
Technically fast but operationally slow hence
most suitable in non-time-urgent operational
scenarios (e.g., early use) speed of light vs
speed of law/thought/analysis

8
Operational (continued)

Target identification
Translating IP address, processor serial number,
configuration, keyboard language into target
identification
Often a manual process
Plan operation
Gain access in advance (prepare the battlefield),
determine vulnerability
Specify payload (identify effects sought)
Limit collateral damage (must know what is
connected cascading effects hard to predict)
Execute operation
May take place some time distant from obtaining
access/vulnerability defenses/configuration may
have changed
Perform assessment (distinguish between real
success and faked success)
If exploitation, misinformation may be returned
If attack, target may only appear to shut down
Many answers depend on detailed intelligence
information on targets, and thus success of a
cyber operation is highly contingent.

9
Possible connections of offensive cyber
operations for defensive purposes

Before adversary attack
Early warning of attack means living inside
adversary network
May need to pre-empt offensive cyber action about
to be undertaken by adversary
During adversary attack
May need to disrupt a cyberattack in progress by
disabling attacking computers
After adversary attack
Need for conducting forensic investigation that
may require multiple intrusions into proximate
and intermediate nodes.
Retaliation a possibility to discourage further
attacks.
And what of non-defensive purposes?

10
Illustrative non-defensive applications of
offensive cyber operations

Traditional military operations
Suppression of adversary air defenses.
Disruption of adversary plans for military
deployment.
Disruption of adversary critical infrastructure
(e.g., power grids)
Covert action
Influencing the outcome of a foreign election
using electronic voting machines.
Altering electronic medical records of adversary
military leaders.
Disruption of adversary infrastructure for
censorship.
Cyberexploitation
Exploration of adversary command and control
networks to determine command arrangements,
orders of battle
Probes of adversary military networks in
preparation for later attack.
Exfiltration of negotiating positions, political
plans, commercial information.

11
U.S. policy today

National security
Law enforcement
Private sector

12
(parts of) DOD policy

DOD seeks superiority in the cyber domain--the
state in which U.S. and friendly forces have
complete freedom of action in the domain and
adversary forces have no freedom of action.
Revised in recent testimony by Keith Alexander,
who questioned US ability for the latter
NRC report concludes that enduring unilateral
dominance in cyberspace is neither realistic nor
achievable by the United States.
DOD implied declaratory policy on cyberattack
Cyberattack is just like any other weapon in the
DOD arsenal except for operational
considerations.
Cyberattack is better suited for early use, when
there is time to collect intelligence
DOD has publicly announced policy re cyberattack
in the case of active defense
USAF seeking capabilities for automated
cyberattacks conducted for defensive purposes.

13
Intelligence on cyberexploitation and covert
action

Intelligence collection (including
cyberexploitation) undertaken to further the
interests of the United States outside CONUS
unlimited except if US persons involved. Not a
violation of international law.
Intelligence collection on behalf of specific US
companies not undertaken as a matter of US
policy (not true for some other nations, e.g.,
France)
Covert action regulated by US statute
activities of the U.S. government to influence
political, economic, or military conditions
abroad, where it is intended that the role of the
U.S. government will not be apparent or
acknowledged publicly. Must be authorized by
findings of the President, and reported to
appropriate individuals in the U.S. Congress.
Note alignment of plausible deniability
requirement and technical characteristics of
cyberattack.
One reported example- US against USSR in 1982.

14
One public story regarding alleged US cyberattack
on the Soviet Union

Soviet Union actively sought to obtain Western
technology (including pipeline control software).
US discovered the list of sought-after
technologies.
In 1982, the U.S. spiked software that was
subsequently obtained by the Soviet Union. The
software was programmed to go haywire, and
after a decent interval, to reset pump speeds and
valve settings to produce pressures far beyond
those acceptable to pipeline joints and welds.
The result -- a large explosion in a Siberian
natural gas pipeline (visible from space, looked
like a 3 kiloton nuclear blast)
Beyond the immediate effect, the Soviets came to
understand over time that they had been
stealing bogus technology, but now what were they
to do? By implication, every cell of the Soviet
leviathan might be infected. They had no way of
knowing which equipment was sound, which was
bogus. All was suspect, which was the intended
endgame for the entire operation.
Source Thomas Reed, At the Abyss An Insider's
History of the Cold War, Ballantine Books, New
York, NY, 2004

15
Law enforcement and private sector action

Law enforcement
Cyberexploitation governed under various statutes
re wiretapping, access to stored information etc.
Cyberattack limited, but not forbidden (e.g.,
jamming of cell phones to protect President)
Law enforcement authorities exempt from Computer
Fraud and Abuse Act (CFAA).
Private sector
Governed by CFAA, and prohibits private action
Self-defense justification never attempted

16
On cyberdeterrence
17
The why and how of deterrence

How can we persuade adversaries to refrain from
launching damaging cyberattacks?
Deterrence seems like the obvious inevitable
choice in an offense-dominant world.
Passive defense is inadequate and eventually will
fail
Law enforcement actions are too slow and
uncertain in outcome.
Deterrence of nuclear threats in the Cold War
establishes the paradigm largely successful.
Based on a credible threat to
Deny the attacker the benefits of an attack
Punish the attacker by imposing unacceptable
costs

18
Deterrence (in classical form)

Denial (1) is too hard, hence punishment (2) is
a more appealing strategy.
Threat of punishment requires
Attribution of attack to adversary
what system, which actor?
Cyberattack does not require skills that are
limited to small set of adversaries
Knowing that an attack has happened
Noisy background
Ambiguous effect (exploitation? Delayed effect?)
Difficulty of correlating information across
multiple affected sites
Slow forensics
Credibility
Nations conduct many highly visible military
training exercises in part to demonstrate
capabilities to potential adversaries. How
should nations demonstrate (secret) cyber
capabilities?
Bottom line on cyberdeterrence uncertainty
about how traditional concepts of deterrence
(i.e., 2) apply to cyberspace. Thus, denial has
greater appeal (cf., recent Lynn Foreign Affairs
article)

19
On escalation and termination

Deterring escalation is just as important
(perhaps more so) as deterring onset of conflict.
Unintended escalation particularly dangerous when
operational actions are less visible to senior
decision makers
outcomes of actions are more uncertain (e.g.,
cascading effects)
How can cyberconflict be terminated?
Noisy background of criminal and hacker (and
perhaps 3rd nation) cyberattacks
Requirements for termination how to de-mine?
How to suppress patriotic hackers?

20
International law and offensive cyber operations
21
Jus ad Bellem (conditions for engaging in
conflict)

UN Charter prohibits threat or use of force
against the territorial integrity or political
independence of any state (Art. 2(4))
Force not defined. By practice, it
includes conventional weapon attacks that damage
persons or property
excludes economic or political acts (e.g.
sanctions) that damage persons or property
UN Charter Art. 51 - Nothing in the present
Charter shall impair the inherent right of
individual or collective self-defence if an armed
attack occurs against a Member of the United
Nations..
Armed attack not defined, even for kinetic
force.

22
When is a cyberattack a use of force or an
armed attack?

Easier
Exploitation w/o damage or degradation (no)
cyberattack that causes physical damage akin to
kinetic attack (yes) use of cyberattack during
acknowledged armed conflict (not covered by Art.
2(4) but subject to LOAC jus in bello).
Harder
Economic damage without physical damage
Temporary, reversible interference with computer
system
Mere data destruction or degradation
Introduction of Trojan horse software agents
Payload with exploitation and attack
capabilities? (cf. human spy skilled in
sabotage?)
Payload to accept a future upgrade with unknown
capabilities?
Destructive payload with delayed action
capability? (cf., pre-planted remotely
detonatable mine)
Empty payload a shell that can be remotely
upgraded in the future
Cyberattack that has effects comparable to a
kinetic armed attack is also an armed attack, but
few good analogies to past kinetic precedents.

23
When is a cyberattack a use of force or an
armed attack?

Answers matter to attacked party, because they
influence when and under what authority law
enforcement (vis a vis military) takes the lead
in responding, and what rights the victim might
have in responding.
Answers matter to attacking party, because they
set a threshold that policy makers may not wish
to cross in taking assertive/aggressive actions
to further its interests.

24
Some hard scenarios under the UN charter

Economic damage without physical damage
Raiding a national treasury?
Political interference without physical damage
Hacking electronic voting machines?
Temporary, reversible interference with
military/critical infrastructure systems
DOS attack?
Mere data destruction or degradation
Corruption of database responsible for military
logistics scheduling?
Violations of neutrality in cyberspace?
Use of a third nations routers to carry a
cyberattack?
Ambiguities between legal exploitation and
illegal attack?
Introduction of agent for exploitation with
remotely upgradeable capabilities?
Attacks on dual-use infrastructure?
Requirements for separation of military and
civilian infrastructure?
Inherently clandestine and deception-based
attacks? (perhaps analogous to submarine warfare
in 1914?)
National responsibility for non-state actors?
Time delay between insertion and use for attack?

25
Jus in Bello (behavior during conflict)

Principle of Non-Perfidy
Cannot pretend to be legally protected entity
Principle of Proportionality
Collateral damage on civilian targets acceptable
if not disproportionate to the military
advantage gained.
Principle of Distinction
Military operations only against military
objectives and not against civilian targets

26
Non-perfidy

Requirement for identification of USG
cyberattacks?
USAF insignia on airplanes and cruise missiles.
Military personnel in distinctive uniforms.
Trojan horses with distinctive identifiers This
agent is a bona fide weapon of the US
government?
Public infrastructure so that any victim can
verify the authenticity of such an identifier?
Requirement for identifying military and civilian
targets in cyberspace?
Nations have obligations to enable identification
of military assets (distinctive vehicles with
insignias) and are entitled to identify entities
legally immune to attack (Red Cross on
ambulances, white flags).
What must be done to identify military
computers/networks? IT assets of hospitals and
religious institutions? Who will verify the
latter? (International Red Cross?)

27
Proportionality uncertainty regarding outcome of
a cyberattack

Outcomes often more uncertain than for attacking
physical targets
Indirect, cascading effects
Collateral damage difficult to calculate
No empirical or theoretical basis on which to
estimate collateral damage (no cyber blast
radius)
Uncertainty amplified by need to gather
intelligence promptly in many tactical situations
Experience in Balkans suggests long lead times
for decisions on using cyber operations, due in
part to JAG review

28
Distinction Legitimacy of attacks that disable
computer-dependent civilian services

Military communications often take place over the
Internet military forces dependend to some
extent on commercial power grid. Are the national
infrastructure for Internet (e.g., routers) and
power grid valid military targets?
To what extent are computer-dependent civilian
services or communications essential to life in
a modern society? Does disruption in these
services rise to the level of causing death and
destruction?

29
Arms Control Regimes for Cyberattack?
30
Why might regimes be desirable?

Reduce likelihood of conflict, damage if conflict
occurs.
Allies significantly more dependent on IT, thus
restrictions on cyberattack asymmetrically
benefit Allies
Delegitimize cyberattack as a military weapon and
discourage other nations to develop such
capabilities for use against Allied interests.

31
Reasons for skepticism?

Other nations will develop cyberattack
capabilities under any circumstances. (Some see
cyberattack as an ideal instrument of
asymmetrical warfare.)
Verification of limiting capabilities essentially
impossible.
Cant restrict code, expertise/knowledge,
underlying technology
Infrastructure needed to conduct attacks is
small, easily hidden.

32
Restrictions on use of cyberattack?

Refrain from striking at national financial
systems or power grids (similar to no kinetic
attack on hospitals or no blinding lasers)
May require cooperative measures (e.g.,
electronic identification of permitted and/or
prohibited targets)
Attackers can violate such agreements (just as a
kinetic attacker can target ambulances or fire
mortars from sanctuaries), and compliance in
wartime is not assured.
However, such agreements
Help to create international norms regarding the
acceptability of such behavior.
Inhibit training that calls for violation.
May be enforced to some degree through threat of
reciprocal use.
Probably most useful prior to the onset of
conflict, because a signatory would have
incentives to comply to avoid unwanted
escalation.

33
Many complicating factors

Living with any regime we claim to want must be
reciprocal.
Routine cyberexploitation during crisis might be
escalatory refraining from cyberexploitation
during crisis may deprive NCA of valuable
tactiacl information (e.g., early warning).
Difficulty of technical attribution makes proving
a violation hard.
Non-state attackers (patriotic hackers,
terrorists)
Widespread diffusion of relevant technology and
expertise
Private sector ownership/operation of cyberspace?
May require high degree of intrusiveness on the
behavior of individuals and of the private
sector.
Possible national responsibility for private
sector actions

34
Collateral agreements/understandings may be
helpful

Examples from non-cyber world
Advance notification of ballistic missile
launches
Measures to prevent dangerous incidents at sea
Hotlines to promote communication during crisis
Possible collateral agreements for cyber
Agreements to cooperate promptly in investigation
of cyberattacks from home territory
Agreements on sufficiency of evidence to presume
attribution

35
Private Sector Equities
36
Google and China

Google raised two issues (Operation Aurora)
Attempts to compromise email accounts of Chinese
human rights activists
Penetrations of 34 companies (mostly in Silicon
Valley) to obtain corporate data and software
source code.
China held responsible by Google for these
actions.
Targeted attack against specific individuals,
using previously unknown vulnerability in
Internet Explorer that allows remote code
execution.
Google undertook its own forensic investigation,
gaining access to a computer in Taiwan and
monitoring its operations to identify penetration
targets.
Attribution to China made largely on the basis of
attacks technical sophistication and breadth and
the targets of the cyber operations.
Some reports indicate that malware used in latter
penetration employed an algorithm contained in a
technical report published only on
Chinese-language Web sites.
Non-circumstantial evidence is scarcehighlights
difference between technical attribution and
political decision to hold a nation accountable
based on all sources of information.
Subsequent Google action to un-censor its China
search engine
Some actions traced to elite Chinese IT schools
Many possible/plausible explanations (govt
sanctioned activity, overly enthusiastic
students, contest, final exam)

37
Some questions raised by Google/China engagement

Google action to uncensor its search engines -
retaliation for Chinese actions?
How and to what extent, if any, should private
entities be allowed to shoot back? Does private
shoot-back increase or decrease likelihood that a
private entity will be attacked?
How and to what extent, if any, should private
entities be allowed to conduct their own foresnic
investigations (which may involve some degree of
hack-back)?
Private actors in U.S. engaging in cross-border
offensive operations (patriotic hackers, U.S.
corporations acting in self-defense) have legal
implications for the U.S.
U.S. responsibility potentially implicated if
private actions rise to use of force
Possible interference with US government cyber
operations

38
More broadly

Certain cyberattacks undertaken by the United
States are likely to have significant operational
implications for the U.S. private sector.
Internet-based attack may require cooperation of
U.S./Allied ISPs (ISPs usually asked to suppress
cyberattacks what about shutting down a US
attack?)
Shaping the cyber battlefield may require
cooperation of U.S./Allied IT vendors and service
providers.
Adversary response to U.S. cyberattack may affect
U.S. ISPs and critical infrastructure may be
affected

39
Some broad observations and issues
40
Bear in mind

Cyber conflict is not separate from other spheres
of potential conflict.
Options for responding to cyberattacks on the
United States span a broad range and include a
mix of dynamic changes in defensive postures, law
enforcement actions, diplomacy, cyberattacks, and
kinetic attacks.
Cyber conflict is not just relevant to US
government, and issues arise in deterring attacks
on private sector entities.

41
Nuclear conflict as analogy for cyber

Many superficially obvious connections
Relevant concepts early/tactical warning, attack
assessment, stability, deterrence, offense
dominance, counterforce, countervalue, escalation
control, first use, first strike, secure second
strike, war termination, launch under attack,
launch on warning, employment options,
proliferation, fratricide, laws of war, cascading
effects unpredictable effects command and
control
But deeper analysis suggests badness of fit
Private sector doesnt have nuclear weapons.
Many of the same questions/issues arise in cyber
as in nuclear (as well as in many other forms of
conflict)
Answers to these questions are mostly very
different
Some suggest biological weapons are a better
metaphor from a strategic point of view
(deterrence, arms control, and so on).

42
Fostering a national debate on cyberattack

The U.S. government and other nations should
conduct a broad, unclassified national debate and
discussion about cyberattack policy, ensuring
that all parties are involved in discussions and
familiar with the issues.
Some aspects of cyberattack SHOULD be classified,
e.g.
U.S. interest in a specific cyberattack
technology
Fragile and sensitive operational details that
are not specific to the technologies themselves
Capabilities and intentions of specific
adversaries.
But these are not relevant to answering questions
about declaratory policy, and thus secrecy about
policy issues serves to inhibit necessary
discussion about them.
Impossible to have a coherent discussion of
policy while discussing only the defensive side
discussing defense only leads to a victim
mentality.

43
C2 for offensive cyber operations

Early use of cyberattack may be easy to
contemplate in a pre-conflict situation, so a
greater degree of operational oversight for
cyberattack and cyberexploitation may be needed
compared to use of other options.
Confusion on adversarys part regarding intent of
cyber operation an exploitation may be seen as
an attack.
Operational footprint left by cyberattack
activities is small, and routine activities may
be less visible to senior decision makers.

44
Some interesting fundamental questions

In light of the poor track record of deploying
cyber defenses adequate to meet the threat, how
and to what extent can offensive cyber operations
enhance cybersecurity?
In light of limited law enforcement response
capabilities, how and to what extent, if any,
should private entities be allowed to shoot back
or investigate? Does private shoot-back increase
or decrease likelihood that a private entity will
be attacked?
What can/should a nation do in cyberspace in
conditions short of avowed armed conflict or in
response to actions that fall short of armed
attack or uses of force?
How (if at all) should an attacking nation enable
adversaries to differentiate between exploitation
and attack?
How, if at all, are existing international legal
regimes (e.g., the laws of armed conflict, the
Geneva Conventions) adequate to manage
cyberconflict?
What is the role of international cooperation and
agreements in managing cyber conflict?