The Pentagon’s decision last week to establish a unified cybercommand to defend the military’s computer networks and attack those of U.S. enemies raises at least as many questions as it answers, analysts and experts in the field say.
“How does it fit into the strategic goals of defending our economy and our way of life?” asked Marcus Sachs, who helped set up the U.S. military’s first cyberwarfare unit in 1998.
“How will it relate to other government agencies?” asked Mr. Sachs, who is now director of the Internet Storm Center, a volunteer warning and analysis service that works with Internet service providers to counter such threats as computer viruses.
In a memo to military leaders last week, Defense Secretary Robert M. Gates ordered U.S. Strategic Command — the military entity in charge of U.S. nuclear and space weapons — to set up the new cybercommand by October this year and to have it fully functioning by October 2010.
However, he also ordered Pentagon policy chief Michele A. Flournoy to lead a “review of policy and strategy to develop a comprehensive approach to [Department of Defense] cyberspace operations.”
According to a National Research Council study of cyberwarfare published this year, “an unclassified and authoritative statement of joint [military] doctrine for the use of computer network attack is unavailable and it is fair to say that current doctrine on this matter is still evolving.”
Officials say that such questions are acute because of the difficulty in identifying cyberattackers who can strike anonymously using networks of home computers infected by specially designed viruses and in distinguishing between acts of vandalism, crime and war in cyberspace.
“How can we deter and prevent attacks” in cyberspace? asked Deputy Defense Secretary William J. Lynn III at a talk last week. “Deterrence is predicated on the assumption that you know the identity of your adversary, but that is rarely the case in cyberspace, where it is so easy for an attacker to hide.”
Mr. Sachs told The Washington Times that the questions of how to respond to cyberattacks were thrown into sharp relief by events in Estonia in 2007 and Georgia last year. Both countries were subjected to cyberattacks on their infrastructure originating in Russia, but Moscow denied any role, and it is not clear to what extent the attacks — largely carried out by nationalistic hacker gangs — might have been inspired or coordinated by the Russian government.
“What would happen and who would be responsible [for responding] if that kind of attack was carried out against the United States?” Mr. Sachs asked. “All these questions are unanswered.”
When it comes to offensive operations in cyberspace, the questions become even harder to answer, he said.
“We really haven’t tested the rules [that] apply to warfare in the physical world” in cyberspace, Mr. Sachs said. He gave as an example the requirement under the Geneva Conventions that all combatants be readily identifiable.
“What does that mean in cyberspace? Should we put a special header on packets” — the tiny digital messages that make up Internet traffic — “saying, ‘This is a U.S. Air Force attack packet’? … We need to start thinking about these questions,” he said.
“We need to have a public debate, not a classified conversation,” he added, noting that U.S. policy on the use of other unconventional armaments like nuclear weapons had been publicly debated even while the exact capabilities and technical details of the bombs themselves remained secret.
In last week’s memo, Mr. Gates called for an “implementation plan” for setting up the new command that would “delineate [its] mission, roles and responsibilities” and its “command and control, reporting and support relationships with combatant commands, [military] services and U.S. government department and agencies.”