The Pentagon’s decision last week to establish a unified cybercommand to defend the military’s computer networks and attack those of U.S. enemies raises at least as many questions as it answers, analysts and experts in the field say.
“How does it fit into the strategic goals of defending our economy and our way of life?” asked Marcus Sachs, who helped set up the U.S. military’s first cyberwarfare unit in 1998.
“How will it relate to other government agencies?” asked Mr. Sachs, who is now director of the Internet Storm Center, a volunteer warning and analysis service that works with Internet service providers to counter such threats as computer viruses.
In a memo to military leaders last week, Defense Secretary Robert M. Gates ordered U.S. Strategic Command — the military entity in charge of U.S. nuclear and space weapons — to set up the new cybercommand by October this year and to have it fully functioning by October 2010.
However, he also ordered Pentagon policy chief Michele A. Flournoy to lead a “review of policy and strategy to develop a comprehensive approach to [Department of Defense] cyberspace operations.”
According to a National Research Council study of cyberwarfare published this year, “an unclassified and authoritative statement of joint [military] doctrine for the use of computer network attack is unavailable and it is fair to say that current doctrine on this matter is still evolving.”
Officials say that such questions are acute because of the difficulty in identifying cyberattackers who can strike anonymously using networks of home computers infected by specially designed viruses and in distinguishing between acts of vandalism, crime and war in cyberspace.
“How can we deter and prevent attacks” in cyberspace? asked Deputy Defense Secretary William J. Lynn III at a talk last week. “Deterrence is predicated on the assumption that you know the identity of your adversary, but that is rarely the case in cyberspace, where it is so easy for an attacker to hide.”
Mr. Sachs told The Washington Times that the questions of how to respond to cyberattacks were thrown into sharp relief by events in Estonia in 2007 and Georgia last year. Both countries were subjected to cyberattacks on their infrastructure originating in Russia, but Moscow denied any role, and it is not clear to what extent the attacks — largely carried out by nationalistic hacker gangs — might have been inspired or coordinated by the Russian government.
“What would happen and who would be responsible [for responding] if that kind of attack was carried out against the United States?” Mr. Sachs asked. “All these questions are unanswered.”
When it comes to offensive operations in cyberspace, the questions become even harder to answer, he said.
“We really haven’t tested the rules [that] apply to warfare in the physical world” in cyberspace, Mr. Sachs said. He gave as an example the requirement under the Geneva Conventions that all combatants be readily identifiable.
“What does that mean in cyberspace? Should we put a special header on packets” — the tiny digital messages that make up Internet traffic — “saying, ‘This is a U.S. Air Force attack packet’? … We need to start thinking about these questions,” he said.
“We need to have a public debate, not a classified conversation,” he added, noting that U.S. policy on the use of other unconventional armaments like nuclear weapons had been publicly debated even while the exact capabilities and technical details of the bombs themselves remained secret.
In last week’s memo, Mr. Gates called for an “implementation plan” for setting up the new command that would “delineate [its] mission, roles and responsibilities” and its “command and control, reporting and support relationships with combatant commands, [military] services and U.S. government department and agencies.”
This last point is key because of the complicated jigsaw of authorities and responsibilities that different U.S. agencies have in relation to military, government and private-sector computer networks.
“There are so many stakeholder organizations and individuals in the cyberdomain it is difficult to know exactly where to start the collaboration, information sharing, and integration” needed, said Larry McKee, a computer-security specialist and longtime adviser to U.S. Strategic Command and the U.S. Air Force.
“What’s the long-term vision here?” asked Mr. Sachs. “Is it a small elite organization just focused on the military networks, or will it have a broader, almost National Guard-like mission to protect the nation’s critical infrastructure?”
Defense officials have been keen to stress that the new command will be focused on defending military networks’ “.mil” domain and that its establishment does not represent any attempt by the Pentagon to carve out a larger role for itself in defending the nation’s civilian-owned and -operated computer systems.
“Responsibility for protecting federal civilian networks would remain with the Department of Homeland Security,” Mr. Lynn said last week. “Likewise, responsibility for protecting private-sector networks would remain with the private sector.”
However, some privacy and civil liberties advocates have nonetheless expressed concerns about the role of the military and in particular the secretive National Security Agency in the cyberarena.
The new cybercommand will be headed by the director of the NSA, and Mr. Gates said he would recommend that the current incumbent of that job, Lt. Gen. Keith B. Alexander, be nominated to the new role.
Gen. Alexander is already in charge of the Joint Functional Component Command Network Warfare, the part of Strategic Command responsible for offensive cyberoperations.
“Many of the resources to be managed by cybercommand are already under Gen. Alexander’s control,” said Alan Paller, director of research at the SANS Institute, an industry nonprofit that does research and education on computer security.
“The new piece is that military resources currently outside of Strategic Command can now be mobilized,” Mr. Paller said. “The action-oriented resource base [of the new command] is much larger.”
However, Mr. Paller said leveraging those resources also required better partnership between the military and the private sector. A key problem for civilians engaged in trying to defend U.S. networks against cyberattacks, he said, was that they do not have access to the military’s latest, best information about attackers and the methods they are using.
Mr. Paller pointed out that the vast majority of the thousands of cyberattacks against U.S. military computers are carried out across civilian networks like the Internet, mostly managed by seven or eight large private-sector companies.
Currently, he said, because the network managers of those firms don’t have security clearances, “the military can’t share intelligence about the latest threat signatures” with them, making it much harder for them to spot attacks in progress.
Gen. Alexander told a symposium of the Armed Forces Communications and Electronics Association last week that the military will have to give network operations people the security clearances they need, so they can understand the nature of the threats.
Granting such clearances to “a very small set of people” would “radically improve our capabilities to defend” against cyberattacks, Mr. Paller said.
Still, many, and not just privacy and civil liberties mavens, remain unconvinced about the likely performance of the NSA, and by extension the new cybercommand, in this crucial area of partnership.
“While NSA has improved in both areas since Sept. 11, neither collaboration nor information sharing [is] exactly NSA core competencies,” Mr. McKee said.