The rationale for offensive cyber capabilities

This article originally appeared on the Australian Strategic Policy Institute (ASPI) website. 

June 8, 2016

James A. Lewis

An early scene in the 1962 film Lawrence of Arabia shows German planes swooping back and forth to bomb the rebel camp and Prince Feisal, who’s heroically mounted on a white charger, chasing the planes with his sword in hand. Horses against aeroplanes aptly describes the circumstance for any nation that wants to defend itself if it lacks military cyber capabilities. You can’t reasonably expect to have a modern, effective military if you can’t carry out cyber operations. This isn’t a like-for-like match of cyber versus cyber—an astute opponent will use cyber techniques to paralyse command and control, interfere with the operation of weapons, and generally attempt to fatally expand the confusion that accompanies any armed conflict.

This isn’t a call for expanded cyber defence. Cyber defence usually means a bigger Computer Emergency Response Team, more technicians, essentially a Maginot line approach. We don’t talk about defensive tanks or defensive fighters. The best weapons can be used for either offence or defence. How they’re used depends on national intent and the risk of using them depends on how closely a nation adheres to international law and the laws of armed conflict—a peaceful nation that adheres to international law has nothing to fear from acquiring ‘offensive’ cyber capabilities. A purely defensive approach cedes the initiative to the opponent and leaves the defender in a reactive posture. No military would choose that.

Nor do we need to moan about the horrors of cyber war. People have let their imaginations run away with the consequences of cyber-attack. It’s not a weapon of mass destruction. It can have strategic effect, but that comes from its ability to precisely target crucial systems. Unlike nuclear weapons, cyber-attacks can have strategic effect without mass consequences.

Nations are experimenting with how to incorporate cyber capabilities into their military operations as they develop strategy and doctrine. The most advanced militaries are creating specific military cyber warfare entities. The growing military dimension makes cybersecurity an essential subject for discussion and for national strategy development.

It may be tempting to select from a menu of clichés—genies out of bottles or Pandoran boxes opened, but all are meaningless and result from the overestimation of the effect of cyber-attacks. Perhaps 30 nations are acquiring offensive cyber capabilities; some would say many more, and some of those are in Australia’s neighbourhood—it’s not just China. Eventually, all modern militaries will have offensive cyber capabilities, just as they have acquired jets, helicopters, missiles and, increasingly, UAVs. Nobody likes warfare, but declining to modernise, sticking to the cyber equivalent of horses and swords against airplanes, is a gift to opponents who will be quick to seize upon a careless attitude towards national defence.

Such developments have implications for both the public discussion and regional stability. On the first matter, the US position is slowly changing. The US first used offensive cyber operations (albeit primitive) in the second half of the 1990s. For more than a decade, there was no public recognition of this capability. Discussion is still limited, but in the last year or two the US has decided to be more open about offensive cyber capabilities. That may seem a bit odd given that PPD-20, the Top-Secret Presidential Directive for military cyber operations, including offensive operations, was leaked a few years ago and lives on The Guardian website. But the US has made strides in beginning a halting discussion of both capabilities and operations, albeit at a very general level.

Such secrecy is unhelpful. A question that outside experts have posed for a decade is, if we could have a robust discussion of nuclear strategy and capabilities, why can’twe have the same discussion of cyber capabilities? That’s slowly beginning to change but the absence of much information outside of classified channels means that much of the media and academic discussion is simply wrong. One possible reason the Obama administration has begun to slowly peel back secrecy is that it has been reminded of a scene in the film, Dr Strangelove, where the American President cautions the Russian ambassador that having a secret weapons capability does little to provide a deterrent or stabilising effect.

Secrecy damages stability. It’s better to have an open discussion of military doctrine and strategy—this openness was the intent of the April 2015 DOD Cyber Strategy(PDF)—than letting others make assumptions about policy and intentions. Transparency builds stability and confidence—that’s the reason confidence-building measures (CBMs) are valuable, and more progress on such measures in the ASEAN region would be helpful.  Australia’s done a good job of working with other ASEAN nations on CBMs, but the only region with adequate CBMs is Europe. That’s thanks to the work of the Organization for Security and Co-operation in Europe, which includes an exchange of military doctrines among members.

Having an offensive capability is nothing to be embarrassed about or keep secret, but it needs to be accompanied by diplomatic initiatives and transparency with voters. We want to normalise cyber capabilities and should treat them like any other military system, rather than as dark secrets from the world of SIGINT.

Cyberspace and armed forces: the rationale for offensive cyber capabilities

This article originally appeared on the Australian Strategic Policy Institute (ASPI) website. 

Tuesday, May 31st, 2016

By: James A. Lewis

A serious approach to military modernisation requires countries to equip, train, and organise cyberforces for what has become an essential component of national defence and deterrence. A force without adequate cyber capabilities is more dangerous to itself than to its opponents. As nations move forward in rethinking the role and nature of their military forces, and as they study the problems of organisation, doctrine and use of cyber operations, they need to:

• develop the full range of military cyber capabilities with both offensive and defensive application

• create a centralised command structure for those capabilities, with clear requirements for political-level approval for action

• embed those capabilities in doctrine and a legal framework based on international law

Full text available here. 

Federal cybersecurity initiatives timeline - Draft 1.b

An amended first cut at a list of Federal cybersecurity initiatives.  I intentionally left out some of the purely ornamental functions (White House CTOs CIOs, NSTIC, etc.) or Departmental initiatives.  There are some recurring themes (military operations, critical infrastructure protection), a lot of organizational and governance efforts, and a few dead spots.  Rough count: Clinton: 4; Bush: 6; Obama: 17.  We'll continue to refine this.

 

Timeline: Federal Cybersecurity Efforts

Clinton

1998       PDD63 - critical infrastructure (http://goo.gl/omfH05)

               Creation of CIAO/NIPC 

               Federal Computer Incident Response Center (http://goo.gl/481aiA)

1999       Encryption decontrol (https://goo.gl/aEb9iM)

 

Bush

2002       NSPD 16 - offensive cyber operations

2003       DHS (https://goo.gl/sJNZ3P)

               US-CERT (https://goo.gl/Gly3M0)

               HSPD-7 - critical infrastructure (http://goo.gl/DZyl84)

2004       NSPD 38 National strategy (https://goo.gl/OX7L7V)

2008       NSPD 54 Cybersecurity policy (CNCI) (http://goo.gl/7T7nYN)

 

Obama

2009       60 Day review (https://goo.gl/b5vK7Y)

               White House coordinator (https://goo.gl/cmbr9N)

               DHS Deputy Undersecretary for cyber (https://goo.gl/63ihOH)

               NCCIC (https://goo.gl/KEQ8tb)

               Cyber Command (http://goo.gl/XnRylS)

2010       National Cyber Incident Response Plan (http://goo.gl/PL53dG)

2011       International Strategy (https://goo.gl/vauxL1)

              Coordinator for International Cyber Issues (http://goo.gl/K075wE)

               DOD Strategy (http://goo.gl/8xIK3W)

2012       PPD 20 (military cyber operations)

2013       EO 13636 - critical infrastructure (https://goo.gl/A2ePX2)

2014       NIST Framework (http://goo.gl/83loue)

2015       EO Information Sharing (https://goo.gl/saV4WM)

               EO Cyber Sanction (https://goo.gl/bLUsOX)

               DOD Cyber strategy update (http://goo.gl/v8ld6p)

               Creation of CTIIC (https://goo.gl/XM5HKm)

2016       EO CNAP (https://goo.gl/EHfGUq)

 

Congress

2002      Homeland Security Act (https://goo.gl/xOJp8b)

              Federal Information Security Management Act (FISMA) (http://goo.gl/B4VH2Z)

2014      Federal Information Security Modernization Act (https://goo.gl/eG4nuc)

2015      Cybersecurity Information Sharing Act (http://goo.gl/C9G3Dr

Indictments, Countermeasures, and Deterrence

“What counts are the political and military consequences of a violation…since these alone will determine whether or not the violator stands to gain in the end.”
Fred Ikle, “After Detection, What?” 1961

The announcement of the indictment of seven Iranian hackers is part of a larger effort to reshape adversary thinking about the costs of attacking the United States. There has been a sequence of linked events - the PLA indictments, the response to Sony, the threat of sanctions before the Xi-Obama summit, and now these indictments. The effect is to push back against foreign-state hackers. These actions create consequences for malicious actions in cyberspace (recommended in a 2013 CSIS Report). When there is no consequence or penalty, there is no incentive to stop. Cyberspace has been largely penalty-free until recently. The indictments signal to our opponents to realize that attacking the United States can have consequences.

Iran rapidly developed its cyber-attacks capabilities after its “Green Revolution,” where political opponents of the regime used the internet to organize protests and dissent. These attack capabilities let them manage and then eliminate the political threat created by the internet. In developing these capabilities, Iran was helped by Russia, or at least by Russian hackers with the approval of the Russian state. There are no freelance hackers in Iran - the attackers are funded and controlled by the Iranian Revolutionary Guard. Iran routinely probes American critical infrastructure networks to locate vulnerabilities, has launched massive denial of service attacks against leading U.S. banks (apparently to protest sanctions) and disrupted networks and data at the Sand Casino in an effort to intimidate and punish its owner. What Iran did to Aramco in 2012 shows the kind of damage they could do in the United States, if they thought they could get away with it.

The United States has been aware of Iranian activities for several years, but was hesitant to say so. When the Department of Homeland Security (DHS) briefed critical infrastructure companies on how their networks were being probed, they were denied permission by the Intelligence Community, for reasons best known to itself, to even say the word “Iran” in the briefing even though it was an open secret. Actions like this (the DHS briefing was reported in the press) inspire more ridicule than caution in opponents. The likely cause for the self-imposed restraint was probably a desire not to put the nuclear talks at risk. This may explain why Sony received presidential attention while Sands did not.

This is not name-and-shame. Iran’s leaders do not burst into tears when they are named. Naming must be accompanied by consequences or the threat of consequences if it is to have effect. The Department of Justice’s approach has been to develop the case as if it was really going to court. They do a lot of work on evidence. We will probably never see these people stand trial (as with the PLA indictments) but Justice prepares as if this was a possibility. This slows any response - as does the need to find companies willing to go public about being the victim of hacking - but the wealth of evidence in an indictment is compelling, perhaps even frightening to opponents.

The latest indictments send a powerful message. The responses to China, North Korea and now Iran say two things: attackers are no longer invisible and there will be consequences for their actions. This message reshapes opponent thinking about the risk and potential costs of cyber actions against the United States. The effect of this is not always clear to American commentators - diplomacy and espionage are colored in half tones, not the black-and-white, clear distinction of popular culture. The most obvious evidence of change is that the PLA indictments, widely questioned when they were announced, contributed significantly to the Chinese decision to agree to refrain from commercial cyber-spying.

The United States faces four major opponents in cyberspace and the name missing from this list is Russia. Russian hackers, presumably acting with the permission of the Russian state, are the most energetic and skilled in committing financial crimes against Wall Street and other financial centers. There have been indictments against Russian hackers and some, foolish enough to travel outside of Russia, have been arrested, but these have not stopped cybercrime, suggesting that Russia has a higher tolerance for risk and a greater willingness (or desire) to flout the United States. This has implications for future actions - the United States cannot rest on its laurels and stop with these actions against China, North Korea and Iran, but must continue to create consequences for hacking incidents.

We can draw lessons from these incidents about what should be the nature of any future action. Signaling to opponents that U.S. attribution capabilities have improved markedly is a first step - the President’s 2015 State of the Union Address briefly revealed how and why they have improved when he said “we're making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.” This means the ability to blend cyber espionage, signals intelligence and human sources gives the United States an unparalleled advantage in identifying hackers.

The second step involves countermeasures. The United States has held a long, painful discussion of cyber-deterrence that has been handicapped by approaching deterrence as a military problem, as if we were still in the Cold War. Complications arise from trying to identify how military force can be used in a “proportional response” to hacking and cybercrime, where no incident would justify a military response. The most effective actions to date in causing state attackers to recalculate risk have not depended on the Department of Defense or Cyber Command, but on attribution, indictments and the threat of sanctions. Looking for a military solution to cyber deterrence has tied us in knots. The better response lies in countermeasures that fall below the level of the use of force. Indictment and sanctions can make opponents wary. This will wear off if not refreshed, but the latest indictment are something we should have done a long time ago to construct the rule of law in cyberspace. Indictments make clear that the Wild West days of cyberspace are (slowly) coming to an end.

Cybersecurity Report 2016: Are We Ready in Latin America and the Caribbean?

On March 14, 2016 CSIS hosted a discussion on the state of cybersecurity in Latin America and a roll-out of the Cybersecurity 2016 report. This event was jointly sponsored by the Center for Strategic and International Studies, the Inter-American Development Bank, and the Organization of American States.

The report is available for download  in both English and Spanish HERE.

A Lack of Cooperation Between Tech Giants and the U.S. on Encryption Makes Us Less Secure

Fears about allowing law enforcement to gain access to encrypted data for criminal investigations — that it would put us on a slippery slope to massive digital privacy intrusion — are well-intentioned, but misguided.

While Americans care deeply about privacy, we also expect law enforcement agencies to fully investigate and prosecute terrorist or other criminal activities. Faced with these expectations, law enforcement cannot simply give up on trying to acquire the data they need for criminal and terrorism investigations. They will need to find other means to access that data — data that a court has deemed important to an investigation.

Establish an International Precedent for Sharing Encrypted Data

People and companies don’t get to choose when to obey the law. If a company is served with a lawful order to assist with an ongoing criminal investigation and it is possible for that company to assist, it has to comply. Apple was served a warrant. If it can comply, it has to service the warrant. If it can’t comply, it can ask a judge to vacate the warrant.

Apple says it can’t open the iPhone’s encrypted passcode. If this is true, they are off the hook, but if they can build the technology to comply (or already have), they need do what the warrant asks.

Posturing and Politics for Encryption

The encryption debate has been largely unencumbered by facts. That deserves a separate discussion, but for now, let us consider Apple’s stout refusal to cooperate with the FBI in gaining access to data stored on the phone of one of the San Bernardino murderers.

Apple’s motives are clear, if not clearly expressed. The Snowden revelations damaged the brand of all American technology products. To assuage their customers, some companies offer “end-to-end” or unrecoverable encryption. It is the growth of these commercial encryption services offering unrecoverable encryption to a mass market that is of the greatest concern to law enforcement and intelligence agencies. To reassure a global market, these companies announce they will not cooperate with American authorities. This is a reasonable response to rebuild credibility, but it is not sustainable.

Managing Risk for the Internet of Things

New CSIS Report - Managing Risk for the Internet of Things: Executive Summary https://csis.org/publication/managing-risk-internet-things.

The majority of Internet “users” are machines, not people.  The devices that make up “the Internet of Things” (IoT) connect to the internet, take action, and create immense amounts of data. These devices will perform progressively more functions, creating new risks for safety and security, but we need more than anecdotes to assess risk and devise useful policies.  An initial conclusion about security and the Internet of things is that popular portrayal significantly exaggerates and misrepresents risk. 

Actually, it's peut être: "Cryptographic backdoors? France says, “Non!”

So emphatic, but still open to question.  Maybe this is intended to influence the UK parliamentary debate, but it's confusing.   

It’s not the French government, but the Minister for Digital Stuff.  French intelligence programs are still kept very close hold, with only a few political types in the national security realm being informed.   Maybe this Minister knows, maybe they don't. 

France has extensive surveillance authorities.  Renouncing "backdoors" does not mean endorsement of unrecoverable encryption. 

G20 Communiqué Agrees on Language to Not Conduct Cyber Economic Espionage

G20 Communiqué Agrees on Language to Not Conduct Cyber Economic Espionage

Leaders at the Group of 20 conference on Monday agreed on language pledging not to conduct cyber-enabled economic espionage. The agreement is not legally binding, but it may give countries justification for responding to economically motivated cyber espionage in the future. 

Moving Forward with the Obama-Xi Cybersecurity Agreement

Moving Forward with the Obama-Xi Cybersecurity Agreement

China’s leaders often talk about the need for a “new model of great power relations.” The agreement on cybersecurity between President Xi and Obama is a first step in defining it. The agreement does not mean we are done with cybersecurity. It is the start of a long journey to define both cyberspace and the larger relationship.

Serious discussions on how to respond to China’s cyber espionage began several years ago. A strategy that combined pressure and accommodation seemed the best alternative to passivity, and U.S. concerns were raised many times, including in a December 2013 non-paper given to Chinese officials that discussed sanctions, indictments and other measures if matters did not improve. At the time, there were objections that this approach wouldn't work because Chinese culture and attitudes worked against reaching any agreement and that we could not influence their decision-making. These criticisms were wrong. If there are grounds for criticism, they would be that it was wrong to let so many months pass between indictments (which, contrary to much of the public discourse, had a powerful effect) and any follow on action.

ECJ Bombs the Safe Harbor

ECJ Bombs the Safe Harbor

Today the European Court of Justice (ECJ) invalidated the ‘Safe Harbor’ agreement. This agreement allowed the European Commission (EC) to designate individual U.S. companies as having ‘adequate’ privacy protections in place despite the fact that the U.S., as a country, does not have “adequate” protections under EU law.

The ECJ ruled in favor of Max Schrems, an Austrian citizen who submitted a complaint to Irish regulators against Facebook after the Snowden revelations in 2013. Schrems argued that, by transferring his data to the U.S. in the course of normal operations, Facebook was violating his right to privacy by exposing him to indiscriminate surveillance by U.S. authorities under the NSA’s PRISM program. The Irish data protection authority rejected his complaint, arguing that Facebook’s data transfers were protected by the ‘Safe Harbor.’ The case was then escalated to the Irish High Court, who referred the case to the ECJ. 

Measuring Cybersecurity Success at the Summit

Measuring Cybersecurity Success at the Summit

If press reports are accurate, it is a welcome development that the United States and China (in response to the threat of sanctions) have begun negotiations on cyber security in preparation for the upcoming summit. The Obama administration has a unique moment of leverage on cyber security with China and must be careful not to squander it. We cannot expect the summit to “fix” the problem – this will be a long process if it is serious – but we can look for certain outcomes that can demonstrate whether these presidential talks point to progress or are just another gesture.

Friends Don't Let Friends...

Friends Don't Let Friends...

Recent leaks reporting that the United States might sanction China reflects growing – but not universal - agreement in Washington that the United States needs to respond forcefully to rampant Chinese cyber espionage and that the authorities established by April’s Executive Order on cyber sanctions are the best option. There are several reasons for this. First, nothing has worked when it comes to economic espionage. According to data collected by the FBI and NSA, China is responsible for more economic espionage directed at U.S. companies than any other country – perhaps more than all other countries combined. This has been true for years.

The amount of economic espionage is troubling, but even more troubling is China’s decision to ignore hints, suggestions and direct requests from the United States. This indicates a certain disrespect and is a disturbing indicator for the bilateral relationship. Cyber espionage has been raised at senior levels repeatedly since 2009. President Obama made it agenda item number one at the Sunnylands Summit. The Chinese ignored all this. The only U.S. action that got their attention was the indictment of five PLA officers in 2014. Some Americans greeted the indictments with misgiving (and other with confusion), but the indictments remain the most effective public action the United States has taken to date. The chief criticism of the indictments is that the United States has been slow to follow up. If any sanctions are a “one-off,” not followed with concrete proposals for reducing tensions, we will not gain much at all.

IANA Transition and ICANN Accountability

IANA Transition and ICANN Accountability

In March 2014, the National Telecommunications and Information Administration (NTIA) – part of the U.S. Department of Commerce – announced its intention to relinquish part of its role in managing the Internet’s Domain Name System (DNS) to the global multi-stakeholder community.

NTIA asked the Internet Corporation for Assigned Names and Numbers (ICANN), a California-based nonprofit group, to convene global stakeholders to develop a proposal to replace NTIA’s current stewardship over the Internet Assigned Numbers Authority (IANA).

Pressure to let go of the final vestiges of U.S. authority over the web address system had been building for over a decade, but grew after the Snowden NSA revelations in summer 2013.

NTIA mulled the question of how best to transition these responsibilities for about a year and a half, and sought input from a diverse group of stakeholders and experts.

In July 2015, the IANA Stewardship Transition Coordinating Group (ICG) released its proposal to “Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community.”

Some Observations about Enforcement Standards from 2,000 Pages of FTC Documents

Earlier this year I filed a FOIA case against the FTC for its failure to produce any documents in response to my request for the standards it uses in deciding whether to open an unfair trade practice investigation, or bring an unfair trade practice legal action, regarding cybersecurity under section 5 of the Federal Trade Commission Act.  On Christmas Eve last year, the FTC denied my request, saying, “We have located responsive records, all of which are exempt from the FOIA’s disclosure requirements[.]”  The FTC produced no documents, not even in redacted form.  After I filed an administrative appeal, which was denied, I filed suit in order to better inform the public about what standards are used by the FTC when deciding whether to bring a case.  On July 21, 2015, in the course of the litigation, the FTC produced over 2,000 pages of documents, consisting almost exclusively of presentations, testimony, and other public communications.  Here are some observations from these documents.  You can find a more detailed analysis, with citations, here.

UN publishes latest Report of the Group of Government Experts

Seventieth session

Item 94 of the provisional agenda*

Developments in the field of information and
telecommunications in the context of international security.

 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security

 

Note by the Secretary-General

The Secretary-General has the honour to transmit herewith the report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.