President Barack Obama pledged to put cyber issues at the core of his legislative agenda. He’s sought to change how the public and private sectors share information about online threats and bolster some privacy protections for citizens while maintaining a robust NSA.
Now the administration is turning its attention to Washington’s two central pillars of national security: the military and espionage services.
In the last month, both the Pentagon and the CIA have issued broad strategy statements, vowing to assertively move and expand their operations into the cybersphere to protect and defend vital U.S. security interests.
In April, CIA Director William Brennan released an unclassified version of what he calls the Agency’s “Blueprint for the Future.” Saying that digital technologies hold as much promise as they do threats, he vowed to place “the digital domain at the very center of all our mission endeavors.”
In an April 23 speech at Stanford University, Secretary of Defense Ashton Carter laid out the Pentagon’s cyber strategy, warning potential adversaries that the U.S. is ready to respond to any act of cyberwar, using digital weapons of “blunt force trauma” as well as, potentially, conventional force.
Amid these and similar developments by other nations around the world, a larger conversation is taking hold among researchers, military strategists, cyber security specialists, privacy activists and others.
Among the questions:
What’s gained and what’s lost with the Internet’s militarization? What are the rules of cyberwar? Does the development of nuclear arms, and the resulting decades-long détente, have anything to teach the cybersphere? And if cyberwar comes, what exactly will it look like, and who will be hurt?
Rules of cyberwar
When asked a few years ago about concerns of militarizing the Internet, Chairman of the Joint Chiefs of Staff General Martin Dempsey said, “We have a Navy, but we’re not being accused of militarizing the oceans.”
That may be true as far as it goes, said Colin Clark, editor of the online defense industry news-site Breaking Defense. The Internet, Clark said, is most likely a “global common,” or a space like the sea or space that’s shared equally among nations.
“But the problem with the Internet when you look at it in terms of a civilian and military divide is that there is no divide for practical purposes because the Internet goes everywhere,” he said. “So if you’re going to operate on the Internet in a military fashion, you’ve got to come up with rules that make sense and work technically.”
Over a period of centuries, nation-states developed something called ‘Jus in Bello,’ or the international Law of War.
It sets out, in fairly codified fashion, the rules of warfare, including what’s generally considered acceptable and what isn’t regarding the start and end of war, the treatment of civilians and prisoners, and general principles to prevent unnecessary suffering and destruction.
When a new military technology - such as nuclear weapons - comes along, the rules need to be rewritten.
Nations do that, Clark said, in part by “signaling” to each other through public statements, speeches and policies, their willingness to use such weapons and under what circumstances.
“That’s exactly what’s happening here with Secretary Carter’s speech at Stanford,” he said. “He’s telling in particular the Russians and the Chinese, who commit the great majority of hacks and other attacks against the U.S., that we know what you’re doing, we’re watching what you’re doing, that we’re capable of stopping you and, in the end if necessary, we can destroy you via the Internet.”
The problem with that, said Bob Twitchell, the CEO and President of Dispersive Technologies, a cybersecurity firm based in Alpharetta, Georgia, is that there is as yet no agreed-upon rulebook of cyberwar. That makes it more unpredictable and dangerous, he said.
“Technology can do many different things, but it always comes back to policy: what’s the technology, what do you want to do with it, what’s fair and not fair, and what’s completely unacceptable,” said Twitchell, a longtime consultant and developer of electronic weapons for the Department of Defense.
Signals like Carter’s speech or Brennan’s blueprint, Twitchell said, could help begin a serious international discussion, but that would take time. Meanwhile, he said, the U.S. has thrown down the gauntlet.
“The U.S. coming out and saying they’re going to protect American citizens and companies from the world’s cyberbullies is absolutely the right thing,” he said. “I think letting them know that’s the policy will stop some of the hacking because they know what we could do to them.”
Both Twitchell and Clark, as well as other analysts VOA has spoken with, say that when it comes to cyberwar, it isn’t a case or if, or even when, but rather what is happening now.
“Cyberwar? It’s already happening,” said analyst Twitchell. “We’ve already seen the damage it can do. I think it’s increasing exponentially, but a lot of people are just being quiet about it, so you don’t give your enemies situational awareness.”
There’s an old phrase among those who’ve seen military combat: "The battle plan survives until first contact with the enemy." At that point, once reality meets theory, all bets are off.
Clark said the U.S. is already in contact with the enemy, both on the military and espionage fronts, and it’s critical to begin establishing policies that dictate when a response is called for, and more importantly, what that response should look like.
“This is the most interesting part of the cyber discussion: the balance between direct retaliation using the same weapons you were attacked with - cyber - or using another mix,” he said.
“One of the things you’ll hear, especially from the people in the space domain, is that if we’re attacked - say, someone tries to hack a satellite - instead of using cyber to retaliate, we should retaliate with missiles, rockets, bombs, and take out their command and control," Clark said.
Generally speaking, Chinese hack attacks have tended to focus more on espionage than actual damage, such as when a unit of the People’s Liberation Army allegedly tried to pry open and steal millions of secret files from U.S. corporate and government computers.
In contrast, hackers based in Russia have shown a greater willingness to create damage and havoc, such as their massive cyberattacks on Estonia and the Republic of Georgia.
But those distinctions are blurring, as well as what some analysts see as increasingly sophisticated cyberattacks coming from smaller belligerent nations, such as Iran and North Korea.
“On a daily basis I’m most concerned about the use of the Internet to commit espionage,” said journalist Clark. “On a strategic basis, I’m a lot more worried about smaller actors who may receive state sponsorship to develop cyberweapons. If Iran or North Korea or the Chinese really wanted to get serious, they could make it very difficult for us to say ‘Aha, we know who did this.’ That’s what keeps me up at night.”
If, in fact, the U.S. is “signaling” its friends, allies and putative enemies about its intent to use the cybersphere offensively as well as defensively, analyst Twitchell said not to expect much clarity about what, exactly, those intents are.
“You never tell your enemy what you’re going to do to them; you let the wonder what you’ll do,” he said. “If you say where the line is, then everyone’s going to go right up to that line every time. Keeping the line fuzzy and making it a choice is part of diplomacy today.”
Clark said the Pentagon and intelligence services are busy running various war-game scenarios to best figure out what those lines may be.
“This gets to the basic separation between espionage and waging war,” he said.
"We’re under attack all the time. In that sense, cyberwar is just a part of daily life,” he said. “But when you talk about the actual use of the Internet to inflict serious and sustained damage on our country with the intent of either taking life or destroying the economy. That’s a whole other level and one that we’ll only recognize when it happens.”