Saturday, February 6, 2010

U.S. Pentagon Cyberwar Strategy: Secret Cyberweapons


The China-U.S. diplomatic spat over cyberattacks on Google has highlighted the growing significance of the Internet as a theater of combat. Deputy Defense Secretary William Lynn recently warned of its appeal to foes who are unable to match the U.S.’s conventional military might. An enemy country could deploy hackers to take down U.S. financial systems, communications and infrastructure, he suggested, at a cost far below that of building a trillion-dollar fleet of fifth-generation jet fighters. “Knowing this, many militaries are developing offensive cyber capabilities,” Lynn said. “Some governments already have the capacity to disrupt elements of the U.S. information infrastructure.” (On Tuesday, the nation’s top intelligence official warned that cyber-enemies have “severely threatened” U.S. computer systems. “Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication,” Dennis Blair, the director of national intelligence, told a Senate committee.)

What U.S. officials don’t like to acknowledge is that the Pentagon is hard at work developing an offensive cyber capability of its own. In fact, it has even begun using that capability to wage war. Beyond merely shutting down enemy systems, the U.S. military is crafting a witch’s brew of stealth, manipulation and falsehoods designed to lure the enemy into believing he is in charge of his forces when in fact they have been secretly enlisted as allies of the U.S. military. And some in Washington fear that there hasn’t been sufficient debate over the proper role of U.S. cyberweapons that are now being secretly developed.

Pentagon officials acknowledge privately that such work is under way, though nearly all of it is classified. The recent creation of U.S. Cyber Command shows that the U.S. military is taking this mission seriously. “You have to be very careful about what you say in this area,” says a top cyberwarrior of the Pentagon. “But you can tell there’s something going on because the services are putting their money there and contractors are going after it in a big way.”

The Joint Chiefs of Staff want the ability to destroy an enemy’s computer network “so badly that it cannot perform any function,” according to the handbook on what the Pentagon calls “Information Operations.” The U.S. military wants to keep foes “from accessing and using critical information, systems and services” and to spoof adversaries “by manipulating their perception of reality.” Just how such wizardry is to be accomplished is contained in a classified supplement. But hints can be gleaned in a trickle of contracts and budget documents, larded with geek-speak, that have begun seeping onto the public record.

The Air Force wants the ability to burrow into any computer system anywhere in the world “completely undetected.” It wants to slip computer code into a potential foe’s computer and let it sit there for years, “maintaining a ‘low and slow’ gathering paradigm” to thwart detection. Clandestinely exploring such networks, the Dominant Cyber Offensive Engagement program’s goal is to “stealthily exfiltrate information” in hopes it might “discover information with previously unknown existence.” The U.S. cyberwarriors’ goal: “complete functional capabilities” of an enemy’s computer network – from U.S. military keyboards. The Army is developing “techniques that capture and identify data traversing enemy networks for the purpose of Information Operations or otherwise countering adversary communications.” And the Navy is developing “a non-lethal, non-attributable system designed to offer non-kinetic offensive information operation solutions,” according to Pentagon budget documents.

Yet concepts that have regulated war forever, such as deterrence and attribution, are slippery or missing in cyberspace. National boundaries don’t exist, making moot the question of sovereignty. Asymmetries abound: defenders must defend everything, all the time, while an attacker can prevail by exploiting a single vulnerability. Tracking down the source of cybersabotage, routed like a skipping stone through a series of innocent servers, can be all but impossible. Are the attackers curious teenagers, criminal gangs, a foreign power – or, more likely, a criminal gang sponsored by a foreign power? Deterrence becomes meaningless when the identity of an attacker is unknown.

“We’re in the stage before warfare,” cyberwarfare expert James Lewis told a Washington audience on Jan. 27. “We’re in the stages of people poking around.” Lewis, with the Center for Strategic and International Studies (CSIS), said cyberdefenses are inadequate. “Unless we find a way to use offensive capabilities as part of a deterrence or strategic defense,” he said, “we will be unable to defeat these opponents.” CSIS also released last week a survey of cybersecurity experts from around the world who “rank the U.S. as the country ‘of greatest concern’ in the context of foreign cyberattacks, just ahead of China.”

It’s the instantaneous nature of cyberattacks that has rendered defenses against them obsolete. Once an enemy finds a chink in U.S. cyberarmor and opts to exploit it, it will be too late for the U.S. to play defense (it takes 300 milliseconds for a keystroke to travel halfway around the world). Far better to be on the prowl for cybertrouble and – with a few keystrokes or by activating secret codes long ago secreted in a prospective foe’s computer system – thwart any attack. Cyberdefense “never works” by itself, says the senior Pentagon officer. “There has to be an element of offense to have a credible defense.”

Such cyberbattles are already happening in miniature. In Afghanistan and Iraq, U.S. cyberwarriors are hard at work denying enemy commanders the ability to direct their forces, the senior Pentagon officer says. “I shut it down, take away your electricity, take away the radio, infect your phone,” he explains. “Now you don’t know where I’m coming from, or if you do, you can’t tell the rest of your force what’s going on.” More insidiously, the U.S. can doctor the information the foe gets. “I can alter the messages coming across,” he says.

But there is mounting concern that U.S. offensive capability in cyberspace is growing too fast and too secretly. “I have no doubt we’re doing some very profoundly sophisticated things on the attack side,” says William Owens, a retired Navy admiral and cyberwar expert who led a federal study on U.S. offensive cyberwarfare last year. “But that is little realized by many people in Congress or the Administration.” That study, by the National Research Council, concluded that “the U.S. armed forces are actively preparing to engage in cyberattacks, and may have done so in the past.” But it added that a lack of public debate has led to “ill-formed, undeveloped and highly uncertain” policies regarding its use, which could lead the U.S. to stumble inadvertently into a cyberwar.