The Pentagon has laid out its most explicit cyberwarfare policy to date, which advocates granting the president authority to launch offensive cyber operations in response to hostile acts.
Released in November 2011, the Department of Defense report asserts a need for automated, preapproved responses to some hostile acts in cyberspace. The report clearly states offensive actions will be carried out only as directed by the president, but it raises questions regarding what the Pentagon defines as automated.
“The Pentagon’s desire to automate cyber responses as a defensive measure is an interesting concept,” said Jeff Bardin, risk management director in the global security organization at EMC in Hopkinton, Massachusetts. “There are several issues associated with such a response depending upon the true definition of automation for this instance.”
Bardin says automated responses to cyberattacks resulting in the shutting down of certain ports and triggering of network segmentation tactics, for example, aren’t “much different than existing HVAC automated procedures. HVAC building systems can be built or configured to provide detection-to-HVAC-shutdown in seconds,” he said. “If the intent of the Pentagon is to automate cyber defenses to provide immediate responses to predefined stimuli, I believe the effort to be worthwhile and not in need of extensive human involvement.”
Need for Human Analysis
However, Bardin cautions automated offensive responses to cyberattacks “have a long way to go to reach a level of comfort.
“Offensive cyberattacks require human analysis to determine attack targets, attack vectors, lethality of payloads, length of the attack, and intended impact,” he added, warning, “There could be collateral cyber damage in such an automated response.”
Bardin says there are legal issues associated with such methods, but the United States should reserve its right to defend itself. “We should have the same rights in the virtual world with proper training, licensing, and certified skill levels,” he said. “The problem today is that we have none of this for the individual or commercial entities while the government is still cutting its teeth to become technically mature in their capabilities.”
‘Attribution Is Almost Impossible’
Guillaume Lovet, head of Fortinet’s FortiGuard security research team in Europe, says cyberspace retaliation is very dangerous. “When it comes down to cyber attacks, attribution is almost impossible,” he said. “Even more concerning, attribution can be manipulated too easily. For example, the attacker may be a citizen from country X; compile a Trojan Horse with a Chinese version of Microsoft Visual Studio, planting debug strings, file paths, or comments, in Chinese; send it to everyone @whitehouse.gov from a proxy located in China, and profit while observing the U.S. retaliating on China.”
Lovet explained, “In a nutshell, retaliation in cyberspace requires a level of certainty in the initial attack’s attribution that is unlikely to be attained.”
Short-Term, Long-Range Differences
It’s important for planners to distinguish between responses that should be automated and those that should not, says Brian Bascom, CEO of the United States Veterans Chamber of Commerce in Dallas, Texas.
“Automated responses are simply preplanned sets of processes, not all-inclusive campaigns,” Bascom said. “Initial automated responses would undoubtedly involve automated reconnaissance of affected systems, to allow better, human selection of next steps. Attacks occur very rapidly. Actively interrupting an attack must also occur very rapidly to have any impact on defending a beleaguered computer system. Operating at human decision speeds is not sufficient.
“On the other hand, deciding long-term offensive strategies is a more deliberate process, not subject to the same decision speed constraints. It is unlikely to have automated triggers,” he added.
Bascom recommends the Pentagon continue to refrain from detailing any form of tactical rules of engagement, as those merely benefit an attacker. As it is, responses will need to be altered on a constant basis to prevent an attacker from figuring out exactly how to trigger automated responses through the kinds of probing cyber intrusions the Department of Defense reportedly faces every day.
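The distinction the three interviewees draw (Bardin’s preapproved defensive automation on predefined stimuli, Bascom’s automated reconnaissance feeding human selection of next steps and his concern about attackers learning to trigger responses, and Lovet’s warning that attribution is too weak to act on automatically) can be sketched as a small response engine. The following is an added illustration, not code from the Department of Defense report or from any of the organizations quoted; the alert types, host addresses, rule set and per-host automation cap are constructed assumptions.

```python
"""Illustrative incident-response playbook engine (constructed example).

Predefined stimuli map to preapproved, purely defensive actions that run
without a human in the loop; anything else is queued for analysts.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    kind: str                 # e.g. "port_scan", "c2_beacon" (constructed names)
    host: str                 # affected internal host
    port: Optional[int] = None
    severity: int = 0         # 0-10, constructed scale


@dataclass
class Decision:
    automated: List[str] = field(default_factory=list)  # executed immediately
    escalated: List[str] = field(default_factory=list)  # queued for a human


# Preapproved playbook: (stimulus predicate, defensive action). Every action
# stays inside the defender's own network, mirroring the "detection-to-shutdown"
# automation described in the article; there is deliberately no outward action.
PLAYBOOK: List[Tuple[Callable[[Alert], bool], Callable[[Alert], str]]] = [
    (lambda a: a.kind == "port_scan" and a.port is not None,
     lambda a: f"close inbound port {a.port} on {a.host}"),
    (lambda a: a.kind == "c2_beacon",
     lambda a: f"move {a.host} to quarantine VLAN"),
    (lambda a: a.kind == "lateral_movement",
     lambda a: f"segment {a.host} from server subnet"),
]


class ResponseEngine:
    def __init__(self, max_auto_per_host: int = 3):
        # Cap on automated actions per host (assumed design choice): once an
        # attacker has provoked this many responses the engine stops acting on
        # its own, so repeated probing cannot steer the automation indefinitely.
        self.max_auto_per_host = max_auto_per_host
        self.auto_count: Dict[str, int] = {}

    def handle(self, alert: Alert) -> Decision:
        d = Decision()
        # Reconnaissance of the affected system is always automated; it is the
        # evidence a human will need when choosing the next step.
        d.automated.append(f"snapshot process list and connections on {alert.host}")
        for predicate, action in PLAYBOOK:
            if predicate(alert):
                n = self.auto_count.get(alert.host, 0)
                if n >= self.max_auto_per_host:
                    d.escalated.append(
                        f"{alert.host}: automation cap reached, review {alert.kind}")
                else:
                    self.auto_count[alert.host] = n + 1
                    d.automated.append(action(alert))
                break
        else:
            # No preapproved rule matched: never improvise, hand off to analysts.
            d.escalated.append(
                f"{alert.host}: unrecognised stimulus {alert.kind!r}, needs analyst decision")
        # Any action against the apparent source is never automated; at most the
        # engine flags that an attribution review should precede a decision.
        if alert.severity >= 8:
            d.escalated.append(
                f"{alert.host}: severity {alert.severity}, attribution review required before any counter-action")
        return d


def run_demo() -> List[Decision]:
    """Feed constructed alerts (not real telemetry) through the engine."""
    engine = ResponseEngine(max_auto_per_host=2)
    alerts = [
        Alert("port_scan", "10.0.5.12", port=445, severity=3),
        Alert("c2_beacon", "10.0.5.12", severity=7),
        Alert("lateral_movement", "10.0.5.12", severity=9),  # third hit: cap reached
        Alert("unknown_protocol", "10.0.7.3", severity=5),   # no preapproved rule
    ]
    return [engine.handle(a) for a in alerts]


if __name__ == "__main__":
    for i, decision in enumerate(run_demo()):
        print(f"alert {i}: automated={decision.automated} escalated={decision.escalated}")
```

The engine encodes the article’s three positions as policy: the automated set is fixed in advance and defensive only, triage data is collected without waiting for a person, and both the cap and the unrecognised-stimulus branch force a human decision exactly where the interviewees say one is needed.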
Phil Britt ([email protected]) writes from South Holland, Illinois.
“Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934,” November 2011: http://news.heartland.org/sites/default/files/Pentagon%20cyber%20terrorism.pdf