Inside Cyber Warfare

Jeffrey Carr


Defense Criminal Investigative Services (DCIS): Investigates matters relating to terrorism, prevents the illegal transfer of sensitive defense technology, stops cyber crime and computer intrusions, and investigates cases of fraud, bribery, and corruption.

DOD Cyber Crime Center (DC3): Provides criminal, counterintelligence, counterterrorism, and fraud-related computer forensics support to the defense criminal investigative organizations.

Delivers cyber technical training.

Processes digital evidence and analyzes electronic media for criminal law enforcement and DOD counterintelligence investigations and activities.

Performs investigations and provides forensic training to DOD members to ensure that information systems are secure from unauthorized use.

[212] JS J6 has been disestablished as per the DOD Efficiencies Study: Networks and Information Integration (NII) and J6 Disestablishments (FY 2012, $13 million, FYDP, $65 million)-Transfers acquisition program oversight responsibilities from the Assistant Secretary of Defense for Networks and Information Integration (ASD(NII)) to the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD (AT&L)) and all remaining NII responsibilities to the DoD Chief Information Officer (CIO). The Joint Staff will transfer its J6 (Command, Control, Communications, and Computer Systems) funding and manpower to the DoD CIO and the US Cyber Command beginning in FY 2012.

[213] See the note above about disestablishment of the JS J6 and the passing of functions from the ASD/NII to the DOD CIO.

[214] IO responsibilities have passed from Ms. Rosemary Wenchal at OUSD(I) to Mr. Austin Branch at OUSD(P).

Chapter 18. Active Defense for Cyber: A Legal Framework for Covert Countermeasures

[T]he United States reserves the right, under the law of armed conflict, to respond to serious cyberattacks with an appropriate, proportional, and justified military response.

-William J. Lynn, III, "The Pentagon's Cyberstrategy, One Year Later," Foreign Affairs, September 28, 2011

By Catherine Lotrionte[215]

During the Cold War, the United States and the Soviet Union constantly maneuvered to achieve superiority and to counter and deter any aggressive moves by each other. When one nation was perceived to overstep its bounds, the other would signal its discontent by moving aircraft carrier groups, conducting military exercises, pursuing diplomatic engagement, seeking sanctions from the United Nations Security Council, enforcing embargoes, and even conducting proxy wars. These signals may well have prevented a nuclear exchange that would have resulted in the loss of many innocent lives and possibly a world war.

Today, when the threat of cyber conflict among nations is a reality, signaling is just as important if not more so because of the global connectivity of the Internet and its links to nations' critical infrastructure assets. This chapter presents one type of signaling: the use of covert counter cyber strikes. The use of such measures would be an element of the US active defense strategy in cyberspace, carried out either by the United States directly or third parties on its behalf, and subject to the international laws relating to the recourse to the use of force and the laws of armed conflict where applicable. While the language used by the Department of Defense in discussing its cyber strategy focuses on the defensive aspect of the overall strategy, the notion of active defense involves offensive measures.[216] Active defense measures, however, use offensive means in order to defend against and neutralize a threat. The purpose of using a cyber counterattack is to stop a specific, immediate, or ongoing cyber threat rather than retaliate with a strategic purpose. It is offensive action for a defensive purpose.[217]

This chapter will examine the use of counter cyber strikes as a model for the United States' operations in cyberspace. This model is one approach that would allow the United States to wage an asymmetric fight that spans the global commons while abiding by the rules of international law. It provides the United States an option for dealing with the critical issue of nonstate actors and state proxies engaging in cyber conflict against the United States. This model is not the exclusive one that has been offered, nor should it be the only one considered by the United States. Others have been offered that could shed light on effective methods for the United States to defend against cyber attacks, including a model that looks at deterrence, a nuclear weapons model of mutually assured destruction, as well as the model of strategic air power.[218] To date, however, not enough attention or writing has focused on the use of direct or indirect counter cyber strikes as an element of active cyber defense.

In 2008, in his testimony before the Senate Select Committee on Intelligence, then-Director of National Intelligence J. Michael McConnell underscored the need for the United States "to take proactive measures to detect and prevent [cyber] intrusions from whatever source, as they happen, and before they can do significant damage." His testimony highlighted the inadequacy of hardening assets and utilizing passive defenses alone as defensive strategies for the United States. The inadequacy of passive defenses suggests that the national debate over cyber security must necessarily include considering attack options for defensive purposes. In other words, if passive defense is insufficient to ensure security, an approach to eliminate or degrade an adversary's ability to successfully prosecute an attack may be warranted. The use of covert action within an active defense framework may increase the success of neutralizing the threat, maintaining deniability while at the same time complying with international norms of self-defense.

Precedent exists for the United States' active defense, as it incorporated such methods to deter its adversaries' aggressive actions during the Cold War. In the 1970s, while the United States initially showed restraint in developing anti-satellite weaponry, it quickly moved to a more offensive posture when the Soviet Union attacked three US satellites in 1975. The Soviets' aggressive acts led President Ford to sign the National Security Decision Memorandum No. 345, directing the Department of Defense (DoD) to develop an operational anti-satellite capability allowing for US-based counterattacks against both private and government-sponsored aggressors.[219] As the Cold War ended and new threats emerged from nonstate actors, the United States adopted an active defense approach in its counterterrorism cyber operations, launching a number of offensive counter cyber attacks against Al Qaeda and Jihadi systems and services.[220]

By 1996, the US government clarified some of the lingering questions surrounding its right to launch both physical and cyber counter attacks against cyber aggressors who compromised the ability of US-owned cyber systems. On September 14, 1996, President Clinton signed Presidential Decision Directive/National Science and Technology Council-8, defining US national space policy. The policy identified key space activities to be conducted in the interest of US national security, including offensive action to protect US space assets.[221] Following the creation of the National Space Policy, Secretary of Defense William S. Cohen issued Department of Defense Directive 3100.10, identifying policies relating to military space control and stating, "Purposeful interference with US space systems will be viewed as an infringement on US sovereign rights. The US may take all appropriate self-defense measures, including . . . the use of force, to respond to such an infringement on US rights."[222] Similarly, in 2010, the Department of Defense in its Quadrennial Defense Review document made it clear that in order to operate effectively in cyberspace, the United States needs "improved capabilities to counter threats in cyberspace," including actively defending its own networks.[223]

In July 2011, the Department of Defense released its Cyber Strategy, which underscored the United States' right to conduct cyber counterattacks against aggressors.[224] An example of this type of active defense was shown in the 2006 US cyber attack against the Al Qaeda network of jihadist websites.[225] The United States is not alone in supporting the use of counter cyber attacks. There have been reports that the UK may have taken down Inspire, a terrorist website.[226] The Israelis have also conducted "denial of service" attacks against Palestinian National Authority websites.[227]

Cold War fears of communist world conquest have been replaced by concerns about the dangers to international peace and security from worldwide jihadism, the acquisition of weapons of mass destruction (WMD) by rogue states and nonstate actors, and the emergence of a new breed of cyber warriors willing to provide their services to states and nonstate actors. With the emergence of terrorism, the proliferation of WMD, and, more recently, cyber warriors with international ramifications as new sources of threats to national security, the United States, like other nations, has been forced to contemplate and develop new strategies and tactics for its national defense. The US intelligence community continues to play an important role in that regard, and today it must do so by supporting the broader US defense efforts against these new threats. The rest of this chapter focuses on the use of covert action as one method for deterring those who would conduct cyber attacks against the United States and its critical assets.

Covert Action

In 1996, in its final report, the Aspin-Brown Commission emphasized the need for a continuing covert action capability-even after the end of the Cold War. It stated, "in 1975, the Rockefeller Commission investigated alleged abuses in certain covert action programmes and concluded that there were 'many risks and dangers associated with covert action, but we must live in the world we find, not the world we might wish. Covert action cannot be abandoned, but should be employed only where clearly essential to vital US purposes and then only after a careful process of high level review'." In an age of proliferated threats, where states are no longer the only adversaries and there is no certain target for attribution, covert action may prove to be even more important to the United States' ability to protect national security.

By law, covert actions are those activities of the US government to influence political, economic, or military conditions abroad, where it is intended that the role of the US government will not be apparent or acknowledged publicly.[228] This can cover a wide range of activities in foreign countries, including political advice to foreign persons or organizations, financial support and assistance to foreign political parties, propaganda, and paramilitary operations designed to overthrow foreign regimes or capture and detain operations against foreign terrorists. Covert action does not include "activities the primary purpose of which is to acquire intelligence, traditional counterintelligence activities, traditional activities to improve or maintain the operational security of United States Government programs, or administrative activities."[229] Traditional military activities are also excluded from the scope of covert action.[230]

Covert action is conducted in support of US foreign policy objectives, as well as when the president has determined that the use of covert action is necessary for US national security. It is done on the assumption that the link between the activities and the US government can be kept secret. Executive Order 12333 makes the CIA the lead-though not exclusive-agency with authority for covert actions.[231] If the president determines that another agency, for example the NSA, is better suited to achieve a particular operational objective, he may direct that agency to conduct the covert action. No matter which government agency is responsible for its planning and execution, however, the legal definition of that term applies equally to those elements of the US government. Covert cyber actions could be of two general types: (1) propaganda and disinformation that would come under psychological operations; and (2) actions to paralyze the computer networks of target countries or nonstate actors supporting the critical elements of the target country.

[215] This is a guest chapter by my friend and colleague, Professor Catherine Lotrionte, Visiting Assistant Professor and Executive Director, Institute for Law, Science and Global Security, Georgetown University. In my opinion, Professor Lotrionte's work in her field of international law and global security is among the very best in the world today.

[216] US Department of Defense, "Department of Defense Strategy for Operating in Cyberspace," July 2011. ("Active cyber defense is DoD's synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities. It builds on traditional approaches of defending DoD networks and systems, supplementing best practices with new operating concepts. It operates at network speed using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems. As intrusions may not always be stopped at the network boundary, DoD will continue to operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on DoD networks.")

[217] National Research Council, Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities, 1011 (2009), pp. 246.

[218] Martin C. Libicki, Cyberdeterrence and Cyberwar (Rand Publishing), p. 39; Greg J. Rattray, Strategic Warfare in Cyberspace (MIT Press), p. 77.

[219] Christopher M. Petras, "The use of force in response to cyber-attack on commercial space systems-reexamining 'self-defense' in outer space in light of the convergence of US military and commercial space activities," Journal of Air Law and Commerce 67, no. 4 (Fall 2002): 1213-1263, 1224.

[220] Maura Conway, "Terrorism and the Internet: New Media-New Threat," Parliamentary Affairs 59(2) (2006): 283-298, 295.

[221] The White House, Fact Sheet On National Space Policy Review, National Security Presidential Directive/NSPD-15, June 28, 2002, p. 1.

[222] US Department of Defense, Department of Defense Directive 3100.10, Space Policy, July 9, 1999, pp. 6-7. This document may be found at the Washington Headquarters Services website at

[223] US Department of Defense, 2010 Quadrennial Defense Review, p. ix.

[224] US Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011.

[225] Bruce Hoffman, "The Use of the Internet by Islamic Extremists," Testimony presented to the House Permanent Select Committee on Intelligence on May 4, 2006, Santa Monica, CA: RAND, 2006; David A. Fulghum, "Digits of Doom," Aviation Week & Space Technology 167, no. 12, September 24, 2007.

[226] Ellen Nakashima, "List of cyber-weapons developed by Pentagon to streamline computer warfare," Washington Post, May 31, 2011.

[227] P. D. Allen, "The Palestinian-Israeli Cyber War," Military Review (March-April 2003): 52-59, 52.

[228] National Security Act of 1947, 50 U.S.C. section 413(b)(e)(2006).

[229] Id. section 413b(e)(1).


[230] Id. section 413b(e)(2) (this does not preclude the NSA from being the sole agency responsible for a cyber covert action).

Cyber Active Defenses as Covert Action Under International Law

At times states have determined that, when faced with an aggressive adversary, overt military engagement against the adversary would not be the best, most effective, or appropriate means to counter the threat. If diplomatic efforts have failed and military engagement is ruled out, covert measures may provide policymakers with a third option that would be legally justified and effective in countering the threat and protecting national security. If, for example, the United States was the victim of ongoing cyber attacks from a foreign adversary, and the president determined that the attacks were of such a scope, duration, or intensity that the country needed to act in self-defense, he could authorize the use of covert action to neutralize the threat. This would be done without initiating overt military hostilities against the adversary. Such offensive measures conducted during a time of peace (i.e., no acknowledged armed conflict) would be justified under a self-defense argument under Article 51 of the UN Charter.

According to press reports, the US government may have already considered the use of "preemptive cyber-strikes" designed under certain circumstances to knock out adversaries' computer systems and networks that are perceived as hostile.[243] In 2009 the Stuxnet worm that targeted Iranian nuclear facilities and caused the shutdown of 1,000 centrifuges at Iran's Natanz nuclear fuel enrichment plant may be the most recent and controversial example of a defensive "preemptive cyber-strike" against a perceived threat. The legality of the use of the Stuxnet worm that targeted the SCADA systems of Iran would depend on the factual basis for the justification to use force against Iran, and whether the use of the Stuxnet worm (i.e., its consequences) was proportionate to the threat. Knowing the consequences of a cyber strike in advance to assess proportionality may be challenging because of the high interconnectedness of information systems, which can make the indirect secondary or tertiary effects of cyber attacks more consequential than the direct ones.[244]

Looking beyond the legal analysis of the Stuxnet worm to its cumulative effect, it clearly sent a signal to Iran that its development of nuclear weapons is perceived as an aggressive action that is not condoned. Importantly, the Stuxnet worm was a covert defensive step, avoiding the need to use military force against a nuclear plant and potentially escalating conflict. As former NSA General Counsel Stewart Baker stated, "It's the first time we've actually seen a weapon created by a state to achieve a goal that you would otherwise have used multiple cruise missiles to achieve."[245] Furthermore, where the factual basis for asserting a violation of Article 2(4) and justifying self-defense against cyber attacks may be subject to uncertainty, debate, and lack of verifiability, states may find it more effective to act in self-defense in a covert manner, avoiding the challenges of publicly defending their actions.

There are some basic principles we can devise about the legality of cyber covert action. First, the international laws related to the recourse to the use of force and the UN Charter apply to covert action in cyberspace (regardless of which US government entity is conducting the covert action). Second, the laws of armed conflict, which regulate the manner in which hostilities can legally be waged, also apply to any US covert action involving the use of cyber attacks during armed conflict. During an acknowledged armed conflict, the laws and customs of armed conflict would govern cyber covert action: military necessity, proportionality, distinction, discrimination, chivalry. In other circumstances, where a cyber covert action was conducted in less than acknowledged armed conflict, the legal status of a cyber attack would be judged primarily by its effects, regardless of the means or which entity conducted the action. This assessment would be based on the criteria set forth by the UN Charter.

[243] Ellen Nakashima, "US Eyes Preemptive Cyber-Defense Strategy," Washington Post, August 29, 2010, A15.

[244] Ellen Nakashima, "The Dismantling of Saudi-CIA Web Site Illustrates Need for Clearer Cyberwar Policies," Washington Post, March 19, 2010.

[245] Christopher Dickey et al., "The Shadow War," Newsweek, December 20, 2010, p. 28, p. 31 (quoting Stewart Baker).

Cyber Attacks Under International Law: Nonstate Actors

International law presumes that armed conflict is initiated only at the direction of governments and not by private groups or individuals. Governments are the entities that maintain armed forces to participate in armed conflict, and those forces remain under the control and direction of the government. In the age of the Internet, however, nonstate actors such as "hacktivists" or patriotic hackers have complicated the legal landscape. During times of conflict or political tension between states, some members of a state's citizenry may be motivated to support the country's war effort or political position by taking direct action. Hacktivists or patriotic hackers are private citizens skilled in cyber attack capabilities who can, on their own, initiate a cyber attack against another state. They can do this without the consent, direction, or control of the state's government. There have been incidents, however, where it is suspected that hacktivists were encouraged and assisted by the state. For example, when Estonia was subject to "denial of service" attacks in 2007 that disrupted government and commercial functions for weeks, evidence linked the Russian government to the attacks. The Russian government, however, denied any involvement, even though the evidence suggested that the Russian government may have encouraged "patriotic hackers" to conduct the attacks.[246] There are also reports that China is similarly relying on unofficial, semi-private hackers to carry out cyber attacks, while the government denies its involvement. According to Verisign's iDefense lab, which investigated the attacks against Google in 2010, the IP addresses of the attack "correspond to a single foreign entity consisting either of agents of Chinese state or proxies thereof."[247]

Under international law, if patriotic hackers carry out a cyber attack against another state that rises to the level of an "armed attack," the victim state has the legal right, acting in self-defense, to use force against those hackers located within the state. In 1980 the International Court of Justice in the US v. Iran case held that the actions of a state's citizens can be attributed to the government if the citizens "acted on behalf on [sic] the State, having been charged by some competent organ of the Iranian State to carry out a specific operation."[248] The court also found that the Iranian government was responsible because it was aware of its obligations under international law to protect the US Embassy and its staff, knew of the Embassy's need for help, had the means to assist the Embassy, and failed to comply with its obligations.

Proving a link among nonstate actors, hacktivists, and the government may be difficult, impossible, or take too long to confirm in order for legal authority to take swift action. Under such circumstances, states may choose to exercise the right of self-defense in a covert manner, carrying out counter cyber measures directly or through other parties. Depending on the circumstances, a state may choose to carry out the covert action on its own through its intelligence or military forces, or it may choose an indirect avenue of having surrogates conduct the covert action. Delegating the right to others to act in a state's self-defense has benefits as well as costs, and it ought to be considered carefully by policymakers. During the Cold War, for example, surrogate forces waged the major battles between the superpowers.

International law and state practice have established a state's right of active defense against those states that conduct cyber attacks directly or wage their cyber attacks through loose affiliates or proxies. As of today, the United States does not have a clear strategy for active defense in response to states that pursue aggressive cyber attacks against it. A credible counter proxy strategy needs to be constructed to signal to those states that use cyber proxies against the United States that doing so will not be without consequences. Such a signal could help to deter these states in their aggressive cyber actions.

A credible active defense strategy that incorporated counter proxy measures would likely need to have an overt as well as a covert component. The overt component would relate to extending political, moral, and diplomatic support to the elements of those states that struggle against the regimes. The covert component, likely never to be discussed publicly, would be integral to the success of preventing and deterring states from using cyber attacks to harm US national security. Legally justified as self-defense under the UN Charter and customary international law, the covert component would also need to be executed in a manner proportionate to the threat.

[246] Charles Clover, "Kremlin-Backed Group Behind Estonia Cyber Blitz," Financial Times, March 11, 2009, p. 8.

[247] Tania Branigan and Kevin Anderson, "Google Attacks Traced Back to China, Says US Internet Security Firm," The Guardian, January 14, 2010.

[248] United States Diplomatic and Consular Staff in Tehran (US v. Iran), International Court of Justice 3 (May 24, 1980), 29. The issue of state responsibility for nonstate actors was also an issue in the ICJ Nicaragua litigation, where the court concluded that in order for the actions of the nonstate actors to be attributable to the state, the state had to have "effective control" over the nonstate actors. More recently, in the Prosecutor v. Tadic case, the international tribunal held that a foreign state's overall control, rather than effective control, of a nonstate military organization may render that state responsible for acts of the organization. Prosecutor v. Tadic, Case No. IT-94-1-A, Judgment on Appeal, pp. 115-162 (International Criminal Tribunal for the Former Yugoslavia, July 15, 1999).
