Authors: Fred Kaplan
Dark Territory (36 page)
“The network connectivity that the United States has used to tremendous advantage, economically and militarily, over the past twenty years,” the report observed, “has made the country more vulnerable than ever to cyber attacks.” It was the same paradox that countless earlier commissions had observed.
The problem was basic and inescapable: the computer networks, the panelists wrote, were
“built on inherently insecure architectures.” The key word here was
inherently
.
It was the problem that Willis Ware had flagged nearly a half century earlier, in 1967, just before the rollout of the ARPANET: the very existence of a computer
network
âwhere multiple users could gain access to files and data online, from remote, unsecured locationsâcreated inherent vulnerabilities.
The danger, as the 2013 task force saw it, wasn't that someone would launch a cyber attack, out of the blue, on America's military machine or critical infrastructure. Rather, it was that cyber attacks would be an element of all future conflicts; and given the U.S. military's dependence
on computersâin everything from the GPS guidance systems in its missiles, to the communications systems in its command posts, to the power stations that generated its electricity, to the scheduling orders for resupplying the troops with ammunition, fuel, food, and waterâthere was no assurance that America would win this war.
“With present capabilities and technology,” the report stated, “it is not possible to defend with confidence against the most sophisticated cyber attacks.”
Great Wall defenses could be leapt over or maneuvered around. Instead, the report concluded, cyber security teams, civilian and military, should focus on
detection
and
resilience
âdesigning systems that could spot an attack early on and repair the damage swiftly.
More useful still would be figuring out ways to
deter
adversaries from attacking even in the most tempting situations.
This had been the great puzzle in the early days of nuclear weapons, when strategists realized that the atomic bomb and, later, the hydrogen bomb were more destructive than any war aim could justify. As Bernard Brodie, the first nuclear strategist, put it in a book called
The Absolute Weapon
, published just months after Hiroshima and Nagasaki,
“Thus far the chief purpose of our military establishment has been to win wars. From now on its chief purpose must be to avert them.” The way to do that, Brodie reasoned, was to protect the nuclear arsenal, so that, in the event of a Soviet first strike, the United States would have enough bombs surviving to “retaliate in kind.”
But what did that mean in modern cyberspace? The nations most widely seen as likely foes in such a warâRussia, China, North Korea, Iranâweren't plugged into the Internet to nearly the same extent as America. Retaliation in kind would inflict far less damage on those countries than the first strike had inflicted on America; therefore, the
prospect
of retaliation might not deter them from attacking. So what
was
the formula for cyber deterrence: threatening to respond to an attack by declaring all-out war, firing missiles and smart bombs, escalating to nuclear retaliation? Then what?
The fact was, no one in a position of power or high-level influence had thought this through.
Mike McConnell had pondered the question in the transition between the Bush and Obama presidencies, when he set up the Comprehensive National Cybersecurity Initiative. The CNCI set twelve tasks to accomplish in the ensuing few years: among other things, to install a common intrusion-detection system across all federal networks, boost the security of classified networks, define the U.S. government's role in protecting critical infrastructureâand there was this (No. 10 on the list):
“Define and develop enduring deterrence strategies and programs.”
Teams of aides and analysts were formed to work on the twelve projects. The team assigned to Task No. 10 came up short: a paper was written, but its ideas were too vague and abstract to be described as “strategies,” much less “programs.”
McConnell realized that the problem was too hard. The other tasks were hard, too, but in most of those cases, it was fairly clear
how
to get the job done; the trick was getting the crucial partiesâthe bureaucracies, Congress, and private industryâto do it. Figuring out cyber deterrence was a conceptual problem: which hackers were you trying to deter; what were you trying to deter them from doing; what penalties were you threatening to impose if they attacked anyway; and how would you make sure they wouldn't strike back harder in response? These were questions for policymakers, maybe political philosophers, not for midlevel aides on a task force.
The 2013 Defense Science Board report touched lightly on the question of cyber deterrence, citing parallels with the advent of the A-bomb at the end of World War II.
“It took decades,” the report noted, “to develop an understanding” of “the strategies to achieve stability with the Soviet Union.” Much of this understanding grew out of analyses and war-game exercises at the RAND Corporation, the Air Forceâsponsored think tank where civilian economists, physicists, and political scientistsâamong them Bernard Brodieâconceived
and tested new ideas. “Unfortunately,” the task force authors wrote, they “could find no evidence” that anyone, anywhere, was doing that sort of work “to better understand the large-scale cyber war.”
The first official effort to find some answers to these questions got underway two years later, on February 10, 2015, with the opening session of yet another Defense Science Board panel, this one called the Task Force on Cyber Deterrence. It would continue meeting in a highly secure chamber in the Pentagon for two days each month, through the end of the year. Its goal, according to the memo that created the panel, was
“to consider the requirements for effective deterrence of cyber attack against the United States and allies/partners.”
Its panelists included a familiar group of cyber veterans, among them Chris Inglis, deputy director of the NSA under Keith Alexander, now a professor of cyber studies at the U.S. Naval Academy in Annapolis, Maryland; Art Money, the former Pentagon official who guided U.S. policy on information warfare in the formative era of the late 1990s, now (and for the previous decade) chairman of the NSA advisory board; Melissa Hathaway, the former Booz Allen project manager who was brought into the Bush White House by Mike McConnell to run the Comprehensive National Cybersecurity Initiative, now the head of her own consulting firm; and Robert Butler, a former officer at the Air Force Information Warfare Center who'd helped run the first modern stab at information warfare, the campaign against Serbian president Slobodan Milosevic and his cronies. The chairman of the task force was James Miller, the undersecretary of defense for policy, who'd been working cyber issues in the Pentagon for more than fifteen years.
All of them were longtime inside players of an insiders-only game; and, judging from their presence, the Pentagon's permanent bureaucrats wanted to keep it that sort of game.
Meanwhile, the power and resources were concentrated at Fort Meade, where U.S. Cyber Command was amassing its regiments,
and drawing up battle plans, even though broad questions of policy and guidance had barely been posed, much less settled.
In 2011, when Robert Gates realized that the Department of Homeland Security would never be able to protect the nation's critical infrastructure from a cyber attack (and after his plan for a partnership between DHS and the NSA went up in smoke), he gave that responsibility to Cyber Command as well.
Cyber Command's original two core missions were more straightforward. The first, to support U.S. combatant commanders, meant going through their war plans and figuring out which targets could be destroyed by cyber means rather than by missiles, bullets, or bombs. The second mission, to protect Defense Department computer networks, was right up Fort Meade's alley: those networks had only eight points of access to the Internet; Cyber Command could sit on all of them, watching for intruders; and, of course, it had the political and legal authority to monitor, and roam inside, those networks, too.
But its third, new missionâdefending civilian critical infrastructureâwas another matter. The nation's financial institutions, power grids, transportation systems, waterworks, and so forth had thousands of access points to the Internetâno one knew precisely how many. And even if the NSA could somehow sit on those points, it lacked the legal authority to do so. Hence Obama's executive order, which relied on private industry to share information voluntarilyâan unlikely prospect, but the only one available.
It was a bitter irony. The growth of this entire fieldâcyber security, cyber espionage, cyber warâhad been triggered by concerns, thirty years earlier, about the vulnerability of critical infrastructure. Yet, after all the commissions, analyses, and directives, the problem seemed intractable.
Still, Keith Alexander not only accepted the new mission, he aggressively pushed for it; he'd helped Gates draft the directive that gave the mission to Cyber Command. To Alexander's mind, not
only did Homeland Security lack the resources to protect the nation, it had the wrong concept. It was trying to install intrusion-detection systems on all the networks, and there were just too many networks: they'd be impossible to monitor, and it would cost way too much to try. Besides, what could the DHS bureaucrats do if they detected a serious attack in motion?
The better approach, to Alexander's mind, was the one he knew best: to go on the offensiveâto get inside the adversary's networks in order to see him preparing an attack, then deflect it. This was the age-old concept of “active defense” or, in its cyber incarnation, CNE, Computer Network Exploitation, which, as NSA directors dating back to Ken Minihan and Mike Hayden knew well, was not much different from Computer Network Attack.
But Alexander advocated another course, too, a necessary supplement:
force
the banks and the other sectorsâor ply them with alluring incentivesâto share information about their hackers with the government: and by “government,” he meant the FBI and, through it, the NSA and Cyber Command. He decidedly did not mean the Department of Homeland Securityâthough, in deference to the White House, which had designated DHS as the lead agency on protecting critical infrastructure, he would say the department could act as the “router” that sent alerts to the other, more active agencies.
Alexander was insistent on this point. Most private companies refused to share information, not only because they lacked incentives but also because they feared lawsuits: some of that information would include personal data about employees and customers. In response, President Obama urged Congress to pass a bill exempting companies from liability if they shared data. But Alexander opposed the bill, because Obama's version of the bill would require them to share data with the Department of Homeland Security. Without telling the White House, Alexander lobbied his allies on Capitol Hill to amend or kill his commander-in-chief's initiative.
It was an impolitic move from someone who was usually a bit more adroit. First, the White House staff soon heard about his lobbying, which didn't endear him to the president, especially in the wake of the Snowden leaks, which were already cutting into the reserves of goodwill for Fort Meade. Second, it was self-defeating from a substantive angle: even with exemption from liability, companies were averse to giving private data to the governmentâall the more so if “government” was openly defined as the NSA.
The information-sharing bill was endangered, then, by an unlikely coalition of civil liberties advocates, who opposed sharing data with the government on principle, and NSA boosters, who opposed sharing it with any entity but Fort Meade.
So, the only coordinated defense left would be “active defense”âcyber offensive warfare.
That was the situation inherited by Admiral Michael Rogers, who replaced Alexander in April 2014. A career cryptologist, Rogers had run the Navy's Fleet Cyber Command, which was also based at Fort Meade, before taking over the NSA and U.S. Cyber Command. He was also the first naval officer to earn three stars (and now he had four stars) after rising through the ranks as a code-breaker. Shortly after taking the helm, he was asked, in an interview with the Pentagon's news service, how he would protect critical infrastructure from a cyber attackâCyber Command's third mission. He replied that the
“biggest focus” would be “to attempt to interdict the attack before it ever got to us”âin other words, to get inside the adversary's network, in order to see him prepare an attack, then to deflect or preempt it.
“Failing that,” Rogers went on, he would “probably” also “work directly with those critical infrastructure networks” that “could use stronger defensive capabilities.” But he knew this was backup, and flimsy backup at that, since neither Fort Meade nor the Pentagon could do much to bolster the private sector's defenses on its own.
In April 2015, the Obama administration endorsed the logic. In a thirty-three-page document titled
The Department of Defense Cyber Strategy
, signed by Ashton Carter, a former Harvard physicist, longtime Pentagon official, and now Obama's fourth secretary of defense, the same three missions were laid out in some detail: assisting the U.S. combatant commands, protecting Defense Department networks, and protecting critical infrastructure. To carry out this last mission, the document stated that,
“with other government agencies” (the standard euphemism for NSA), the Defense Department had developed “a range of options and methods for disrupting cyber attacks of significant consequence
before
they can have an impact.” And it added, in a passage more explicit than the usual allusions to the option of Computer Network Attack, “If directed, DoD should be able to use cyber operations to disrupt an adversary's command-and-control networks, military-related critical infrastructure, and weapons capabilities.”