The Defense Department is close to completing a version of the rules of engagement that will clarify how troops operating in cyberspace may respond to threats, cyber espionage and attacks, according to military and cybersecurity experts.
The rules would allow troops to identify threats and ensure senior leaders share information quickly and take action, if necessary, Gen. Keith Alexander, the top officer at Cyber Command, has said.
Pentagon officials have been more public about U.S. Cyber Command’s efforts in recent months. The military is creating a series of cyber teams, 13 focused on offense — when directed by the White House — and an additional 27 to support the military’s war-fighting commands and domestic security organizations, according to Alexander.
The standing rules, which are being updated for the first time since 2005, cover the physical war-fighting domains as well as cyberspace, according to Pentagon spokesman Lt. Col. Damien Pickart. Once released, they will not be made public.
The rules would establish a framework of legally permissible responses for U.S. troops operating in cyberspace, a new war-fighting domain defined by rapidly changing technology, adversaries whose identities are often unclear and knotty legal questions.
“The technology always outpaces the policy and the [tactics, techniques and procedures],” said Jeff Moulton, a researcher with the Georgia Tech Research Institute. “It’s clear as mud in the cyber world because there are so many variables that you don’t know.”
The cyber teams operating under those rules will be assigned to the joint geographic and nongeographic combatant commands, such as U.S. Strategic Command and U.S. Transportation Command, according to an Army official. Soldiers in newly created military occupational specialties related to cyber will be part of these teams.
The rules would reduce the need for an operational unit to consult an attorney before taking action, the official said. Troops will be able to react to threats quickly without asking for permission at every step.
“You want rules of engagement so you don’t have to go back and say, ‘Mother may I,’” the Army official said.
The rules would allow troops to conduct reconnaissance and counterreconnaissance, and offer more flexibility to identify threats and mitigate attacks, the official said.
Without rules of engagement, commanders have no idea what they are permitted to do, and with them, they have some autonomy, said Paul Rosenzweig, founder of Red Branch Consulting, who advises The Chertoff Group, a security and risk-management firm. Rosenzweig is a former deputy assistant secretary for policy in the Department of Homeland Security and former acting assistant secretary for international affairs.
“You have two modes, button-down with pre-programmed responses, and the ones where you need authority to begin the action — where you need to push the button to go,” Rosenzweig said.
It is not as though the military is paralyzed against cyber attacks today. The Defense Department is responsible for defending the nation’s critical infrastructure from an attack, supporting its combatant commands in their operations in planning, and defending its networks and other networks, “as authorized,” according to Alexander’s congressional testimony in March.
Cyber Command’s operating concept calls for it to recognize when an adversary is attacking, block malicious traffic that threatens its networks and data, and then maneuver in cyberspace to block and deter new threats. Alexander was asked how Cyber Command would respond to an attack on critical infrastructure.
“Right now, those decisions would rest with the president, the secretary [of defense],” Alexander responded. “And they would tell us to execute. I think as we go down the road, we’re going to have to look at what are the things that you would automatically do. Think of this as the missile defense, but missiles in real time.”
New ‘space race’
Though a draft of the rules is said to be nearly done, it is unclear when it will be issued. In Alexander’s testimony this month, he said the Defense Department, the White House and interagency partners would finish setting up the rules within months. In congressional testimony a year earlier, he said roughly the same thing.
Time is of the essence. The last update to the Defense Department’s standing rules of engagement came in 2005, and in about seven years, computing power has advanced by a factor of 16, Rosenzweig said.
“We’re rushing to militarize the space,” he said. “We’re kind of like where we were with the space race with the Russians and Sputnik.”
In this case, the main adversary appears to be China. A Chinese People’s Liberation Army-run hacking group out of Shanghai is said to have unleashed countless attacks on U.S. companies and government agencies over the past few years. A recent report by Mandiant, a cybersecurity firm, exposed the group, although Chinese officials have denied government-sponsored attacks.
“To a large extent the war we are in with the Chinese is not a war, it’s an espionage game, and that’s OK because we know how to deal with that,” Rosenzweig said. “If we keep ourselves there, we’ll get to a stable solution.”
There is cloudiness over this issue that raises questions of national security law. As the Defense Department creates its rules of engagement, it must grapple with the separate legal authorities for the country’s armed forces and its intelligence operations.
“In the conventional world, these are defined, but [in] the virtual battle space, there’s serious blurring,” said Moulton. “The laws on the books are not necessarily congruent with the things we want to do or need to do to protect the nation, protect our critical infrastructure and conduct conflict.”
The Pentagon is grappling with how much autonomy to give local combatant commanders and how much needs to be controlled by higher-level commanders in the United States.
If a commander in Maryland pulls an “electronic trigger” at the wrong time, it might leave soldiers on the battlefield vulnerable, but a commander without broader visibility might trigger second- and third-order effects outside his area of responsibility, Moulton said.
“What if we did something in the Pacific, we didn’t understand the network topology and we knocked granny off a dialysis machine in the Netherlands?” Moulton said.
A Government Accountability Office report in 2011 found that under the DoD standing rules of engagement, authorities needed to be better coordinated, particularly in geographic combatant commands. In at least one incident, overlapping authorities led to “uncoordinated, conflicting and unsynchronized guidance,” the GAO says in its report.
When the Defense Department launched a malware eradication effort in 2008, Strategic Command “identified confusion regarding command and control authorities and chains of command because the exploited network fell under the purview of both U.S. Strategic Command, military services, and a geographic combatant command.”
When fighting back, what response is the right response? A NATO think tank recently released a new manual for cyberwarfare that, for example, differentiates between a cyber operation that has kinetic effects and cyber espionage, which does not qualify as an attack — an issue Alexander indicated is still unresolved.
“The issue that we’re weighing is, when does a nuisance become a real problem?” Alexander has said. “And when are you prepared to step in for that? And that’s the work that, I think, the administration is going through right now in highlighting that.”
The manual suggests “proportionate countermeasures” against state-sponsored cyber attacks are allowed, but countries should refrain from the use of force. If, for example, one country incapacitates a hydroelectric dam in a dispute over water resources, the other country is within its rights to target the offending country’s irrigation control system.
Cyber weapons, or system exploits, are usually single-use, Moulton said, because an adversary will act quickly to patch his system after it’s been disrupted. How should those cyber weapons be managed?
“It’s a disposable commodity, so using one in the Pacific combatant command may take an arrow out of the quiver of the European combatant commander,” Moulton said. “They’re a perishable asset, and they need a centralized management system.”
But who is attacking? The manual also highlights the thorny issue of attribution. It states that the fact that a cyber operation was launched from a government’s infrastructure is not proof that the state’s government launched the attack.
“Right now, there is an ambiguity in the attribution,” Rosenzweig said, “and our response is difficult.”
Staff writer James Sanborn and The Associated Press contributed to this report.