28 February 2016

* The making of America's cyberweapons

http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0224/The-making-of-America-s-cyberweapons?cmpid=ema:nws:Weekly%2520Newsletter%2520%2802-27-2016%29&utm_source=Sailthru&utm_medium=email&utm_campaign=20160227_Newsletter:%20Weekender&utm_term=Weekend_Best_of_Web
SHIFT IN THOUGHT
Since Internet adoption accelerated in the 1990s, the US has proven it can successfully strike adversaries online, but in doing so we've ushered in a dangerous – and unpredictable – new military era.
By Michael V. Hayden, Contributor FEBRUARY 24, 2016
America hasn't militarized the cyberdomain more than other nations. But we certainly threw plenty of resources into our efforts and our natural tendencies toward transparency – and how we talk about defending cyberspace – have opened us up to charges that we have indeed militarized the digital world.
An example: The seminal American thought piece on cyber wasn't written by the deputy attorney general, deputy secretary of State, deputy secretary of Commerce, or even by the president's science adviser. The deputy secretary of Defense wrote it. People outside this country notice things like that.
In 2010, Bill Lynn wrote in Foreign Affairs that, "As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare. Although cyberspace is a man-made domain, it has become just as critical to military operations as land, sea, air, and space. As such, the military must be able to defend and operate within it."
It was as if Mr. Lynn had copied the notes from our discussions in the mid-1990s at my first cyber-related command in Texas.

The ideas we developed then and there eventually gained traction in the Department of Defense. In retrospect, however, we didn't appreciate that there was an entire generation growing up at that time believing that cyberspace was a global commons, a pristine playground, and not a potential zone of conflict among powerful nation-states. The debate over those competing archetypes continues today.

The digital Eden fallacy

Several years after I had left government, I was sitting in front of a Skype screen in Colorado arguing via video link with author Jim Bamford, who has made a living writing unauthorized books about the National Security Agency, where I was the director from 1999 to 2005. One of my distant NSA predecessors, Lt. Gen. Lincoln Faurer, wanted to have him arrested over his first opus, "The Puzzle Palace," when it hit bookshelves in 1982.
The Skype debate was for a TV trade audience in Beverly Hills organized by PBS, which at the time was hyping an upcoming NOVA special on NSA. Mr. Bamford was a coproducer and was arguing that America had tragically militarized the cyberdomain through actions such as the Stuxnet worm, which he described as an American cyberattack on the Iranian nuclear facility at Natanz. America's intemperate behavior, he claimed, had legitimated an Iranian attack against the giant oil company Saudi Aramco and against American banks. The Internet was now a free fire zone and it was our fault.

I responded by defaulting to the "land, sea, air, space, cyber" construct. "The cyberdomain wasn't the only global commons on the list," I said. "The maritime domain had been such for eons. And no one objected to the existence of navies. In fact, a good case could be made that navies were essential to keeping that commons common."

I could have added that the cyberdomain had never been a digital Eden. It was always Mogadishu. The president of Estonia, Toomas Hendrik Ilves, knows something about this. His country's Internet collapsed in 2007 under attack by "patriotic Russian hackers" (read criminal gangs repaying a debt to the Russian state for the freedom of action they enjoy there) after Tallinn tried to move a Red Army memorial from downtown to the suburbs.

President Ilves has a wonderful way of capturing all this. He says that, lacking a Lockean social contract in the cyberdomain, what we have is an almost purely Hobbesian universe, a universe where Hobbes' description of ungoverned life as "poor, nasty, brutish, and short" really applies. There is simply no rule of law there.

The US government agrees about the danger. In January 2005, it stood up Joint Functional Component Command-Net Warfare, or JFCC-NW, which was essentially the nation’s computer network attack force to defend itself in this Hobbesian world.

I was the first commander of JFCC-NW but didn't stay very long. A month later, the president announced my nomination as the first principal deputy director of National Intelligence and I was confirmed by the Senate for that job in late April.

Even as I left, though, I could see that we now had a structure to go along with the vision we had been nurturing since the 1990s: A defensive center in the NSA Threat Operations Center (NTOC), an ongoing espionage enterprise in NSA’s Tailored Access Operations (TAO), and an offensive arm in JFCC-NW. All were big, thriving enterprises set up in about a decade – the speed of light by Washington standards.

We also had a vote of confidence from the Joint Chiefs and enough promise that Congress swallowed some unusual command relationships. All we needed were some real weapons.

The evolution of cyberweapons

Despite the cyberdomain’s tilt toward the offense, this is still hard work. To attack a target, you first have to penetrate it. Access bought with months if not years of effort can be lost with a casual upgrade of the targeted system, not even one designed to improve defenses, but merely an administrative upgrade from something 2.0 to something 3.0.

Once in, you need a tailored tool to create the desired effects. Very often this has to be a handcrafted tool for the specific target. It is not the same as cranking out 500 pound bombs and putting them on the shelf with their laser guidance kits.

A lot of the weapons in our toolbox were harvested in the wild from the Web. Tools with a Web history would make attribution an even more difficult challenge if they were ever used. But some of those exploits could be pretty ugly, so they had to be modified to meet our operational and legal requirements.

What we wanted were weapons that met the standards of the laws of armed conflict – weapons that reflected the enduring principles of necessity, distinction, and proportionality.

First, they had to produce an effect that was predictable and responsive to a genuine military need. I'm not talking about pounding bank websites with massive distributed denial of service, or DDoS, attacks like the Iranians did to US banks in 2012. I mean disabling an air defense system – which the Israelis were alleged to have done in 2007 while destroying a Syrian nuclear reactor.

And even when the effects were predictable and legitimate, policymakers wanted to know if you could limit them to the intended target – which is the distinction part – and, to the degree you could not, if the desired effect justified the collateral damage, which is where proportionality comes in.

These are time-honored, universal principles for any war-maker with a conscience. But in physical space, there was often a century or more of experience to fall back on. You'd consider what a high-explosive warhead would do when it hit at a particular angle and against a particular target. But that calculus hadn't yet been developed when considering the damage from a cyberweapon.

In concrete terms, the dialogue in the Situation Room began with the National Security Advisor asking something like this:

"So, you're saying that you can disrupt the power supply to this key military facility."

"Yes, sir, and through persistent attacks keep it down."

"Good. Now what else is on that net?"

"Well, sir, we think we can keep the effects confined to a pretty small physical area."

"How small?"

"Probably 30-40 square miles."

"Worst case, how many hospitals in that area?"

"Worst case, four. Maybe five."

"Do they all have UPS [uninterruptible power supply]?"

"We're working that now."

The National Security Advisor pauses, reflects, and then moves on by saying, "OK. Get back to me. We'll take this up again next time."

And the next time and the next time and the next time.

These kinds of meetings invariably take place in the Situation Room – not in the Pentagon or at Langley or at some combatant command headquarters. From their inception, cyberweapons have been viewed as "special weapons," not unlike nuclear devices of an earlier time.

But these weapons are not well understood by the kind of people who get to sit in on meetings in the West Wing and as of yet there has not been a Herman Kahn, the famed military strategist who worked at Rand Corp., to explain things to them.

First, there's the technical challenge. I recall one cyberoperation while I was in government that went awry, at least from my point of view. In hindsight, it was clear that no one at the final approval session had left the Situation Room thinking they had approved the same operation.

Beyond complexity, developing policy for cyberops is hampered by excessive secrecy (even for an intelligence veteran). I can think of no other family of weapons so anchored in the espionage services for their development (except perhaps armed drones). And the habitual secrecy of the intelligence services bled over into cyberops in a way that has retarded the development – or at least the policy integration – of digital combat power. It is difficult to develop consensus views on things that are largely unknown or only rarely discussed by a select few.

Technical challenges and policy ambiguities, however, did little to dim the spirit of cyber enthusiasts. We were like Airpower enthusiasts before World War II: "The bomber will always get through!" Like them, for a long time we were long on theory and short on practical success.

Even so, in 2004 and 2005, we had largely been spray painting virtual graffiti on digital subway cars. We could harass but we weren't decisive. An effort before the invasion of Iraq to e-mail Iraqi officials warning them of their fate and suggesting alternative courses of action did little more than annoy them. In another operation, we made Slobodan Milosevic’s phone ring incessantly, but there is no evidence that it shortened any aspect of the Balkan conflict.
