27 December 2014

No rules of cyber war

12/23/14
U.S. in uncharted waters with ‘proportionate response’ on hack attacks.

A day after a nine-hour Internet outage in North Korea, experts are still debating whether the U.S. government pulled the plug, or perhaps a rogue group of hackers.

But whether or not the U.S. was behind the downing, President Barack Obama’s promise of an American response to the apparent hacking of Sony databases by North Korea has Washington squarely confronting a new national security reality that has been the subject of mostly abstract debate for more than a decade.

And many experts say the U.S. wasn’t ready for theory to become reality.

“Unlike plans for possible conventional military attacks in hotspots, the U.S. doesn’t have off-the-shelf response plans for cyberattacks of this sort,” said Matthew Waxman, a former senior State and Defense Department official now at Columbia University Law School.

“The legal authorities, bureaucratic responsibilities and other things are still being worked out inside the U.S. government,” Waxman said — adding that the problem is compounded by the variety and uncertainty of the cyberthreat.

With limited experience to draw from — the Sony attack has no clear precedent — administration officials have struggled to define different kinds of cyberattacks and how to respond to them. International law and the laws of war offer only partial guidance, experts say. And strategic thinking about how to punish a hacker without inviting an even more damaging response is still evolving.

“We don’t have the norms, the rules of engagement, the rules of the road for how we and other countries should operate in this space,” said Gen. Keith Alexander, former director of the National Security Agency and head of U.S. Cyber Command.

Top U.S. officials have warned for years that the nation is unready for a major cyberattack. Then-Defense Secretary Leon Panetta said in late 2012 that the U.S. faced the possibility of a “cyber Pearl Harbor” at the hands of foreign attackers.

Anticipating the day when a response might be necessary, the Obama administration has moved swiftly to increase its cyber capabilities. The Pentagon is increasing its staffing in the area by a factor of five, to 5,000 employees. As the military’s overall budget has been reduced, funding for cyber operations has grown, to more than $5 billion per year.

In October 2012, Obama signed a new presidential directive ordering U.S. intelligence officials to draw up a target list for cyberattacks. The 18-page document, officially known as Presidential Policy Directive 20, said that cyberattacks can advance U.S. security objectives “with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”

The document was among the thousands leaked in 2013 by former NSA contractor Edward Snowden — and North Korea took note of it at the time: “This means that the U.S. is ready to mount a fierce cyberattack on anyone going against the grain with it any moment,” wrote the state-controlled North Korean newspaper Minju Chosun.

The U.S. has already demonstrated a “first-strike” cyber capability, in the form of the Stuxnet virus unleashed on Iran’s nuclear program several years ago. The virus sabotaged centrifuges enriching uranium that Iran might use for a nuclear weapon.

But officials and cyber and national security experts are still debating how to define different kinds of cyberattacks and how to gauge the kind of “proportional response” the White House said last week is appropriate. Many Republicans, for instance, were upset when Obama described the Sony hack during a CNN interview on Sunday as an act of “cyber vandalism.”

“It’s more than vandalism. It’s a new form of warfare,” Sen. John McCain (R-Ariz.) later complained to the network.

But the former administration official said Obama is right to tread carefully before targeting North Korean leader Kim Jong Un.

“The president is taking a step back and saying, ‘Let’s think about this,’” said Alexander, who left government in March.

U.S. officials faced a similar dilemma a couple of years ago — although without the publicity surrounding a major Hollywood studio, the story attracted comparatively little attention.

In mid-2012, the websites of several major U.S. banks were disrupted in what some U.S. officials concluded was a hacking effort orchestrated by Iran in response to economic sanctions over the country’s nuclear program. Mitigating the attacks reportedly cost institutions like Bank of America and JPMorgan Chase tens of millions of dollars.

The Obama administration decided not to retaliate directly against Iran, according to officials cited in an April 2013 Washington Post account. Instead, it appealed to more than 120 other countries in which the hackers had hijacked computer servers, and asked those governments to choke off the attacks.

Iran denied responsibility for the assault, which eventually abated.

Waxman noted that the Obama administration has long said it wants to help develop international norms governing cyberspace — drawing lines to establish what constitutes hostile conduct and how it might be punished by the international community. “This [Sony] case and the U.S. response will be an important part of that,” Waxman said.

But before deciding whether and how to respond to a cyberattack, U.S. officials first have to be sure of its origin. Unfortunately, fingerprinting a computer attack isn’t much easier than categorizing its nature.

While the FBI has publicly fingered North Korea for the assault on Sony that led the company to postpone the release of “The Interview,” some cyber experts remain skeptical. (On Tuesday, Sony said the movie will get a limited release in theaters willing to show it.)

Jack Goldsmith, a senior Bush administration lawyer now at Harvard Law School, wrote on the blog Lawfare last week that the FBI’s evidence appears flimsy.

“One hears a lot in cybersecurity circles that the government has ‘solved’ the attribution problem. The evidence presented [by the FBI] shows why it has not come close to solving it,” Goldsmith wrote.

Obama officials also fret about slow progress in the realm of prevention.

When Congress adjourned for the year, it left unfinished cybersecurity legislation that many experts say is critically needed to improve coordination between the federal government and the private sector to identify and defend against cyberattacks.

But officials say the uproar following Snowden’s leaks of NSA surveillance activity dealt a blow to their efforts to make America’s computer networks more secure. What the Obama administration called prudent information-sharing about Internet activity, privacy and civil liberties advocates called a new effort to snoop on citizens.

Part of the problem is simple psychology, experts say. Documents dumped by the Sony hackers revealed weak passwords and other careless security measures at the company.

In September remarks, the White House’s cybersecurity coordinator, Michael Daniel, said that many cyber vulnerabilities could be plugged easily — but aren’t, because people still don’t take the threat seriously enough.

“We haven’t fully confronted cybersecurity as a human behavior and motivation problem as opposed to a technical problem,” Daniel said.

Whoever is responsible for it, the Sony hack may already be changing that mind-set.
