New rules of engagement for cyber operations are being delayed by a debate over the role of the U.S. military in defending non-military networks. The current rules were enacted in 2005. (Jim Watson / AFP via Getty Images)
Despite the ongoing concern about the escalating pace of cyber attacks, a new set of standing rules of engagement for cyber operations — policy guidelines that would specify how the Pentagon would respond to different types of cyber attacks — is being delayed by a debate over the role of the U.S. military in defending non-military networks, sources said.
The new policy, in the works for years and set to be completed in the next several months, according to Defense Department officials, is meant to update rules put in place in 2005. Those rules were of a limited scope, specifying a response to attacks against only military and government networks.
This time, the department is looking for more latitude as it considers how to defend critical infrastructure and private corporations, with the division of responsibility between DoD and the Department of Homeland Security (DHS) contested.
“This is a turf war,” said James Cartwright, the retired U.S. Marine Corps general who stepped down as vice chairman of the Joint Chiefs of Staff in August.
Cartwright, now with the Center for Strategic and International Studies, a Washington think tank, said the debate boils down to concern over how well DHS is defending the public, and whether DoD needs to step in.
“The Constitution doesn’t allow for idiocy,” he said. “You either make DHS do their job or you find another way.”
The idea of DoD, in the form of U.S. Cyber Command (CYBERCOM), assisting when it comes to attacks against private entities runs into potential legal problems, said Dale Meyerrose, former associate director of National Intelligence and founder of the Meyerrose Group.
“It’s against the law,” he said. “We sometimes forget that the United States military does not protect the United States except in a very gross aggregate sense. The United States military does not operate within the borders of the United States. What they’re calling for is a redefinition of that role.”
Meyerrose encountered some of these legal limitations roughly 15 years ago when he was still in the military, and he tried to lend advice to private companies experiencing attacks.
“Some very well-known commercial entities started having problems with distributed denial of service attacks, and so they were calling me, and I was offering them ideas about what to do and how to fix it,” Meyerrose said. “I got called in by the legal folks who said, ‘You are to cease and desist.’”
Meyerrose said that concern about his position as a flag officer drove the conversation.
“I was just answering the phone and talking to friends,” he said. “I was told in no uncertain terms that as a senior military official, I was not to engage in things that affected domestic commerce.”
The conversation now revolves around capability versus legal role, Meyerrose said. “Do you want the agency that you think ought to be responsible, or do you want the agency that you think is best capable of dealing with the situation? And those are two different answers.”
In a November report to Congress, DoD cited the need for cooperation as part of the impetus behind the creation of the new rules.
“As it continues to build and develop its cyber capabilities and organizational structures, the Department is addressing operational needs by modifying its standing rules of engagement for commanders to enable required decisions and take appropriate actions to defend critical information networks and systems,” the report said. “The Department will support domestic agencies and departments, using its significant capability and expertise in support of a whole-of-government approach to protect the Nation.”
In debating cyber legislation, members of both houses of Congress have posed the question of where the development of the policy stands to Army Gen. Keith Alexander, commander of CYBERCOM and director of the National Security Agency (NSA).
Discussion of the division of authorities has been heated, with Sens. Joseph Lieberman, I-Conn., and Susan Collins, R-Maine, among those presenting legislation that would create an information-sharing office under DHS as part of an effort to concentrate authority in the agency.
The bill is facing opposition from Republicans, led by Sen. John McCain, R-Ariz., who say the NSA and DoD are better equipped to deal with cyber threats. Other bills of a more limited nature are also being debated, although none appear likely to pass both houses.
“These revised standing rules of engagement should give us authorities we need to maximize preauthorization of defense responses and empower activity at the lowest level,” Alexander said March 27 in testimony before the Senate Armed Services Committee. “Issues being ironed out are what specific set of authorities we will receive, conditions in which we can conduct response actions, and we suspect those will be done in the next few months.
“The DoD’s role in defense against cyber attacks … requires coordination with several key government players, notably DHS, the FBI, the intelligence community,” he said.
Alexander noted the DoD has responsibility for foreign threats, and that the new rules would help the department defend the U.S. against those threats.
“Inside the United States, that’s where I think DHS has the lead,” he said. “They don’t in terms of the foreign and the things coming in. That’s where you’d want us to have the lead.”
Meyerrose said those kinds of divisions are nearly impossible.
“This is where cyberspace is blurring the traditional divisions of the United States government and the world as we know it,” he said. “In cyberspace, there is no hard line between what is international and what is domestic. There’s no hard line between what is government and what is private. There’s no hard line between what is military and what is civilian.”
While Cartwright said he doesn’t agree with extending DoD authority, he pointed to ways the DoD could more effectively deter attacks. Mainly, Cartwright said the U.S. needs to display its commitment to cyberspace in a public manner.
“I have to be acquiring and training so that you know I’m serious, then incorporate it into everything you say,” he said. “I don’t believe we in the United States are taking advantage of what we could be communicating. We [need to] draw a line that we believe is reasonable, but first you put in place the elements of deterrence.”
In all likelihood, that deterrence will require some demonstration of U.S. attack power, Cartwright said: “At some point, they’re going to have to do something that’s illustrative, and then communicate.”
He said drawing a line now would be difficult, as the general level of security in the U.S. would need to be improved. “If you’re stupid enough to put your intellectual capital on an open network, it’s not their fault if something gets stolen,” he said.
First, the U.S. must improve its cybersecurity, Cartwright said. “Then when they’re attacked, I’m much more comfortable going after them.”