NEW YORK — The U.S. Defense Department is shifting its policy stance on cyber threats, hoping that the threat of offense can work as an effective defense.
In what DoD officials called the first major policy speech about cyber by a defense secretary, Leon Panetta outlined an aggressive agenda to prevent cyber attacks and repeatedly mentioned deterrence as an important mission for the department. He spoke Oct. 11 to an audience of veterans and business executives here at the Intrepid Sea, Air and Space Museum.
“Our mission is to defend the nation,” he said. “We defend. We deter. And if called upon, we take decisive action to defend our citizens.”
Two critical weaknesses had previously limited the U.S.’ ability to deter attackers: an inability to attribute attacks and therefore target aggressors, and a lack of tools to allow an aggressive response.
In recent weeks, defense officials have been quietly discussing improvements in attribution, some even terming the problem “solved,” sources said.
“The department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of that attack,” Panetta said. “Over the last two years, DoD has made significant investments in forensics to address this problem of attribution, and we’re seeing the returns on that investment. Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.”
Panetta said those advancements will prevent attacks.
“Our cyber adversaries will be far less likely to hit us if they know that we will be able to link them to the attack,” he said.
Finding the source of a cyber attack remains an issue. Attackers can launch attacks through infected computers that act as middlemen, in some cases chaining multiple compromised systems around the globe, which can make determining an original source difficult. One expert termed the administration’s descriptions of attribution advances as “posturing.”
Once targets are identified, the U.S. must be able to respond, and will, Panetta said. He referred both to offensive capabilities and to a willingness to act not only against attacks but also against threats of attacks.
“We won’t succeed in preventing a cyber attack through improved defenses alone,” he said. “If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president. For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”
Discussion of offensive cyber capabilities has remained hushed for more than a decade, with DoD only publicly acknowledging capability in the past couple of years. The existence of powerful offensive weapons became difficult to keep quiet after the New York Times disclosed the existence of the Olympic Games program in June. The program involved both the U.S. and Israel, and was behind various offensive tools used against Iranian uranium enrichment efforts, including “Stuxnet” and “Flame.”
One of the DoD officials named by the Times as a key figure behind Olympic Games was James Cartwright, the retired U.S. Marine Corps general who stepped down as vice chairman of the Joint Chiefs of Staff in August 2011. Cartwright, now with the CSIS, has been one of the more vocal advocates for a more aggressive deterrence stance.
In a May interview with Defense News, Cartwright described the need to publicly demonstrate both capability and willingness to use offensive weapons to protect the U.S.
“I don’t believe we in the United States are taking advantage of what we could be communicating,” he said. “We [need to] draw a line that we believe is reasonable, but first you put in place the elements of deterrence.”
Cartwright said the U.S. would need to respond to an attack with a public show of force to make deterrence viable.
“At some point, they’re going to have to do something that’s illustrative, and then communicate.”
In outlining the scope of the problem, Panetta described several recent attacks against energy companies in Qatar and Saudi Arabia, RasGas and Saudi Aramco, respectively. Both attacks were based on a variant of the “Shamoon” virus; the attack on Saudi Aramco disabled 30,000 computers. While the attacks have been reported in the media, DoD had not formally acknowledged them. Senior defense officials said the Pentagon has determined the source of the attacks, but would not disclose the details.
“These attacks mark a significant escalation of the cyber threat, and they have renewed concerns about still more destructive scenarios that could unfold,” Panetta said. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout this country.”
A senior defense official said the speech was an opportunity for Panetta to clarify the Pentagon’s position in the fight against cyber.
“That mission in this case is to defend the nation from cyber attacks,” the official said.
Offense as a Solution for Defense
The shift in policy stance comes during a heated debate in the cyber community over whether the continued problems that plague cyber defenses can be fixed. If systems cannot be adequately protected when attacks occur, then deterrence might be one of the only means available to prevent attack.
While many point to progress in cyber defense, experts have long noted that cyberspace provides an inherently asymmetrical threat that leaves defenders at a tremendous disadvantage. Attackers need only find one vulnerability to exploit, whereas defenders must protect large ungainly systems at every point of entry.
“Right now, offense has the advantage, and it seems that it’s going to have the advantage for some time,” said Peter Singer, a senior fellow at the Brookings Institution.
That disadvantage has to be corrected to ever truly fix cybersecurity deficiencies, said Jason Healey, a fellow with the Atlantic Council.
“In other domains of conflict, there is always a shift between defense and offense — just think of how the machine gun gave the advantage to defenders, only for it to shift back with the airplane and tank,” he wrote in an email. “This is what we need to fix, to use technology, norms, and law to globally shift defense to be superior to offense.”
Despite the obstacles, Army Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, said at a recent conference hosted at the Woodrow Wilson Center in Washington that the issues with protection are “solvable.”
“We’re never going to get rid of 100 percent; so when I say solvable, what I mean is we can mitigate most of the problems that we’re seeing on the network today,” Alexander said.
Singer agreed that the problem could be addressed, even if complete solutions are unlikely.
“The cyber threat is not going away, but it is something that if we organize ourselves well, implement needed defenses and standards on both the public and private side, and, most of all, just keep our heads about us, then it is quite manageable,” he said.
Singer said that an acceptance of a certain amount of disruption would also be important.
“Part of it may be developing a resilience, maybe it’s a psychological resistance,” he said. “You may come to the realization that, yeah, someone knocked out my power, but I lost power last week anyway. Big deal.”
But what may be hurting the U.S. more than anything else is a failure to organize effectively internationally.
The greatest threats that the U.S. faces come from nation-states that are developing potent weapons and capable attackers, yet international law is still significantly behind the times, Jeff Moulton, a cyber expert with the Georgia Tech Research Institute (GTRI), said.
“This is a problem space that knows no boundaries, so why does the United States think itself so superior that it can solve the world’s problems without the rest of the world involved?” he said.
Moulton said solving the problem of cyber attackers is likely impossible given the nature of cyberspace.
“We don’t have a chance to ever win the battle,” he said. “It’s like saying that you’re going to eliminate crimes. There will always be bad actors.”
Still, in an effort to garner international cooperation, GTRI is hosting a conference in Dublin, Ireland, in November that aims to produce a framework for international policy change, an important step, Moulton said.
“If we don’t have this as an agreed-upon international strategy, like human rights, it’s going to be screwed up,” he said.
Uncertainty regarding when systems have been attacked adds to the problem. Many companies simply don’t know that they’ve been compromised, said Richard Bejtlich, chief security officer at Mandiant.
“Just answering that question of how many compromised systems you have would be an immense step forward,” he said.
In addition to the new push for deterrence, Panetta emphasized that other actions to improve security conditions are critical. He said that new standing rules of engagement, in the works for years and promised several times by administration officials as being “imminent,” are being finalized. The new rules, paired with policy adjustments and investment of roughly $3 billion per year in cyber, have resulted in real operational capability, he said.
“These new rules make the department more agile and provide us with the ability to confront major threats quickly,” he said.
Panetta described an imminent threat and the need for action to conclude his speech.
“Before Sept. 11, 2001, the warning signs were there,” he said. “We weren’t organized. We weren’t ready. And we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment. The attackers are plotting. Our systems will never be impenetrable, just like our physical defenses are not perfect. But more can be done to improve them.”