WASHINGTON — Staying silent about cyber attacks isn’t working, so senior U.S. officials are trying a new tack: public posturing.
The U.S. national security apparatus, long hush-hush on its offensive cyber capabilities and resistant to naming China as the source of numerous cyber attacks and intrusions, is starting to become more open about what it can do in cyberspace, and who it might do it to.
The shift in policy comes as an increasing number of attacks emanating from China are targeting critical infrastructure, and as experts question whether the U.S. might need to make public use of its cyber weapons to prove its resolve against cyber threats.
Thomas Donilon, President Barack Obama’s national security adviser, named China as the source of significant cyber intrusions during March 11 remarks to the Asia Society. Donilon was also clear about the administration’s commitment to taking action.
“From the president on down, this has become a key point of concern and discussion with China at all levels of our governments,” Donilon said. “The United States will do all it must to protect our national networks, critical infrastructure and our valuable public and private sector property.
“As the president said in the State of the Union, we will take action to protect our economy against cyber threats,” he said.
Who might take action became clearer the following day, when U.S. Cyber Command chief Gen. Keith Alexander outlined his plans in congressional testimony to put together 40 cyber teams, 13 of which would be built for “offensive” actions. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace,” Alexander said. “Thirteen of the teams that we’re creating are for that mission set alone.”
Neither the U.S. intent to grow its cyber offensive teams nor its recognition that many cyber attacks originate from China are new. But the public recognition of these facts marks a new chapter in the escalating cyber conflict with China, a conflict that has changed from espionage to actual attacks on critical infrastructure in the past year, experts said.
Infrastructure Now Targeted
Verizon, the telecommunications company that handles a large percentage of the country’s Internet traffic, has noticed a shift in the types of attacks hitting the U.S. In its 2013 Data Breach Investigation Report, due to be released later this spring, the company will report that infrastructure is now suffering the brunt of the attacks on the network, said Bryan Sartin, director of investigative response for Verizon.
“These aren’t about stealing data and fraud, they’re about deny, disrupt and destroy,” Sartin said. “I’d go so far as to say that it’s [coming from a] nation state, but almost every victim is critical infrastructure.”
Sartin did not name China, but said five out of six notifications to clients are now focused on attacks to critical infrastructure. Other experts said the nation that leads the way on these types of attacks is China.
This transition from what might more appropriately be named cyber espionage to critical infrastructure attack creates a new environment and may be the cause of the escalated rhetoric from U.S. national security officials.
When the Chinese gained access to some data from the F-35 Joint Strike Fighter program in 2009, the U.S. didn’t respond by bombing Beijing. It was part of a wave of data thefts that became the norm, with U.S. companies and defense contractors losing proprietary and in some cases classified information. At the time the administration did little, and companies, fearing retribution from shareholders, were hesitant to disclose the data loss.
The administration recently introduced a new trade-secret policy and has continued diplomatic pressure, but thus far the tactics have had little effect. The policy requires diplomats to raise the issue of cyber attacks with Chinese officials regularly, a stance that several U.S. State Department sources said might damage relations with a country now closely tied to the U.S.
But as long as intruders are functioning in the model of spies — seeking data rather than destruction — immediate military action is unlikely.
“I go back to the Cold War,” Michael Chertoff, former Homeland Security secretary and founder of The Chertoff Group consultancy, told Defense News. “The Russians spied on us. We spied on them. Guys were arrested, they were imprisoned, and then they swapped them out afterward. If we caught a guy, even if a spy stole vital secrets, we didn’t attack Russia, or blow up the KGB building, because that was viewed as not the right category.”
But once critical infrastructure comes into play, the equation changes, Chertoff said.
“There’s no doubt that one threshold, which would be an unfortunate one, would be a major attack on infrastructure that would cause major economic damage and loss of life. Unquestionably that would only take 10 hours, and then we’d all of a sudden go to war,” he said.
The actual risk to critical infrastructure is the subject of fierce debate in the security community. One side argues that because the systems are so varied, creating any individual bug to wipe out the entirety of, say, the power grid would be exceedingly difficult. Others argue that because the individual components in the system are so poorly protected, the entirety is at risk.
The threat, however, is of deep concern to the intelligence community. Director of National Intelligence James Clapper began his 2013 Worldwide Threat Assessment report to Congress by mentioning the risk of cyber attack against critical infrastructure.
The line between probing networks for information and the beginning of what might be called an attack are becoming worryingly unclear. Probing a network and destroying it aren’t the same, but by breaking in and exfiltrating data, attackers can do damage. And reports indicate that while the past modus operandi focused on corporate espionage, the shift to low-level attacks on critical infrastructure is in full swing.
The Chinese seem intent on pushing the boundary, which won’t likely stop until the U.S. responds with public offensive action, several retired senior military officials said.
“Certain powers in the world, nation-states for example, all they know is power,” said retired Air Force Lt. Gen. Harry Raduege, former commander of the Defense Information Systems Agency. “They only respond to somebody that’s going to be able to launch a mutually assured disruption of them.”
Getting those world powers to rein in attacks, to deter intrusions, requires that U.S. offensive operations are credible. And in order to make them credible, the U.S. might have to use a weapon publicly, retired Marine Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, said in a 2012 interview.
“At some point, they’re going to have to do something that’s illustrative, and then communicate,” he said. “I don’t believe we in the United States are taking advantage of what we could be communicating.”
Whether a strong response should come in the form of a cyber attack is the subject of debate in the administration. Several former officials said confidence in the ability of a cyber weapon to have a precise and desired effect is low, and as a result a conventional kinetic weapon might be used instead. If the goal is to destroy a facility to make a point, why not bomb it and make sure the target is eliminated?
Alexander wrote in a statement to Congress that he believed the increased capability of the military has been effective in deterring large cyber attacks, although it may not work indefinitely.
“We feel confident that foreign leaders believe that a devastating attack on the critical infrastructure and population of the United States by cyber means would be correctly traced back to its source and elicit a prompt and proportionate response,” he wrote. “Nonetheless, it is possible that some future regime or cyber actor could misjudge the impact and the certainty of our resolve.”
But Alexander acknowledged that lower level attacks continue, undeterred.
“We have some confidence in our ability to deter major state-on-state attacks in cyberspace, but we are not deterring the seemingly low-level harassment of private and public sites, property and data,” he said.