Should the U.S. be able to counter-attack nation-state cyber-aggressors without attribution?
Mon 9 Mar 2015
The testimony of U.S. Navy Adm. Michael S. Rogers on March 4th – before the House Armed Services Committee on cyber operations and improving the military’s cybersecurity posture – not only paints an unusually vivid picture of a nation trying to re-invent its military infrastructure in response to a problem that it only partially understands, but also provides some indication as to the means by which it intends to get off the back-foot regarding response policies to cyber-attacks such as last autumn’s Sony Hack incident.
Rogers is the Director of the National Security Agency (NSA) and of the far newer United States Cyber Command (U.S. CYBERCOM), and provided testimony [PDF] in support of President Obama’s nomination of him to continue as head of Cyber Command (potentially under full Unified Command status instead of its ongoing status as a sub-unified command subordinate to United States Strategic Command [SAC]) and in a reconfirmation of his role as head of the NSA.
In response to the question ‘Can deterrence be an effective strategy in the absence of reliable attribution?’ [p19], Rogers answers broadly in the affirmative, but notes that while attribution has improved, it is ‘not timely in many circumstances’. Rogers continues:
‘A healthy, engaged partnership with the Intelligence Community is vital to continued improvement in attribution. Second, is development of defensive options which do not require full attribution to meet the requirements of law and international agreement […] We must ensure we leverage the newest technology to identify our attackers before and during an attack – not just after.’ (my emphasis)
The problems of ascertaining cyber-attack attribution and achieving useful response times are complex, and are addressed in depth in Rogers’ testimony, which is perhaps best summarised by his expression of the need for the U.S. to ‘move from what is currently a reactive posture, to a proactive one.’
Rogers argues for increased autonomy of action for a Cyber Command upgraded to the status of Full Combatant Command, and not answerable to the U.S. Strategic Command:
‘If confirmed, as the Commander of U.S. CYBERCOM, as a Sub-unified Combatant Commander I would be required to coordinate and communicate through Commander, U.S. Strategic Command to seek Secretary of Defense or even Presidential approval to defend the nation in cyberspace. In a response cycle of seconds to minutes, this could come with a severe cost and could even obviate any meaningful action. As required in the current Standing Rules of Engagement, as a Combatant Commander, I would have the requisite authorities to directly engage with SECDEF or POTUS as necessary to defend the nation,’ (p30, my emphasis)
The ‘need for speed’ in responding to a critical cyber-attack is obvious, and well-argued in Rogers’ submission. But the first implication of a military cyber-response capability which can retaliate against (apparently) nation-state cyber-attacks without attribution or subordination to departments nearer the White House is the possibility that the enemies of a nation state (or those seeking to embarrass or implicate the U.S.) need only find a way of launching a significant cyber-attack from within the ‘target’ country – or from cyberspace which appears to emanate from that country – in order to draw U.S. fire toward it.
If you want an even tighter fit to your tinfoil hat, you could speculate that the U.S. itself could undertake such action if expedient to its general aims towards a particular nation.
In reality the issue probably has more to do with ‘prior information’ – the fact that a body such as a combatant-status-enabled U.S. Cyber Command might already know the identity of a cyber-aggressor but need to trade off the future usefulness of this undisclosed information against the necessity to protect and respond publicly. Whether myth or truth, Group Captain F.W. Winterbotham’s 1974 contention that Winston Churchill let Coventry burn during WWII in order to protect the cracking of the Enigma code probably remains the best-known military example of ‘balancing equities’ or ‘gain-loss’ calculations – a subject discussed extensively by Adm. Rogers in his submission to the House Armed Services Committee [p15].
Rogers writes: ‘The risk-loss equation in the DOD is made after comprehensive consultation with the intelligence community and the impacted Commander,’ and continues: ‘When gain-loss issues arise, all parties have the responsibility to comprehensively state the issues and impacts with these discussions beginning at the action officer level. Formal disagreements unresolved after U.S. Cyber Command review follow a clear path to department and national decision makers, to include the President if need be.’
The testimony represents one of the most interesting recent discussions of the current politics and polemics about cyber-security in the west, with some assuring – as well as chilling – indications of how future policy and frameworks may develop.