There are oft-discussed fears that terrorists or hostile nations could launch cyber-attacks against critical sectors of the American economy, but what about the possibility the United States might conduct cyber-attacks of its own, defensive or otherwise?
The prospect of offensive U.S. cyber operations, generally a classified subject, was discussed at the recent AAAS Forum on Science and Technology Policy. Herbert Lin, chief scientist for the Computer Science and Telecommunications Board at the U.S. National Research Council (NRC), said there should be more attention to the legal, ethical and policy issues surrounding cyber-attack as an instrument of U.S. policy.
“Mostly the talk you hear about in the press is that we’re the victim of cyber-attacks coming in from other places, and we’re in big trouble,” Lin said. “While I don’t dispute that statement, there’s a whole other dimension to this that involves our launching attacks” on other parties in cyberspace.
Lin was study director on a comprehensive, unclassified NRC study on critical issues regarding U.S. cyber-attack capabilities. The study, published last year, said cyber-attack is too important to be discussed only behind closed doors and called for more transparency in development of U.S. policy on why, when, and how a cyber-attack might be authorized.
Some cyber attacks will be conducted over infrastructure largely owned and operated by the private sector, noted Gerald Epstein, director of the AAAS Center for Science, Technology and Security Policy and moderator of the 14 May Forum session. “In the cyber arena, perhaps as in no other, the fundamental coupling of national security, private infrastructure, and individual choice really comes to the fore,” Epstein said.
The 35th annual Forum, held 13-14 May at the Ronald Reagan Building and International Trade Center in Washington, D.C., attracted more than 500 attendees for sessions on international scientific engagement; societal impacts of S&T; the budget outlook for the U.S. government R&D portfolio; and other topics.
At a plenary session on the role of science and technology in national security; Lin was joined by Ben Koppelman, a senior policy adviser for The Royal Society, who discussed scientific cooperation to support future arms control and disarmament; and C.D. (Dan) Mote Jr., president of the University of Maryland, who spoke about post-9/11 efforts to promote mutual understanding between the national security and higher education communities.
C.D. (Dan) Mote Jr.
While attacks against computer systems or networks can be complex, the technology to mount them is widely available and relatively inexpensive, according to the NRC report. Traditional defensive cybersecurity relies on anti-virus and intrusion detection software, better password security, more attack-resistant software to counter attacks, and robust law enforcement when attacks do occur, Lin said.
But cybersecurity also potentially could involve offensive operations aimed at disrupting or degrading an adversary’s ability to attack your information network and discouraging further attacks. Such offensive operations might be carried out remotely via the Internet or by “close access” methods in which rogue computer chips or software programs are slipped into an adversary’s computer system.
There also is “cyber-exploitation,” quietly infiltrating an adversary’s network to steal valuable information (such as diplomatic negotiating positions), to explore command and control procedures, and to lurk for any signs of an impending cyber-attack.
As a practical matter, Lin said, cyber-attack and cyber-exploitation are quite similar technically and often would be indistinguishable. “If you’re trying to do an exploitation” on an adversary, Lin said, “They may see it as an attack.”
In addition to using cyber operations for defense, Lin said, the United States also might use cyber-attacks for traditional military purposes such as bringing down a nation’s air defenses or disrupting critical infrastructure such as power grids. Cyber methods also could be used for covert action, say to hack into electronic voting machines to influence the outcome of a foreign election or to alter medical records of an adversary’s military leadership, Lin said. He stressed that the NRC report did not endorse any of these uses, only that it identified them as possible applications.
In a world where cyber operations could become dominant, is there any hope that deterrence—comparable to the nuclear deterrence of the Cold War—might work? To be successful, Lin said, deterrence must be based on a credible threat to impose unacceptable costs on adversaries and deny them the benefits of an attack.
“There are many problems with that,” Lin said. “How do you know an attack has happened? A nuclear weapon detonating, that’s a real thing. How do you know you’ve been the victim of a cyber-attack,” particularly if the effects are delayed for many months or even years?
And if you want to make your counter-attack capabilities credible, how do you demonstrate them? “How do you exercise secret cyber capabilities?” Lin asked. “How do you advertise that you can do something without actually doing it?”
Lin touched on many other questions: How do you prevent unintended escalation and cascading effects through a computer network that is linked to many other networks that you might not want to attack? How do you bring a cyber conflict to a halt? How do you know your adversary has stopped “shooting,” so to speak? And if a conflict is halted, are you obliged to reveal where you’ve left your “mines,” destructive software that might still be lurking in your adversary’s networks?
International law on cyber conflict is not well defined, Lin said. The United Nations charter talks about the inherent right of self-defense if an armed attack occurs, he said, but if you repeatedly probe a nation’s computer systems for weaknesses, is that a use of force? Do you violate a nation’s neutrality if you use its Internet infrastructure to launch a cyber attack against a third country?
Are there any prospects for an arms control regime to limit cyber operations? Lin said there are “lots of reasons for skepticism” on that score. “Other nations will do what they want to do, regardless of what we want to do,” he said, to say nothing of what non-state actors and terrorists might do. But Lin said there are good reasons to pursue some kind of arms control regime for cyber operations.
Beyond the legal issues, Lin said, there is a need for good technical work on questions such as how to quickly locate computers that are involved in a cyber attack. As part of an effort to bring more attention to critical issues, the National Research Council is seeking contributed papers on cyber-deterrence. The papers are due by July 9, Lin said, and the NRC could award one or more $1000 prizes to papers deemed excellent.
Also during the Forum session, Koppelman of The Royal Society’s Science Policy Center discussed how scientific cooperation can prepare the technical groundwork for future nuclear arms control and disarmament agreements by developing the required monitoring and verification systems.
Researchers have been working on ways to ensure that the dismantlement of warheads is done in a transparent fashion without disclosing details about warhead design. “A priority area of research is to develop ‘information barrier technologies’ that could confirm the presence of a nuclear warhead without revealing sensitive details about its design,” Koppelman said.
Britain’s Atomic Weapons Establishment has been working on such technologies in collaboration with labs in Norway, Koppelman said, including a project to identify a radiological source and authenticate a mock warhead with a high level of confidence.
With the prospects of a global expansion of nuclear power, The Royal Society also has been studying how best to manage civilian nuclear fuel facilities to prevent nuclear materials from falling into the wrong hands. The British government has established a National Nuclear Center of Excellence, Koppelman said, to promote development of cost-effective civilian nuclear technology that will be harder for terrorists and hostile states to divert for use in weapons.
Mote described his work on the National Security Higher Education Advisory Board, created in 2005 by FBI Director Robert Mueller to promote understanding between universities and federal agencies in the changed security environment after the 9/11 terrorist attacks. Despite some traditional distrust on both sides, “higher education and security agencies are adjusting and the results, so far, have been productive,” Mote said.
Both sides need to find a balance that will enable both security and academic freedom, he said. There are about 20 university presidents and chancellors on the advisory board, which meets about three times a year with representatives of the FBI, CIA, and other security agencies.
“Fundamentally, this board is educating everyone about their cultural differences,” Mote said, and—most importantly—how to work together. He noted that universities are ripe for security problems: they are large, open places, with many international students and scholars, lots of access to information sources, and many visitors. “No one is surprised by a stranger on a university campus,” Mote said. “Everyone is surprised by a stranger inside a security agency or a corporation.”
In addition to giving security officials an understanding of the academic environment, the advisory board also gives them a point of contact in the university president’s office, Mote said, and helps to avoid misunderstandings or inadvertent mistakes. The advisory board also has given the FBI guidance on how to recruit students for national security careers in linguistics, languages, computer science and other fields.
On the other side, the security agencies try to use real-life examples to impress the academic officials with the challenges they face and the importance of security procedures, Mote said. He recalled a talk several years ago by the former director of cybersecurity at FBI who said his own bank accounts had been wiped out 15 times by overseas hackers. “I think he mentioned Romania quite a lot,” Mote said.
The hackers “were just doing this to make sure that he understood that he was not in charge,” Mote said. U.S. officials were unable to stop the incidents or chase down the culprits, he said.
The FBI official’s talk “was like hitting you across the forehead with a two-by-four,” Mote said. “He was able to get your attention on the importance and the seriousness of the cybersecurity problem.”
See more news from the 2010 AAAS Science & Technology Policy Forum.
Get details about the program and speakers at this year’s Forum.