WASHINGTON – The United States would use cyber weapons against an adversary's computer networks only after officials at the highest levels of government approved of the operation because of the risks of collateral damage, a senior U.S. military official said Tuesday.
The director of intelligence at U.S. Cyber Command, Rear Adm. Samuel Cox, said that cyberattacks can do significant harm to a country's infrastructure and should never be carried out in a cavalier manner. Offensive cyber operations are difficult to conduct with precision to avoid unintended casualties and damage to unrelated systems, he said.
"If you're trying to do precision strike in cyberspace with a very high degree of confidence," Cox said, "that takes enormous amounts of intelligence, planning, great care and very carefully crafted cyber tools that won't boomerang against you down the road."
Cox also downplayed the prospect that an enemy of the United States could completely disable the nation's electric power grid or shut down the Internet because these systems are designed to withstand severe cyberattacks.
"There's huge amounts of resiliency and redundancy built into the system nowadays that makes that kind of catastrophic thing very difficult," he said.
Cyber Command is in charge of defending U.S. military networks from attacks and intrusions. The command's top officer, Army Gen. Keith Alexander, also is the director of the secretive National Security Agency, which gathers electronic intelligence from foreign governments. Both NSA and Cyber Command are headquartered at Fort Meade, Md.
The Defense Department is developing rules of engagement for how commanders will operate in cyberspace and what missions they can conduct under their own authority.
During congressional testimony last month, Alexander said decisions on how to respond to adversaries in cyberspace would be made by the president and secretary of defense. But military commanders would have authority if circumstances demanded immediate action.
"Our job would be to defend and protect and to stop some of these attacks analogous to the missiles coming in and give the administration options of what they could do to take it to the next step, if they choose," Alexander told the Senate Armed Services Committee.
The House of Representatives on Thursday will consider legislation to better defend critical U.S. industries and corporate networks from electronic attacks and intrusions by foreign governments, cybercriminals and terrorist groups. There are deep divisions over how best to accomplish the goal, however.
The U.S. Chamber of Commerce and other business groups oppose cybersecurity regulations. Rules imposed by Washington would increase their costs without reducing their risks, they say. But Obama administration officials and security experts say companies that operate power plants, communication systems, chemical facilities and more should have to meet basic performance standards to prove they can withstand cyberattacks or recover quickly from them.
There is broad agreement, though, on the need for the private sector and government to share information about hackers and the techniques they use to control the inner workings of corporate networks. With a system to securely exchange information, there is a much better chance of blocking cyberattacks and the theft of proprietary information.
Rep. Mike Rogers, R-Mich., the chairman of the House Intelligence committee, and Rep. C.A. Dutch Ruppersberger of Maryland, the panel's top Democrat, said Tuesday that they had worked out several amendments to their information-sharing bill to address privacy concerns and clarify parts of the legislation.
"Companies like Facebook have been very good working with us on language to get the bill to where they think it helps them protect their users and still protects the privacy and civil liberties," Rogers said during a conference call with reporters.
Lawmakers will offer the amendments when the House considers the bill later this week. Rogers said he clearly had the votes to pass the overall measure.
One amendment would limit the government's use of cyberthreat information provided voluntarily by the private sector to five specific purposes: cybersecurity, investigation and prosecution of cybersecurity crimes, protection of individuals from death of serious bodily harm, protection of minors from child pornography and the protection of the country's national security.
The FBI's former top cyber cop said during testimony before a House committee on Tuesday that the American public is largely unaware of the scope of the problem the country faces in cyberspace. People see only the "tip of the iceberg," which is cybercrime involving stolen credit card numbers and identity theft, according to Shawn Henry, who served as executive assistant director of the FBI's criminal, cyber, response and services branch.
"The most significant cyber threats to our nation are those with high intent and high capability to inflict damage or even death in the U.S.; to illicitly acquire substantial assets; or to illegally obtain sensitive or classified U.S. military, intelligence, or economic information," Henry told the House Homeland Security subcommittee on oversight, investigations and management. "These are the threats from foreign intelligence services, and for those I have seen below the waterline."
Associated Press writer Donna Cassata contributed to this report.