Pentagon Gets Cyberwar Guidelines
WASHINGTON -- President Obama has signed executive orders that lay out how far military commanders around the globe can go in using cyberattacks and other computer-based operations against enemies and as part of routine espionage in other countries.
The orders detail when the military must seek presidential approval for a specific cyber assault on an enemy and weave cyber capabilities into U.S. war fighting strategy, defense officials and cyber security experts told The Associated Press.
Signed more than a month ago, the orders cap a two-year Pentagon effort to draft U.S. rules of the road for cyber warfare, and come as the U.S. begins to work with allies on global ground rules.
The guidelines are much like those that govern the use of other weapons of war, from nuclear bombs to missiles to secret surveillance, the officials said.
In a broad new strategy document, the Pentagon lays out some of the cyber capabilities the military may use during peacetime and conflict. They range from planting a computer virus to using cyberattacks to bring down an enemy's electrical grid or defense network.
"You don't have to bomb them anymore. That's the new world," said James Lewis, cybersecurity expert at the Center for Strategic and International Studies.
The new Pentagon strategy, he said, lays out cyber as a new warfare domain and stresses the need to fortify network defenses, protect critical infrastructure and work with allies and corporate partners.
The entire strategy has not been released, but several U.S. officials described it on condition of anonymity. Many aspects of it have been made public by U.S. officials, including Deputy Defense Secretary William Lynn, in speeches over the past several months.
The Pentagon is expected to announce the entire strategy soon.
As an example, the new White House guidelines would allow the military to transmit computer code to another country's network to test the route and make sure connections work -- much like using satellites to take pictures of a location to scout out missile sites or other military capabilities.
The digital code would be passive and could not include a virus or worm that could be triggered to do harm at a later date. But if the U.S. ever got involved in a conflict with that country, the code would have mapped out a path for any offensive cyberattack to take, if approved by the president.
The guidelines also make clear that when under attack, the U.S. can defend itself by blocking cyber intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the U.S. has the right to pursue attackers across national boundaries -- even if those are virtual network lines.
"We must be able to defend and operate freely in cyberspace," Lynn said in a speech last week in Paris. The U.S., he said, must work with other countries to monitor networks and share threat information.
Lynn and others also say the Pentagon must more aggressively protect the networks of defense contractors that possess valuable information about military systems and weapons' designs. In a new pilot program, the Defense Department has begun sharing classified threat intelligence with a handful of companies to help them identify and block malicious cyber activity on their networks.
Over time, Lynn said, the program could be a model for the Homeland Security Department as it works with companies that run critical infrastructure such as power plants, the electric grid and financial systems.
Members of Congress are working on a number of bills to address cybersecurity and have encouraged such public-private partnerships, particularly to secure critical infrastructure. But they also warn of privacy concerns.
"We must institute strict oversight to ensure that no personal communications or sensitive data are inappropriately shared with the government by businesses," said Rep. Jim Langevin, D-R.I., who served as co-chairman of the Center for Strategic and International Studies' cybersecurity commission.
Cyber security experts and defense officials have varying views of cyber war, but they agree that it will be a part of any future conflict.
At a recent Capitol Hill hearing, incoming Pentagon chief Leon Panetta, the outgoing CIA director, said the U.S. must be aggressive in offensive and defensive countermeasures.
"I've often said that there's a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems," he said.
Stewart Baker, a former Homeland Security official, said Americans need to come to grips with the idea that cyber warfare could hit the U.S. homeland.
"We've had 50 years in which we haven't really had to rethink what might happen in a war here," he said. "We need to think very hard about an actual strategy about how to win a war in which cyber weapons are prominently featured."
Part of that thinking, Baker said, involves ensuring that the U.S. has strong firewalls to prevent attacks and that there are established routes into the networks of potential enemies.
But officials also say that cyber capabilities must be put in perspective.
"It's a decisive weapon, but it's not a super weapon," said Lewis. "It's not a nuclear bomb."
It is, however, a new weapon that hackers, criminals and other nations are honing. Hackers have already breached military networks and weapons programs, including those of key defense contractor Lockheed Martin.
Military officials have also warned repeatedly of cyberattacks and intrusions coming out of China, Russia and Eastern Europe.
"Regrettably," Lynn said, "few weapons in the history of warfare, once created, have gone unused. For this reason, we must have the capability to defend against the full range of cyber threats."
Lynn predicted that terror groups eventually will learn how to launch crippling cyberattacks.
Important questions linger about the role of neutral countries. Hackers routinely route their attacks through networks of innocent computers that could be anywhere, including in the U.S. Often it may be difficult to tell exactly where an attack originated or who did it, although forensic capabilities are steadily improving.
That issue was clear during the cyberattack against Estonia in 2007 that used thousands of infected computers to cripple dozens of government and corporate websites.
Estonia has blamed Russia for the attack. But, according to Robert Giesler, the Pentagon's former director of information operations, 17 percent of the computers that attacked Estonia were in the United States. He said the question is: Did the Estonians have the right to attack the U.S. in response, and what responsibility did the U.S. bear?
Under the new Pentagon guidelines, it would be unacceptable to deliberately route a cyberattack through another country if that nation has not given permission -- much like U.S. fighter jets need permission to fly through another nation's airspace.