By Eric Brandner
We are under attack.
Somewhere, a hacker on a laptop in a busy coffee shop—or a sunny university dorm room, or the cubicle next to yours—is writing code that could harm a piece of American infrastructure. Their hack may be a warning to urge a delinquent software developer to get its act together and patch a security hole. They might be trying to steal some social security or credit card numbers. They might just want to take control of a computer to remotely send some spam.
Those are common intrusions, and one of the latter two has likely happened to you, forcing you to change passwords or—in a worst-case scenario—request credit reports and spend hours on the phone fighting fraudulent charges.
But what happens when a terror group, a combative nation or an angry lone wolf takes a run at a city’s privately operated power grid?
The answers aren’t quite as clear.
What We (Think We) Know
United States Cyber Command is one of the newest and most secretive commands in the military. Established in 2009, it became fully operational October 31, 2010.
Technically, CYBERCOM is responsible for operations and security for all websites that fall under the military’s purview. On a parallel plane, the Department of Homeland Security is in charge of security for all government sites. However, when significant cyberattacks are launched against U.S. entities, CYBERCOM can be granted expanded powers via an executive order to either defend against or directly attack the aggressors.
As a sub-unified command under the U.S. Strategic Command, CYBERCOM has domain over the Army, Navy, Air Force and Marine cyber commands. Commanded by Army General Keith Alexander, also the director of the National Security Agency, CYBERCOM is the closest thing America has to Navy SEALs on the Internet. But because it’s so new, it’s still getting organized and figuring out its jurisdiction.
Unfortunately, according to former Defense Secretary Leon Panetta, America’s institutions are already in hackers’ crosshairs.
“The most destructive scenarios involve cyberactors launching several attacks on our critical infrastructure at one time in combination with a physical attack on our country,” Panetta told a group of business leaders last fall in New York. “Attackers could also seek to disable or degrade critical military systems and communication networks. The collective result of these kinds of attacks could be a cyber Pearl Harbor.”
Cyberattacks are complicated and, at this point, nearly impossible to explain to anyone without some background in the field.
There are a few reasons for the lack of easily understood examples. First, technology evolves quickly. The people making national security decisions now grew up a decade or two before email addresses were prevalent, whereas most 20-year-olds can tell you exactly where on the Internet to find pirated DVDs and music and even free hacking software.
The second issue—and the one that won’t change over time—is that cyberattacks and cyberdefense are essentially espionage. While hacker collectives that make the news often take control of websites to push an agenda, an intruding nation or terror cell is likely less interested in broadcasting its exploits than carrying out its mission.
There’s assumed attribution on which nations have executed the most prolific cyberattacks, like the Stuxnet strike against Iran’s nuclear program (the United States and Israel) or the Shamoon virus that wiped data from three quarters of Saudi Arabian oil giant Saudi Aramco’s computers and replaced it with a burning American flag (Iran). But it’s rare to pin down anything beyond admissions by government officials speaking on deep background long after the damage is done.
“One of the key things that a hacker likes to do is be completely invisible to the point where they’ve gained access to a system—whether it be a company or a government—and nobody knows they’re in there,” said Evan Lesser, managing director of ClearanceJobs.com, a networking website for professionals with American security clearances.
And even if you can identify a perpetrator or stop an attack, it doesn’t guarantee you’ll be able to do it again. Most cyberweapons are for one-time use. Once detected, the best computer minds on defense will eventually devise a patch for the exploited security hole. While that’s great for network defenders, it’s a short-lived victory. The landscape requires hackers who are going after large, complex targets to constantly come up with new viruses, while cyberdefenders are just as vigilant in trying to identify security holes before they can be exploited.
As Fast as They Can
Department of Homeland Security Secretary Janet Napolitano spent a significant portion of her October 31 appearance at the Washington Post Cybersecurity Summit speaking in generalities.
Yes, America’s financial institutions are under cyberattack.
No, she wouldn’t say how, or talk about what exactly is being stolen from them.
“We have actually divided the nation’s core critical infrastructure into sectors,” Napolitano said. “And we know there are different kinds of attacks and methodologies that could cause great damage in any of those sectors.
“Even as we see what’s going on now, we have to be thinking proactively. What could the next wave be? Where could it be and how could it occur?”
But the broad generalities brought home a pretty clear point. America—specifically CYBERCOM and the National Security Agency, which have both acted as the country’s presidentially empowered cybermuscle to date—needs to come up with clear rules on how to protect and defend its infrastructure from cyberattacks. And it needs to do it quickly.
Some clues to how they’ll go about that were unveiled in March, when Alexander announced CYBERCOM would have 40 cybersecurity teams—13 offensive and 27 defensive—by the fall of 2015 to stop attacks and counter perceived threats.
The creation of 13 offensive teams adds an aggressive component that hasn’t been discussed much publicly, and also raises questions about proportional response to cyberattacks, or even looming threats of computer-based mayhem.
To clear up those questions—internally, at least—the Department of Defense is redoing its rules of engagement for the first time since 2005 to incorporate protocols for cyberwarfare, making responses to incidents more automatic at lower levels of command.
“It takes a team to operate in cyberspace,” Alexander said in his March 12 congressional testimony. “But at times I think in talking about the team approach, we’re not clear on who’s in charge when.”
But while public sector cybersecurity responsibilities are still being shaped, there are no clear rules on how to respond to an attack on private industry—even if a private company controls something of significant public interest like a large bank or a utility.
It’s a no-brainer to call the police if a gunman has stormed your office building. But when a private business realizes it’s the victim of a cyberattack, it’s almost always too late to do anything about it. Large companies have legions of private cyberwarriors tasked with keeping data safe, but some of those companies may not be enamored with the idea of open data sharing with the government.
This is the point where Congress and special interests get involved. The U.S. House of Representatives earlier this year passed the Cyber Intelligence Sharing and Protection Act, which would make it easier for private industry to share cyberintrusion data with the government in real time, allowing them to work together to thwart security holes faster. The Senate is working on a variety of bills addressing public-private data sharing. A cybersecurity bill that would have increased public-private information sharing failed twice in the Senate last year because of concerns it would place new regulations on businesses.
“It really highlights the need for public-private collaboration,” former Deputy Secretary of Defense William Lynn said at the Post’s summit. “You cannot do this on one side or the other. … Almost all of the assets are in the private sector’s hands, so you have to take account of that as you develop your security regime.”
For now, the Department of Defense and CYBERCOM can only focus on what they can control—bolstering capabilities and clearing up internal gray areas. The rules of engagement, when they’re finished, will make roles and responses to threats clearer. And CYBERCOM is in line for an $800 million budget boost—up to $4.7 billion—in the 2014 DOD budget released in April. The extra funds are aimed at increasing offensive capabilities, like disabling enemy computer systems during a conflict.
“We like to laugh that government doesn’t make decisions very fast and has trouble operating at network speed, but there are reasons for that,” Lynn said. “You are considering the diplomatic impacts, the presidential impacts. What about collateral damage? Those are all important things. It’s not just that government is slow, it’s that there are a lot of serious implications to these decisions that have to be taken into account.”
–Eric Brandner is the USO’s director of story development.