The Obama administration has placed the cyberwar threat high on its national security agenda. But this emerging threat is an amorphous one, making it difficult for the new US Cyber Command to both define and address it - leaving many questions unanswered.
The US Department of Defense (DoD) communications system consists of 15,000 networks and over seven million computing devices. These networks are probed over six million times per day and suffer thousands of cyber attacks a year. In November 2008, some unknown foreign entities were able to hack into the classified networks of US Central Command, the military organization overseeing the conflicts in Iraq and Afghanistan. The intruders were able to monitor and interact with the command's classified military operations as if they were part of the command staff. In another incident in December 2009, Iraqi insurgents were able to hack into the downlink of a US UAV with a $29.99 software tool and view the same picture as US forces operating in Iraq.
US President Barack Obama has addressed the strength - and vulnerability - of the country's military networks, saying at a White House briefing last year that while "technological advantage is a key to America's military dominance ... defense and military networks are under constant … attacks that are harder to detect and harder to defend against."
Indeed, some cyberwar experts believe the US' dependence on the Internet to run much of its critical infrastructure makes it a particularly vulnerable target, and have long been fearful of a 'cyber Pearl Harbor'. They point to the 2007 cyber attacks against Estonia, which nearly shut down that nation's infrastructure, and the 2008 Russian invasion of Georgia which was preceded by cyber attacks, as evidence of the potential magnitude of cyberwar.
Deputy Secretary of Defense William Lynn wrote in a recent issue of Foreign Affairs that some "100 foreign intelligence organizations are trying to hack into the digital networks that undergird US military operations" and that some "already have the capacity to disrupt US information systems."
"It's only a small step to go from disrupting parts of the network to destroying parts of the network," remarked General Keith Alexander, director of the National Security Agency and commander of the new US Cyber Command. "If you think of our nation, our financial system, our power grids - all of that resides on the network. All of them are vulnerable to an attack like that. Shutting down that network would cripple our financial systems."
US Cyber Command: Many questions - but also answers?
Believing that the cyber threat had outgrown the military's existing structures, Defense Secretary Robert Gates ordered the creation of the US Cyber Command in June 2009 to consolidate disparate units under Alexander's command. Cyber Command was officially activated in May of this year, becoming fully operational last month. The command is charged with centralizing and coordinating DoD cyber operations to include defensive and, when directed, offensive operations.
The new command faces numerous challenges - and must address many open questions about the amorphous nature of the cyber threat.
First, the very core questions of who is responsible for, and what constitutes, a cyber attack can prove difficult to answer. Currently there is no commonly accepted definition. Major General Paul F Capasso, chief information officer of the Air Force, comments, "I don't think you'll find one agreed upon definition of cyber warfare. Those basic definitions and key constructs are something we're working very hard on."
The attack against Estonia, a member of NATO, also raised some definitional questions, challenging the collective security organization to examine how Article V's "attack against one is an attack against all" would apply in the case of cyber attacks.
And once a cyber attack has been determined to have taken place, how is the perpetrator identified? It is not only difficult to determine who the attacker is - but even where the attack originated. Unlike traditional weapons, cyber weapons have no geographic limitations. As Lynn noted, it only takes 300 milliseconds for a keystroke to travel twice around the world.
Questions of how to improve defensive cyber capacities abound, and cyber attacks present some unique challenges in this area. While DoD can monitor the health of its networks and determine after the fact whether an attack has taken place, it cannot see it coming. According to Alexander, "We have to, with our allies, be able to see what is going on with the global network so we can provide real-time indications and warning to our defensive capabilities." This necessitates better sharing of threat information not only with other governments, but also with private industry.
Finally, because Cyber Command is responsible only for DoD networks, the question of who is responsible for protecting the rest of the US' critical infrastructure has not yet been resolved. In an attempt to address the issue, a joint Department of Homeland Security/DoD memo, Enhancing Coordination to Secure America's Cyber Network, was recently issued, outlining new areas of coordination between the two departments. The memorandum "embeds DoD cyber analysts within DHS to better support the National Cybersecurity and Communications Integration Center (NCCIC) and sends a full-time senior DHS leader to DoD's National Security Agency, along with a support team comprised of DHS privacy, civil liberties and legal personnel."
Exactly how this will work is unclear, but press reports suggest it will operate under principles similar to those that the president invokes when he dispatches military forces to assist in natural disasters. The devil is in the details, however, and it remains to be seen how well this will actually work. The White House, Pentagon and Congress continue to debate concerns over civil liberties and coordination with the private sector, which controls much of the critical infrastructure.
The biggest challenge: personnel
Last summer when asked what the new Command's biggest challenge would be, cyber warfare expert Bob Gourley replied:
"The biggest challenge will be finding the right leaders … with the right mix of training, education and experience to succeed in this mission space … The mission of defense of DoD networks requires leaders who can coordinate with a broad spectrum of organizations, so they must have social skills. It requires leaders who can command, so they must have military bearing and command authority. The mission requires an understanding of how technology works, so leaders need a good mix of training and education, and it requires leaders who are experienced, so these people, if possible, need to come from careers in the military. These many requirements combine to make finding the right people a tougher challenge than it may seem."
Alexander struck a similar chord recently: "If you ask me, 'what is the biggest challenge that we currently face?'" he asked rhetorically. "It's generating the people that we need to do this mission."