When the history of cyberwar is written, 2012 may well be marked down as the year that it all began in earnest. Governments have been attacking one another electronically for decades now, but the last 12 months have seen both the concept and the reality of cyberwar elbow their way into the consciousness of the general public through attacks such as Flame, Gauss and Shamoon, and have also seen government officials openly discussing offensive operations and calling out other nations for their extensive attacks on U.S. networks. Now, those same U.S. officials are in the process of developing doctrines for cyberwar operations as a way of defining how and when military and government teams can act.
Saying that the U.S. government has a somewhat spotty record on defending its networks would be exceedingly kind. Agencies from the Department of Energy to NASA to the Pentagon itself have been penetrated repeatedly, with untold terabytes of sensitive data and classified documents lost in the process. Government officials never used to acknowledge these attacks publicly, outside of any legally required disclosures if personally identifiable information was stolen, preferring instead to keep quiet and wait for the furor to pass.
Recently, however, top-level officials in the Obama administration have begun speaking openly about attacks, pointing fingers in the direction of Beijing or Tehran in some cases, and discussing the need for the U.S. to develop offensive cyberwar capabilities. The thinking is that rather than sitting back on its heels and trying to react to new attacks, the federal government–specifically the military–needs to be in the business of deterring other nations and cybercrime crews from attacking U.S. networks in the first place. What kind of deterrents and offensive capabilities the country needs to deploy is never discussed specifically, but security experts say that the U.S. government is one of the more active buyers of zero-day exploits and has been building an arsenal of attack tools for years now.
In a speech in October, Leon Panetta, the Secretary of Defense, said that the U.S. needs to have the ability to go after its enemies whenever it detects a threat to its government networks or critical infrastructure.
“For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace,” Panetta said in his speech.
The thinking behind this strategy is that if other nations know that the U.S. has extensive offensive capabilities and is willing to use them, they’ll be less inclined to use their own. After all, that’s what kept the uneasy peace during the Cold War: each side knew that the other had stockpiles of nuclear weapons and assumed it was willing to use them. But the value of the analogy ends there. As Gary McGraw points out in his essay on cyberwar, anyone–not just governments–can develop cyber weapons, and there’s no method for tracking who has them, let alone who uses them.
To help govern the use of cyber weapons and lay out the circumstances under which they can be used, U.S. officials are in the process of developing a doctrine for cyberwar. Similar in concept to the doctrines that dictate when conventional weapons can be used and which targets are legitimate, the cyberwar doctrine would supposedly lay out ground rules for offensive operations and specify who is responsible for taking those actions. Such rules are vital for conventional military operations, but in the online environment they’re unlikely to be of much use.
The first problem is that any doctrine the U.S. develops will apply only to U.S. agencies. The attacks that hit the hundreds of government contractors and Beltway bandits who do classified work are a separate problem. These companies are constantly under siege by well-funded, patient and organized attack teams, many of them the same teams from China or Iran that target government agencies. Much of the data flowing out of U.S. networks is leaving through these contractors, not just through government agencies. Private companies are key targets for foreign attackers, and those companies are on their own when it comes to both defense and offense.
They would not be subject to any cyberwar doctrine whenever one is developed. Instead, these companies may have to rely on the government to help them track down and go after the attackers. But it’s not clear whether the government is interested in being in that business. As we’ve seen, Washington is having enough trouble defending its own networks. The other option is that private companies can begin going after foreign attackers themselves, a very tricky proposition, not only because of the difficulty of attribution but because of that whole legality thing.
The second major problem with the idea of a cyberwar doctrine is that in order for it to really matter, to really work, the other parties involved in cyberwar operations need to have similar policies. A declaration of U.S. policies regarding cyberwar does no good without similar ones from China, Iran and every other nation involved. If U.S. officials say that they’ll only attack foreign networks in scenarios X, Y and Z, all it does is give foreign attackers a blueprint. It certainly has no effect on whether they’re going to use their own tools. The Marquess of Queensberry rules do not apply.
Nuclear arms doctrines, treaties and other such agreements work because they’re agreements. They involve more than one party. Laying out the terms under which the U.S. may use offensive cyber capabilities may make military commanders feel more comfortable when the day comes and they need to launch an attack, but norms only work when they’re accepted by a broad community. Barring that, they’re simply suggestions.