U.S. Cyberwar Doctrine Would Not Matter Without International Agreement

When the history of cyberwar is written, 2012 may well be marked down as the year that it all began in earnest. Governments have been attacking one another electronically for decades now, but the last 12 months have seen both the concept and reality of cyberwar elbow their way into the consciousness of the general public through attacks such as Flame, Gauss and Shamoon, and also have seen government officials openly discussing offensive operations and calling out other nations for their extensive attacks on U.S. networks. Now, those same U.S. officials are in the process of developing doctrines for cyberwar operations as way of defining how and when military and government teams can act. 

When the history of cyberwar is written, 2012 may well be marked down as the year that it all began in earnest. Governments have been attacking one another electronically for decades now, but the last 12 months have seen both the concept and reality of cyberwar elbow their way into the consciousness of the general public through attacks such as Flame, Gauss and Shamoon, and also have seen government officials openly discussing offensive operations and calling out other nations for their extensive attacks on U.S. networks. Now, those same U.S. officials are in the process of developing doctrines for cyberwar operations as way of defining how and when military and government teams can act. 

Saying that the U.S. government has a somewhat spotty record on defending its networks would be exceedingly kind. Agencies from the Department of Energy to NASA to the Pentagon itself have been penetrated repeatedly, with untold terabytes of sensitive data and classified documents lost in the process. Government officials never used to acknowledge these attacks publicly, outside of any legally required disclosures if personally identifiable information was stolen, preferring instead to keep quiet and wait for the furor to pass. 

Recently, however, top-level officials in the Obama administration have begun speaking openly about attacks, pointing fingers in the direction of Beijing or Tehran in some cases, and discussing the need for the U.S. to develop offensive cyberwar capabilities. The thinking is that rather than sitting back on its heels and trying to react to new attacks, the federal government–specifically the military–needs to be in the business of deterring other nations and cybercrime crews from attacking U.S. networks in the first place. What kind of deterrents and offensive capabilities the country needs to deploy is never discussed specifically, but security experts say that the U.S. government is one of the more active buyers of zero-day exploits and has been building an arsenal of attack tools for years now.

In a speech in October, Leon Panetta, the Secretary of Defense, said that the U.S. needs to have the ability to go after its enemies whenever it detects a threat to its government networks or critical infrastructure.

“For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace,” Panetta said in his speech. 

The thinking behind this strategy is that if other nations know that the U.S. has extensive offensive capabilities and is willing to use them, they’ll be less inclined to use their own. After all, that’s what kept the uneasy peace during the Cold War: each side knew that the other had stockpiles of nuclear weapons and assumed they were willing to use them. But, the value of the analogy ends there. As Gary McGraw points out in his essay on cyberwar, anyone–not just governments–can develop cyber weapons and there’s no method for tracking who has them, let alone who uses them.

To help govern the use of cyber weapons and lay out the circumstances under which they can be used, U.S. officials are in the process of developing a doctrine for cyberwar. Similar in concept to the doctrines that dictate when conventional weapons can be used and what targets are legitimate ones, the cyberwar doctrine supposedly would lay out ground rules for offensive operations and specify who is responsible for taking those actions. Such rules are vital for conventional military operations, but in the online environment they’re unlikely to be of much use.

The first problem is that any doctrine the U.S. develops only will apply to U.S. agencies. The attacks that hit the hundreds of government contractors and Beltway bandits who do classified work are a separate problem. These companies are constantly under siege by well-funded, patient and organized attack teams, many of them the same teams from China or Iran that target government agencies. This is where much of the data that is flowing out of U.S. networks is coming from, not necessarily just from government agencies. Private companies are key targets for foreign attackers, and those companies are on their own when it comes to both defense and offense. 

They would not be subject to any cyberwar doctrine whenever one is developed. Instead, these companies may have to rely on the government to help them track down and go after the attackers. But it’s not clear whether the government is interested in being in that business. As we’ve seen, Washington is having enough trouble defending its own networks. The other option is that private companies can begin going after foreign attackers themselves, a very tricky proposition, not only because of the difficulty of attribution but the because of that whole legality thing. 

The second major problem with the idea of a cyberwar doctrine is that in order for it to really matter, to really work, the other parties involved in cyberwar operations need to have similar policies. A declaration of U.S. policies regarding cyberwar does no good without similar ones from China, Iran and every other nation involved. If U.S. officials say that they’ll only attack foreign networks in scenarios X, Y and Z, all it does is give foreign attackers a blueprint. It certainly has no effect on whether they’re going to use their own tools. The Marquess of Queensberry rules do not apply.

Nuclear arms doctrines, treaties and other such agreements work because they’re agreements. They involve more than one party. Laying out the terms under which the U.S. may use offensive cyber capabilities may make military commanders feel more comfortable when the day comes and they need to launch an attack, but norms only work when they’re accepted by a broad community. Barring that, they’re simply suggestions.

Suggested articles

Discussion

  • Anonymous on

    "... same teams from China or Iran that target government agencies." ... or Russia.

    Some people might air the same criticisms of Big K's proposal. There are those that will agree to rules and there are those that will do anything to avoid them. It's already a difficult problem in the physical world and becomes even more of a problem online. International agreements in cyber are as worthless as the paper they're printed on.

  • rgrein on

    I see several problems with this. First, WE are at the forefront of cyberattacks; claims that we are merely defending ourselves from others ring hollow. By actively engaging in cyber attacks we induce others to follow suit, making the problem worse rather than better.

    Second, by considering the ethical questions AFTER attacking rather than before, we demonstrate not only a lack of morality but our trustworthiness comes into question. Why would anyone trust us to follow a treaty?

    Third is effectiveness. If our goal is to promote a safe environment for Internet commerce we fail miserably by promoting the use of attack tools. More capital is devoted to weaponry and defense until Internet use is stunted to the detriment of all. This has been tried before - the spectacular oversupply of nuclear weapons is a great example of the failures of 'strike first' mentality. Read up on the cold war and President Kennedys' missteps in nuclear arms treaties.

    That doesn't mean we should remain helpless, but before picking up a weapon it is wise to understand thoroughly how it works and the implications. Suggested reading before offering more opinions about warfare: Sun Zu, or the Art of War. Understand THAT and you'll see why it is foolish to engage in unlimited war.

  • Anonymous on

    For an extensive analysis of the potential effectiveness of deterrence in cyberspace, please take a look at Gregory Rattray's Strategic Warfare in Cyberspace (preview -- it is highly problematical).  We also need to be real careful in throwing that term "attack" around so much.  Espionage (even preparing the battlefield) is NOT an act of war under the Law of Armed Conflict.  "Attacks" are things that trigger a state's right to defend itself and as "war" is currently understood, exfiltrating senstive information, whether economic or national security related, does not rise to this level.

    We conflate "war" and "crime" so much in the pundit-o-sphere that we're in grave danger of making flawed decisions when developing policy.

    -- Ishmael

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.