With government officials and executives in the U.S. reeling from sophisticated hacks traced to China and other state-backed entities, American spies and soldiers are sharpening the ongoing debate over if – and when – an online action, like the hack of the U.S. Office of Personnel Management (OPM), should trigger a “kinetic” response – a euphemism for military actions ranging from drone strikes and commando raids to all-out war.
It’s a question that also vexes foreign policy think tanks and former intelligence specialists now in the private sector. In a debate that parallels the policy tussles taking place at the White House, the Department of Defense and U.S. intelligence agencies, outside experts are squaring off over the very definition of cyberarmies and cyberwar – and, if and when an unambiguous cyberattack takes place, what the response should be.
Where one stands on the issue depends in part on experience and perspective. In a series of interviews with SC Magazine, former intelligence officials and military veterans debated whether the OPM breach and spectacular private-sector hacks, like that of Sony (which the U.S. attributed to North Korea), are old-school spying or the early volleys of virtual warfare.
But both views have an element of truth, says Adam Segal, senior fellow for China studies and director of the digital and cyberspace policy program at the Council on Foreign Relations. “People are throwing around the term ‘hybrid,’ which exists in the space between war and peace,” he says. There is no clear distinction between the start and the end of a conflict, he adds.
John Felker, director of cyber and intelligence strategy, HP Enterprise Services
Jason Healey, senior research scholar in cyber conflict studies at Columbia University’s School of International and Public Affairs
Maria Horton, CEO, EmeSec James Lewis, program director, Center for Strategic and International Studies
Isaac Porsche III, senior engineer at the RAND Corporation
Adam Segal, senior fellow for China studies and director of the digital and Cyberspace Policy Program, Council on Foreign Relations
Richard Schaffer, executive, KEYW
Terry Roberts, founder and president, CyberSync
The proxy wars that variously pitted allies of the old U.S.S.R. and China against U.S. client states provide a useful comparison for understanding today’s cyberconflicts, Segal says. Directly confronting the other side could be too dangerous or escalatory in an all-out cyberwar, just as a conventional military clash once risked nuclear warfare.
Segal doesn’t hesitate to disagree with those who characterize the OPM breach as a military attack. “We have basically identified it as political-military espionage,” he says. Even a hack of top military contractors, like Boeing and Lockheed Martin, to obtain plans for the F-22 or F-35 warplanes falls under that heading, he says.
But the boundaries between espionage and acts of war may soon blur in the virtual world, Segal acknowledges. “We need to have more discussion of norms and rules,” he says. “How do you prevent the virtual from becoming kinetic?”
One way to do so, he says, would be for the U.S. government to be clearer about what it may do in dealing with cyberattacks. The point is to get other countries to be more transparent about their own capabilities and doctrine.
James Lewis has taken up that challenge. A program director at the Center for Strategic and International Studies (CSIS), he’s worked as a consultant during negotiations on cybersecurity at the United Nations in an effort to cajole representatives from various nations into disclosing their cybermilitary capabilities. While a Cold War-style arms control treaty is a long way off, the UN’s focus for now is norms of behavior and confidence-building measures, like transparency, he says.
People don’t want a cyberarms control treaty, says Lewis, a former Foreign Service officer and arms control negotiator. “The Americans don’t want it, because they think the Russians and the Chinese will cheat. The Chinese say they don’t want it because it would militarize cyberspace – which sounds hypocritical to American ears.” The Russians, he adds, have a more complicated position, which focuses on the very definition of a cyberweapon.
Complicating negotiations on cybertalks is the fact that the bipolar, Washington-Moscow partition of the world in the Cold War is long gone, Lewis says. “The U.S. won the Cold War in 1989 and World War II in 1945. For most people in the world, that is ancient history. It’s like saying, ‘We are the ones who can set the rules because we won the Trojan War.’”
What keeps cyberwar at bay – and keeps negotiations on track – is a shared interest in global connectivity that fuels economic growth, says Jason Healey, a senior research scholar in cyberconflict studies at Columbia University’s School of International and Public Affairs, and senior fellow and former director of the Cyber Statecraft Initiative at the Atlantic Council.
For him, cyberwar deterrence obviously is working, pointing out that the phrase “cyber Pearl Harbor” was first used in 1991. “In the 24 of the 74 years from the actual Pearl Harbor, it hasn’t happened yet. Nobody has died from a cyberattack. Nobody.”
The constraints on nation-states launching cyberattacks on their rivals aren’t very different from the pressures against mounting conventional military attacks, Healey says. “China hasn’t tried to take electrical power out in the U.S., and the U.S. hasn’t tried to do that in Moscow. Even if we could land a strategic blow, why would we?”
Even the apparently successful U.S. use of cyberweapons to achieve Washington’s strategic aims, such as the Stuxnet virus that damaged Iran’s nuclear program in 2009, have, in fact, made wider cyberconflict more likely, Healey says. Prior to that, Iran’s focus on the internet was primarily at quelling internal dissent. “After they got hit by Stuxnet, Iran said, ‘OK, that is the way the game is going to be played,’ and they put things in that space,” Healy says.
From cyberspying to cyberattack?
The latest controversy over cyberwarfare flared in June following the disclosure of the OPM beach, which raised the specter of Chinese penetration of documents that contain sensitive information on 21.5 million current and former U.S. government employees – including foreign service and military personnel.
Yet the first response from the Obama administration wasn’t escalation, but admiration. “You have to kind of salute the Chinese for what they did,” Director of National Intelligence James Clapper said to reporters. “If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
But soon after, the Pentagon’s top cyberbrass ratcheted up the pressure to take a more assertive role. In testimony in March, before the announcement of the OPM breach, Admiral Michael Rogers, who heads both the National Security Agency (NSA) and the Department of Defense’s Cyber Command, said, “We’re at a tipping point. We need to think about how do we increase our capacity on the offensive side to get to that point of deterrence?”
The first challenge in preparing for cyberwarfare is defining just what a cyberarmy is, says Richard Schaeffer, an executive at KEYW, a Washington, D.C.-area cybersecurity and intelligence firm that serves as a contractor for the U.S. government intelligence agencies and private organizations.
“It is really complex,” says Schaeffer, who worked for 30 years in various positions at the NSA, including as director of the National Security Operations Center. Although U.S. military and intelligence leaders began grappling with the issues of cyberwarfare almost a decade ago – including rules of engagement, the escalatory nature of cyberconflict and what might happen – “people are still struggling with those issues,” he says.
“The president could go to China and say, ‘Here is my evidence,’” Schaeffer says. If the administration hesitates to do so, it’s in part because the U.S. intelligence community is reluctant to divulge information that would give up sources and methods, he says. But failure to do so, he points out, means “that we are totally silent on the fact that the U.S. is being hammered.”
In fact, the U.S. has long made clear that cyberattacks could trigger military response. “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country,” a White House paper declared in 2011, adding that “certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners.”
But attribution of such an attack isn’t so easy, given that cyberconflicts allow nation-states the ability to outsource aggressive actions to others – criminals for hire, or perhaps the “patriotic” pro-Russian hackers that Moscow blamed for the cyberattack on NATO member Estonia in 2007.
And the picture isn’t likely to get clearer anytime soon given that asymmetrical warfare seen on the battlefield in Iraq and Afghanistan has a cyberspace equivalent among the U.S.’s e-adversaries, says Maria Horton, CEO of EmeSec, a Reston, Va.-based security firm that consults with U.S. government agencies.
“What I see is that our actions [in cyberconflict] seemed to be reined in and controlled, while theirs are more experimental,” says Horton, a Navy veteran who formerly served as CIO for the National Navy Medical Center. “They are testing to see how we are going to respond.”
In fact, the threat of irregular cybertroops has preoccupied military and civilian defense researchers for years, says Isaac Porsche III, a senior engineer at the RAND Corporation and associate director of the RAND Arroyo Center’s Forces and Logistics Program. What’s more, countries that could never afford to create a world-class air force or navy can nevertheless have success on the cyberbattlefield, he says.
“It is really important to point out that countries are building these [cyberwarfare] units,” Porsche says. “If you have 20 guys and I have 20 guys, then it’s a fair fight. You don’t have to have the equivalent of an Apache helicopter. One platform can take on 10 targets.”
But the ability of small nations to wage online battles – and the availability of off-the-shelf cyberweapons to non-state actors – shouldn’t distract policymakers from the fact that nation-states and their proxies have cyberwar capabilities that set them apart, says John Felker, director of cyber and intelligence strategy for HP Enterprise Services, a Plano, Texas-based provider of information technology services.
“An infantry is the definition of an army with artillery and armored forces,” says Felker, a former deputy commander of the U. S. Coast Guard Cyber Command. “If you accept that cyberforces are analogous to land forces in their respective domains, then take a look at what the Russians claim are the people who were doing the cyberattacks in Estonia and, in particular, in [the former U.S.S.R. republic] of Georgia. “They weren’t governmental. It is almost a standing reserve.”
But military and intelligence leaders must be clear that breaches like that hitting OPM, enormous though they are, don’t amount to an act of cyberwar, says Terry Roberts (left), founder and president of CyberSync, a security consulting group. “Frankly, OPM was a valid espionage target for China,” says Roberts, co-chair of the Cyber Council at the Intelligence and National Security Alliance (INSA) and a former deputy director of naval intelligence (DDNI).
Yet, some cyberprobes may well cross the threshold from aggressive spying to an act of war, Roberts says, adding that the Department of Defense needs statutes and policy guidelines as the U.S. military engages in cyberconflict for the foreseeable future.
“We should be able to say that these kinds of actions are espionage, these are acts of terrorism,” she says. “Other things – like taking down the dot-gov domain – may be an act of war.”