In April 2009, Gen. Keith Alexander, director of the National Security Agency, took the stage at the annual RSA Conference in San Francisco for a keynote address. He told the crowd of thousands: "The NSA does not want to run cyber security for the government."
Instead, he said, the job of protecting U.S. infrastructure is a shared responsibility, falling into hands of government agencies such as the Department of Homeland Security, as well as private sector companies and colleges and universities. “The government is here to protect the country from adversaries,” Alexander explained. “The NSA can offer technology assistance to team members. That's our role.”
Alexander wasn't lying, but he wasn't exactly telling the truth either, as leaks from former NSA contractor and whistleblower Edward Snowden have revealed. The NSA never wanted to be in the cyber defense game, but it very much was gearing up, as we now know, for offensive digital missions.
Two months after that RSA address, the U.S. Cyber Command was formed, described as a new armed collaborative for protecting Department of Defense Networks. Not long after, Alexander was tapped to head up the command, while still leading the NSA. Fast forward to this past January, and the DoD announced plans to grow the command, which is closely tied with the NSA, nearly fivefold over the next few years, from around 900 to about 4,000 military and civilian personnel.
The talent boost will go toward safeguarding infrastructure deemed critical to the country's security, such as the power grid, but also toward executing offensive missions, according to a Washington Post report. Citing an unnamed U.S. official, the article, however, said there were restrictions in place so that the "military would act only in cases in which there was a threat of an attack that could really hurt."
That likely was the justification behind the "Olympic Games" program, responsible for the creation of the Stuxnet worm, which came to light in the summer of 2010 and which targeted Iranian nuclear systems. But does it hold water for the recent revelations by Snowden that the NSA is stepping up offensive cyber actions across the world?
Snowden leaked documents to the U.S. version of The Guardian newspaper that revealed that President Obama has ordered senior security and intelligence officials to "draw up a list of potential overseas targets for U.S. cyber attacks" that "can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging."
But in an interview last week with Hong Kong's South China Morning Post, Snowden presented much more damning evidence of the extent of these targets and attacks. The 29-year-old told the paper that the United States already has conducted at least 61,000 hacking operations globally, including against hundreds of targets in Hong Kong and mainland China, among them private businesses and a university that routes internet traffic for hong Kong.
According to the paper, Snowden wanted to showcase “the hypocrisy of the U.S. government when it claims that it does not target civilian infrastructure, unlike its adversaries."
In a live online chat, he told The Guardian on Monday: "I did not reveal any U.S. operations against legitimate military targets. I pointed out where the NSA has hacked civilian infrastructure such as universities, hospitals, and private businesses because it is dangerous. These nakedly, aggressively criminal acts are wrong no matter the target. Not only that, when NSA makes a technical mistake during an exploitation operation, critical systems crash. Congress hasn't declared war on the countries – the majority of them are our allies – but without asking for public permission, NSA is running network operations against them that affect millions of innocent people."
If this true, that the United States is spearheading widespread online assaults of civilian targets, likely in an attempt to mine for sensitive information, it is a far cry from cases in which there's a threat of an attack that could "really hurt" the country.
One can liken these engagements to the nation's ever-expanding drone war, which allegedly targets suspected terrorist targets, but often results in the deaths of innocent civilians. War journalist Jeremy Scahill, who has conducted gripping, on-the-ground reporting in some of these secret war zones like Yemen and Somalia, worries that these attacks could lead to blowback, as the families of victims will be incited to take up arms against America.
While espionage and sabotage conducted through the digital sphere won't lead to bloodshed – at least not yet – news of these U.S. attacks is troubling. At the very least, the U.S. government runs the risk of losing all credibility in its efforts to discourage and prevent Chinese hackers from infiltrating American businesses and stealing hundreds of terabytes of data, as security company Mandiant documented earlier this year.
Should the nation continue to engage in this type of cyber behavior, in secret and protected from meaningful national debate and a full understanding of the legal framework behind it, serious unintended consequences could arise, ones that may make us weaker, rather than stronger, in cyber space. There have been initial attempts to define this emerging landscape, and U.S. ally Israel is also taking steps, but it's nowhere near where it needs to be.
In short, caution, not aggression, should be the default setting for U.S. foreign cyber policy.