In cyberwar, who's in charge?

The president for sure, but after that, it's pretty murky
By Tim Greene, Network World
08 07 2010

When the first salvos of cyberwar are fired against the United States, the responsibility to defend the country falls to the president who, aided by advisers from the broad spectrum of government agencies and also the private sector, must feel his way along an uncertain path to decide the appropriate response.

Because possible return fire could come from traditional military, intelligence, diplomatic or economic agencies -- and perhaps even from private business -- the United States needs a set of policies and procedures for cyberwarfare that are still in the making, experts say.

The president's top cyber adviser, Howard Schmidt, has said in interviews that the responsibility for cybersecurity is a shared responsibility between public and private sectors. And within the government it will be shared among government agencies but not in a well-defined way. "Who's in charge?" asks Jamie Sanbower, the director of security for Force 3, an integrator that works with the federal government. "That's the number-one challenge we're facing right now."

Emerging as a powerful player is the appointed head of the U.S. military Cyber Command Army Lt. Gen. Keith Alexander, who is the director of the National Security Agency (NSA) and would retain that title if his appointment to CyberCom is approved by the U.S. Senate, indicating the broad reach and central authority the president believes is needed to respond to attacks. But it makes Congress jumpy, and it has reportedly sought explanation from the Department of Defense about what shape the relationship between the Defense Department and the NSA would take.

Meanwhile, Schmidt's role as White House adviser on cybersecurity has no such concentrated authority. His direct boss is not the president, but rather two separate groups, the National Security Council and the National Economic Council, both of which report to the president. That assignment of authority appears to limit Schmidt, but also points to the broad nature of the cyber threat.

Contributing to the difficulties creating a cyberwar framework is that rules of engagement remain uncertain. In a conventional military confrontation -- known as kinetic war -- centuries of conflict have yielded a set of agreed-upon procedures for what constitutes war and what acceptable responses are to attacks. Cyberwar, ill-defined as it is, has no such procedures.

That leaves the U.S. government scrambling to establish a chain of command for cyberwar in which threats can vary, Sanbower says, from cyber spying on government and industry to defacement and take-down of government Web sites to attacks on critical infrastructure that incapacitate, for example, the country's electrical grid.

In response to public concern about its cyber defenses, Schmidt recently released a declassified version of the Comprehensive National Cybersecurity Initiative (CNCI) that contains a 12-point list of things that ought to be done to protect against attacks that includes defining who will do what in response.

"Our Nation's senior policymakers must think through the long-range strategic options available to the United States in a world that depends on assuring the use of cyberspace," the document says. "To date, the U.S. Government has been implementing traditional approaches to the cybersecurity problem -- and these measures have not achieved the level of security needed."

The CNCI also points up shortcomings of the current cyber defenses. "This Initiative is aimed at building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for private sector and international partners, and developing appropriate responses by both state and non-state actors."

The CNCI calls for a cyber counter-intelligence plan to deter cyber spying by other countries.

The plan calls for the Department of Homeland Security to partner with owners of critical infrastructure -- power, water, communications systems -- to make their systems more resilient and includes sharing information about cyber threats.

The CNCI calls for locking down government networks by limiting access to outside networks including the Internet. It also calls for a government-network intrusion detection/prevention system, the coordination of all government R&D into cybersecurity, and the coordination of the the activities of six established but independent cyber operations centers under the National Cybersecurity Center, part of the Department of Homeland Security.

It urges establishment of cyber education initiatives to train a sophisticated network-security workforce that will be attracted to the promise of rewarding career paths. It also calls for rolling the dice on "high-risk/high-payoff" schemes to solving critical cybersecurity problems in the hopes of leap-frogging the current body of threats.

The CNCI urges supply chain risk management for government network infrastructure to assure that it is not penetrated by enemies looking to steal or alter data or to interrupt communications.

But a version of the Defense Department's "Information Operations Roadmap" declassified in 2006 calls for protection "of networks with a real defense in depth strategy," as well as a "robust offensive suite of capabilities to include full-range electronic and computer network attack, with increased reliability through improved command and control, assurance testing and refined tactics and procedures." The public version of the report doesn't detail these measures.

It is clear from the document that the military wants the tools and the rules to be the aggressor. "Defensive (electronic warfare) capabilities are overemphasized in comparison to electronic attack capabilities. There is no central investment strategy or vision for EW," the road map says.

In addition, the report says defense of Defense Department computer networks "lacks up to date policy and legal guidance (including newly acquired authorities provided by the patriot and Homeland Security Acts) to guide responses to intrusions or attacks on DoD networks."

While the administration is working out its cyberwar plans, legislation called the Cybersecurity Act is winding its way through Congress, pointing out shortcomings of the current cyber defense plans that need to be addressed.

The act would give the president authority to declare cyber emergencies and to respond to them within the powers already granted to the president. It calls for the Commerce Department to assess the security of its infrastructure. It calls for the Department of State to direct international work toward developing cybersecurity standards. It would order the FCC to keep an eye on how well network providers secure their commercial broadband networks and educate their customers in cybersecurity.

It also calls for rehearsing responses to "clarify specific roles, responsibilities and authorities" of government agencies and the private sector during cyber emergencies.

The law would let the president set rules for when private business would have to share "actionable cybersecurity threat and vulnerability information and relevant information with the Federal Government."

This is in response to the Obama administration's somber conclusion about the state of national cybersecurity: "The architecture of the nation's digital infrastructure is not secure or resilient," the administration says in its Cyberspace Policy Review. "Without major advances in the security of these systems or significant changes in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusion and operations."

Beyond the work of the government to protect the United States, the United Nations needs to start writing language surrounding cyberwar on its warfare charters," says John Bumgarner, research director of security technologies at U.S. Cyber Consequences Unit, a nonprofit research group investigating strategic and economic consequences of cyberattacks.

International treaties are needed to set the rules, he says. "These treaty talks will debate the classification of cyber weapons, proliferation issues for these weapons [e.g. cyber arm dealers], verification programs for these weapons, sanction use for these weapons against an opponent, legality issues for these weapons and proportionate response to a cyberattack," he says.

"In kinetics, we have proven national level response strategies. [In cyberwar] we really don't even have the response strategy," he says.