
U.S. military cyberwar: What's off-limits?

Ex-NSA and CIA head tells Black Hat crowd that rules for when military can attack foreign networks might exempt power grids and financial networks.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Michael Hayden, ex-CIA and NSA director, suggests some foreign nations' systems should be off-limits in cyberwar. Declan McCullagh/CNET

LAS VEGAS--The United States should decide on rules for attacking other nations' networks in advance of an actual cyberwar, which could include an international agreement not to disable banks and electrical grids, the former head of the CIA and National Security Agency said Thursday.

Michael Hayden, who was the principal deputy director of national intelligence and retired last year, said the rules of engagement for electronic battlefields are still too murky, even after the Defense Department created the U.S. Cyber Command last spring. The new organization is charged with allowing the U.S. armed forces to conduct "full-spectrum military cyberspace operations in order to enable actions in all domains," which includes destroying electronic infrastructure as thoroughly as a B-2 bomber would level a power plant.

Even a formal cyberwar may have rules different from those applying to traditional warfare, Hayden suggested. One option would be for the larger G8 or G20 nations to declare that "cyberpenetration of any (financial) grid is so harmful to the international financial system that this is like chemical weapons: none of us should use them," he said at the Black Hat computer security conference here.

Another option would be for those nations to declare that "outside of actual physical attacks in declared conflicts, denial of service attacks are never allowed and are absolutely forbidden and never excused," and a consensus would "stigmatize their use," said Hayden, who's now a principal at the Chertoff Group. Nations "do not do it and they do not allow it to happen from their sovereign space."

In 2008, for instance, Georgia accused Russia of launching a coordinated denial-of-service attack against Georgian Web sites, which coincided with military operations in the breakaway region of South Ossetia.

One complication is that Internet intrusions and denial-of-service attacks are notoriously difficult to trace back to their actual source; is a successful break-in the work of a national government or a 14-year-old hacker in Shanghai or Moscow? The U.S. State Department has linked China to penetrations into Google employees' computers, but China has officially denied it.

The United States' current cyberwar policy remains vague. Earlier this year, a congressional committee asked Lt. Gen. Keith Alexander, now the head of the NSA and Cyber Command, when he would "fire back" without consulting the host government first, whether the use of offensive force would be "pre-authorized" below the level of the president, and whether there should be "classes" of networks operated by allies that should be off-limits to intrusion.

In his written response (PDF), Alexander refused to answer any of those questions publicly, saying the information was classified.

Power grids are another example of where traditional military doctrine may need to shift, Hayden said. "A power grid is, according to traditional military thought, a legitimate target under some circumstances," he said. "Mark 82s are kind of definitive and it's a one-way switch--that thing's kind of gone." (An MK-82 is a general-purpose, 500-pound unguided bomb used by the U.S. military since the 1950s.)

But destroying, or at least thoroughly disabling, a power grid through an offensive cyberattack means penetrating it well in advance. And if there are dozens of different nations stealthily invading a grid's computers and controllers all the time, it's probably not going to be stable. "There are some networks that are so sensitive that maybe we should just hold hands and hum 'Kumbaya' and agree they're off limits," he said. "One is power grids... You can't just have 23 different intelligence services hacking their way through the electrical grid."

So far, the United States government has been cagey, even reticent, about discussing offensive possibilities in actual cyberwars. Hayden suggested that this should change, saying that one option proposed by the Council on Foreign Relations would provide an example for the rest of the world by saying that "no American service would penetrate any other nation's power grid absent a presidential finding."

Then there's defending against foreign cyberattacks. For the last few years, it was a little unclear which federal agency would win this important turf battle, which carries with it billions of dollars in cash and the opportunity for bureaucratic or political advancement.

Last year, a top DHS official quit in disgust, saying that the NSA's attempted takeover of cybersecurity functions could threaten "our democratic processes." Earlier this month, though, the White House published a memo saying that Homeland Security "will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity" for civilian agencies. (The military's Cyber Command will handle the defense of other federal agencies.)

"I'm told that at the new Cyber Command, 90 percent of their thinking is about attack," Hayden said, but at least 90 percent of their actual work is spent on defense.

Hayden used the opportunity to challenge attendees of Black Hat--thousands of programmers, analysts, and security researchers--to devise ways to reshape the Internet's security architecture.

"You guys made the cyberworld look like the north German plain--and then you bitch and moan because you get invaded," he said. "We made it flat. We gave all advantages to the offense. The inherent geography in this domain plays to the offense. There's almost nothing inherent in the domain that plays to the defense."