With another set of reports about a major cyber attack, this time on a supposedly secure network at Central Command, my colleagues over at DefenseTech.org have done an in-depth look at what the US needs to do to help close the holes in our defenses. Kevin Coleman's story follows:
The rapid advancement of cyber attacks and the emergence of cyber warfare have caught government and military leaders around the world off guard. Decision making in times of military crisis, or when defensive measures are required, is guided by doctrine and rules of engagement, but for cyber attacks and cyber warfare these do not currently exist. The complexities and unique characteristics of cyber warfare mandate establishing Cyber Attack and Warfare Rules of Engagement (CAWRoE).
Cyber warfare is different from conventional war in many ways. It is this difference that will challenge the minds of experts around the world when they attempt to create cyber warfare doctrine and ROE. To frame this discussion, below you will find two definitions that put this challenge in context.
Definition - Cyber Warfare & Terrorism - "The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives." Source: This definition was published in the U.S. Army Cyber Operations and Cyber Terrorism Handbook 1.02. This definition was written by Kevin Coleman back in 2004 for an online article.
Definition - Rules of Engagement - Rules of engagement date at least to the Middle Ages in Europe. In military terms this refers to a directive issued by a military authority controlling the use and degree of force, especially specifying circumstances and limitations for engaging in combat. The directive delineates the limitations and circumstances under which forces will initiate and prosecute combat engagement with other forces encountered. Source: This definition is based on multiple authorities' sources and combined to clearly articulate ROE.
NOTE-- After months of research, we will soon publish a paper that addresses the question: "What constitutes an act of cyber war?"
History has shown that ROE are often over-controlled and regulated by politicians and military leaders. It is anticipated that this will also be the case as it relates to cyber attacks and warfare. In addition, commanders and government leaders at all levels must understand the situation, complexities and uncertainty they face.
The increase in complexity, technical aspects and difficulty in tracing the cyber attacks back to the aggressor will combine to increase the difficulty of creating the ROE for cyber. Careful crafting of cyber ROE is required to diminish ambiguities that could cause delays in actions when the use of force is required and will surely lead to increased implications for the United States.
Cyber attack and warfare rules of engagement will undoubtedly require hundreds of pages to establish a decision framework. That being said, there are a few critical areas that will pose the most significant challenge to policy makers. One of these areas will be the level of confidence in the identification of the entity behind an attack on a nation. Tracing and tracking cyber attacks back to those responsible is not an easy task. Usually this takes months or years, not minutes and hours. Current intelligence and surveillance capabilities will provide only minimal assistance in this effort. Although promising research on tracking and tracing cyber attacks is currently underway and advances are occurring on a regular basis, we are far from being able to rapidly identify the party or parties behind the attack with the high degree of confidence and hard evidence necessary to launch an offensive cyber response. At the present time, the newness of cyber attacks and weapons, coupled with their potential but unproven power and the uncertainty about how they might be used, has pushed the decision around the response to cyber attacks all the way to the top and into the hands of the President of the United States.
Conclusion
Over 140 countries around the world have cyber weapons development efforts underway but lack a comprehensive doctrine and legal framework for responding to cyber attacks as well as using offensive cyber weapons against attackers and adversaries. President-elect Barack Obama's national security team will have to rapidly establish the rules of engagement as they relate to cyber attacks and all-out cyber warfare. His national security team is said to include: Sarah Sewall, Tom Donilon, Wendy R. Sherman, Michèle A. Flournoy, John P. White, Robert R. Beers, Clark Kent Ervin, Gayle E. Smith, Aaron Williams, John O. Brennan and Judith A. ("Jami") Miscik.
The United States Military has an expansive arsenal of sophisticated cyber weapons at its disposal, but policy makers have yet to define the rules of engagement that govern when and how to use them. In a briefing earlier this year I said: "This is totally uncharted territory for policy makers. The characteristics of cyber attacks coupled with the operational aspects of cyber weapons make this a unique challenge."
This remains the case and time is growing short before the next significant cyber attack is launched. Cyber warfare requires new rules of engagement.