Click amount to donate direct to CounterPunch
  • $25
  • $50
  • $100
  • $500
  • $other
  • use PayPal
Keep CounterPunch ad free. Support our annual fund drive today!

The Missing Rules of Engagement in Cyberwar


The United States lacks a fully defined policy and legal framework for using offensive cyberwarfare capabilities against adversaries, making it difficult for policymakers to determine the origin of computer attacks and when pre-emptive action is justified against criminals, terrorists and hostile foreign nations, according to current and former government officials.

The information networks of U.S. government agencies and critical industry sectors, such as the nation’s power and banking companies, are under persistent and increasing cyber attack from foreign foes, including major criminal organizations and countries like China, according to officials and recent high-level reports.

Although the U.S. government has an arsenal of cyberwarfare capabilities at its disposal, policymakers are grappling with how and when to use them, along with what kind of privacy and civil liberties issues are raised in doing so.

Officials say the government needs to develop better policies and laws for cyberwarfare, similar to that developed for the use of nuclear weapons.

“It is, in many ways, unchartered territory and I know the policymakers are struggling with how and when to use our offensive capabilities,” House Homeland Security Emerging Threats Subcommittee Chairman James Langevin, D-R.I., said in a recent interview.

“It’s important for the government to have a clear understanding of what our offensive capabilities are and how best to employ them and when. There are a lot of questions that still need to be answered,” Langevin added. “Should the U.S. include pre-emption action as part of its cyber doctrine? What are the thresholds for proportionality of response?”

Playing Offense

The Bush administration launched the so-called Comprehensive National Cybersecurity Initiative this year to monitor Internet traffic and protect federal agencies against cyber attacks.

The initiative is expected to cost billions of dollars over many years, and most of its details are classified. Although government officials have talked publicly about defensive measures being deployed for cyber security, the U.S. government also has offensive capabilities, officials said.

Steven Chabinsky, deputy director of the joint interagency cyber task force within the office of the director of national intelligence, hinted at the offensive aspects of the initiative in a speech at a security conference last week.

“The CNCI brings the offense and defense together to try to achieve complete information awareness,” he said.

He did not give specific examples but added that the initiative will “blend the U.S. government’s talents and expertise in computer network operations with such disciplines as information security, law enforcement, combat and counter intelligence.”

That’s where things get muddy, officials say.

“We don’t have the doctrine yet that’s codified” said Steven Bucci, former Pentagon deputy assistant secretary for homeland defense. “What is an act of war in the cyber realm?”

Indeed, Pentagon officials told a cybersecurity commission established by the Center for Strategic and International Studies they need help clarifying existing doctrine for playing offense in the cyber realm, said James Lewis, director of the technology and public policy program at CSIS.

“Modernize the laws; clarify the authorities,” said Lewis, who serves as the commission’s project director. “Clarify what your doctrine is for responding to attacks.”

Chabinsky would not answer questions from reporters after his speech and directed inquires to the office of the director of national intelligence, which did not respond to questions.

Attribution vs. Retribution

One of the most difficult issues for government agencies is determining the origin of cyberattacks because intruders can hide their identity by using remote servers or by installing malicious code on computers operated by innocent users, officials said.

“Attribution is a very serious and complex troubling issue when you talk about deploying offensive capabilities for deterrence and for response,” said Langevin, co-chairman of the cybersecurity commission.

Part of the challenge for policymakers is determining whether attacks require a law enforcement response, an intelligence response or a military response, Lewis said.

“We were told the default is to use law enforcement authorities because often the circumstances are so unclear that you have to treat it as a crime rather than a military episode,” he said.

And the scale of offensive action needs to be weighed against many factors.

The U.S. government might be aware, for example, that relatively minor attacks against information networks in the United States are coming from a hostile foreign government, Bucci said.

But what happens if the United States learns that a large-scale cyber attack is going to come from that country, Bucci asked. The U.S. government will then be faced with whether to take pre-emptive cyber action against the information networks of that country, he said.

Some organized crime syndicates also operate with the implicit support of adversarial foreign governments. “Do we attack those governments?” Bucci asked.

Such policy questions now await President-elect Obama, whose transition team declined to comment for this report.

Langevin said the U.S. government must immediately define a national cyber strategy with a public component that communicates to adversaries what the United States is capable of doing and prepared to do.

Such a strategy, he said, would be equivalent to the policy of mutually assured destruction for nuclear weapons. Langevin said the government also must immediately train and equip a cybersecurity workforce.

“This is something where the Congress and the administration need to work closely to determine when and how we will respond,” Langevin said.

Growing Threats

The need to clarify policies and laws for cyberwarfare was highlighted in recent high-level government and private industry reports that documented the growing cyber threat to U.S. agencies and companies.

The congressionally charted US-China Economic and Security Review Commission released its annual report last week, concluding that China is targeting U.S. government and commercial computers for espionage.

The Defense Science Board released a report earlier this month, saying in part that cyber attacks could have a crippling impact on space-based assets that provide surveillance, communication and navigation services.

And the board of directors of the Internet Security Alliance, a trade group that advocates greater public focus on and investment in cybersecurity, issued policy recommendations for President-elect Obama last week in a report documenting vulnerabilities and concerns of major firms in such sectors as technology, banking, defense, manufacturing and higher education .

“Signature-based intrusion detection, firewalls, and anti-virus technologies are all deployed, but they do little to identify or prevent more sophisticated adversaries,” said a section of the ISA report devoted to the defense industry.

“Spam, spoofed e-mail addresses, multi-hopping exploits, and third party domain registration all serve to make internet crime and intellectual property theft all but impossible to prevent,” the report said.

Questions also persist over whether, and when, the U.S. government should take offensive cyberwarfare action to protect a private company, given that most of the critical infrastructure in the United States is owned and operated by the private sector.

“It’s a great question. It’s an important question,” said J. Michael Hickey, Verizon’s vice president of government affairs for national security policy, adding that he has not had discussions with the government about the issue.

“I do think it’s important for government and industry to address this issue given the ownership and responsibility for managing our nation’s networks,” he said. “If they are 90 percent privately owned, then there does need to be a considerable discussion about it.”

CHRIS STROHM writes for Congress Daily, where this article originally appeared.







More articles by:

2016 Fund Drive
Smart. Fierce. Uncompromised. Support CounterPunch Now!

  • cp-store
  • donate paypal

CounterPunch Magazine


October 26, 2016
John W. Whitehead
A Deep State of Mind: America’s Shadow Government and Its Silent Coup
Anthony Tarrant
On the Unbearable Lightness of Whiteness
Luke O'Brien
The Churchill Thing: Some Big Words About Trump and Some Other Chap
Mark Weisbrot
The Most Dangerous Place in the World: US Pours in Money, as Blood Flows in Honduras
Eric Draitser
Dear Liberals: Trump is Right
Chris Welzenbach
The Establishment and the Chattering Hack: a Response to Nicholas Lemann
Sabia Rigby
In the “Jungle:” Report from the Refugee Camp in Calais, France
Linn Washington Jr.
Pot Decriminalization Yields $9-million in Savings for Philadelphia
Pepe Escobar
“America has lost” in the Philippines
Pauline Murphy
Political Feminism: the Legacy of Victoria Woodhull
Lizzie Maldonado
The Burdens of World War III
David Swanson
Slavery Was Abolished
Thomas Mountain
Preventing Cultural Genocide with the Mother Tongue Policy in Eritrea
Colin Todhunter
Agrochemicals And The Cesspool Of Corruption: Dr. Mason Writes To The US EPA
October 25, 2016
David Swanson
Halloween Is Coming, Vladimir Putin Isn’t
Hiroyuki Hamada
Fear Laundering: an Elaborate Psychological Diversion and Bid for Power
Priti Gulati Cox
President Obama: Before the Empire Falls, Free Leonard Peltier and Mumia Abu-Jamal
Kathy Deacon
Plus ça Change: Regime Change 1917-1920
Robin Goodman
Appetite for Destruction: America’s War Against Itself
Richard Moser
On Power, Privilege, and Passage: a Letter to My Nephew
Rev. William Alberts
The Epicenter of the Moral Universe is Our Common Humanity, Not Religion
Dan Bacher
Inspector General says Reclamation Wasted $32.2 Million on Klamath irrigators
David Mattson
A Recipe for Killing: the “Trust Us” Argument of State Grizzly Bear Managers
Derek Royden
The Tragedy in Yemen
Ralph Nader
Breaking Through Power: It’s Easier Than We Think
Norman Pollack
Centrist Fascism: Lurching Forward
Guillermo R. Gil
Cell to Cell Communication: On How to Become Governor of Puerto Rico
Mateo Pimentel
You, Me, and the Trolley Make Three
Cathy Breen
“Today Is One of the Heaviest Days of My Life”
October 24, 2016
John Steppling
The Unwoke: Sleepwalking into the Nightmare
Oscar Ortega
Clinton’s Troubling Silence on the Dakota Access Pipeline
Patrick Cockburn
Aleppo vs. Mosul: Media Biases
John Grant
Humanizing Our Militarized Border
Franklin Lamb
US-led Sanctions Targeting Syria Risk Adjudication as War Crimes
Paul Bentley
There Must Be Some Way Out of Here: the Silence of Dylan
Norman Pollack
Militarism: The Elephant in the Room
Patrick Bosold
Dakota Access Oil Pipeline: Invite CEO to Lunch, Go to Jail
Paul Craig Roberts
Was Russia’s Hesitation in Syria a Strategic Mistake?
David Swanson
Of All the Opinions I’ve Heard on Syria
Weekend Edition
October 21, 2016
Friday - Sunday
John Wight
Hillary Clinton and the Brutal Murder of Gaddafi
Diana Johnstone
Hillary Clinton’s Strategic Ambition in a Nutshell
Jeffrey St. Clair
Roaming Charges: Trump’s Naked and Hillary’s Dead
John W. Whitehead
American Psycho: Sex, Lies and Politics Add Up to a Terrifying Election Season
Stephen Cooper
Hell on Earth in Alabama: Inside Holman Prison
Patrick Cockburn
13 Years of War: Mosul’s Frightening and Uncertain Future