Understanding Cyberattack as an Instrument of U.S./National Policy
Herb Lin
Computer Science and Telecommunications Board
National Academies
25 October 2010
Project supported by the MacArthur Foundation, Microsoft, and the National Research Council

Committee and report
Military
  WILLIAM A. OWENS, co-chair (USN Retired, fmr VCJCS)
  CARL G. O’BERRY, The Boeing Company (USAF Ret)
  WILLIAM O. STUDEMAN, USN Retired (fmr NSA Director)
Foreign Relations and Diplomacy
  KENNETH W. DAM, co-chair, University of Chicago
  SARAH SEWALL, Harvard University
Information technology
  THOMAS A. BERSON, Anagram Laboratories
  DAVID D. CLARK, MIT
  RICHARD L. GARWIN, IBM Fellow Emeritus (technology)
  JEROME H. SALTZER, MIT, (retired)
  MARK SEIDEN, MSB Associates
International and National Security Law
  JACK L. GOLDSMITH, Harvard Law School
  GERHARD CASPER, Stanford University
  WALTER B. SLOCOMBE, Caplin and Drysdale
  MICHAEL A. VATIS, Steptoe & Johnson LLP
Available free on Internet in PDF – last slide will have details

On classification
• Study is entirely unclassified.
• To our knowledge, first comprehensive integrated treatment of cyberattack from a policy perspective to examine technical, legal, ethical issues.
• Useful for policy makers to know what is knowable on an unclassified basis.

The broad context
• Nations are increasingly dependent on information technology, and thus important IT functionality must be protected.
• Cybersecurity: measures taken to protect or preserve a computer system or network and the information it holds.
  – Defensive cybersecurity (reports, legislation, op-eds…)
    • Passive defenses
      – Anti-virus and intrusion detection software
      – Better password security
      – Greater attack resistance in software
    • More robust law enforcement mechanisms
      – e.g., Convention on Cybercrime
  – Offensive cybersecurity (a generally classified subject)
    • Offensive operations can be used for defensive purposes.
• Cyber conflict and cyber security have both defensive and offensive dimensions, and comprehensive approaches require understanding both.

Basic taxonomy for offensive cyber operations
• Cyberattack: action to destroy, degrade, disrupt adversary IT or information therein
• Cyberexploitation: action to (very quietly) obtain information from adversary IT
• Technical operations
  – remote (e.g., DOS, virus, worm)
  – close-access (e.g., USB key, software swap during shipment, compromised chip in manufacturing supply chain)
• Social engineering operations
  – Tricking, bribing, blackmailing, extorting someone to take action
• Technical and social operations are often combined
• Cyberattack and cyberexploitation are technically very similar, hard for adversary to distinguish. (Also hard for news media to distinguish.)

Key characteristics
• Offensive operations can be conducted with plausible deniability
  – But remember that adversaries make mistakes too, and all-source intelligence helps
• Offensive technology is relatively inexpensive, widely available, and easy to obtain.
• A resource-poor attacker may have significant leverage, by
  – stealing computing and financial resources;
  – using automation to reduce personnel needed and increase tempo.
• The indirect effects of cyberattacks are almost always more consequential than the direct effects of the attack
  – must judge cyberattacks by total effect, and “indirect” does not mean “not primary”
• Many nonstate actors (companies, patriotic hackers, terrorists) can have influence and may be able to cause some of the same kinds of effects as state actors.
• Effects can span an enormous range; cyberattack is a methodology, not a specific weapon per se.
• A cyberattack is NOT of lesser consequence because it targets “only” a computer.
• Effects may be significantly delayed in time from moment of insertion.

Operational considerations and realities
• Cyber operations can be selective or non-selective in targeting.
  – Selectivity implies long lead time, complex intelligence requirements, specialized skills, higher cost
• Cyber operations (especially attacks) can be very complex to plan and execute.
  – Larger range of options than most traditional military operations
  – Analysis of (many) outcome paths may require specialized knowledge (Stuxnet).
  – Time and spatial scales can span many orders of magnitude
• A cyberattack may be
  – Usable only once or a few times
  – Limited temporally in effect and/or limited in scope (if highly targeted)
  – Technically fast but operationally slow; hence most suitable in non-time-urgent operational scenarios (e.g., early use); “speed of light” vs “speed of law/thought/analysis”

Operational … (continued)
• Target identification
  – Translating IP address, processor serial number, configuration, keyboard language into target identification
  – Often a manual process
• Plan operation
  – Gain access in advance (prepare the battlefield), determine vulnerability
  – Specify payload (identify effects sought)
  – Limit collateral damage (must know what is connected; cascading effects hard to predict)
• Execute operation
  – May take place some time distant from obtaining access/vulnerability; defenses/configuration may have changed
• Perform assessment (distinguish between real success and faked success)
  – If exploitation, misinformation may be returned
  – If attack, target may only appear to shut down
• Many answers depend on detailed intelligence information on targets, and thus success of a cyber operation is highly contingent.

Possible connections of offensive cyber operations for defensive purposes
• Before adversary attack
  – Early warning of attack means living inside adversary network
  – May need to pre-empt offensive cyber action about to be undertaken by adversary
• During adversary attack
  – May need to disrupt a cyberattack in progress by disabling attacking computers
• After adversary attack
  – Need for conducting forensic investigation that may require multiple intrusions into proximate and intermediate nodes.
  – Retaliation a possibility to discourage further attacks.
• And what of non-defensive purposes?

Illustrative non-defensive applications of offensive cyber operations
• Traditional military operations
  – Suppression of adversary air defenses.
  – Disruption of adversary plans for military deployment.
  – Disruption of adversary critical infrastructure (e.g., power grids)
• Covert action
  – Influencing the outcome of a foreign election using electronic voting machines.
  – Altering electronic medical records of adversary military leaders.
  – Disruption of adversary infrastructure for censorship.
• Cyberexploitation
  – Exploration of adversary command and control networks to determine command arrangements, orders of battle
  – Probes of adversary military networks in preparation for later attack.
  – Exfiltration of negotiating positions, political plans, commercial information.

U.S. policy today
• National security
• Law enforcement
• Private sector

(parts of) DOD policy
• DOD seeks superiority in the cyber domain--the state in which U.S. and friendly forces have complete freedom of action in the domain and adversary forces have no freedom of action.
  – Revised in recent testimony by Keith Alexander, who questioned US ability for the latter
  – NRC report concludes that enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States.
• DOD implied declaratory policy on cyberattack:
  – Cyberattack is just like any other weapon in the DOD arsenal except for operational considerations.
  – Cyberattack is better suited for early use, when there is time to collect intelligence
• DOD has publicly announced policy re cyberattack in the case of active defense
• USAF seeking capabilities for automated cyberattacks conducted for defensive purposes.

Intelligence on cyberexploitation and covert action
• Intelligence collection (including cyberexploitation) undertaken to further the interests of the United States outside CONUS – unlimited except if US persons involved. Not a violation of international law.
• Intelligence collection on behalf of specific US companies – not undertaken as a matter of US policy (not true for some other nations, e.g., France)
• Covert action – regulated by US statute: “activities of the U.S. government to influence political, economic, or military conditions abroad, where it is intended that the role of the U.S. government will not be apparent or acknowledged publicly.” Must be authorized by findings of the President, and reported to appropriate individuals in the U.S. Congress. Note alignment of plausible deniability requirement and technical characteristics of cyberattack. One reported example: US against USSR in 1982.

One public story regarding alleged US cyberattack on the Soviet Union
• Soviet Union actively sought to obtain Western technology (including pipeline control software). US discovered the list of sought-after technologies.
• In 1982, the U.S. spiked software that was subsequently obtained by the Soviet Union.
  The software was “programmed to go haywire, [and] after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds.”
• The result -- a large explosion in a Siberian natural gas pipeline (visible from space, looked like a 3 kiloton nuclear blast)
• Beyond the immediate effect, “the Soviets came to understand [over time] that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.”
• Source: Thomas Reed, At the Abyss: An Insider's History of the Cold War, Ballantine Books, New York, NY, 2004

Law enforcement and private sector action
• Law enforcement
  – Cyberexploitation governed under various statutes re wiretapping, access to stored information etc.
  – Cyberattack limited, but not forbidden (e.g., jamming of cell phones to protect President)
  – Law enforcement authorities exempt from Computer Fraud and Abuse Act (CFAA).
• Private sector
  – Governed by CFAA, and prohibits private action
  – Self-defense justification never attempted

On cyberdeterrence

The why and how of deterrence
• How can we persuade adversaries to refrain from launching damaging cyberattacks?
• Deterrence seems like the obvious inevitable choice in an offense-dominant world.
  – Passive defense is inadequate and eventually will fail;
  – Law enforcement actions are too slow and uncertain in outcome.
• Deterrence of nuclear threats in the Cold War establishes the paradigm – largely successful. Based on a credible threat to:
  1. Deny the attacker the benefits of an attack
  2. Punish the attacker by imposing unacceptable costs

Deterrence (in classical form) …
• Denial (#1) is too hard, hence punishment (#2) is a more appealing strategy.
• Threat of punishment requires:
  – Attribution of attack to adversary
    • what system, which actor?
    • Cyberattack does not require skills that are limited to small set of adversaries
  – Knowing that an attack has happened
    • Noisy background
    • Ambiguous effect (exploitation? Delayed effect?)
    • Difficulty of correlating information across multiple affected sites
    • Slow forensics
  – Credibility
    • Nations conduct many highly visible military training exercises in part to demonstrate capabilities to potential adversaries. How should nations demonstrate (secret) cyber capabilities?
• Bottom line on cyberdeterrence – uncertainty about how traditional concepts of deterrence (i.e., #2) apply to cyberspace. Thus, denial has greater appeal (cf., recent Lynn Foreign Affairs article)

On escalation and termination
• Deterring escalation is just as important (perhaps more so) as deterring onset of conflict.
• Unintended escalation particularly dangerous when
  – operational actions are less visible to senior decision makers
  – outcomes of actions are more uncertain (e.g., cascading effects)
• How can cyberconflict be terminated?
  – Noisy background of criminal and hacker (and perhaps 3rd nation) cyberattacks
  – Requirements for “termination” – how to de-mine?
  – How to suppress patriotic hackers?

International law and offensive cyber operations

Jus ad Bellum (conditions for engaging in conflict)
• UN Charter prohibits “threat or use of force against the territorial integrity or political independence of any state” (Art. 2(4))
  – “Force” not defined. By practice, it
    • includes conventional weapon attacks that damage persons or property
    • excludes economic or political acts (e.g. sanctions) that damage persons or property
• UN Charter Art. 51 - “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations..”
  – “Armed attack” not defined, even for kinetic force.

When is a cyberattack a “use of force” or an “armed attack”?
• Easier:
  – Exploitation w/o damage or degradation (no); cyberattack that causes physical damage akin to kinetic attack (yes); use of cyberattack during acknowledged armed conflict (not covered by Art. 2(4) but subject to LOAC jus in bello).
• Harder:
  – Economic damage without physical damage
  – Temporary, reversible interference with computer system
  – “Mere” data destruction or degradation
  – Introduction of Trojan horse software agents
    • Payload with exploitation and attack capabilities? (cf. human spy skilled in sabotage?)
    • Payload to accept a future upgrade with unknown capabilities?
    • Destructive payload with delayed action capability? (cf., pre-planted remotely detonatable mine)
    • Empty payload – a shell that can be remotely upgraded in the future
• Cyberattack that has effects comparable to a kinetic armed attack is also an armed attack, but few good analogies to past kinetic precedents.

When is a cyberattack a “use of force” or “an armed attack”?
• Answers matter to attacked party, because they influence when and under what authority law enforcement (vis a vis military) takes the lead in responding, and what rights the victim might have in responding.
• Answers matter to attacking party, because they set a threshold that policy makers may not wish to cross in taking assertive/aggressive actions to further its interests.

Some hard scenarios under the UN charter
• Economic damage without physical damage
  – Raiding a national treasury?
• Political interference without physical damage
  – Hacking electronic voting machines?
• Temporary, reversible interference with military/critical infrastructure systems
  – DOS attack?
• “Mere” data destruction or degradation
  – Corruption of database responsible for military logistics scheduling?
• Violations of neutrality in cyberspace?
  – Use of a third nation’s routers to carry a cyberattack?
• Ambiguities between legal exploitation and illegal attack?
  – Introduction of agent for exploitation with remotely upgradeable capabilities?
• Attacks on dual-use infrastructure?
• Requirements for separation of military and civilian infrastructure?
• Inherently clandestine and deception-based attacks? (perhaps analogous to submarine warfare in 1914?)
• National responsibility for non-state actors?
• Time delay between insertion and use for attack?

Jus in Bello (behavior during conflict)
• Principle of Non-Perfidy
  – Cannot pretend to be legally protected entity
• Principle of Proportionality
  – Collateral damage on civilian targets acceptable if not disproportionate to the military advantage gained.
• Principle of Distinction
  – Military operations only against “military objectives” and not against civilian targets

Non-perfidy
• Requirement for identification of USG cyberattacks?
  – USAF insignia on airplanes and cruise missiles.
  – Military personnel in distinctive uniforms.
  – Trojan horses with distinctive identifiers “This agent is a bona fide weapon of the US government”?
  – Public infrastructure so that any victim can verify the authenticity of such an identifier?
• Requirement for identifying military and civilian targets in cyberspace?
  – Nations have obligations to enable identification of military assets (distinctive vehicles with insignias) and are entitled to identify entities legally immune to attack (Red Cross on ambulances, white flags).
  – What must be done to identify military computers/networks? IT assets of hospitals and religious institutions? Who will verify the latter? (International Red Cross?)

Proportionality: uncertainty regarding outcome of a cyberattack
• Outcomes often more uncertain than for attacking physical targets
  – Indirect, cascading effects
  – Collateral damage difficult to calculate
    • No empirical or theoretical basis on which to estimate collateral damage (no cyber “blast radius”)
  – Uncertainty amplified by need to gather intelligence promptly in many tactical situations
• Experience in Balkans suggests long lead times for decisions on using cyber operations, due in part to JAG review

Distinction: Legitimacy of attacks that disable computer-dependent civilian services
• Military communications often take place over the Internet; military forces dependent to some extent on commercial power grid. Are the national infrastructure for Internet (e.g., routers) and power grid valid military targets?
• To what extent are computer-dependent civilian services or communications “essential” to life in a modern society? Does disruption in these services rise to the level of causing death and destruction?

Arms Control Regimes for Cyberattack?

Why might regimes be desirable?
• Reduce likelihood of conflict, damage if conflict occurs.
• Allies significantly more dependent on IT, thus restrictions on cyberattack asymmetrically benefit Allies
• Delegitimize cyberattack as a military weapon and discourage other nations from developing such capabilities for use against Allied interests.

Reasons for skepticism?
• Other nations will develop cyberattack capabilities under any circumstances. (Some see cyberattack as an ideal instrument of asymmetrical warfare.)
• Verification of limiting capabilities essentially impossible.
  – Can’t restrict code, expertise/knowledge, underlying technology
  – Infrastructure needed to conduct attacks is small, easily hidden.

Restrictions on use of cyberattack?
• Refrain from striking at national financial systems or power grids (similar to “no kinetic attack on hospitals” or “no blinding lasers”)
• May require cooperative measures (e.g., electronic identification of permitted and/or prohibited targets)
• Attackers can violate such agreements (just as a kinetic attacker can target ambulances or fire mortars from sanctuaries), and compliance in wartime is not assured.
• However, such agreements:
  – Help to create international norms regarding the acceptability of such behavior.
  – Inhibit training that calls for violation.
  – May be enforced to some degree through threat of reciprocal use.
  – Probably most useful prior to the onset of conflict, because a signatory would have incentives to comply to avoid unwanted escalation.

Many complicating factors
• Living with any regime we claim to want – must be reciprocal.
• Routine cyberexploitation during crisis might be escalatory; refraining from cyberexploitation during crisis may deprive NCA of valuable tactical information (e.g., early warning).
• Difficulty of technical attribution makes proving a violation hard.
• Non-state attackers (patriotic hackers, terrorists)
• Widespread diffusion of relevant technology and expertise
• Private sector ownership/operation of cyberspace
  – May require high degree of intrusiveness on the behavior of individuals and of the private sector.
  – Possible national responsibility for private sector actions

Collateral agreements/understandings may be helpful
• Examples from non-cyber world
  – Advance notification of ballistic missile launches
  – Measures to prevent dangerous incidents at sea
  – Hotlines to promote communication during crisis
• Possible collateral agreements for cyber
  – Agreements to cooperate promptly in investigation of cyberattacks from home territory
  – Agreements on sufficiency of evidence to presume attribution

Private Sector Equities

Google and China
• Google raised two issues (“Operation Aurora”)
  – Attempts to compromise email accounts of Chinese human rights activists
  – Penetrations of 34 companies (mostly in Silicon Valley) to obtain corporate data and software source code.
• China held responsible by Google for these actions.
  – Targeted attack against specific individuals, using previously unknown vulnerability in Internet Explorer that allows remote code execution.
  – Google undertook its own forensic investigation, gaining access to a computer in Taiwan and monitoring its operations to identify penetration targets.
  – Attribution to China made largely on the basis of attack’s technical sophistication and breadth and the targets of the cyber operations.
  – Some reports indicate that malware used in latter penetration employed an algorithm contained in a technical report published only on Chinese-language Web sites.
  – Non-circumstantial evidence is scarce—highlights difference between technical attribution and political decision to hold a nation accountable based on all sources of information.
• Subsequent Google action to un-censor its China search engine
• Some actions traced to elite Chinese IT schools
  – Many possible/plausible explanations (gov’t sanctioned activity, overly enthusiastic students, contest, final exam)

Some questions raised by Google/China engagement
• Google action to uncensor its search engines - retaliation for Chinese actions?
• How and to what extent, if any, should private entities be allowed to shoot back? Does private shoot-back increase or decrease likelihood that a private entity will be attacked?
• How and to what extent, if any, should private entities be allowed to conduct their own forensic investigations (which may involve some degree of hackback)?
• Private actors in U.S. engaging in cross-border offensive operations (patriotic hackers, U.S. corporations acting in self-defense) have legal implications for the U.S.
  – U.S. responsibility potentially implicated if private actions rise to “use of force”
  – Possible interference with US government cyber operations

More broadly…
• Certain cyberattacks undertaken by the United States are likely to have significant operational implications for the U.S. private sector.
  – Internet-based attack may require cooperation of U.S./Allied ISPs (ISPs usually asked to suppress cyberattacks – what about shutting down a US attack?)
  – Shaping the cyber battlefield may require cooperation of U.S./Allied IT vendors and service providers.
  – Adversary response to U.S. cyberattack may affect U.S. ISPs and critical infrastructure

Some broad observations and issues

Bear in mind…
• Cyber conflict is not separate from other spheres of potential conflict.
• Options for responding to cyberattacks on the United States span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks.
• Cyber conflict is not just relevant to US government, and issues arise in deterring attacks on private sector entities.

Nuclear conflict as analogy for cyber
• Many superficially obvious connections
  – Relevant concepts: early/tactical warning, attack assessment, stability, deterrence, offense dominance, counterforce, countervalue, escalation control, first use, first strike, secure second strike, war termination, launch under attack, launch on warning, employment options, proliferation, fratricide, laws of war, cascading effects; unpredictable effects; command and control…
• But deeper analysis suggests badness of fit
  – Private sector doesn’t have nuclear weapons.
  – Many of the same questions/issues arise in cyber as in nuclear (as well as in many other forms of conflict)
  – Answers to these questions are mostly very different
• Some suggest biological weapons are a better metaphor from a strategic point of view (deterrence, arms control, and so on).

Fostering a national debate on cyberattack
The U.S. government [and other nations] should conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties are involved in discussions and familiar with the issues.
• Some aspects of cyberattack SHOULD be classified, e.g.
  – U.S. interest in a specific cyberattack technology
  – Fragile and sensitive operational details that are not specific to the technologies themselves
  – Capabilities and intentions of specific adversaries.
• But these are not relevant to answering questions about declaratory policy, and thus secrecy about policy issues serves to inhibit necessary discussion about them.
• Impossible to have a coherent discussion of policy while discussing only the defensive side; discussing defense only leads to a “victim” mentality.

C2 for offensive cyber operations
• Early use of cyberattack may be easy to contemplate in a pre-conflict situation, so a greater degree of operational oversight for cyberattack and cyberexploitation may be needed compared to use of other options.
  – Confusion on adversary’s part regarding intent of cyber operation – an exploitation may be seen as an attack.
  – Operational footprint left by cyberattack activities is small, and routine activities may be less visible to senior decision makers.

Some interesting fundamental questions
• In light of the poor track record of deploying cyber defenses adequate to meet the threat, how and to what extent can offensive cyber operations enhance cybersecurity?
• In light of limited law enforcement response capabilities, how and to what extent, if any, should private entities be allowed to shoot back or investigate? Does private shoot-back increase or decrease likelihood that a private entity will be attacked?
• What can/should a nation do in cyberspace in conditions short of avowed armed conflict or in response to actions that fall short of armed attack or uses of force?
• How (if at all) should an attacking nation enable adversaries to differentiate between exploitation and attack?
• How, if at all, are existing international legal regimes (e.g., the laws of armed conflict, the Geneva Conventions) adequate to manage cyberconflict?
• What is the role of international cooperation and agreements in managing cyber conflict?

Report explores all these issues in much greater detail
Herb Lin
Chief Scientist, Computer Science and Telecommunications Board
National Research Council
202-334-3191, hlin@nas.edu
Download reports free – Search for MacArthur Foundation, Cyberattack, Policy NRC report, deterring cyberattacks (latter has 50 interesting research questions)