Defense Criminal Investigative Services (DCIS) Investigates matters relating to terrorism, prevents the illegal transfer of sensitive defense technology, stops cyber crime and computer intrusions, and investigates cases of fraud, bribery, and corruption.
DOD Cyber Crime Center (DC3) Provides criminal, counterintelligence, counterterrorism, and fraud-related computer forensics support to the defense criminal investigative organizations.
Delivers cyber technical training.
Processes digital evidence and analyzes electronic media for criminal law enforcement and DOD counterintelligence investigations and activities.
Performs investigations and provides forensic training to DOD members to ensure that information systems are secure from unauthorized use.
[212] JS J6 has been disestablished as per the DOD Efficiencies Study: Networks and Information Integration (NII) and J6 Disestablishments (FY 2012, $13 million; FYDP, $65 million). Transfers acquisition program oversight responsibilities from the Assistant Secretary of Defense for Networks and Information Integration (ASD(NII)) to the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)) and all remaining NII responsibilities to the DoD Chief Information Officer (CIO). The Joint Staff will transfer its J6 (Command, Control, Communications, and Computer Systems) funding and manpower to the DoD CIO and the US Cyber Command beginning in FY 2012.
[213] See the note above about disestablishment of the JS J6 and the passing of functions from the ASD(NII) to the DOD CIO.
[214] IO responsibilities have passed from Ms. Rosemary Wenchal at OUSD(I) to Mr. Austin Branch at OUSD(P).
Chapter 18. Active Defense for Cyber: A Legal Framework for Covert Countermeasures
[T]he United States reserves the right, under the law of armed conflict, to respond to serious cyberattacks with an appropriate, proportional, and justified military response.
-William J. Lynn, III, "The Pentagon's Cyberstrategy, One Year Later," Foreign Affairs, September 28, 2011
By Catherine Lotrionte[215]
During the Cold War, the United States and the Soviet Union constantly maneuvered to achieve superiority and to counter and deter any aggressive moves by each other. When one nation was perceived to overstep its bounds, the other would signal its discontent by moving aircraft carrier groups, conducting military exercises, pursuing diplomatic engagement, seeking sanctions from the United Nations Security Council, enforcing embargoes, and even conducting proxy wars. These signals may well have prevented a nuclear exchange that would have resulted in the loss of many innocent lives and possibly a world war.
Today, when the threat of cyber conflict among nations is a reality, signaling is just as important if not more so because of the global connectivity of the Internet and its links to nations' critical infrastructure assets. This chapter presents one type of signaling: the use of covert counter cyber strikes. The use of such measures would be an element of the US active defense strategy in cyberspace, carried out either by the United States directly or by third parties on its behalf, and subject to the international laws relating to the recourse to the use of force and the laws of armed conflict where applicable. While the language used by the Department of Defense in discussing its cyber strategy focuses on the defensive aspect of the overall strategy, the notion of active defense involves offensive measures.[216] Active defense measures, however, use offensive means in order to defend against and neutralize a threat. The purpose of using a cyber counterattack is to stop a specific, immediate, or ongoing cyber threat rather than to retaliate with a strategic purpose. It is offensive action for a defensive purpose.[217]
This chapter will examine the use of counter cyber strikes as a model for the United States' operations in cyberspace. This model is one approach that would allow the United States to wage an asymmetric fight that spans the global commons while abiding by the rules of international law. It provides the United States an option for dealing with the critical issue of nonstate actors and state proxies engaging in cyber conflict against the United States. This model is not the exclusive one that has been offered, nor should it be the only one considered by the United States. Others have been offered that could shed light on effective methods for the United States to defend against cyber attacks, including a model that looks at deterrence, a nuclear weapons model of mutually assured destruction, as well as the model of strategic air power.[218] To date, however, not enough attention or writing has focused on the use of direct or indirect counter cyber strikes as an element of active cyber defense.
In 2008, in his testimony before the Senate Select Committee on Intelligence, then-Director of National Intelligence J. Michael McConnell underscored the need for the United States "to take proactive measures to detect and prevent [cyber] intrusions from whatever source, as they happen, and before they can do significant damage." His testimony highlighted the inadequacy of hardening assets and utilizing passive defenses alone as defensive strategies for the United States. The inadequacy of passive defenses suggests that the national debate over cyber security must necessarily include considering attack options for defensive purposes. In other words, if passive defense is insufficient to ensure security, an approach to eliminate or degrade an adversary's ability to successfully prosecute an attack may be warranted. The use of covert action within an active defense framework may increase the success of neutralizing the threat, maintaining deniability while at the same time complying with international norms of self-defense.
Precedent exists for the United States' active defense, as it incorporated such methods to deter its adversaries' aggressive actions during the Cold War. In the 1970s, while the United States initially showed restraint in developing anti-satellite weaponry, it quickly moved to a more offensive posture when the Soviet Union attacked three US satellites in 1975. The Soviets' aggressive acts led President Ford to sign the National Security Decision Memorandum No. 345, directing the Department of Defense (DoD) to develop an operational anti-satellite capability allowing for US-based counterattacks against both private and government-sponsored aggressors.[219] As the Cold War ended and new threats emerged from nonstate actors, the United States adopted an active defense approach in its counterterrorism cyber operations, launching a number of offensive counter cyber attacks against Al Qaeda and Jihadi systems and services.[220]
By 1996, the US government clarified some of the lingering questions surrounding its right to launch both physical and cyber counter attacks against cyber aggressors who compromised the ability of US-owned cyber systems. On September 14, 1996, President Clinton signed Presidential Decision Directive/National Science and Technology Council-8, defining US national space policy. The policy identified key space activities to be conducted in the interest of US national security, including offensive action to protect US space assets.[221] Following the creation of the National Space Policy, Secretary of Defense William S. Cohen issued Department of Defense Directive 3100.10, identifying policies relating to military space control and stating, "Purposeful interference with US space systems will be viewed as an infringement on US sovereign rights. The US may take all appropriate self-defense measures, including . . . the use of force, to respond to such an infringement on US rights."[222] Similarly, in 2010, the Department of Defense in its Quadrennial Defense Review document made it clear that in order to operate effectively in cyberspace, the United States needs "improved capabilities to counter threats in cyberspace," including actively defending its own networks.[223]
In July 2011, the Department of Defense released its Cyber Strategy, which underscored the United States' right to conduct cyber counterattacks against aggressors.[224] An example of this type of active defense was shown in the 2006 US cyber attack against the Al Qaeda network of jihadist websites.[225] The United States is not alone in supporting the use of counter cyber attacks. There have been reports that the UK may have taken down Inspire, a terrorist website.[226] The Israelis have also conducted "denial of service" attacks against Palestinian National Authority websites.[227]
Cold War fears of communist world conquest have been replaced by concerns about the dangers to international peace and security from worldwide jihadism, the acquisition of weapons of mass destruction (WMD) by rogue states and nonstate actors, and the emergence of a new breed of cyber warriors willing to provide their services to states and nonstate actors. With the emergence of terrorism, the proliferation of WMD, and, more recently, cyber warriors with international ramifications as new sources of threats to national security, the United States, like other nations, has been forced to contemplate and develop new strategies and tactics for its national defense. The US intelligence community continues to play an important role in that regard, and today it must do so by supporting the broader US defense efforts against these new threats. The rest of this chapter focuses on the use of covert action as one method for deterring those who would conduct cyber attacks against the United States and its critical assets.
Covert Action
In 1996, in its final report, the Aspin-Brown Commission emphasized the need for a continuing covert action capability, even after the end of the Cold War. It stated, "in 1975, the Rockefeller Commission investigated alleged abuses in certain covert action programmes and concluded that there were 'many risks and dangers associated with covert action, but we must live in the world we find, not the world we might wish. Covert action cannot be abandoned, but should be employed only where clearly essential to vital US purposes and then only after a careful process of high level review'." In an age of proliferated threats, when states are no longer the only adversaries and there is no certain target for attribution, covert action may prove to be even more important to the United States' ability to protect national security.
By law, covert actions are those activities of the US government to influence political, economic, or military conditions abroad, where it is intended that the role of the US government will not be apparent or acknowledged publicly.[228] This can cover a wide range of activities in foreign countries, including political advice to foreign persons or organizations, financial support and assistance to foreign political parties, propaganda, and paramilitary operations designed to overthrow foreign regimes or capture and detain operations against foreign terrorists. Covert action does not include "activities the primary purpose of which is to acquire intelligence, traditional counterintelligence activities, traditional activities to improve or maintain the operational security of United States Government programs, or administrative activities."[229] Traditional military activities are also excluded from the scope of covert action.[230]
Covert action is conducted in support of US foreign policy objectives, as well as when the president has determined that the use of covert action is necessary for US national security. It is done on the assumption that the link between the activities and the US government can be kept secret. Executive Order 12333 makes the CIA the lead (though not exclusive) agency with authority for covert actions.[231] If the president determines that another agency, for example the NSA, is better suited to achieve a particular operational objective, he may direct that agency to conduct the covert action. No matter which government agency is responsible for its planning and execution, however, the legal definition of that term applies equally to those elements of the US government. Covert cyber actions could be of two general types: (1) propaganda and disinformation that would come under psychological operations; and (2) actions to paralyze the computer networks of target countries or nonstate actors supporting the critical elements of the target country.
[215] This is a guest chapter by my friend and colleague, Professor Catherine Lotrionte, Visiting Assistant Professor and Executive Director, Institute for Law, Science and Global Security, Georgetown University. In my opinion, Professor Lotrionte's work in her field of international law and global security is among the very best in the world today.
[216] US Department of Defense, "Department of Defense Strategy for Operating in Cyberspace," July 2011. ("Active cyber defense is DoD's synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities. It builds on traditional approaches of defending DoD networks and systems, supplementing best practices with new operating concepts. It operates at network speed using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems. As intrusions may not always be stopped at the network boundary, DoD will continue to operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on DoD networks.")
[217] National Research Council, Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities, 1011 (2009), pp. 246.
[218] Martin C. Libicki, Cyberdeterrence and Cyberwar (Rand Publishing), p. 39; Greg J. Rattray, Strategic Warfare in Cyberspace (MIT Press), p. 77.
[219] Christopher M. Petras, "The use of force in response to cyber-attack on commercial space systems: reexamining 'self-defense' in outer space in light of the convergence of US military and commercial space activities," Journal of Air Law and Commerce 67, no. 4 (Fall 2002): 1213-1263, 1224.
[220] Maura Conway, "Terrorism and the Internet: New Media, New Threat," Parliamentary Affairs 59(2) (2006): 283-298, 295.
[221] The White House, Fact Sheet On National Space Policy Review, National Security Presidential Directive/NSPD-15, June 28, 2002, p. 1.
[222] US Department of Defense, Department of Defense Directive 3100.10, Space Policy, July 9, 1999, pp. 6-7. This document may be found at the Washington Headquarters Services website at puter warfare," Washington Post, May 31, 2011.
[227] P. D. Allen, "The Palestinian-Israeli Cyber War," Military Review (March-April 2003): 52-59, 52.
[228] National Security Act of 1947, 50 U.S.C. section 413(b)(e)(2006).
[229] Id. section 413b(e)(1).
[230] Id. section 413b(e)(2) (this does not preclude the NSA from being the sole agency responsible for a cyber covert action).
[231] Executive Order No. 12333, section 1.8(e), 3 C.F.R. 200, 205 (1982) (providing that no agency other than the CIA may conduct covert action "unless the President determines that another agency is more likely to achieve a particular objective").