Sounding the cyber alarm

An April cyberspace symposium provided a forum for military and private-sector cybersecurity experts to discuss the challenges of cyber deterrence and raise awareness about the severity of threats to military networks.

Alarmists say it louder than military officers who prefer to whisper softly, but many cyber world thinkers agree that the United States is vulnerable to a cyberattack.

“Our sovereignty is at risk,” said O. Sami Saydjari, founder and president of Cyber Defense Agency, a strategic security consulting company. Saydjari, whom some say leans toward the alarmist side of the spectrum, spoke in April at the 2009 Cyberspace Symposium in Omaha, Neb. China and Russia “have launched a couple of cyber Sputniks," he said. "The capabilities that they are demonstrating are significant and perhaps better than ours.”

Not far from downtown Omaha is Offutt Air Force Base, which is home to the Strategic Command. One of the command’s jobs is shaping a strategy that prevents such a cyberattack from happening. Parsing conflicts in terms of deterrence — making the price of an attack so believably high to potential attackers that their cost/benefit ratio is negative — comes naturally to Stratcom. It commanded the United States’ land-based strategic bomber aircraft and land-based intercontinental ballistic missile nuclear arsenal for the duration of the Cold War.

During the Cold War, the rules coalesced into fairly clear lines. Now the command faces an array of questions for which there are no easy answers.

“Can we determine first of all that we are being attacked?” asked Air Force Brig. Gen Susan Helms, Stratcom’s director of plans and policy. “How will we differentiate between that and, let’s say, a system failure?”

Other questions include: How can anyone be sure where the attack is coming from? It’s difficult in the cyber world to attribute where an attack originates with certainty. Also, could another country be stirring up apparent attacks in an effort to channel a U.S. response toward an apparent aggressor? Then there are questions about the nature of U.S. response — do cyberattacks require a cyber response, or should the president order a live weapon reply? At what point does the threat of a kinetic attack become unbelievable?

Some states — notably, China — believe in exploiting military reliance on information technology as a combat tactic. Would other countries or organizations exploit the United States' willingness to believe a Chinese attack is imminent even if a treat does not exist? Stratcom, in conjunction with Pacific Command, will attempt to hold direct talks with the Chinese military over cybersecurity issues, said its commander, Air Force Gen. Kevin Chilton.

“Does it matter if it’s an attack on the economy, where there’s little physical damage, there’s just disruption?” asked a Stratcom official who requested to remain anonymous.

Cyberattacks also can vary in scale. An attack that shuts down a power plant in western Nebraska for a few hours could be a nuisance. The same attack in New York City would be many times costlier.

Not every intrusion into U.S. military networks is necessarily an act of war, the Stratcom official said. “You will hear people new to this discussion a lot using the word ‘attack’ interchangeable with ‘espionage,’” he said.

Espionage generally is a crime punishable by jail time — but in the cyber world, intensive spying could enable physical combat. When do “normal” cyber operations conducted in peace time cross the line — and where is the line?

“It’s not going to be the same for cyber as we’ve seen with the nuclear approach to deterrence,” Helms said.