U.S. critical infrastructure and military responsiveness is at such high risk to Chinese and Russian hacking that Pentagon advisors are recommending a special task force, or “an offensive cyber capability tiger team,” to help the military acquire new weapons of cyberwar. But the real worry for senators on the Armed Services Committee, who heard from Defense Science Board members Thursday, was not how to respond to Russia shutting off the lights but how to respond to an attack like the DNC hack and John Podesta hack — attacks on sovereignty that are not necessarily an act of war.
While the group came to warn Congress about attacks to things like the U.S. electric grid and other “vital U.S. interests,” Senators John McCain, R-Ariz., and Elizabeth Warren, D-Mass., quickly brought the discussion to the intelligence community’s assessment that Russia was using spearphishing campaigns to destabilize elections, both in the U.S. and abroad. “If an enemy or an adversary is capable of changing the outcome of an election, that’s a blow at the fundamentals of that country’s ability to govern,” said McCain. “The election is a system of democracy… if you destroy it then you have basically dealt an incredible blow to the country, which is far more severe than shutting down an electrical grid.”
“Describe the range of options the U.S. has for deterrence,” against that sort of thing, demanded Warren.
Jim Miller, a member of the Defense Science Board and a former under secretary of defense for policy, squirmed a bit at the question. “One thing we want to do is deny the benefits” of that sort of operation, he said. “Getting that information out earlier would have been very helpful.”
The board is a group of civilian experts who advise the Department of Defense on technical matters. On Thursday they presented a new report on cyber deterrence.
The military conversation about cyber capabilities and threats (at least the conversation that the public hears) is typically big on buzzwords and small on substance. The most recent report breaks somewhat from that tradition. “Major powers’ (Russia and China) have significant and increasing ability to hold U.S. critical infrastructure at risk or otherwise use the information domain to harm vital U.S. interests, and their more limited but growing capability to thwart our military response through cyber attack,” it concludes.
The proposed tiger team would “develop options and recommendations for improved and accelerated acquisition of scalable offensive cyber capabilities, including additional authorities to USCYBERCOM, and the establishment of a small elite rapid/special acquisition organization.”
The idea echoes what U.S. Cyber Command head Adm. Michael Rogers has said he wants to do with CYBERCOM in the years ahead. Rogers would structure Cyber Command teams much more like special operations forces and give commanders more license to use offensive cyber weapons, the same way you would use regular weapons largely determined by the guy with the gun or his immediate superior.
“At the moment, we tend to differentiate between the offense and defense,” Rogers said last month at the WEST 2017 conference, in San Diego. “Offensive cyber in some ways is treated almost like nuclear weapons in the sense that their application outside of the defined area of hostility is controlled at the chief executive level and not delegated down. What I hope to see in the next five to seven years is can we engender enough confidence in our decision makers and policy makers … you should feel comfortable pushing this down to the tactical level.”
Rogers means he wants fast reaction cyber-squads answering to combatant commanders and outfitted with better tools. On the defensive side, he stressed a need for “machine learning at scale,” using robust artificial intelligence methods applied to detecting and understanding what the enemy is doing and what new tools the enemy is working with. On the offensive side, Rogers said he wants to go to industry for more.
“In the application of [conventional] weapons, we go to the private sector and say, build us a JDAM [a Joint Direct Attack Munition]. On the offensive side [in cyber] to date, we do all of our development internally… is that a sustainable model?” he asked.
The newly released task force report sounds a similar note to Rogers. “Rapidly establishing and sustaining an array of scalable offensive cyber options, including strategic cyber options, will require a different approach to acquisition … Because target systems and software can change, sometimes unexpectedly and at a moment chosen by the adversary, a quick reaction capability with flexible acquisition authorities will be essential.”
Needless to say, throwing lots of money at private outfits to develop break-in tools for adversarial networks, databases, devices, etc. will likely prove controversial since civilians may use similar networks and devices. If you find the perfect hack against, say, a Cisco networking product, can Cisco sue you for damages? Can Cisco customers sue you if an outside party then uses the access tool you developed to steal their data? It’s one reason why following the rules of armed conflict becomes much harder when the battle terrain is, in part, other people’s phones and equipment and not physical space.