Marine General's Call for an Offensive Cyber-Security Strategy Dangerous

By Wayne Rash  |  Posted 2011-07-18

Marine General's Call for an Offensive Cyber-Security Strategy Dangerous

One of the things you see frequently here in Washington is infighting among senior members of the same department in the executive branch. What you don't see very often is a subordinate in the military chain of command trying his best to publicly derail a proposal put forth by a superior.

Usually the junior person ends up with a drastically shortened career. Hopefully that will be the case after Marine Gen. James Cartwright gets his justly deserved tongue lashing sometime this week.

What happened is that Cartwright called a press conference right before William Lynn, Deputy Secretary of the Department of Defense, released the Pentagon's cyber-security strategy. Part of that strategy is the U.S. Department of Defense's plan for protecting critical infrastructure.

Cartwright, vice chairman of the Joint Chiefs of Staff, said that the strategy was wrong, and that the U.S. military should be taking an offensive posture by making sure there are consequences for those who attack U.S. interests in cyberspace.

While I can understand where the general is coming from, it's not a very effective way to make your point by sandbagging your own department in advance of a policy announcement. This will surely have consequences for Cartwright. But will it end up having consequences for the rogue nations and terrorists who attack U.S. interests? Probably not.

The problem, first of all, is that it's nearly impossible to know exactly where a cyber-attack is coming from. Sure, you can probably track down the computers that make up the botnet that's being used to break into your military computers or your smart grid controllers, but that doesn't tell you anything. Neither does trying to track down an attack such as the worm that nearly took out a large number of U.S. Army computers a couple of years ago-a worm that apparently was delivered on a USB memory stick.

For that matter, nobody really has proved for sure where the Stuxnet worm that crippled Iran's nuclear projects actually came from. While there's a lot of speculation and one Israeli general claimed credit, you can't attack another nation on the basis of speculation and unverified claims. Before the U.S. military can attack another nation or a group of terrorists, or even a cohort of rogue hackers for that matter, it has to be assured that it's attacking the right place or the right person.

This is why the CIA and other intelligence agencies took months and spent millions of dollars before the Navy SEALS invaded Osama bin Laden's compound and killed him. Failing to make absolutely certain that you're attacking the right person or place has terrible consequences in its own right.

Ready, Fire, Aim


This is why the United States is having so much negative reaction to strikes in everywhere from Libya to Afghanistan when civilians get killed while American pilots are bombing anti-aircraft sites or killing terrorist leaders.

This is what Cartwright has failed to recognize. The concept of "Ready, Fire, Aim" works no better in cyberspace than it does with real bullets. That's especially a problem in cyber-warfare; it's frequently impossible to know right away who is actually responsible for an attack. Unless the attacker makes a mistake or takes public credit for the attack, you almost never have any actual proof.

Even the attacks suspected to be the work of the Chinese military against U.S. interests haven't been proven, despite the fact that U.S. intelligence agencies are reasonably certain that's where they originate from. But even in a case where the source of attacks is clear, is Cartwright ready to have the military attack China? If so, how would he propose to do this? Would he drop a cruise missile on a Chinese military academy building on the off chance it was the source of an attack? Would he launch an all-out cyber-attack against China's army? And what would he do if China openly retaliates? This sounds like the start of a real war, not a cyber-war.

And worse yet, what if we're wrong? It's no secret that it's possible to have the evidence from a cyber-attack point to somewhere else. Suppose we analyze the cyber-attack that's hitting our critical infrastructure, determine that it's coming from, for example, China, when in reality it's not. It's simply that someone has made it seem that way. Are we willing to attack another nation's digital infrastructure based on that sort of evidence?

When I mentioned my service in the Navy in a recent column about the final flight of the space shuttle Atlantis, I made it clear that I've served in the military. In fact, I'm a retired Navy officer, and I recognize it's the duty of the military to protect the United States and its citizens against all enemies. But that doesn't mean that we should go off attacking people, organizations or nations (rogue or otherwise) on a whim, on the basis of assumptions or on guesses.

While Cartwright is correct in saying that people who attack the United States should suffer consequences, that only works when you can know with certainty who they are, and where they are. Otherwise, the only thing you're shooting is yourself-in the foot. 

Rocket Fuel