The federal government is increasingly using cyber-tactics to defend its IT assets against attackers and to protect its interests. It’s about time, since enemies are already relying on an extensive arsenal of cyber-weapons, experts said.
President Obama has signed executive orders outlining how far the United States military can go when launching cyber-attacks and other cyber-operations against enemies and as part of routine espionage activities, the Associated Press reported June 22.
The orders, which were signed more than a month ago and cap a two-year Pentagon effort to draft rules for the U.S. military, detail when the military needs to seek presidential approval for a specific cyber-assault and how the Department of Defense will integrate cyber-capabilities into military strategy, defense officials said.
The strategy document outlines some of the approved activities, ranging from planting a computer virus on adversaries’ computers to launching attacks that bring down a target electrical grid or defense network. When under attack, the United States can defend itself by blocking cyber-intrusions and taking down servers in another country. And similar to a missile attack, the military can pursue attackers across national boundaries, the AP reported.
“We must have the capability to defend against the full range of cyber-attacks,” Deputy Defense Secretary William Lynn said. Terror groups will eventually learn how to launch crippling cyber-attacks, so the United States needs to be more aggressive in offensive and defensive countermeasures, he said.
Many of the attacks on American businesses, critical infrastructure and defense systems are a “direct challenge” to our military superiority, Charles Dodd, a government consultant for cyber-defense and an adviser to the House of Representatives Homeland Security Subcommittee on Emerging Threats, Cybersecurity, Science and Technology, told eWEEK. State-sponsored attacks are going after military secrets without any fear of retaliation, he said.
Cyber-attacks aren’t always “money-making” but are often a military tool, according to Dodd, who noted that China built its networks with a tactical mindset. “It’s only a matter of time before the attackers take any of this to the next level,” Dodd said, noting that cyber-attacks are expected to escalate into much more serious threats.
The Department of Defense and other federal agencies are preparing to meet the threat. In the “International Strategy for Cyber-Space” policy document released mid-May, the White House said the United States would respond to “hostile acts in cyberspace” in the same manner as any other threat against the country.
Viruses, IT Sabotage Now Sanctioned Cyber-Weapons
“We reserve the right to use all necessary means – diplomatic, informational, military, and economic – as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests,” the policy said. Military force would be used only after all other options have been exhausted.
The Pentagon has also developed a list of cyber-weapons and tools, including viruses that can sabotage foreign critical infrastructure, that the United States can use “to deter or deny a potential adversary the ability to use its computer systems,” an anonymous official recently told the Washington Post.
The techniques to launch a cyber-attack are similar to those of any other military operation, according to Dodd. Extensive reconnaissance, surveillance and research are required before launching a cyber-attack, he said. The executive orders apparently allow the military to transmit code to another country’s network to test the route and make sure connections work, much like using satellites to take pictures of a location to scout out specific sites.
Elsewhere on Capitol Hill, government officials have been discussing how to protect critical infrastructure. The federal government is considering creating a separate Internet domain for private-sector critical infrastructure, one that would be subject to monitoring by the government for cyber-threats, Ari Schwartz, Internet policy adviser at the National Institute of Standards and Technology, said before a panel of the Senate Judiciary Crime and Terrorism subcommittee on June 21.
The panel’s chairman, Sen. Sheldon Whitehouse, D-R.I., has long supported the creation of a .secure domain, arguing that the government would be able to closely monitor Internet traffic without violating the Fourth Amendment. “You just say, ‘OK, look, if you want to go look at these electrical grid things, you’ve got to be aware that the government is going to be keeping an eye on what’s going in and out of there to protect the electrical grid.’ I don’t think people mind that,” Whitehouse said.
Attackers can easily “prove a point” by taking out critical infrastructure, Dodd said.
Whitehouse also said publicly traded companies should be required to disclose their cyber-security risks in Securities and Exchange Commission filings. There is no point in promoting cyber-security awareness if actual attacks are classified when they hit .gov and .mil domains and are treated as proprietary information when businesses are hit, so as not to alarm customers, Whitehouse said, calling it a “real information deficit.”