Lawmakers push for tougher U.S. stance in cyberspace

What can Dr. Strangelove teach us about fighting wars over the Internet?

As Sen. Angus King pressed national security officials to open up about their ability to wage war over the Internet, he turned not to some think tank white paper to make his point, but a five-decade-old film about the dangers of nuclear brinkmanship.

"'Dr. Strangelove' taught us that if you have a doomsday machine and no one knows about, it's useless," the Maine independent said last week during a hearing of the Senate Armed Services Committee.

In Stanley Kubrick's 1964 satire, the Soviet Union has a weapon that will destroy the world in case of a U.S. nuclear strike. The deterrent should make war pointless — but Soviet leaders have not yet told the United States about it.

"Having a secret plan as to how we will respond isn't the point I'm trying to get at," King told Director of National Intelligence James R. Clapper and U.S. Cyber Command chief Adm. Michael S. Rogers. "The deal is, they have to know how we will respond and therefore not attack in the first place."

With the United States now vulnerable to overseas attackers who wield digital weapons, lawmakers are pushing military leaders to publicize some capabilities to deter raids on U.S. databases.

There is a precedent for that approach: The Cold War-era doctrine of mutually assured destruction kept the United States and the Soviet Union from blowing each other up. But officials and analysts warn that deterrence in cyberspace — where networks are broadly vulnerable, attacks can go undetected and the perpetrator might never be known — is far more complicated.

"Deterrence is still a useful concept," said a senior Obama administration official who asked not to be named. "But I don't think we are going to have a theory of cyber deterrence the way we had a theory of nuclear destruction."

The United States has never publicly acknowledged attacking another nation's computer systems. But it is widely believed to have authored (or co-authored with Israel) Stuxnet, the sophisticated computer worm that reportedly compromised Iranian networks, collected information on its nuclear program and destroyed its centrifuges used to enrich uranium.

Clapper referred obliquely during the hearing to the nation's abilities.

"Of course, we too practice cyber espionage," he told the senators. "We're not bad at it."

But officials say the open nature of the Internet leaves the United States especially vulnerable to hackers. In authoritarian countries, where governments have stricter control, breaching networks is more difficult.

And while the U.S. military is overwhelmingly powerful in many aspects of conventional warfare, Rogers said, in cyberspace "we have to acknowledge we have at least one peer competitor in the form of the Russians."

"Then we have a set of other nation-states we pay great attention to, who I am watching increase their level of investment, increase their capacity and their capability," said Rogers, who also heads the National Security Agency at Fort Meade. "The Chinese are probably the ones that get the most attention ... but they are not alone by any stretch of the imagination."

U.S vulnerability has frustrated lawmakers, who have seen high-profile attacks on Sony Pictures Entertainment, the Office of Personnel Management and the unclassified email of the Joint Chiefs of Staff — and little public evidence that the United States is able to respond coherently.

"I know the American people are looking for answers on this," Rep. Jim Langevin, a Rhode Island Democrat, said at a hearing last week of the House Armed Services Committee. "Our enemies, adversaries have been eating our lunch for a long time. ... It's like the Wild West out there, and they're on the better side of the equation."

Lawmakers sought clarity from defense officials long before the wave of attacks that began with North Korea's digital looting of Sony last year. In the 2014 defense authorization bill, they ordered the Pentagon to produce a policy outlining how the United States would respond to a cyberattack and deter adversaries.

Sen. John McCain, chairman of the Senate Armed Services Committee, pressed officials on what progress they had made. The Arizona Republican bombarded Deputy Defense Secretary Robert O. Work with questions and then cut him off.

"We have not got a policy, and for you to sit there and tell me that you do have a broad-stroke strategy is frankly not in compliance with the law," McCain said.

The defense authorization bill approved by the House last week for the coming year would withhold some funding until the policy is presented to Congress.

Officials and analysts say there are real challenges to developing a streamlined deterrence policy in cyberspace because there are so many players, including governments, terrorist groups and criminals.

"How you deter a criminal from acting is very different from how you deter a nation-state," the senior administration official said.

On its face, deterrence seems easy: Make yourself look fearsome and no one will attack. That's the idea behind the Soviet doomsday device in "Dr. Strangelove."

In practice, dissuading an opponent from attacking takes more effort, said Joseph Cerami, a former strategy teacher at the Army War College.

"It's what you say you're going to do and what you actually do," said Cerami, now a professor at Texas A&M. And the more sides involved, the more complex things become. "It's never true, the more the merrier," he said.

The senior administration official spoke of another challenge: Because cyber weapons are still new, officials are not fully confident that they can discuss them without giving away details they would prefer to keep to themselves.

The government does not "have as much experience yet on how do you ensure you can talk about the capabilities that doesn't render them useless," the official said.

The official made the comparison to the military's fighter jets: The United States acknowledges that it has them but does not disclose information that might reveal their vulnerabilities.

"We need to arrive at the same place with our cyber capabilities," the official said.

The Defense Department has started to open up in recent months about how it might exploit computer networks to gain military advantages. A strategy unveiled in April put new emphasis on the nation's offensive capabilities, and Cyber Command is readying a force of about 6,200 troops and civilians.

But Rogers, the commander leading that effort, told the House panel that overcoming decades of military development when protecting computer networks was not a priority will take time.

"The argument I have made with my team is that this is all about prioritization," he said. "We've got to step back and assess where do we think the greatest vulnerabilities lie. Where do we think our opponents are most interested in attempting to generate effects against us, and how do we forestall their ability to do that?"

Rep. Mac Thornberry, chairman of the House Armed Services Committee, jumped in.

"So to summarize, we're getting better, but not better fast enough," the Texas Republican said.

"I think that's fair," Rogers said.

iduncan@baltsun.com

twitter.com/iduncan

Copyright © 2017, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad
59°