If there’s a sudden cyberattack on the U.S. Navy, Jim Granger could be among the first to know since it’s his job to keep watch.
“We monitor the Navy’s grid,” says Granger, who is director of capabilities and readiness at the Navy Cyber Defense Operations Command in Norfolk, Va., home to the Naval Network Warfare Command. Granger works with a team of cyber-defense operations specialists in a security operations center, hunkered down behind computers to keep an eye on networks the Navy uses — such as the Navy-Marine Corps Intranet — both on land and at sea.
Distributed intrusion-prevention and firewall sensors send real-time data to be analyzed by what the Navy calls its Prometheus system, which includes the Novell Sentinel security event management system and SAS data management tools.
There are hundreds of thousands of alerts each day, though “not all are necessarily attacks,” Granger says. The Navy’s Cyber Defense Command Center is, in some respects, like a security operations center at a large organization in the commercial sector, he says.
But this is the U.S. military, which has to be prepared to protect the nation and is dependent on networking to do that. Robert Lentz, assistant secretary of information assurance at the Department of Defense, recently made that point when he said that without network support, aircraft couldn’t fly. The Army and Air Force also have their own cyber-defense command operations, and they strive to work together through the Joint Task Force – Global Network Operations (JTF-GNO).
But how can the individuals in any cyber-defense operations command be sure about the exact nature of an attack? Is it coming from an enemy state or militant groups such as Al-Qaeda or simply a lone attacker who has put together an arsenal of network attack tools?
“We’re trying to winnow the massive data stream to something that is actionable,” Granger says. “We have to provide network-domain awareness” to the technical analyst on up to the four-star general. But while the Navy can see the attacks and block them through various means, pinning down attribution “is extremely difficult,” Granger notes.
Granger’s sentiments on that score aren’t unique. Security experts tend to agree that while attacks of all sorts can often be traced back to certain IP addresses, being absolutely certain of the source of an attack is another problem altogether.
That raises the questions: What is a cyberattack and when might it be seen as the start of a cyberwar? Will the U.S. — or any other country — be able to recognize a cyberattack for what it is? And how might the U.S. consider using cyber weapons offensively?
These questions are getting attention in the highest reaches of the Pentagon and federal government. Much of the discussion is not made public, but there’s growing belief that it should be as the cyber-arms race accelerates largely behind closed doors.
Cyber arms: Weapons of mass destruction?
There needs to be more public knowledge and informed debate about the topic of cyber arms and cyberwar, the National Research Council (NRC) argues in its recently published report. “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities” is an impressive 3-year effort supported by Defense Department officials, academics and industry specialists that sums up the current dilemma.
The report contrasts how cyberattacks differ from physical, “kinetic” military weapons and tactics (cyberattacks offer more options, but less certainty in the outcomes they produce, for instance). It even goes so far as to compare the unchecked spread of cyber weapons to the proliferation of nuclear weapons half a century ago after World War II.
The report says the chances are growing for a cyber-arms race and points out the reckless, unchecked use of cyber-weaponry that’s being developed by countries, including the U.S., and the lack of formal or comprehensive policies for cyberattacks on the national political and military level.
“Programs to develop cyberattack capabilities are classified and dispersed throughout many program elements within the Department of Defense with the result the overall capabilities are not known even among those with the necessary clearances,” the NRC report says. “Effective Congressional oversight that goes beyond a few individuals on the relevant committees is also inhibited.”
The Navy Cyber Defense Operations Command where Granger works is strictly defensive, and as Granger notes, there are rules prohibiting offensive tactics.
In the military, the operations point for offensive cyberattack capabilities and actions is the U.S. Strategic Command (STRATCOM) Joint Combat and Command of Network Warfare, set up in 2005. But the NRC report points out that the U.S. Air Force has ended up as “the main advocate,” and today is seeking to acquire a Cyber Control System capable of network disruptions in an automated manner.
While the NRC report makes no mention of specific adversaries, it does discuss the history with Russia over several decades. Russia at the United Nations sought as far back as the late 1990s to make cyberattacks and cyberweapons a topic for discussion and possible international agreements.
The Russian foreign minister at the time, Igor Ivanov, told U.N. Secretary Kofi Annan in a letter that the effect of information weapons “may be comparable to that of weapons of mass destruction.”
Without U.S. participation, the U.N. didn’t do much with the cyber-weapons topic back then. But the NRC report suggests the U.S., which today has no specific “declaratory policy” regarding cyber weapons, should be prepared to discuss this in various settings and have policy ready, especially as the prospects for cyberattacks among nation states may be mounting.
The military conflict between the countries of Georgia and Russia last year involved cyberattacks against Georgian government and civilian resources, the report says. “The primary significance of the cyberttacks on Georgia is that they appear to be the first instance of simultaneous attacks involving cyberattack and kinetic attack, rather than in any particulars of the cyberattacks themselves.” The Russian government did not claim responsibility for the Georgian cyberattacks, which the report says appeared to originate in Russia through botnet-based attacks, which may be linked to the criminal group Russian Business Network.
But Russia’s official public stance on cyber weapons for quite some time has been that “Russia retains the right to use nuclear weapons first against the means and forces of information warfare, and then against the aggressor state.” Basically, this is interpreted to mean that Russia equates massive cyberattacks against the country to a nuclear attack and would consider responding in kind.
Russia itself is actively developing cyber weapons, the report says. “It’s widely believed that Russia is fully engaged in, or at least developing, the capability of launching a cyberattack regardless of its U.N. stance,” the report says. And though not discussed very openly, the U.S. also has significant cyberattack capabilities,