Вы находитесь на странице: 1из 6

The State Departments Weary Soldier in

Americas Cyber War


From Ukraine to Sony, cyber attacks are spooking governments and private companies -- and leaving
officials like Christopher Painter scrambling to help devise rules of the road for how to respond.

BY TIM STARKS-MAY 13, 2015


Anew age of cyberwarfare is dawning, and a little-known State Department official
named Christopher Painter a self-described computer geek who made his name
prosecuting hackers is racing to digital battlegrounds around the world to help stave
off potential future threats.
One of his stops was in South America, where he visited Argentina, Chile, and
Uruguay, to hear about what those countries were doing to protect computer networks.
One was in Costa Rica, to tout the U.S. vision for the Internet, including security.
Another was in The Hague, to, among other things, promote international cooperation
in cyberspace.
Its been a hectic couple of weeks, he said
Theres a reason for that. Last month, Arlington, Va.-based security firm Lookingglass
released a report detailing a full-scale cyber war being waged by Russia against
Ukraine. Russia, Lookingglass concluded, was hacking Ukrainian computers and

vacuuming up classified intelligence that could be used on the battlefield. The week
before, the Pentagon publicly released a new strategic document declaring, for the
first time, that it was prepared to pair cyber war with conventional warfare in future
conflicts, such as by disrupting another countrys military networks to block it from
attacking U.S. targets
Painter is charged with finding answers to some of thorniest policy questions
confronting Washington in the digital age: How to wage cyber war, how not to, and
how nations can or even should cooperate on establishing rules for cyber offense.
Countries have found it so hard to sort out answers to these difficult subjects, Painter
is setting his sights low, at least for now. One of his initial goals: Promoting a set of
voluntary international standards, such as one that says that nations should not
knowingly support online activities that damage critical infrastructure that provides
services to the public.
Were in the relative infancy of thinking about this issue, Painter said. This is a fastchanging technology. Were at the beginning of the road.
Other, related debates on surveillance and cyber defense are further along.
Congress is working through a renewal of expiring provisions of the Patriot Act. Other
countries are getting in on the act as well: Frances National Assembly this month
approved a bill being dubbed the French Patriot Act, which controversially allows the
government to collect mass e-mail data, and Canadas House of Commons last week
passed anti-terrorism legislation that critics contend endangers online privacy.
Congress also has a good chance this year to pass a cybersecurity bill that fosters
threat data sharing between companies and the government.
The nascent conversation about cyber offense draws, in some ways, on existing
international law, but in other ways has no historical precedent, because cyber war is
unlike any other kind of war. Government hackers can do tremendous damage to an
enemy country without touching it physically or using any troops or military hardware
whatsoever, and without leaving much of a trace about who is responsible. It also
upends the traditional notion of deterrence in a realm where the often-invisible attacks
make it hard to figure out whom to retaliate against and signal that offense will be
answered with offense. Sometimes its hard to tell what an offensive weapon even is,
since so many cyber tools have both offensive and defensive uses.
The U.S. position is complicated by how advanced its offensive capabilities are in
relation to the rest of the world not only in how far its willing to go to limit itself, but
also how willing anyone else is to listen because of how it aggressively the U.S. has
used its technological edge to spy on other countries and, in the case of Iran, directly
attack their infrastructure.
The United States is in a very unique position. Its definitely in a class of its own when
it comes to cyber offensive operations, said Henry Farrell, an international affairs
professor at George Washington University. The other problem is that its in a class of
its own in the unique vulnerability to various forms of cyber attack.

And for the United States, there are both domestic and global components of the
debate over what kind of offensive authorities it should have. While the Obama
administration tries to figure out what kind of posture it wants to take on the
international stage, some in Congress are agitating for the executive branch to say
what it can do on offense, and under what circumstances. If the executive branch
doesnt do that, Congress might do it for them. Senate Armed Services Chairman John
McCain (R-Ariz.), is among those contemplating taking action; he is weighing an
amendment to the annual defense policy bill that would spell out what the Defense
Departments cyber offensive and defensive capabilities should be.
There are widespread worries across Capitol Hill, meanwhile, that Washington isnt
doing enough to keep up with steady stream of cyber attacks designed to steal
corporate secrets and financial data. That never-ending drumbeat has in recent
months afflicted Anthem, the second-biggest U.S. health insurer in which hackers
accessed personal data like Social Security numbers for millions of customers, and
JPMorgan Chase, in which a sophisticated cyber attack compromised the accounts of
millions of households and small businesses. McAfee, a leading cyber defense firm,
estimates that there are hundreds of cyber attacks per minute.
One major question House Armed Services Committee Chairman Mac Thornberry of
Texas and others want to resolve is what the U.S. government should do in instances
like the Sony hack last fall, which led to the release of reams of sensitive corporate
emails, movie scripts, and even digital copies of unreleased films. President Barack
Obama blamed the North Korean government, which was angry over the unflattering
portrayal of Kim Jong-un in the film The Interview, then promised the United States
would respond proportionally.
Some cyber experts have subsequently raised doubts about whether Pyongyang was
actually behind the attack. If they were, it would mark a milestone as the first time
government hackers in one country attacked a private firm in another.
We dont have the proper structure in place because our thinking and policies have
not evolved to the reality of what cyber is as a domain of warfare, Thornberry said in
an interview. We dont really have authorities in place about how to defend
civilian/private networks, much less what sort of offensive preemptive retaliatory
actions potentially the government would take on their behalf.
But lawmakers also want to be prepared for more catastrophic attacks, like an assault
on the electricity grid, which is largely controlled by private sector computer networks.
As far back as 2009, there were reports of foreign governments infiltrating the U.S.
electricity grid, and while they didnt damage the networks they penetrated, National
Security Agency director Adm. Michael Rogers has warned they would be a major
target in a large scale cyber war.
***
Painter, who considers himself an early aficionado of computer technology, has said
he began playing with a primitive personal computer while he was at college in the
1980s. After graduating from Cornell in 1980 and Stanford law school in 1984, he

gravitated toward tech-oriented lawsuits, and prosecuted the most prominent early
hacking cases, securing a conviction in 1999 of the famed hacker Kevin Mitnick
said to be the inspiration for the film War Games for stealing files from companies
like Sun Microsystems and Motorola. Later, Painter moved to the Justice Department
headquarters and the White House to work on cyber issues.
One thing Painter isnt looking for, in all his travels, is any kind of comprehensive cyber
treaty to somehow tackle the myriad security topics or, to use his quote from Lord
of the Rings during a panel in The Hague, one ring to rule them all.
Because of how complicated and formless the cyber offense problem is, and how new
it is compared to more established forms of warfare, the idea of any kind of
comprehensive cyber treaty has been set aside not just by the United States but
many other countries as well, at least for now. Instead, Painters focus has been on
creating a commonly held set of principles norms that nations adhere to on a
voluntary, legally non-binding basis.
Painter maintains that the emphasis on norms isnt about preserving American
hegemony. Yet many others have noted a distinct lack of interest from the United
States when it comes to taking any kind of action that could limit its own offensive
options.
Just as a general matter, administrations of any stripe are certainly not looking to limit
their ability in legislation and would probably be loathe in international regulation to
swear off particular lines of attack, said Michael Allen, a former top National Security
Council staffer in the George W. Bush administration and former staff director for the
House Intelligence Committee who now is managing director at Beacon Global
Strategies, a consulting firm. I dont think people are eager to start immediately
signing up to regimes, norms or certainly not laws, without serious consideration, that
begin to restrict this new tool of warfare in its infancy.
Michael Hayden, a former NSA director and now a principal at the Chertoff Group
consulting firm, said the bigger issue is simply that a cyber treaty would be
unenforceable. Its easy enough to cheat on a biological weapons treaty, he said;
imagine how easy it would be to cheat on a cyber treaty, since sophisticated hackers
can leave no fingerprints whatsoever.
The reason it would easy, he said, is because of how hard it is to determine,
forensically, whos behind any given attack at any time. The landmark 2013 Mandiant
report that tracked a host of cyber attacks netting government documents and
company secrets to a Chinese military unit was the result of six years of work, and it
ultimately could place the attacks as originating only from the doorstep of the building
suspected of conducting the hacking.
The same problem of so-called attribution for attacks applies under existing
international law. In April, both Defense Secretary Ashton Carter and current NSA chief
Rogers made headlines for saying cyberwarfare fell under international law, although
that was not a new position for the U.S. government. The origins of that position

emerged from a United Nations Group of Governmental Experts that declared a set of
principles in 2013, a group that included China.
Some legal experts contended that the Stuxnet virus that attacked Iranian nuclear
centrifuges, reportedly a collaboration between the United States and Israel, was a
violation of international law because it was an act of force.
Thats already a violation of international law unless you have a justification for that,
said David Fidler, and Indiana University law professor serving as a visiting fellow for
cybersecurity at the Council on Foreign Relations. Thats even if anyone
acknowledges they were involved, which they dont do.
Fidler said some of the norms under discussion in the cyber sphere are merely
restatements of norms or international laws that apply to existing forms of warfare, and
are either unworkable because they dont apply to cyberspace or originate from poorly
agreed-upon definitions of terminology.
As an example, he pointed to a proposal from Temple Law professor Duncan Hollis to
create an e-SOS, similar to the distress signal ships at sea send when they are in
trouble and merchant vessels are obligated to respond with help. In the event that a
country is under cyber attack, Fidler asked, does it really want a nation like Russia
getting into its networks to lend a hand?
Additionally, the U.S. message on norms about cyber intrusions hasnt always been
well received, given the wide scale international electronic spying revealed by former
intelligence contractor Edward Snowden, Fidler said. To the rest of the world, he said,
it kind of looks like the U.S. has given up on norms and is relying on unilateral action,
especially when combined with an April executive order to financially punish foreign
hackers.
Its not, he said, that the State Department is doing poor work advancing cyber norms
its that doing so is inherently difficult, especially under the circumstances.
For his part, Painter acknowledged that theres much more to be done in figuring out
how international law applies to cyberspace. What does the international law of
warfare dictating proportionality in attack apply there? That kind of question is going
to take a ton of academic work, Painter said.
Its a subject that has nonetheless made Congress antsy. In February, House
Homeland Security Chairman Michael McCaul (R-Texas) joined with House Foreign
Affairs Chairman Ed Royce (R-Calif.) to write a letter to National Security Adviser
Susan Rice, asking how the Obama administration defined different attacks and how it
was prepared to respond to them.
McCaul said he hasnt received a response to the letter. But he said he and Royce are
preparing legislation outlining what they expect from the State Department on those
questions.
Others on Capitol Hill said they see gaps in the administrations authorities and
doctrines, but arent yet ready to press their case without more examination, among

them Thornberry and a leading Democrat on his committee, Rep. Jim Langevin.
Were developing capabilities faster than the policies and doctrines that control them,
said Rhode Islands Langevin, the top Democrat on the Armed Services Emerging
Threats Subcommittee. Theres the need for further definition for actions to do things
like defend the nation.
The vast majority of the systems at risk are not DOD systems. Theyre in the private
sector, Langevin said. In a worst-case scenario, DOD is going to be asked to defend
them. If theres an active cyber attack going on on our electrical grid and DOD has to
step in and shuts down the entity thats carrying out that cyber attack, you can imagine
that has all sorts of ramifications.
***
Over time, Fidler said he expects the State Department to get more creative on the
development of cyber offense norms. There also might be some other kinds of
international consultation that could de-escalate cyber, with both Fidler and Painter
touting the Global Forum for Cyber Expertise that launched in The Hague to build up
the capabilities of developing nations to handle cybersecurity.
But, again, its very early.
Painter, citing one estimate, said that when you compare it to the process of nuclear
rules, it took about 40 years to get grounded.
I dont anticipate the length of time to socialize and draw lines is going to be
anywhere near as long as nuclear, he said. Still, its not an overnight process.
Ulrich Baumgarten via Getty Images
Posted by Thavam

Вам также может понравиться