U.S. moves to contain collateral damage from cyber weapons

Amy Walters / Shutterstock.com

Alleged digital weapons have not overreached so far, former officials say.

The fallout from cyber weapons and perhaps, one day, cyber drones may not greatly affect Americans’ privacy or U.S. computer security, former military officials say.
 
Speculation about impending cyberwarfare has followed recent revelations about a stealth virus and new U.S. cyberoffensive tools. The virus Flame, a suspected U.S. government invention, was reported in May to have long been harvesting information from computers in various Middle Eastern countries. Days after that account surfaced, The Washington Post reported that a Defense Advanced Research Projects Agency program aims to test unmanned cyberattacks that strike without human beings at the keyboard. The Pentagon has said only that it has the ability conduct offensive operations in cyberspace to defend the nation.
 
There is reason for concern that foreign-aimed cyberattacks are backfiring on Americans by creating new vectors for cybercriminals and by breaching privacy. Yet, on the whole, some former government hackers say they’ve been surprised to see the Obama administration taking considerable care to minimize such risks.
 
The recently uncovered attacks involved “techniques that could have been used against us just as effectively,” said Dave Aitel, president of cybersecurity firm Immunity Inc. and a former National Security Agency computer scientist. He was referring to Flame and a U.S.-Israeli campaign called Stuxnet that undermined Iran’s nuclear program by overriding a computer system operating plant centrifuges.  
 
The order to deploy Stuxnet reportedly was made after thorough deliberation by the highest power in U.S. government -- not a Defense Department official. “Obama has to say, yes or no,” Aitel said. “It’s not completely like ‘Go crazy, Cyber Command.’”
 
Defense’s strategy for operating in cyberspace states the commander in chief determines when to engage in cyber confrontations. Pentagon officials have said they strongly respect Americans’ rights during operations. 
 
“If so directed, DoD is prepared to defend U.S. national security interests through all available means,” Defense spokeswoman Lt. Col. April Cunningham said. "DoD is committed to protecting the individual privacy of communications on the Internet and the civil liberties of the American people.”
 
Still, Microsoft suffered some collateral damage from Flame. The designers of the virus exploited a previously unknown flaw in the company’s digital certificates to disguise malicious code as a Microsoft product. The software firm subsequently issued an update to block other hackers from abusing the fraudulent certificates.
 
Kaspersky Labs, the security firm that discovered Flame, describes the bug as “the largest cyberweapon to date,” referring to its 20 megabytes. The tool can scoop up massive amounts of valuable information such as screenshots of online chats, audio recordings from internal microphones, and storage files.
 
Gen. John P. Casciano, a former Air Force director of intelligence, surveillance and reconnaissance, acknowledged the U.S. government will never have 100 percent assurance that a cyber offensive will work as planned. Americans, however, have more to fear from adversaries and cybercrooks than from the feds, he said. “I’m not terribly concerned about the U.S. government spying on us,” said Casciano, now a private consultant.  
 
Other former Defense officials say cyberweapons are subject to the 1978 Foreign Intelligence Surveillance Act, which regulates the monitoring of U.S. international communications during counterespionage activities.
 
“All new cyberweapons must adhere to all the U.S. federal laws,” said Gen. Harry D. Raduege, a retired director of the Defense Information Systems Agency. Or, more specifically, “it’s U.S. people who employ cyberweapons who are subject to FISA. It’s really the people.” Raduege is now chairman of the Deloitte Center for Cyber Innovation.
 
Casciano said he trusts the current legal framework will protect Americans in cyberspace, citing established federal protocol for wiretapping communications between Americans and foreigners when there is probable cause for suspecting a nefarious plot.
 
Civil liberties activists have argued otherwise, based on their longstanding criticism of FISA for sweeping up innocent Americans’ calls, emails and text messages. 
 
Flame so far has spread in a controlled manner among certain nation-state groups and academic institutions and has not self-replicated, according to Kaspersky researchers.
 
Aitel notes the administration recently demonstrated restraint by threatening to veto a cybersecurity bill that opponents say would encourage companies to indiscriminately share customer data with feds. “The government is afraid of overreach and is essentially afraid of the populace at some level,” he said.  “I think it’s amazing that they’ve been going so carefully and following the issues so intellectually. It speaks highly of them that they think this is something you cannot just rush into.”
 
Jeffrey Carr, a cybersecurity consultant and author of Inside Cyber Warfare, makes a distinction between cyberweapons that are intended to destroy systems such as Stuxnet, and cyber espionage tools such as Flame that compromise systems. He sees clear dangers to using either without restrictions set in advance of combat. One unintended consequence of cyberweaponry could be the accidental disruption of a civilian hospital system overseas, for instance.  International cyberspying, he said, could inadvertently encroach on the human rights of foreigners and Americans abroad.
 
With cyberweapons, collateral damage could harm civilians who use a targeted network, Carr said. “How do we know which networks should be targeted and which ones should be off limits?” he questioned. “I would think that [U.S. officials] would be concerned about their rules of engagement.” As for cyber snooping: “Anything that’s stealing data in any type of big way is going to have some privacy ramifications to it,” Carr said.
 
Cunningham noted the Pentagon does not discuss operational matters as a manner of longstanding policy and will not comment specifically on the development of cyber offensive tools.
 
The Post’s Ellen Nakashima in late May wrote that a DARPA initiative, dubbed Plan X, aims “to develop systems that could give commanders the ability to carry out speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code -- a process considered much too slow.”
 
Charles Dunlap, former deputy judge advocate general of the Air Force, said the cyberdrones described in the Post article do not seem quite the same as fully autonomous weapon systems that select their own targets, but he said some observers could argue this is a first step in that direction.
 
“News reports that DARPA is seeking proposals for methodologies that would automate cyber responses in predetermined scenarios is an almost inevitable development given the speed in which cyberattacks can cause harm,” said Dunlap, now a Duke University Law School professor. “The very idea of autonomous weapons systems of any kind, cyber or kinetic, is controversial on legal, ethical and even pragmatic warfighting grounds.  Yet the development and deployment of such weaponry is sure to continue even as we sort out the law and policies to address it.”
 
Other former military officers suspect that unmanned cyber operations would be confined to protective moves, and not used during attacks.
 
“I see autonomous being used defensively, because you’ve got only nanoseconds to respond” in such instances, Casciano said.