Like one, that on a lonesome road

Doth walk in fear and dread,

And having once turned round walks on,

And turns no more his head;

Because he knows, a frightful fiend,

Doth close behind him tread.

 

Samuel Taylor Coleridge[1]

[Hi! This is Fred, and I’m bewildered. G. Sallust says that’s chronic with me, and while I disagree, this time it’s serious. My problem isn’t with the bit of poetry that kicks off this piece. Clearly it’s not about our forthcoming election. Fiends or not, the candidates for president aren’t following anybody; they’re pretty much in our collective face, all day, every day. But tagging along, behind them and usually behind us, is something much more alarming. And that is – the prospect of a cyberattack by (i) enemies; (ii) neutrals; or I suppose, (iii) even by friends. If it’s in anyone’s national interest to launch one, I’m sure they will, unless there are consequences.  How’s that for an unseen threat?

We’ve had several of these events in the last few years. There was, of course, the attack we [and the Israelis] allegedly made on the Iranian nuclear program back in 2010.[2] That little adventure was a success, it’s said, because it substantially damaged Iran’s nuclear enrichment program, and perhaps made them more willing to negotiate about it with us and the rest of the world.[3] Then there was the attack North Korea [allegedly] made on Sony Pictures in November, 2014[4] possibly in response to the forthcoming release of a satirical movie. And, of course, there’s the avalanche of stories about emails recently hacked from the DNC, and released via WikiLeaks.[5] Currently the Russians are blamed for having done that deed, although they deny it. In any case, apparently the leaked emails are genuine; the DNC is acting as though they are, and people – including the Chairperson – have left as a result.[6]

It’s a good story when we dish out this kind of thing to our non-friends, like Iran; but of course we have an entirely different attitude when we’re the object of an attack. This has me wondering, just how important are cyber intrusions, etc., and what are we doing about them? I don’t know that answer, so I asked around. Nobody here claims expertise, but Larry, our retired lawyer, has done some research and says he has ideas. That’s enough for me. I don’t have any at all.]

Yes, I have ideas, but so far they’re mostly speculations. When facts are scarce, and nobody on the inside will talk, you have to follow the paper trail. Unfortunately there’s not much of that, either, except some policy guidance from the White House and/or the Department of Defense. As we all know, policy is mostly aspirational; it doesn’t represent real progress until somebody does something to comply. Nevertheless, it can be useful as an indicator of where the leadership thinks it’s going, eventually.

So let’s look at U.S. policy.

Making a Framework

We have to start somewhere, and I’m a lawyer by trade, so I started with one of the President’s famous Executive Orders. This one, issued on February 12, 2013, is called Improving Critical Infrastructure Cybersecurity.[7] It says three things: (i) cyber intrusions into U.S. “critical infrastructure” are increasing; (ii) this is serious; and (iii) it’s the policy of the United States to “enhance the security and resilience of [our] infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[8] That’s a long way of saying that we know there’s a problem, and will keep everybody safe.

What is critical infrastructure? Why, it’s all the stuff that’s critical; it includes any systems or assets that, if destroyed or incapacitated, “would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[9]

Only great minds would take on such an enormous task. So how did the Administration propose to do it? Well, by going into “partnership” with the owners and operators of the infrastructure. It’s mostly privately owned, don’t you know? The Government will share its cyber threat information[10], and will develop a “framework” for reducing everyone’s cyber risks. This last part, I have to admit, left me wondering. “What in the world are they talking about?” I asked, and “Who is supposed to do the work?”

It turns out that the Administration has an answer for the second question. It tasked the Department of Commerce, or rather, its National Institute of Standards and Technology [the “NIST”],[11] to take the lead. However, the scope of work, or the actual task NIST was to undertake, remained a bit nebulous. “The Cybersecurity Framework shall include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.”[12]

NIST produced a draft framework in 2014.[13] Not being a software engineer, I’m not clear about what that accomplished; but the work continues and NIST issues frequent, public updates.[14] From my perspective, the most significant thing about the work product is that it’s public. Executive Order 13636 requires transparency. “In developing the Cybersecurity Framework, the Director [of NIST] shall engage in an open public review and comment process.”[15] No doubt some of the underlying documentation is classified, however, because NIST also consults with the National Security Administration [NSA], the Director of National Intelligence [the DNI] and others to do its job.[16]

So why is the Cybersecurity Framework a public document? Well, it’s there to help guide security specialists in detecting and responding to security threats. It’s not going to be useful if it isn’t distributed to them. But what’s the downside of publishing this kind of thing? I can think of one, for sure. If the framework helps our side detect and counter threats, then it also tells our adversaries something about how we will respond to cyberattacks. Perhaps what we’re doing is a little bit like a football team giving its play book to the other team the night before a big game. Perhaps we’re telling our adversaries more than they really should know. Perhaps.

I have the questions, but no answers. We’ll just have to wait to see what happens.

Military Options

You might say that 2013 was a banner year for cybersecurity. While the President – or at least the White House – was wrestling with frameworks, the Department of Defense was trying to figure out how to fight a cyber war.[17] Originally the Pentagon hoped to have its rules of engagement in place by the end of that year; and perhaps they did, but we’ll never know, because the work product would have been classified.[18] In 2015, however, DOD released a formal policy that appears to cover the same ground, and that document is very interesting indeed. It’s called The DOD Cyber Strategy[19] and is available online, for free.

I’m not going to discuss the document in detail – it’s quite long and we don’t have the space for that – but I’ll try to highlight some of the good stuff. By my count, that comes to about four points.

  • DoD, in “concert with other agencies,” is “responsible for defending the U.S. homeland and U.S. interests from attack.” In doing so, it will act “in a manner consistent with U.S. and international law.”[20] Although some idiots on the right no doubt object, I think it’s a good thing to follow the law when we’re at war.
  • DoD “has developed capabilities for cyber operations and is integrating these capabilities into the full array of tools that the United States government uses to defend U.S. national interests ….”[21] It’s focused primarily on (i) defending DoD networks, systems, etc.; (ii) supporting “operational and contingency plans,” and (iii) defending “the nation against cyberattacks of significant consequence.”[22]
  • Two of these foci are obvious.

(i) Modern weapons incorporate sophisticated cyber technology; that needs to be protected if the weapons are to be effective.

(ii) Also today’s military operations knit together weapons, troops, intelligence, etc. in complex patterns that are subject to change on short notice. This is possible only because our command and control over such operations is cyber-intensive. So it makes perfect sense to protect our cyber capabilities in this area, and degrade an enemy’s, if possible.

  • But what about the third mission, that of defending the nation against cyberattacks? What cyberattacks are contemplated? Who makes the decisions about what is to be done?

The cyberattack has to involve “significant consequences” [presumably bad] for us. The decider of what’s “significant” will be a civilian, either the President or the Secretary of Defense.[23] He or she will decide that on a case-by-case basis.[24] What criteria might he or she follow? Well, the DoD policy tells us that “… significant consequences may include loss of life, significant damage to property, serious adverse foreign policy consequences, or serious economic impact on the United States.”[25] However, those are just examples; they’re not an exclusive list of what might be considered.[26]

If this all seems pretty loose to you, let’s take it a step further. Suppose a few years from now we have the following situation:

A hacker, who lives near an opium field in Afghanistan, finds a way into the computer network of a U.S. power company, takes control of a nuclear plant just north of New York City, and announces that he’s going to trigger a meltdown at the facility. He says he’ll take money to not do it, but nobody in authority really believes him. They expect him to blow the plant in 24 hours. DoD finds the hacker and tells the President that there’s a U.S. drone, fully armed, in his vicinity. What should the President do?

For those of you who picked “order the strike,” I can understand your reasons. In our fact pattern, DoD has the capability to strike, and the President has the authority to avoid “significant” consequences. Nuclear meltdowns can mess you up; just ask the Japanese, they have the most recent experience with them. A meltdown in New York certainly would damage property, could kill people, and might [negatively] impact our economy. That sounds pretty “significant” to me. So why not proceed? Bombs away!

The point of all this, of course, is simply that a cyberwar can turn into a shooting war, given the right circumstances.

[I’ve got to admit, there’s something strangely appealing about your notion of exploding hackers. But why limit such attacks to hackers in foreign lands? We have plenty of malicious ones here at home. Why not send in the drones when our own – the criminals, terrorists, juvenile delinquents or whatever – start to act up?  Surely extreme measures can be justified if people in authority think they’re necessary to keep us safe.

Don’t answer that! It’s a joke and, as G would say, it raises a whole ‘nuther topic. Let’s wait a bit, until we have a “situation” of some sort, and one of our brilliant politicians raises the issue. This being an election year, we may not have to wait for long.

In the meantime, don’t look back! There may be fiends.]

 

 

[1] See Coleridge, Selected Poetry (Penguin, 1996) (editor, R. Holmes), at The Rime of the Ancient Mariner, p. 95.

[2] See, e.g., Reuters/Business, Chon, Review: Iran cyber hack opened a Pandora’s box (July 29, 2016), available at http://blogs.reuters.com/breakingviews/2016/07/29/review-iran-cyber-hack-opened-a-pandoras-box/

[3] I don’t know who said that, but somebody did. It’s generally thought today that the Stuxnet virus was part of a larger plan, not fully implemented, that would have taken effect if Iran was not persuaded to curb its nuclear program. See, e.g., ARS TECHNICA, Goodin, Massive US-planned cyberattack against Iran went well beyond Stuxnet (02/16/2016), available at http://arstechnica.com/tech-policy/2016/02/massive-us-planned-cyberattack-against-iran-went-well-beyond-stuxnet/

[4] See DoD, The Department of Defense Cyber Strategy (April, 2015) at Introduction, p. 1-2, available at http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy: “[I]n November, 2014, likely in retaliation for the planned release of a satirical film, North Korea conducted a cyberattack against Sony Pictures Entertainment, rendering thousands of Sony computers inoperable and breaching Sony’s confidential business information. In addition to the destructive nature of the attacks, North Korea stole digital copies of several unreleased movies …” Henceforth this publication will be cited as Cyber Strategy at __.

[5] The website for WikiLeaks is at https://wikileaks.org/  Right now the link to the DNC emails is posted on the front page.

[6] See, e.g., Fox News/Politics, Heads roll at DNC: 3 top officials out after email hack (August 02, 2016), available at http://www.foxnews.com/politics/2016/08/02/sources-ceo-at-democratic-national-committee-resigns.html

[7] It was announced by the White House press office on February 12, see https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity ; and published in the Federal Register a week later. The “official” version, of course, is the one in the Federal Register. See Exec. Ord. 13636 (Feb. 12, 2013), 78 Fed. Reg. 11739 et seq. (Feb. 19, 2013).

[8] See Exec. Ord. 13636 at § 1

[9] See Exec. Ord. 13636 at § 2

[10] See Exec. Ord. 13636 at § 4

[11] See Exec. Ord. 13636 at § 7(a)

[12] Id.

[13] See NIST, Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

[14] Updates are posted on the NIST website, at http://www.nist.gov/cyberframework/

[15] See Exec. Ord. 13636 at § 7(d)

[16] Id. “The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework.”

[17] See USA Today, Michaels, Pentagon seeking ‘rules of engagement’ for cyber-war (April 4, 2013), available at http://www.usatoday.com/story/news/nation/2013/04/04/pentagon-wants-cyber-war-rules-of-engagement/2054055/

[18] Id. “The rules will be secret and cover more conventional combat as well.”

[19] See n. 4 for the full citation. Again, the document is available at http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy

[20] See Cyber Strategy at p. 2.

[21] Id.

[22] See Cyber Strategy at p. 3.

[23] See Cyber Strategy at p. 5: “If directed by the President or the Secretary of Defense, the U.S. military may conduct cyber operations to counter an imminent or ongoing attack against the U.S. homeland or U.S. interests in cyberspace.”

[24] Id.

[25] Id.

[26] Id. DoD has written this very carefully, to avoid foreclosing Presidential discretion. This is only natural. After all, the President, under our Constitution, is Commander-in-Chief, and outranks anyone in DoD. See U.S. Constitution, Article II, Sec. 2: “The President shall be Commander in Chief of the Army and Navy of the United States, and of the Militia of the several States, when called into the actual Service of the United States …” The Constitution is available from many sources; our favorite is the National Archives, at http://www.archives.gov/exhibits/charters/constitution_transcript.html  Look around and you can find all of the Amendments, as well.
