[Owasp-delhi] Nice Read on Pentagon's strategy on Cyber Warfare

Soi, Dhruv dhruv.soi at owasp.org
Sat Jun 4 07:37:57 EDT 2011

The Pentagon has developed a list of cyber-weapons and -tools, including
viruses that can sabotage an adversary's critical networks, to streamline
how the United States engages in computer warfare.

The classified list of capabilities has been in use for several months and
has been approved by other agencies, including the CIA, said military
officials who spoke on the condition of anonymity to describe a sensitive
program. The list forms part of the Pentagon's set of approved weapons or
"fires" that can be employed against an enemy.

"So whether it's a tank, an M-16 or a computer virus, it's going to follow
the same rules so that we can understand how to employ it, when you can use
it, when you can't, what you can and can't use," a senior military official

The integration of cyber-technologies into a formal structure of approved
capabilities is perhaps the most significant operational development in
military cyber-doctrine in years, the senior military official said.

The framework clarifies, for instance, that the military needs presidential
authorization to penetrate a foreign computer network and leave a
cyber-virus that can be activated later. The military does not need such
approval, however, to penetrate foreign networks for a variety of other
activities. These include studying the cyber-capabilities of adversaries or
examining how power plants or other networks operate. Military
cyber-warriors can also, without presidential authorization, leave beacons
to mark spots for later targeting by viruses, the official said.

One example of a cyber-weapon is the Stuxnet worm that disrupted operations
at an Iranian nuclear facility last year. U.S. officials have not
acknowledged creating the computer worm, but many experts say they believe
they had a role.

Under the new framework, the use of a weapon such as Stuxnet could occur
only if the president granted approval, even if it were used during a state
of hostilities, military officials said. The use of any cyber-weapon would
have to be proportional to the threat, not inflict undue collateral damage
and avoid civilian casualties.

The new framework comes as the Pentagon prepares to release a cyber-strategy
that focuses largely on defense, the official said. It does not make a
declaratory statement about what constitutes an act of war or use of force
in cyberspace. Instead, it seeks to clarify, among other things, that the
United States need not respond to a cyber-attack in kind but may use
traditional force instead as long as it is proportional.

Nonetheless, another U.S. official acknowledged that "the United States is
actively developing and implementing" cyber-capabilities "to deter or deny a
potential adversary the ability to use its computer systems" to attack the
United States.

In general, under the framework, the use of any cyber-weapon outside an area
of hostility or when the United States is not at war is called "direct
action" and requires presidential approval, the senior military official
said. But in a war zone, where quick capabilities are needed, sometimes
presidential approval can be granted in advance so that the commander has
permission to select from a set of tools on demand, the officials said.

The framework breaks use of weapons into three tiers: global, regional and
area of hostility. The threshold for action is highest in the global arena,
where the collateral effects are the least predictable.

It was drafted in part out of concerns that deciding when to fire in
cyberspace can be more complicated than it is on traditional battlefields.
Conditions constantly shift in cyberspace, and the targets can include
computer servers in different countries, including friendly ones.

Last year, for instance, U.S. intelligence officials learned of plans by an
al-Qaeda affiliate to publish an online jihadist magazine in English called
Inspire, according to numerous current and senior U.S. officials. And to
some of those skilled in the emerging new world of cyber-warfare, Inspire
seemed a natural target.

The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander,
argued that blocking the magazine was a legitimate counterterrorism target
and would help protect U.S. troops overseas. But the CIA pushed back,
arguing that it would expose sources and methods and disrupt an important
source of intelligence. The proposal also rekindled a long-standing
interagency struggle over whether disrupting a terrorist Web site overseas
was a traditional military activity or a covert activity - and hence the
prerogative of the CIA.

The CIA won out, and the proposal was rejected. But as the debate was
underway within the U.S. government, British government cyber-warriors were
moving forward with a plan.

When Inspire launched on June 30, the magazine's cover may have promised an
"exclusive interview" with Sheik Abu Basir al-Wahishi, a former aide to
Osama bin Laden, and instructions on how to "Make a Bomb in the Kitchen of
Your Mom." But pages 4 through 67 of the otherwise slick magazine, including
the bomb-making instructions, were garbled as a result of the British

It took almost two weeks for al-Qaeda in the Arabian Peninsula to post a
corrected version, said Evan Kohlmann, senior partner at Flashpoint Global
Partners, which tracks jihadi Web sites.

The episode reflected how offensive cyber-operations are marked by
persistent disagreement over who should take action and under what
conditions. The new list of approved cyber-weapons will not settle those
disputes but should make the debate easier to conduct, the senior military
official said.

Some lawmakers also are proposing statutory language that would affirm that
the defense secretary has the authority "to carry out a clandestine
operation in cyberspace" under certain conditions. The operation must be in
support of a military operation pursuant to Congress's 2001 authorization to
the president to use all necessary and appropriate force against those who
committed the Sept. 11, 2001, terrorist attacks.

House Armed Services Committee Vice Chairman Mac Thornberry (R-Tex.), who
drafted the language as part of the House-adopted 2012 defense authorization
bill, said he was motivated by hearing from commanders in Iraq and
Afghanistan frustrated by an inability to protect their forces against
attacks they thought were enabled by adversaries spreading information

"I have had colonels come back to me and talk about how they thought they
could do a better job of protecting their troops if they could deal with a
particular Web site," he said. "Yet because it was cyber, it was all new
unexplored territory that got into lots of lawyers from lots of agencies
being involved."

Thornberry's provision would establish that computer attacks to deny
terrorists the use of the Internet to communicate and plan attacks from
throughout the world are a "clandestine" and "traditional military"
activity, according to text accompanying the proposed statute.

But the White House issued a policy statement last week that it had concerns
with the cyber-provision. It declined to elaborate.

Thornberry said some Pentagon lawyers thought the proposed statutory
language could go further. "But my view on cyber is we need to take it a
step at a time," he said.


Source: Reuters


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20110604/f41d4092/attachment.html 

More information about the Owasp-delhi mailing list