This week, the Tallinn Manual -- a NATO initiative by which legal experts have articulated laws for the cyber battlefield -- is set to make its stateside debut. But the United States says it is already ahead of the document's recommendations: it insists the existing laws of war are sufficient to govern the use of cyber weapons.
"Existing international law applies to cyberspace just as it does in the physical world," said Christopher Painter, the State Department's coordinator for cyber issues, during a forum at George Washington University last Thursday. "That is a very important concept. It means a couple of things. First, it means we don't need new norms in cyberspace; we apply existing norms."
The United States is trying to establish international rules of the road in cyberspace that are accepted by other nations, but it believes they should reflect rules that are already on the books, such as the law of armed conflict.
"It is the clear and consistent policy of the United States that the Law of Armed Conflict applies to our operations in all domains, including cyberspace," a Pentagon official told Killer Apps when asked about the Tallinn manual. "The cyber activities of the Department of Defense are always undertaken in accordance with existing policy and law and executed under specific authority."
Adhering to existing law, according to Painter, means that militaries should recognize the distinction between soldiers and civilians and exercise proportionality in using force. They should not target civilians, and nations should be held accountable when proxy cyber groups use force on their behalf.
The Tallinn Manual was commissioned by NATO, but it was produced by independent legal scholars and practitioners and does not speak for any government. But the Pentagon official said that "the department values the contributions that independent reports like the Tallinn Manual for Cyber Law bring to the dialogue and important work being done in the realm of Cybersecurity."
(Click here to read remarks a State Department lawyer gave regarding the law of armed conflict and cyberspace during a speech at U.S. Cyber Command last summer.)
U.S. officials say the process of formalizing rules for cyberspace will likely take decades given the differing priorities among various governments. For example, the U.S. and its allies want to focus on things like fighting intellectual property theft and banning destructive cyber attacks during peacetime, while nations such as China and Russia want to be free to censor information and monitor what their citizens do online -- a stance U.S. officials call a "nonstarter."
Painter said that, while nations continue to discuss such issues, they may want to develop cyber hotlines so that government leaders can communicate freely and directly about cyber incidents.
"You can do confidence and transparency measures for those states where there may be some distrust, just understanding how they're organized, maybe having hotlines between them. I think that's an important part of the political-military bucket," he said.
The notion of a cyber hotline, similar to the nuclear hotline between the White House and the Kremlin, is something yours truly has also heard suggested by senior foreign officials, who wished to remain anonymous.
U.S. Air Force
How serious is intellectual property theft and cyber crime against U.S. businesses? It depends on who you ask.
When Jim Lewis of the Center for Strategic and International Studies gave someone he would only describe as one of the "gods of economics" his initial estimates about the cost of cyber espionage, this is what happened:
"I said, ‘I apologize, we're at a very preliminary stage of our research, there's an embarrassing range and we hope to narrow it over time, but I would say the minimum might be $20 billion dollars a year and the maximum might be $100 billion dollars a year,' noting that there's all sorts of problems, it's a very preliminary estimate," Lewis recounted during a forum on cyber security at The George Washington University last week. "He looked at me and he said, ‘100 billion dollars!? That's a rounding error in a $15 trillion dollar economy!' And he's right, it's a rounding error."
More recent estimates have put the cost of theft as high as $338 billion per year, but Lewis' anecdote puts the fear of cyber espionage in perspective.
Still, Lewis admitted that the blatant theft of U.S. economic and defense secrets is "very disturbing" and needs to be addressed.
U.S. Air Force
Happy Monday from snowy, slushy Washington. Check out this screenshot of Google's autofill options for the phrase "Drones are" that was posted by Caitlin Fitz Gerald on her blog, Drawnward.
It's easy to see how the autofill suggestions sum up plenty of the varying opinions about drones in the United States right now.
Hat tip to Lawfare.
Happy Friday. Here are your photos of the week. Bet you didn't realize that the U.S. Navy still has wooden-hulled warships? The photo above shows the USS Guardian trapped on a reef in the Pacific Ocean being scrapped. Notice how the ship's paint has been stripped away by waves revealing the wooden hull.
Why a wooden hull? The Guardian is an Avenger-class mine hunter, the same type of ship that the U.S. deployed eight of to the Persian Gulf when tensions ran high with Iran last summer. Wooden hulls give the ships an extra layer of protection against magnetic mines set up to explode when a large chunk of floating metal -- like a ship -- passes close by. Specifically, the hulls of the 14 Avenger-class ships are made from oak, Douglas fir, and Alaskan cedar, which, in addition to reducing the ships' magnetic signature, apparently helps them to better withstand the blast from a mine.
Guardian ran aground on Tubbataha Reef in the Sulu Sea on January 17. After failed attempts to free her from the shallow reef -- which was misplaced on the National Geospatial Intelligence Agency-supplied digital maps the Guardian's crew was using (and you thought Apple Maps were bad) -- the Navy decided to dismantle and scrap the 224-foot-long ship on site.
Here are some more photos of her stranded and being salvaged:
Hat tip to Stars and Stripes
U.S. Department of Defense
We hear a lot about Chinese and Iranian hackers, but we don't usually hear much about North Korea. In the wake of this week's cyber attacks against South Korean banks and television stations, though, there have been several news reports claiming North Korea is one of the world's top cyber players. (The image above shows South Korean cyber investigators looking into this week's attacks) While there's no doubt that the North Korean military has growing cyber capabilities, most experts wouldn't put them at the top of the list in terms of ability or sophistication.
"Limited internet access, limited electricity, bad infrastructure means that North Korea isn't a place you'd look for a hacker culture," Jim Lewis of the Center for Strategic and International Studies told Killer Apps today. "The tendency is to overestimate their capabilities. When you look at their nuclear weapons or their missiles, yeah they have them, but they're pretty primitive. Hacking probably tracks with their other programs."
"Are they trying? Sure, they've been trying since 1995, 1996 when Korean diplomats in the UN began to take computer programming courses in New York," added Lewis. "But the idea that they have low capabilities in all these areas and high capabilities in this one area [cyber] is just a little bit hard to believe."
Here's what the intelligence unit at cyber security firm Mandiant tells Killer Apps about the North Korean military's cyber endeavors:
While we are unable to determine the extent of North Korean cyber capabilities, we anticipate they may be capable of offensive cyber operations, cyber espionage, and surreptitious intelligence collection on individuals or organizations they perceive as threatening.
North Korea's Automation University graduates around 100 skilled cyber specialists each year and several academies and schools in North Korea now focus on training electronic warfare specialists that support at least two hacker brigades. The majority of North Korea's cyber activities, as reported in the open press, have focused on South Korea. However, we consider that North Korea could target U.S. commercial entities for military or dual use technologies it lacks due to ongoing trade sanctions. During times of heightened political tensions, targeting critical infrastructure or computer networks of either South Korea or the United States might appeal as a perceived lower-risk form of escalation.
We believe North Korea will become more active in the cyber domain as the regime struggles to maintain legitimacy as a military power amid international scrutiny surrounding its nuclear program. Computer network operations employed as a lever of influence, coercion or disruption might appeal to North Korean authorities constrained by the sanctions regime.
This week has provided a couple of interesting clues as to how the U.S. Navy might deal with the proliferation of weapons meant to keep U.S. ships so far from an enemy's shore that its weapons would be useless.
On Wednesday, Lockheed Martin scored a $54 million contract to prepare its prototype next-generation anti-ship missile for a pair of test launches from a ship. DARPA gave the Bethesda-based defense giant the money to move ahead with its Long Range Anti-Ship Missile (LRASM) program, according to a DOD contract announcement.
"LRASM is a joint DARPA/Office of Naval Research effort to develop and demonstrate standoff anti-ship strike weapon technologies," reads the announcement.
In English, that means the missile is meant to allow U.S. ships and planes to hit enemy ships from outside the range of the adversary's weapons and air defenses. The LRASM is supposed to use its own sensors to autonomously hunt for its targets once it is in the air, in case the enemy is jamming communications between the missile and the ship that fired it.
To keep costs and development time under control, DARPA is looking at basing the LRASM (under development since 2009) on the long-range version of Lockheed's stealthy Joint Air-to-Surface-Standoff Missile and packing it with additional sensors.
Today, Flight Global reported that the Navy is thinking about putting extra fuel tanks on its fleet of F/A-18E/F Super Hornets in an attempt to give them extra range -- something that would be helpful when fighting a nation with weapons aimed at keeping U.S. aircraft carriers at bay.
Remember, nations like China are developing radars and missiles aimed at keeping enemy ships and aircraft far from their shores in hopes of limiting the weapons that can be brought to bear against them -- a strategy the Pentagon calls anti-access/area denial, or A2AD.
U.S. defense officials want to overcome this by developing a new host of stealthy long-range carrier-based drones, a new fleet of stealth bombers and a variety of long-range missiles that can slip through radars screens, find targets, collect intelligence on them, and then destroy them. In addition, the U.S. is looking at ways to spread its forces among bare-bones bases throughout the Pacific in an effort to make them harder to target in case of a conflict.
Web commerce giant Amazon is apparently building a cloud-computing network for the CIA. Trade publication Federal Computer Week has reported that the agency will pay the online retail pioneer up to $600 million to develop its own private cloud over the next decade.
This would make plenty of sense. Amazon is well-known for providing cloud-computing services to the private sector, and government agencies dealing with classified information are pushing to adopt cloud services as a way of consolidating thousands of network "enclaves" that are hard to defend. The Pentagon, for example, is building what it says will be a defendable, upgradable network, known as the Joint Information Environment.
While the CIA declined to comment to FCW about the project, an agency official revealed in a public forum that Langley is adopting commercial software in order to keep up with the pace of innovation in the private sector.
Speaking to the Northern Virginia Technology Council Board of Directors on March 12, Central Intelligence Agency Chief Information Officer Jeanne Tisinger told an audience of several dozen people how the CIA is leveraging the commercial sector's innovation cycle, looking for cost efficiencies in commodity IT, and using software-as-a-service for common solutions.
Two audience members who asked not to be named told FCW that Tisinger said the CIA was working "with companies like Amazon."
The piece goes on to cite CIA Chief Technology Officer Gus Hunt's February comments saying that Amazon had a software-as-a-service model that "really works." Remember, software-as-a-service (SaaS) means that businesses buy web/cloud-hosted software accounts rather than making a onetime purchase of software that is installed on their computers. Think of all the features your Google account gives you -- email, document creation and sharing, Web site analytics, etc. That's a very basic example of a mix of free and premium software-as-a-service.
"Think Amazon - that model really works," regarding the purchasing of software services on a "metered" basis for which Amazon is well-known for. Hunt has also spoken publicly in the past about the potential for leveraging public cloud infrastructure for non-classified information.
Historically, the CIA's cloud computing strategy centered on a number of smaller, highly specific private clouds. While the full scope of its current contract with Amazon is not yet clear, it is likely this contract essentially brings a public cloud computing environment inside the secure firewalls of the intelligence community, thereby negating concerns of classified data being hosted in any public environment.
Expect this trend to continue as the government moves to purchase technology -- especially in cloud and mobile tech -- that can keep up the extremely rapid pace of innovation at a time of declining military budgets. NSA and the Defense Information Systems Agency (DISA) -- the Pentagon's Internet service provider -- are working to field commercially-available smart phones and tablets that use secure cloud software to allow them to handle classified information.
Keep in mind that all this commercially available tech will need to be tweaked to be extra secure against cyber attack
"We've got to be able to do this securely. We cannot give up the security, the confidentiality, the pedigree of our data at the unclassified level, because of [the need to protect personal information about users]. But at the classified levels, consistent themes are going to be not only security but identification and access management," said DISA's Chief Technology Officer, Dave Mihelcic, said while discussing the DOD's efforts to adopt such technology at an industry luncheon in February.
In case you haven't been following it, the Twitter traffic from today's Cyber Dialogue 2013 at the University of Toronto's Munk School of Global Affairs featured a great quote from a recently retired Canadian general.
Lt. Gen. Andrew Leslie (chief of the Canadian Army from 2006 to 2010, shown above in 2009) apparently made a comment that yours truly has heard plenty of times in Washington: a major, destructive cyber attack would likely prompt a knee-jerk reaction from governments that greatly expanded their control of the Internet. Killer Apps wasn't at the event to hear the quote directly, but here's what people who were at the event tweeted about it.
Taylor Owen, research director at Columbia University's Tow Center for Digital Journalism, tweeted that the general's comments sent "a chill over" the conference:
Scott Carpenter of Google Ideas called the Canadian general's comment "a weird threat":
Finally, Richard Bejtlich, chief security officer at cyber firm Mandiant, tweeted:
It's interesting to see cyber professionals from some of the foremost institutions in tech, business, and journalism express surprise over Leslie's comments. U.S. lawmakers have made similar comments throughout the last year in trying to pass cyber security legislation.
Reps. Mike Rogers and Dutch Ruppersburger -- co-sponsors of CISPA, the cyber security bill currently being worked on in the House -- have used this argument several times in an attempt to push lawmakers to adopt their bill, which civil liberties advocates say is harmful to individual privacy rights.
Last summer, James Lewis of the Center for Strategic and International Studies warned that a destructive cyber attack will likely result in Congress passing legislation that runs roughshod over privacy rights.
Bruce MacRae, Flickr
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.