In language discussing the bill, conferees say that because there is no historical precedent for what constitutes traditional military activities in cyberspace, “it is necessary to affirm that such operations may be conducted pursuant to the same policy, principles and legal regimes that pertain to kinetic capabilities.”
This is big news, and historical. The rules and laws of kinetic war now apply to Cyber War, and this brings up all sorts of ideas. For example, will we see more Cyber Lance type activities? Maybe a US special forces team combined with civilian hackers to locate and kill/capture enemy hackers or whomever? Who knows, and who knows how these new rules will apply?
Perhaps we will see the same issues that have popped up for today’s modern wars. Especially with the hybrid of private and public forces in conflict. I say this, because the US does not have the monopoly on ‘hacking force’. If they want the best, they can try to develop that capability internally, but inevitably they will have to reach out to private companies or individuals that are experts in these fields and pay them to do it.
Here is one quote below that really perked me up. Check it out:
Since the military cannot afford to pay enough to recruit qualified software and Internet engineers for this sort of work, it has turned to commercial firms. There are already some out there, companies that are technically network security operations, but will also carry out offensive missions (often of questionable legality, but that has always been an aspect of the corporate security business.)
Some of these firms have quietly withdrawn from the Internet security business, gone dark, and apparently turned their efforts to the more lucrative task of creating Cyber War weapons for the Pentagon. It may have been one of these firms that created, or helped create, the Stuxnet worm.
I read this and thought, why not just fire up the Letter of Marque and Reprisal and give these firms the legal authority and protections necessary to take part in offensive operations? The LoM is sitting right there in the War Powers clause in the US Constitution, and it just seems to me that we are missing the boat when it comes to doing this stuff. We could be legally authorizing the companies to steal funds and intellectual property from all sorts of enemies out there, and label these companies cyber privateers. (which if the military helped at all, would those commanders or the US be entitled to a cut? lol)
My other thought about all of this is when will we see a Cyber Weapon used in such a way as to actually kill like a real weapon? And with this public/private partnership we will have, we could potentially see IT Security companies build these weapons, and possibly even launch it. Just imagine if Stuxnet actually caused deaths in some weapons plant or nuclear facility? That would definitely put the ‘War’ in Cyber War. Very interesting….-Matt
America Legalizes Cyber War
December 18, 2011
The U.S. Congress approved a new law on December 14th that allows the Department of Defense to conduct offensive Cyber War operations in response to Cyber War attacks on the United States. That is, the U.S. military is now authorized to make war via the Internet. The new law stipulates that all the rules that apply to conventional war, also apply to Cyber War. This includes the international law of armed conflict (meant to prevent war crimes and horrid behavior in general) and the U.S. War Powers Resolution (which requires a U.S. president to get permission from Congress within 90 days of entering into a war).
The U.S. Department of Defense has long advocated going on the offensive against criminal gangs and foreign governments that seek (and often succeed) to penetrate U.S. government and military Internet security, and steal information, or sabotage operations. Over the past year, and without much fanfare, the Department of Defense has been making preparations to do just that.
Since the military cannot afford to pay enough to recruit qualified software and Internet engineers for this sort of work, it has turned to commercial firms. There are already some out there, companies that are technically network security operations, but will also carry out offensive missions (often of questionable legality, but that has always been an aspect of the corporate security business.)
Some of these firms have quietly withdrawn from the Internet security business, gone dark, and apparently turned their efforts to the more lucrative task of creating Cyber War weapons for the Pentagon. It may have been one of these firms that created, or helped create, the Stuxnet worm.
An Internet worm is a computer program that constantly tries to copy itself to other computers. Stuxnet was a worm designed, very skillfully, as a weapons grade cyber weapon. The first “real one” as Internet security experts came to call it. While released in late 2009, Stuxnet was not discovered until a year later, and engineers are still dissecting it, and continue to be amazed at what a powerful Cyber War weapon it is. Stuxnet is the first live example of a first class Cyber War weapon, which means more are on the way (or sitting on someone’s hard drive waiting to be deployed.)
The success of Stuxnet, and similar worms believed to be out there, may be responsible for more Internet security companies moving over to the Cyber War weapons business. The most dangerous Cyber War weapons are those that, like Stuxnet, take advantage of largely unknown Internet vulnerabilities. These allow the attacker access to many business, government and military computers. This sort of thing is called, “using high value exploits” (flaws in code that are not yet widely known). Finding these exploits is expensive, and requires even more skill to use. For a long time, a major source of exploits was hackers for hire. These are skilled hackers, who know they are working on the wrong side of the law, and know how to do the job, take the money, and run. This situation has developed because organized crime has discovered the Internet, and the relatively easy money to be made via Internet extortion and theft.
But now commercial firms are hiring hackers and paying them good money to find and “weaponize” these exploits. It is believed that those nations that have Cyber War organizations, maintain arsenals of exploits. But exploits have a short shelf-life. Nearly all exploits eventually come to the attention of the publisher that created the exploitable software, and gets fixed.
However, not every user applies the “patches”, so there will always be some computers out there that are still vulnerable. But that makes “zero day exploits” (discovered and used for the first time) very valuable. That’s because you can use these exploits on any computer with the flawed software on it. While your average zero day exploit costs up to $100,000, or more, to discover, it is not useful for very long. Thus it is expensive to maintain an exploits arsenal, as you must keep finding new exploits to replace those which are patched into ineffectiveness.
Most of the Internet combat so far has been done under peacetime conditions. In wartime, it’s possible (especially for the United States) to cut off enemy countries from the Internet. Thus potential American foes want to maintain an official peacetime status, so the United States cannot use its ability to cut nations off (or nearly off) from the Internet, and remove easy access to American (and Western) targets. Thus the need to make attacks discreetly, so as to make it more difficult for an enemy to target stronger attacks against you, or threaten nuclear or conventional war.
Story here.
—————————————————————-
Congress authorizes offensive cyberspace military operations
December 15, 2011
By David Perera
A provision of the fiscal 2012 national defense authorization bill says the military may conduct offensive cyberspace operations subject to the same principles the Defense Department uses for kinetic operations, including the law of armed conflict, and the War Powers Resolution.
A conference committee of House and Senate lawmakers approved Dec. 12 a compromise version of the annual authorization bill; House lawmakers approved it in a 283-136 vote the evening of Dec. 14. The Senate is expected to approve the bill shortly and the White House has indicated President Obama will sign it.
In language discussing the bill, conferees say that because there is no historical precedent for what constitutes traditional military activities in cyberspace, “it is necessary to affirm that such operations may be conducted pursuant to the same policy, principles and legal regimes that pertain to kinetic capabilities.”
Conferees say they “stress that, as with any use of force, the War Powers Resolution may apply.” If that was meant to ensure congressional oversight over cyber military operations, it may not be a strong inducement, since under the War Powers Resolution of 1972, the president can committee troops abroad for up to 90 days without congressional authorization–and the constitutionality of even that restriction is in doubt.
The bill would also require the Defense Department to set up an insider threat mitigation program for information systems, a provision that was inspired by Wikileaks’ release of material allegedly given to it by Army PFC Bradley Manning. The bill provision would require the DoD to centrally monitor for unauthorized access to classified or controlled unclassified information.
In addition, the bill would require the Army to designate its effort to consolidate email systems as a formal acquisition program and have the secretary of the Army certify to Congress that the consolidation is “in the best technical and financial interests” of the Army.
The Army’s consolidation effort has been troubled, with service officials, who cited “nasty stuff,” pausing the effort in summer.
During a recent event sponsored by AFCEA NOVA, Rick Davis, director of operations, Army Network Enterprise Technology Command, said migration to a centralized solution is complete for 28.18 percent of Army email users.
“We should be close to wrapping the NIPRnet enterprise email with a few outliers by the end of March and then we’ll move on to SIPRnet,” he said, referring to DoD unclassified and secret-level classification networks. The Army has 977,227 email accounts, he added.
Story here.