NSA Chief: Cyberwar Rules of Engagement a Policy Minefield
It's not often that the military calls on Congress for guidance in conducting a war, but that's what the nominee to head the Pentagon's command for cyberwarfare did on the eve of a hearing on his appointment.
In a 32-page response to questions posed to him prior to the hearing by the Senate Armed Services Committee, Lt. Gen. Keith B. Alexander reportedly wrote that changes in cyberwarfare were happening so swiftly that there was a "mismatch between our technical capabilities to conduct operations and the governing laws and policies."
Requests by TechNewsWorld to obtain a copy of Alexander's response from the Department of Defense and the Senate committee were denied. "Responses to questions from Congressional committee members are the property of that committee," spokesperson USAF Lt. Col. Rene White told TechNewsWorld. "It would be inappropriate for the Defense Department to release that information." A committee staffer told TechNewsWorld that it was against the panel's policy to release the material to the public.
"He, in effect, is saying to the Congress that he needed some direction as the U.S. began to pursue various cyberwar scenarios to understand what was permitted and what wasn't," Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) in Washington, D.C., told TechNewsWorld.
EPIC has raised concerns about the impact of cyberwarfare on the privacy rights of U.S. citizens.
One policy gap created by cyberwarfare concerns the military's doctrine of engagement, Rotenberg noted, especially cyberattacks on civilian institutions, such as banks, power grids, financial networks and telecommunications. "That was an issue that came up in Iraq in the run-up to the war in 2003," Rotenberg said.
At that time, Bush cyberwarriors planned to freeze billions of dollars in Iraqi assets so the country would not be able to buy war supplies or pay its troops. The plan was scrapped, however, because it was feared that the collateral damage would extend beyond Iraq and create worldwide financial havoc that might even reach the U.S. financial system.
Another troublesome issue is the possibility that a cyberwar may spill over to U.S. soil. That creates a thorny problem for a military institution like the Cyber Command, since by tradition and law, the military only conducts domestic operations by order of the president.
"That's the largest concern here," Rotenberg declared. "When you have a battlefield, participants in that conflict understand, generally speaking, what the scope of activity can be."
"When the battlefield is unconstrained because the entire Internet is subject to warfare, both attack and defense," he continued, "then anything that's online can become caught up in the cyberwarfare strategy."
In his response to Congress, Alexander wrote that a presidential order would be necessary for the Defense Department and the Cyber Command to respond to a computer network attack on American soil.
In the conduct of a cyberwar, EPIC is concerned that one of the first casualties will be privacy. "We have concerns about privacy and surveillance and the use of the Cyber Command to extend the NSA's [National Security Agency's] surveillance authority, which we think is already too broad," Rotenberg argued.
EPIC's privacy concerns have been exacerbated by the fact that if Alexander's appointment is approved, he would head both the Cyber Command and the NSA. "We would like to see that authority separated," Rotenberg observed.
"We see the NSA's mission quite far-reaching in terms of surveillance and intelligence gathering," he continued, "and to also give Alexander this very broad authority to coordinate cyberattacks and cyberdefense will make this an extraordinarily powerful agency."
There seems to be little doubt that U.S. institutions are under attack every day by foreign governments, governments whose tactics are cribbed from the Internet underworld. "The difference is the amount of money they can spend on their attacks," Alan Paller, director of research for The SANS Institute in Chevy Chase, Md., told TechNewsWorld. "They can spend hundreds and hundreds of thousands of dollars to make an attack look real."
Computer networks add a new dimension to warfare, added Rotenberg. "But whether it should lead to much more surveillance of American Internet users, whether there should be new techniques of online authentication and identification are really big issues," he said. "They should be considered very carefully."