In Digital Combat U.S. Finds No Easy Deterrent

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.

After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.

These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.

So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.

“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”

But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.

There is, in fact, an intense debate inside and outside the government about what the United States can credibly threaten. One alternative could be a diplomatic démarche, or formal protest, like the one the State Department said was forthcoming, but was still not delivered, in the Google case. Economic retaliation and criminal prosecution are also possibilities.

Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the United States would justify a pre-emptive American cyberattack — something the president would have to authorize. In an extreme case, like evidence that an adversary was about to launch an attack intended to shut down power stations across America, some officials argue that the right response might be a military strike.

“We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb,” said Joseph Nye, a professor at the Kennedy School at Harvard. “It won’t have the same shape as nuclear deterrence, but what you heard Secretary Clinton doing was beginning to explain that we can create some high costs for attackers.”

Fighting Shadows

When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan. 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack — a battle unlike any they had engaged in.

Participants in the war game emerged with a worrisome realization. Because the Internet has blurred the line between military and civilian targets, an adversary can cripple a country — say, freeze its credit markets — without ever taking aim at a government installation or a military network, meaning that the Defense Department’s advanced capabilities may not be brought to bear short of a presidential order.

“The fact of the matter,” said one senior intelligence official, “is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.”

William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America’s concepts for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre-World War II France.

Mr. Lynn, one of the Pentagon’s top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America’s banks, businesses and military installations provide a similarly illusory sense of security.

“A fortress mentality will not work in cyber,” he said. “We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us.”

The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate.

“We are looking beyond just the pure military might as the solution to every deterrence problem,” said Gen. Kevin P. Chilton, in charge of the military’s Strategic Command, which defends military computer networks. “There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.”

But first you would have to figure out who was behind the attack.

Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a “Trojan horse” — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. China’s denials, American officials say, are one reason that President Obama has said nothing in public about the attacks — a notable silence, given that he has made cybersecurity a central part of national security strategy.

“You have to be quite careful about attributions and accusations,” said a senior administration official deeply involved in dealing with the Chinese incident with Google. The official was authorized by the Obama administration to talk about its strategy, with the condition that he would not be named.

“It’s the nature of these attacks that the forensics are difficult,” the official added. “The perpetrator can mask their involvement, or disguise it as another country’s.” Those are known as “false flag” attacks, and American officials worry about being fooled by a dissident group, or a criminal gang, into retaliating against the wrong country.

Nonetheless, the White House said in a statement that “deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start,” citing work in the past year to protect networks and “international engagement to influence the behavior of potential adversaries.”

Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Mr. Obama’s thinking on the issue, said: “Like most operational things like this, the less said, the better.” But he added, “there are authorities to deal with these attacks residing in many places, and ultimately, of course, with the president.”

Others are less convinced. “The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,” said James A. Lewis, director of the Center for Strategic and International Studies program on technology and public policy.

In its final years, the Bush administration started a highly classified effort, led by Melissa Hathaway, to build the foundations of a national cyberdeterrence strategy. “We didn’t even come close,” she said in a recent interview. Her hope had been to recreate Project Solarium, which President Dwight D. Eisenhower began in the sunroom of the White House in 1953, to come up with new ways of thinking about the nuclear threats then facing the country. “There was a lot of good work done, but it lacked the rigor of the original Solarium Project. They didn’t produce what you need to do decision making.”

Ms. Hathaway was asked to stay on to run Mr. Obama’s early review. Yet when the unclassified version of its report was published in the spring, there was little mention of deterrence. She left the administration when she was not chosen as the White House cybersecurity coordinator. After a delay of seven months, that post is now filled: Howard A. Schmidt, a veteran computer specialist, reported for work last week, just as the government was sorting through the lessons of the Google attack and calculating its chances of halting a more serious one in the future.

Government-Corporate Divide

In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cellphone networks, neutralizing its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.

So part of the problem is to calibrate a response to the severity of the attack.

The government has responded to the escalating cyberattacks by ordering up new strategies and a new United States Cyber Command. The office of Defense Secretary Robert M. Gates — whose unclassified e-mail system was hacked in 2007 — is developing a “framework document” that would describe the threat and potential responses, and perhaps the beginnings of a deterrence strategy to parallel the one used in the nuclear world.

The new Cyber Command, if approved by Congress, would be run by Lt. Gen. Keith B. Alexander, head of the National Security Agency. Since the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be in charge of both finding and, if so ordered, neutralizing cyberattacks in the making.

But many in the military, led by General Chilton of the Strategic Command and Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the United States to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation.

Mrs. Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harbored groups that conduct cyberattacks could be ostracized. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.

That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.

An Obama administration official who has been dealing with the Chinese mused recently, “You could argue that Google came up with a potential deterrent for the Chinese before we did.”

In the news ....

North Korea-China

:  China's Premier Wen Jiabao met North Korean premier Kim Yong Il on Sunday at Sunan airport at the start of Wen’s three day state visit.  Despite the speculation, Wen’s trip is about restoring bilateral ties that have been strained since China supported sanctions against North Korea last May.  The significance of the visit is that it is taking place. That means the strain since May has ended, but not that relations will ever be as they had been in the past.

 North Korea-India

: The Indian Navy detained a North Korean ship in Indian waters near Vatakara, Kerala State, southwestern India, China Daily reported 4 October, citing a statement from the Indian Defence Ministry. The navy and coast guard spotted the ship, Hyang Ro, anchored in Indian waters, and immediately detained the ship and its crew. Unnamed Indian sources said the preliminary investigations show the ship was bound for Pakistan via Colombo, Sri Lanka. A search is being conducted to make sure no illegal cargo is aboard. The Hyang Ro is owned by Pyongyang-based Sinhung Shipping Company, a state-owned export company.
 The Indians are serious about enforcing the sanctions against North Korea, especially when the cargos are bound for Pakistan. The North Koreans are equally serious about continuing to try to ship their weapons.

Pakistan:

 Unnamed US defense officials said today that Pakistan has enough soldiers and equipment mobilized to launch a ground offensive against Taliban militants in South Waziristan, Reuters reported 4 October. The officials said that a Pakistani effort to eliminate Taliban and al Qaida sanctuaries in the border region between Pakistan and Afghanistan is critical to the success of the U.S. mission in Afghanistan.
The Pakistani military has been imposing a blockade on the region, and used air and artillery attacks to harass the Pakistani Taliban. However, the Army has claimed that shortages in supplies are the reason for its delay in commencing ground operations in Waziristan. About 28,000 Pakistani forces are deployed to the region, according to a Pakistani military spokesman.
Comment:  The Reuters item published the comments attributed to US defense officials without providing context. Still, the comments are odd because the US is applying a capabilities yardstick to the Pakistan Army that it does not apply to itself, the most powerful country in the world.
No public source has estimated the strength of the Wazir opposition fighters that the Pakistan Army might face. It might be a 1:1 ratio in which case the unnamed US defense officials need to work on their sums, before moving to higher math.  The issues in South Asia seem to invite vacuous statements in the name of information operations, which the US does not seem to do well. But the statements do lack context.
Not lacking in context are the ten steps to victory in Afghanistan published by the New York Times. Each could be challenged in one or other way, but Paul Pillar’s comments about ending Pakistani patronage to the Afghan Taliban is on point.  Pakistan’s continuing support to its proxy in the long fight against India is an open secret, just as its support to Kashmiri militants and separatists is. It has given up neither, just as the commitment to counter terrorism as a national security priority is a grand ruse for the Americans.
The one issue NW would take with Pillar’s comment is the benchmarks.  Pillar’s metrics are soft and subjective, but the world has seen what Pakistan can do when its leaders set their minds to it.  In 2003, when Musharraf was in power in Islamabad and Vajpayee in office in New Delhi, Musharraf ordered a military ceasefire across the Line of Control in Kashmir and instituted a sustained control regime on the Kashmiri militants supported by the Inter-Services Intelligence Directorate. 
The result of Musharraf’s orders were Inter-Services Intelligence agents were forced to reduce aid to the militants to bare sustainment levels; stopped infiltration; stopped the flow of arms and ammunition to the militants and into Indian Kashmir and confined militant leaders and supporters to camps back from the Line of Control.  
To his credit, Musharraf maintained the ceasefire and the clamp down on the militants until his resignation in 2008. It was the longest period of comparative quiet along the Line of Control in decades. The point is Pakistan can control insurgency based in Pakistan. Omar and the Quetta Shura have safehaven in Pakistan because Pakistanis have concluded the survival of the Afghan Taliban is in Pakistan’s national security interests during the period after the Americans tire and leave again.
If the Pakistani leaders should get serious about booting the Quetta Shura, there will be plenty of metrics and easy to detect. They are not serious.
Putting the two comments together, it is vital that the US impose greater discipline on the big mouths who are leaking in the name of information operations or other misguided ideas.  US successes in Afghanistan do not create a record that would justify anonymous US defense officials in presuming to preach to anyone, much less Pakistanis.
Secondly, the US record of engagement in south Asia is that of a nation with attention deficit disorder. Consider, in the past week Iran’s facility at Qom supplanted Pakistan and Afghanistan – real battle zones -- as the issues du jour. Perceptive Readers will presume this was a deliberate US stratagem.  Thus, Pakistan’s focus on its long term interests and its long term, sustained loyal friends is well justified. Only China and the Pashtuns fall into those categories.
Finally, the collective wisdom of the US experts about Waziristan could fit into a small booklet and most of that would be plagiarized. The British, now, and the Pakistanis have first hand experience in mounting combat operations against the Wazirs. None were particularly distinguished, but at least they did not feature unnamed defense officials sitting in air conditioned comfort in Washington criticizing Pakistan.

Afghanistan

: For the record. As for the record of US success in Afghanistan, a US spokesman said eight American soldiers and two Afghans were killed in an attack on two outposts in remote eastern Afghanistan. The military statement Sunday said a tribal militia launched the attack from a mosque and a nearby village in Nuristan Province. eastern Afghanistan. 
This makes any US criticism of Pakistan look quite misaimed.

Afghanistan

-The Netherlands: Update. The leaders of two parties essential to the Christian Democrat-led coalition in the Netherlands announced their parties will not vote to extend the presence of the 1,400-man Dutch contingent in Afghanistan. When the latest commitment expires in 2010, the Dutch soldiers will depart, according to the party leaders, who point out the Dutch soldiers already have stayed two years longer than first agreed.

Iran

:  Comment:  The weekend press was over the top in repeating old news about the state of Iran’s knowledge of nuclear warhead design.  This is old news.  Last month The Associated Press and Night

Watch

reported on the draft study by the International Atomic Energy Agency that concluded Iran had the knowledge for making a nuclear weapon.
The big news this weekend, which no television or radio media repoprted, is that the Institute for Science and International Security has obtained more details from the same study and posted the information on its web site.  More is not better and the new data in no way changes the bottom line from a month ago: Iran almost certainly knows how to make a nuclear bomb.  Pakistan’s A.Q. Khan made certain of that several years ago. Those who have followed this story are well aware.

International Atomic Energy Agency (IAEA)

chief Mohamed El Baradei said that the conflict over Iran's nuclear program is "shifting gears" from confrontation into transparency and cooperation, and that nuclear inspectors will visit Iran's recently disclosed uranium processing facility 25 October, China Daily reported. El Baradei made the statement in Tehran following talks with Iranian officials, including nuclear chief Ali Akbar Salehi, about the recently revealed nuclear site, and said that the inspections will be conducted in accordance with the nuclear Non-Proliferation Treaty.
El Baradei lost his detachment about Iran years ago and failed to maintain discipline in his own organization. He opposes sanctions or other forms of coercion that would limit his access to Iran or prove the agency under his tenure failed in controlling, much less preventing, nuclear weapons proliferation.

Somalia

:  Update. The government in Mogadishu will not be able to defeat hard-line al Shabaab militants without international assistance to strengthen its security forces, Somali Interior Minister Abdukadir Ali Omar said 4 October. Omar said Somali security forces are not strong enough, and that African Union peacekeepers have a defensive mandate that prevents them from eradicating the al Shabaab militant group, which recently recaptured Kismayo port.
Omar’s timing in calling for outside troops could hardly be worse. The irony is that Afghanistan has no al Qaida presence, according to National Security Advisor Jones, today, but reinforcements for Afghanistan are being justified on the grounds of stopping al Qaida from re-establishing a base there. 

Somalia

is on the verge of becoming a new safe haven for al Qaida and any number of other terrorist groups. Unlike Afghanistan, Somalia is a region where the international terrorist threat is authentic, but only two African states, a few French and a few American security specialists and some Somali clans want to stop al Qaida from establishing a base in Somalia

NATO’s Rasmussen on Cyber Risks

On 1 October, NATO Sec Gen Anders Fogh Rasmussen

addressed Lloyd’s of London

on the emerging security risks of piracy, cyber and climate change. Most of his

speech

concerned the latter but he had this to say about responding to cyber threats:
Cyber security – our second topic today – is another case in point.  Government and private companies launch cyber-attacks.  Governments and industry suffer the consequences, in terms of lost revenue, lost data and lost services.  And it will take cooperation between the public and private sectors to build real defences.
We also want to do better at cyber defence.  NATO’s Cyber Defence Centre is a good step in the right direction.  But the sustained, directed cyber attacks Estonia suffered a couple of years ago shows that the problem is much bigger than that.  On both subjects, I’m very much looking forward to the discussions today.
But there is a fundamental difference between, one the one hand, piracy and cybersecurity, and climate change on the other.  In the first two cases, the threat is very clear.  We know what a pirate looks like – and no, I’m not thinking of someone with an eye patch and parrot on his shoulder.  I’m thinking of someone well armed and ruthless.  The kidnapping and ransom is taking place now.  The costs to industry and Governments are easily calculated.  And while implementing them might be difficult, we have a pretty good idea of what the right solutions might be.
The same is true of cyber defence.  Attacks on industry and government websites and information systems are already a daily occurrence.  Again, the costs are pretty easy to calculate.  And while we are certainly able to do better, we have a general idea of the steps we should take. The challenge is figuring out how to do it.
Although referring principally to climate change, his concluding comments were also applicable to cyber:
This cannot be done by the defence people alone.  It has to be a true team effort: civilian and military, public sector and private companies as well – all talking together, and working out mutually reinforcing efforts.  That might seem unrealistic, to those of us who have been in politics a few years.  No glacier is as imposing, no desert so impassable as the stovepipes within Governments.  Then again, sailors never thought the mythical North-West Passage would ever open. But it is opening.  Anything’s possible.
Rasmussen’s right – the door is opening (the North-West Passage metaphor, if it was meant as a metaphor, is a curious one; I thought it was a bad thing, what with the Arctic ice melting like billy-o ‘n all) but not very wide.