Communications Litigation Today was a Warren News publication.
‘Often Wrong, Never in Doubt’

Hill, Public Discussion Sought on Critique of U.S. Strategy to Carry Out Cyberattacks

BERKELEY, Calif. -- Capitol Hill committees are being asked to hold hearings on the risks and shortcomings of U.S. strategy for carrying out cyberattacks, said the director of an expert study for one of the congressionally chartered National Academies. Chief Scientist Herbert Lin of the National Research Council’s Computer Science and Telecommunications Board told us that participants in the board’s Committee on Offensive Information War have made inquiries about hearings in the Foreign Relations committees or preferably the Intelligence committees. “We're working to the issue,” Lin said at the University of California campus. “We don’t know that there will be hearings."

The House Foreign Affairs Committee has considered the issue but has no hearings planned, a spokeswoman said Thursday. Lin “has not approached us,” she said, saying the Intelligence or Homeland Security committees might be a more suitable forum. Representatives of the other committees that Lin mentioned didn’t get back to us right away, apart from a spokesman for Chairman Dianne Feinstein, D-Calif., of the Senate Select Committee on Intelligence noting that much of its work is secret.

Lin was making a presentation late Wednesday publicizing the committee’s conclusions that U.S. attack efforts are uncoordinated, fraught with danger and complexity, and unduly secret. The committee’s 14 members included William Studeman, a former National Security Agency director; MIT’s David Clark, an architect of the Internet; lawyers Michael Vatis of Steptoe & Johnson and Walter Slocombe of Caplin & Drysdale; and faculty members at elite law schools. A 368-page report put out in April 2009, and the research that went into it, were paid for by the council, Microsoft and the MacArthur Foundation.

The report may have had effects already, Lin said. “People are more willing to talk” about U.S. cyberwarfare than before it came out, he said. Lin said he promotes the report’s conclusions to unspecified audiences made up of people with high security clearances. “They say ’thank you,’ and then there’s dead silence,” he recounted. Lin said presentation organizers tell him afterward, “You stimulated all kinds of fascinating discussions. They couldn’t talk to you about it. You came in uncleared.” Obama administration officials are more responsive than their predecessors, but only in “certain ways,” Lin said. When information about the government’s Comprehensive National Cybersecurity Initiative was made public this month, the material about offensive capabilities “was not declassified,” he said.

The council’s report couldn’t reach a crucial goal of any policy document, Lin acknowledged: Addressing the suggestions to the specific officials responsible so they can take action. “We couldn’t find anybody who was the right target for the recommendations. There was no entity in Washington set up to take action.” The government has no structure for dealing with cyberattack policy, he said. A “cyberczar” finally has been appointed, but lacking “a budget line” and subordinate to the National Security Council and National Economic Council is “relatively impotent,” Lin said.

The “implied declared policy” of the U.S. government, pieced together from unclassified statements, is that “we want to use cyberattacks like any other weapon,” Lin said. But “you never write it down anywhere.” Former cyberczar Richard Clarke said at the RSA Conference this month that the U.S. certainly engages in cyberwar, but the policy is kept from Congress and the public.

Cyberattack strategy is a minefield, Lin said. The U.S. government might someday have to decide whether to attack large numbers of hijacked American computers, he said. It probably would instead ask ISPs to cut them off, Lin said. He predicted that ISPs will increasingly include in their service agreements promises by subscribers not to let their machines be used for misconduct. The hack against Google said to have been traced into China highlights many complications, Lin said. They include whether a private attack victim can intrude on a foreign network for retaliation or even to gain evidence of responsibility and whether the U.S. will be held responsible for private actions along these lines.

It’s by no means clear that government authority should be highly centralized, Lin said. “You want a place where all” the interests involved are represented, “not just the military,” he said. “It’s not just the domain of one party."

Offensive information warfare requires flexibility because no “one-size-fits-all” response will work for all the kinds of crisis possible, Lin said. But “the tendency of policymakers” is “to have one solution,” he said. And U.S. leaders have little experience in the field and must make decisions with little hard information and in an atmosphere of high tension, Lin said. “They are often wrong but never in doubt” about cyberattacks, he quoted an unidentified former Justice Department official as saying.

Many people “say we as a nation should foreswear certain kinds of cyberwarfare capabilities,” Lin said. But “if you said you weren’t developing this capability, no one would believe you” anyway, so “people would be reluctant to give up” the option unilaterally, he said. The “characteristics of cyberattack” that get in the way of attributing it are “very, very well aligned” with the “plausible deniability” required for covert action, Lin said.

The expertise to carry out an attack is widespread and the technology is “available at Best Buy and Fry’s,” Lin said. This is one of the reasons that parallels to nuclear warfare and deterring it are “problematic,” he said. The National Research Council last week offered a $1,000 prize and a conference speaking spot to the winner of a contest for the best idea for deterring a cyberattack on the U.S. The deadline for submitting an abstract is April 1.

International control agreements would be very tricky, because trust and verification would be nearly impossible, Lin said. Each country would have to assume that the others are cheating, he said. The legitimacy of hacking for intelligence would come into question under a ban on cyberattacks to destroy facilities, since the methods are the same, Lin said. The U.S. “would have to live by -- on paper” whatever restrictions it got any other country to agree to, he said. The Defense Department “likes a situation where we can do everything and nobody else can do anything,” he said. “But that’s not stable in the long term.”