Pentagon considers preemptive strikes as part of cyber-defense strategy

By Ellen Nakashima

Washington Post Staff Writer

Saturday, August 28, 2010; 10:00 PM

The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas - but it is still wrestling with how to pursue the strategy legally.

The department is developing a range of weapons capabilities, including tools that would allow "attack and exploitation of adversary information systems" and that can "deceive, deny, disrupt, degrade and destroy" information and information systems, according to Defense Department budget documents.

But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries' sovereignty.

Some officials and experts say they doubt the technology exists to use such capabilities effectively, and they question the need for such measures when, they say, traditional defensive steps such as updating firewalls, protecting computer ports and changing passwords are not always taken.

Still, the deployment of such hardware and software would be the next logical step in a cyber strategy outlined last week by Deputy Secretary of Defense William J. Lynn III. The strategy turns on the "active defense" of military computer systems, what he called a "fundamental shift in the U.S. approach to network defense."

Though officials have not clearly defined the term and no consensus exists on what it means, Lynn has said the approach includes "reaching out" to block malicious software "before they arrive at the door" of military networks. Blocking bad code at the border of its networks is considered to be within the Pentagon's authority.

On the other hand, destroying it in an adversary's network in another country may cross a line, and officials are trying to articulate a clear policy for such preemptive cyber activity.

"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us," Gen. Keith Alexander, the head of the Pentagon's new Cyber Command, told an audience in Tampa this month.

The command - made up of 1,000 elite military hackers and spies under one four-star general - is the linchpin of the Pentagon's new strategy and is slated to become fully operational Oct. 1.

Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.

"We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."

Another senior defense official said, "I think we understand that in order for us to ensure integrity within the military networks, we've got to be able to reach out as far as we can - once we know where the threat is coming from - and try to eliminate that threat where we can."

One senior defense official said that active defense is akin to being in a battle zone when someone is firing a machine gun at you, detecting the bullets, putting up a shield and knocking down the bullets. "Wouldn't it be a far better idea to get the machine gun? So that's an extension of a real-time defense - just shut the threat down."

Perhaps the most difficult issues are technological and operational. Because the precise configuration of an adversary's computer is difficult to discern through the Internet, it can be very difficult to, for example, disrupt that computer's ability to attack without affecting other computers that might be connected to it. The military's dismantling in 2008 of a Saudi Web site that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, for example, and the Obama administration put a moratorium on such network warfare actions until clear rules could be established.

"Why are you talking yourself into this massive debate when no one has said this works 100 percent of the time and it's worth the fight?" said an industry official who formerly worked at the Pentagon.

But a senior defense official familiar with state-of-the-art technology said, "I would tend to say that we can be much more precise than people could imagine." The official, like others quoted for this story, was not authorized to speak on the record.

Alexander, who also heads the National Security Agency, which was set up in 1952 to spy electronically overseas, acknowledged in Tampa that offensive capabilities must be based on "the rule of law," according to the Military Tech blog Cnet News.

And that is the crux of the debate. For the better part of a year, defense officials have been discussing the options with the White House, Justice Department, Department of Homeland Security and Congress. "I have seen clearly changes in the last two or three months where there's willingness of the senior leaders to start thinking through those scenarios, and that's something I don't think we were seeing a year ago," said a military official who was not authorized to speak for the record.

Still, taking action against an attacker's computer in another country may well violate a country's sovereignty, experts said. And government lawyers have questioned whether the Pentagon has the legal authority to take certain actions - such as shutting down a network in a country with which the United States is not at war. The CIA has argued that doing so constitutes a "covert" action that only it has the authority to carry out, and only with a presidential order.

Policymakers also are grappling with questions of international law. "We are having a big debate about what constitutes the use of force or an armed attack in cyberspace," said Herbert S. Lin, a cyber expert with the National Research Council of the National Academy of Sciences. "We need to know where those lines are so that we don't cross them ourselves when we conduct offensive actions in cyberspace against other nations."

The senior defense official who spoke about the military's capabilities said if cyber operators detected that some attacker was about to issue a network command to a device installed somewhere in the United States that would have "a disastrous effect" causing mass destruction, "I'm hard pressed to imagine that anyone would argue you shouldn't preempt that - even if it was sitting on neutral territory."

But short of that, noted a military official, "there's a lot of reluctance to go into foreign cyberspace and take actions that are preemptive."

Officials have noted they can use other non-cyber options, including diplomatic action, to respond to threats. The United States might approach a foreign government for help in blocking a threat, using the appeal that "it might be aimed at us now, it could be aimed at you later, it might be aimed at us collectively" in terms of the instability it induces in the global networks, said the senior defense official. "That's an approach that is often ignored."

The industry official said his concern is "the militarization" of the international dialogue. "Any time Pentagon leaders start using the terms 'active defense,' " he said, "then my concern is that foreign countries use that as a basis for their doctrine, starting a cycle of tit for tat."

The Pentagon has standing rules of engagement for network defense, such as the right of self-defense. But the line between self-defense and offensive action can be difficult to discern.

"This is a big, big problem," said one former intelligence official who noted that it took years to develop nuclear deterrence doctrine. "We are just at the beginning of figuring this out."

© 2010 The Washington Post Company