Security experts said this week that they were cheered by calls from General Keith Alexander, head of the new U.S. Cyber Command, for global rules of engagement for cyber-war, and for increased engagement with nations that are major sources of cyber crime and espionage, including Russia and China.
Following through on these calls will be crucial to securing cyberspace, says Ronald Deibert, who directs the Citizen Lab Internet think-tank at the University of Toronto. “There is a major imperative for governments to negotiate the ‘rules of the road’ for engagement in this domain, or risk increasing chaos and mutual insecurity,” he says.
Alexander, director of the National Security Agency, was confirmed to his additional post on May 7. The command merges existing military cyber operations, and would defend against–and potentially launch–cyber attacks in times of war. “Their primary function is military, and he made it sound mainly defensive: it’s to give the combatant commanders an edge in cyberspace,” says James Lewis, a senior fellow at the Center for Strategic and International Studies (CSIS) who directs its technology and public policy program.
But the role will be more expansive than that, as Alexander made clear in his June 3 talk at CSIS, his first public appearance since his confirmation. The Cyber Command will also support military and counterterrorism missions, work with the Department of Homeland Security to help protect government and private networks and–if his speech was any indication–serve as a means to advance global cyber accords. (Highlights and a full transcript can be found here.)
Alexander called for global agreements to crack down on espionage such as the China-based attacks that hit Google earlier this year. “It’s going to take all take all of the countries together to fix that,” Alexander said, referring to the lack of incentives for nations and corporations to refrain from cyber espionage. “And when all countries can come up and agree: ‘This is going to be the way we’re going to operate and the way we’re going to defend and the way we’re going to do this,’ and we all agree to it, that will go a long way.”
He also suggested that the U.S. might follow up with Russia’s proposal for a cyber arms control treaty–an idea Russia advanced after declining to join a global cyber-crime accord sought by the United States and many European nations. “I do think that we have to establish the rules and I think what Russia’s put forward is, perhaps, the starting point for international debate–not at my level, but at levels above me.”
In 2007, when Estonia was hit by extensive cyber attacks directed largely from Russia, the Russian government blamed “patriotic Russians” and denied involvement. Lewis says that the U.S., if it were to join any such agreement, would want Russia and other countries to take responsibility for attacks launched from their soil. “If pirate ships were to set sail from Leningrad, we wouldn’t let them get away with that,” he said.
Leningrad, of course, is now known as St. Petersburg, a city that is a major center of cyber crime. Lewis adds that the U.S. is accelerating its shift away from Bush-era unilateralism. “For a long time the U.S. focused on unilateral action and no engagement and cooperation, and we appear to have realized that doesn’t work in a global network.”
Last month, a leading Russian cyber official, Vladimir Sherstyuk, who directs the Institute of Information Security Issues at Moscow State University and sits on the nation’s National Security Council, told Technology Review that Russia was willing to work with the United States. Efforts to reach Sherstyuk this week were unsuccessful.
Alexander also outlined the extreme difficulty of gaining “situational awareness” in cyberspace, especially with regard to espionage. “There are many takeaways [from Alexander’s talk] but a major one is that they have insufficient ability to understand what is transpiring on networks quickly,” said John Mallery, a researcher at MIT’s Computer Science and Artificial Intelligence Lab. “Advanced cyber threats, like those posed by the Russians or Chinese, are hard to detect. Their exploits are professional and supported by large skilled intelligence bureaucracies.” Defending against such threats may require more access to private networks to detect subtle and sophisticated attack patterns, he added.
Deibert says one major question now is how to preserve privacy amid such efforts. “The key questions, as always, will concern the substance of those negotiations: will we see a charter for global cyberspace that protects and preserves this domain as an open, global commons of information? Or will we see the further imposition of digital controls, nationalized communications spaces, and widespread surveillance?”
In April, Alexander reassured Congress that he would work to protect civil liberties even as he sought to gain a clearer picture of cyberspace. Elaborating, on June 3, he explained that the new command will operate under the same umbrella as the NSA, meaning it would consult with Congress, the Department of Justice, and would seek approval from the Foreign Intelligence Surveillance Court–which oversees surveillance on foreign agents inside the United States–to ensure the constitutionality of its actions.
In terms of waging actual cyber warfare, Alexander also said the new command is reviewing how it will handle different situations–such as a direct attack on the United States, one passing through a third country, or a case of espionage that resembles an attack. In general, Alexander said, he is reviewing the complex nuances of the rules of engagement. “Do those comport with the laws, the responsibilities that we have? Can we clearly articulate those so that people know and expect what will happen? And I think we have to look at it in two different venues, what we’re doing here in peacetime and what we need to do in wartime to support those units that are in combat,” he explained.