Stuxnet and the Pentagon's Cyber Strategy
by Mr. Eric Sterner
October 13, 2010
Deputy Secretary of Defense William Lynn recently caused a stir in official Washington by publicly confirming that the Pentagon had suffered a massive computer breach in 2008. A foreign intelligence service successfully slipped an infected flash drive into a Central Command computer. The drive contained software that surreptitiously spread through both classified and unclassified government networks, establishing a "digital beachhead, from which data could be transferred to servers under foreign control." According to Lynn, "it was a network administrator's worst fear."
In addition to confirming the breach, Lynn previewed the Defense Department's cyber strategy, expected to be finalized by the end of the year. The strategy has several elements, including a defense in depth, with three layers: first, follow commercial best practices on security; second, deploy sensors, which map and detect intrusions; and, third, conduct "active defense." Lynn describes active defense as a system that automatically deploys defenses in real time based on intelligence warnings. According to Lynn, "part sensor, part sentry, part sharpshooter, these active defense systems represent a fundamental shift in the U.S. approach to network defense." This reference to "sharpshooters" raises questions, for it implies a more active role for the Defense Department.
Given the speed and range of cyber attacks, active defense depends on sophisticated rules of engagement, which must be set in advance. Lynn focuses on an attacker's motivation -- hacking, criminal, espionage or strategic -- to determine which body of law and regulation will govern a U.S. response. Although reading intent is not impossible, it is exceedingly difficult, perhaps more so given the difficulties associated with attributing an attack to any particular entity. (Indeed, Lynn dismisses retaliatory deterrence given these very difficulties in identifying an attacker, but does not address how the Defense Department will assess an attacker's motivations without knowing his or her identity.)
This may well prove a fatal flaw in the Pentagon's defensive posture. Attackers may seek to disguise their intent in order to trick the United States into employing the wrong defensive measures and applying the wrong legal regime. The Stuxnet worm, currently infecting thousands of computers around the world, illustrates the problem. The worm penetrates Supervisory Control and Data Acquisition (SCADA) systems, the programmable nodes that automate various procedures and processes and are embedded throughout the U.S. critical infrastructure, and issues new commands to them. Stuxnet appears designed to attack machines using Siemens software to operate large infrastructure projects, such as nuclear plants. It has been found widely in Iran, but China, India, Pakistan and the United States have also reported infections. The attack coincides with delays in Iran's nuclear program, which may be particularly vulnerable to cyber attack. As a result, many analysts predictably speculated that the worm represents a coordinated cyber attack on Iran's nuclear program, which the Iranians deny.
The strategic environment may warrant such speculation, but other explanations are also plausible. For example, a Siemens competitor might have launched the worm for the primary purpose of discrediting Siemens products, disguising its commercially motivated attack within the strategic context. Conversely, intelligence agencies, or any number of cyber actors, may have released the worm simply for the purpose of studying its propagation and laying the groundwork for future campaigns.
A cyber strategy that persists in segregating cyber attacks and attackers into existing legal and policymaking frameworks -- such as the one Lynn describes -- only ensures that the U.S. will always be a step behind. Individual attacks may occur in milliseconds. The offense-dominant nature of cyberspace ensures that an attacker will always have the initiative. While defenders are determining which framework and regime to use, the attacker moves on. Older frameworks, and rules of engagement based upon them, will not be able to adjust to the range of attackers, tools or possible consequences quickly enough to serve as reliable guides for an engagement. Instead, it will be necessary to create a new strategic mindset, new laws, and new regulations that treat conflict in cyberspace for what it is -- something entirely new and unique.
Active defense should not be approached as a series of discrete attack-defense engagements with corresponding rules for each engagement, but rather as a posture that grants a highly trained and expert defender some freedom of action to respond to an attack in real time. Sophisticated rules of engagement will still be necessary, but defenses must have greater strategic flexibility than a preset response framework generally permits once an attack is categorized.
One might consider an analogy from medicine: An emergency-room doctor possesses a set body of knowledge and complex training that provide guidelines for treating a problem, but is also free to use his or her intellect in dealing with an immediate crisis. At the same time, once a patient is out of immediate danger, specialists usually enter the picture to assess the original causes of a trauma and deal with its consequences. Each uses a different set of expertise, tools, and standard regimens to address a condition. Overall treatment is not limited by any particular preconceived framework. Of course, doctors do not deal with conscious adversaries who are purposely trying to confuse them, which means the task for America's cyber defenders will be considerably more challenging.
Active defense is a necessary component in America's cyber posture. But in developing rules of engagement, the United States will require more flexibility than doctors treating a patient. Stuxnet demonstrates cyberspace's vulnerability to determined attackers, but it also highlights the need to avoid rigid frameworks in developing appropriate rules of engagement for our cyber-defense systems.