Why are the protocols and rules of engagement for defending cyberspace seemingly different than in the physical world? Especially when it comes to defending the private sector?
If a missile hit a private company, there is no question what the protocols would be. However, cyberspace offers a different paradigm, leading retired Army Gen. Keith Alexander, the former National Security Agency director and U.S. Cyber Command commander, to say “our approach to defending our country in cyberspace is not where it needs to be. It’s broken.”
During an appearance at an event hosted by the Aspen Institute July 18, Alexander outlined his vision for defending the nation in cyberspace, noting that the gist of this plan is what he briefed to President Trump during a recent meeting on securing the nation.
Alexander explained that most agree the government and private sector own this responsibility; however, for the private sector, if they can’t see what or who is attacking them, they can’t ask for help.
“If a nation state were to throw a missile into Sony it would be Northern Command’s responsibility to stop that missile because Northern Command can see the missile coming in. NORAD would see it, they would work and shoot down that missile, hopefully. That’s a military response,” he said. “In cyber, the issue is how do you create the rules of engagement that go at network speed? Remember shooting down a missile you got 25-30 minutes … In cyber it can go around the world [in] 134 milliseconds.”
The rules of engagement have to go with the people defending, he said. “Right now industry can’t show the government what’s attacking them. So, if you take ... when Sony’s being attacked, Sony doesn’t know it’s being attacked, it’s being attacked by a nation state and by the time Sony understands it, it’s all over,” Alexander continued.
The previous administration established a framework for civilian defense under Presidential Policy Directive 41, outlining the government’s response to cyber incidents affecting both the private and public sector.
Despite these processes outlined, which essentially define a set of so-called whole-of-government efforts aimed at deterring malicious actions and responding to incidents, Alexander went a step further discussing how incidents can be prevented and intervened.
“Let’s now change that whole framework and say for a company or a set of companies and sectors, what if they were able to push up data — think of it as dialing 9-1-1 but at network speed — when they’re being attacked,” he said. “And that has to go to the right government agencies, in this case the Defense Department, in my opinion. And the Defense Department should have a set of rules of engagement — they say it’s coming from North Korea and they know what then to do to stop it. And it should be practiced and rehearsed.”
Cyber Command’s annual Cyber Guard exercise, in part, seeks to game out how DoD, in conjunction with other federal and private sector partners, will respond to a national cyber incident.
Cyber Command, Alexander said, is the only government organization with offensive authority and capability that can counterattack. NSA can provide reconnaissance and maybe covert capabilities, if that’s the direction the president decides to go, while the Department of Homeland Security would have the responsibility to keep the affected sector operational.
Cyber Command could offer its cyber protection teams, essentially quick reaction forces that intervene following incidents to get networks back up and running. “Send them or help them virtually help keep that sector up,” Alexander said. These teams were sent in after the email hack of the Joint Chiefs of Staff and White House a few years ago.
Alexander explained that his recommendation to the president was to allow Secretary of Defense Jim Mattis and Secretary of Homeland Security John Kelly to come up with the division of effort in the event of a cyber incident.
“Cyber Command has the only offensive force. There are no shooters in DHS. Period,” he said. “So if you want to stop someone from attacking you, DHS can do incident response … that means the National Transportation Safety Board, clean up after the plane crashes, it doesn’t stop it. We want to stop this from happening. And what DHS would do is set standards.”
Others have proposed a “hack back” solution that affords limited authorities to private companies to be able to go into gray space — or the natural internet space — to retrieve stolen data from cyber thieves. The thinking is that there are so many incidents that move so fast the government is too overworked to respond to every one. Detractors of this policy note that it could become a slippery slope making cyberspace — what some already refer to as the wild west — even more chaotic.
“I see [threats and risk within the private sector] every single day, I saw it in my time at the bureau and I see that now, but that is the battlefield; we’ve got civilians, citizens who are literally fighting nation-states day in and day out,” CrowdStrike President and former FBI agent Shawn Henry said in 2016 at the Intelligence and National Security Summit.
“Twenty-eight-[year-olds], 32-year-olds who have no war training to fight and sustain an attack by a nation-state adversary — yet that’s what they’re being asked to do because in our current role, while the government brings great value and great benefit to help to deter our adversary, the reality of it is we are not sitting in the ISPs filtering out all the traffic. Therefore, all the malicious code, all the adversary’s capabilities are being brought to bear in the private sector, and often times that’s the first line of defense.”
Cyber Iron Dome
Alexander also described what he called an “iron dome” for the energy sector.
“The energy sector, if they’re attacked, how do we see it? Several of the energy companies are working with us now to now create what we’ll call an ‘iron dome’ — so think of this as these big companies they’re going to all instrument their network so that when they’re being attacked it can be visible and you can see what’s attacking our energy sector,” he said. “Some of that is criminal … but you would be able to see it with the intent — if you can see it amongst the companies in the energy sector they can share it with the government at the same speed.”
This, Alexander said, is truly a comprehensive cybersecurity solution allowing sectors and the government to work together for a comprehensive common defense.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.