Pentagon Sets Stage for U.S. to Respond to Computer Sabotage
WSJ is on a roll
Cyber Combat: Act of War
Pentagon Sets Stage for U.S. to Respond to Computer Sabotage With Military Force
By SIOBHAN GORMAN And JULIAN E. BARNES
WASHINGTON—The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.
The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military.
In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official.
The Pentagon is studying when cyber attacks justify military action. An Air Force security center in Colorado.
Recent attacks on the Pentagon's own systems—as well as the sabotaging of Iran's nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.
The report will also spark a debate over a range of sensitive issues the Pentagon left unaddressed, including whether the U.S. can ever be certain about an attack's origin, and how to define when computer sabotage is serious enough to constitute an act of war. These questions have already been a topic of dispute within the military.
One idea gaining momentum at the Pentagon is the notion of "equivalence." If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a "use of force" consideration, which could merit retaliation.
The War on Cyber Attacks
Attacks of varying severity have rattled nations in recent years.
June 2009: First version of Stuxnet virus starts spreading, eventually sabotaging Iran's nuclear program. Some experts suspect it was an Israeli attempt, possibly with American help.
November 2008: A computer virus believed to have originated in Russia succeeds in penetrating at least one classified U.S. military computer network.
August 2008: Online attack on websites of Georgian government agencies and financial institutions at start of brief war between Russia and Georgia.
May 2007: Attack on Estonian banking and government websites occurs that is similar to the later one in Georgia but has greater impact because Estonia is more dependent on online banking.
The Pentagon's document runs about 30 pages in its classified version and 12 pages in the unclassified one. It concludes that the Laws of Armed Conflict—derived from various treaties and customs that, over the years, have come to guide the conduct of war and proportionality of response—apply in cyberspace as in traditional warfare, according to three defense officials who have read the document. The document goes on to describe the Defense Department's dependence on information technology and why it must forge partnerships with other nations and private industry to protect infrastructure.
The strategy will also state the importance of synchronizing U.S. cyber-war doctrine with that of its allies, and will set out principles for new security policies. The North Atlantic Treaty Organization took an initial step last year when it decided that, in the event of a cyber attack on an ally, it would convene a group to "consult together" on the attacks, but they wouldn't be required to help each other respond. The group hasn't yet met to confer on a cyber incident.
Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say.
The move to formalize the Pentagon's thinking was born of the military's realization the U.S. has been slow to build up defenses against these kinds of attacks, even as civilian and military infrastructure has grown more dependent on the Internet. The military established a new command last year, headed by the director of the National Security Agency, to consolidate military network security and attack efforts.
The Pentagon itself was rattled by the 2008 attack, a breach significant enough that the Chairman of the Joint Chiefs briefed then-President George W. Bush. At the time, Pentagon officials said they believed the attack originated in Russia, although didn't say whether they believed the attacks were connected to the government. Russia has denied involvement.
The Rules of Armed Conflict that guide traditional wars are derived from a series of international treaties, such as the Geneva Conventions, as well as practices that the U.S. and other nations consider customary international law. But cyber warfare isn't covered by existing treaties. So military officials say they want to seek a consensus among allies about how to proceed.
"Act of war" is a political phrase, not a legal term, said Charles Dunlap, a retired Air Force Major General and professor at Duke University law school. Gen. Dunlap argues cyber attacks that have a violent effect are the legal equivalent of armed attacks, or what the military calls a "use of force."
"A cyber attack is governed by basically the same rules as any other kind of attack if the effects of it are essentially the same," Gen. Dunlap said Monday. The U.S. would need to show that the cyber weapon used had an effect that was the equivalent of a conventional attack.
James Lewis, a computer-security specialist at the Center for Strategic and International Studies who has advised the Obama administration, said Pentagon officials are currently figuring out what kind of cyber attack would constitute a use of force. Many military planners believe the trigger for retaliation should be the amount of damage—actual or attempted—caused by the attack.
For instance, if computer sabotage shut down as much commerce as would a naval blockade, it could be considered an act of war that justifies retaliation, Mr. Lewis said. Gauges would include "death, damage, destruction or a high level of disruption," he said.
Culpability, military planners argue in internal Pentagon debates, depends on the degree to which the attack, or the weapons themselves, can be linked to a foreign government. That's a tricky prospect at the best of times.
The brief 2008 war between Russia and Georgia included a cyber attack that disrupted the websites of Georgian government agencies and financial institutions. The damage wasn't permanent but did disrupt communication early in the war.
A subsequent NATO study said it was too hard to apply the laws of armed conflict to that cyber attack because both the perpetrator and impact were unclear. At the time, Georgia blamed its neighbor, Russia, which denied any involvement.
Much also remains unknown about one of the best-known cyber weapons, the Stuxnet computer virus that sabotaged some of Iran's nuclear centrifuges. While some experts suspect it was an Israeli attack, because of coding characteristics, possibly with American assistance, that hasn't been proven. Iran was the location of only 60% of the infections, according to a study by the computer security firm Symantec. Other locations included Indonesia, India, Pakistan and the U.S.
Officials from Israel and the U.S. have declined to comment on the allegations.
Defense officials refuse to discuss potential cyber adversaries, although military and intelligence officials say they have identified previous attacks originating in Russia and China. A 2009 government-sponsored report from the U.S.-China Economic and Security Review Commission said that China's People's Liberation Army has its own computer warriors, the equivalent of the American National Security Agency.
That's why military planners believe the best way to deter major attacks is to hold countries that build cyber weapons responsible for their use. A parallel, outside experts say, is the George W. Bush administration's policy of holding foreign governments accountable for harboring terrorist organizations, a policy that led to the U.S. military campaign to oust the Taliban from power in Afghanistan.
Iran Vows to Unplug Internet
By CHRISTOPHER RHOADS and FARNAZ FASSIHI
An Iranian engineer who helped design and run the country's Internet filters says he subtly undermined some censorship until fleeing into exile
Iran is taking steps toward an aggressive new form of censorship: a so-called national Internet that could, in effect, disconnect Iranian cyberspace from the rest of the world.
The leadership in Iran sees the project as a way to end the fight for control of the Internet, according to observers of Iranian policy inside and outside the country. Iran, already among the most sophisticated nations in online censoring, also promotes its national Internet as a cost-saving measure for consumers and as a way to uphold Islamic moral codes.
In February, as pro-democracy protests spread rapidly across the Middle East and North Africa, Reza Bagheri Asl, director of the telecommunication ministry's research institute, told an Iranian news agency that soon 60% of the nation's homes and businesses would be on the new, internal network. Within two years it would extend to the entire country, he said.
The unusual initiative appears part of a broader effort to confront what the regime now considers a major threat: an online invasion of Western ideas, culture and influence, primarily originating from the U.S. In recent speeches, Iran's Supreme Leader Ayatollah Ali Khamenei and other top officials have called this emerging conflict the "soft war."
On Friday, new reports emerged in the local press that Iran also intends to roll out its own computer operating system in coming months to replace Microsoft Corp.'s Windows. The development, which couldn't be independently confirmed, was attributed to Reza Taghipour, Iran's communication minister.
Iran's national Internet will be "a genuinely halal network, aimed at Muslims on an ethical and moral level," Ali Aghamohammadi, Iran's head of economic affairs, said recently according to a state-run news service. Halal means compliant with Islamic law.
Mr. Aghamohammadi said the new network would at first operate in parallel to the normal Internet—banks, government ministries and large companies would continue to have access to the regular Internet. Eventually, he said, the national network could replace the global Internet in Iran, as well as in other Muslim countries.
A spokesman for Iran's mission to the United Nations declined to comment further, saying the matter is a "technical question about the scientific progress of the country."
There are many obstacles. Even for a country isolated economically from the West by sanctions, the Internet is an important business tool. Limiting access could hinder investment from Russia, China and other trading partners. There's also the matter of having the expertise and resources for creating Iranian equivalents of popular search engines and websites, like Google.
Few think that Iran could completely cut its links to the wider Internet. But it could move toward a dual-Internet structure used in a few other countries with repressive regimes.
Myanmar said last October that public Internet connections would run through a separate system controlled and monitored by a new government company, accessing theoretically just Myanmar content. It's introducing alternatives to popular websites including an email service, called Ymail, as a replacement for Google Inc.'s Gmail.
Cuba, too, has what amounts to two Internets—one that connects to the outside world for tourists and government officials, and the other a closed and monitored network, with limited access, for public use. North Korea is taking its first tentative steps into cyberspace with a similar dual network, though with far fewer people on a much more rudimentary system.
Iran has a developed Internet culture, and blogs play a prominent role—even President Mahmoud Ahmadinejad has one.
Though estimates vary, about 11 of every 100 Iranians are online, according to the International Telecommunication Union, among the highest percentages among comparable countries in the region. Because of this, during the protests following 2009's controversial presidential election, the world was able to follow events on the ground nearly live, through video and images circulated on Twitter, Facebook and elsewhere.
"It might not be possible to cut off Iran and put it in a box," said Fred Petrossian, who fled Iran in the 1990s and is now online editor of Radio Farda, which is Free Europe/Radio Liberty's Iranian news service. "But it's what they're working on."
The discovery last year of the sophisticated "Stuxnet" computer worm that apparently disrupted Iran's nuclear program has added urgency to the Internet initiative, Iran watchers say. Iran believes the Stuxnet attack was orchestrated by Israel and the U.S.
"The regime no longer fears a physical attack from the West," said Mahmood Enayat, director of the Iran media program at the University of Pennsylvania's Annenberg School of Communications. "It still thinks the West wants to take over Iran, but through the Internet."
The U.S. State Department's funding of tools to circumvent Internet censorship, and Secretary of State Hillary Clinton's recent speeches advocating Internet freedom, have reinforced Iran's perceptions, these people said.
Iran got connected to the Internet in the early 1990s, making it the first Muslim nation in the Middle East online, and the second in the region behind Israel. Young, educated and largely centered in cities, Iranians embraced the new technology.
Authorities first encouraged Internet use, seeing it as a way to spread Islamic and revolutionary ideology and to support science and technology research. Hundreds of private Internet service providers emerged. Nearly all of them connected through Data Communications Iran, or DCI, the Internet arm of the state telecommunications monopoly.
The mood changed in the late 1990s, when Islamic hardliners pushed back against the more open policies of then-president Mohammad Khatami. The subsequent shuttering of dozens of so-called reformist newspapers had the unintended effect of triggering the explosion of the Iranian blogosphere. Journalists who had lost their jobs went online. Readers followed.
Authorities struck back. In 2003, officials announced plans to block more than 15,000 websites, according to a report by the OpenNet Initiative, a collaboration of several Western universities. The regime began arresting bloggers.
Iran tried to shore up its cyber defenses in other ways, including upgrading its filtering system, for the first time using only Iranian technology. Until around 2007, the country had relied on filtering gear from U.S. companies, obtained through third countries and sometimes involving pirated versions, including Secure Computing Corp.'s SmartFilter, as well as products from Juniper Networks Inc. and Fortinet Inc., according to Iranian engineers familiar with the filtering.
Such products are designed primarily to combat malware and viruses, but can be used to block other things, such as websites. Iranian officials several years ago designed their own filtering system—based on what they learned from the illegally obtained U.S. products—so they could service and upgrade it on their own, according to the Iranian engineers.
A Fortinet spokesman said he was unaware of any company products in Iran, adding that the company doesn't sell to embargoed countries, nor do its resellers. McAfee Inc., which owns Secure Computing, said no contract or support was provided to Iran. Intel Corp. recently bought McAfee, which added that it can now disable its technology obtained by embargoed countries. A Juniper spokesman said the company has a "strict policy of compliance with U.S. export law," and hasn't sold products to Iran.
The notion of an Iran-only Internet emerged in 2005 when Mr. Ahmadinejad became president. Officials experimented with pilot programs using a closed network serving more than 3,000 Iranian public schools as well as 400 local offices of the education ministry.
The government in 2008 allocated $1 billion to continue building the needed infrastructure. "The national Internet will not limit access for users," Abdolmajid Riazi, then-deputy director of communication technology in the ministry of telecommunications, said of the project that year. "It will instead empower Iran and protect its society from cultural invasion and threats."
Iran's government has also argued that an Iranian Internet would be cheaper for users. Replacing international data traffic with domestic traffic could cut down on hefty international telecom costs.
The widespread violence following Iran's deeply divisive presidential election in June 2009 exposed the limits of Iran's Internet control—strengthening the case for replacing the normal Internet with a closed, domestic version. In one of the most dramatic moments of the crisis, video showing the apparent shooting death of a female student, Neda Agha-Soltan, circulated globally and nearly in real time.
Some of the holes in Iran's Internet security blanket were punched by sympathetic people working within it. According to one former engineer at DCI, the government Internet company, during the 2009 protests he would block some prohibited websites only partially—letting traffic through to the outside world.
Since the 2009 protests, the government has ratcheted up its online repression. "Countering the soft war is the main priority for us today," Mr. Khamenei, the Supreme Leader, said November 2009 in a speech to members of the Basij, a pro-government paramilitary volunteer group. "In a soft war the enemy tries to make use of advanced and cultural and communication tools to spread lies and rumors."
The Revolutionary Guard, a powerful branch of the Iranian security forces, has taken the lead in the virtual fight. In late 2009, the Guard acquired a majority stake of the state telecom monopoly that owns DCI. That put all of Iran's communications networks under Revolutionary Guard control.
The Guard has created a "Cyber Army" as part of an effort to train more than 250,000 computer hackers. It recently took credit for attacks on Western sites including Voice of America, the U.S. government-funded international broadcasting service. And at the telecom ministry, work has begun on a national search engine called "Ya Hagh," or "Oh, Justice," as a possible alternative to popular search engines like Google and Yahoo.