Wednesday, October 17, 2012

Fact-checking Secretary Panetta's Speech Regarding a Preemptive Strike


In an important speech on Thursday night, Defense Secretary Leon Panetta spoke about how the Department of Defense has improved capabilities to protect the U.S. against the threat of a catastrophic cyber attack, and said that if such an attack were imminent, the U.S. would strike first. While this statement was clearly meant to deliver a message to Iran, which featured prominently in the Secretary's remarks, the U.S. lacks the technical ability to deliver on that threat.

According to the Law of Armed Conflict, a nation state must be under imminent threat of an attack which will cause grievous harm to its populace before it can launch a pre-emptive strike in self defense. Rather than a traditional kinetic attack, Secretary Panetta specifically referred to a cyber attack by "an aggressor nation or extremist group [who] could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals". The Secretary went on to say that "If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President".

The fact is, however, that neither the NSA nor any other agency has the ability to identify a malicious program that was custom-written to target an industrial control system before the attack occurs. It cannot "see" such a program traveling across the Internet backbone, assuming that were the delivery method. More likely, as in the case of Stuxnet, Shamoon, and other malware, it would be hand-carried onto the target's premises and inserted via removable media into a networked computer, which bypasses the capabilities of any NSA-run signals intelligence program to identify it.

Even if we had the ability to discern the purpose and target of malware in transit, we'd also have to know which nation state was behind it. Although Secretary Panetta claimed that DoD has made "significant advances" in determining attribution, there's ample reason to doubt that statement, the most obvious being the Secretary's own words that "DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." Anonymity has provided much of the impetus for the increasing number of automated and targeted attacks against the U.S. and other countries. Those attacks are on the rise because anonymity remains intact.

U.S. offensive cyber warfare capabilities are second to none, but in the words of General Peter Pace, the former Chairman of the Joint Chiefs of Staff, we cannot defend against what we send out. Since what we have sent out (like Stuxnet) is being reverse-engineered, we should re-think whether our being in a weak defensive state is really the best time to be running offensive cyber operations in the first place.
