3Qs: The rules of cyber-engagement

Mar 06, 2013 by Jason Kornwitz
The Obama administration is reportedly close to approving the nation’s first set of rules for how the military can defend or retaliate against a major cyberattack, according to a report last month in The New York Times. Credit: Thinkstock

The Obama administration is close to approving the nation's first set of rules for how the military can defend or retaliate against a major cyberattack, according to a report last month in The New York Times. One such new rule would reportedly give the president power to order a pre-emptive strike if the U.S. detects a credible threat from a foreign adversary. Northeastern University news office asked William Robertson, an expert in detecting and preventing Web-based attacks and an assistant professor with dual appointments in the College of Engineering and the College of Computer and Information Science, to assess the potential policy and the growing cyberarms race.

Former Defense Secretary Leon E. Panetta has warned that a cyberattack from a foreign nation or extremist group could be equally as destructive as the terrorist attack of 9/11. What would a cyber-9/11 look like and how does the president's power to order a pre-emptive cyberstrike against a foreign adversary impact the chances of such an attack?

The term "cyber-9/11″ is quite clearly meant to conjure up imagery surrounding the nation's shock in reaction to the airliner hijackings of 2001. One between those attacks and an imagined cyber-9/11 is the element of surprise, where the attackers might very well execute an operation against the nation without advance detection. A strike against the nation's —such as the power distribution network or —could have far-reaching effects that harm or in some other way affect millions of Americans.

One can interpret the recent reported strategizing by the administration on the preemptive use of cyberweapons as a form of deterrence against would-be attackers, in much the same way that our nation's conventional military serves as a deterrent to potential adversaries. Given the history of alleged attacks against American assets by foreign actors located in China and Russia, it is quite possible that the recent decision to allow for preemptive cyberattacks is aimed squarely at nations such as these.

Unfortunately, only goes so far. It's unlikely to be effective against those adversaries that either do not anticipate experiencing great harm from a preemptive —for instance, if attack attribution is difficult or the attackers do not possess significant technological assets—or the attackers have sufficient motivations—e.g., religious or political—that they are willing to risk the consequences.

The Washington Post recently reported the Pentagon is planning to significantly expand the Defense Department's Cyber Command to counter attacks against the nation's computer networks and execute operations on foreign adversaries. From your vantage point as a co-principal investigator of a $4.5 million grant from the National Science Foundation to train the next generation of cyberdetectives, why is the federal government having such a difficult time finding and training qualified cyberspecialists?

One reason for the difficulty in recruiting cyberoperators is simply the scarcity of qualified labor. People with the necessary skills are few and far between, and this shortage is evident in both government and industry circles. A related difficulty is that not every candidate who possesses the requisite technical background has the temperament or inclination for these jobs. Both defensive and offensive roles are stressful and demanding, and as in the case of the conventional military, many choose career paths that do not involve these characteristics.

Another consideration is that convincing top talent to work in a state or federal role can be an uphill battle. Government is competing for a small pool of candidates that can quite easily command large salaries and benefits in the private sector, either by working for any number of established security companies or as freelance consultants.

According to reports, critics have suggested that contractors and consultants looking for a big payday are overstating the cyberthreats to the nation's critical infrastructure. Where should the potential for a catastrophic cyberattack rank on the federal government's list of security concerns?

In my opinion, preparation for catastrophic cyberattacks should be a top priority for government, in cooperation with industry. Those who work in security are all too aware of the fact that our systems are already being attacked, our data is already being exfiltrated, and our infrastructure has already been demonstrated to be "porous" at best. When you consider that bolstering our defenses against catastrophic attacks will also likely translate to a more secure posture against the low-intensity cybercold war that we are already experiencing, as well as stimulate the creation of new jobs and technologies, it would seem to be the forward-​​thinking direction to move.

Explore further: Ebola.com domain sold for big payout

add to favorites email to friend print save as pdf

Related Stories

US military prepares new rules for cyber war: Panetta

Oct 12, 2012

The United States faces a growing threat of a "cyber-Pearl Harbor" and has drafted new rules for the military that would enable it to move aggressively against digital attacks, Defense Secretary Leon Panetta ...

Too much hysteria over cyber attacks: US experts

Feb 15, 2011

Overblown talk of full-on cyber war between nations fueled by recent attacks like the computer worm Stuxnet could hamper Internet security efforts, officials and experts warned Tuesday.

24,000 files stolen from defense contractor: Pentagon

Jul 15, 2011

A foreign intelligence service swiped 24,000 computer files from a US defense contractor in March in one of the largest ever cyberattacks on a Pentagon supplier, a top Defense Department official revealed on Thursday.

Destructive cyber attack inevitable: NSA chief

Feb 18, 2011

The US National Security Agency (NSA) chief on Thursday urged top computer security specialists to harden the nation's critical infrastructure against inevitable destructive cyber attacks.

US Senate in new cybersecurity push

Feb 15, 2012

US senators, warning of potentially catastrophic cyberattacks, introduced a bill Tuesday aimed at protecting critical infrastructure such as power, water and transportation systems.

Recommended for you

Ebola.com domain sold for big payout

Oct 24, 2014

The owners of the website Ebola.com have scored a big payday with the outbreak of the epidemic, selling the domain for more than $200,000 in cash and stock.

Facebook goes retro with 'Rooms' chat app

Oct 23, 2014

Facebook on Thursday released an application that lets people create virtual "rooms" to chat about whatever they wish using any name they would like.

User comments : 0