Long predicted to emerge as the next theater of military operations and intelligence services, cyber warfare has finally come of age in a string of global attacks and retaliatory strikes stretching from China to the highest echelons of the U.S. government.
But the steps the Obama administration says must be taken to protect the nation from computer-based enemies — explained in secret leaked memos not meant for public consumption — raise critical questions in the familiar debate over how far is too far in protecting what the government insists are vital national security interests.
A series of hacks and malicious breaches of sensitive computer systems in the United States and other Western nations in the past 12 months have raised awareness of the apparent threat posed by cyber criminals, either working alone or as part of government-sponsored groups in countries like China. Just last week, the Energy Department’s computer systems were crippled by a hacking event that some experts charge was conducted by China, although federal officials would not officially comment on the source.
The Energy Department incident is just one of several in a wave of “widespread” cyber attacks many say can be linked back to China. Several financial institutions have been targeted, and computer systems at the New York Times and the Wall Street Journal were breached in the wake of investigations by those two newspapers into allegations of criminal corruption within the Chinese government. Such attacks are on the rise, and are increasingly targeting a wide range of private companies and key public infrastructure or government agencies in the US and abroad.
Allegations that Chinese hackers infiltrated the computers of two leading U.S. newspapers add to a growing number of cyber attacks on Western companies, governments and foreign-based dissidents that are believed to originate in China, experts say.
According to one recent report, one in every three observed computer attacks in the third quarter of 2012 emanated from China.
Chinese officials have denied that Beijing has supported any cyber attacks, stressing that hacking is illegal in the country.
The New York Times reported Wednesday it had been the target of four months of cyber assaults, which started during an investigation by the newspaper into the wealth reportedly accumulated by relatives of the Chinese premier, Wen Jiabao. The Wall Street Journal said Thursday that its computer systems also had been infiltrated by Chinese hackers.
Cyber security experts say the alleged attack on The New York Times appeared to be similar to previously reported attacks that were linked to China.
But rather than being an innocent victim of virtual foreign invasions, the United States — along with key allies — has been engaging in similar cyber-based intelligence gathering and military-style operations that can only be described as hostile.
Now a new directive from top advisors to President Obama sets a legal groundwork for sweeping presidential authority to preemptively launch cyber strikes against real or perceived enemies overseas or within US borders, a move that civil liberties activists say is a dangerous “power grab” that could severely erode the rights of American citizens.
The New York Times reports on a leaked legal review that covers how and when the growing “cyberarsenal” stockpiled by the Pentagon and the federal government can be used. That opinion gives “broad powers” to the president in being able to launch preemptive cyber attacks against groups or countries perceived to be threats to US national security. Specifics of the rules are to remain “highly classified,” identical to the controversial drone program used in extrajudicial killings of suspected terrorists, including American citizens.
Public perception may be that using computer-based weaponry or offensive tactics may be considerably more innocuous than launching a preemptive ground or air attack, and is thus no cause for debate or alarm. But the rapidly changing nature of cyber warfare means that using the military’s arsenal of cyber weapons is every bit as belligerent and dangerous as authorizing a ground war, and will likely be viewed by any potential targets of such strikes as an act of outright war.
With the rules of engagement relating to computer-based attacks now crafted to give the president startling powers and little chance to be overruled on any decision to launch hostilities, military officials expect a much more “aggressive” stance to be taken in combating cyber probes from hostile nations or groups.
A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.
That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation’s first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.
The rules will be highly classified, just as those governing drone strikes have been closely held. John O. Brennan, Mr. Obama’s chief counterterrorism adviser and his nominee to run the Central Intelligence Agency, played a central role in developing the administration’s policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the American arsenal.
Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow. Officials said that the new cyberpolicies had been guided by a decade of evolution in counterterrorism policy, particularly on the division of authority between the military and the intelligence agencies in deploying cyberweapons. Officials spoke on condition of anonymity because they were not authorized to talk on the record.
As the process of defining the rules of engagement began more than a year ago, one senior administration official emphasized that the United States had restrained its use of cyberweapons. “There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done,” the official said.
There has only been one known instance of the United States using cyber warfare against a foreign target. President Obama personally ordered a sophisticated and extensive hacking operation against Iran and its suspected nuclear ambitions. The so-called “Stuxnet” worm was used by the US and Israel to cripple Iranian nuclear sites and government computer programs, bringing them down for an extended period of time and ostensibly setting back Iran’s nuclear weapons operations.
Besides the sweeping memo detailing the use of preemptive cyber strikes, the Obama administration has also launched a more public effort to focus on prevention and security of the nation’s computer-based infrastructure. Part of that initiative is getting private corporations on board with a coordinated security apparatus, something businesses have been skeptical of due to the chance that such a program would lead to greater government control of databases and even the internet.
The unlikely partners of these corporations have been privacy and civil liberties advocates who share the concern over the lack of transparency and unchecked government authority in the name of cyber protection.
But now the administration has strongarmed the private sector into backing a comprehensive cyber security program, aided by the slew of attacks on corporate systems coming from China.
Big business lobbyists quashed an effort to pass a comprehensive cybersecurity law on Capitol Hill last year, but the attacks – some reportedly orchestrated by Iran – have caused companies to reconsider, some experts said.
“We tried to do cybersecurity legislation pre- and post-9/11 and what was challenging was that the private sector was reluctant to share information and so was the government,” says Kiersten Todt Coon, a former senior staff member of the Senate homeland security committee and now president of Liberty Group Ventures.
But after a slew of attacks that Ms Todt Coon said were committed with a level of “diligence and intensity” that the financial sector in particular had never experienced before, there was a new sense of “we need your help and we need to work together”.
The leaked memo on America’s use of cyberwarfare has sparked outcry from critics contending that the Obama administration is taking an “undemocratic” path and even usurping the Constitution by giving the President warmaking powers that go far beyond mere computer viruses.
The complexity and scope of the modern cyberwarfare arsenal, amassed at great cost by the Pentagon, means that one presidential directive launching a cyber-based strike on a foe could quickly develop into something far more serious when dealing with nuclear powers like China, moving the world “closer” to the “midnight” of a nuclear war.
According to The New York Times, the Obama Administration has concluded that the President has the authority to launch preemptive cyberattacks.
This is a very dangerous, and very undemocratic power grab.
There are no checks or balances when the President, alone, decides when to engage in an act of war.
And this new aggressive stance will lead to a cyber arms race. The United States has evidently already used cyber weapons against Iran, and so many other countries will assume that cyber warfare is an acceptable tool and will try to use it themselves.
Most troubling, U.S. cybersupremacy—and that is Pentagon doctrine—will also raise fears among nuclear powers like Russia, China, and North Korea that the United States may use a cyberattack as the opening move in a nuclear attack.
For if the United States can knock out the command and control structure of an enemy’s nuclear arsenal, it can then launch an all-out nuclear attack on that enemy with impunity. This would make such nuclear powers more ready to launch their nuclear weapons preemptively for fear that they would be rendered useless. So we’ve just moved a little closer to midnight.
Broad authority to order hostile cyber attacks on foreign foes without congressional approval — a free pass to start a war, in essence — is only one of the latest instances where President Obama and his talented team of legal minds have created new policies and powers for a commander in chief that can easily be categorized as unprecedented.
As Kevin Gosztola writes at Firedoglake, Obama’s policies, from drones to de facto assassinations to cyber warfare, are carefully selected to manufacture a path to “conduct war without needing authorization.”
Finally, like with the drone program, President Barack Obama is presiding over the creation and development of a power that previous presidents never imagined having. The national security state is effectively appointing him and all future presidents the proverbial judge, jury and executioner when it comes to cyber warfare.
There is no indication that any group of members in Congress or judicial body will have to approve of a preemptive strike before it is carried out. As has become typical, the president wants to be able to conduct war without needing authorization.
The policy will expand the imperial presidency and the public and civil society organizations, which have a distinct interest in knowing what the government is doing, will be kept in the dark on what is legal and illegal in cyber operations. The Congress will barely make any effort to defend its right to provide oversight of this new power. And any future details on this power will mostly come from selective leaks provided by officials, who do not think they will face repercussions for talking to the press. The policy itself, the rules for cyber war, will remain concealed.