Legalizing Private Hack Backs leads to Federal Risks

During the last year several op-ed articles and commentaries have proposed that private companies should have the right to strike back if cyber attacked and conduct their own offensive cyber operations.

The demarcation in cyber between the government sphere and the private sphere is important to uphold because it influences how we see the state and the framework in which states interact. One reason why we have a nation state is to, in a uniform and structured way, under the guidance of a representative democracy, deal with foreign hostility and malicious activity. The state is given its powers by the citizenry to protect the nation utilizing a monopoly on violence. The state then acts under the existing laws on behalf of the citizens to ensure the intentions of the population it represents. These powers create an authority that the federal government utilizes to enforce compliance with the laws and handle our relations with foreign powers. If the federal government cannot uphold the authority, legitimacy and confidence in government will suffer. The national interest in protecting legitimacy and authority and maintaining confidence in the federal government is by far stronger than the benefits of a few private entities departing on their own cyber odysseys to retaliate against foreign cyber attacks.

I would like to visualize the importance of demarcation between government and private entities with an example. A failed bank robbery leads to a standoff where the robbers are encircled by government law enforcement. The government upholds its monopoly on violence based on laws that permit the government, on behalf of the people, to engage the robbers in a potential shootout. All other citizens are instructed to leave the area. The law enforcement officers seek to solve the situation without any violence. This is how we have designed the demarcation between the government and the private sphere in the analog world.

If the US decides to allow companies to strike back against foreign cyber attacks, then the US has abandoned this demarcation between nation state and private sphere. Going back to the bank robbers who are surrounded by law enforcement, using the logic of private cyber retaliation, any bank customer who had an account in the robbed bank could show up at the standoff, open fire at the robbers at their own discretion, and depart directly afterward, leaving the police to sort out the shootout and the aftermath with no responsibility for the triggering event.

Abandoning the clear demarcation between government and private sphere leads to entropy, loss of control, and is counterproductive for the national cyberdefense and the national interest.

The counter argument is that the private companies are defenseless against cyber attacks and therefore they will have the right to self-defense.

The Commission on the Theft of American Intellectual Property published a report that was a strong proponent of allowing private companies to strike back and even retaliate against cyber attackers. According to the commission these counter strikes should be conducted as follows: “Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.”

The proponents for private cyber retaliation base their view on several assumptions. First, that the private company can attribute the attack and determine who is attacking them. The second assumption is that the counterstriking companies have the cyber resources to engage, even if it is a state-sponsored organization on the other end, and that there will be no damages. A third hidden assumption is that the events do not lead to uncontrolled escalation and that the cyber interchanges only affect the engaged parties.

An attacker has other options and can seek to attack other entities and institutions as a reprisal for the counterattack. If the initial attacker is a state-sponsored organization in a foreign country, multinational companies can have significant business and interests at risk if the situation escalates. Private companies will not be responsible for the aftermath, and the entropy that can occur undermines the American stance; the nation loses its higher ground in challenging the state sponsors behind the cyber attacks in the framework of the international community.

The answer to who should hack back, if deciding to do so, is simple: it should be the federal government, for the same reason that you would not fly on a passport issued by your neighbor across the street. Only the federal government is suitable to engage foreign nations and the private entities therein.

The unaddressed core problem is that we have not yet been able to create mechanisms to transfer cyber incidents from the private realm to the authorities. This limited ability during the short timeframe in which an attack occurs initially leads to an advantage for the cyber attacker, but this will be solved over time and does not outweigh the damages from an undermined federal authority due to entropy in cyber.

 

NDU Publication: China’s Strategic Support Force: A Force for a New Era

NDU Press just published:

http://ndupress.ndu.edu/Media/News/Article/1651760/chinas-strategic-support-force-a-force-for-a-new-era/

From the Executive Summary:

“In late 2015, the People’s Liberation Army (PLA) initiated reforms that have brought dramatic changes to its structure, model of warfighting, and organizational culture, including the creation of a Strategic Support Force (SSF) that centralizes most PLA space, cyber, electronic, and psychological warfare capabilities. The reforms come at an inflection point as the PLA seeks to pivot from land-based territorial defense to extended power projection to protect Chinese interests in the “strategic frontiers” of space, cyberspace, and the far seas. Understanding the new strategic roles of the SSF is essential to understanding how the PLA plans to fight and win informationized wars and how it will conduct information operations.”

 

Area Denial in Outer Space

(I initially published this text in Fifth Domain)

Any future nation-state adversary surely understands the U.S. reliance on satellite communications for global military operations. Therefore, they likely understand there is a crude and unsophisticated way to disturb and degrade satellite communication, an IED of outer space that can be introduced, by polluting orbits with shrapnel and debris that are likely to damage any space-borne assets in their way.

Essentially, an adversary can choose between two types of noncyber anti-satellite attacks: direct kinetic and indirect kinetic. While a direct kinetic anti-satellite missile attack on a U.S. satellite is possible, it would provide direct attribution to the attacker, thus leading to repercussions.

The thruster and the heat from a missile would be identified and attributed to the country or vessel that launched the attack. A direct kinetic attack might be inviting, but the political price is high. Even though it would be inviting to attack satellites, an adversary would not be able to attack without leaving a trace of tangible evidence. Using an ASAT missile is a grave act of war and can only reasonably be used if the perpetrator anticipates and accepts a wartime response.

For a potential adversary, it can be far more advantageous to increase the amount of debris that clutters specific orbits, thus epitomizing the indirect attack. Increasing debris can be accomplished through actively adding debris to specific well-targeted orbits, systematic designer accidents or collisions in space.

During the 18th century and until the Second World War, artillery units had a special round to be used if enemy infantry came uncomfortably close to the battery position: the case shot. The battery aimed toward the closing infantry and fired the case shots, which dispersed thousands of steel balls that created massive losses in the infantry ranks. Whether those steel balls hit an arm, a leg, the torso, or a hand did not matter; the infantry assault against the battery position lost momentum and ended.

By applying the case shot idea to space, we can see an unsophisticated way to radically increase debris by using space boosters to reach low Earth orbit (LEO) and then using kinetic energy to disperse hundreds of thousands of pieces of shrapnel into a segment of space. Any obsolete or crude missile — exemplified by the Iranian Shahab or the North Korean Taepodong — could act as a space booster to take the payload to space. A salvo of 20 such crude space boosters delivering a significant amount of prefragmented shrapnel could radically increase the amount of hypervelocity debris.

The probability of collision in space between a functional satellite and debris is a numbers game. Reduced to a simplified example, if the presence of 5,000 debris pieces at a specific altitude generates a risk of one satellite hit every 10 years — not taking into account additional debris generated from the impact — an additional 100,000 debris pieces would increase that risk drastically.

To illustrate the principle, 20 space boosters can lift 30 metric tons of payload to LEO — roughly 300,000 10g steel balls — that would be spread at hypervelocity into the satellite orbits. The attack is kinetic but indirect, as the target satellites are not individually targeted but are instead approached by a swarm of hypervelocity debris that impacts the target satellites either by penetration or by destroying antennas, solar panels or other equipment. This impact would initially generate more debris, although orbital decay would counterbalance some of it by moving it to a lower altitude; eventually, it would disappear from space. It would serve as anti-access and area denial for defined space orbits, depending on the orbit, for a calculable amount of time.

Either a direct or indirect kinetic attack would be an act of war and provide the necessary attribution to give the United States casus belli approved by at least a part of the international community. First, both the direct and indirect kinetic attack would be attributable to the nation that launched the attack, and observations from space-borne monitoring satellites would be accurate enough to give the United States a solid case.

Second, creating unprecedented amounts of space debris would not only be hazardous to U.S. satellites, but also to those of other major powers. If rogue nation X launches an indirect kinetic attack, it could affect Russia, Europe, China, India, Pakistan and other nations’ satellites. Depending on the dispersing of these debris objects, damage could be limited to small areas of space, but it would still be a space territory not used solely by the United States. A future adversary will have to weigh the benefit against the geopolitical risk of collateral damage to friendly nations.

If the future adversary is ready to take the risk of collateral damage, it is likely within their reach to disrupt and degrade the satellites in targeted orbits or with reachable means, preventing the U.S. utilization of space terrain by using orbit pollution as area denial.

Jan Kallberg is a research scientist at the Army Cyber Institute at West Point and an assistant professor in the department of social sciences at the United States Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the United States Military Academy or the Department of Defense.

The Death of the Cyber Generalist

I recommend reading Patrick Bell's and my article from June 2018:

“The Department of Defense (DoD) must abandon its “up-or-out” promotion model for cyber forces. It should let competent officers hold their positions longer. Applying the outdated Defense Officer Personnel Management Act’s (DOPMA) staffing model to the cyber force is foolish, and makes it difficult to keep experienced, technically-proficient cyber officers in the military. DOPMA’s prescribed career paths entail officers’ attendance at a variety of schools, with several rotations through geographical areas and work domains. In the process, domain-specific knowledge that would allow officers to lead and understand the impact of their various choices in a technically complex and ever-changing environment evaporates. In a world of increasing complexity, shortened windows of opportunity to act, and constantly-changing technical environments, the generalist leaders that the DOPMA system yields may doom the military’s cyber force to failure.”

The link to the article:

https://warroom.armywarcollege.edu/articles/death-of-cyber-generalist/

 

Retention is Key for Cyber Talent Management

 

If the armed forces seek to create a more significant force, recruitment and training of cyber support will only meet demand if retention is high. (Bill Roche/Army Cyber Command)

The United States is an engineering country where technical solutions are born, and solutions are thought up, in an innovation-friendly environment of academia and industry. There are gaps, but the United States is highly adaptive and able to face technological challenges due to its research capacity and industrial base.

The more substantial challenges are retention, maintaining an able workforce and transferring the willingness to serve to the next generation. The costs for the Department of Defense to recruit and train, or transition a mid-career officer, are high. Equally challenging is the time to replace an officer who decides to leave the armed forces. This is a simple math problem: If the armed forces seek to create a more significant force, recruitment and training will only meet demand if retention is high; otherwise, the inflow is only compensating for the outflow from the service.

With the strengthening of the American economy, combined with a radically increased demand for information security competence in the civilian workforce, retention of cyber skills and cyberwarriors will be an ongoing concern. If you train, you need to be able to retain the personnel — otherwise it is a lost investment for the organization.

According to the RAND study “Millennial Perceptions of Security,” millennials and young people are less invested in national security issues, but care about their economic security. Millennials will be the predominant workforce in the next decade, slowly replaced by the post-millennials in the late-2020s. The retention of “Generation Instagram” is likely different than earlier generations.

Should we expect “Generation Instagram” to leave their social media-upheld island in the digital world, return to the 20th century and embrace the bureaucracy and its industrial age apparatus?

A culture shift is needed. Conventional forces consistently prepare for war, while cyber forces are continuously engaged in cyberwar. Therefore, rotating cyber officers through assignments reduces readiness and increases risks. Allowing one individual to hold a position for five or more years will significantly improve operational readiness. Exempting the cyber force from mandatory positional and geographic moves will help build and maintain a more effective future force.

Also in need of change is the dated Defense Officer Personnel Management Act, which includes an embedded assumption that one partner makes a career and the other tags along with the rotations, trying to see what they can do at the post where they land. To retain these two smart individuals as a military family we have to design rotations and positions in a way that the spouses have career opportunities that match their abilities. Millennials and the younger generation want to influence their future.

Alexander Hamilton, writing in 1775, said “There is a certain enthusiasm in liberty, that makes human nature rise above itself, in acts of bravery and heroism.” A rigid bureaucracy has limited workplace appeal for millennials; to release the enthusiasm, an organization that has a higher degree of freedom is more adaptive and mission-centered as the unit commanders are empowered.

Freedom is also a prerequisite for innovation, the freedom to fail an informed and rational attempt. Millennials are likely the next decade’s cultural-change agents, not by intent but through catalyzing change, and from a cyber perspective, it might be necessary.

The rapidly changing technical landscape, the increased velocity in engagements, and the thick fog of uncertainty all create a need for future cyberwarriors to stay current within an innovative, embracing, and enabling culture. At a large scale, it can be a strategic advantage compared to our potential adversaries that lack initiative, and have fear-driven cultures and repressive outlooks.

Jan Kallberg, PhD

The Fight for Spectrum

An EC-130H Compass Call aircraft is parked at Bagram Airfield, Afghanistan Sept. 12, 2014. The aircraft is configured to execute worldwide information warfare tactics. (U.S. Air Force photo by Staff Sgt. Evelyn Chavez/Released)

Spectrum sounds to many ears like old-fashioned, Cold War jamming, crude brute electromagnetic overkill. In reality though, the military needs access to spectrum and more of it.

Smart defense systems need to communicate, navigate, identify, and target. It does not matter how cyber secure our platforms are if we are denied access to electromagnetic spectrum. Every modern high tech weapon system is a dud without access to spectrum. The loss of spectrum will evaporate the American military might.

Today, though, other voices are becoming stronger, desiring to commercialize military spectrum. Why does the military need an abundance of spectrum, these voices ask. It could be commercialized and create so much joy with annoying social media and stuff that does not matter beyond one of your lifetime minutes.

It is a relevant question. We as an entrepreneurial and “take action” society see the opportunity to utilize parts of the military spectrum to launch wireless services and free up spectrum space for all these apps and the Internet of Things that is just around the corner of the digital development of our society and civilization. In the eyes of the entrepreneurs and their backers, the military sits on unutilized spectrum that could be put to good use – and there could be a financial harvest of the military electromagnetic wasteland.

The military needs spectrum in the same way the football player needs green grass to plan and execute his run. If we limit the military's access to necessary spectrum it will, to extend the football metaphor, just be a stack of players unable to move or win. Our military will not be able to operate effectively.

The electromagnetic space is no wasteland; it is a space ready to be utilized, at computational speed, and it serves as a deterrent in the same way as the ICBM in the silo. It exists, it can be utilized, and our adversaries understand. The military needs its electromagnetic space to ensure that it can operate in a degraded environment; when our adversaries seek to limit the American might through electronic warfare, we should be able to fully operate and execute our operations to the extent of our abilities.

We invite people to talk about justice, democracy, and freedom, to improve the world, but I think it is time for us to talk to our fellow man about electromagnetic spectrum because the bulwark against oppression and totalitarian regimes depends on access.

Jan Kallberg, PhD

I originally wrote this as an opinion text for c4isrnet.com in 2015. Its relevance has increased with the shifted focus on peer and near-peer adversaries.

CV

Current Position

Army Cyber Institute at West Point
Research Fellow /Scientist

United States Military Academy (West Point)
Assistant Professor, Department of Social Sciences

Education

University of Texas at Dallas
Post Doc, Research Scientist, Cyber Security Research and Education Institute, Erik Jonsson School of Engineering and Computer Science, the University of Texas at Dallas

University of Texas at Dallas
PhD Public Affairs. Dissertation: “The Internet as a Proxy for Democratic Accountability and Transparency – A Comparative Test of Waldo’s Five problems Areas in Five Advanced Democracies”.

University of Texas at Dallas
M.A. Political Science – Public Management major, IR minor

Stockholm University – Juridicum Law School
J.D./LL.M. Thesis: “Reputational Risks on the Internet – a Pragmatic Study of International Cyberlaw”

Brief about Dr. Jan Kallberg

Dr. Kallberg’s research is focused mainly on cyber-supported strategic surprise, accelerated warfare, cyber defense, and how cyber impacts societal stability/destabilization.

Dr. Jan Kallberg is an Assistant Professor of Political Science at the Department of Social Sciences at the United States Military Academy at West Point and a Research Fellow at the Army Cyber Institute at West Point. He was earlier a researcher at Cyber Security Research and Education Institute under the guidance of Dr. Bhavani Thuraisingham, the University of Texas at Dallas, an Assistant Professor at Arkansas Tech University, and part-time faculty at George Washington University. Dr. Kallberg is certified CISSP and CISM. He also serves as the Managing Editor for the Cyber Defense Review.

When he registered cyberdefense.com as his personal domain in 1997 there were four (4) references on the Internet (Altavista) to cyber defense. Today it is a million. A small claim of being ahead of time.

Dr. Kallberg has been published in Joint Forces Quarterly, Strategic Studies Quarterly, Air and Space Power Journal, Military Review, IEEE IT-Professional, IEEE Security & Privacy, IEEE Technology & Society, and IEEE Access. Dr. Kallberg is on the editorial board for IEEE Access.
