U.S. on offense in cyberwar? - Omaha.com
Published Sunday, November 20, 2011 at 1:00 am / Updated at 1:09 pm
U.S. on offense in cyberwar?

Gen. Keith Alexander is a man who keeps secrets.

Alexander directs the National Security Agency, that oh-so-mysterious group of American military code breakers, eavesdroppers and cyber-sleuths who work out of an ominous-looking headquarters in suburban Baltimore.

Which is why it was a little surprising when Alexander showed up in Omaha last week at a military conference hosted by the Bellevue-based U.S. Strategic Command, took the stage in front of 1,500 military officers and defense contractors, and bluntly suggested that the U.S. military should have the power to attack other countries in cyberspace.

"We can't just defend," Alexander said at StratCom's Cyber and Space Symposium.

With that, he unceremoniously and publicly dumped a nearly decade-old official stance that the United States should focus solely on the defense of the country's military and corporate computer networks.

The U.S. military, he said, must be able to effectively fight back against countries — experts repeatedly point to China and Russia — that have used the Internet to heist enormous amounts of valuable information from U.S. companies and defense contractors.

The military must also have the capability, he said, to counter cyberattacks that could steal military secrets or shut down a part of the U.S. infrastructure, potential volleys in a high-tech war that the United States must be ready to fight.

To illustrate, Alexander told a story about a boxing club he joined as a teenager.

The coach would split the club into two teams. One team would block punches. The other team, the offensive team, would punch the defenders until they were bruised.

"Which team do you want to be on?" Alexander asked.

This year, for the first time, American political and military leaders are openly discussing the specter of an American cyberattack.

These leaders, including Gen. Robert Kehler, the commander of StratCom, are beginning to debate the messy issue of rules of engagement in cyberspace.

How do you determine whether someone has shot at you?

When and how do you shoot back?

They are pouring more money into the development of cyber-offense, funneling hundreds of millions of dollars to the Defense Advanced Research Projects Agency, known as DARPA, which is generally credited with helping to create the Internet.

The Obama administration all but acknowledged last month that it had contemplated a cyberattack to try to knock out Libya's air defense system, making it safer for allied warplanes to bomb Moammar Gadhafi's regime during the first day of the Libyan airstrikes.

The administration and its military advisers eventually decided against the overt cyberattack, in part because they worried about ushering in an age where hackers play a key role in all armed conflicts.

But ask the military leaders and computer experts who crowded into the CenturyLink Center Omaha last week, and many will tell you that this future is unavoidable.

Countries and rogue groups will continue to launch attacks in cyberspace, and they will do so using more advanced and potentially more damaging tactics.

"Anybody who says they know what (the future) looks like is wrong," said Dr. Herbert Lin, the chief scientist on computer science matters at the National Academies, who has published several studies on cyberattacks and cyberdefense. "But I know this: We ain't seen nothing yet."

What the United States has seen, practically since the dawn of the Internet age, is other world powers and tech thieves alike hacking into U.S. corporate and government computer systems.

The computer security company McAfee has estimated the United States loses $1 trillion annually in intellectual property and other proprietary information, taken either by foreign countries or unaffiliated hackers, Alexander said.

In the past few years, Google and two of the country's largest defense contractors — Lockheed Martin and Booz Allen Hamilton — have lost staggering amounts of data and proprietary information to hackers, Alexander said.

"These companies are the gold standard for network security," said the NSA director, who also commands the new U.S. Cyber Command, overseen by StratCom. "If they get hacked, where does that leave the rest of us?"

In fact, a recent survey indicated that nearly six of every 10 American corporations believe that their networks have been hacked into, said retired Lt. Gen. Steven Boutelle, formerly the U.S. Army's chief information officer and now a vice president at Cisco.

The ones that don't think they have been hacked, Boutelle believes, are the companies with the weakest cybersecurity — too weak to realize they have been hacked.

The most likely culprits, particularly in the cyberattacks on defense contractors, are China and Russia, Boutelle said.

"It should not surprise you when some of our adversaries have planes that look like our stealth ones," Boutelle said. "When nations steal terabytes of information . our nation suffers for 20, 30, 40 years."

Many of the speakers at the Omaha conference can envision a far worse fate than a foreign nation or terrorist group stealing U.S. information.

Russian operators used cyberattacks to knock out the banking system in Estonia during a dispute in 2007 and followed with similar aggressive moves in the Republic of Georgia, Azerbaijan and several other former Soviet republics, Alexander said.

Cyber-experts can envision scenarios where American power grids are knocked out, along with military satellites or even the American financial system, in an attack that could weaken the country's infrastructure for days or weeks.

In fact, two U.S. satellites appear to have been interfered with and likely briefly controlled by a foreign entity in 2007 and 2008, according to a congressional report released last week.

The report said the alleged cyberattacks "appear consistent with authoritative Chinese military writings," although StratCom's Kehler said Wednesday that StratCom didn't have sufficient detail to identify the attackers.

"The critical infrastructure of the nation is at risk today," Boutelle said.

Now the U.S. military is starting to fight back, or at least is starting to concede it has been fighting all along.

After all, Stuxnet, the most famous cyberattack, crippled the nuclear program of Iran — no friend of the United States — in 2010.

Stuxnet, a highly sophisticated computer worm, burrowed its way into Iran's nuclear centrifuges and made them spin out of control. Outside experts believe that nearly a fifth of the centrifuges spun themselves to pieces, a disaster that likely slowed by three to five years Iran's effort to enrich uranium and build a bomb.

The chief suspects in this attack, according to experts, were the United States and Israel.

Intelligence leaked since the attack suggests that the United States, along with the German company Siemens, tested the weaknesses of the Iranian centrifuges in Idaho in 2008. The worm itself was then tested at the Dimona complex in Israel, according to Wikileaks and other published reports.

"I'm absolutely convinced that the United States is the leading force behind Stuxnet," said Ralph Langner, the German cybersecurity researcher who first successfully analyzed the Stuxnet code, during a September speech at the Brookings Institution.

In Omaha last week, there was only silence about Stuxnet. American military officials have repeatedly declined to comment on the computer worm.

But there was much talk about the need to publicly grapple with the technological and political issues that surround any potential U.S. cyberattack.

On the first day of the conference, the Pentagon released an updated cyberwarfare policy that said the military could and would launch an offensive cyber-operation if ordered to do so by the president.

But when, based on the military's standing rules of engagement, is it permissible to cyberattack a foreign country? And when, under the doctrine of proportional response, is a cyberattack the correct move?

"StratCom, if there's a nuclear event, they know what they need to do," said Madelyn Creedon, an assistant secretary of defense. "Cybercommand is searching for that."

The conference speakers and panelists seemingly agreed that not much is yet known about how and why to use cyberattacks.

Andrew Krepinevich, a defense policy analyst and the director of the Center for Strategic and Budgetary Assessments, compared the knowledge about cyberweapons to what was known about nuclear weapons in 1948 or 1949.

They also seemed to agree on this: Building up cyberdefenses alone won't prevent foreign hackers from successfully messing with the United States in cyberspace.

Given time, a hacker always beats a well-defended computer network, Lin said.

Several suggested that the only way for the United States to deter cyberattacks was for the U.S. itself to attack.

"We really just don't know how to do good cyberdefense," Lin said in an interview after the conference. "The only thing left, really, is offense. I'd like to be wrong about that, but I don't think I am."

Contact the writer:

402-444-1064, matthew.hansen@owh.com

Contact the writer: Matthew Hansen

matthew.hansen@owh.com    |   402-444-1064    |  

Matthew Hansen is a metro columnist who writes roughly three columns a week focusing on all things Omaha.

Kelly: A California university president returns to her Nebraska roots on Ivy Day
Dems criticize governor hopeful Beau McCoy's ad in which he strikes a Barack Obama doll
Man, 21, shot in ankle while walking near 30th, U Streets
State Department moves to delay Keystone XL pipeline decision
Omahan charged in fatal shooting in Benson neighborhood
Friday's attendance dips at Millard West after bathroom threat
High school slam poets don't just recite verses, 'they leave their hearts beating on the stage'
Crack ring's leaders join others in prison as a result of Operation Purple Haze
High court denies death row appeal of cult leader convicted of murder
Haze in area comes from Kansas, Oklahoma
Man taken into custody in domestic dispute
Omaha judge reprimanded for intervening in peer attorney's DUI case
Intoxicated man with pellet gun climbs billboard's scaffold; is arrested
Police seek public's help in finding an armed man
Saturday forecast opens window for gardening; Easter egg hunts look iffy on Sunday
Database: How much did Medicare pay your doctor?
Last day of 2014 Legislature: Praise, passage of a last few bills and more on mountain lions
New public employee pay data: Douglas, Lancaster, Sarpy Counties, plus utilities
A voice of experience: Ex-gang member helps lead fight against Omaha violence
Church is pressing its case for old Temple Israel site
OPPD board holding public forum, open house May 7
The thrill of the skill: Omaha hosts statewide contest for students of the trades
A recap of what got done — and what didn't — in the 2014 legislative session
When judge asks, Nikko Jenkins says ‘I killed them’
Nancy's Almanac, April 17, 2014: Trees save money
< >
Kelly: A California university president returns to her Nebraska roots on Ivy Day
The main speaker at today's Ivy Day celebration at the University of Nebraska-Lincoln is a college president who grew up roping calves and earned her Ph.D. at the prestigious Oxford University in England.
Breaking Brad: Stuck in a claw machine? You get no Easter candy
I know of one kid in Lincoln who will be receiving a lump of coal from the Easter Bunny, just as soon as he's extricated from that bowling alley claw machine.
Breaking Brad: Mountain lion season's over, but the bunny's fair game!
Thursday was the last day of a Nebraska Legislature session. Before leaving town, legislators passed a bill to hold a lottery to hunt the Easter Bunny.
Breaking Brad: At least my kid never got stuck inside a claw machine
We need a new rule in Lincoln. If your kid is discovered inside the claw machine at a bowling alley, you are forever barred from being nominated for "Mother of the Year."
Breaking Brad: How many MECA board members can we put in a luxury suite?
As a stunt at the Blue Man Group show, MECA board members are going to see how many people they can stuff into one luxury suite.
Deadline Deal thumbnail
The Jaipur in Rockbrook Village
Half Off Fine Indian Cuisine & Drinks! $15 for Dinner, or $7 for Lunch
Buy Now
< >
Omaha World-Herald Contests
Enter for a chance to win great prizes.
OWH Store: Buy photos, books and articles
Buy photos, books and articles
Travel Snaps Photo
Going on Vacation? Take the Omaha World-Herald with you and you could the next Travel Snaps winner.
Click here to donate to Goodfellows
The 2011 Goodfellows fund drive provided holiday meals to nearly 5,000 families and their children, and raised more than $500,000 to help families in crisis year round.
Want to get World-Herald stories sent directly to your home or work computer? Sign up for Omaha.com's News Alerts and you will receive e-mails with the day's top stories.
Can't find what you need? Click here for site map »