The head of U.S. Cyber-Command said his organization is struggling to define and balance defense and especially offense, in cyber-warfare becomes increasingly complex.
Air Force General Robert Kehler, head of U.S. Cyber and Strategic Commands, Tuesday addressed reporters at a press conference in Washington, D.C.
He said the government continues to discuss the military’s role in cyberspace, adding, “I do believe that without question, there needs to be a full conversation about doctrine and there needs to be a full conversation about rules of engagement.”
Specifically, Kehler raised questions about the military’s offensive tactics in the digital realm.
“I think we are looking at what an offensive component would be: What does that look like? What kind of options would we want to be able to offer?” he asked. “I think that we have always said that there needs to be an offense and defense mix.”
Kehler’s remarks illuminate the government’s difficulty in determining how best to protect its networks both defensively and offensively from online attacks, especially as data breaches ramp up against official targets and cyber-warfare becomes another option in international conflict.
Defense is relatively straightforward, if challenging, given the long list of hacking attacks against the U.S. government.
Major operations like Shady RAT, which collected U.S. and other countries’ data for five years, and attacks on the International Monetary Fund and even the Pentagon itself, are prompting U.S. officials to strengthen their firewalls against intruders.
The Defense Department also drew up a five-pillared list of initiatives against cyber-criminals, authorizing it to protect critical infrastructure and partner with countries like Australia to fight online combatants.
The Pentagon’s initiative also allows for offensive measures, but the lines here are not as clear. Cyberspace is a newly militarized realm, and presents unique difficulties for those aiming to actively seek out and destroy potential threats.
The Defense Department is technically allowed to use missiles and other physical means of retaliation against government-backed hackers, but guidelines remain ambiguous and such offensives are permissible only in extreme circumstances.
Likely because of this lack of clarity, the Obama administration this spring reportedly declined to launch an online attack against Libya and Pakistan’s infrastructure. Crippling the latter may have helped troops corner Osama bin Laden more easily, but it would also have set a precedent for other countries to similarly attack the U.S. in this way.
The Pentagon’s Defense Advanced Research Projects Agency may have hit a balance between offensive and defensive tactics in the social media sphere, at least. It is spending $42 million to encourage contractors to use Facebook and Twitter in discovering and even undermining attacks before they happen.
Kehler’s comments shed light on the government’s predicament, calling for more discussion to bridge the gulf between online offense and defense.
“Is active defense really offense in cyberspace?” Kehler asked. “I would argue that it really is not. It does not have to be, for sure. But those are the issues that we are trying to work our way through.”