3 June 2010
U.S. Seeks To Define Rules On Cyberwar
by Tom Gjelten
"We don't have precision in those rules of engagement," Alexander said Thursday, in his first public comments since his confirmation last month.
War in cyberspace would be like nothing that has come before it, and it would raise difficult legal issues. What does "territory" mean, for example? What is ethical?
Speaking at the Center for Strategic and International Studies in Washington, Alexander cited the example of a country launching a cyberattack against the U.S. or another nation from computers based in a third country.
"It's not unlike warfare where you have armed conflict in one state, and somebody attacks [into that state] from a neutral state," Alexander said. "There are laws of land warfare that deal with that. We now have to look at that in the light of cyberspace."
The U.S. years ago made clear that it might strike pre-emptively against a terrorist group or enemy state if it's necessary to stop an attack against the United States. But could Alexander order a pre-emptive cyberattack to stop someone from penetrating U.S. computer networks?
"He needs clear guidance from the president, secretary of state, director of national intelligence, attorney general and so on, as to how cyber assets may be employed in an offensive setting, in the event the United States finds itself in a conflict," said former CIA general counsel Jeffrey Smith. "What may he, as the commander of Cyber Command, do?"
Among the unanswered questions is who would give permission to launch a cyberattack or authorize a counterattack. Alexander acknowledged that there may be a need to "streamline" such decision-making, particularly if it is not possible to pinpoint the origin of the attack.
"What we need to establish are clear rules of engagement that say what we can stop," Alexander said. "We have to look at it in both peacetime and wartime."
The design of cyberwar-fighting rules is complicated by the extent to which computer networks are globally interconnected.
"If [Alexander] believes we are under attack from computers based in a foreign country, can he counterattack those computers to zap them?" Smith asked. "If so, how confident must he be that it is only those computers that will be zapped and that nobody else's records will be harmed around the rest of the world?"
Alexander simultaneously serves as director of the National Security Agency, with which U.S Cyber Command will work in conjunction. One important issue is whether Cyber Command will get the authority to identify computer users who may have malicious intent. Privacy advocates have already raised concerns about the Cyber Command mission.
In response to questions, Alexander said good oversight will be key.
"[As NSA director], I do spend a lot of time with the [Foreign Intelligence Surveillance] Court and with the Congress," he said, "explaining exactly what we're doing, where we have issues, where there needs to be change, what we can and cannot do."
The oversight challenge is complicated, Alexander said, by the fact that so much of what NSA and the Cyber Command do is, by necessity, secret.
"I think the real key to the issue [is] how do we build the [public]
confidence that we're doing it right? Alexander said. "That's going to be
the hard part."