“The legal and policy entanglement in cyber is far, far more difficult than it is in some of the other domains” of warfare, William J. Lynn III, a former deputy defense secretary, said at a global security conference this year.
The SROE discussion is part of a larger interagency policy debate over the role of government in fighting attacks on the nation’s privately owned critical computer systems.
Ideally, current and former officials say, the Pentagon would like Cyber Command to be able to undertake a range of activities, from blocking or redirecting viruses to disabling a computer server in another country to prevent destructive malware from being launched.
But something as aggressive as shutting down a server in another country is probably going to require presidential permission, Gen. Keith Alexander, the head of Cyber Command, has said.
Indeed, “going after something outside the network in defense of the nation, which may still be characterized as offensive, is definitely the hardest policy part,” a senior U.S. official said.
Even actions on networks in the United States would involve an integrated cyber operations center with personnel from all relevant agencies: the National Security Agency, Cyber Command, the Department of Homeland Security and the FBI. When a cyber threat is detected, whichever agency has the lead by law — FBI for criminal and counterintelligence cases, Cyber Command for foreign adversary and terrorist attacks — would take over, officials said.
DHS has the lead for working with critical industries. NSA and Cyber Command are able to lend their expertise to DHS and other agencies, officials said.
“We’re very careful about roles and responsibilities between Justice, DHS and DOD,” the U.S. official said. “Those are being carefully reviewed. But in every domain, ultimately DOD has the responsibility to defend the nation.”
A variety of blocking techniques can be used that are not destructive to networks, officials said. They include diverting malware into a “sinkhole,” effectively a cyber black hole, which is something Internet service providers do now to protect their own networks.
Alexander, who is also director of the NSA, has pushed publicly for new rules on rules of engagement. Officials “need standing rules of engagement and execute orders that allow the government to do defense that is reasonable and proportionate,” he said at a recent conference in Aspen.
Earlier efforts to establish the ability for the military to defend private critical networks failed in the face of opposition from the Justice Department, which did not want to set a legal precedent for military action in domestic networks, and the State Department, which feared the military might accidentally disrupt a server in a friendly country, undermining future cooperation.
Alexander said an enhanced ability for the Pentagon to take action to defend the nation rests in part on expanded cyberthreat data-sharing.
He said that in debating the rules, policymakers are “trying to do the job right.” But what concerns him is the discussion over whether “you can use this tool, but not that one, without understanding what that really means.”