Paul's Blog


Cyber warfare: the new front line 14.02.12


Filed under: Uncategorized

13 US Senate Cyber Operations Topics Cyber Leaders Should Consider


“Warfare is the greatest affair of the state, the basis of life and death, the way of survival or extinction. It must be thoroughly pondered and analyzed.” –Sun Tzu

This article focuses on the requirements of Section 934 of the Ike Skelton National Defense Authorization Act (NDAA). This bill became law and was signed by President Obama.

These are my personal views, reflections, and comments regarding the questions posed by Congress and the answers given by the DoD. These topics can deeply affect politics, economic growth, and military operations which can equally affect both the private and public sectors. The topics covered in this article are complex in nature and under no circumstance am I attempting to answer these questions. The ultimate goal of my observations and comments are geared towards creating more dialogue and motivating our cyber leaders to ponder about such issues. Let’s not forget the words of Richard Clarke: “If there is a major devastating cyberspace attack in the future, the Congress will slam regulation on the industry faster than anyone can imagine.”

The questions and issues that follow come from the Senate report 111-201, Sec. 934 – Report on the cyber warfare policy of the Department of Defense.


1. “The development of a declaratory deterrence posture for cyberspace, including the relationship between military operations in cyberspace and kinetic operations. The Committee believes that this deterrence posture needs to consider the current vulnerability of the U.S. economy and government institutions to attack, the relatively lower vulnerability of potential adversaries, and the advantage currently enjoyed by the offense in cyberwarfare.

It is interesting to notice the need for the development of deterrence in cyberspace. The US needs to consider the vulnerability posture of our economy and our government networks, also the understanding of how vulnerable our adversaries are in cyberspace in order to truly take advantage of offensive operations without suffering major losses to our own systems. From a technical perspective, can these activities really be accomplished by passive means only?

Deterrence: “denying objectives and imposing costs for aggression.” One may ask the following question: How do we as a nation impose costs on the adversary? By which means? Should we consider the current CNE (Computer Network Exploitation) activities originating from China an act of aggression against American national security? And if so, how do we deny the aggressors in China from achieving their objectives?

The US is working with “like-minded nations” to “establish an environment of expectations or norms of behavior.” What is deemed responsible behavior to Americans may not have the same meaning to other nations. A cultural shift needs to take place, and sometimes that is near impossible. The current US approach to enforce deterrence in cyberspace does not seem to have the impact necessary to truly deny the objectives of our adversaries in cyberspace. I believe that a strong CND (Computer Network Defense) approach may minimize the blow, but ultimately the need for a possible kinetic military response may be the answer to the current slow bleeding of America on the internet. A serious question to be posed to modern military commanders would be what are our true cyber military capabilities in the defensive and offensive domains? Cyber responses to aggression seem to be the choice for future military operations; how ready are we? How can the private sector be more involved in supporting military mission sets in the cyber domain?

2. “The necessity of preserving the President’s freedom of action in crises and confrontations involving nations which may pose a manageable conventional threat to the United States but which in theory could pose a serious threat to the U.S. economy, government, or military through cyber attacks.

The document focuses on the understanding of the cyber capabilities of adversaries as a means “of preserving the President’s freedom of action in crises and confrontations.” This understanding would come from forensic analysis, foreign intelligence collection (I would like to comment on our current lack of cyber intel analysis capabilities), and the obvious, cyber international law consensus. The DoD relies on two very strong entities, CYBERCOM and the NSA, to currently accomplish this mission. One must have in mind that the President’s freedom of action is closely tied to private networks and a clear collaborative strategy between private and public sectors with focus on this distinct objective must be developed and ultimately tested. It is interesting to notice that the document reads “the President reserves the right to respond using all necessary means to defend our Nation, our Allies, our partners, and our interests from hostile acts in cyberspace. Hostile acts may include significant cyber attacks directed against the U.S. economy, government or military. As directed by the President, response options may include using cyber and/or kinetic capabilities provided by DoD.” It is obvious that .mil, .gov, and .com domains can be equally defended by the DoD if cyber attacks against such networks end up crippling “the president’s freedom of action.”

3. “How deterrence or effective retaliation can be achieved in light of attribution limitations.

The golden question! The document covers some very interesting efforts taken by the DoD to work on this issue. The DoD is seeking to increase attribution by supporting R&D not only in the federal realm, but also in the private sector. In fact there is a great market and an incredible need out there for technologies that could increase levels of attribution.

Another interesting effort by the DoD is to increase the number of cyber forensics experts in this field. Such effort increases the need for trained cyber forensics professionals thus creating great opportunities for educational institutions in the private sector selling forensics training and education. CSFI is a partner with Utica College, which offers a very comprehensive Master’s degree that I highly recommend in the cyber forensics field.

Visibility and shared situational awareness is the core of cyber operations. Attribution is not only dependent on technical attribution but also social attribution, and there are few organizations out there really cracking this nut. Trusted Cyber Solutions led by Mr. Riley Repko is one of the few companies I know really tackling this problem head-on.

4. “To the extent that deterrence depends upon demonstrated capabilities or at least declarations about capabilities and retaliatory plans, how and when the Department intends to declassify information about U.S. cyber capabilities and plans or to demonstrate capabilities.

This is certainly a sensitive area, and according to the document, the DoD could be deployed to show full spectrum cyber capabilities. However, today such capability is unknown to most, and the actual effects and collateral damage are not fully comprehended. The demonstration of cyber capabilities can improve deterrence but also create a stronger cyber arms race around the world. There are certain efforts taking place in the US Congress to facilitate the relationship between the classified domain and the private domain for the benefit and security of all. Congressman Ruppersberger is a big proponent of such a relationship. Congressman Ruppersberger was named Ranking Member of the Intelligence Committee in 2011. The Ranking Member is the senior-most member from the minority party and places Congressman Ruppersberger on the elite “Gang of Eight,” which refers to the four top members of the House and Senate Intelligence Committees, along with the Senate Majority Leader, Senate Minority Leader, House Speaker and House Minority Leader. By law, the President must keep the Gang of Eight informed on our country’s most secret intelligence activities to maintain proper oversight. According to Congressman Ruppersberger, “cyber” is a top threat to national security.

5. “How to maintain control of or manage escalation in cyberwarfare, through, for example, such measures as refraining from attacking certain targets (such as command and control and critical infrastructure).

The DoD does a great job of explaining in the document how our military would be able to control escalation of cyberwarfare by facilitating transparency among key international actors (to include adversaries) “with regard to their command and control, doctrine, and deployment of cyber capabilities.” It is interesting to note that many nations already have clear cyber doctrines and cyber capabilities mapped out by various organizations. One good example of such study is the CyberHub, conducted by Booz Allen Hamilton: The Economist Intelligence Unit, sponsored by Booz Allen Hamilton, set out to understand the significance of cyber power today. Their research was built on several integral parts: an interactive index that assesses specific aspects of the cyber environment of the G20 countries and a series of research papers that examine the implications for the business community.

6. “The rules of engagement for commanders at various command echelons for responding to threats to operational missions and in normal peacetime operating environments, including for situations in which the immediate sources of an attack are computers based in the United States.

The report states that the “DoD has implemented rules of engagement for the operation and defense of its networks.” To many people, such rules of engagement in cyberspace are not fully understood. The DoD clarified in the document that rules of engagement in cyberspace would take into consideration three elements: “the implications of cyber threats; the operational demands of DoD’s continuous, worldwide operations; and the need to minimize disruption from collateral effects on networked infrastructure.” It is worth noting that rules of engagement must follow an acceptable legal framework which would justify what is appropriate and acceptable and what evidence is required to support an action decision.

7. “How the administration will evaluate the risks and consequences attendant to penetrations of foreign networks for intelligence gathering in situations where the discovery of the penetration could cause the targeted nation to interpret the penetration as a serious hostile act.

“The United States Government collects foreign intelligence via cyberspace, and does so in compliance with all applicable laws, policies, and procedures.” The document openly explains the bi-directional nature of espionage and the acknowledgment that state actors may interpret CNE (Computer Network Exploitation) as a hostile action. CNE and CNA (Computer Network Attack) are closely related and inter-dependent when engaging in cyber intelligence collection. The actual detailed DoD answers and comments to this critical question are classified as stated by the report.

8. “How DoD shall keep Congress fully informed of significant cyberspace accesses acquired for any purpose that could serve as preparation of the environment for military action.

“DoD will provide quarterly cyber briefings to appropriate Members of Congress and their congressional staff in fulfillment of notification requirements.” Intelligence Preparation of the Operational Environment also known as IPOE can be fully implemented in cyberspace; however, such activity requires a very dynamic strategy because cyberspace as a man-made-domain continually morphs.

9. “The potential benefit of engaging allies in common approaches to cyberspace deterrence, mutual and collective defense, and working to establish norms of acceptable behavior in cyberspace.

The text stresses the importance of relationships and closer communication with allies and like-minded nations to achieve collective defense. It is understood by many that no one nation can win a battle alone. Strong relationships and transparent talks are the key elements for success in protecting American national security in cyberspace. In my opinion, the DoD is the department with the most understanding of such dynamics with a record to prove it. Without the proper support of the US State Department, the DoD will eventually fail in its efforts to cross this bridge; therefore, it is of upmost importance that the current administration gives the DoD the necessary foreign policy support in the domain of cyber. The private sector has successfully penetrated various technological markets and created strong commercial relationships; perhaps such relationships could be leveraged by the DoD in the fulfillment of its mission.

10. “The issue of third-party sovereignty to determine what to do when the U.S. military is attacked, or U.S. military operations and forces are at risk in some other respect, by actions taking place on or through computers or other infrastructure located in a neutral third country.

“The nature of the DoD response to a hostile act or threat is based upon a multitude of factors, but always adheres to the principles of the law of armed conflict. These responses include taking actions short of the use of force as understood in international law.”

It comes down to awareness and accountability of the neutral country from whence the attacks are originating. The DoD responds in a simplistic way, covering the basics of “awareness.” Situations to consider: Role of the country in the attack (hosting the offending servers)? Helping the adversary with cyber capabilities? Not being cooperative, etc? The malicious nature of the attack (to include the intent behind the sophistication of the attack), willingness of the neutral country to positively respond to incidents, etc…In my view, all these elements will ultimately influence the DoD in taking action against a sovereign nation used as a launching pad for cyber-attacks against America.

11. “The issue of the legality of transporting cyber ‘weapons’ across the Internet through the infrastructure owned and/or located in neutral third countries without obtaining the equivalent of ‘overflight rights’.

“The form of any war… depends upon the technical means of war available.” –Douhet, The Command of the Air, 6.

The document states that “there is currently no international consensus regarding the definition of a ‘cyber weapon’.” While this is true, I like to think of cyber weapons as sophisticated code created with the intent of denying, disrupting, destroying, and/or degrading data and computer systems in cyber operations for political, economic, or military gain. The key word here is “intent” where the participation of a state actor in the creation of such code would validate and seal its definition as a cyber weapon.

“A cyber arms race is well underway! This arms race differs greatly from all others in history and traditional arms control doctrine and techniques will not effective against this class of weaponry.” –Kevin Coleman, former Chief Strategist at Netscape and Senior Fellow with the Technolytics Institute

Cyber weapons are here to stay. This is a new era where private companies are being/will be contracted to develop cyber weapons at a fraction of the cost of missiles with greater damage to society and the militaries of the world. With current DoD budget cuts, this option becomes a viable and desirable one. How to control its proliferation? That’s another chapter!

12. “The definition or the parameters of what would constitute an act of war in cyberspace and how the laws of war should be applied to military operations in cyberspace.

“Cyber war is like Carl Sandburg’s fog. It comes in on little cat feet, and it’s hardly noticed. That’s its greatest potential.” –John Arquilla, associate professor of defense analysis at the Naval Postgraduate School

From the report: “Without question, some activities conducted in cyberspace could constitute a use of force, and may as well invoke a state’s inherent right to lawful self-defense.” Unfortunately, the media has a tendency to abuse the word cyber “war” in cases where the word cyber “conflict” should be used instead. Not all acts of aggression in cyber space are cyber war; in fact, many experts believe we have not had a real case of a cyber war yet, whereas many others believe that Estonia and Georgia have already experienced such a reality. This serious and sober discussion continues on across governments worldwide and clear internationally acceptable frameworks that can break this down have not been developed yet.

It is my belief that the laws of war should not have to be reinvented as it applies to cyber. Cyber is only another tool used to accomplish a military mission.

13. “What constitutes use of force in cyberspace for the purpose of complying with the War Powers Act (Public Law 93-148).

The document states that “cyber operations might not include the introduction of armed forces personnel into the area of hostilities. Cyber operations may, however, be a component of larger operations that could trigger notification and reporting in accordance with the War Powers Resolution. The Department will continue to assess each of its actions in cyberspace to determine when the requirements of the War Powers Resolution may apply to those actions.”

The DoD makes the clear point of a case by case approach, which in my opinion, makes complete sense.

In conclusion, I would to voice my concern regarding the slow process being taken regarding the clarification of such issues. Congress has valid questions, which are a representation of the will of the people along with our public and private sectors. The DoD has a tremendous job to do in cyberspace and not enough support or budget to fully accomplish its mission. Collaboration, service, and knowledge-sharing are the answer.


Paul de Souza is the Founder/President/Director of CSFI (Cyber Security Forum Initiative) and its divisions CSFI-CWD (Cyber Warfare Division) and CSFI-LPD (Law and Policy Division). CSFI is a non-profit organization with headquarters in Omaha, NE, with offices in Washington, D.C. Paul has over 13 years of cyber security experience and has worked as a Chief Security Engineer for AT&T, where he designed and approved secure networks for MSS. Mr. de Souza also worked for CSC and US Robotics as a Security Engineer. Paul has consulted for several governments, military organizations, and private institutions on best network security practices and also presented in Estonia, the country of Georgia, Australia, Czech Republic and all across the United States.

Filed under: Uncategorized

CSFI Blog Calendar

February 2012

Enter your email address to follow this blog and receive notifications of new posts by email.

CSFI Twitter

Career Thoughts

I am humbled and honored to have the opportunity to manage and run one of the biggest and most active forums on the Internet dealing with cyber warfare and cyber security – CSFI (The Cyber Security Forum Initiative). With over 16 years of cyber security experience, I continue to actively raise Cyber Warfare/Cyber Security awareness worldwide. I have worked as a Chief Security Engineer for AT&T, where I designed and approved secure networks for MSS. I have also consulted for several governments, military and private institutions on best network security practices throughout my career.

CSFI and its divisions CSFI-CWD (Cyber Warfare Division), CSFI-LPD (Law and Policy Division) and CSFI-WD (Wireless Division) continue to grow and expand with more than 60,000 information security members.

One of my personal goals is to serve our security community to the best of my abilities, in the protection and defense of our American national security interests, the American people, and that of our international partners. I am always ready to serve and to give of my time and skills to help our society with the growing problems we experience in cyberspace. I thank God and my family for the opportunities I have had in life and the most precious of all opportunities, which is the chance to serve others. I love what I do, and I appreciate all the support I have received from friends, family and our CSFI members.


Paul de Souza, CSFI Founder Director