Senior Pentagon officials are working to determine how the centuries-old Law of Armed Conflict applies to potential conduct of operations in the newest military domain of the Internet, the deputy assistant secretary for cyber policy said yesterday.
“We’re trying to think about cyber operations as a new form of policy tool that gives the president or the secretary of defense new options,” Eric Rosenbach told American Forces Press Service.
“We’re not actively looking to mount operations in cyberspace just to do it,” he added. “We want to do it only when appropriate and when there’s a good reason to do it and when we can do it in a way that allows us to [avoid using] kinetic tools.”
Defense experts are helping update the rules of engagement for cyberspace, Rosenbach said, a job made tougher by a lack of agreement on definitions for even the most basic Internet-related language.
“It is a challenge to have different organizations and different individuals understand [the term] ‘cyber’ in the same way,” the deputy assistant secretary said.
“Even within the Department of Defense and around the world, it’s not clear to a lot of people what [cyber] means,” he said. “From there it only gets more complicated.”
At the Pentagon, where no clear definition has yet been determined, Rosenbach said, cyber tends to mean anything that involves a network.
“If it’s on a network or connected to a network, there’s some cyber aspect to it. It doesn’t necessarily have to be connected to the Internet,” he said.
In the policy world, he added, the most complex aspect of defining terms arises with words used to describe offensive and defensive cyber operations.
Until last November, Rosenbach said, defense officials didn’t publicly discuss offensive cyber operations — a sensitive topic in an organization that declines to speak openly about ongoing military operations.
The Senate Armed Services Committee last year asked department officials to answer 13 questions about its cyber policy, as part of the National Defense Authorization Act. “One of the things that was clarified is that we do have the capability to conduct offensive cyber operations” if ordered to do so by the president of the United States, Rosenbach said.
“The dynamic and sensitive nature of cyberspace operations makes it difficult to declassify specific capabilities,” DOD officials wrote.
“However,” they added, “the department has the capability to conduct offensive operations in cyberspace to defend our nation, allies and interests.”
Thinking through the Law of Armed Conflict and what an armed attack and [other terms] mean is important to the DOD effort to update the rules of engagement, Rosenbach said.
The same cyber-language barrier also impedes international collaborations and agreements that potentially could help fight back against the steady rush of cyber intrusions that target organizations, firms and nations.
“We definitely spend a lot of time thinking about international engagements and international agreements,” he said.
At DOD, the work begins with the closest allies and partners, including the United Kingdom, Australia, Canada and New Zealand.
“But I’ve also had very interesting and productive engagements with the French and the Germans, and it’s not limited to European, western-type powers or even NATO,” the deputy assistant secretary said.
“A couple of times … in an unofficial capacity we have spoken with the Chinese, both in Beijing and in Washington, and really tried to engage,” he added.
“One of the things we would like to do more is engage with the Chinese,” Rosenbach said, “… so we don’t risk an accidental escalation of tension in cyberspace, [where] there is a lot of room for misunderstanding.”
In the meantime, as the fight against crime and espionage on the Internet intensifies, Rosenbach said catastrophic cyber attacks are not the only serious threat.
“It’s the kind of day-to-day onslaught, the death by 1,000 cuts, that we do see every day, and that’s mostly in the economic environment, that really hurts the United States,” he said.
“It’s like a slow bleed of the country — $10 million stolen from a firm here by organized crime, important intellectual property stolen from another major U.S. firm there,” he said.
“Every day,” he added, “it’s the relentless theft or noise that makes it more difficult for the economy to grow and flourish that eventually bleeds the country and makes us less competitive in the world.”
Against this threat, the Defense Department works with like-minded nations around the world and here at home with companies that form the critical defense industrial base, he said.
Overall, Rosenbach said, the DOD is doing very well defending DOD networks and is sensitive about protecting people’s Fourth Amendment rights — against unreasonable searches and seizures — and respecting privacy.
“Because it’s a new domain and people in the department and senior military officers tend to use a military-type language when talking about [the cyber domain], it often looks like we’re more aggressive in cyberspace than we, in fact, are,” Rosenbach said.
“… We don’t want to establish unhelpful norms [and] we don’t want to use force in cyberspace unless we absolutely have to,” he added. “So we’re working to protect the nation but in a way that’s not overly aggressive and [doesn’t do] anything that Americans wouldn’t be proud of.”