Authors: Fred Kaplan
He didn't receive a reply until the last day of 2008, almost two years later. The counsel wrote that, yes, a cyber attack
might
rise to the level that called for a military responseâit
could
be deemed an act of armed aggression, under certain circumstancesâbut what those circumstances were, where the line should be drawn, even the criteria for drawing that line, were matters for policymakers, not lawyers, to address. Gates took the reply as an evasion, not an answer.
One obstacle to a clearer answerâto clearer thinking, generallyâwas that everything about cyber war lay encrusted in secrecy: its roots were planted, and its fruits were ripening, in an agency whose very existence had once been highly classified and whose operations were still as tightly held as any in government.
This culture of total secrecy had a certain logic back when SIGINT was strictly an intelligence tool: the big secret was that the NSA had broken some adversary's code; if that was revealed, the adversary would simply change the code; the agency would have to
start all over, and until it broke the new code, national security could be damaged; in wartime, a battle might be lost.
But now that the NSA director was also a four-star commander, and now that SIGINT had been harnessed into a weapon of destruction, something like a remote-control bomb, questions were raised and debates were warranted, for reasons having to do not only with morality but with the new weapon's strategic usefulnessâits precise effects, side effects, and consequences.
General Michael Hayden, the former NSA director, had moved over to Langley, as director of the CIA, when President Bush gave the go-ahead on Olympic Games. (He was removed from that post when Obama came to the White House, so he had no role in the actual operation.) Two years after Stuxnet came crashing to a halt, when details about it were leaked to the mainstream press, Haydenâby now retired from the militaryâvoiced in public the same concerns that he and others had debated in the White House Situation Room.
“Previous cyber-attacks had effects limited to other computers,” Hayden told a reporter. “This is the first attack of a major nature in which a cyber-attack was used to effect physical destruction. And no matter what you think of the effectsâand I think destroying a cascade of Iranian centrifuges is an unalloyed goodâyou can't help but describe it as an attack on critical infrastructure.”
He went on: “Somebody has crossed the Rubicon. We've got a legion on the other side of the river now.” Something had shifted in the nature and calculation of warfare, just as it had after the United States dropped atom bombs on Hiroshima and Nagasaki at the end of World War II. “I don't want to pretend it's the same effect,” Hayden said, “but in one sense at least, it's August 1945.”
For the first two decades after Hiroshima, the United States enjoyed vast numerical superiorityâfor some of that time, a monopolyâin nuclear weapons. But on the cusp of a new era in cyber
war, it was a known fact that many other nations had cyber war units, and America was far more vulnerable in this kind of war than any likely adversary, than any other country on the planet, because it relied far more heavily on vulnerable computer networksâin its weapons systems, its financial systems, its vital critical infrastructures.
If America, or U.S. Cyber Command, wanted to wage cyber war, it would do so from inside a glass house.
There was another difference between the two kinds of new weapons, besides the scale of damage they could inflict: nuclear weapons were out there, in public; certain aspects of their production or the exact size of their stockpile were classified, but everyone knew who had them, everyone had seen the photos and the film clips, showing what they could do, if they were used; and if they were used, everyone would know who had launched them.
Cyber weaponsâtheir existence, their use, and the policies surrounding themâwere still secret. It
seemed
that the United States and Israel sabotaged the Natanz reactor, that Iran wiped out Saudi Aramco's hard drives, and that North Korea unleashed the denial-of-service attacks on U.S. websites and South Korean banks. But no one took credit for the assaults; and while the forensic analysts who traced the attacks were confident in their assessments, they didn'tâthey couldn'tâboast the same slam-dunk certainty as a physicist tracking the arc of a ballistic missile's trajectory.
This extreme secrecy extended not only to the mass public but also inside the government, even among most officials with high-level security clearances. Back in May 2007, shortly after he briefed George W. Bush on the plan to launch cyber attacks against Iraqi insurgents, Mike McConnell, then the director of national intelligence, hammered out an accord with senior officials in the Pentagon, the NSA, the CIA, and the attorney general's office, titled
“Trilateral Memorandum of Agreement Among the Department of
Defense, the Department of Justice, and the Intelligence Community Regarding Computer Network Attack and Computer Network Exploitation Activities.” But, apart from the requirement that cyber offensive operations needed presidential approval, there were no formal procedures or protocols for top policy advisers and policymakers to assess the aims, risks, benefits, or consequences of such attacks.
To fill that vast blank, President Obama ordered the drafting of a new presidential policy directive, PPD-20, titled “U.S. Cyber Operations Policy,” which he signed in October 2012, a few months after the first big press leaks about Stuxnet.
Eighteen pages long, it was the most explicit, detailed directive of its kind. In one sense, its approach was more cautious than its predecessors. It noted, for instance, in an implied (but unstated) reference to Stuxnet's unraveling, that the effects of a cyber attack can spread to “locations other than the intended target, with potential unintended or collateral consequences that may affect U.S. national interests.” And it established an interagency Cyber Operations Policy Working Group to ensure that such side effects, along with other broad policy issues, were weighed before an attack was launched.
But the main intent and impact of PPD-20 was to institutionalize cyber attacks as an integral tool of American diplomacy and war. It stated that the relevant departments and agencies “shall identify potential targets of national importance” against which cyber attacks “can offer a favorable balance of effectiveness and risk as compared to other instruments of national power.” Specifically, the secretary of defense, director of national intelligence, and director of the CIAâin coordination with the attorney general, secretary of state, secretary of homeland security, and relevant heads of the intelligence communityâ“shall prepare, for approval by the President . . . a plan that identifies potential systems, processes, and infrastructure against which the United States should establish and maintain [cyber offensive] capabilities; proposes circumstances under which [they] might
be used; and proposes necessary resourcing and steps that would be needed for implementation, review, and updates as U.S. national security needs change.”
Cyber options were to be systematically analyzed, preplanned, and woven into broader war plans, in much the same way that nuclear options had been during the Cold War.
Also, as with nuclear options, the directive required “specific Presidential approval” for any cyber operation deemed “reasonably likely to result in âsignificant consequences'â”âthose last two words defined to include “loss of life, significant responsive actions against the United States, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact to the United States”âthough an exception was made, allowing a relevant agency or department head to launch an attack without presidential approval in case of an emergency.
However, unlike nuclear options, the plans for cyber operations were not intended to lie dormant until the
ultimate
conflict; they were meant to be executed, and fairly frequently. The agency and department heads conducting these attacks, the directive said, “shall report annually on the use and effectiveness of operations of the previous year to the President, through the National Security Adviser.”
No time was wasted in getting these plans up and ready.
An action report on the directive noted that the secretary of defense, director of national intelligence, and CIA director briefed an NSC Deputies meeting on the scope of their plans in April 2013, six months after PPD-20 was signed.
PPD-20 was classified TOP SECRET/NOFORN, meaning it could not be shared with foreign officials; the document's very existence was highly classified. But it was addressed to the heads of all the relevant agencies and departments, and to the vice president and top White House aides. In other words, the subject was getting discussed, not only in these elite circles, but alsoâwith Stuxnet out in
the openâamong the public. Gingerly, officials began to acknowledge, in broad general terms, the existence and concept of cyber offensive operations.
General James Cartwright, who'd recently retired as vice chairman of the Joint Chiefs of Staff and who, before then, had been head of U.S. Strategic Command, which had nominal control over cyber operations, told a reporter covering Stuxnet that the extreme secrecy surrounding the topic had hurt American interests.
“You can't have something that's a secret be a deterrent,” he said, “because if you don't know it's there, it doesn't scare you.”
Some officers dismissed Cartwright's logic: the Russians and Chinese knew what we had, just as much as we knew what they had. Still, others agreed that it might be time to open up a little bit.
In October, the same month that PPD-20 was signed, the NSA declassified a fifteen-year-old issue of
Cryptolog
, the agency's in-house journal, dealing with the history of information warfare. The special issue had been published in the spring of 1997, its contents stamped TOP SECRET UMBRA, denoting the most sensitive level of material dealing with communications intelligence. One of the articles, written by William Black, the agency's top official for information warfare at the time, noted that the secretary of defense had delegated to the NSA
“the authority to develop Computer Network Attack (CNA) techniques.” In a footnote, Black cited a Defense Department directive from the year before, defining CNA as “operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”
This was remarkably similar to the way Obama's PPD-20 defined “cyber effect”âas the “manipulation, disruption, denial, degradation, or destruction of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident therein.”
In this sense, PPD-20 was expressing, in somewhat more detailed language, an idea that had been around since William Perry's counter command-control warfare in the late 1970s.
After all those decades, the declassified
Cryptolog
article marked the first time that the term CNA, or such a precise definition of the concept, had appeared in a public document.
Within the Air Force, which had always been the military service most active in cyberspace, senior officers started writing a policy statement acknowledging its CNA capabilities, with the intent of releasing the paper to the public.
But then, just as they were finishing a draft, the hammer came down. Leon Panetta, a former Democratic congressman and budget director who'd replaced a fatigued Robert Gates as Obama's secretary of defense, issued a memo forbidding any further references to America's CNA programs.
Obama had decided to confront the Chinese directly on their rampant penetrations of U.S. computer networks. And Panetta didn't want his officers to supply the evidence that might help the Chinese accuse the American president of hypocrisy.
O
N
March 11, 2013, Thomas Donilon, President Obama's national security adviser, gave a speech at the Asia Society on Manhattan's Upper East Side. Much of it was boilerplate: a recitation of the administration's policy of
“rebalancing its global posture” away from the ancient battles of the Middle East and toward the “dynamic” region of Asia-Pacific as a force for growth and prosperity.
But about two thirds of the way through the speech, Donilon broke new diplomatic ground. After listing a couple of “challenges” facing U.S.-China relations, he said, “Another such issue is cyber security,” adding that Chinese aggression in this realm had “moved to the forefront of our agenda.”
American corporations, he went on, were increasingly concerned “about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale.”
Then Donilon raised the stakes higher. “From the president on down,” he said, “this has become a key point of concern and discussion with China at all levels of our governments. And it will continue
to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property.”
The Obama administration, he said, wanted Beijing to do two things: first, to recognize “the urgency and scope of this problem and the risk it posesâto international trade, to the reputation of Chinese industry, and to our overall relations”; second, to “take serious steps to investigate and put a stop to these activities.”
The first demand was a borderline threat: change your ways or risk a rupture of our relations. The second was an attempt to give Chinese leaders a face-saving way out, an opportunity for them to blame the hacking on hooligans and “take serious steps” to halt it.
In fact, Donilon and every other official with a high-level security clearance
knew
that the culprit, in these intrusions, was no gang of freelance hackers but rather the Chinese government itselfâspecifically, the Second Bureau of the Third Department of the People's Liberation Army's General Staff, also known as PLA Unit 61398, which was headquartered in a white, twelve-story office building on the outskirts of Shanghai.