Guest Post: Jim Bitzes on “Defending United States Critical Infrastructure from Cyber Attacks: A Modest Proposal”

On Lawfire we like to give you fresh perspectives on difficult issues, so I invite you to consider retired Air Force Colonel Jim Bitzes’ proposal as to how best to defend critical U.S. infrastructure from cyber attack. 

Jim grapples with the fact that responding to complex cyber incidents which may be the result of nation-state machinations or activity by cyber crooks (or some mixture of the two) often requires involvement with both high-end military capabilities as well as law enforcement protocols that the military is typically not especially well-suited – or, often, not legally authorized – to employ.  He offers a solution in the form of an existing entity that has significant experience in both the military and law enforcement realms. 

Jim has real expertise in this area as prior to his retirement for active duty he served as the staff judge advocate (general counsel) for U.S. Cyber Command.  He also served as the staff judge advocate for the Air Force Office of Special Investigations and supported U.S. Special Operations counter-terrorism operations.  Here’s Jim’s idea:

Defending United States Critical Infrastructure from Cyber Attacks:   A Modest Proposal

James G. Bitzes, Colonel, USAF (Retired)

On April 11, 2018, former Department of Homeland Security (DHS) Secretaries Michael Chertoff and Jeh Johnson, along with former Commander of U.S. Cyber Command and Director of the National Security Agency, General Keith Alexander, testified before the House Armed Services Committee on “Cyber Operations Today: Preparing for 21st Century Challenges in an Information-Enabled Society.” Emerging from session looms a question which has yet to be firmly answered between the Departments responsible for defending the Nation in the cyberspace domain: How will we defend our Nation’s critical infrastructure during an actual attack when that attack emanates from within our sovereign borders? Secretary Chertoff posed a scenario and a challenge which I contend can and must be answered. He stated,

“Unlike in the physical world where you can see a missile or a bomber coming from overseas, you could easily have a nation state attack launched from a café down the street here in Washington from a thumb drive. We’ve built our doctrine in terms of what the military can do in terms of the away game and the home game, and we may need to revisit it when we use some of our away powers for attacks that emanate from home.”

General Alexander spoke of the need to address rules of engagement to provide elements of U.S. Cyber Command the ability to respond and block attacks emanating from overseas. General Alexander testified, in part, that:

“So, I’ll give you my thoughts on responding to an attack against the country, and I’ll use the 2012 attacks that occurred. And in those times, it was my experience that the attacks against our country could have been stopped and turned off, not [with] destructive attacks, but [with] blocking attacks.

* * *

… most of those systems that are being attacked have been exploited by a bad guy to attack us to attack us. So, the country whose device or computer sits in their turf is actually being used to shoot us. In physical space, if somebody put a weapon in neutral space and started shooting at you, you have the inherent right of self-defense. I think we need a similar thing in cyber where you can defend it.

* * *

… what you’re asking then the Cyber Command forces to do is block that attack and give you the time you need to make a decision of what elements of national power [to use].”

For years, I have agreed with this proposition. With respect to responding to attacks emanating from overseas, I’ll simply say, ‘I concur.’ With respect to attacks emanating from within the United States, I contend we can and must do much more.

Given the nature of cyberspace, some threat actors will launch attacks from within our borders. These efforts attempt to obfuscate attacker identity. However, they also use our own commitment to the rule of law, as embodied in our Constitution and significant legislative actions as a shield for their illegal activities. See for example, the Posse Comitatus Act (18 U.S.C. § 1835).

In this context, I must make an important distinction. In his statement, Secretary Chertoff used the phrase “away powers” to address threats from inside our borders. In my view, it is not a question of using “away powers” but rather a question of using ‘away capabilities,’ lawfully. General Alexander spoke in terms of “blocking attacks” that should be permitted by putting proper authorities in place. To be fair, this could be what Secretary Chertoff meant, but it is not just a semantic distinction. We can and must bring ‘away capabilities’ to this fight.

By ‘away capabilities’ in this context, I refer to those minimally intrusive tactics, techniques and procedures (TTPs) employed by military units that have the effect of “blocking” enemy cyber attacks. Their effects are well-below the use of force, as that phrase is defined in international humanitarian law. Used domestically, these TTPs may require invocation of the “protective” exception for law enforcement contained in the Computer Fraud and Abuse Act in a way in which may not have been used to date. See, 18 U.S.C. § 1030(f).

I am admittedly frustrated. In the post-9/11 world, it remains ‘easier’ to shoot down a hijacked civilian airliner over U.S. airspace than it is to put the brakes on a cyber intrusion or attack emanating from inside the sovereign U.S. territory. This strikes me as a bit upside down, especially when such an attack could cripple U.S. critical infrastructure. See, Executive Order 13636, Improving Critical Infrastructure Cybersecurity.

During testimony, each of the three hearing participants emphasized the importance of the approach dubbed as “whole of government.” Yet, each acknowledged to varying degree that significant gaps exist to create a cyber defense. A “whole of government” approach reflects a decision made at the grand strategic level, to employ various means of national power to address threats in cyberspace, vice just the military. See, B.H. Liddell Hart, The Theory of Strategy. While I agree that this approach is vital in the cyber domain, we must not ignore lawful military means of stopping attacks.

In my view, we can have no meaningful defense of the homeland in cyberspace without the authority to bring ‘away capabilities’ to the fight in a timely manner. Certainly, the authority to block attacks emanating from outside the United States is vital, but in this highly adaptive domain, our enemies will simply shift their operational strategy to attack us from within. Moreover, by employing asymmetric strategies and sowing confusion on the ‘battlefield,’ our enemies will make it appear as though the threat comes from within the U.S. for as long as possible. Our strategy, therefore, must prepare for attacks that emanate from all fronts. Anything less is just consequence management.

Congress continues to grapple with the various challenges associated with defense of critical infrastructure and resilience of the same. Most recently, the House Subcommittee on Emerging Threats and Capabilities released proposed amendments to the FY 2019 National Defense Authorization Act (NDAA). One of these amendments would authorize the Secretary of Defense, in coordination with the Secretary of Homeland Security, to provide up to 50 technical personnel to DHS to enhance cooperation, collaboration, and unity of government efforts in support of the protection of critical infrastructure from cyber incidents. This same mark-up of the NDAA also includes a provision to study the feasibility, advisability, and necessity of the establishment of reserve component cyber civil support teams for each State to respond to an attack, natural disaster, or other large-scale incident affecting computer networks, electronics, or cyber capabilities.

These Congressional efforts certainly move us closer to where we need to be in prevention and resilience. However, both provisions fall short of enabling and authorizing the kind of effort required to defend the Nation from ongoing attack.

To be fair, there are more than a few challenges facing our Nation in cyberspace. Rightly, we continue to try to carefully define the role of government (national, state and local) versus the private sector (domestic and international) versus the individual citizen. As a people governed by and respecting the rule of law, we should be cautious about trying to strike a balance that best preserves the policy set forth in Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, “To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.”

Yet, I see four critical points reflected in Secretary Chertoff’s statement: 1) the ubiquitous nature of cyberspace; 2) the role and obligation of the United States, as a sovereign nation, to defend itself; 3) the importance of sovereign nations taking the initiative to defend against threats emanating from within their borders; and 4) the reality that cyberspace is a space like no other that requires us to be prepared to fight a war like no other. See, Victor Davis Hansen, A War Like No Other – How the Athenians and Spartans Fought the Peloponnesian War

On May 15, 2018, Secretary Kirstjen Nielsen announced the release of the DHS Cybersecurity Strategy. “The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” said Secretary Nielsen. “Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our Republic itself.” The DHS Cybersecurity Strategy makes significant strides towards laying out clear, specific, feasible, and measurable goals to guide DHS forward.

However, if we agree as a Nation that our critical infrastructure must be defended, then we must have entities armed with the authorities and capabilities to defend it. Indeed, the President’s National Security Strategy directs as a “Priority Action” that, “The Federal Government will ensure that those charged with securing critical infrastructure have the necessary authorities, information, and capabilities to prevent attacks before they affect or hold at risk U.S. critical infrastructure.” [Emphasis added]. To effectively answer the President’s challenge, we need a force with the right authorities and capabilities to defend against threats emanating from within our sovereign territory, at net speed.

Intrusions or attacks in the cyber domain require decision makers enabled with the facts and the authority to make decisions in seconds, not minutes, hours or days. No other domain consistently demands such a rapid Observe, Orient, Decide and Act cycle. Inside the United States, it requires an entity like no other that is at once both law enforcement and military (and is a formal member of the intelligence community). Congress has grappled with this challenge before, and a proven lawful model for this entity already exists. It is the U.S. Coast Guard.

The U.S. Coast Guard Cyber Strategy (June 2015) captures the challenge. “Foreign governments, criminal organizations, and other illicit actors attempt to infiltrate critical government and private sector information systems, representing one of the most serious threats we face as a nation.”

In the cyber domain, the new coastal and inland waterways are the vast network of endpoints, switches and routers that make up the network. As with General Alexander’s example, a concept of defense necessarily involves the ability to at least “block” attacks at the source (including when that source is in the U.S.) as they are taking place.

Potentially, the Coast Guard provides a force capable of defending the Nation against cyber threats already present within our borders in real time, even though in real time we may not yet know whether the threat actor is a criminal or a nation state actor. The Coast Guard already organizes, trains and equips to fight along side the Soldiers, Sailors, Airmen and Marines of U.S. Cyber Command. On a daily basis, it enforces the laws of the U.S. and works seamlessly alongside other elements of our domestic law enforcement apparatus. It is a formal member of the intelligence community. In short, the Coast Guard is optimally placed to support synchronization and unity of effort between DHS and DOD both during and in the aftermath of attack.

And what do we expect and demand of our law enforcement agents when the see a crime in progress? We expect prudent but immediate intervention followed by diligent efforts to investigate in order to hold perpetrators accountable. The Coast Guard does this every day in physical space. As a critical infrastructure sector focused agency, it is able to focus on the development and dissemination of timely policies and cyber threat indicators to enhance the security and safety of the Maritime Transportation Sector.

Moreover, there is precedent for employment of Coast Guard assets to protect elements of one other critical infrastructure sector: the energy sector. In the immediate aftermath of 9/11, members of the Coast Guard were assigned duties to provide security around some of the Nation’s nuclear facilities.  By making this 9/11 response comparison, I am not suggesting that current statutory authority exists for the Coast Guard to assume a broader cyber role similar to that which it performs to secure the Maritime Transportation Sector.

By statute, the domestic mission of the Coast Guard is principally limited to this sector, but the robust authorities granted in the Maritime Transportation Security Act of 2002 provide a roadmap for application to at least some other critical infrastructure sectors, like the energy sector.

The threat is known. On 9/11, our Nation was attacked in manner that we had not seriously envisioned, considered, or prepared for. We can no longer say this about cyber threats to critical infrastructure. We must be prepared to fight the war that will be like no other. Thus, we must address both threat vectors, and we can do so without compromising our adherence to the rule of law. The Coast Guard model best epitomizes what Congress can do when it grants authority to support whole of government efforts to defend the Nation while, at the same time, respect the rule of law.

And as we like to say on Lawfire, gather the facts, examine the arguments, assess the law, and decide for yourself! 

(The views expressed are those of the author alone and not necessarily those of myself, Lawfire, Duke Law, or anyone other than our guest essayist. )