Ex-U.S. general urges frank talk on cyber weapons

WASHINGTON Sun Nov 6, 2011 9:07am EST

James Cartwright testifies at a hearing of the Senate Armed Services Committee on the situations in Iraq and Afghanistan, on Capitol Hill in Washington September 23, 2008.  REUTERS/Jonathan Ernst

WASHINGTON (Reuters) - The United States should be more open about its development of offensive cyber weapons and spell out when it will use them as it grapples with an increasing barrage of attacks by foreign hackers, the former No. 2 uniformed officer in the U.S. military said.

"We've got to step up the game; we've got to talk about our offensive capabilities and train to them; to make them credible so that people know there's a penalty to this," said James Cartwright, the four-star Marine Corps general who retired in August as the vice chairman of the Joint Chiefs of Staff.

Cartwright, who raised the profile of cyber security issues while still in uniform, told Reuters in an interview that the increasing intensity and frequency of network attacks by hackers underscored the need for an effective deterrent.

"You can't have something that's a secret be a deterrent. Because if you don't know it's there, it doesn't scare you," Cartwright, now a fellow at the Washington-based Center for Strategic and International Studies, said in one of his first interviews after leaving office.

Current and former U.S. officials are tight-lipped about any specific weapons. But it is widely acknowledged the United States has both offensive and defensive ways to respond to escalating and increasingly destructive attacks from overseas.

Underscoring the threat, this week an arm of the U.S. intelligence community released a report identifying China and Russia as the most active and persistent nations that are using cyber espionage to steal U.S. trade and technology secrets.

Cartwright said it was important to send a strong signal to potential adversaries that the United States viewed responding to cyber attacks as its "right to self-defense," even if hackers were using a server in a third country.

"We've got to get that done, because otherwise everything is a free shot at us and there's no penalty for it," he said.

His comments come as the Obama administration debates the rules of engagement for cyberspace, now seen as a fifth domain for military operations, joining air, land, sea and space.

Earlier this year, the White House released a new cyber strategy that said that, when warranted, the United States would respond to hostile acts in cyberspace "as it would to any other threat to our country."

Now the military must work out exactly how to implement that. Key questions include how forthright Washington will be about work on offensive computer network attack weapons; what would constitute an act of war; and operational plans for training, testing and use of its electronic arsenal.

PENTAGON PRIORITY

Recent attacks on U.S. corporations such as Google Inc, the Nasdaq stock exchange, Lockheed Martin Corp, and RSA, the security division of EMC Corp, have given government officials and lawmakers a renewed sense of urgency about addressing threats to U.S. computer networks.

Cartwright's concerns are widely shared by U.S. military and law enforcement officials, who are alarmed by the lack of adequate network security they see in corporate America.

General Martin Dempsey, chairman of the Joint Chiefs of Staff, told lawmakers at a classified briefing on Tuesday that improving cyber security was an increasingly important priority.

"He prominently mentioned cyber security as a growing threat ... something that needs to be much higher up on our national security priority lists than it has been in the past," Representative Adam Smith, the top Democrat on the House Armed Services Committee, told reporters after the briefing.

U.S. Army General Keith Alexander, director of the National Security Agency and U.S. Cyber Command, last month said U.S. military officials would finalize new rules of engagement and operational plans for cyberspace in coming months.

QUESTIONS ABOUT DETERRENCE

Experts say any deterrent posture must be carefully crafted, but that is particularly true in cyberspace.

David Smith, a fellow at the Potomac Institute for Policy Studies and former U.S. diplomat engaged in talks with the former Soviet Union, said a deterrence policy had to be crafted very carefully to establish a credible threat of possible action without being too specific.

"You deter by keeping a level of uncertainty," Smith told Reuters. "To craft a good deterrent posture, you sort of tell people the kinds of things you have, and roughly, what the response would be if the interest of the United States were threatened, basically, that nothing is off the table."

Unlike the nuclear arena, where it was fairly easy to determine who had launched a ballistic missile attack, attribution remains an enormous challenge in cyberspace, where hackers can mask their identities.

Eric Sterner, a former Pentagon official and fellow at the conservative Marshall Institute think tank, said being too clear about what would provoke a response would invite hackers to test the limits up to that point.

"As soon as you declare a red line, you're essentially telling people that everything up to that line is OK," Sterner said.

Cartwright said it would probably take hackers two to five years before they could disable a large percentage of the banking industry or the U.S. electrical grid. But even a smaller attack could undermine confidence in financial markets, he said.

Establishing a deterrent posture now would help stem the endless tide of attacks coming from overseas, he said.

(Editing by Eric Walsh)

Comments (5)
SinoKat wrote:
The “American” tech companies that offshore R&D and jobs to the People’s Republic of China have enabled China to steal, hack, and otherwise threaten U.S. cyber security. Symantec, Apple, Microsoft, and Intel are among the many multinationals that are selling out America’s security in the interest of making a buck.

Nov 06, 2011 9:48am EST
JamVee wrote:
The best way to let attacking hackers (individuals or countries) know that you have a counter offensive weapon, is to use it on them, hopefully with devastating effects. Then, immediately claim responsibility, and announce that future such attacks will be met with similar counter attacks!

I see no reason for a warning. They know they are committing a crime, but up until now, the consequences, if they are caught (for the most part), have been rhetoric, or a slap on the wrist.

Nov 06, 2011 10:54am EST
ARJTurgot2 wrote:
Cyber warfare is asymmetrical warfare, a massive response capability will mean nothing to someone coming from hacked systems in Rio, Paris, Copenhagen. The problem is our DEFENSE capability, and that is not under the control of the DOD, it is under the incredibly dysfunctional Homeland Security.

Nov 06, 2011 12:43pm EST