WASHINGTON (Reuters) - The United States should be more open about its development of offensive cyber weapons and spell out when it will use them as it grapples with an increasing barrage of attacks by foreign hackers, the former No. 2 uniformed officer in the U.S. military said.
“We’ve got to step up the game; we’ve got to talk about our offensive capabilities and train to them; to make them credible so that people know there’s a penalty to this,” said James Cartwright, the four-star Marine Corps general who retired in August as the vice chairman of the Joint Chiefs of Staff.
Cartwright, who raised the profile of cyber security issues while still in uniform, told Reuters in an interview that the increasing intensity and frequency of network attacks by hackers underscored the need for an effective deterrent.
“You can’t have something that’s a secret be a deterrent. Because if you don’t know it’s there, it doesn’t scare you,” Cartwright, now a fellow at the Washington-based Center for Strategic and International Studies, said in one of his first interviews after leaving office.
Current and former U.S. officials are tight-lipped about any specific weapons. But it is widely acknowledged the United States has both offensive and defensive ways to respond to escalating and increasingly destructive attacks from overseas.
Underscoring the threat, this week an arm of the U.S. intelligence community released a report identifying China and Russia as the most active and persistent nations that are using cyber espionage to steal U.S. trade and technology secrets.
Cartwright said it was important to send a strong signal to potential adversaries that the United States viewed responding to cyber attacks as its “right to self-defense,” even if hackers were using a server in a third country.
“We’ve got to get that done, because otherwise everything is a free shot at us and there’s no penalty for it,” he said.
His comments come as the Obama administration debates the rules of engagement for cyberspace, now seen as a fifth domain for military operations, joining air, land, sea and space.
Earlier this year, the White House released a new cyber strategy that said that, when warranted, the United States would respond to hostile acts in cyberspace “as it would to any other threat to our country.”
Now the military must work out exactly how to implement that. Key questions include how forthright Washington will be about work on offensive computer network attack weapons; what would constitute an act of war; and operational plans for training, testing and using of its electronic arsenal.
Recent attacks on U.S. corporations such as Google Inc, the Nasdaq stock exchange, Lockheed Martin Corp, and RSA, the security division of EMC Corp, have given government officials and lawmakers a renewed sense of urgency about addressing threats to U.S. computer networks.
Cartwright’s concerns are widely shared by U.S. military and law enforcement officials, who are alarmed by the lack of adequate network security they see in corporate America.
General Martin Dempsey, chairman of the Joint Chiefs of Staff, told lawmakers at a classified briefing on Tuesday that improving cyber security was an increasingly important priority.
“He prominently mentioned cyber security as a growing threat ... something that needs to be much higher up on our national security priority lists than it has been in the past,” Representative Adam Smith, the top Democrat on the House Armed Services Committee, told reporters after the briefing.
U.S. Army General Keith Alexander, director of the National Security Agency and U.S. Cyber Command, last month said U.S. military officials would finalize new rules of engagement and operational planes for cyber space in coming months.
Experts say any deterrent posture must be carefully crafted, but that is particularly true in cyberspace.
David Smith, a fellow at the Potomac Institute for Policy Studies and former U.S. diplomat engaged in talks with the former Soviet Union, said a deterrence policy had to be crafted very carefully to establish a credible threat of possible action without being too specific.
“You deter by keeping a level of uncertainty,” Smith told Reuters. “To craft a good deterrent posture, you sort of tell people the kinds of things you have, and roughly, what the response would be if the interest of the United States were threatened, basically, that nothing is off the table.”
Unlike the nuclear arena, where it was fairly easy to determine who had launched a ballistic missile attack, attribution remains an enormous challenge in cyberspace, where hackers can mask their identities.
Eric Sterner, a former Pentagon official and fellow at the conservative Marshall Institute think tank, said being too clear about what would provoke a response would invite hackers to test the limits up to that point.
“As soon as you declare a red line, you’re essentially telling people that everything up to that line is OK,” Sterner said.
Cartwright said it would probably take hackers two to five years before they could disable a large percentage of the banking industry or the U.S. electrical grid. But even a smaller attack could undermine confidence in financial markets, he said.
Establishing a deterrent posture now would help stem the endless tide of attacks coming from overseas, he said.
Editing by Eric Walsh