Cyber Command nominee lays out rules of engagement

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Ben Bain
 

Connecting state and local government leaders

By Ben Bain

|

The nominee to head the Defense Department's new Cyber Command outlines how the command could respond to different cyberattack scenarios.

The Defense Department wants to integrate its cyberspace operations under a new Cyber Command, but the command’s role in cyber defense would depend on the dynamics of an attack scenario, the nominee to lead the new organization has testified.

Army Lt. Gen. Keith Alexander, the nominee who also heads the National Security Agency, explained the authorities and roles of the Cyber Command in different hypothetical scenarios presented by Senator Carl Levin (D-Mich.), who chairs the Armed Services Committee, during the NSA chief's confirmation hearing.

That exchange before Levin's panel  on April 15, demonstrated how the command could support cyber defense in foreign and domestic settings, with the United States at peace or war. The questioning also provided a glimpse into the complex policy and legal questions that swirl around establishing the command.

Related story

Pick to lead cyber command lays out battle plans

To demonstrate how the command would operate, Levin asked Alexander about how it could respond in different attack scenarios:

Support during a traditional armed conflict

Levin: Assume the following: That U.S. forces are engaged in a traditional military conflict with a country – we’ll call it Country C – now how would you conduct cyber operations in that country in support of the combatant commander? Under what authorities, processes, and borders would you be operating in that particular scenario?

Alexander: We would be operating under Title 10 authorities under an execute order supporting, probably, that regional combatant commander. The execute order would have the authorities that we need to operate within that country and we’d have a standing rules of engagement of how to defend our networks. I think that’s the straightforward case, [it] would be an execute order that comes down that regional combatant commander that includes the authorities for cyber [that] are parsed out and approved by the president.

The complexity of neutrality and third parties

Levin: Now the second hypothetical, I want to add a complicating factor to the scenario. Assume that an adversary launches an attack on our forces through computers that are located in a neutral country. That’s what you determine – the attack is coming from computers in a neutral country – how does that alter the way you would operate and the authorities that you would operate under?

Alexander: So that does complicate it. It would still be the regional combatant commander that we’re supporting under Title 10 authorities. There would be an execute order. In that execute order…the standing rules of engagement, it talks about what we can do to defend our networks and where we can go and how we can block. The issue becomes more complicated when on the table are facts such as: We can’t stop the attacks getting into our computers, and if we don’t have the authorities…we’d go back up to a strategic command, to the [defense secretary], and the president for additional capabilities to stop [the attack]. But right now the authorities would be to block it in theater in the current standing rules of engagement, and it would be under and execute order, and again, under Title 10 in support of that regional combatant command.

Levin: Is that execute order likely to have any authority to do more than defend the networks or would you have to, in all likelihood, go back for that authority…?

Alexander: It would probably have the authority to attack within the area of conflict against the other military that we are fighting, and there would be a rules of engagement that articulate what you can do offensively and what you can do defensively…what you would not have the authority to do is reach out into a neutral country and do an attack, and therein lies the complication for a neutral country…

Levin: And neutral being a third country presumably, is that synonymous or does the word neutral mean literally neutral?

Alexander: Well it could be either, sir, it could be a third country or it could be one that we don’t know. I should have brought in [to the conversation] attribution, because it may or may not be a country that we could actually attribute [an attack] to, and that further complicates this. And the neutral country could be used by yet a different country, the adversary, and it’s only a path through. In physical space this is a little bit easier to see, firing from a neutral country, I think the Law of Armed Conflict has some of that in it. It’s much more difficult and this is much more complex when a cyberattack could bounce through a neutral country…

The complicated case of homeland security assistance

Levin: Now a third scenario, more complicated yet. Assume you’re in a peacetime setting [and] all of the sudden we’re hit with a major attack against the computers that manage the distribution of electric power in the United States. Now, the attacks appear to be coming from computers outside the United States, but they’re being routed to computers that are owned by U.S. persons located in thee United States, the routers [are] in the United States. How would [Cyber Command] respond to that situation and under what authorities?

Alexander: That brings in the real complexity of the problem...because there are many issues out there on the table that we can extend, many of which are not yet fully answered. Let me explain: First, the [Homeland Security Department] would have the responsibility for defense of that working with critical infrastructure. [DHS] could through the defense report for civilian authorities [construct] reach out to the Defense Department and ask [for] support. And, sir, one of our requirements in the unified command plan is to be prepared for that task. So we would have that responsibility if asked to do that, again we’d get an execute order and we’d have the standing rules of engagement that we operate under all the time. The issues now [however] are far more complex because you have U.S. persons, civil liberties and privacy all come into that equation, ensuring that privacy while you try to, on the same network potentially, take care of bad actors. A much more difficult problem.

As a consequence you have a joint interagency task force, the FBI [that] has a great joint-cyber investigative task force that would be brought in, all of these come to bear. This is the hardest problem because you have attribution issues, you have the neutrality issue that we mentioned in the second scenario, you have [interagency groups] working together with industry, and I think that’s one of the things that [President Barack Obama] is trying to address with DHS and with [DOD]: how do we actually do that with industry. That’s probably the most difficult and the one that we’re going to spend the most time trying to work our way through: How does the [DOD] help [DHS] in a crisis like that.

Editor's note: The exchanges were edited for clarity.

NEXT STORY: Pick to lead cyber command lays out battle plans

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.