The U.S. Building up its Cyber Power

By Pavel Karasev, Research Fellow, MSU Institute of Information Security Issues

The opportunity to use information and communication technologies (ICT) for military and political purpose is becoming a factor affecting current international relations. The report of the Group of Governmental Experts, UN, 2015, states that a number of countries are building up their ICT potential for military purpose. Firstly, the terms and definitions used are recognized only by separate groups of countries. For instance, SCO countries use the term «information weapon» defined as «information technologies, means and ways of waging an information war»[i]. Practically any ICT-tool — both specialized and publicly available, like the Internet, social networks and databases, mobile systems, telecommunications networks, etc. — can be defined as information weapons. On the other hand, NATO member states use the definition of cyber weapons from Tallinn Manual on the International Law Applicable to Cyber Warfare: «cyber means of warfare that are by design, use, or intended use capable of causing either injury to, or death of, persons; or damage to, or destruction of objects, that is, causing the consequences required for qualification of a cyber operation as an attack». The Joint Doctrine on Cyberspace Operations, 2014, by the U.S. Department of Defense, defines «cyberspace capability» as «a device, computer program, or technique, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace». Therefore, in the most general sense, cyber weapons (not considering information and humanitarian impact) are specialized ICT capabilities aimed at causing injury to computer systems and networks, acting as infrastructure, and information contained therein.

Secondly, the international law aspects relevant to the use of ICTs for military purposes are still to be defined. The 2013 report by the UN Group of Governmental Experts recognizes the application of norms derived from existing international law relevant to the use of ICTs in cyberspace, though there is still no direct answer to the question how the international law must be applied in cyberspace. In particular, there are still no legal definitions for cyber warfare, attack in cyberspace, combatants, and how to ensure the observance of civilians’ rights.

Thirdly, cyber warfare is a specialized software, and this fact defines the potential for its development, distribution, and use. The attacks can come from common PCs connected to the Internet. However it is known, that the malware and/or its components (like «zero-day»[ii] exploits) can be bought, and the specialist needed can be hired. Low threshold of cyber weapons availability[iii] might significantly increase the range of actors, not only states, but also terrorist organizations and organized crime groups. At present the process of cyber weapons distribution goes uncontrolled, and the only existing mechanism – the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies – is intergovernmental and does not touch upon terrorist and criminal groups.

Fourthly, there is no fast and accurate cyber attack attribution at the current stage of ICT development. And while it is impossible to identify the source of the threat, it is likely that the accusation for the attack will be made without any evidence, on the basis of assumptions and conclusions, or according to the political conjuncture. There are many examples of the kind, including recent charges against Russia on hacking the U.S. Democratic Party servers, no substantial evidence having been produced.
The U.S. Cyber Weapons – History and Modernity

The funding for activity in cyberspace proves that this area is one of the key priorities for the U.S. Department of Defense. In 2014 hundreds of millions of dollars were spent to create special cyber ranges to train experts, analyze cyber operations, develop tools, and to establish a cyber security adviser post. In the 2016 budget, compared to the one of 2015, the funding for cyber operations technology development (basically, for cyber weapons) has grown to USD 100 million; USD 200 million is planned for search and assessment analysis of vulnerabilities in all weapon systems. Also, Cyber Command had planned to generate a total cyber mission force of about 6,000 people by 2016.

Former U.S. Secretary of Defense Ashton Carter stated, that the budget put a priority on funding the cyber strategy, investing a total of USD 6.7 billion annually and about USD 35 billion over the FYDP. This is a USD 900 million increase. 2017 fiscal year budget draft provides twice as much funding on the U.S. Air Forces offensive and defensive operations —making a total increase from USD 20 million to USD 50 million, and up to USD 150 million for technology development.

According to one of the amendments in the budget draft, there are plans to separate Cyber Command branch from the U.S. Strategic Command to make it a unified battle command. First of all, it will significantly speed up the decision making; secondly, Cyber Command will be more involved in Department of Defense budget planning, policy, and strategy. Moreover, the new structure will be directly subject to the U.S. Secretary of Defense and the President.

In the course of election campaign D.Trump unveiled his four-part cybersecurity strategy:

an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure;

create «joint task forces» across the country, teaming up federal, state and local police, to combat hackers;

top military officials, U.S. Secretary of Defense and the United States Chairman of the Joint Chiefs of Staff, to provide recommendations for enhancing U.S. Cyber Command;

develop the offensive cyber capabilities to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.
A Roadmap for U.S.-Russia Relations

It is obvious that D.Trump is not becoming an ambassador for peace in cyberspace. At the same time, the U.S. Government possesses some sort of inertia which allows to maintain the continuity of power. For instance, in the first term of being the President of the U.S., B. Obama was implementing a revised version of the Comprehensive National Cybersecurity Initiative that had been prepared by George W. Bush team. In April 2016 senior cybersecurity officials from the U.S. and Russia held a meeting on international cybersecurity — the sides agreed to continue building on their relations in the area on a non-confrontation basis and to activate bilateral cooperation in practical terms to address the threats of ICT in the context of global security. However, there is no information that after Russia being linked to breaking into the Democratic National Committee’s computer networks special hotlines were made within the Joint Statement by the Presidents of the United States of America and the Russian Federation. In September, during the G20 Summit in China, B.Obama stated, that the «goal is not to, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so that everybody is acting responsibly». October was marked by the publication of the Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security, which directly states that the recent disclosures of alleged hacker attacks are consistent with Russia's senior-most officials authorized efforts. Later it was announced that the U.S. would ensure that the «response is proportional».

The meeting of the Russian and the U.S. leaders at G20 Summit in Hamburg showed the interest to cooperate on global security in cyberspace, however, D.Trump’s subsequent waiver of the arrangements, that had already been under implementation, proves that there were certain difficulties encountered in political processes, first and foremost, within the USA. The current situation indicates a turning point that can influence further development of the entire system of international information security. On the one hand, the U.S. can promote its rules of the game in cyberspace, regardless of the interests of others. On the other hand, with pragmatic approach, the rules will imply a broader participation to address the expectations of the many, perhaps within the UN Group of Governmental Experts.

[i] Information war — confrontation between two or more states in the information space aimed at damaging information systems, processes, and resources, critical and other structures, undermining political, economic, and social systems, mass psychologic brainwashing to destabilize society and state, as well as to force the state to taking decisions in the interest of an opposing party.

[ii] Malware or vulnerability that is unknown to the vendor. No patch yet exists to mitigate the vulnerability being exploited. (according to Kaspersky Lab)

[iii] By Kaspersky Lab estimate, the cost of developing Stuxnet malware is around USD 100 million, while according to Fortinet, development of basic botnet tool like Zeus starts at USD 700.

Bookmark/Search this post with