With immense capacity and advanced technical capabilities, the military is well prepped to support the commercial sector handling complex nation state intrusions
Recent events have shaped the way policy-makers view the Department of Defense’s (DoD) role in defending the United States against cyber-intrusions. Cyberspace strategies used by nation states are shifting from the targeting of government organizations for the purposes of gathering intelligence, which is an expected occurrence, to the deliberate targeting of commercial organizations for the purpose of asymmetric warfare.
Sensitive data for more than 22 million government workers was recently compromised during a nation state intrusion into the Office of Personnel Management’s (OPM) network. Acts of legitimate cyber-espionage, like what occurred at OPM, are less concerning than the increasing number of targeted attacks against commercial organizations. In early 2015 CrowdStrike, a private security firm, identified the Chinese People’s Liberation Army, nicknamed ‘Deep Panda’, as the entity responsible for the theft of more than 80 million Social Security numbers from insurance giant Anthem.
Does public opinion really expect commercial organizations like Sony Pictures Entertainment, victim of a North Korean sponsored cyber-attack, or Anthem to be capable of defending against intrusions orchestrated by nation states with vast resources? DoD support to commercial intrusions should be considered when the threat and risk to the general public warrants military action, levelling the competition to nation state versus nation state.
Commercial sector intrusions fall under one of two legal purviews. Homeland Security Presidential Directive 7 grants authorities to the Department of Homeland Security (DHS) for the defense of 16 critical infrastructure sectors including healthcare, financial services, and critical manufacturing. The 16 critical infrastructure sectors span federal, state, and commercially-owned assets giving DHS the necessary authorities to work with commercial organizations when required. Intrusions on assets not deemed critical infrastructure, therefore not requiring DHS involvement, become law enforcement equity under US Code Title 18 which grants authorities to law enforcement for criminal investigations.
Defense support to the commercial sector is a complex legal issue. No direct authorities currently exist authorizing DoD support to the commercial sector. Authorities for DoD support to the commercial sector can only be granted via special consideration called Defense Support to Civil Authorities (DSCA, pronounced dis-ka).
Outlined in DoD Policy 3025.18 a DSCA action inherits its authorities from section 5121 of US Code Title 42 and section 1535 of US Code Title 31, commonly referred to as The Stafford Act and The Economy Act respectively. By definition, DSCA is support provided by DoD personnel or supporting affiliates to a request for assistance pertaining to domestic emergencies, law enforcement, and other domestic activities.
A DSCA can be approved by the President of the United States or, if authorized, the Secretary of Defense, except for cases deemed an ‘extreme’ emergency. In the case of DSCA support to law enforcement the provisions of US Code Title 10 restricts the support of DoD personnel, equipment, or capabilities depending on the situation.
"The Secretary of Defense’s control over both military and intelligence organizations give the DoD unique insight into a cyber-intrusion"
Focusing on cyber-intrusions, the general military powers provision (Title 10, Subtitle A, Part I, Chapter 18) prohibits the participation of any member of the armed services in a search, seizure, or arrest. A DSCA does not provide the DoD autonomous authority to assist the commercial sector with an intrusion; a successful request for a DSCA provides an avenue for DoD personnel to inherit authorities granted to law enforcement, DHS, and other government departments or agencies.
The DoD is uniquely positioned to assist other government organizations with commercial intrusions because it inherits authorities from two distinct US Codes, military operations (Title 10) and intelligence (Title 50). Title 10 gives the Secretary of Defense all “authority, direction, and control” over the DoD, including all subordinate agencies and commands. Title 50 establishes, defines, and delineates authorities within the intelligence community, but it also clarifies that the Secretary of Defense controls those members of the US intelligence community, such as the National Security Agency and Defense Intelligence Agency, that are part of DoD. The Secretary of Defense’s control over both military and intelligence organizations give the DoD unique insight into a cyber-intrusion. When operating under a DSCA, benefits derived from both authorities can be extended to assist a commercial organization.
In December 2012, General Keith Alexander, Director of the National Security Agency and Commander, United States Cyberspace Command, put forth a plan to build Cyber Protection Teams that can conduct a wide variety of defensive cyberspace operations. The teams are divided into three tiers: Military Service Component, Combatant Command, and National Teams. The first two tiers, Service Component and Combatant Command, are tasked with the defense of military and DoD networks. The Cyber National Mission Force architecture is built with the flexibility to support any contingency and is the perfect organization to respond DSCA operations supporting commercial intrusions.
In 2015, Cyber Protection Teams out of the National Mission Force have reached maturity responding to intrusions worldwide on a regular basis. They are experienced organizations at both responding to intrusions and harnessing the advantages provided by Title 10, Title 50, and their close relationship with national intelligence organizations. The greatest advantage, however, is capacity. The Cyber Mission Forces have 68 total teams with thousands of personnel tasked with defense. This fact makes the DoD the largest defensive cyberspace organization in the United States Government.
Requesting DoD support to a commercial intrusion is based on three contributing factors: attribution, intent, and the affected organization. These data points define the threat to national security and the threat to the general public. Not every intrusion warrants DoD involvement; under certain conditions the use of DoD assets, like the Cyber National Mission Force, in support of a DSCA will enhance national security.
Adversary attribution defines the threat’s sophistication level. For example, the intrusion into Target Corporation’s network resulted in a significant loss of financial data and millions in damages. The culprit: criminal activity. While many criminal organizations are technically sophisticated, compared to nation states, they are significantly constrained by resource availability specifically financial backing, manpower, and research and development. On the other hand, In June 2014, CrowdStrike released a report outing the 12th Bureau, Third General Staff Department, of the Chinese People’s Liberation Army as conducting cyber espionage against government and commercial sector organizations alike.
Adversary intent defines the threat to national security and the general public. Intent answers the question, what are the intruder’s objectives within the targeted network? The driving force behind a criminal organization is typically financial gain; hence they target data repositories housing Social Security or credit card numbers. Nation states on the other hand are interested in furthering national objectives. Strategic objectives are dependent on the adversary and can change over time.
Recently, the Chinese Government focused on the theft of intellectual property where the Russian government has been more focused on strategic deterrence. In the case of Sony Pictures Entertainment, the Democratic People’s Republic of Korea’s government conducted a destructive attack against a commercial organization in response to the politically controversial movie The Interview.
Threat intelligence can reveal intent from either historical precedence or forensic investigation. Symantec, a private security firm, exposed a massive campaign against 10 major financial institutions to include JP Morgan Chase and Co as well as Western energy companies. The Russian group’s intentions excluded financial gain and intellectual property, instead a strategy to posture against the United States through the compromise of critical infrastructure. Risk to the general public and national security is derived by analyzing adversary intent. For example, a destructive attack against Sony Pictures Entertainment poses significantly less risk than a destructive attack against a power company.
The affected organization further defines the threat to national security. Weighing the relative importance of a commercial sector organization to national security is highly subjective. Homeland Security Presidential Directive 7 defines sixteen critical infrastructure sectors serving as a baseline. However, it’s not a complete list covering every contingency. The jurisdiction of the affected organization and the capacity of the responding government agency will drive the requirement for a DSCA.
When does DoD support in domestic defense make sense? Current trends prove that commercial organizations are the subject of targeted intrusions by nation states. In March 2015, Admiral Michael Rogers, Commander United States Cyber Command, reaffirmed his dedication to the defense of the United States and its allies in a statement before the House Armed Services Committee, Subcommittee on Emerging Threats and Capabilities, stating, “Our collective missions are to direct the operation and defense of the Department of Defense’s networks while denying adversaries (when authorized) the freedom to maneuver against the United States and its allies in and through cyberspace.”
Intrusions like the ones that occurred at Sony Pictures Entertainment and Western energy companies were nation-state-sponsored intrusions into commercial sector organizations. In resource capacity alone, commercial sector organizations cannot compete with nation states. Breaches will undoubtedly occur and DoD support to commercial organizations through a DSCA can significantly raise the cost of conducting an attack and enhance national security.
Robert S. Johnston is a Marine Corps Captain and the team lead for 81 National Cyber Protection team out of United States Cyber Command