LAS VEGAS--The United States should decide on rules for attacking other nations' networks during an actual cyberwar, which could include an international agreement not to disable banks and electrical grids, the former head of the CIA and National Security Agency said Thursday.
Michael Hayden, who was the principal deputy director of national intelligence and retired last year, said the rules of engagement for electronic battlefields are still too murky, even after the Defense Department created the U.S. Cyber Command this spring. The new organization is charged with allowing the U.S. armed forces to conduct "full-spectrum military cyberspace operations in order to enable actions in all domains," which includes destroying electronic infrastructure as thoroughly as a B-2 bomber would level a power plant.
Even a formal cyberwar may have rules different from those applying to traditional warfare, Hayden suggested. One option would be for the larger G8 or G20 nations to declare that "cyberpenetration of any (financial) grid is so harmful to the international financial system that this is like chemical weapons: none of us should use them," he said at the Black Hat computer security conference here.
Another option would be for those nations to declare that "outside of actual physical attacks in declared conflicts, denial of service attacks are never allowed and are absolutely forbidden and never excused," Hayden said. In 2008, for instance, Georgia accused Russia of launching a coordinated denial-of-service attack against Georgian Web sites, which coincided with military operations in the breakaway region of South Ossetia.
Internet intrusions and denial-of-service attacks are notoriously difficult to trace back to their actual source...Is a successful break-in the work of a national government or a 14-year-old hacker in Shanghai or Moscow? The U.S. State Department has linked China to penetrations into Google employees' computers, but China has officially denied it.
The United States' current cyberwar policy remains vague. Earlier this year, a congressional committee asked Lt. Gen. Keith Alexander, now the head of the NSA and Cyber Command, when he would "fire back" without consulting the host government first, whether the use of offensive force would be "pre-authorized" below the level of the president, and whether there should be "classes" of networks operated by allies that should be off-limits to intrusion.
In his written response (PDF), Alexander refused to answer any of those questions publicly, saying the information was classified.