T HE steady march of technological progress, which has empowered recent generations to save countless lives, has also inevitably opened new military theatres of operation to the battlespace. Over a modern college student’s short two decades of existence, another one of these theatres has entered the conventional domains of land, sea, air, and space — cyberspace.
Cyberspace is defined as the domain created by the use of electronics, and as with all other types of military power, cyber power is measured by the ability to use that domain to achieve a particular strategic outcome. The potential of this new battlespace is only beginning to be realized, creating both terrifying national security vulnerabilities and unprecedented new opportunities for cooperation between the public and private sector and between nations.
According to the Council on Foreign Relations, the three main strategic challenges unique to the digital medium are asymmetry, attribution, and offensive advantage. Asymmetry refers to the idea that through a cyberattack, actors with limited resources can compromise high-level targets. Why expend time, money, and casualties bombing the U.S. electrical grid if you can take it down remotely through a computer virus instead? In terms of attribution, the United States Computer Emergency Readiness Team (U.S.-CERT) designates five possible cyber threat sources: national governments, terrorists, industrial spies and organized crime groups, hacktivists, and hackers.
However, unlike in the theatres of land, sea, air, and space, cyberattacks do not come with the uniforms of an occupying army, nor flags stamped on predator drones — in fact, their digital footprint can disappear in a matter of seconds. Not only is it difficult to determine who might have been responsible for an attack, the lines between acts of war, terrorism, espionage, crime, protest, vandalism, and more are frequently blurred. It is not always easy to separate a white hat (a hacker who hacks for benevolent purposes, e.g. a security expert) from a black hat or a green hat (a hacker who hacks for malevolent or money-making purposes). As the saying goes, “on the Internet, nobody knows you’re a dog.”
Finally, offensive advantage derives from the fact that openness on the Internet is prized over security, so there is limited capability to build defenses against a first strike. Perhaps the saying should be expanded to include: “on the Internet, everyone is a sitting duck.” The technological advancements and legal framework necessary to improve attribution and response to a given cyberattack are still in their infancy. So far, however cyberattacks have fallen into two broad categories: information heists and industrial sabotage.
Cyberattack Type 1.0: Information Heist
The most common type of cyberattack is an attempt to track the online activity of people within a secure network without their knowledge or permission, usually to gather information about the movements and searches conducted by authorized users or to lift key documents from secure servers (WiseGEEK). The most well known example of this kind of attack is the Operation Aurora virus that began in mid-2009 and continued through December 2009, first publicly disclosed by Google on January 12, 2010. Three other companies (Adobe Systems, Juniper Networks, and Rackspace) admitted to being targeted by the virus, and dozens more were reportedly hit as well, including Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical. Uri Rivner of RSA (the security division of EMC2) characterized the attack as a form of “Advanced Persistent Threat,” or security lingo for “Pretty sure it came from China” (Vanity Fair).
According to a McAfee White Paper released a few months later, Operation Aurora attacked source-code management systems, manipulating a trove of security flaws that allowed easy access to valuable intellectual property (Wired.com). In a global competition among knowledge-based economies, the Chinese government (or whoever perpetrated the attacks) is using cyberattacks to skip ahead on years of research and development and gain a competitive edge against American companies (WSJ.com). On the surface this sort of attack would probably be classified as espionage conducted by industrial spies, but the Chinese government’s refusal to answer Secretary Clinton’s call for an explanation implies that the attack had national, and therefore possibly warlike, dimensions. It’s an extremely difficult (and politically fraught) call to make. So far, the U.S. government has been cautious in outright accusing the Chinese government of these illegal activities.
The leaking of valuable proprietary secrets to foreign governments is harmful to American companies’ comparative advantage, but the threat from silent, information-gathering attacks can be much more serious than that. A year previously, in 2008, the U.S. Department of Defense suffered a catastrophic compromise of its classified military computer networks. An infected flash drive was inserted into a military laptop at a base in the Middle East, and malicious code uploaded itself to a secure network used by U.S. Central Command (CENTCOM). The code in effect established a digital beachhead from which any information on the network, including operational plans, could be transferred to foreign servers (Foreign Affairs). This nightmare scenario is only the tip of the iceberg of what is possible with creative hackers and an increasingly Internet-dependent U.S. security establishment. The scare at CENTCOM in 2008 was what led the Pentagon to officially declare cyberspace the “fifth domain of warfare.”
An important component of preventing information heist-type cyberattacks lies in improved cooperation between the public and private sector. The Operation Aurora debacle exposed major jurisdictional confusion between Google and the government agencies they assumed were protecting their intellectual property. According to Vanity Fair, a former White House official has reported: “After Google got hacked, they called the N.S.A. in and said, ‘You were supposed to protect us from this!’ The N.S.A. guys just about fell out of their chairs. They could not believe how naïve the Google guys had been” (Gross).
Apparently, Google executives believed that the government monitors the Internet the same way it monitors foreign military threats, when in fact USCYBERCOM only defends U.S. military networks and the Department of Homeland Security only protects government networks. Corporate Internet infrastructure is the sole responsibility of private companies. Estimates published on CNET have shown that in 2008 cyberattacks may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage — and the total has only gone up since.
In the near future, clear jurisdictional protocols delineating the responsibilities of government agencies and corporations must be established, as well as an extensive sharing of best practices in combating cyberattacks. A massive technology gap has nearly always existed between the public and private sectors, but in the age of rapidly evolving cyberwarfare the consequences of complacently tolerating this gap have become a matter of critical national security. Jerry Cochran, chief cybersecurity architect at Microsoft, has stated: “without a set of concrete government incentives or enforceable regulations, corporations will continue to make risk-management decisions based on their individual self-interest. These are considerations that do not necessarily account for larger U.S. national security concerns” (CFR). Governments and corporations must be brought into the age of cyberwarfare together, or neither will be able to avert disastrous information heists in the future.
Cyberattack Type 2.0: Industrial Sabotage
The second type of cyberattack, industrial sabotage, is potentially more destructive than the first. The most formidable example of this type of attack so far is the Stuxnet virus that critically damaged Iranian nuclear power plants, first reported publicly in June 2010. The virus caused the reactors’ Siemens centrifuge systems to spin too fast and self-destruct while maintaining the appearance of a normal operation, much like a pre-recorded security tape in a bank heist (Broad et al, NY Times). As with every other cyberattack, Stuxnet’s precise origins remain mysterious, though strong evidence suggests that it was a collaboration between the U.S. and Israel, possibly with assistance from Germany and Britain (CFR). From a certain perspective, Stuxnet and similar viruses have huge potential for making the world a safer place by sabotaging weapons programs worldwide.
In the words of CFR’s Richard Falkenrath, “A sophisticated half-megabyte of computer code apparently accomplished what a half-decade of United Nations Security Council resolutions could not” (CFR). But since then, Stuxnet has spread to similar industrial facilities in various countries just like a biological virus, with a hit rate of 58.85 percent in Iran, 18.22 percent in Indonesia, 8.31 percent in India, 2.57 percent in Azerbaijan, 1.56 percent in the U.S., 1.28 percent in Pakistan, and 9.2 percent in others (Symantec). American officials have raised fears that a modified Stuxnet worm could cause “blowback” in the U.S. by attacking an electric or telecommunications grid, an oil refinery, or a water treatment facility. As of yet, it remains very difficult to take back control of the industrial machinery once it has become infected.
The only way to combat viruses like Stuxnet that easily traverse national borders is increased international cooperation and transparency. According to James Lewis of the Center for Strategic and International Studies, international cooperation among law enforcement agencies is critical due to the problem of attribution. Cyberattacks must typically be traced a step at a time from one computer to the next, relying either on the voluntary cooperation of the owners or the compulsory legal processes within each country involved. So far only 19 countries have signed on to Mutual Legal Assistance in Criminal Matters Treaties (MLATs) with the U.S. that would accomplish this goal, which is not nearly enough to effectively investigate cybercrime worldwide. Furthermore, the delays caused by following formal legal procedures can be fatal in investigating cyberattacks due to the transient nature of digital evidence; international cooperation regarding cyberwarfare will have to be the most streamlined ever seen to date.
The contribution of the private sector will be crucial in meeting this new standard, as well as extensive inter-agency cooperation between law enforcement, intelligence, national defense, diplomacy, commercial promotion, and technology. So far the best blueprint for success seems to be the G-8 Subgroup on High-Tech Crime (formed January 1997) that established a 24/7 network of law enforcement points-of-contact in each of the participating countries. One issue with expanding membership of such groups is that only a handful of countries are actually impacted by cyberattacks, so the vast majority of the world has no interest or capacity in joining. And of the countries that do suffer from cyberattacks, there is concern that too much transparency would erode hard-earned technological advantages (Lewis).
But regardless of the enormous challenges, the status quo of international confusion and mistrust surrounding cyberwarfare cannot go on indefinitely — we cannot allow disaster to strike before establishing a cooperative and streamlined international response procedure to cyberattacks.
A Desperate Need to ‘Think Different’
Earlier this year, the Pentagon unveiled a new military strategy, emerging from several years of debate modeled on the 1950s effort to deter nuclear attacks, that declares any cyberattack that threatens widespread civilian casualties (e.g. cutting off power or emergency-responder communications) an act of war that could merit a military response. According to the head of the United States Strategic Command, General Kevin P. Chilton, the proportionality of response is deliberately left vague to leave all options on the table. As an administration official intimated: “almost everything we learned about deterrence during the nuclear standoffs with the Soviets in the ‘60s, ‘70s and ‘80s doesn’t apply” (Sanger and Bumiller, NY Times). The deterrence dynamics of cyberwarfare are desperately in need of greater theorizing.
The United States’ counter-cyber establishment is also desperately in need of more personnel. In March 2011, General Keith Alexander, chief of USCYBERCOM, described cybersecurity staffing and resources as very thin and likely to be overwhelmed by a crisis. U.S. Deputy Secretary of Defense William J. Lynn III also acknowledged the disproportionate number of computer scientists being produced by India and China, suggesting that the United States will “lose its advantage in cyberspace if that advantage is predicated on simply amassing trained cybersecurity professionals” (CFR). Looking for a job after graduation in a guaranteed growth sector with a focus on public service? Major in computer science and dust off your white hat — cyberwarfare is here to stay, and the Department of Homeland Security is hiring.
Donna Horning is a junior in Davenport College.