Their field is a young one, but the last few years have been salad days for the cyberwarriors. Computer attack appears no longer to be the exclusive purview of teenage hackers and organized criminals: along with its closely related and increasingly indistinguishable cousin electronic attack, cyberwarfare seems to be emerging as an instrument of national power alongside the more traditional military tools of guns and bombs. It is a new and rapidly-developing world, but its importance seems assured in conflicts between, or at least involving, relatively sophisticated powers. What is rather less clear, however, is what this new form of attack and manipulation means for how we approach statesmanship, and for concepts such as strategic deterrence. To begin to appreciate its novelty in these regards, come with me on a quick survey of recent developments in cyberwar.
I. A New World of Cyber Mayhem
In the spring of 2007, in the middle of a bitter political dispute between Estonia and Russia over Estonia’s decision to take down a Stalin-era war memorial commemorating the triumph of the Soviet dictatorship that enslaved that Baltic republic for more than half a century, Estonian computer servers were deluged with denial-of-service and other attacks, causing considerable damage and economic disruption. The attackers employed a “botnet” – a widely-distributed network of computers hijacked by malicious software and coordinated in order to mount various types of attack – and essentially shut down Estonia’s digital infrastructure for a while.
In June 2008, Lithuanian systems suffered a separate attack, just by coincidence also during a dispute with Russia over Lithuanian moves to eradicate Soviet-era political symbols. Some 300 Lithuanian sites were attacked, many being defaced by the addition of those same Soviet symbols as well as spiteful messages written in Russian. Kyrgyzstan is reported to have had a similar experience in January 2009, when denial-of-service attacks essentially shut down two of its four Internet Service Providers (ISPs) – reputedly just when the Russians were leaning on its government to close a U.S. airbase there.
Earlier this year, U.S. sources revealed that a number of U.S. Government and South Korean websites had been subjected to a widespread campaign of network attacks on the Fourth of July weekend, also using relatively unsophisticated “botnet”-type attacks, but on a considerable scale. The assault involved some 170,000 computers in 74 countries, and caused troublesome disruption. South Korean media sources had been reporting since May 2009 that Pyongyang had established a cyberwarfare unit that worked through the Chinese Internet. (China’s Internet system is said to be something of a “Wild West” environment in cybersecurity terms, notwithstanding – and in perhaps suspicious contrast to – the extraordinarily comprehensive effort made by the communist regime in Beijing to control the Internet in order to prevent its subjects from expressing their own political opinions or learning the views of others.) After the July 2009 attacks, officials in Seoul suspected a North Korean hand behind this campaign. A month after the assault, however, the U.S. Director of National Intelligence admitted that American cyber-security officials were still “working … to figure out if we can actually nail … down” who was responsible.
Around the same time, Western experts revealed the broad contours of a widespread campaign of computer penetrations – controlled by China-based computers, but which couldn’t quite be traced to officials in Beijing – into networks affiliated with or containing information about the Tibetan diaspora, including the entourage of His Holiness the XIVth Dalai Lama. This effort apparently infiltrated 1,295 computers in 103 countries over nearly two years. (It apparently included some computers owned by the Iranian, Indonesian, Philippine, German, Indian, and Pakistani governments, as well as NATO.) In the spring of 2009, U.S. officials also revealed that a series of unknown attackers had used Chinese Internet sites to break into a computer network associated with the development of the stealthy F-35 Joint Strike Fighter (JSF) and download terabytes of data about some aspects of that multi-national aircraft program, which is expected to provide the backbone of American and NATO airpower in years ahead. (To put this in context, a single terabyte contains a trillion bytes. That is a great deal of information – more than 1,300 times the total memory capacity of the battered Apple iBook G4 on which I composed this essay.)
Fortunately for their victims, these latter two campaigns appear to have been devoted more to information-gathering (i.e., spying) than to attack. There is, however, a fine line between these concepts, for the same techniques that permit data exfiltration can permit data infiltration. Indeed, stealing information sometimes involves the installation of one’s own code on the subject’s system. Through this prism, the only difference between such computer spying and actual cyber-attack is what one programs that code to do, and a good programmer could in fact choose to employ “dual-use” code that provides intelligence information until such point as it is commanded to manipulate or simply crash the host network.
Perhaps the most significant and dramatic recent cyber campaign, however – part of a real shooting war – occurred in connection with Russia’s attack on the Republic of Georgia in the summer of 2008. To the extent that foreign observers have been able to piece together what happened, the Georgia war appears to have been the most interesting example of full-up cyber warfare to date. Accounts in the Western press suggest that the Kremlin’s performance in military terms was lackluster – Russian forces having apparently failed adequately to train with some of the advanced electronic attack capabilities they possessed, and consequently suffering embarrassing losses to Georgian air defenses – but a comprehensive and costly computer network attack was nonetheless mounted against the hapless Georgians.
Computer attacks on Georgian communications systems, logistics centers, and oil and gas pipelines appear to have been to some extent coordinated with more conventional Russian attacks using bombs, artillery, and missiles. Hackers operating out of Russia, Ukraine, Latvia, Turkey, and elsewhere – many of them apparently civilians recruited for this purpose, and acting in collaboration through U.S.-based social-networking sites such as Twitter and Facebook – operated as a sort of “cyber-army” to mount various sorts of assaults. Some attacking websites were registered using identification and credit card information stolen from American or French citizens, and some attacks seem to have been undertaken using “botnets” associated with Russian organized crime. (Nor did the attacks cease when ground operations did: according to press accounts, the cyber-assaults continued for weeks thereafter.) It was a remarkable campaign that is said to have drawn enormous attention from computer security insiders, and which some suspect gives a glimpse into the future of 21st Century warfare.
II. Attribution Challenges
One common element of all of these recent series of computer attacks is the mysteriousness of the attackers. To be sure, given the circumstances and what is apparently known about the assaults, there are obvious suspects. The Russians were clearly behind the Georgian cyber campaign coordinated with Moscow’s military operations, for instance, and no one seems to think Russians weren’t responsible for trying to punish Estonia for daring to suggest that Stalin did not elicit fond memories in the Baltic republics he conquered and brutalized after cutting his fateful deal with Adolf Hitler for the division of Eastern Europe. And who else but China would devote such time and effort to penetrating the computers of the Tibetan exile community that represents precisely the potential democratic future for Tibet that Beijing wishes at all costs to prevent?
Yet it is apparently the nature of any modestly sophisticated cyber attack that one cannot be absolutely sure – in a technical sense – about its origin. Despite Russia’s responsibility in the Georgia cyber-assaults, it appears that there was little or no direct involvement by Russian government or military personnel. The “foot soldiers” in this war are said, for the most part, to have been civilians, often recruited in other countries just for the occasion: a malevolent ad hoc cyberforce of volunteer mercenaries, perhaps working hand-in-glove with criminal syndicates who treated the occasion as an opportunity to profiteer.
Moscow seems, in other words, to have maintained what is sometimes described as “plausible deniability.” This is not to say that the Kremlin’s denials of responsibility are in fact genuinely plausible – for they are not – but rather merely that no one in the rest of the world can “prove” the attacks were not a coincidence, or were not undertaken by opportunistic freelancers entirely unconnected to the innocent Russian government, which would naturally never do any such thing. (In the wake of the Estonian attack of 2007, an activist with a pro-Kremlin group claimed he had organized the attack entirely on his own initiative. A massive U.S.-assisted investigation resulted in a number of prosecutions of individuals involved, but Russia’s authorship of the campaign apparently remains today as “unprovable” as it is likely.) In an era when diplomatic culture apparently requires documentary “proof” of obvious things such as Iran’s interest in nuclear weaponry, and regards everyone – except Americans and Israelis – as being innocent until proven guilty beyond a shadow of a doubt, even this implausible degree of Russian deniability seems quite adequate for most purposes.
This attribution problem would seem to raise all sorts of interesting questions about deterrence. Cyberwar specialists concede that the Internet is a “wilderness of mirrors,” and that attack attribution is – as one article in the New York Times put it – “difficult at best and sometimes impossible.” Famously, in 2000, a series of debilitating denial-of-service attacks against commercial websites turned out to have been perpetrated by no one more sophisticated than a 15-year-old Canadian high school student. He was only caught, however, after publicly bragging about his feat on an online forum. What are the experts to do when targeted by a sophisticated and ruthless international opponent who feels no need to boast to high school friends?
III. An Expanding Toolbox
It is not as if the United States and other governments with sophisticated military and computing capabilities are allowing Russian and Chinese autocrats to move into the age of cyberwar without them. Because of the vast dependence of our national security apparatus and our civilian economy upon networked computer systems, American officials are presumably concerned first and foremost with cyber-defense, and do not talk much about cyber-attack possibilities. Nevertheless, it is a poorly-kept secret that cyber missions of this sort are increasingly a part of U.S. military planning for potential future conflicts.
One of the most interesting areas of technical development in the defense contractor world, for instance, is the development of cyber-attack tools. Indeed, it is widely believed – and openly admitted by U.S. military officials – that in conflicts with sophisticated modern adversaries, some kind of cyber-related electronic attack capability will increasingly be necessary even in order to accomplish traditional kinetic attack missions. (A “kinetic” mission is the sort that blows something up.) The former commander of the U.S. 13th Air Force told the magazine Aviation Week and Space Technology not long ago, for instance, that in the face of really good air defenses, he felt it was no longer possible for American guided weapons to get to their targets without first “entering the cyber-world to achieve the survivability that’s given to us only by electronic attack.” We can be confident that the United States is working hard to ensure that such cyber-facilitated survivability will be an integral part of future combat operations.
Defense contractors are said to be at work developing new tools that could be useful not just in protecting but in fact in attacking – and not just crashing but indeed invading and manipulating – computer networks, especially networks with wireless components. Prime potential targets are the supervisory control and data acquisition (SCADA) networks that are used to run many critical systems such as power plants, fuel pipelines, chemical plants, power grids, and water systems. The Defense Department even recently created a new cyber command under a four-star flag officer – co-located in Maryland with the codebreakers and cyber-spies of the National Security Agency – to coordinate the military’s planning for both defensive and offensive operations in cyberspace.
In fact, stereotypically “computer”-based cyberwarfare applications are increasingly being blended into more conventional military operations. Future warfare is likely to involve not only Internet-based attacks launched through servers thousands of miles away but also “electronic attack” operations of various kinds carried out by assets in a war zone itself. The lines between cyberwar, electronic attack, directed energy weapons, and electronic intelligence gathering are said to be disappearing.
In the past, for instance, electronic attack was limited largely to jamming and spoofing of enemy radar and radio-frequency communications. This activity was conducted by specialist aircraft and military units, and involved munitions such as “anti-radiation” missiles that home in on anti-aircraft radar transmissions in order to destroy enemy radar units. Current planning seems to envision less reliance upon specialty assets, however, with the full spectrum of electronic activities – from surveillance to attack functions – being increasingly distributed instead among all (or at least a great many) participants in the battlespace, networked together and dividing up tasks between them in a shifting and largely ad hoc fashion depending upon the electronic environment they encounter.
The U.S. military’s changing array of available tools reflects this shift. The U.S. Air Force abandoned its last penetrating jammer aircraft, the EF-111 Raven, in the early 1990s. The Navy and Marine Corps retained carrier-capable E/A-6B Prowlers in this role, but this aircraft was anything but stealthy and is based upon the antiquated Vietnam-era A-6 Intruder airframe. The Americans’ first-generation stealth aircraft, the F-117 Nighthawk, was stealthy, but it became operational in the early 1980s, was not designed for a networked battlespace, and is apparently unequipped with the kind of data-collection and -sharing capabilities necessary for such operations. Even the more advanced B-2 Spirit bomber presently lacks an active, electronically scanned array (AESA) radar that could be used in electronic attack mode, though this is expected to be fixed in an expensive upgrade.
But U.S. military hardware is evolving even as one presumes the computer programmers are improving their toolkit for Internet-based operations. The F-35 will have an integral electronic attack capability in its sophisticated AESA radar. Similarly, the radar on the new F-22 Raptor fighter is designed to be capable of employment as a conventional aircraft radar as well as an electronic jammer, high-volume communications tool, or “network attack” device – perhaps all at the same time. Even less sophisticated aircraft such as the F-15E Strike Eagle, F/A-18E/F Super Hornet, and EA-18G Growler are reported to have long-range AESA radars that could be turned into high-power microwave weapons with modified software.
Exemplifying the multi-role capabilities of such AESA units, there are presently radars in development for large patrol and surveillance aircraft that may be able to switch effortlessly and instantly between detecting airborne threats such as cruise missiles and transmitting high-powered microwave bursts to shoot such targets out of the air. Meanwhile, the military is developing ever-improving capabilities for missiles that attack electronic equipment by means of similar microwave bursts. (One long-sought objective: a device that can kill all vehicular ignitions in its vicinity, bringing a mechanized army, or the local economy, instantly to a halt.) Rumors also abound of unmanned stealthy aerial vehicles with advanced electronic-kill capabilities. The assets available for electronic attack are proliferating, even as it is becoming both more difficult and more imperative to protect one’s own communications-dependent network-based battlefield operations against the adversary’s electronic assaults.
The current thinking thus aims to be able to conduct a kind of electronic symphony, in which incoming information is integrated from a wide range of units in the field, and in which a huge range of attack functions is similarly coordinated. (Warfighting concepts presently used by the U.S. Marines, for instance, call for the use of ground-based radio battalions to analyze electronic targets, unmanned aerial vehicles to locate them, and EA-6B Prowler aircraft to deploy electronic attack tools to attack them. Such attacks may include not simply power pulses but also transmissions full of what press accounts tactfully describe as “specialized [computer] algorithms.” Future concepts will be even more sophisticated and have even more players.) To help test some of these concepts, the Defense Advanced Research Projects Agency recently awarded several contracts for the development of a “National Cyber Range” – a partially electronic analogue to the military’s sprawling physical proving grounds where equipment, personnel, and techniques are tested and honed in simulated combat. It is clearly a new world out there.
It is also, in many respects, virgin territory. Some available techniques are apparently potentially powerful enough to create a sort of self-deterrence. It has been reported, for instance, that U.S. commanders declined to mount certain types of cyber-attack against Iraq in 1991, Serbia in 1999, and Iraq in 2003, for fear that the consequences might spin out of control through interconnected international banking, communications, and financial systems. According to one account, for instance, Iraq’s French-built air defense network could have been taken down with a proverbial keystroke, but American attack programmers were not sure that these effects would not spread to the broader Iraqi computer network and even to French systems. One U.S. general told Aviation Week & Space Technology later that “[w]e were afraid we were going to take down all the automated banking machines in Paris.”
At least with respect to attacks in which malevolent code is capable of a degree of autonomous propagation, therefore, it might not be inapt to suggest analogies to biological warfare – making such types of attack probably more useful to a cyber-terrorist than to a government interested simply in augmenting its warfighting capabilities. By contrast, the effects of some of the more specifically “military” types of electronic attack described above are probably quite geographically and functionally controllable. They are, however, “luxury goods,” requiring a sophisticated military establishment, highly skilled operators, and expensive equipment. Some of the simplest techniques – such as the “botnet”-driven Internet denial-of-service attacks used against Georgia – are both inherently limitable and quite cheap and easy to mount. The emerging cyber-arena apparently offers participants a broad potential toolkit of possibilities.
Whatever techniques are developed, and however they might or might not be employed, it also seems clear that the Americans are not alone in developing them. (As usual, they are just the most talkative, and the most casual about security.) One can be quite sure that many other countries are not neglecting the future cyberworld and electronic battlespace. Israel, for instance, is said to have established cyberwar teams within its spy agencies, drawing upon that country’s considerable expertise in software development and other high-technology applications, as well as in covert operations. (One American consultancy firm reportedly told its clients in 2008 that Israel was the sixth-greatest “cyber warfare threat” in the world – right behind China, Russia, Iran, France, and “extremist/terrorist groups.”) Perhaps most dramatically, Israel is reported to have demonstrated quite an effective electronic attack capability in 2007, spoofing Syria’s relatively sophisticated Russian-built integrated air defense network and mounting an essentially unopposed aerial raid on the nuclear reactor complex the Syrians were secretly constructing at Dair Alzour with North Korean assistance. (Israel has also suffered cyber attacks, such as from Hamas sympathizers during the Israeli assault on Gaza late last year. Israeli and pro-Palestinian hackers ended up in a war of dueling attacks that went on for some time.) The list of apparent cyberwar “players” is lengthening – Russia, China, North Korea, the United States, Israel – even as the range of available techniques is growing.
The role of cyber-attack in recent political and military confrontations in the Baltics and the Caucasus has led some knowledgeable observers to issue dire warnings about the future. According to Secretary-General Hamadoun Toure of the International Telecommunication Union, in fact, “[t]he next world war could happen in cyberspace” and would be “a catastrophe.” Even discounting somewhat for alarmist cyber-pessimism – not to mention Toure’s eagerness to land the jibe that in a cyber-war “there is no such thing as a superpower,” with its fashionably confused anti-American insinuation that it is somehow Washington that threatens cyber peace and security – it seems clear that something very significant is afoot. It will probably be increasingly hard, in the years ahead, to manage international conflicts without taking into account their actual or potential cyber aspects.
IV. Whither Deterrence?
Quite apart from questions related to the actual capabilities involved in attack and defense, the emergence of this new world of cyberwarfare and electronic attack presents some interesting challenges. For the most part, American approaches to this field seem merely to be outgrowths of conventional concepts of warfighting and deterrence. If we happen to get into a shooting war with someone, in other words, we may employ such capabilities as adjuncts to our “normal” combat operations, and we will do so to the extent necessary for us to accomplish our military objectives. Countries should think twice about tangling with us, the closely-related deterrent logic runs, precisely because these capabilities will help ensure that the precision-guided weapons that are the centerpiece of modern U.S. power projection are able to penetrate even very sophisticated modern air defenses. So far so good.
The Georgian war certainly does seem to validate these conceptions, for cyber- and electronic-attack operations were an important part of Moscow’s invasion. (Indeed, in view of their aerial losses, the Russians probably wish they’d been a bit better at using electronic attack methods to degrade Georgia’s surface-to-air missile network.) But the recent history of the young field of cyberwarfare suggests that it would be a mistake to regard these capabilities only through the prism of their utility as an extension of conventional warfighting. How should we think about deterring – or perhaps even waging – cyberwarfare more akin to the suspected North Korean attack on U.S. and South Korean systems on the Fourth of July 2009?
The existence of what we might call the “Fourth of July” model – an “out of the blue” attack that, in theory, could rise to the level of the “Cyber Pearl Harbor” of cybersecurity nightmares – raises challenging questions about how to think about the use of “force” and about deterrence in this new age. U.S. officials have suggested for years that we are likely to regard a major cyberattack as being morally and legally equivalent to a conventional attack (e.g., with bombs) as an act of war. If we mean this, however, we may have to adjust how we think about such issues.
Take the example of attack attribution. Unless one is willing to adopt a sort of “universal” approach to deterrence – such as the madcap “Doomsday Device” of Dr. Strangelove fame that would cause catastrophic harm to all countries in the event of anyone’s attack upon us, a deterrence heuristic first proposed (and rejected) by seminal nuclear theorist Herman Kahn – attack attribution capabilities are essential to the operation of any kind of deterrence. To wit, if I cannot know whether it is you who has attacked me, how are you to be deterred by my preparations for retaliation?
Although it involves real technical challenges – e.g., early warning and air defense radar nets, and nuclear and other detonation forensics – attack attribution, and thus deterrence, seems comparatively straightforward when one is talking about harm caused by bombers and ballistic missiles. Even with cyberwarfare, in fact, it is probably easy enough – as a policy and political matter, even if without a good deal of technical “proof” – to assign blame in the heat of a shooting war. Should the Georgians have regarded it as improper to launch a cyber-counterattack against Russia under the circumstances, despite the lack of “proof” of official Russian involvement? Of course not.
But what happens in out-of-the-blue scenarios of the “Fourth of July” sort? What does it mean for deterrence – and the political and legal proprieties of retaliation – if much of the future of cyber-war involves the equivalent of Country A attacking Country B by secretly co-opting and dispatching the air force of Country C and unleashing a rag-tag army of guerrillas recruited entirely within Country D? If an attacker can be reasonably sure that his assault will lack “fingerprints” – thus depriving the victim of clear attack attribution – can he be deterred? And how should the victim approach issues of retaliatory response?
To some extent, the issue of what might be called probabilistic attribution is not new. After all, all attack attribution is to some extent probabilistic, for absolute certainty will surely be elusive no matter how many resources one throws at the problem. (Popular television shows about criminal justice forensics, such as CSI, greatly exaggerate the speed and certainty with which modern science can reconstruct the details of past violence and identify its perpetrator.) In this arena, as in so many other areas of public policy, one must content oneself with reasonable certainty. But the cyberworld may press this concept further than we have yet become comfortable going. What is reasonable certainty in this context?
Cyberwar presents, in this regard, a challenge of judgment, and of political and moral courage, for our policymakers. To what extent is our leadership prepared to undertake something dramatic and risky – such as retaliating for a cyber-attack by mounting a regular military attack upon its presumed initiator – on the basis of evidence that is not conclusive? And if we are, how prepared are we for the political repercussions, both domestically and internationally? How prepared are we for the political challenges of building and maintaining domestic and international coalitions to facilitate appropriately muscular responses to cyber-aggression? How confident are we that we will not ourselves be perceived as aggressors? (To be sure, if the cyber threat is grave enough, and we believe action is necessary to prevent worse harm, we may not care what the rest of the diplomatic community thinks. To say this, however, is not to argue that such reactions do not matter, or that we should be unprepared for them.) What, furthermore, are the legal implications of any such uncertainty – such as with regard to our right to use force in self defense against aggression, or the proprieties of our conduct in a shooting war, when our actions need to conform to principles of necessity and proportionality under the law of armed conflict?
This is still quite a new area, and we have a lot of thinking to do about these issues – and surely a good deal of planning and preparation too. Is it possible to adapt traditional notions of deterrence and retaliation to these circumstances? To some extent, the cyber arena might seem more similar to modern “war-on-terrorism” challenges than to conventional statesmanship.
If an incident of weapons of mass destruction (WMD) terrorism occurs, attribution will be an obvious and immediate challenge. Even with respect to conventional attacks, attribution is often tricky, and may rely so heavily upon intelligence information that reasons for our conclusions cannot always be given publicly. Either way, achieving any useful deterrence is challenging, in part because of the difficulty of attribution but perhaps most of all simply because it does not always seem that terrorist attackers respond to conventional deterrent strategies in the first place. Nevertheless, we claim to be prepared to hold state sponsors or facilitators of such acts – who may indeed be deterrable – responsible for their own sins of commission and omission in this regard. And we can be quite ruthless in moving against any actual attackers whom we are able to identify and locate.
Thanks to U.N. Security Council Resolution 1540, states have an obligation to patrol their own jurisdictions and follow what is in effect a set of international “best practices” – or at least minimum practices – to prevent terrorist acquisition of WMD-related materials. As the United States demonstrated vis-à-vis the Taliban regime in Afghanistan, we are prepared to mount a vigorous and decisive physical response (in that case, a full-scale invasion) against a state that supports and encourages groups that wage war against us. In exercising our right of self-defense against those who have attacked us, we have both claimed and exercised the right to strike at them wherever they may be found – even if this happens to be the territory of another sovereign state not involved in overt hostilities with us (e.g., Yemen, Somalia, or Pakistan). When we have identified perpetrators of attacks against us, we have also sometimes seized them on foreign soil, taking them into our own custody or handing them over to others (“extraordinary rendition”). Even under Barack Obama, these approaches remain U.S. policy vis-à-vis terrorism and its sponsors. Are we prepared to adopt similar rules, and take similar positions, with respect to cyber attacks? Or can we still somehow squeeze the idiosyncrasies of the cyber arena into more conventional approaches to conflict and deterrence?
So far, the policy community has not wrestled very satisfactorily with these challenges in the cyberwar context. We will need to do rather better.
– Christopher Ford